公开(公告)号：US09843577B2

公开(公告)日：2017-12-12

申请号：US15365726

申请日：2016-11-30

Applicant: Microsoft Technology Licensing, LLC

Inventor： Ariel Gordon ,  Samuel Devasahayam ,  Lu Zhao ,  Yordan Rouskov ,  Parmeshwar Miguel Sequeira Arewar ,  Venkatesh Gopalakrishnan ,  Sarat Chandra Subramaniam ,  Titus Constantin Miron

IPC: H04L29/06 ,  H04L29/08

CPC classification number: H04L63/083 ,  H04L63/08 ,  H04L63/102 ,  H04L63/1416 ,  H04L67/02 ,  H04L67/14 ,  H04L69/28

Abstract: Embodiments are directed to revoking user sessions using signaling. In one scenario, an identity platform operating on a computer system receives an indication indicating that a user's login account has been compromised, where the user's login account has an associated login session and corresponding session artifact that is valid for a specified amount of time. The identity platform generates a signal indicating that the login session is no longer trusted and that the user is to be re-directed to the identity platform to re-authenticate and renew the session artifact and provides the generated signal to various relying parties including at least one relying party that is hosting the login session for the user.

公开(公告)号：US10574750B2

公开(公告)日：2020-02-25

申请号：US14842683

申请日：2015-09-01

Applicant: MICROSOFT TECHNOLOGY LICENSING, LLC

Inventor： Yina Arenas ,  Dmitry Pugachev ,  Robert Howard ,  Sriram Dhanasekaran ,  Marek Rycharski ,  Vijaya Manohararaj ,  Daniel Kershaw ,  James Kleewein ,  Anthony Bloesch ,  Titus Miron ,  Vikrant Arora ,  Murli Satagopan ,  Jon Rosenberg ,  Yordan Rouskov

IPC: H04L29/08 ,  H04L29/06 ,  G06F16/903

Abstract: Network services may include data associated with one or more entities. An aggregator service may host respective application programming interfaces (APIs) of the services at a single endpoint of the network such that the entities, including associations and relationships between entities, may be federated. For example, the services may register the entities of which the data of each of the services is associated with through a declarative entity model to establish an API schema for each of the services, which may be published at the aggregator service. In response to receipt of a request for entity related data from a client, the aggregator service may employ the declarative entity model to determine which of the services are associated with the entity related data such that a query may be submitted to the services, and how to aggregate responses to the query received from the services for transmission to the client.

公开(公告)号：US10104071B2

公开(公告)日：2018-10-16

申请号：US15825523

申请日：2017-11-29

Applicant: Microsoft Technology Licensing, LLC

Inventor： Ariel Gordon ,  Samuel Devasahayam ,  Lu Zhao ,  Yordan Rouskov ,  Parmeshwar Miguel Sequeira Arewar ,  Venkatesh Gopalakrishnan ,  Sarat Chandra Subramaniam ,  Titus Constantin Miron

IPC: H04L29/06 ,  H04L29/08

Abstract: Embodiments are directed to revoking user sessions using signaling. In one scenario, an identity platform operating on a computer system receives an indication indicating that a user's login account has been compromised, where the user's login account has an associated login session and corresponding session artifact that is valid for a specified amount of time. The identity platform generates a signal indicating that the login session is no longer trusted and that the user is to be re-directed to the identity platform to re-authenticate and renew the session artifact and provides the generated signal to various relying parties including at least one relying party that is hosting the login session for the user.

公开(公告)号：US09749313B2

公开(公告)日：2017-08-29

申请号：US14871945

申请日：2015-09-30

Applicant: Microsoft Technology Licensing, LLC

Inventor： David Steeves ,  Luke Abrams ,  Hersh Dangayach ,  Eric Fleischman ,  Prabu Raju ,  Krishna Vitaldevara ,  Niyantha Shekar ,  Payoj Baral ,  Meenakshi Ramaswamy ,  Winfred Wong ,  Yordan Rouskov ,  Ramesh Manne

IPC: H04L29/06 ,  G06F21/31 ,  H04W4/02 ,  H04L29/12 ,  H04L29/08

CPC classification number: H04L63/083 ,  G06F21/31 ,  G06F21/316 ,  G06F2221/2111 ,  H04L61/609 ,  H04L63/08 ,  H04L67/22 ,  H04L67/306 ,  H04W4/029

Abstract: In one embodiment, a user authentication server may use geo-location tracking to determine whether to present an enhanced identity challenge. A communication interface 180 may receive a user login attempt by a user and a current location of the user login attempt. A data storage 150 may store a user location profile of the user. A processor 120 may execute a comparison of the current location to the user location profile. The communication interface 180 may present the user with an enhanced identity challenge before allowing user access based on the comparison.

公开(公告)号：US20160316016A1

公开(公告)日：2016-10-27

申请号：US14842683

申请日：2015-09-01

Applicant: MICROSOFT TECHNOLOGY LICENSING, LLC

Inventor： Yina Arenas ,  Dmitry Pugachev ,  Robert Howard ,  Sriram Dhanasekaran ,  Marek Rycharski ,  Vijaya Manohararaj ,  Daniel Kershaw ,  James Kleewein ,  Anthony Bloesch ,  Titus Miron ,  Vikrant Arora ,  Murli Satagopan ,  Jon Rosenberg ,  Yordan Rouskov

IPC: H04L29/08 ,  G06F17/30 ,  H04L29/06

CPC classification number: H04L67/1097 ,  G06F9/5055 ,  G06F9/54 ,  G06F16/90335 ,  H04L67/16 ,  H04L67/42

Abstract: Network services may include data associated with one or more entities. An aggregator service may host respective application programming interfaces (APIs) of the services at a single endpoint of the network such that the entities, including associations and relationships between entities, may be federated. For example, the services may register the entities of which the data of each of the services is associated with through a declarative entity model to establish an API schema for each of the services, which may be published at the aggregator service. In response to receipt of a request for entity related data from a client, the aggregator service may employ the declarative entity model to determine which of the services are associated with the entity related data such that a query may be submitted to the services, and how to aggregate responses to the query received from the services for transmission to the client.

Abstract translation: 网络服务可以包括与一个或多个实体相关联的数据。 聚合器服务可以在网络的单个端点处承载服务的相应应用编程接口（API），使得可以联合包括实体之间的关联和关系的实体。 例如，服务可以通过声明性实体模型来注册每个服务的数据相关联的实体，以便为可以在聚合器服务处发布的每个服务建立API模式。 响应于从客户端接收到与实体相关的数据的请求，聚合器服务可以使用声明性实体模型来确定哪个服务与实体相关的数据相关联，使得查询可以被提交给服务，以及如何 将对从服务接收的查询的响应聚合以传送给客户端。

公开(公告)号：US11750384B2

公开(公告)日：2023-09-05

申请号：US17332796

申请日：2021-05-27

Applicant: Microsoft Technology Licensing, LLC

Inventor： Prabagar Ramadasse ,  Yordan Rouskov ,  Mick Healy ,  Gaurav Dhawan ,  Venkata Raghuram Pampana ,  Aleksandr Tokarev ,  Marc Shepard ,  Ramachandra Ravitej Vennapusa

IPC: H04L9/32 ,  H04L9/30 ,  H04L9/08 ,  H04L9/00

CPC classification number: H04L9/3073 ,  H04L9/0866 ,  H04L9/3234 ,  H04L9/3265 ,  H04L9/3268 ,  H04L9/0877 ,  H04L9/50

Abstract: Generally discussed herein are devices, systems, and methods for binding with cryptographic key attestation. A method can include generating, by hardware of a device, a device public key and a device private key, based on the device private key, signing a first attestation resulting in a signed first attestation, the first attestation claiming the device private key originated from the hardware, based on the device public key and the signed first attestation, registering the device with a trusted authority, generating, by the hardware, a first application private key and a first application public key, and based on the device private key, signing a second attestation resulting in a signed second attestation, the second attestation claiming the first application private key originated from the hardware, and based on the first application public key and the signed second attestation, registering a first application of the device to a first server.

公开(公告)号：US20180332026A1

公开(公告)日：2018-11-15

申请号：US16041143

申请日：2018-07-20

Applicant: Microsoft Technology Licensing, LLC

Inventor： David Steeves ,  Luke Abrams ,  Hersh Dangayach ,  Eric Fleischman ,  Prabu Raju ,  Krishna Vitaldevara ,  Niyantha Shekar ,  Payoj Baral ,  Meenakshi Ramaswamy ,  Winfred Wong ,  Yordan Rouskov ,  Ramesh Manne

IPC: H04L29/06 ,  H04W4/029 ,  H04L29/08 ,  G06F21/31 ,  H04L29/12

CPC classification number: H04L63/083 ,  G06F21/31 ,  G06F21/316 ,  G06F2221/2111 ,  H04L61/609 ,  H04L63/08 ,  H04L67/22 ,  H04L67/306 ,  H04W4/029

Abstract: In one embodiment, a user authentication server may use geo-location tracking to determine whether to present an enhanced identity challenge. A communication interface 180 may receive a user login attempt by a user and a current location of the user login attempt. A data storage 150 may store a user location profile of the user. A processor 120 may execute a comparison of the current location to the user location profile. The communication interface 180 may present the user with an enhanced identity challenge before allowing user access based on the comparison.

公开(公告)号：US09935936B2

公开(公告)日：2018-04-03

申请号：US15634899

申请日：2017-06-27

Applicant: MICROSOFT TECHNOLOGY LICENSING, LLC

Inventor： Wei-Qiang Guo ,  Lynn Ayres ,  Rui Chen ,  Sarah Faulkner ,  Yordan Rouskov

IPC: H04L29/06 ,  G06F17/30

CPC classification number: H04L63/0815 ,  G06F17/30864 ,  G06F21/41 ,  G06F21/606 ,  G06F21/6209 ,  H04L9/3234 ,  H04L63/08 ,  H04L63/0853 ,  H04L63/101

Abstract: A federated realm discovery system within a federation determines a “home” realm associated with a portion of the user's credentials before the user's secret information (such as a password) is passed to a non-home realm. A login user interface accepts a user identifier and, based on the user identifier, can use various methods to identify an account authority service within the federation that can authenticate the user. In one method, a realm list of the user device can be used to direct the login to the appropriate home realm of the user. In another method, an account authority service in a non-home realm can look up the user's home realm and provide realm information directing the user device to login at the home realm.

公开(公告)号：US09699180B2

公开(公告)日：2017-07-04

申请号：US15219994

申请日：2016-07-26

Applicant: MICROSOFT TECHNOLOGY LICENSING, LLC

Inventor： Allan Edwin Wetter ,  Adrian Frei ,  Peter M. Tsang ,  Yordan Rouskov

IPC: G06F15/16 ,  H04L29/06 ,  G06F21/33 ,  G06F21/41

CPC classification number: H04L63/0853 ,  G06F21/335 ,  G06F21/41 ,  G06F2221/2115 ,  H04L63/0807 ,  H04L63/083 ,  H04L63/0861

Abstract: Providing access to a cloud service includes a system receiving an application request to access a cloud service. In response, the system sends an identity provider (IP) a token request, comprising an application identifier (ID), an operating system (OS) cloud credential associated with login credentials of a user of an OS hosting the application, and a cloud service ID of the cloud service. Based on sending the token request, and on the IP authenticating the user and verifying the application ID is valid, the system receives a token from the IP. The token, which is signed with an IP signature, comprises the cloud service ID, the application ID, and a user assigned ID associated with the cloud service. The system provides the token to the application for submission to a cloud service provider for access, and obtains cloud service access based on the cloud service provider validating the IP signature.

公开(公告)号：US12113898B2

公开(公告)日：2024-10-08

申请号：US18224518

申请日：2023-07-20

Applicant: Microsoft Technology Licensing, LLC

Inventor： Prabagar Ramadasse ,  Yordan Rouskov ,  Mick Healy ,  Gaurav Dhawan ,  Venkata Raghuram Pampana ,  Aleksandr Tokarev ,  Marc Shepard ,  Ramachandra Ravitej Vennapusa

IPC: H04L9/32 ,  H04L9/08 ,  H04L9/30 ,  H04L9/00

CPC classification number: H04L9/3073 ,  H04L9/0866 ,  H04L9/3234 ,  H04L9/3265 ,  H04L9/3268 ,  H04L9/0877 ,  H04L9/50

Abstract: Generally discussed herein are devices, systems, and methods for binding with cryptographic key attestation. A method can include generating, by hardware of a device, a device public key and a device private key, based on the device private key, signing a first attestation resulting in a signed first attestation, the first attestation claiming the device private key originated from the hardware, based on the device public key and the signed first attestation, registering the device with a trusted authority, generating, by the hardware, a first application private key and a first application public key, and based on the device private key, signing a second attestation resulting in a signed second attestation, the second attestation claiming the first application private key originated from the hardware, and based on the first application public key and the signed second attestation, registering a first application of the device to a first server.