270 results about "Identity provider" patented technology

Described herein is a transaction system (100) in which a transaction is authenticated using an external alias. When procuring an item from a supplier (120), a customer (110) needs to provide payment in some form or the other. Profiles relating to both the customer (110) and the supplier (120) are stored in an environment managed by a broker (130) and payment is effected by transfer of within that environment from a customer wallet to a supplier wallet. The customer (120) is represented as an alias as far as the supplier (120) is concerned, whereby the alias is provided by an external identity provider (140) such as a social network with which the customer (120) is associated. The anonymity of the customer (120) is maintained with respect to the supplier (120).

A system and method for performing authentication are disclosed. The system may include a shared central processing server, a plurality of software components each residing in a corresponding point-of-sale (POS) workstation and an identity provider service. The server may reside at a merchant location and communicate with multiple POS workstations at the merchant location. The server may be configured to receive biometric information from each POS workstation. Each software component may communicate with a biometric sensor in communication with the corresponding POS workstation to receive biometric information. The identity provider service may be configured to communicate with the server, store registered biometric information and compare biometric information received from the server with one or more of the stored registered biometric information. One of the biometric sensor, a POS workstation and the server may convert a biometric image into a biometric template for comparison with the stored registered biometric information.

The present invention extends to trusted third party authentication for Web services. Web services trust and delegate user authentication responsibility to a trusted third party that acts as an identity provider for the trusting Web services. The trusted third party authenticates users through common authentication mechanisms, such as, for example, username/password and X.509 certificates and uses initial user authentication to bootstrap subsequent secure sessions with Web services. Web services construct user identity context using a service session token issued by the trusted third party and reconstruct security states without having to use a service-side distributed cache.

A method, system, apparatus, and computer program product are presented to support computing systems of different enterprises that interact within a federated computing environment. Federated single-sign-on operations can be initiated at the computing systems of federation partners on behalf of a user even though the user has not established a user account at a federation partner prior to the initiation of the single-sign-on operation. For example, an identity provider can initiate a single-sign-on operation at a service provider while attempting to obtain access to a controlled resource on behalf of a user. When the service provider recognizes that it does not have a linked user account for the user that allows for a single-sign-on operation with the identity provider, the service provider creates a local user account. The service provider can also pull user attributes from the identity provider as necessary to perform the user account creation operation.

A method is presented for performing an identity provider migration operation with respect to a user within a federated computational environment, wherein the user has a first user account at a first identity provider, a second user account at a second identity provider, and a third user account at a service provider. A request to access a resource is received by the service provider, after which a federated single-sign-on operation for the user is performed between the service provider and the first identity provider. Prior to sending a response to the request to access the protected resource, information in the third user account is modified to indicate that the service provider relies upon the second identity provider to authenticate the user on behalf of the service provider rather than the first identity provider. A response for the request to access the resource is then returned by the service provider.

A “trusted service” establishes a trust relationship with an identity provider and interacts with the identity provider over a trusted connection. The trusted service acquires a token from the identity provider for a given user (or set of users) without having to present the user's credentials. The trusted service then uses this token (e.g., directly, by invoking an API, by acquiring another token, or the like) to access and obtain a cloud service on a user's behalf even in the user's absence. This approach enables background services to perform operations within a hosted session (e.g., via OAuth-based APIs) without presenting user credentials or even having the user present.

An embodiment of a method of providing identity services includes: receiving identity data for an individual for which the identity provider has provided an identity; generating a transaction to store an identifier representing the identity data in a data structure on a blockchain of a distributed system; sending the transaction to at least one node of the distributed system; and generating an identity token incorporating the identifier representing the identity data. An embodiment of a method of verifying an identity includes: receiving data extracted from the identity token, wherein the extracted data includes an identifier representing the identity data; determining whether a data structure containing the extracted identifier representing the identity data is stored on a blockchain of a distributed system; and outputting an indication of a validity of an identity associated with the identity data based on the determination.

Methods, systems, and computer program products are disclosed that give entities flexibility to implement custom authentication methods of other entities for authentication of a principal in a federation by authenticating the principal by an identity provider according to a service provider's authentication policy and recording in session data of the identity provider an authentication credential satisfying the service provider's authentication policy. Authentication of a principal in a federation is also carried out by authenticating the principal by the identity provider according to an identity provider's authentication policy. Authentication of a principal in a federation is further carried out by receiving in the identity provider an authentication request from the service provider, the authentication request specifying the service provider's authentication policy.

A distributed network identity is provided. An identity provider stores a portion of a user's personal information. A service provider accesses user information from one or more identity providers. System entities such as identity providers and service providers can be linked to enable information sharing and aggregation. User policies and privacy preferences are provided to control how information is shared. A single sign-on architecture is provided where an identity provider is used to facilitate cross-domain authentication and to enhance user convenience. Service delegation features are also provided.

Mobile operators presently offer services on behalf of service providers where such services are really carried out for the users. Mobile operators act as identity providers in this scenario, wherein service provider and identity provider share a unique identity to identify each particular user accessing a number of services. As the number of users accessing these services, and the number of services offered from different service providers increase, the storage required at the operator's network for such amount of user's identities becomes a problem. To overcome this and other problems, the present invention provides an identity Generator device arranged to generate a user's service indicator to identify the user between the service provider and the identity provider, the user's service indicator comprising a master user's identifier for identification of the user at the identity provider, and a service identifier indicating the services to be accessed at a given service provider.

A method, a system, an apparatus, and a computer program product are presented for improving a register name identifier profile within a federated computing environment such that the register name identifier profile is enhanced to be more securely binding between two federated entities within the federated computing environment, such as an identity provider and a service provider. After the first federated entity sends a register name identifier request for a principal to the second federated entity, the second federated entity performs an authentication operation for the principal. In response to successfully completing the authentication operation, the second federated entity registers or modifies a name identifier for the principal that has been extracted from the received register name identifier request.

A method for distributing cryptographic data to authenticated recipients includes receiving, by an access control management system, from a first client device, information associated with an encrypted data object. The method includes receiving, by the access control management system, from a second client device, a request for the information associated with the encrypted data object. The method includes verifying, by the access control management system, that a user of the second client device is identified in the received information associated with the encrypted data object. The method includes authenticating, by the access control management system, with an identity provider, the user of the second client device. The method includes sending, by the access control management system, to the second client device, the received information associated with the encrypted data object.

A redundant multifactor identity authentication system provides users with a secure mechanism for providing identity information through the use of redundant independent identity providers in concert with each other so that resources are accessed only through a combination of providers. By eliminating reliance on a single provider, security is increased as is reliability. Similarly, redundant credentials can be provided to relying parties to ensure that the relying party receives proof of a credential without requiring a specific credential.

A selector daemon can run in the background of a computer. Applications that are capable of processing information cards directly, without requiring the use of a card selector, can request the selector daemon to list information cards that satisfy security policy. Upon receiving such a request, selector daemon can determine the information cards available on the computer that satisfy the security policy, and can identify these information cards to the requesting application. The applications can then use the identified information cards in any manner desired, without having to use a card selector: for example, by requesting a security token based on one of the information cards directly from an identity provider.

A method includes: receiving a request regarding access by a first computing device (e.g., a mobile device of a user) to a service; in response to the request, performing, by a second computing device (e.g., a device risk evaluation server, or a server of an identity provider), an evaluation of the first computing device; and performing, by the second computing device, an action (e.g., authorizing access to the service) based on the evaluation.