
Identity experience framework

Patent number
US11997077B2
Publication date
2024-05-28
Applicant
Microsoft Technology Licensing, LLC (Redmond, WA, US)
Inventors
Raja Charu Vikram Kakumani; Brandon B. Murdoch; Ronald Bjones; Muhammad Omer Iqbal; Kim Cameron
IPC classification
H04L9/00; H04L9/40; G06F3/0484
Technical field (keywords)
policy, identity, ui, ief, provider, user, token, journeys, providers, composable
Region: Redmond, WA

Abstract

Methods for composable user journeys for user authentication via an identity experience framework are performed by systems and apparatuses. Initiating a user authentication process for an application triggers application calls for dynamic invocation of a specific identity policy, required by the application, from among a number of identity policies managed by a host of the identity experience framework. User interfaces defined by the identity policies are provided from the host to the application for interaction by the user and entry of the identity information needed to authenticate the user according to the specified verification providers. Identity claims and token requests are provided from the application to the host, which then authenticates the identity claims via the verification providers and mints a token that includes the claims required by the application, according to the identity policy. The application consumes the token to complete the token request and allow the user access to the application.

Description

CROSS REFERENCE TO RELATED APPLICATION(S)

This application is related to U.S. patent application Ser. No. 15/809,651 filed on the same day herewith, and entitled “Identity Experience Framework,” the entirety of which is incorporated by reference herein.

BACKGROUND

Identity features are ubiquitous across the applications used by end users. Features such as authentication based on a username or email address and password, multi-factor authentication, and federation are used for application sign-up, authentication, and access. Even so, current identity solutions are rife with examples of application developers providing their own implementations of identity verification.

The workload needs of companies and governments vary widely, and the variations are unique enough that they require custom-built solutions. Workloads span from a website or mobile application interacting with consumers, to large-scale application platforms that offer a built-in identity system to developers building applications, to dynamic portal teams such as consumer portals created via wizards.

Digital transformation has reached a point where every industry (not just software), and even governments, increasingly engage with customers and citizens digitally. Higher-value transactions such as buying health insurance, managing health vaults and finances, paying taxes, and requesting welfare benefits are moving online. Companies also need to vet software developers for application ("app") stores before payouts can be made. Currently, each of these needs is met by a custom-built solution.

SUMMARY

Claims

What is claimed is:

1. A system comprising:
   memory configured to store program logic; and
   a processor configured to access the memory and to execute the program logic to perform operations comprising:
      receiving a call over a network from an application in response to user interaction with the application via an interface, the application executing on an application service provider device remote to the system and the interface, the call comprising a policy identifier (ID) that corresponds to an identity policy that is one of a plurality of identity policies for dynamic deployment on behalf of the application;
      executing a user authentication process that is defined by the identity policy that corresponds to the policy ID;
      providing a user interface (UI) to the application over the network subsequent to receiving the call and based on the policy ID of the received call;
      receiving a token request and an identity claim over the network from the application responsive to additional user interaction with the UI;
      verifying the identity claim; and
      providing a token configured to enable a user to access the application over the network to the application for consumption to complete the token request.

2. The system of claim 1, wherein said verifying the identity claim comprises:
   providing the identity claim to a verification provider according to the identity policy that corresponds to the policy ID;
   receiving a response claim from the verification provider; and
   verifying the identity claim against the response claim.

3. The system of claim 2, wherein the verification provider is one or more of: an identity provider, an attribute provider, a directory provider, a multi-factor authentication (MFA) provider, an email validation provider, or a self-asserted attribute provider.

4. The system of claim 2, wherein the operations further comprise:
   transforming the identity claim to a transformed claim, using at least one parameter associated with the claim, prior to providing the identity claim to the verification provider according to the identity policy that corresponds to the policy ID;
   providing the transformed claim to the verification provider instead of the identity claim; and
   transforming the response claim, that is based on the transformed claim, received from the verification provider prior to verifying the identity claim.

5. The system of claim 1, wherein the memory is configured to store the plurality of identity policies, the identity policy that corresponds to the policy ID of the received call being:
   provided to the memory from a remote identity operator; or
   a child identity policy comprising a base parent identity policy and one or more changes thereto specified by an application service provider that provides the application.

6. The system of claim 1, wherein the operations further comprise:
   providing access for customer entities to a base identity policy of the plurality of identity policies, the customer entities including at least one of: an application service provider, or an identity operator;
   performing at least one of: receiving a customer entity base identity policy that includes a modification to the base identity policy from which it derives; or receiving a customer entity application identity policy that includes an additional modification to the customer entity base identity policy from which it derives, the additional modification being related to the application; and
   storing received customer entity base identity policies or customer entity application identity policies as a portion of the plurality of identity policies.

7. The system of claim 1, wherein the UI is:
   defined by the identity policy that corresponds to the policy ID; and
   configured in accordance with one or more verification providers specified by the identity policy that corresponds to the policy ID.

8. The system of claim 1, wherein the operations further comprise:
   executing the user authentication process at least in part as a security token service (STS) defined by the identity policy; and
   minting the token according to the STS and the token request to include claims required by the application and the identity policy.

9. A method implemented by a computing system that comprises a multi-sided identity experience framework configured to support a plurality of remote identity operators, a plurality of remote verification providers, and a plurality of remote application service providers for user authentication to applications, the method comprising:
   receiving a call over a network from an application in response to user interaction with an interface, the application executing on an application service provider device remote to the computing system and the interface, the call comprising a policy identifier (ID) that corresponds to an identity policy of a plurality of identity policies for dynamic deployment on behalf of the application;
   executing a user authentication process that is defined by the identity policy that corresponds to the policy ID;
   providing a user interface (UI) to the application over the network subsequent to receiving the call, the UI being: provided based on the policy ID of the received call, defined by the identity policy that corresponds to the policy ID, and configured in accordance with one or more verification providers specified by the identity policy that corresponds to the policy ID;
   receiving a token request and an identity claim over the network from the application responsive to additional user interaction with the UI;
   verifying the identity claim; and
   providing a token configured to enable a user to access the application over the network to the application for consumption to complete the token request.

10. The method of claim 9, further comprising:
   providing the identity claim to a verification provider according to the identity policy that corresponds to the policy ID; and
   receiving a response claim from the verification provider;
   wherein verifying the identity claim includes verifying the identity claim against the response claim.

11. The method of claim 10, wherein the verification provider is one or more of: an identity provider, an attribute provider, a directory provider, a multi-factor authentication (MFA) provider, an email validation provider, or a self-asserted attribute provider.

12. The method of claim 9, further comprising: storing the plurality of identity policies in a memory of the computing system, wherein one of the plurality of identity policies is provided to the memory from a remote identity operator.

13. The method of claim 12, wherein the identity policy that corresponds to the policy ID is a child identity policy comprising a base parent identity policy and one or more changes thereto specified by an application service provider that provides the application.

14. The method of claim 9, wherein the method further comprises:
   executing the user authentication process at least in part as a security token service (STS); and
   minting the token according to the identity policy that corresponds to the policy ID and the token request to include claims required by the application and the identity policy that corresponds to the policy ID.

15. A computer-readable storage medium comprising computer-executable instructions that, when executed by a processor, perform a method comprising:
   receiving a call over a network from an application in response to user interaction with the application via an interface, the application executing on an application service provider device remote to the processor and the interface, the call comprising a policy identifier (ID) that corresponds to an identity policy of a plurality of identity policies for dynamic deployment on behalf of the application;
   executing a user authentication process that is defined by the identity policy that corresponds to the policy ID;
   providing a user interface (UI) associated with the identity policy that corresponds to the policy ID to the application, over the network subsequent to receiving the call, based on the policy ID of the received call;
   receiving a token request and an identity claim over the network from the application responsive to additional user interaction with the UI;
   verifying the identity claim; and
   providing a token configured to enable a user to access the application over the network to the application for consumption to complete the token request.

16. The computer-readable storage medium of claim 15, wherein the method further comprises:
   providing the identity claim to a verification provider according to the identity policy that corresponds to the policy ID; and
   receiving a response claim from the verification provider;
   wherein verifying the identity claim includes verifying the identity claim against the response claim.

17. The computer-readable storage medium of claim 16, wherein the verification provider is one or more of: an identity provider, an attribute provider, a directory provider, a multi-factor authentication (MFA) provider, an email validation provider, or a self-asserted attribute provider.

18. The computer-readable storage medium of claim 15, wherein the method further comprises: storing the plurality of identity policies in a memory, wherein the identity policy that corresponds to the policy ID is provided to the memory from a remote identity operator.

19. The computer-readable storage medium of claim 18, wherein the identity policy that corresponds to the policy ID is a child identity policy comprising a base parent identity policy and one or more changes thereto specified by an application service provider that provides the application.

20. The computer-readable storage medium of claim 15, wherein the method further comprises:
   executing the user authentication process at least in part as a security token service (STS); and
   minting the token according to the identity policy that corresponds to the policy ID and the token request to include claims required by the application and the identity policy that corresponds to the policy ID.
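The journey described in the abstract and in claims 1 to 8 (a call carrying a policy ID, a UI derived from the policy's verification providers, claim transformation before a provider is consulted, verification of the asserted claim against the provider's response claim, base/child policy inheritance, and an STS step that mints a token carrying only the claims the policy allows), modelled end to end as an added example. This is not Microsoft's implementation and not code from the patent; the policy names, the directory and one-time-code records, the signing key, and the HS256 token format are constructed assumptions for the illustration.

```python
"""Toy identity-experience-framework (IEF) host: policy registry with base/child
inheritance, claim transforms, pluggable verification providers and a
token-minting (STS) step.  Constructed illustration, not Microsoft's code."""
import base64
import hashlib
import hmac
import json
import time

# Identity policies (constructed).  A child policy names its parent and
# overrides only the keys it changes (claims 5, 6, 13).
POLICIES = {
    "base_signin": {
        "providers": ["email_validation"],
        "transforms": {"email": "lowercase"},
        "output_claims": ["sub", "email"],
        "lifetime": 3600,
    },
    "app_signin_mfa": {
        "parent": "base_signin",
        "providers": ["email_validation", "mfa"],
        "output_claims": ["sub", "email", "amr"],
    },
}
# Constructed directory and one-time-code store behind the providers.
DIRECTORY = {"alice@example.com": {"sub": "u-1001"}}
OTP_STORE = {"u-1001": "482913"}
DEMO_KEY = b"constructed-demo-signing-key"  # assumption: shared HS256 key

def email_validation(claims):
    """Directory/email provider: response claim binds the email to a subject."""
    rec = DIRECTORY.get(claims.get("email", ""))
    return {"email": claims["email"], "sub": rec["sub"]} if rec else None

def mfa(claims):
    """MFA provider: constant-time check of a one-time code for the subject."""
    expected = OTP_STORE.get(claims.get("sub", ""), "")
    if expected and hmac.compare_digest(expected, str(claims.get("otp", ""))):
        return {"sub": claims["sub"], "amr": "otp"}
    return None

PROVIDERS = {"email_validation": email_validation, "mfa": mfa}
UI_FIELDS = {"email_validation": ["email"], "mfa": ["otp"]}

def resolve_policy(policy_id):
    """Merge the parent chain so the child overrides only what it specifies."""
    chain, cur = [], policy_id
    while cur is not None:
        if cur not in POLICIES:
            raise KeyError(cur)
        chain.append(POLICIES[cur])
        cur = POLICIES[cur].get("parent")
    merged = {}
    for pol in reversed(chain):  # base first, child last
        merged.update({k: v for k, v in pol.items() if k != "parent"})
    return merged

def ui_for(policy_id):
    """UI definition served to the app: the fields its providers need (claim 7)."""
    pol = resolve_policy(policy_id)
    return {"policy": policy_id,
            "fields": [f for p in pol["providers"] for f in UI_FIELDS[p]]}

def transform(claims, rules):
    """Claim transformation applied before a claim reaches a provider (claim 4)."""
    out = dict(claims)
    for name, rule in rules.items():
        if name in out and rule == "lowercase":
            out[name] = out[name].strip().lower()
    return out

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(policy_id, bag, audience, key=DEMO_KEY):
    """STS step (claim 8): HS256 token carrying only the policy's output claims."""
    pol = resolve_policy(policy_id)
    now = int(time.time())
    payload = {"iss": "ief-host", "aud": audience, "iat": now,
               "exp": now + pol["lifetime"], "pol": policy_id}
    payload.update({c: bag[c] for c in pol["output_claims"] if c in bag})
    signing_input = (_b64(b'{"alg":"HS256","typ":"JWT"}') + "." +
                     _b64(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)

def verify_token(token, key=DEMO_KEY):
    """Relying-party check: signature and expiry; returns the payload or None."""
    try:
        head, body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None
    payload = json.loads(_unb64(body))
    return payload if payload.get("exp", 0) > time.time() else None

def handle_token_request(policy_id, identity_claims, audience, key=DEMO_KEY):
    """Host side of the journey (claims 1-2): run the policy's providers in
    order, verify each asserted claim against the provider's response claim,
    then mint.  Returns None on any failure, including an unknown policy ID."""
    try:
        pol = resolve_policy(policy_id)
    except KeyError:
        return None
    bag = transform(identity_claims, pol.get("transforms", {}))
    for name in pol["providers"]:
        response = PROVIDERS[name](bag)
        if response is None:
            return None
        if any(k in bag and bag[k] != v for k, v in response.items()):
            return None  # asserted claim contradicts the provider's response
        bag.update(response)
    return mint_token(policy_id, bag, audience, key)
```

Two points the model makes visible: the host, not the application, decides which claims are minted, so the one-time code the user typed into the UI never appears in the token even though it sat in the claim bag; and a child policy changes only the provider list and output claims while inheriting the base policy's transforms and lifetime, which is what lets one base journey be specialised per application.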