Attribute-based access control
Abstract
A received security token includes first access control attributes and a signature of a first identity provider of a first security domain. Additional access control attributes provided by a second identity provider of a second security domain are added into the received security token. The received security token with the added additional access control attributes is re-signed, with a private key associated with a certificate of a second service provider in the second security domain. The re-signing is an assertion in the second security domain that the added additional access control attributes have been provided by the second identity provider of the second security domain. The re-signed received security token is issued for consuming, using the added additional access control attributes, by any service provider in the second security domain.
20 Claims
1. A method for performing attribute-based access control across a first and a second security domain in a federated processing environment, the method comprising:
adding, into a received security token that comprises first access control attributes and a signature of a first identity provider of the first security domain, additional access control attributes provided by a second identity provider of the second security domain;
re-signing, with a private key associated with a certificate of a second service provider in the second security domain, the received security token with the added additional access control attributes, where the re-signing comprises an assertion in the second security domain that the added additional access control attributes have been provided by the second identity provider of the second security domain; and
issuing the re-signed received security token for consuming, using the added additional access control attributes, by any service provider in the second security domain.
(Dependent claims 2, 3, 4, 5, 6 and 7 are not reproduced here.)
8. An apparatus for performing attribute-based access control across a first and a second security domain in a federated processing environment, the apparatus comprising:
a memory; and
at least one processor programmed to:
add, into a received security token that comprises first access control attributes and a signature of a first identity provider of the first security domain, additional access control attributes provided by a second identity provider of the second security domain;
re-sign, with a private key associated with a certificate of a second service provider in the second security domain, the received security token with the added additional access control attributes, where the re-signing comprises an assertion in the second security domain that the added additional access control attributes have been provided by the second identity provider of the second security domain; and
issue the re-signed received security token for consuming, using the added additional access control attributes, by any service provider in the second security domain.
(Dependent claims 9, 10, 11, 12 and 13 are not reproduced here.)
14. A computer program product, comprising:
a computer readable storage medium having computer readable program code embodied therewith, where the computer readable storage medium is not a transitory signal per se and where the computer readable program code when executed on a computer causes the computer to, as part of performing attribute-based access control across a first and a second security domain in a federated processing environment:
add, into a received security token that comprises first access control attributes and a signature of a first identity provider of the first security domain, additional access control attributes provided by a second identity provider of the second security domain;
re-sign, with a private key associated with a certificate of a second service provider in the second security domain, the received security token with the added additional access control attributes, where the re-signing comprises an assertion in the second security domain that the added additional access control attributes have been provided by the second identity provider of the second security domain; and
issue the re-signed received security token for consuming, using the added additional access control attributes, by any service provider in the second security domain.
(Dependent claims 15, 16, 17, 18, 19 and 20 are not reproduced here.)
Specification