Attribute-based access control

US 10,142,326 B2
Filed: 08/18/2017
Issued: 11/27/2018
Est. Priority Date: 02/20/2014
Status: Active Grant

First Claim

Patent Images

1. A method for performing attribute-based access control across a first and a second security domain in a federated processing environment, the method comprising:

adding, into a received security token that comprises first access control attributes and a signature of a first identity provider of the first security domain, additional access control attributes provided by a second identity provider of the second security domain;

re-signing, with a private key associated with a certificate of a second service provider in the second security domain, the received security token with the added additional access control attributes, where the re-signing comprises an assertion in the second security domain that the added additional access control attributes have been provided by the second identity provider of the second security domain; and

issuing the re-signed received security token for consuming, using the added additional access control attributes, by any service provider in the second security domain.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A received security token includes first access control attributes and a signature of a first identity provider of a first security domain. Additional access control attributes provided by a second identity provider of a second security domain are added into the received security token. The received security token with the added additional access control attributes is re-signed, with a private key associated with a certificate of a second service provider in the second security domain. The re-signing is an assertion in the second security domain that the added additional access control attributes have been provided by the second identity provider of the second security domain. The re-signed received security token is issued for consuming, using the added additional access control attributes, by any service provider in the second security domain.

Citations

20 Claims

1. A method for performing attribute-based access control across a first and a second security domain in a federated processing environment, the method comprising:
- adding, into a received security token that comprises first access control attributes and a signature of a first identity provider of the first security domain, additional access control attributes provided by a second identity provider of the second security domain;
  
  re-signing, with a private key associated with a certificate of a second service provider in the second security domain, the received security token with the added additional access control attributes, where the re-signing comprises an assertion in the second security domain that the added additional access control attributes have been provided by the second identity provider of the second security domain; and
  
  issuing the re-signed received security token for consuming, using the added additional access control attributes, by any service provider in the second security domain.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising:
    - transforming the additional access control attributes to be compatible with a format of the first access control attributes of the received security token; and
      
      where consuming, using the added additional access control attributes, the re-signed received security token comprises validating the re-signed received security token by verifying a re-signed signature of the second service provider and content of the re-signed received security token using a public key of the certificate of the second service provider.
  - 3. The method of claim 1, further comprising transmitting the re-signed received security token with the added additional access control attributes by a secure network protocol to a third service provider in a third security domain.
  - 4. The method of claim 1, where the received security token is a security assertion markup language (SAML) token.
  - 5. The method of claim 1, where, by the re-signing of the received security token with the added additional access control attributes, the second service provider becomes an asserting party in the second security domain.
  - 6. The method of claim 1, where the received security token being received in the second security domain invokes at least a second transaction of a transaction processing chain that involves multiple distinct websites across multiple security domains, and where the second service provider in the second security domain comprises a next transaction website in the transaction processing chain after a website transaction involving a website hosted by a first service provider in the first security domain.
  - 7. The method of claim 1, further comprising:
    - removing the signature of the first identity provider of the first security domain from the received security token; and
      
      updating the received security token with an identifier of the second service provider in the second security domain, where the second service provider in the second security domain becomes a new issuer of the received security token in the second security domain.

8. An apparatus for performing attribute-based access control across a first and a second security domain in a federated processing environment, the apparatus comprising:
- a memory; and
  
  at least one processor programmed to;
  
  add, into a received security token that comprises first access control attributes and a signature of a first identity provider of the first security domain, additional access control attributes provided by a second identity provider of the second security domain;
  
  re-sign, with a private key associated with a certificate of a second service provider in the second security domain, the received security token with the added additional access control attributes, where the re-signing comprises an assertion in the second security domain that the added additional access control attributes have been provided by the second identity provider of the second security domain; and
  
  issue the re-signed received security token for consuming, using the added additional access control attributes, by any service provider in the second security domain.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The apparatus of claim 8, where the at least one processor is further programmed to:
    - transform the additional access control attributes to be compatible with a format of the first access control attributes of the received security token; and
      
      where consuming, using the added additional access control attributes, the re-signed received security token comprises the at least one processor validating the re-signed received security token by verifying a re-signed signature of the second service provider and content of the re-signed received security token using a public key of the certificate of the second service provider.
  - 10. The apparatus of claim 8, where the at least one processor is further programmed to transmit the re-signed received security token with the added additional access control attributes by a secure network protocol to a third service provider in a third security domain.
  - 11. The apparatus of claim 8, where the received security token is a security assertion markup language (SAML) token;
    - and where, by the re-signing of the received security token with the added additional access control attributes, the second service provider becomes an asserting party in the second security domain.
  - 12. The apparatus of claim 8, where the received security token being received in the second security domain invokes at least a second transaction of a transaction processing chain that involves multiple distinct websites across multiple security domains, and where the second service provider in the second security domain comprises a next transaction website in the transaction processing chain after a website transaction involving a website hosted by a first service provider in the first security domain.
  - 13. The apparatus of claim 8, where the at least one processor is further programmed to:
    - remove the signature of the first identity provider of the first security domain from the received security token; and
      
      update the received security token with an identifier of the second service provider in the second security domain, where the second service provider in the second security domain becomes a new issuer of the received security token in the second security domain.

14. A computer program product, comprising:
- a computer readable storage medium having computer readable program code embodied therewith, where the computer readable storage medium is not a transitory signal per se and where the computer readable program code when executed on a computer causes the computer to, as part of performing attribute-based access control across a first and a second security domain in a federated processing environment;
  
  add, into a received security token that comprises first access control attributes and a signature of a first identity provider of the first security domain, additional access control attributes provided by a second identity provider of the second security domain;
  
  re-sign, with a private key associated with a certificate of a second service provider in the second security domain, the received security token with the added additional access control attributes, where the re-signing comprises an assertion in the second security domain that the added additional access control attributes have been provided by the second identity provider of the second security domain; and
  
  issue the re-signed received security token for consuming, using the added additional access control attributes, by any service provider in the second security domain.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The computer program product of claim 14, where the computer readable program code when executed on the computer further causes the computer to:
    - transform the additional access control attributes to be compatible with a format of the first access control attributes of the received security token; and
      
      where consuming, using the added additional access control attributes, the re-signed received security token comprises validating the re-signed received security token by verifying a re-signed signature of the second service provider and content of the re-signed received security token using a public key of the certificate of the second service provider.
  - 16. The computer program product of claim 14, where the computer readable program code when executed on the computer further causes the computer to transmit the re-signed received security token with the added additional access control attributes by a secure network protocol to a third service provider in a third security domain.
  - 17. The computer program product of claim 14, where the received security token is a security assertion markup language (SAML) token.
  - 18. The computer program product of claim 14, where, by the re-signing of the received security token with the added additional access control attributes, the second service provider becomes an asserting party in the second security domain.
  - 19. The computer program product of claim 14, where the received security token being received in the second security domain invokes at least a second transaction of a transaction processing chain that involves multiple distinct websites across multiple security domains, and where the second service provider in the second security domain comprises a next transaction website in the transaction processing chain after a website transaction involving a website hosted by a first service provider in the first security domain.
  - 20. The computer program product of claim 14, where the computer readable program code when executed on the computer further causes the computer to:
    - remove the signature of the first identity provider of the first security domain from the received security token; and
      
      update the received security token with an identifier of the second service provider in the second security domain, where the second service provider in the second security domain becomes a new issuer of the received security token in the second security domain.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Flamini, Elisabetta, Penfold, Colin R.
Primary Examiner(s)
Lanier, Benjamin E

Application Number

US15/681,006
Publication Number

US 20170374060A1
Time in Patent Office

466 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/0823   using certificates cryptogr...

Attribute-based access control

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Attribute-based access control

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links