System and method for credential delegation using identity assertion
1 Assignment
0 Petitions
Abstract
A system and method for run-as credentials delegation using identity assertion is presented. A server receives a request from a client that includes the client's user identifier and password. The server authenticates the client and stores the client's user identifier without the corresponding password in a client credential storage area. The server determines if a run-as command is specified to communicate with a downstream server. If a run-as command is specified, the server retrieves a corresponding run-as identity which identifies whether a client credential type, a server credential type, or a specific identifier credential type should be used in the run-as command. The server retrieves an identified credential corresponding to the identified credential type, and sends the identified credential in an identity assertion token to a downstream server.
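The flow in the abstract (authenticate the client, keep only the user identifier, resolve the run-as identity to a client, server or specific-identifier credential, and assert that identity to a downstream server) as an added Python illustration. This is not the patent's or any assignee's code; the token format (a JSON payload with an HMAC-SHA256 tag), the shared signing key, the user store and the identifier values are all assumptions made for the example.

```python
"""Run-as credential delegation with a signed identity assertion token.

Added illustration of the mechanism the abstract describes. The token
format (JSON payload + HMAC-SHA256), the shared key and the user store
are assumptions for this example, not the patent's own design.
"""
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass
from enum import Enum

# Constructed user store: user id -> salted SHA-256 digest of the password.
_SALT = b"constructed-salt"
USER_STORE = {
    "alice": hashlib.sha256(_SALT + b"alice-pw").hexdigest(),
}

# Assumed secret shared by the first server and the downstream server.
SIGNING_KEY = b"assumed-shared-key-between-servers"


class CredentialType(Enum):
    CLIENT = "client"        # propagate the authenticated client's identity
    SERVER = "server"        # act as the first server's own identity
    SPECIFIC = "specific"    # act as a configured specific identifier


@dataclass(frozen=True)
class Credential:
    cred_type: CredentialType
    user_id: str             # identifier only; the password is never stored


def authenticate(user_id: str, password: str) -> Credential:
    """Authenticate the client request and keep only the user identifier."""
    expected = USER_STORE.get(user_id)
    digest = hashlib.sha256(_SALT + password.encode()).hexdigest()
    if expected is None or not hmac.compare_digest(expected, digest):
        raise PermissionError("authentication failed")
    return Credential(CredentialType.CLIENT, user_id)


def select_credential(run_as: CredentialType, client_cred: Credential,
                      server_cred: Credential, specific_cred: Credential) -> Credential:
    """Resolve the run-as identity to one of the three credential types."""
    table = {
        CredentialType.CLIENT: client_cred,
        CredentialType.SERVER: server_cred,
        CredentialType.SPECIFIC: specific_cred,
    }
    return table[run_as]


def generate_identity_assertion_token(cred: Credential, key: bytes, now=None) -> str:
    """Build 'payload.mac': an HMAC over a JSON payload (assumed format)."""
    payload = json.dumps({
        "sub": cred.user_id,
        "type": cred.cred_type.value,
        "iat": int(now if now is not None else time.time()),
        "nonce": secrets.token_hex(8),
    }, sort_keys=True)
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + mac


def verify_identity_assertion_token(token: str, key: bytes, max_age=300, now=None) -> dict:
    """Downstream server check: the MAC must verify and the token must be fresh."""
    payload, _, mac = token.rpartition(".")
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        raise PermissionError("bad token signature")
    claims = json.loads(payload)
    age = (now if now is not None else time.time()) - claims["iat"]
    if age < 0 or age > max_age:
        raise PermissionError("token expired")
    return claims


def handle_request(user_id: str, password: str, run_as: CredentialType) -> dict:
    """First server: authenticate, pick the run-as credential, assert downstream."""
    client_cred = authenticate(user_id, password)
    server_cred = Credential(CredentialType.SERVER, "app-server-1")    # assumed id
    specific_cred = Credential(CredentialType.SPECIFIC, "batch-svc")   # assumed id
    chosen = select_credential(run_as, client_cred, server_cred, specific_cred)
    token = generate_identity_assertion_token(chosen, SIGNING_KEY)
    if password in token:  # the password must never leave the first server
        raise RuntimeError("password leaked into assertion token")
    # What the downstream server would see after verifying the token.
    return verify_identity_assertion_token(token, SIGNING_KEY)


if __name__ == "__main__":
    print(handle_request("alice", "alice-pw", CredentialType.CLIENT))
    print(handle_request("alice", "alice-pw", CredentialType.SERVER))
```

The point to notice is that the downstream server never receives or checks the client's password: it trusts the first server's assertion, so the integrity of the token (here the HMAC and the freshness window) and the protection of the shared key are what stand between an attacker and impersonation of any user.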
83 Citations
27 Claims
1. A method for handling network security, said method comprising:
receiving, at a first server, a client request, wherein the client request includes a user identifier and a password;
storing the user identifier without the password in a client credential, wherein the client credential corresponds to a client credential type;
identifying a credential type from a plurality of credential types, wherein the plurality of credential types includes the client credential type, and wherein the identifying results in an identified credential type; and
generating an identity assertion token using an identified credential which corresponds to the identified credential type.
Dependent claims: 2, 3, 4, 5, 6, 7.

8. A method for handling network security, said method comprising:
receiving, at a first server, a client request, wherein the client request includes a user identifier and a password;
authenticating the client request using a security service;
determining whether to forward the client request to a downstream server;
storing the user identifier without the password in a client credential based upon the determination, wherein the client credential corresponds to a client credential type;
identifying a credential type from a plurality of credential types, wherein the plurality of credential types includes the client credential type, and wherein the identifying results in an identified credential type;
generating an identity assertion token using an identified credential which corresponds to the identified credential type; and
sending the identity assertion token to a second server.
Dependent claims: 9.

10. An information handling system comprising:
one or more processors;
a memory accessible by the processors;
one or more nonvolatile storage devices accessible by the processors;
a network security tool to handle network security, the network security tool including:
means for receiving, at a first server, a client request, wherein the client request includes a user identifier and a password;
means for storing the user identifier without the password in a client credential located in one of the nonvolatile storage devices based upon the determination, wherein the client credential corresponds to a client credential type;
means for identifying a credential type from a plurality of credential types using an identification tool, wherein the plurality of credential types includes the client credential type, and wherein the identifying results in an identified credential type; and
means for generating an identity assertion token using a generation tool wherein the identity assertion token includes an identified credential which corresponds to the identified credential type.
Dependent claims: 11, 12, 13, 14, 15, 16.

17. An information handling system comprising:
one or more processors;
a memory accessible by the processors;
one or more nonvolatile storage devices accessible by the processors;
a network security tool to handle network security, the network security tool including:
means for receiving, at a first server, a client request, wherein the client request includes a user identifier and a password;
means for authenticating the client request using a security service tool;
means for determining whether to forward the client request to a downstream server;
means for storing the user identifier without the password in a client credential located in one of the nonvolatile storage devices based upon the determination, wherein the client credential corresponds to a client credential type;
means for identifying a credential type from a plurality of credential types using an identification tool, wherein the plurality of credential types includes the client credential type, and wherein the identifying results in an identified credential type;
means for generating an identity assertion token using a generation tool wherein the identity assertion token includes an identified credential which corresponds to the identified credential type; and
means for sending the identity assertion token to a second server.
Dependent claims: 18.

19. A computer program product stored in a computer operable media for handling network security, said computer program product comprising:
means for receiving, at a first server, a client request, wherein the client request includes a user identifier and a password;
means for storing the user identifier without the password in a client credential, wherein the client credential corresponds to a client credential type;
means for identifying a credential type from a plurality of credential types, wherein the plurality of credential types includes the client credential type, and wherein the identifying results in an identified credential type; and
means for generating an identity assertion token using an identified credential which corresponds to the identified credential type.
Dependent claims: 20, 21, 22, 23, 24, 25.

26. A computer program product stored in a computer operable media for handling network security, said computer program product comprising:
means for receiving, at a first server, a client request, wherein the client request includes a user identifier and a password;
means for authenticating the client request using a security service;
means for determining whether to forward the client request to a downstream server;
means for storing the user identifier without the password in a client credential based upon the determination, wherein the client credential corresponds to a client credential type;
means for identifying a credential type from a plurality of credential types, wherein the plurality of credential types includes the client credential type, and wherein the identifying results in an identified credential type;
means for generating an identity assertion token using an identified credential which corresponds to the identified credential type; and
means for sending the identity assertion token to a second server.
Dependent claims: 27.
Specification