System and method for credential delegation using identity assertion

US 20040088578A1
Filed: 10/31/2002
Published: 05/06/2004
Est. Priority Date: 10/31/2002
Status: Active Grant

First Claim

Patent Images

1. A method for handling network security, said method comprising:

receiving, at a first server, a client request, wherein the client request includes a user identifier and a password;

storing the user identifier without the password in a client credential, wherein the client credential corresponds to a client credential type;

identifying a credential type from a plurality of credential types, wherein the plurality of credential types includes the client credential type, and wherein the identifying results in an identified credential type; and

generating an identity assertion token using an identified credential which corresponds to the identified credential type.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for run-as credentials delegation using identity assertion is presented. A server receives a request from a client that includes the client'"'"'s user identifier and password. The server authenticates the client and stores the client'"'"'s user identifier without the corresponding password in a client credential storage area. The server determines if a run-as command is specified to communicate with a downstream server. If a run-as command is specified, the server retrieves a corresponding run-as identity which identifies whether a client credential type, a server credential type, or a specific identifier credential type should be used in the run-as command. The server retrieves an identified credential corresponding to the identified credential type, and sends the identified credential in an identity assertion token to a downstream server.

83 Citations

View as Search Results

27 Claims

1. A method for handling network security, said method comprising:
- receiving, at a first server, a client request, wherein the client request includes a user identifier and a password;
  
  storing the user identifier without the password in a client credential, wherein the client credential corresponds to a client credential type;
  
  identifying a credential type from a plurality of credential types, wherein the plurality of credential types includes the client credential type, and wherein the identifying results in an identified credential type; and
  
  generating an identity assertion token using an identified credential which corresponds to the identified credential type.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method as described in claim 1 wherein the credential type is selected from the group consisting of the client credential type, a server credential type, and a specific identifier credential type.
  - 3. The method as described in claim 1 further comprising:
    - determining whether a run-as command is specified;
      
      performing the identifying based upon the determination.
  - 4. The method as described in claim 3 further comprising:
    - selecting the client credential as the identified credential based upon the determination.
  - 5. The method as described in claim 1 further comprising:
    - determining whether an enterprise Java bean has been invoked; and
      
      performing the generating based upon the determination.
  - 6. The method as described in claim 1 wherein the identity assertion token includes the identified credential and a server credential.
  - 7. The method as described in claim 1 further comprising:
    - authenticating the client request using a security service;
      
      performing the storing, the identifying, and the generating in response to the authentication; and
      
      sending the identity assertion token to a downstream server.

8. A method for handling network security, said method comprising:
- receiving, at a first server, a client request, wherein the client request includes a user identifier and a password;
  
  authenticating the client request using a security service;
  
  determining whether to forward the client request to a downstream server;
  
  storing the user identifier without the password in a client credential based upon the determination, wherein the client credential corresponds to a client credential type;
  
  identifying a credential type from a plurality of credential types, wherein the plurality of credential types includes the client credential type, and wherein the identifying results in an identified credential type;
  
  generating an identity assertion token using an identified credential which corresponds to the identified credential type; and
  
  sending the identity assertion token to a second server.
- View Dependent Claims (9)
- - 9. The method as described in claim 8 wherein the credential type is selected from the group consisting of the client credential type, a server credential type, and a specific identifier credential type.

10. An information handling system comprising:
- one or more processors;
  
  a memory accessible by the processors;
  
  one or more nonvolatile storage devices accessible by the processors;
  
  a network security tool to handle network security, the network security tool including;
  
  means for receiving, at a first server, a client request, wherein the client request includes a user identifier and a password;
  
  means for storing the user identifier without the password in a client credential located in one of the nonvolatile storage devices based upon the determination, wherein the client credential corresponds to a client credential type;
  
  means for identifying a credential type from a plurality of credential types using an identification tool, wherein the plurality of credential types includes the client credential type, and wherein the identifying results in an identified credential type;
  
  and means for generating an identity assertion token using a generation tool wherein the identity assertion token includes an identified credential which corresponds to the identified credential type.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The information handling system as described in claim 10 wherein the credential type is selected from the group consisting of the client credential type, a server credential type, and a specific identifier credential type.
  - 12. The information handling system as described in claim 10 further comprising:
    - means for determining whether a run-as command is specified;
      
      means for performing the identifying based upon the determination.
  - 13. The information handling system as described in claim 12 further comprising:
    - means for selecting the client credential as the identified credential based upon the determination.
  - 14. The information handling system as described in claim 10 further comprising:
    - means for determining whether an enterprise Java bean has been invoked; and
      
      means for performing the generating based upon the determination.
  - 15. The information handling system as described in claim 10 wherein the identity assertion token includes the identified credential and a server credential.
  - 16. The information handling system as described in claim 10 further comprising:
    - means for authenticating the client request using a security service;
      
      means for performing the storing, the identifying, and the generating in response to the authentication; and
      
      means for sending the identity assertion token to a downstream server.

17. An information handling system comprising:
- one or more processors;
  
  a memory accessible by the processors;
  
  one or more nonvolatile storage devices accessible by the processors;
  
  a network security tool to handle network security, the network security tool including;
  
  means for receiving, at a first server, a client request, wherein the client request includes a user identifier and a password;
  
  means for authenticating the client request using a security service tool;
  
  means for determining whether to forward the client request to a downstream server;
  
  means for storing the user identifier without the password in a client credential located in one of the nonvolatile storage devices based upon the determination, wherein the client credential corresponds to a client credential type;
  
  means for identifying a credential type from a plurality of credential types using an identification tool, wherein the plurality of credential types includes the client credential type, and wherein the identifying results in an identified credential type;
  
  means for generating an identity assertion token using a generation tool wherein the identity assertion token includes an identified credential which corresponds to the identified credential type; and
  
  means for sending the identity assertion token to a second server.
- View Dependent Claims (18)
- - 18. The information handling system as described in claim 17 wherein the credential type is selected from the group consisting of the client credential type, a server credential type, and a specific identifier credential type.

19. A computer program product stored in a computer operable media for handling network security, said computer program product comprising:
- means for receiving, at a first server, a client request, wherein the client request includes a user identifier and a password;
  
  means for storing the user identifier without the password in a client credential, wherein the client credential corresponds to a client credential type;
  
  means for identifying a credential type from a plurality of credential types, wherein the plurality of credential types includes the client credential type, and wherein the identifying results in an identified credential type; and
  
  means for generating an identity assertion token using an identified credential which corresponds to the identified credential type.
- View Dependent Claims (20, 21, 22, 23, 24, 25)
- - 20. The computer program product as described in claim 19 wherein the credential type is selected from the group consisting of the client credential type, a server credential type, and a specific identifier credential type.
  - 21. The computer program product as described in claim 19 further comprising:
    - means for determining whether a run-as command is specified;
      
      means for performing the identifying based upon the determination.
  - 22. The computer program product as described in claim 21 further comprising:
    - means for selecting the client credential as the identified credential based upon the determination.
  - 23. The computer program product as described in claim 19 further comprising:
    - means for determining whether an enterprise Java bean has been invoked; and
      
      means for performing the generating based upon the determination.
  - 24. The computer program product as described in claim 19 wherein the identity assertion token includes the identified credential and a server credential.
  - 25. The computer program product as described in claim 19 further comprising:
    - means for authenticating the client request using a security service;
      
      means for performing the storing, the identifying, and the generating in response to the authentication; and
      
      means for sending the identity assertion token to a downstream server.

26. A computer program product stored in a computer operable media for handling network security, said computer program product comprising:
- means for receiving, at a first server, a client request, wherein the client request includes a user identifier and a password;
  
  means for authenticating the client request using a security service;
  
  means for determining whether to forward the client request to a downstream server;
  
  means for storing the user identifier without the password in a client credential based upon the determination, wherein the client credential corresponds to a client credential type;
  
  means for identifying a credential type from a plurality of credential types, wherein the plurality of credential types includes the client credential type, and wherein the identifying results in an identified credential type;
  
  means for generating an identity assertion token using an identified credential which corresponds to the identified credential type; and
  
  means for sending the identity assertion token to a second server.
- View Dependent Claims (27)
- - 27. The computer program product as described in claim 26 wherein the credential type is selected from the group consisting of the client credential type, a server credential type, and a specific identifier credential type.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Venkataramappa, Vishwanath, Chao, Ching-Yun, Chung, Hyen Vui, Reddy, Ajay

Granted Patent

US 7,526,798 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

H04L 63/0807 using tickets, e.g. Kerbero...

H04L 63/205 involving negotiation or de...

System and method for credential delegation using identity assertion

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

83 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for credential delegation using identity assertion

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

83 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links