Method and system for proof-of-possession operations associated with authentication assertions in a heterogeneous federated environment

US 20040128392A1
Filed: 12/31/2002
Published: 07/01/2004
Est. Priority Date: 12/31/2002
Status: Active Grant

First Claim

Patent Images

1. A method for assertion processing within a data processing system, the method comprising:

receiving, from a first trust proxy within a first domain at a second trust proxy in a second domain, an assertion associated with a user, wherein the assertion is associated with a request from a client to access a controlled resource within the second domain;

challenging a user of the client to provide information that is required to be possessed by the user that is associated with the assertion; and

in response to a determination that the user of the client possesses the information that is required to be possessed by the user that is associated with the assertion, validating the assertion at the second trust proxy.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, apparatus, system, and computer program product are presented in which federated domains interact within a federated environment. Domains within a federation are able to initiate federated single-sign-on operations for a user at other federated domains. A point-of-contact server within a domain relies upon a trust proxy within the domain to manage trust relationships between the domain and the federation. Trust proxies interpret assertions from other federated domains as necessary. Trust proxies may have a trust relationship with one or more trust brokers, and a trust proxy may rely upon a trust broker for assistance in interpreting assertions. To enhance security, domains may also require users to re-prove their identity through proof-of-possession challenges that are executed after a user has initiated a single-sign-on operation.

Citations

36 Claims

1. A method for assertion processing within a data processing system, the method comprising:
- receiving, from a first trust proxy within a first domain at a second trust proxy in a second domain, an assertion associated with a user, wherein the assertion is associated with a request from a client to access a controlled resource within the second domain;
  
  challenging a user of the client to provide information that is required to be possessed by the user that is associated with the assertion; and
  
  in response to a determination that the user of the client possesses the information that is required to be possessed by the user that is associated with the assertion, validating the assertion at the second trust proxy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1 further comprising:
    - sending from the second trust proxy to the first trust proxy a request for challenge information;
      
      receiving the challenge information at the second trust proxy from the first trust proxy;
      
      generating a proof-of-possession challenge at the second trust proxy, wherein a valid response to the proof-of-possession challenge comprises the information that is required to be possessed by the user that is associated with the assertion; and
      
      sending the proof-of-possession challenge to the client.
  - 3. The method of claim 2 further comprising:
    - validating a response to the proof-of-possession challenge at the second trust proxy.
  - 4. The method of claim 2 further comprising:
    - validating a response to the proof-of-possession challenge at the first trust proxy.
  - 5. The method of claim 2 further comprising:
    - passing the proof-of-possession challenge and the response to the proof-of-possession challenge between the first trust proxy and the second trust proxy via a trust broker.
  - 6. The method of claim 2 further comprising:
    - passing the proof-of-possession challenge and the response to the proof-of-possession challenge between the first trust proxy and the second trust proxy via a third trust proxy.
  - 7. The method of claim 1 further comprising:
    - providing access to the controlled resource in response to a successful validation of the assertion at the second trust proxy.
  - 8. The method of claim 1 further comprising:
    - determining within the first domain to generate the assertion for the user at the first trust proxy prior to receipt of the request for the controlled resource at the system in the second domain; and
      
      pushing the assertion from the first domain to the second domain along with the request for the controlled resource.
  - 9. The method of claim 1 further comprising:
    - pulling the assertion from the second trust proxy from the first trust proxy after receipt of the request for the controlled resource at the system in the second domain.
  - 10. The method of claim 1 further comprising:
    - establishing a trust relationship between the first trust proxy and the second trust proxy.
  - 11. The method of claim 1 further comprising:
    - maintaining an indirect relationship between the first trust proxy and the second trust proxy through a trust broker.
  - 12. The method of claim 1 wherein the assertion is an authentication assertion, an authorization assertion, or an attribute assertion.

13. An apparatus for assertion processing within a data processing system, the apparatus comprising:
- means for receiving, from a first trust proxy within a first domain at a second trust proxy in a second domain, an assertion associated with a user, wherein the assertion is associated with a request from a client to access a controlled resource within the second domain;
  
  means for challenging a user of the client to provide information that is required to be possessed by the user that is associated with the assertion; and
  
  means for validating the assertion at the second trust proxy in response to a determination that the user of the client possesses the information that is required to be possessed by the user that is associated with the assertion.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 14. The apparatus of claim 13 further comprising:
    - means for sending from the second trust proxy to the first trust proxy a request for challenge information;
      
      means for receiving the challenge information at the second trust proxy from the first trust proxy;
      
      means for generating a proof-of-possession challenge at the second trust proxy, wherein a valid response to the proof-of-possession challenge comprises the information that is required to be possessed by the user that is associated with the assertion; and
      
      means for sending the proof-of-possession challenge to the client.
  - 15. The apparatus of claim 14 further comprising:
    - means for validating a response to the proof-of-possession challenge at the second trust proxy.
  - 16. The apparatus of claim 14 further comprising:
    - means for validating a response to the proof-of-possession challenge at the first trust proxy.
  - 17. The apparatus of claim 14 further comprising:
    - means for passing the proof-of-possession challenge and the response to the proof-of-possession challenge between the first trust proxy and the second trust proxy via a trust broker.
  - 18. The apparatus of claim 14 further comprising:
    - means for passing the proof-of-possession challenge and the response to the proof-of-possession challenge between the first trust proxy and the second trust proxy via a third trust proxy.
  - 19. The apparatus of claim 13 further comprising:
    - means for providing access to the controlled resource in response to a successful validation of the assertion at the second trust proxy.
  - 20. The apparatus of claim 13 further comprising:
    - means for determining within the first domain to generate the assertion for the user at the first trust proxy prior to receipt of the request for the controlled resource at the system in the second domain; and
      
      means for pushing the assertion from the first domain to the second domain along with the request for the controlled resource.
  - 21. The apparatus of claim 13 further comprising:
    - means for pulling the assertion from the second trust proxy from the first trust proxy after receipt of the request for the controlled resource at the system in the second domain.
  - 22. The apparatus of claim 13 further comprising:
    - means for establishing a trust relationship between the first trust proxy and the second trust proxy.
  - 23. The apparatus of claim 13 further comprising:
    - means for maintaining an indirect relationship between the first trust proxy and the second trust proxy through a trust broker.
  - 24. The apparatus of claim 13 wherein the assertion is an authentication assertion, an authorization assertion, or an attribute assertion.

25. A computer program product in a computer readable medium for use in a data processing system for assertion processing, the computer program product comprising:
- means for receiving, from a first trust proxy within a first domain at a second trust proxy in a second domain, an assertion associated with a user, wherein the assertion is associated with a request from a client to access a controlled resource within the second domain;
  
  means for challenging a user of the client to provide information that is required to be possessed by the user that is associated with the assertion; and
  
  means for validating the assertion at the second trust proxy in response to a determination that the user of the client possesses the information that is required to be possessed by the user that is associated with the assertion.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 26. The computer program product of claim 25 further comprising:
    - means for sending from the second trust proxy to the first trust proxy a request for challenge information;
      
      means for receiving the challenge information at the second trust proxy from the first trust proxy;
      
      means for generating a proof-of-possession challenge at the second trust proxy, wherein a valid response to the proof-of-possession challenge comprises the information that is required to be possessed by the user that is associated with the assertion; and
      
      means for sending the proof-of-possession challenge to the client.
  - 27. The computer program product of claim 26 further comprising:
    - means for validating a response to the proof-of-possession challenge at the second trust proxy.
  - 28. The computer program product of claim 26 further comprising:
    - means for validating a response to the proof-of-possession challenge at the first trust proxy.
  - 29. The computer program product of claim 26 further comprising:
    - means for passing the proof-of-possession challenge and the response to the proof-of-possession challenge between the first trust proxy and the second trust proxy via a trust broker.
  - 30. The computer program product of claim 26 further comprising:
    - means for passing the proof-of-possession challenge and the response to the proof-of-possession challenge between the first trust proxy and the second trust proxy via a third trust proxy.
  - 31. The computer program product of claim 25 further comprising:
    - means for providing access to the controlled resource in response to a successful validation of the assertion at the second trust proxy.
  - 32. The computer program product of claim 25 further comprising:
    - means for determining within the first domain to generate the assertion for the user at the first trust proxy prior to receipt of the request for the controlled resource at the system in the second domain; and
      
      means for pushing the assertion from the first domain to the second domain along with the request for the controlled resource.
  - 33. The computer program product of claim 25 further comprising:
    - means for pulling the assertion from the second trust proxy from the first trust proxy after receipt of the request for the controlled resource at the system in the second domain.
  - 34. The computer program product of claim 25 further comprising:
    - means for establishing a trust relationship between the first trust proxy and the second trust proxy.
  - 35. The computer program product of claim 25 further comprising:
    - means for maintaining an indirect relationship between the first trust proxy and the second trust proxy through a trust broker.
  - 36. The computer program product of claim 25 wherein the assertion is an authentication assertion, an authorization assertion, or an attribute assertion.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Hinton, Heather Maria, Blakley, George Robert III

Granted Patent

US 8,554,930 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/229
CPC Class Codes

H04L 63/0815 providing single-sign-on or...

H04L 63/083 using passwords cryptograph...

Method and system for proof-of-possession operations associated with authentication assertions in a heterogeneous federated environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

36 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for proof-of-possession operations associated with authentication assertions in a heterogeneous federated environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

36 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links