Method and system for proof-of-possession operations associated with authentication assertions in a heterogeneous federated environment
Abstract
A method, apparatus, system, and computer program product are presented in which federated domains interact within a federated environment. Domains within a federation are able to initiate federated single-sign-on operations for a user at other federated domains. A point-of-contact server within a domain relies upon a trust proxy within the domain to manage trust relationships between the domain and the federation. Trust proxies interpret assertions from other federated domains as necessary. Trust proxies may have a trust relationship with one or more trust brokers, and a trust proxy may rely upon a trust broker for assistance in interpreting assertions. To enhance security, domains may also require users to re-prove their identity through proof-of-possession challenges that are executed after a user has initiated a single-sign-on operation.
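The flow the abstract describes (assertion from the first domain's trust proxy, a proof-of-possession challenge at the second domain's trust proxy, and validation only after the user proves possession) as an added, runnable example. This is illustrative code written for this page, not the patent's implementation or any product's. It assumes, for simplicity, a symmetric trust key shared by the two trust proxies (standing in for whatever signing arrangement the real trust relationship uses), an HMAC over canonical JSON as the assertion signature, and a `cnf` claim that carries the user's confirmation key in the clear on the assumption that the proxy-to-proxy channel is confidential. All domain names, class names, and keys are constructed for the demo.

```python
import hashlib
import hmac
import json
import secrets
import time

# Assumed: symmetric trust key pre-established between the two trust proxies (demo only).
TRUST_KEY = b"constructed-shared-trust-key-for-demo-only"
CHALLENGE_TTL_SECONDS = 60
ASSERTION_TTL_SECONDS = 300


def canonical(claims):
    """Deterministic encoding so issuer and verifier MAC identical bytes."""
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def sign_claims(trust_key, claims):
    return hmac.new(trust_key, canonical(claims), hashlib.sha256).hexdigest()


def pop_message(nonce, assertion_id, audience):
    """Bytes the client must MAC with the confirmation key: nonce, assertion id, audience."""
    return f"{nonce}|{assertion_id}|{audience}".encode()


class IssuingTrustProxy:
    """Trust proxy in the first (identity-providing) domain."""

    def __init__(self, domain, trust_key):
        self.domain, self.trust_key = domain, trust_key

    def issue_assertion(self, subject, audience, pop_key):
        claims = {
            "id": secrets.token_hex(8),
            "issuer": self.domain,
            "subject": subject,
            "audience": audience,
            "exp": int(time.time()) + ASSERTION_TTL_SECONDS,
            # 'cnf' binds the assertion to a key the user must later prove possession of.
            # Assumed: the assertion travels proxy-to-proxy over a confidential channel.
            "cnf": {"key": pop_key.hex()},
        }
        return {"claims": claims, "sig": sign_claims(self.trust_key, claims)}


class Client:
    """User agent holding the confirmation key it obtained when logging in at domain A."""

    def __init__(self, pop_key):
        self.pop_key = pop_key

    def answer_challenge(self, challenge):
        msg = pop_message(challenge["nonce"], challenge["assertion_id"], challenge["audience"])
        return hmac.new(self.pop_key, msg, hashlib.sha256).hexdigest()


class RelyingTrustProxy:
    """Trust proxy in the second domain: verify the assertion, challenge, then validate."""

    def __init__(self, domain, trust_key):
        self.domain, self.trust_key = domain, trust_key
        self.pending = {}  # nonce -> (assertion, time challenged); every nonce is single-use

    def receive_assertion(self, assertion):
        """Step 1: check the trust-relationship signature and scope, then issue a challenge."""
        claims = assertion["claims"]
        if not hmac.compare_digest(sign_claims(self.trust_key, claims), assertion["sig"]):
            raise ValueError("assertion signature does not verify under the trust relationship")
        if claims["audience"] != self.domain:
            raise ValueError("assertion was not issued for this domain")
        if claims["exp"] < time.time():
            raise ValueError("assertion expired")
        nonce = secrets.token_hex(16)
        self.pending[nonce] = (assertion, time.time())
        return {"nonce": nonce, "assertion_id": claims["id"], "audience": self.domain}

    def validate_with_proof(self, nonce, response):
        """Step 2: validate the assertion only if the response proves possession of the bound key.
        Returns the validated claims, or None when the proof fails."""
        entry = self.pending.pop(nonce, None)  # popped so a consumed nonce cannot be replayed
        if entry is None:
            return None
        assertion, challenged_at = entry
        if time.time() - challenged_at > CHALLENGE_TTL_SECONDS:
            return None
        claims = assertion["claims"]
        pop_key = bytes.fromhex(claims["cnf"]["key"])
        expected = hmac.new(pop_key, pop_message(nonce, claims["id"], self.domain), hashlib.sha256).hexdigest()
        return claims if hmac.compare_digest(expected, response) else None


def run_demo():
    """Legitimate user passes; a copied assertion without the key fails; a replayed nonce fails."""
    idp = IssuingTrustProxy("a.example", TRUST_KEY)
    rp = RelyingTrustProxy("b.example", TRUST_KEY)
    user_key = secrets.token_bytes(32)
    assertion = idp.issue_assertion("alice", "b.example", user_key)

    challenge = rp.receive_assertion(assertion)
    legit = rp.validate_with_proof(challenge["nonce"], Client(user_key).answer_challenge(challenge))

    # Attacker presents a copy of the assertion but does not hold alice's confirmation key.
    challenge2 = rp.receive_assertion(assertion)
    stolen = rp.validate_with_proof(challenge2["nonce"], Client(secrets.token_bytes(32)).answer_challenge(challenge2))

    # Replaying the already-consumed nonce, even with the correct answer, is rejected.
    replay = rp.validate_with_proof(challenge["nonce"], Client(user_key).answer_challenge(challenge))
    return {"legit": legit["subject"] if legit else None, "stolen": stolen, "replay": replay}


if __name__ == "__main__":
    print(run_demo())
```

The point worth noticing is the ordering: the relying proxy's `receive_assertion` does everything that can be checked from the assertion alone (signature under the trust relationship, audience, expiry) but does not treat the assertion as valid until `validate_with_proof` succeeds. A bare assertion, however well signed, is a bearer credential; binding it to a key the user must demonstrate at the second domain is what turns possession of the assertion into possession of the assertion plus the key.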
36 Claims
1. A method for assertion processing within a data processing system, the method comprising:
receiving, from a first trust proxy within a first domain at a second trust proxy in a second domain, an assertion associated with a user, wherein the assertion is associated with a request from a client to access a controlled resource within the second domain;
challenging a user of the client to provide information that is required to be possessed by the user that is associated with the assertion; and
in response to a determination that the user of the client possesses the information that is required to be possessed by the user that is associated with the assertion, validating the assertion at the second trust proxy.
(Dependent claims 2 through 12.)

13. An apparatus for assertion processing within a data processing system, the apparatus comprising:
means for receiving, from a first trust proxy within a first domain at a second trust proxy in a second domain, an assertion associated with a user, wherein the assertion is associated with a request from a client to access a controlled resource within the second domain;
means for challenging a user of the client to provide information that is required to be possessed by the user that is associated with the assertion; and
means for validating the assertion at the second trust proxy in response to a determination that the user of the client possesses the information that is required to be possessed by the user that is associated with the assertion.
(Dependent claims 14 through 24.)

25. A computer program product in a computer readable medium for use in a data processing system for assertion processing, the computer program product comprising:
means for receiving, from a first trust proxy within a first domain at a second trust proxy in a second domain, an assertion associated with a user, wherein the assertion is associated with a request from a client to access a controlled resource within the second domain;
means for challenging a user of the client to provide information that is required to be possessed by the user that is associated with the assertion; and
means for validating the assertion at the second trust proxy in response to a determination that the user of the client possesses the information that is required to be possessed by the user that is associated with the assertion.
(Dependent claims 26 through 36.)