Uniformly representing and transferring security assertion and security response information

US 20040139352A1
Filed: 01/15/2003
Published: 07/15/2004
Est. Priority Date: 01/15/2003
Status: Active Grant

First Claim

Patent Images

1. In a distributed system including a requesting message processor that is communicatively coupled to a validating message processor so as to be able to communicate by transferring electronic messages, the requesting message processor further including a security token processing interface for transferring security tokens that can encapsulate security data of any of one or more different formats, a method for determining if a client message processor is a trusted client such that the need to have multiple protocols stacks to transfer security assertions and security responses is reduced at least at the requesting message processor, the method comprising:

an act of identifying client security input data of a first format that is to be transferred to the validating message processor;

an act of encapsulating at least a portion of the client security input data within a client security token such that the client security token can be processed by a corresponding validating token processing interface at the validating message processor to determine if the client message processor is a trusted client;

an act of the requesting message processor sending the client security token to the validating message processor;

an act of the requesting message processor receiving a response security token from the validating message processor, the response security token encapsulating at least a first portion of client security output data of a second format; and

an act of processing the response security token to determine if the first portion of client security output data indicates that the client message processor is a trusted client.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A requesting message processor identifies client security input data of a first format and encapsulates the client security input data within a client security token. A requesting token processing interface sends the client security token to a validating message processor. A validating token processing interface at the validating message processor receives the client security token. Based on the encapsulated client security input data, the validating message processor selects client security output data of a second format. The validating message processor encapsulates the security output data within a response security token. The validating token processing interface sends the response security token to the requesting message processor. The token processing interfaces can be configured to similarly abstract security input data and security output data so as to increase the possibility of compatible communication between the requesting and validating message processor.

67 Citations

View as Search Results

41 Claims

1. In a distributed system including a requesting message processor that is communicatively coupled to a validating message processor so as to be able to communicate by transferring electronic messages, the requesting message processor further including a security token processing interface for transferring security tokens that can encapsulate security data of any of one or more different formats, a method for determining if a client message processor is a trusted client such that the need to have multiple protocols stacks to transfer security assertions and security responses is reduced at least at the requesting message processor, the method comprising:
- an act of identifying client security input data of a first format that is to be transferred to the validating message processor;
  
  an act of encapsulating at least a portion of the client security input data within a client security token such that the client security token can be processed by a corresponding validating token processing interface at the validating message processor to determine if the client message processor is a trusted client;
  
  an act of the requesting message processor sending the client security token to the validating message processor;
  
  an act of the requesting message processor receiving a response security token from the validating message processor, the response security token encapsulating at least a first portion of client security output data of a second format; and
  
  an act of processing the response security token to determine if the first portion of client security output data indicates that the client message processor is a trusted client.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The method as recited in claim 1, wherein the act of identifying client security input data of a first format that is to be transferred to the validating message processor comprises an act of identifying client security input data of a first format that is to be transferred along with client security input data of at least one other format that is different from the first format.
  - 3. The method as recited in claim 1, wherein the act of identifying client security input data of a first format that is to be transferred to the validating message processor comprises an act of identifying a request that includes one or more security assertions.
  - 4. The method as recited in claim 1, wherein the act of identifying client security input data of a first format that is to be transferred to the validating message processor comprises an act of identifying a service access token.
  - 5. The method as recited in claim 1, wherein the act of identifying client security input data of a first format that is to be transferred to the validating message processor comprises an act of the client identifying the client security input data.
  - 6. The method as recited in claim 1, wherein the act of identifying client security input data of a first format that is to be transferred to the validating message processor comprises an act of a server that is attempting to determine if the client is a trusted client identifying the client security input data.
  - 7. The method as recited in claim 1, wherein the act of encapsulating at least a portion of the client security input data within a client security token comprises an act of encapsulating one or more security assertions within a client security token.
  - 8. The method as recited in claim 1, wherein the act of encapsulating at least a portion of the client security input data within a client security token comprises an act of encapsulating a request that includes one or more security assertions within a client security token.
  - 9. The method as recited in claim 1, wherein the act of encapsulating at least a portion of the client security input data within a client security token comprises an act of encapsulating a service access token within a client security token.
  - 10. The method as recited in claim 1, wherein the act of the requesting message processor sending the client security token comprises an act of a requesting message processor sending a SOAP envelope.
  - 11. The method as recited in claim 1, wherein the act of the requesting message processor receiving a response security token comprises an act of the requesting token interface receiving a service access token.
  - 12. The method as recited in claim 1, wherein the act of the requesting message processor receiving a response security token comprises an act of the requesting token interface receiving an answer to a request that one or more security assertions be validated.
  - 13. The method as recited in claim 1, wherein the act of the requesting message processor receiving a response security token comprises an act of a server message processor receiving a trust statement that causes a trust policy to be updated.
  - 14. The method as recited in claim 1, wherein the act of processing the response security token to determine if the at least a first portion of client security output data indicates that the client message processor is a trusted client comprises an act of processing the response security token to determine that the client is a trusted client.
  - 15. The method as recited in claim 1, wherein the act of processing the response security token to determine if the at least a first portion of client security output data indicates that the client message processor is a trusted client comprises an act of processing trust statements included in the response security token to update a trust policy.
  - 16. The method as recited in claim 1, wherein the act of processing the response security token to determine if the first portion of client security output data indicates that the client message processor is a trusted client comprises an act of determining that the first portion of security output data establishes a specified level of trust.
  - 17. The method as recited in claim 1, wherein the first format and the second format are the same format.
  - 18. The method as recited in claim 1, further comprising:
    - an act of appending additional client security input data to the identified security input data.
  - 19. The method as recited in claim 1, further comprising:
    - an act of receiving a second portion of non-encapsulated client security output data of a third format.

20. In a distributed system including a requesting message processor that is communicatively coupled to a validating message processor so as to be able to communicate by transferring electronic messages, the requesting message processor further including a security token processing interface for transferring security tokens that can encapsulate security data of any of one or more different formats, a method determining if a client message processor is a trusted client such that the need to have multiple protocols stacks to transfer security assertions and security responses is reduced at least at the requesting message processor, the method comprising:
- an act of identifying client security input data of a first format that is to be transferred to the validating message processor;
  
  an act of encapsulating at least a portion of the client security input data within a client security token such that the client security token can be processed by a corresponding validating token processing interface at the validating message processor to determine if the client message processor is a trusted client;
  
  a step for exchanging security tokens via an abstract interface; and
  
  an act of processing a response security token to determine if a first portion of client security output data indicates that the client message processor is a trusted

21. In a distributed system including a validating message processor that is communicatively coupled to a requesting message processor so as to be able to communicate by transferring electronic messages, the validating message processor further including a security token processing interface for transferring security tokens that can encapsulate security data of any of one or more different formats, a method for determining if a client message processor represented by a client security token is a trusted client such that the need to maintain multiple protocol stacks to transfer security assertions and security responses is reduced at least at the validating message processor, the method comprising:
- an act of the validating message processor receiving a client security token from the requesting message processor, the client security token encapsulating client a portion of security input data of a first format;
  
  an act of, based on the portion of client security input data, selecting at least a first portion of client security output data of a second format, the first portion of security output data indicating if the client message processor is a trusted client;
  
  an act of encapsulating the first portion of client security output data within a response security token such that the response security token can be processed by the requesting message processor to indicate to the requesting message processor if the client message processor is a trusted client; and
  
  an act of the validating token processing interface sending the response security token to the requesting message processor.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32)
- - 22. The method as recited in claim 21, wherein the act of the validating message processor receiving a client security token from the requesting message processor comprises an act of the validating message processor receiving a SOAP envelope.
  - 23. The method as recited in claim 21, wherein the act of the validating message processor receiving a client security token from the requesting message processor comprises an act of the validating message processor receiving one or more encapsulated security assertions.
  - 24. The method as recited in claim 21, wherein the act of the validating message processor receiving a client security token from the requesting message processor comprises an act of the validating message processor receiving an encapsulated service access token.
  - 25. The method as recited in claim 21, wherein the an act of, based on the portion of client security input data, selecting at least a first portion of client security output data of a second format comprises an act of comparing the portion of client security input data to data from a credentials database.
  - 26. The method as recited in claim 21, wherein the an act of, based on the portion of client security input data, selecting at least a first portion of client security output data of a second format comprises an act of selecting a first portion of client security output data that is indicative of the client message processor being a trusted client.
  - 27. The method as recited in claim 21, wherein the an act of, based on the portion of client security input data, selecting at least a first portion of client security output data of a second format comprises an act of selecting a second portion of client security output data of third format that is different than the second format.
  - 28. The method as recited in claim 21, wherein the act of encapsulating the first portion of client security output data within a response security token comprises an act of encapsulating an answer that is indicative of a security assertion being valid.
  - 29. The method as recited in claim 21, wherein the act of encapsulating the first portion of client security output data within a response security token comprises an act of encapsulating a service access token.
  - 30. The method as recited in claim 21, wherein the act of encapsulating the first portion of client security output data within a response security token comprises an act of encapsulating a trust statement that will cause a trust policy to be updated.
  - 31. The method as recited in claim 21, wherein the first format and the second format are the same format.
  - 32. The method as recited in claim 21, further comprising:
    - an act of appending the first portion of client security output data to the portion of security input data.

33. In a distributed system including a validating message processor that is communicatively coupled to a requesting message processor so as to be able to communicate by transferring electronic messages, the validating message processor further including a security token processing interface for transferring security tokens that can encapsulate security data of any of one or more different formats, a method determining if a client message processor represented by a client security token is a trusted client such that the need to maintain multiple protocol stacks to transfer security assertions and security responses is reduced at least at the validating message processor, the method comprising:
- an act of the validating message processor receiving the client security token from the requesting message processor, the client security token encapsulating a portion of client security input data of a first format;
  
  an act of, based on the portion of client security input data, selecting at least a first portion of client security output data of a second format, the security output data indicating if the client message processor is a trusted client; and
  
  a step for abstracting at least the first portion of client security output data.

34. A computer program product for used in a distributed system including a requesting message processor that is communicatively coupled to a validating message processor so as to be able to communicate by transferring electronic messages, the requesting message processor further including a security token processing interface for transferring security tokens that can encapsulate security data of any of one or more different formats, the computer program product for implementing a method for determining if a client message processor is a trusted client such that the need to have multiple protocols stacks to transfer security assertions and security responses is reduced at least at the requesting message processor, the computer program product comprising one or more computer-readable media having stored thereon the following:
- computer-executable instructions for identifying client security input data of a first format that is to be transferred to the validating message processor;
  
  computer-executable instructions for encapsulating at least a portion of the client security input data within a client security token such that the client security token can be processed by a corresponding validating token processing interface at the validating message processor to determine if the client message processor is a trusted client;
  
  computer-executable instructions for causing the requesting message processor to send the client security token to the validating message processor;
  
  computer-executable instructions for causing the requesting message processor to receive a response security token from the validating message processor, the response security token encapsulating a first portion of client security output data of a second format; and
  
  computer-executable instructions for processing the response security token to determine if the first portion of client security output data indicates that the client message processor is a trusted client.

35. A computer program product for use in a distributed system including a validating message processor that is communicatively coupled to a requesting message processor so as to be able to communicate by transferring electronic messages, the validating message processor further including a security token processing interface for transferring security tokens that can encapsulate security responses of any of one or more different formats, the computer program product for implementing a method for determining if a client message processor represented by a client security token is a trusted client such that the need to maintain multiple protocol stacks to transfer security assertions and security responses is reduced at least at the validating message processor, the computer program product comprising one or more computer-readable media having stored thereon the following:
- computer-executable instructions for the validating message processor to receive the client security token from the requesting message processor, the client security token encapsulating a portion of client security input data of a first format;
  
  computer-executable instructions for, based on the portion of client security input data, selecting at least a first portion of client security output data of a second format, the first portion of security output data indicating if the client message processor is a trusted client;
  
  computer-executable instructions for encapsulating the first portion of client security output data within a response security token such that the response security token can be processed by the requesting message processor to indicate to the requesting message processor if the client message processor is a trusted client; and
  
  computer-executable instructions for causing the validating token processing interface to send the response security token to the requesting message processor.

36. One or more computer-readable media having stored thereon a data structure, the data structure comprising:
- a application data field representing application data from a client message processor that is to be routed to a server message processor; and
  
  a client security token field representing one or more encapsulated security assertions submitted by a requesting message processor to attempt to cause a server message processor to trust the application data represented in the application data field.
- View Dependent Claims (37, 38)
- - 37. The one or more computer-readable media having stored thereon a data structure in accordance with claim 36, wherein the client security token field is comprised of:
    - a request field representing an encapsulated request that includes one or more security assertions.
  - 38. The one or more computer-readable media having stored thereon a data structure in accordance with claim 36, wherein the client security token field is comprised a service access token field representing an encapsulated service access token.

39. One or more computer-readable media having stored thereon a data structure, the data structure comprising:
- a application data field representing application data from a client message processor that is to be routed to a server message processor; and
  
  a response security token field representing one or more encapsulated security responses returned by a validating message processor to indicate to a requesting message processor if the client message processor, which sent the application data represented in the application data field, is to be trusted.
- View Dependent Claims (40, 41)
- - 40. The one or more computer-readable media having stored thereon a data structure in accordance with claim 39, wherein the response security token field is comprised of:
    - a Boolean field representing an encapsulated Boolean statement that indicates if the client message processor is to be trusted.
  - 41. The one or more computer-readable media having stored thereon a data structure in accordance with claim 39, wherein the response security token field is comprised of:
    - a trusted field representing an encapsulated trust statement that indicates if the client message processor is to be trusted.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Shewchuk, John P., Kaler, Christopher G., Della-Libera, Giovanni M.

Granted Patent

US 7,249,373 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

H04L 63/12 Applying verification of th...

H04L 63/20 for managing network securi...

Uniformly representing and transferring security assertion and security response information

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

67 Citations

41 Claims

Specification

Solutions

Use Cases

Quick Links

Uniformly representing and transferring security assertion and security response information

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

67 Citations

41 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links