Federated identity management within a distributed portal server

US 20050114701A1
Filed: 11/21/2003
Published: 05/26/2005
Est. Priority Date: 11/21/2003
Status: Active Grant

First Claim

Patent Images

1. A method of providing cross-domain authentication in a computing environment, comprising steps of:

providing security credentials of an entity to an initial point of contact in the computing environment;

passing the provided credentials from the initial point of contact to a trust proxy;

authenticating the passed credentials with an authentication service in a local security domain of the trust proxy; and

using the authentication performed by the local authentication service to seamlessly authenticate the entity to one or more selected remote security domains.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are disclosed for federating identity management within a distributed portal server, leveraging Web services techniques and a number of industry standards. Identities are managed across autonomous security domains which may be comprised of independent trust models, authentication services, and user enrollment services. The disclosed techniques enable integrating third-party Web services-based portlets, which rely on various potentially-different security mechanisms, within a common portal page.

Citations

20 Claims

1. A method of providing cross-domain authentication in a computing environment, comprising steps of:
- providing security credentials of an entity to an initial point of contact in the computing environment;
  
  passing the provided credentials from the initial point of contact to a trust proxy;
  
  authenticating the passed credentials with an authentication service in a local security domain of the trust proxy; and
  
  using the authentication performed by the local authentication service to seamlessly authenticate the entity to one or more selected remote security domains.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method according to claim 1, when the using step further comprises the steps of:
    - consulting policy information to determine which of a plurality of remote security domains should be selected to receive information from the local authentication service; and
      
      passing the information from the local authentication service to each of the determined remote security domains.
  - 3. The method according to claim 1, wherein the using step enables remote services in the selected remote security domains to be accessed by the entity without requiring the entity to provide its security credentials for those remote services.
  - 4. The method according to claim 3, wherein a credential mapping operation is performed to map the provided security credentials to the entity'"'"'s security credentials for each remote service.
  - 5. The method according to claim 1, wherein the entity is an end user.
  - 6. The method according to claim 1, wherein the initial point of contact is a portal interface.
  - 7. The method according to claim 1, wherein the passing step is performed by a proxy of the initial point of contact.
  - 8. The method according to claim 7, wherein the proxy of the initial point of contact performs a protocol conversion, when passing the provided credentials, from a first protocol used in the providing step to a second protocol used by the trust proxy.
  - 9. The method according to claim 8, wherein the first protocol is Hypertext Transfer Protocol (“
    - HTTP”
      
      ) or a security-enhanced version thereof.
  - 10. The method according to claim 8, wherein the second protocol is Simple Object Access Protocol (“
    - SOAP”
      
      ).
  - 11. The method according to claim 1, wherein the initial point of contact provides an aggregation of a plurality of Web services.
  - 12. The method according to claim 1, wherein the using step further comprises the steps of:
    - forwarding a security token from the local authentication service to a remote trust proxy in each of the selected remote security domains; and
      
      using the forwarded security token, at each of the remote trust proxies, to authenticate the entity with an authentication service in the remote security domain.
  - 13. The method according to claim 12, wherein results of the authentication by the authentication service in the local security domain and results of each authentication by the authentication services in each selected remote security domain are returned to the initial point of contact.
  - 14. The method according to claim 13, further comprising the step of determining, by the initial point of contact, which services and/or views thereof can be provided to the entity based on the returned results.
  - 15. The method according to claim 1, wherein the entity has security credentials, in at least one of the selected remote security domains, that differ from the provided security credentials, and wherein the using step transparently maps the provided security credentials to the different security credentials.

16. A system for enabling an entity to have seamless access to a plurality of aggregated services which have different identity requirements, comprising:
- means for initially authenticating the entity, by a first authentication component, using an identity provided by the entity;
  
  means for mapping the provided identification to the differing identity requirements of at least one service to be aggregated, thereby establishing mapped identity requirements for each of the at least one services;
  
  means for subsequently authenticating the entity, by an authentication component associated with each of the at least one services, using the mapped identity requirements; and
  
  means for aggregating each of the at least one services and a service associated with the initial authentication component, if the authentications thereof are successful, into an aggregated result.
- View Dependent Claims (17, 18)
- - 17. The system according to claim 16, wherein the aggregated result is an aggregated view.
  - 18. The system according to claim 16, wherein the entity is a programmatic entity.

19. A computer program product for providing federated identity management within a distributed content aggregation framework, the computer program product embodied on one or more computer-readable media and comprising:
- computer-readable program code means for providing, to the content aggregation framework by a using entity, initial identity information;
  
  computer-readable program code means for authenticating the initial identity information by a first authentication service in a first security domain;
  
  computer-readable program code means for conveying results of the authentication by the first authentication service to one or more selected other authentication services associated with one or more other security domains; and
  
  computer-readable program code means for using the conveyed results to authenticate the using entity to each of the selected other authentication services, without requiring the using entity to provide additional identity information.
- View Dependent Claims (20)
- - 20. The computer program product according to claim 19, wherein the initial identity information is a name and password associated with the using entity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Wesley, Ajamu A., Nadalin, Anthony J., Atkins, Barry D., Melgar, David O.

Granted Patent

US 7,346,923 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/60   Digital content management,...

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 63/08   for authentication of entit...

H04L 9/3226   using a predetermined code,...

H04L 9/3247   involving digital signatures

Federated identity management within a distributed portal server

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Federated identity management within a distributed portal server

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links