Role-based authorization of network services using diversified security tokens

US 20060015933A1
Filed: 07/14/2004
Published: 01/19/2006
Est. Priority Date: 07/14/2004
Status: Active Grant

First Claim

Patent Images

1. In a network environment that includes a service providing computing system and a network connected to the service providing computing system, the service providing computing system offering one or more services, the network being capable of delivering to the service providing computing system a plurality of service request messages associated with diversified security token types, a method for the service providing computing system to perform role-based authorization of the one or more services using the security tokens associated with the received service request messages despite the received service request messages having diversified security token types, the method comprising the following:

an act of receiving a service request message over the network, the service request message requesting a service offered by the service providing computing system;

an act of accessing a security token associated with the received service request message;

an act of identifying one or more roles that include the identity associated with the security token;

an act of correlating the one or more identified roles with the accessed security token; and

an act of authorizing the requested service using the one or more roles correlated with the security token that is associated with the service request message that requests the requested service.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A mechanism for performing role-based authorization of the one or more services using security tokens associated with received service request messages. This role-based authentication is performed regardless of the type of security token associated with the received service request messages. Upon receiving a service request message over the network for a particular service offered by the service providing computing system, the service providing computing system accesses a security token associated with the received service request message. Then, the computing system identifies one or more roles that include the identity associated with the security token, and correlates the roles with the security token. These correlated roles are then used to authorize the requested service. This mechanism is performed regardless of the type of the security token.

93 Citations

View as Search Results

35 Claims

1. In a network environment that includes a service providing computing system and a network connected to the service providing computing system, the service providing computing system offering one or more services, the network being capable of delivering to the service providing computing system a plurality of service request messages associated with diversified security token types, a method for the service providing computing system to perform role-based authorization of the one or more services using the security tokens associated with the received service request messages despite the received service request messages having diversified security token types, the method comprising the following:
- an act of receiving a service request message over the network, the service request message requesting a service offered by the service providing computing system;
  
  an act of accessing a security token associated with the received service request message;
  
  an act of identifying one or more roles that include the identity associated with the security token;
  
  an act of correlating the one or more identified roles with the accessed security token; and
  
  an act of authorizing the requested service using the one or more roles correlated with the security token that is associated with the service request message that requests the requested service.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. A method in accordance with claim 1, wherein the act of accessing a security token associated with the received service request message comprises the following:
    - an act of accessing the security token from the received service request message itself.
  - 3. A method in accordance with claim 1, wherein the act of accessing a security token associated with the received service request message comprises the following:
    - an act of accessing a security token identification information from the received service request message; and
      
      an act of using the security token identification information to access the security token associated with the received service request message.
  - 4. A method in accordance with claim 1, wherein the service request message is a Simple Object Access Protocol (SOAP) envelope.
  - 5. A method in accordance with claim 1, wherein the one or more roles is a single role.
  - 6. A method in accordance with claim 1, wherein the one or more roles is a plurality of roles.
  - 7. A method in accordance with claim 1, wherein the accessed security token is a SAML security token type security token.
  - 8. A method in accordance with claim 1, wherein the accessed security token is an XrML security token type security token.
  - 9. A method in accordance with claim 1, wherein the accessed security token is a X.509 certificate.
  - 10. A method in accordance with claim 1, wherein the accessed security token is a username/password type security token.
  - 11. A method in accordance with claim 1, wherein the accessed security token is a SecurityContextToken.
  - 12. A method in accordance with claim 1, wherein the accessed security token is a DerivedKeyToken.
  - 13. A method in accordance with claim 1, wherein the act of authorizing the requested service using the one or more roles correlated with the security token that is associated with the service request message that requests the service comprises the following:
    - an act of accessing a metadata expression of the conditions that must be met in order to receive the requested service, at least one of the conditions including an indication that the security token must be correlated with a particular role of the one or more roles.
  - 14. A method in accordance with claim 1, wherein the act of authorizing the requested service using the one or more roles correlated with the security token that is associated with the service request message that requests the service comprises the following:
    - an act of executing an executable object that conditions access to the requested object at least upon the condition that the security token must be correlated with a particular role of the one or more roles.
  - 15. A method in accordance with claim 1, wherein the service request message is a first service request message, the security token is a first security token of a first security token type, the one or more roles being a first set of one or more roles, the requested service being a first requested service, the method further comprising the following:
    - an act of receiving a second service request message over the network, the second service request message requesting a second service offered by the service providing computing system;
      
      an act of accessing a second security token associated with the second received service request message, the second security token being of a second security token type that is different than the first security token type;
      
      an act of identifying a second set of one or more roles that include the identity associated with the second security token;
      
      an act of correlating the second set of one or more identified roles with the second accessed security token; and
      
      an act of authorizing the requested service using the second set of one or more roles correlated with the second security token that is associated with the second service request message that requests the second requested service.
  - 16. A method in accordance with claim 15, wherein the first requested service and the second requested service is the same requested service.
  - 17. A method in accordance with claim 1, further comprising the following:
    - an act of providing the requested service.

18. A computer program product for use in a network environment that includes a service providing computing system and a network connected to the service providing computing system, the service providing computing system offering one or more services, the network being capable of delivering to the service providing computing system a plurality of service request messages associated with diversified security token types, the computer program product for allowing the service providing computing system to perform role-based authorization of the one or more services using the security tokens associated with the received service request messages despite the received service request messages having diversified security token types, the computer program product comprising one or more computer-readable media having computer-executable instructions that, when executed by one or more processors of the service providing computing system, causes the service providing computing system to perform the following when receiving a service request message that requests a service offered by the service providing computing system:
- an act of accessing a security token associated with the received service request message;
  
  an act of identifying one or more roles that include the identity associated with the security token;
  
  an act of correlating the one or more identified roles with the accessed security token; and
  
  an act of authorizing the requested service using the one or more roles correlated with the security token that is associated with the service request message that requests the requested service.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35)
- - 19. A computer program product in accordance with claim 18, wherein the act of accessing a security token associated with the received service request message comprises the following:
    - an act of accessing the security token from the received service request message itself.
  - 20. A computer program product in accordance with claim 18, wherein the act of accessing a security token associated with the received service request message comprises the following:
    - an act of accessing a security token identification information from the received service request message; and
      
      an act of using the security token identification information to access the security token associated with the received service request message.
  - 21. A computer program product in accordance with claim 18, wherein the service request message is a Simple Object Access Protocol (SOAP) envelope.
  - 22. A computer program product in accordance with claim 18, wherein the one or more roles is a single role.
  - 23. A computer program product in accordance with claim 18, wherein the one or more roles is a plurality of roles.
  - 24. A computer program product in accordance with claim 18, wherein the accessed security token is a SAML security token type security token.
  - 25. A computer program product in accordance with claim 18, wherein the accessed security token is an XrML security token type security token.
  - 26. A computer program product in accordance with claim 18, wherein the accessed security token is a X.509 certificate.
  - 27. A computer program product in accordance with claim 18, wherein the accessed security token is a username/password type security token.
  - 28. A computer program product in accordance with claim 18, wherein the accessed security token is a SecurityContextToken.
  - 29. A computer program product in accordance with claim 18, wherein the accessed security token is a DerivedKeyToken.
  - 30. A computer program product in accordance with claim 18, wherein the act of authorizing the requested service using the one or more roles correlated with the security token that is associated with the service request message that requests the service comprises the following:
    - an act of accessing a metadata expression of the conditions that must be met in order to receive the requested service, at least one of the conditions including an indication that the security token must be correlated with a particular role of the one or more roles.
  - 31. A computer program product in accordance with claim 18, wherein the act of authorizing the requested service using the one or more roles correlated with the security token that is associated with the service request message that requests the service comprises the following:
    - an act of executing an executable object that conditions access to the requested object at least upon the condition that the security token must be correlated with a particular role of the one or more roles.
  - 32. A computer program product in accordance with claim 18, wherein the service request message is a first service request message, the security token is a first security token of a first security token type, the one or more roles being a first set of one or more roles, the requested service being a first requested service, the method further comprising the following in response to receiving a second service request message that requests a second service offered by the service providing computing system;
    - an act of accessing a second security token associated with the second received service request message, the second security token being of a second security token type that is different than the first security token type;
      
      an act of identifying a second set of one or more roles that include the identity associated with the second security token;
      
      an act of correlating the second set of one or more identified roles with the second accessed security token; and
      
      an act of authorizing the requested service using the second set of one or more roles correlated with the second security token that is associated with the second service request message that requests the second requested service.
  - 33. A computer program product in accordance with claim 32, wherein the first requested service and the second requested service is the same requested service.
  - 34. A computer program product in accordance with claim 18, the method further comprising the following:
    - an act of providing the requested service.
  - 35. A computer program product in accordance with claim 18, wherein the one or more computer-readable media are physical media.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Wilson, Hervey O., Ballinger, Keith W., Mukherjee, Vick B., Ge, HongMei

Granted Patent

US 7,434,252 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/10
CPC Class Codes

G06F 21/335   for accessing specific reso...

H04L 63/0823   using certificates cryptogr...

H04L 63/105   Multiple levels of security

Role-based authorization of network services using diversified security tokens

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

93 Citations

35 Claims

Specification

Solutions

Use Cases

Quick Links

Role-based authorization of network services using diversified security tokens

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

93 Citations

35 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links