Method and system for pluggability of federation protocol runtimes for federated user lifecycle management

US 20060020679A1
Filed: 07/21/2004
Published: 01/26/2006
Est. Priority Date: 07/21/2004
Status: Active Grant

First Claim

Patent Images

1. A method for providing federated functionality within a data processing system, the method comprising:

receiving an incoming request at point-of-contact functionality within a domain, wherein the domain is associated with a plurality of domains within a federated computing environment;

analyzing an incoming request with the point-of-contact functionality;

in response to a determination that the received request is directed to accessing a resource that is controlled by resource accessing functionality without the request requiring processing by federated user lifecycle management functionality, sending the received request from the point-of-contact functionality to the resource accessing functionality; and

in response to a determination that the received request requires processing by federated user lifecycle management functionality, sending the received request from the point-of-contact functionality to the federated user lifecycle management functionality, wherein the federated user lifecycle management functionality invokes one or more pluggable modules that interface with the federated user lifecycle management functionality in order to provide one or more federated user lifecycle management functions.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and a system are presented in which federated domains interact within a federated environment. Domains within a federation can initiate federated operations for a user at other federated domains. A point-of-contact server within a domain relies upon a trust proxy within the domain to manage trust relationships between the domain and the federation. The point-of-contact server receives incoming requests directed to the domain and interfaces with a first application server and a second application server, wherein the first application server responds to requests for access to controlled resources and the second application server responds to requests for access to federated user lifecycle management functions, which are implemented using one or more pluggable modules that interface with the second application server.

104 Citations

41 Claims

1. A method for providing federated functionality within a data processing system, the method comprising:
- receiving an incoming request at point-of-contact functionality within a domain, wherein the domain is associated with a plurality of domains within a federated computing environment;
  
  analyzing an incoming request with the point-of-contact functionality;
  
  in response to a determination that the received request is directed to accessing a resource that is controlled by resource accessing functionality without the request requiring processing by federated user lifecycle management functionality, sending the received request from the point-of-contact functionality to the resource accessing functionality; and
  
  in response to a determination that the received request requires processing by federated user lifecycle management functionality, sending the received request from the point-of-contact functionality to the federated user lifecycle management functionality, wherein the federated user lifecycle management functionality invokes one or more pluggable modules that interface with the federated user lifecycle management functionality in order to provide one or more federated user lifecycle management functions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 wherein the point-of-contact functionality and the federated user lifecycle management functionality are implemented on the same server.
  - 3. The method of claim 1 wherein the point-of-contact functionality and the federated user lifecycle management functionality are implemented within the same application.
  - 4. The method of claim 1 wherein the point-of-contact functionality and the federated user lifecycle management functionality are implemented within the same domain.
  - 5. The method of claim 1 further comprising:
    - analyzing a received request message;
      
      invoking the resource accessing functionality to process a request that is received by the point-of-contact functionality which requests access to a controlled resource; and
      
      invoking the federated user lifecycle management functionality to process a request that is received by the point-of-contact functionality which requests or requires access to a federated user lifecycle management function.
  - 6. The method of claim 1 wherein a pluggable module supports a federation protocol in accordance with a WS-Federation specification.
  - 7. The method of claim 1 wherein a pluggable module supports a federation protocol in accordance with a Liberty Alliance specification.
  - 8. The method of claim 1 wherein a pluggable module supports a federation protocol in accordance with a SAML (Security Assertion Markup Language) specification.
  - 9. The method of claim 1 wherein a pluggable module supports a federation protocol in accordance with a proprietary specification.
  - 10. The method of claim 1 further comprising:
    - supporting a federation protocol at a first pluggable module in accordance with a first federation protocol profile; and
      
      supporting a federation protocol at a second pluggable module in accordance with a second federation protocol profile.

11. An apparatus for providing federated functionality within a data processing system, the apparatus comprising:
- means for receiving an incoming request at point-of-contact functionality within a domain, wherein the domain is associated with a plurality of domains within a federated computing environment;
  
  means for analyzing an incoming request with the point-of-contact functionality;
  
  means for sending, in response to a determination that the received request is directed to accessing a resource that is controlled by resource accessing functionality, the received request from the point-of-contact functionality to the resource accessing functionality; and
  
  means for sending, in response to a determination that the received request is directed to accessing federated user lifecycle management functionality, the received request from the point-of-contact functionality to the federated user lifecycle management functionality, wherein the federated user lifecycle management functionality responds to requests for access to federated user lifecycle management functions by invoking one or more pluggable modules that interface with the federated user lifecycle management functionality.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The apparatus of claim 11 wherein the point-of-contact functionality and the federated user lifecycle management functionality are implemented on the same server.
  - 13. The apparatus of claim 11 wherein the point-of-contact functionality and the federated user lifecycle management functionality are implemented within the same application.
  - 14. The apparatus of claim 11 wherein the point-of-contact functionality and the federated user lifecycle management functionality are implemented within the same domain.
  - 15. The apparatus of claim 11 further comprising:
    - means for analyzing a received request message;
      
      means for invoking the resource accessing functionality to process a request that is received by the point-of-contact functionality which requests access to a controlled resource; and
      
      means for invoking the federated user lifecycle management functionality to process a request that is received by the point-of-contact functionality which requests access to a federated user lifecycle management function.
  - 16. The apparatus of claim 11 wherein a pluggable module includes means for supporting a federation protocol in accordance with a WS-Federation specification.
  - 17. The apparatus of claim 11 wherein a pluggable module includes means for supporting a federation protocol in accordance with a Liberty Alliance specification.
  - 18. The apparatus of claim 11 wherein a pluggable module includes means for supporting a federation protocol in accordance with a SAML (Security Assertion Markup Language) specification.
  - 19. The apparatus of claim 11 wherein a pluggable module includes means for supporting a federation protocol in accordance with a proprietary specification.
  - 20. The apparatus of claim 11 further comprising:
    - means for supporting a federation protocol at a first pluggable module in accordance with a first federation protocol profile; and
      
      means for supporting a federation protocol at a second pluggable module in accordance with a second federation protocol profile.

21. A computer program product on a computer readable medium for use in a data processing system for providing federated functionality, the computer program product comprising:
- means for receiving an incoming request at point-of-contact functionality within a domain, wherein the domain is associated with a plurality of domains within a federated computing environment;
  
  means for analyzing an incoming request with the point-of-contact functionality;
  
  means for sending, in response to a determination that the received request is directed to accessing a resource that is controlled by resource accessing functionality, the received request from the point-of-contact functionality to the resource accessing functionality; and
  
  means for sending, in response to a determination that the received request is directed to accessing federated user lifecycle management functionality, the received request from the point-of-contact functionality to the federated user lifecycle management functionality, wherein the federated user lifecycle management functionality responds to requests for access to federated user lifecycle management functions by invoking one or more pluggable modules that interface with the federated user lifecycle management functionality.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The computer program product of claim 21 wherein the point-of-contact functionality and the federated user lifecycle management functionality are implemented on the same server.
  - 23. The computer program product of claim 21 wherein the point-of-contact functionality and the federated user lifecycle management functionality are implemented within the same application.
  - 24. The computer program product of claim 21 wherein the point-of-contact functionality and the federated user lifecycle management functionality are implemented within the same domain.
  - 25. The computer program product of claim 21 further comprising:
    - means for analyzing a received request message;
      
      means for invoking the resource accessing functionality to process a request that is received by the point-of-contact functionality which requests access to a controlled resource; and
      
      means for invoking the federated user lifecycle management functionality to process a request that is received by the point-of-contact functionality which requests access to a federated user lifecycle management function.
  - 26. The computer program product of claim 21 wherein a pluggable module includes means for supporting a federation protocol in accordance with a WS-Federation specification.
  - 27. The computer program product of claim 21 wherein a pluggable module includes means for supporting a federation protocol in accordance with a Liberty Alliance specification.
  - 28. The computer program product of claim 21 wherein a pluggable module includes means for supporting a federation protocol in accordance with a SAML (Security Assertion Markup Language) specification.
  - 29. The computer program product of claim 21 wherein a pluggable module includes means for supporting a federation protocol in accordance with a proprietary specification.
  - 30. The computer program product of claim 21 further comprising:
    - means for supporting a federation protocol at a first pluggable module in accordance with a first federation protocol profile; and
      
      means for supporting a federation protocol at a second pluggable module in accordance with a second federation protocol profile.

31. A data processing system comprising:
- a point-of-contact server, wherein the point-of-contact server receives incoming requests directed to a domain, wherein the domain is associated with a plurality of domains within a federated computing environment;
  
  a first application server that interfaces with the point-of-contact server, wherein the first application server includes means for responding to requests for access to controlled resources; and
  
  a second application server that interfaces with the point-of-contact server, wherein the second application server includes means for responding to requests for access to federated user lifecycle management functions, wherein the means for responding to requests for access to federated user lifecycle management functions includes one or more pluggable modules that interface with the second application server.
- View Dependent Claims (32, 33, 34, 35, 36, 37, 38, 39, 40, 41)
- - 32. The data processing system of claim 31 wherein the point-of-contact server further comprises:
    - means for analyzing a received request message;
      
      means for invoking the first application server to process a request that is received by the point-of-contact server which requests access to controlled resources; and
      
      means for invoking the second application server to process requests that are received by the point-of-contact server which request access to federated user lifecycle management functions.
  - 33. The data processing system of claim 31 wherein a pluggable module further comprises means for supporting a federation protocol in accordance with a WS-Federation specification.
  - 34. The data processing system of claim 31 wherein a pluggable module further comprises means for supporting a federation protocol in accordance with a Liberty Alliance specification.
  - 35. The data processing system of claim 31 wherein a pluggable module further comprises means for supporting a federation protocol in accordance with a SAML (Security Assertion Markup Language) specification.
  - 36. The data processing system of claim 31 wherein a pluggable module further comprises means for supporting a federation protocol in accordance with a proprietary specification.
  - 37. The data processing system of claim 31 further comprising:
    - a first pluggable module for supporting a federation protocol in accordance with a first federation protocol profile; and
      
      a second pluggable module for supporting a federation protocol in accordance with a second federation protocol profile.
  - 38. The data processing system of claim 31 further comprising:
    - a trust proxy, wherein the trust proxy generates security assertions sent from the domain and validates security assertions received at the domain.
  - 39. The data processing system of claim 38 wherein the second application server further comprises:
    - means for invoking the trust proxy to generate secure messages that contain a request or a response.
  - 40. The data processing system of claim 38 wherein the trust proxy further comprises:
    - means for maintaining trust relationships with different domains within the federated computing environment.
  - 41. The data processing system of claim 38 wherein the trust proxy further comprises:
    - means for interoperating with a trust broker to obtain assistance in translating an assertion that has been received from a different domain within the federated computing environment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Wardrop, Patrick Ryan, Hinton, Heather Maria, Falola, Dolapo Martin, Moran, Anthony Scott

Granted Patent

US 7,698,375 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/217
CPC Class Codes

G06F 21/41   where a single sign-on prov...

G06F 2221/2115   Third party

G06Q 10/10   Office automation; Time man...

H04L 63/02   for separating internal fro...

H04L 63/0815   providing single-sign-on or...

H04L 63/0823   using certificates cryptogr...

Method and system for pluggability of federation protocol runtimes for federated user lifecycle management

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

104 Citations

41 Claims

Specification

Use Cases

Quick Links

Others

Method and system for pluggability of federation protocol runtimes for federated user lifecycle management

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

104 Citations

41 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others