Method and system for federated provisioning

US 20060021019A1
Filed: 07/21/2004
Published: 01/26/2006
Est. Priority Date: 07/21/2004
Status: Active Grant

First Claim

Patent Images

1. A data processing system comprising:

a point-of-contact server, wherein the point-of-contact server receives incoming requests for access to resources identifiable within a domain, wherein the domain is associated with a plurality of domains within a federated computing environment;

a trust proxy, wherein the trust proxy generates authentication assertions and/or attribute assertions sent from the domain and validates authentication assertions and/or attribute assertions received at the domain; and

an application server that interfaces with the point-of-contact server for provisioning a user.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and a system are presented in which federated domains interact within a federated environment. Domains within a federation can initiate federated single-sign-on operations for a user at other federated domains. A point-of-contact server within a domain relies upon a trust proxy within the domain to manage trust relationships between the domain and the federation. Trust proxies interpret assertions from other federated domains as necessary. Trust proxies may have a trust relationship with one or more trust brokers, and a trust proxy may rely upon a trust broker for assistance in interpreting assertions. When a user is provisioned at a particular federated domain, the federated domain can provision the user to other federated domains within the federated environment. A provision operation may include creating or deleting an account for a user, pushing updated user account information including attributes, and requesting updates on account information including attributes.

Citations

22 Claims

1. A data processing system comprising:
- a point-of-contact server, wherein the point-of-contact server receives incoming requests for access to resources identifiable within a domain, wherein the domain is associated with a plurality of domains within a federated computing environment;
  
  a trust proxy, wherein the trust proxy generates authentication assertions and/or attribute assertions sent from the domain and validates authentication assertions and/or attribute assertions received at the domain; and
  
  an application server that interfaces with the point-of-contact server for provisioning a user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The data processing system of claim 1 wherein the point-of-contact server further comprises:
    - means for invoking the application server to process federated provisioning requests.
  - 3. The data processing system of claim 1 wherein the application server further comprises:
    - means for invoking a trust proxy to generate security tokens to be placed in a federated provisioning request or in a federated provisioning response in order to demonstrate a trust relationship between a requester and a responder.
  - 4. The data processing system of claim 1 wherein the point-of-contact server and the trust proxy perform front-end processing for functionality associated with the federated computing environment while interfacing with back-end applications.
  - 5. The data processing system of claim 4 wherein the application server further comprises:
    - means for interfacing with an identity management subsystem as a back-end application.
  - 6. The data processing system of claim 1 wherein the point-of-contact server further comprises:
    - means for associating an assertion with an outgoing request from the point-of-contact server to a different domain within the federated computing environment.
  - 7. The data processing system of claim 1 wherein the trust proxy further comprises:
    - means for maintaining trust relationships with different domains within the federated computing environment.
  - 8. The data processing system of claim 1 wherein the trust proxy further comprises:
    - means for interoperating with a trust broker to obtain assistance in translating an assertion that has been received from a different domain within the federated computing environment.
  - 9. The data processing system of claim 1 wherein the application server supports web services.
  - 10. The data processing system of claim 9 wherein a web service is supported in accordance with web-services-based provisioning standard as exemplified by the WS-Provisioning standard.

11. A method for providing federated functionality within a data processing system, the method comprising:
- receiving an incoming request at a point-of-contact server to provision a user within a domain, wherein the domain is associated with a plurality of domains within a federated computing environment;
  
  validating at a trust proxy security assertions received at the domain through the point-of-contact server;
  
  initiating a provisioning operation within the domain by an application server that interfaces with the point-of-contact server.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The method of claim 11 where security assertions are distinct from the user-specific information contained in the provisioning request.
  - 13. The method of claim 11 wherein the trust proxy is able to apply an authorization decision to the incoming request.
  - 14. The method of claim 11 wherein the incoming request is interpreted as initiating a request for user-specific information and/or attributes about the user from the domain.
  - 15. The method of claim 11 further comprising:
    - extracting user-specific information that is associated with the user from the provisioning request;
      
      performing the provisioning operation by invoking from the application server an identity management application within the domain;
      
      creating, modifying, or deleting one or more user-specific entries in one or more datastores for the user by the identity management application.
  - 16. The method of claim 11 further comprising:
    - extracting user-specific information that is associated with the user from the provisioning request;
      
      creating, modifying, or deleting one or more user-specific entries by the application server in one or more datastores for the user;
      
      detecting the user-specific activity within the domain by the identity management application; and
      
      provisioning the user within the domain such that the user subsequently has access to controlled resources within the domain.

17. A computer program product on a computer readable medium for use in a data processing system for providing federated functionality within the data processing system, the computer program product comprising:
- means for receiving an incoming request at a point-of-contact server to provision a user within a domain, wherein the domain is associated with a plurality of domains within a federated computing environment;
  
  means for validating at a trust proxy security assertions received at the domain through the point-of-contact server;
  
  means for initiating a provisioning operation within the domain by an application server that interfaces with the point-of-contact server.
- View Dependent Claims (18, 19, 20, 21, 22)
- - 18. The computer program product of claim 17 where security assertions are distinct from the user-specific information contained in the provisioning request.
  - 19. The computer program product of claim 17 wherein the trust proxy further comprises means for applying an authorization decision to the incoming request.
  - 20. The computer program product of claim 17 wherein the incoming request is interpreted as initiating a request for user-specific information and/or attributes about the user from the domain.
  - 21. The computer program product of claim 17 further comprising:
    - means for extracting user-specific information that is associated with the user from the provisioning request;
      
      means for performing the provisioning operation by invoking from the application server an identity management application within the domain;
      
      means for creating, modifying, or deleting one or more user-specific entries in one or more datastores for the user by the identity management application.
  - 22. The computer program product of claim 17 further comprising:
    - means for extracting user-specific information that is associated with the user from the provisioning request;
      
      means for creating, modifying, or deleting one or more user-specific entries by the application server in one or more datastores for the user;
      
      means for detecting the user-specific activity within the domain by the identity management application; and
      
      means for provisioning the user within the domain such that the user subsequently has access to controlled resources within the domain.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ServiceNow Incorporated
Original Assignee
International Business Machines Corporation
Inventors
Raghavan, Venkat, Hinton, Heather Maria, Turner, Brian James, Moran, Anthony Scott, Glazer, Ian Michael, Bray, Gavis George, Weeden, Shane

Granted Patent

US 8,607,322 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/10
CPC Class Codes

G06F 21/41   where a single sign-on prov...

H04L 63/0407   wherein the identity of one...

H04L 63/0815   providing single-sign-on or...

Method and system for federated provisioning

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for federated provisioning

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links