Using SSO processes to manage security credentials in a provisioning management system

US 20060248577A1
Filed: 04/29/2005
Published: 11/02/2006
Est. Priority Date: 04/29/2005
Status: Abandoned Application

First Claim

Patent Images

11. A data processing system comprising:

a bus system;

a communications system connected to the bus system;

a memory connected to the bus system, wherein the memory includes a set of instructions;

an instruction execution unit; and

a processing unit connected to the bus system, wherein the processing unit executes the set of instructions to receive a request from a client, wherein the request includes input parameters and wherein the input parameters define a host domain of a host;

verify the host domain;

verify client credentials in response to the host domain being verified, wherein the client credentials indicate accessibility to the host domain;

check the host accessibility in response to the client credentials being verified; and

return to the client a link to service access protocol credentials of the host in response to the host being accessible.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, apparatus, and computer program product are provided for using single sign-on (SSO) processes to manage security credentials in a provisioning management system. Service access operations are provided that embed credential operations and matching algorithms. Credential operations are treated at different levels of abstraction and define separate services to deal with authentication and authorization aspects. This is performed in order to be able to plug-in an external credential repository, which may be authentication/authorization provided by a third party entity.

75 Citations

View as Search Results

23 Claims

11. A data processing system comprising:
- a bus system;
  
  a communications system connected to the bus system;
  
  a memory connected to the bus system, wherein the memory includes a set of instructions;
  
  an instruction execution unit; and
  
  a processing unit connected to the bus system, wherein the processing unit executes the set of instructions to receive a request from a client, wherein the request includes input parameters and wherein the input parameters define a host domain of a host;
  
  verify the host domain;
  
  verify client credentials in response to the host domain being verified, wherein the client credentials indicate accessibility to the host domain;
  
  check the host accessibility in response to the client credentials being verified; and
  
  return to the client a link to service access protocol credentials of the host in response to the host being accessible.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The data processing system of claim 11, wherein the processing unit executing the set of instructions to verify the client credentials further comprises the processing unit executing a set of instructions to match the host domain to client predefined domains;
    - check the existence of the host domain in a data structure in response to a match of the host domain; and
      
      send an acknowledgement to the client in response to the existence of the host domain in the data structure.
  - 13. The data processing system of claim 12, wherein the processing unit executes a further set of instructions to request the addition of a new domain to the data structure in response to a non-match of the host domain;
    - retrieve the data structure from the host;
      
      select a parent domain from the data structure;
      
      create the new domain name;
      
      set the new domain name in the data structure to form a modified data structure;
      
      determine if credentials are to be associated with the new domain;
      
      set a configuration specifying the credentials that are to be associated in the modified data structure in response to an indication that credentials are to be associated with the new domain;
      
      attach the new domain to the parent domain;
      
      validate the modified data structure; and
      
      store the modified data structure on the host.
  - 14. The data processing system of claim 13, wherein the processing unit executes a further set of instructions to determine if the new domain is to be a node domain;
    - select at least one child domain from the data structure in response to an indication that the new domain is to be a node domain;
      
      attach the at least one child domain to the new domain; and
      
      detach the at least one child domain from the parent domain.
  - 15. The data processing system of claim 11, wherein the processing unit executing the set of instructions to check host accessibility further comprises the processing unit executing a set of instructions to check as to whether the host domain is found in a data structure;
    - and send an acknowledgement to the client in response to the existence of the host domain in the data structure.
  - 16. The data processing system of claim 15, wherein the processing unit executes a further set of instructions to check for a sub-domain in the data structure in response the nonexistence of the host domain in the data structure;
    - and sending an acknowledgement to the client in response to the existence of a sub-domain.
  - 17. The data processing system of claim 11, wherein the request from the client is a particular request for access to a new domain and the processing unit, in order to access the new domain, executes a further set of instructions to verify if the new domain exists in a data structure;
    - verifying the client credentials for access to the new domain in response to the new domain existing in the data structure; and
      
      create an indication of access to the new domain in a data structure on the client.

18. A computer program product for managing security credentials the computer program product comprising:
- a computer usable medium embodying one or more instructions executable by the computer, the one or more instructions comprising;
  
  first instructions for receiving a request from a client, wherein the request includes input parameters and wherein the input parameters define a host domain of a host;
  
  second instructions for verifying the host domain;
  
  in response to the host domain being verified, third instructions for verifying client credentials, wherein the client credentials indicate accessibility to the host domain;
  
  in response to the client credentials being verified, fourth instructions for checking the host accessibility; and
  
  in response to the host being accessible, fifth instructions for returning to the client a link to service access protocol credentials of the host.
- View Dependent Claims (1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 19, 20, 21, 22, 23)
- - 1. A method for managing security credentials comprising:
    - receiving a request from a client, wherein the request includes input parameters and wherein the input parameters define a host domain of a host;
      
      verifying the host domain;
      
      in response to the host domain being verified, verifying client credentials, wherein the client credentials indicate accessibility to the host domain;
      
      in response to the client credentials being verified, checking the host accessibility; and
      
      in response to the host being accessible, returning to the client a link to service access protocol credentials of the host.
  - 2. The method of claim 1, wherein the step of verifying client credentials further comprises:
    - matching the host domain to client predefined domains;
      
      in response to a match of the host domain, checking the existence of the host domain in a data structure; and
      
      in response to the existence of the host domain in the data structure, sending an acknowledgement to the client.
  - 3. The method of claim 2, further comprising:
    - in response to a non-match of the host domain, requesting the addition of a new domain to the data structure;
      
      retrieving the data structure from the host;
      
      selecting a parent domain from the data structure;
      
      creating the new domain name;
      
      setting the new domain name in the data structure to form a modified data structure;
      
      determining if credentials are to be associated with the new domain;
      
      in response to an indication that credentials are to be associated with the new domain, setting a configuration specifying the credentials that are to be associated in the modified data structure;
      
      attaching the new domain to the parent domain;
      
      validating the modified data structure; and
      
      storing the modified data structure on the host.
  - 4. The method of claim 3, further comprising:
    - determining if the new domain is to be a node domain;
      
      in response to an indication that the new domain is to be a node domain, selecting at least one child domain from the data structure;
      
      attaching the at least one child domain to the new domain; and
      
      detaching the at least one child domain from the parent domain.
  - 5. The method of claim 3, wherein storing the modified data structure on the host replaces the previous data structure.
  - 6. The method of claim 1, wherein the step of checking host accessibility further comprises:
    - checking as to whether the host domain is found in a data structure; and
      
      in response to the existence of the host domain in the data structure, sending an acknowledgement to the client.
  - 7. The method of claim 6, further comprising:
    - in response the nonexistence of the host domain in the data structure, checking for a sub-domain in the data structure; and
      
      in response to the existence of a sub-domain, sending an acknowledgement to the client.
  - 8. The method of claim 1, wherein the request from the client is a particular request for access to a new domain and the method for accessing the new domain comprises:
    - verifying if the new domain exists in a data structure;
      
      in response to the new domain existing in the data structure, verifying the client credentials for access to the new domain; and
      
      creating an indication of access to the new domain in a data structure on the client.
  - 9. The method of claim 1, wherein the request from the client is for access to a service.
  - 10. The method of claim 1, wherein the request is a single sign on request.
  - 19. The computer program product of claim 18, wherein the third instructions for verifying client credentials further comprises:
    - first sub-instructions for matching the host domain to client predefined domains;
      
      in response to a match of the host domain, second sub-instructions for checking the existence of the host domain in a data structure; and
      
      in response to the existence of the host domain in the data structure, third sub-instructions for sending an acknowledgement to the client.
  - 20. The computer program product of claim 19, further comprising:
    - in response to a non-match of the host domain, first sub-instructions for requesting the addition of a new domain to the data structure;
      
      second sub-instructions for retrieving the data structure from the host;
      
      third sub-instructions for selecting a parent domain from the data structure;
      
      fourth sub-instructions for creating the new domain name;
      
      fifth sub-instructions for setting the new domain name in the data structure to form a modified data structure;
      
      sixth sub-instructions for determining if credentials are to be associated with the new domain;
      
      in response to an indication that credentials are to be associated with the new domain, seventh sub-instructions for setting a configuration specifying the credentials that are to be associated in the modified data structure;
      
      eighth sub-instructions for attaching the new domain to the parent domain;
      
      ninth sub-instructions for validating the modified data structure; and
      
      tenth sub-instructions for storing the modified data structure on the host.
  - 21. The computer program product of claim 20, further comprising:
    - first sub-instructions for determining if the new domain is to be a node domain;
      
      in response to an indication that the new domain is to be a node domain, second sub-instructions for selecting at least one child domain from the data structure;
      
      third sub-instructions for attaching the at least one child domain to the new domain; and
      
      fourth sub-instructions for detaching the at least one child domain from the parent domain.
  - 22. The computer program product of claim 18, wherein the fourth instructions for checking host accessibility further comprises:
    - first sub-instructions for checking as to whether the host domain is found in a data structure; and
      
      in response to the existence of the host domain in the data structure, second sub-instructions for sending an acknowledgement to the client.
  - 23. The computer program product of claim 18, wherein the request from the client is a particular request for access to a new domain and the instructions for accessing the new domain comprises:
    - first sub-instructions for verifying if the new domain exists in a data structure;
      
      in response to the new domain existing in the data structure, second sub-instructions for verifying the client credentials for access to the new domain; and
      
      third sub-instructions for creating an indication of access to the new domain in a data structure on the client.

22-1. The computer program product of claim 18, further comprising:
- in response the nonexistence of the host domain in the data structure, first sub-instructions for checking for a sub-domain in the data structure; and
  
  in response to the existence of a sub-domain, second sub-instructions for sending an acknowledgement to the client.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Beghian, Antranig Edward, Faur, Adrian

Application Number

US11/117,897
Publication Number

US 20060248577A1
Time in Patent Office

Days
Field of Search
US Class Current

726/5
CPC Class Codes

G06F 21/41   where a single sign-on prov...

H04L 63/0815   providing single-sign-on or...

H04L 63/102   Entity profiles

Using SSO processes to manage security credentials in a provisioning management system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

75 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Using SSO processes to manage security credentials in a provisioning management system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

75 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links