Enterprise service-to-service trust framework
Abstract
Embodiments of the invention provide a trust framework for governing service-to-service interactions. This trust framework can provide enhanced security and/or manageability over prior systems. Merely by way of example, in some cases, an information store can be used to store security information (such as trust information, credentials, etc.) for a variety of services across an enterprise. In other cases, the trust framework can provide authentication policies to define and/or control authentication between services (such as, for example, the types of authentication credentials and/or protocols that are required to access a particular service—either as a user and/or as another service—and/or the types of authentication credentials and/or protocols a service may be enabled to use to access another service). Alternatively and/or additionally, the trust framework can provide authorization policies to define and/or control authorization between services.
23 Claims
1. In an enterprise computing network, a system for providing authorization and authentication in response to a service request from a client computer, the system comprising:
a centralized policy server comprising a centralized policy repository, the centralized policy repository comprising:
(a) an information store configured to store a plurality of sets of trust information, each of the plurality of sets of trust information comprising trust information about one of a plurality of services;
(b) one or more authorization models, each of the one or more authorization models comprising information about a mode of interaction between two or more services;
(c) one or more authentication policies, each of the one or more authentication policies defining a set of authentication requirements for a particular service; and
(d) one or more authorization policies, each of the one or more authorization policies defining a set of authorization requirements for a particular service;
a first server computer comprising a first processor and a first set of instructions executable by the first processor, the first set of instructions comprising:
(a) instructions to receive with a first service the service request from the client computer;
(b) instructions to ascertain that the service request requests an operation to be performed by a second service at a second server computer;
(c) instructions to obtain from the centralized policy repository an identifier of the first service;
(d) instructions to transmit a request for the operation for reception by the second server computer, the request comprising the identifier of the first service;
a second server computer comprising a second processor and a second set of instructions executable by the second processor, the second set of instructions comprising:
(a) instructions to receive, with the second service, the request for the operation from the first server computer;
(b) instructions to transmit an authentication request for reception by the centralized policy server, the authentication request comprising the identifier;
(c) instructions to transmit an authorization request for reception by the centralized policy server; and
(d) instructions to provide the requested operation, based on an authentication status and an authorization status of the first server; and
an application programming interface (“API”) configured to allow the first service and the second service to communicate with the centralized policy repository;
wherein the centralized policy server further comprises a third processor and a third set of instructions executable by the third processor, the third set of instructions comprising:
(a) instructions to receive the authentication request;
(b) instructions to identify the first service, based on the identifier;
(c) instructions to determine, based on an authentication policy for the second service, a set of authentication information for the first service, the set of authentication information being sufficient to authenticate the first service;
(d) instructions to provide the set of authentication information to the second server computer;
(e) instructions to receive the authorization request;
(f) instructions to determine, based on an authorization policy for the second service, a set of authorization information for the first service, the set of authorization information being sufficient to indicate whether the first service is authorized for the second service; and
(g) instructions to provide the set of authorization information to the second server computer.
2. In a computer environment comprising a plurality of services distributed across a plurality of network nodes, the plurality of services comprising a target service that is configured to perform a requested operation and a source service that requests the requested operation, a method of providing authentication and authorization among the plurality of services, the method comprising:
receiving, at a centralized policy repository, a first request from the target service, the first request comprising a request for authentication information about the source service;
determining, based on an authentication policy for the target service, a set of trust information required by the target service for authentication;
providing a first response to the target service, the first response comprising information for authenticating the source service;
receiving, at the centralized policy repository, a second request from the target service, the second request comprising a request for authorization information about an authorization of the source service to access the target service;
determining, based on an authorization policy for the target service, a set of authorization requirements for the source service; and
providing a second response to the target service, the second response comprising information about authorizing the source service.
14. In a computer environment comprising a plurality of services distributed across a plurality of network nodes, a method of providing a service-to-service trust framework to allow interoperability between two or more services, the method comprising:
providing, at a centralized policy repository, an information store configured to store trust information related to each of the plurality of services;
providing an authorization model to define an interaction between the two or more services, wherein the two or more services comprise a target service that is configured to perform a requested operation and a source service that requests the requested operation;
providing, at the centralized policy repository, at least one authentication policy for the target service to define a set of authentication requirements for the target service;
providing, at the centralized policy repository, at least one authorization policy for the target service to define a set of authorization requirements for the target service; and
providing an application programming interface (“API”) to allow each of the two or more services to communicate with the information store.
23. In a computer environment comprising a plurality of services distributed across a plurality of network nodes, a service-to-service trust framework for facilitating interactions between two or more services, the framework comprising:
an information store configured to store trust information related to each of the plurality of services;
an authorization model to define an interaction between the two or more services, wherein the two or more services comprise a target service that is configured to perform a requested operation and a source service that requests the requested operation;
at least one authentication policy for the target service to define a set of authentication requirements for the target service;
at least one authorization policy for the target service to define a set of authorization requirements for the target service; and
an application programming interface (“API”) to allow each of the two or more services to communicate with the information store.
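A compact model of the flow described in claims 1, 2, 14 and 23 above, as an added example that is not code from the patent: the source service obtains its identifier from the centralized policy repository, the target service asks the repository for authentication and then authorization information under the target's own policies, and performs the operation only when both checks pass. All service names, identifiers, credential values and policies are constructed for illustration.

```python
from dataclasses import dataclass

# Added example, not code from the patent. All service names, identifiers,
# credential values and policies below are constructed for illustration.
@dataclass
class PolicyRepository:
    trust_info: dict      # identifier -> {"service": name, "credentials": {type: value}}
    authn_policies: dict  # target service -> credential type it requires from callers
    authz_policies: dict  # target service -> {source service: set of allowed operations}

    def identifier_for(self, service):
        # Source service looks up its own identifier before calling the target.
        return next(i for i, t in self.trust_info.items() if t["service"] == service)

    def authentication_info(self, target, identifier):
        """Return what the target needs to verify the caller, per the target's policy."""
        entry = self.trust_info.get(identifier)
        ctype = self.authn_policies.get(target)
        if entry is None or ctype is None:
            return None  # unknown caller or target without a policy: fail closed
        return {"service": entry["service"], "type": ctype,
                "expected": entry["credentials"].get(ctype)}

    def authorization_info(self, target, source, operation):
        # Apply the target's authorization policy to the (source, operation) pair.
        allowed = self.authz_policies.get(target, {}).get(source, set())
        return {"authorized": operation in allowed}

def target_service(repo, target, request):
    """Second service: authenticate, then authorize, then perform the operation."""
    info = repo.authentication_info(target, request["identifier"])
    # The identifier alone is never trusted: the target compares the credential the
    # caller presented with the value the repository holds for that identifier.
    presented = request["credentials"].get(info["type"]) if info else None
    if info is None or info["expected"] is None or presented != info["expected"]:
        return "refused: authentication failed"
    if not repo.authorization_info(target, info["service"], request["operation"])["authorized"]:
        return "refused: not authorized"
    return f"{target} performed {request['operation']} for {info['service']}"

def source_service(repo, source, target, operation, credentials):
    """First service: forward the client's operation to the target with its identifier."""
    request = {"identifier": repo.identifier_for(source), "operation": operation,
               "credentials": credentials}
    return target_service(repo, target, request)

REPO = PolicyRepository(
    trust_info={"svc-0001": {"service": "orders", "credentials": {"mtls-fingerprint": "AA:BB:01"}},
                "svc-0002": {"service": "billing", "credentials": {"shared-secret": "s3cr3t"}}},
    authn_policies={"billing": "mtls-fingerprint", "orders": "shared-secret"},
    authz_policies={"billing": {"orders": {"create-invoice"}}},
)
```

Because each target's authentication policy names the credential type it accepts, a caller presenting a credential of a type the repository does not hold for it is refused even when the identifier is known.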