Method and system for native authentication protocols in a heterogeneous federated environment
Abstract
A method is presented in which federated domains interact within a federated environment. Domains within a federation can initiate federated single-sign-on operations for a user at other federated domains. A point-of-contact server within a domain relies upon a trust proxy within the domain to manage trust relationships between the domain and the federation. Trust proxies interpret assertions from other federated domains as necessary. Trust proxies may have a trust relationship with one or more trust brokers, and a trust proxy may rely upon a trust broker for assistance in interpreting assertions.
21 Claims
1. A method for authenticating a user within a distributed computing environment, wherein the distributed computing environment includes a plurality of authentication domains, each of which uses a respective authentication protocol, the method comprising:
receiving from a system in a first authentication domain, at a system in a second authentication domain, an authentication assertion that is formatted in accordance with a first authentication protocol;
routing the authentication assertion to a trust proxy associated with the second authentication domain;
determining at the trust proxy to translate the authentication assertion from the first authentication protocol to a second authentication protocol used in the second authentication domain; and
translating the authentication assertion to the second authentication protocol.
(Dependent claims: 2, 3, 4, 5, 6, 7)
8. A data processing system for authenticating a user within a distributed computing environment, wherein the distributed computing environment includes a first authentication domain and a second authentication domain amongst a plurality of authentication domains, each of which uses a respective authentication protocol, wherein the data processing system supports the second authentication domain, the data processing system comprising:
means for receiving at the data processing system an authentication assertion from a system in the first authentication domain, wherein the authentication assertion is formatted in accordance with a first authentication protocol;
means for routing the authentication assertion to a trust proxy associated with the second authentication domain;
means for determining at the trust proxy to translate the authentication assertion from the first authentication protocol to a second authentication protocol used in the second authentication domain; and
means for translating the authentication assertion to the second authentication protocol.
(Dependent claims: 9, 10, 11, 12, 13, 14)
15. A computer program product in a computer readable medium for use in a data processing system in a distributed computing environment for authenticating a user, wherein the distributed computing environment includes a plurality of authentication domains, each of which uses a respective authentication protocol, the computer program product comprising:
means for receiving from a system in a first authentication domain, at a system in a second authentication domain, an authentication assertion that is formatted in accordance with a first authentication protocol;
means for routing the authentication assertion to a trust proxy associated with the second authentication domain;
means for determining at the trust proxy to translate the authentication assertion from the first authentication protocol to a second authentication protocol used in the second authentication domain; and
means for translating the authentication assertion to the second authentication protocol.
(Dependent claims: 16, 17, 18, 19, 20, 21)
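Worked example of the claimed method, added here as an illustration; it is not code from the patent or its assignee. A trust proxy for the second authentication domain receives an assertion issued under the first domain's protocol, decides whether it can be translated, and re-issues it under the second domain's protocol. Both protocols are simplified stand-ins chosen for the example: the foreign assertion is a signed JSON document and the local token is a compact JWT-style string, with HMAC-SHA256 standing in for the XML or public-key signatures a real federation would use. The domain names, keys, the `groups` attribute and the `TrustProxy` class with its helper functions are all assumptions. The checks a practitioner expects from a trust proxy before it translates anything are spelled out in the comments: the issuer must hold an established trust relationship, the signature must verify, the assertion must be addressed to this domain, it must be unexpired, and the translated token must never outlive the original.

```python
"""Trust proxy translating a foreign-domain assertion into a local token.
Added example; formats, keys, domain names and attribute names are assumed."""
import base64
import hashlib
import hmac
import json
import time


class AssertionRejected(Exception):
    """Raised when the trust proxy refuses to translate an assertion."""


def _canon(obj) -> bytes:
    # Canonical serialisation so signer and verifier hash identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# First authentication protocol (stand-in): signed JSON assertion from domain A.
def issue_foreign_assertion(issuer_key: bytes, issuer: str, subject: str,
                            audience: str, not_after: float, attrs: dict) -> bytes:
    body = {"issuer": issuer, "subject": subject, "audience": audience,
            "not_after": not_after, "attrs": attrs}
    sig = hmac.new(issuer_key, _canon(body), hashlib.sha256).hexdigest()
    return _canon({"body": body, "sig": sig})


# Second authentication protocol (stand-in): compact HS256-style token for domain B.
def verify_local_token(local_key: bytes, token: str, now: float) -> dict:
    header_b64, payload_b64, sig_b64 = token.split(".")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(local_key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig_b64)):
        raise AssertionRejected("local token signature invalid")
    payload = json.loads(_unb64(payload_b64))
    if now >= payload["exp"]:
        raise AssertionRejected("local token expired")
    return payload


class TrustProxy:
    """Trust proxy of the second domain: trust decision, verification, translation."""

    def __init__(self, local_issuer: str, local_key: bytes,
                 trusted_issuers: dict, max_ttl: float = 300):
        self.local_issuer = local_issuer
        self.local_key = local_key
        self.trusted_issuers = trusted_issuers  # foreign issuer -> shared key
        self.max_ttl = max_ttl

    def translate(self, assertion: bytes, now: float = None) -> str:
        now = time.time() if now is None else now
        doc = json.loads(assertion)
        body, sig = doc["body"], doc["sig"]
        # 1. Trust decision: only issuers with an established trust relationship.
        key = self.trusted_issuers.get(body["issuer"])
        if key is None:
            raise AssertionRejected(f"untrusted issuer {body['issuer']!r}")
        # 2. Integrity: constant-time check of the foreign signature.
        expected = hmac.new(key, _canon(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            raise AssertionRejected("foreign signature invalid")
        # 3. Scope: addressed to this domain and still valid.
        if body["audience"] != self.local_issuer:
            raise AssertionRejected("assertion not intended for this domain")
        if now >= body["not_after"]:
            raise AssertionRejected("assertion expired")
        # 4. Translate: re-issue under the local key without extending lifetime.
        payload = {"iss": self.local_issuer, "sub": body["subject"],
                   "orig_iss": body["issuer"],
                   "exp": min(body["not_after"], now + self.max_ttl),
                   "groups": body["attrs"].get("groups", [])}
        header = {"alg": "HS256", "typ": "JWT"}
        signing_input = f"{_b64(_canon(header))}.{_b64(_canon(payload))}"
        sig_bytes = hmac.new(self.local_key, signing_input.encode(),
                             hashlib.sha256).digest()
        return f"{signing_input}.{_b64(sig_bytes)}"


# Constructed sample: domain A asserts "alice" to domain B's trust proxy.
KEY_A = b"shared-secret-between-a-and-b"  # assumed federation key
KEY_B = b"domain-b-internal-signing-key"  # assumed local signing key
NOW = 1_700_000_000.0                      # fixed clock for a repeatable run


def demo() -> dict:
    proxy = TrustProxy("sp.b.example", KEY_B, {"idp.a.example": KEY_A})
    assertion = issue_foreign_assertion(KEY_A, "idp.a.example", "alice",
                                        "sp.b.example", NOW + 60,
                                        {"groups": ["admins"]})
    token = proxy.translate(assertion, now=NOW)
    return verify_local_token(KEY_B, token, now=NOW)


if __name__ == "__main__":
    print(demo())
```

The point-of-contact server in the second domain only ever sees the output of `translate`; every decision about whether the first domain's assertion deserves to be honoured is made inside the trust proxy, which is what lets the rest of the domain keep speaking its native protocol. The `exp` of the re-issued token is capped at the original `not_after`, so translation can narrow but never widen what the issuing domain granted.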