Method and system for native authentication protocols in a heterogeneous federated environment

US 20070234417A1
Filed: 06/12/2007
Published: 10/04/2007
Est. Priority Date: 12/31/2002
Status: Active Grant

First Claim

Patent Images

1. A method for authenticating a user within a distributed computing environment, wherein the distributing computing environment includes a plurality of authentication domains, each of which use a respective authentication protocol, the method comprising:

receiving from a system in a first authentication domain at a system in a second authentication domain an authentication assertion that is formatted in accordance with a first authentication protocol;

routing the authentication assertion to a trust proxy associated with the second authentication domain;

determining at the trust proxy to translate the authentication assertion from the first authentication protocol to a second authentication protocol used in the second authentication domain; and

translating the authentication assertion to the second authentication protocol.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is presented in which federated domains interact within a federated environment. Domains within a federation can initiate federated single-sign-on operations for a user at other federated domains. A point-of-contact server within a domain relies upon a trust proxy within the domain to manage trust relationships between the domain and the federation. Trust proxies interpret assertions from other federated domains as necessary. Trust proxies may have a trust relationship with one or more trust brokers, and a trust proxy may rely upon a trust broker for assistance in interpreting assertions.

90 Citations

View as Search Results

21 Claims

1. A method for authenticating a user within a distributed computing environment, wherein the distributing computing environment includes a plurality of authentication domains, each of which use a respective authentication protocol, the method comprising:
- receiving from a system in a first authentication domain at a system in a second authentication domain an authentication assertion that is formatted in accordance with a first authentication protocol;
  
  routing the authentication assertion to a trust proxy associated with the second authentication domain;
  
  determining at the trust proxy to translate the authentication assertion from the first authentication protocol to a second authentication protocol used in the second authentication domain; and
  
  translating the authentication assertion to the second authentication protocol.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 further comprising:
    - performing the receiving step and the routing step at a point-of-contact server in the second authentication domain.
  - 3. The method of claim 1 further comprising:
    - accepting the authentication assertion in the second authentication domain as proof-of-authentication in the first authentication domain.
  - 4. The method of claim 1 further comprising:
    - accepting the authentication assertion in the second authentication domain to implement a single-sign-on operation within the distributed computing environment.
  - 5. The method of claim 1 further comprising:
    - receiving from the system in the first authentication domain at the system in the second authentication domain a request for a resource identifiable within the second authentication domain;
      
      routing the request for the resource to an application server hosted within the second authentication domain;
      
      triggering an authentication challenge by the application server; and
      
      responding to the authentication challenge by a system within the second authentication domain using information within the authentication assertion that has been translated to the second authentication protocol.
  - 6. The method of claim 1 further comprising:
    - invoking assistance from a trust broker to translate the authentication assertion to the second authentication protocol, wherein the trust broker maintains trust relationships with a plurality of authentication domains in the distributed computing environment.
  - 7. The method of claim 1 further comprising:
    - performing translation of a security token within a security token service hosted within the second authentication domain.

8. A data processing system for authenticating a user within a distributing environment, wherein the distributing computing environment includes a first authentication domain and a second authentication domain amongst a plurality of authentication domains, each of which use a respective authentication protocol, wherein the data processing system supports the second authentication domain, the data processing system comprising:
- means for receiving at the data processing system an authentication assertion from a system in a first authentication domain, wherein the authentication assertion is formatted in accordance with a first authentication protocol;
  
  means for routing the authentication assertion to a trust proxy associated with the second authentication domain;
  
  means for determining at the trust proxy to translate the authentication assertion from the first authentication protocol to a second authentication protocol used in the second authentication domain; and
  
  means for translating the authentication assertion to the second authentication protocol.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The data processing system of claim 8 further comprising:
    - means for performing the receiving step and the routing step at a point-of-contact server in the second authentication domain.
  - 10. The data processing system of claim 8 further comprising:
    - means for accepting the authentication assertion in the second authentication domain as proof-of-authentication in the first authentication domain.
  - 11. The data processing system of claim 8 further comprising:
    - means for accepting the authentication assertion in the second authentication domain to implement a single-sign-on operation within the distributed computing environment.
  - 12. The data processing system of claim 8 further comprising:
    - means for receiving from the system in the first authentication domain at the system in the second authentication domain a request for a resource identifiable within the second authentication domain;
      
      means for routing the request for the resource to an application server hosted within the second authentication domain;
      
      means for triggering an authentication challenge by the application server; and
      
      means for responding to the authentication challenge by a system within the second authentication domain using information within the authentication assertion that has been translated to the second authentication protocol.
  - 13. The data processing system of claim 8 further comprising:
    - means for invoking assistance from a trust broker to translate the authentication assertion to the second authentication protocol, wherein the trust broker maintains trust relationships with a plurality of authentication domains in the distributed computing environment.
  - 14. The data processing system of claim 8 further comprising:
    - means for performing translation of a security token within a security token service hosted within the second authentication domain.

15. A computer program product in a computer readable medium for use in a data processing system in a distributed computing environment for authenticating a user, wherein the distributed computing environment includes a plurality of authentication domains, each of which use a respective authentication protocol, the computer program product comprising:
- means for receiving from a system in a first authentication domain at a system in a second authentication domain an authentication assertion that is formatted in accordance with a first authentication protocol;
  
  means for routing the authentication assertion to a trust proxy associated with the second authentication domain;
  
  means for determining at the trust proxy to translate the authentication assertion from the first authentication protocol to a second authentication protocol used in the second authentication domain; and
  
  means for translating the authentication assertion to the second authentication protocol.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The computer program product of claim 15 further comprising:
    - means for performing the receiving step and the routing step at a point-of-contact server in the second authentication domain.
  - 17. The computer program product of claim 15 further comprising:
    - means for accepting the authentication assertion in the second authentication domain as proof-of-authentication in the first authentication domain.
  - 18. The computer program product of claim 15 further comprising:
    - means for accepting the authentication assertion in the second authentication domain to implement a single-sign-on operation within the distributed computing environment.
  - 19. The computer program product of claim 15 further comprising:
    - means for receiving from the system in the first authentication domain at the system in the second authentication domain a request for a resource identifiable within the second authentication domain;
      
      means for routing the request for the resource to an application server hosted within the second authentication domain;
      
      means for triggering an authentication challenge by the application server; and
      
      means for responding to the authentication challenge by a system within the second authentication domain using information within the authentication assertion that has been translated to the second authentication protocol.
  - 20. The computer program product of claim 15 further comprising:
    - means for invoking assistance from a trust broker to translate the authentication assertion to the second authentication protocol, wherein the trust broker maintains trust relationships with a plurality of authentication domains in the distributed computing environment.
  - 21. The computer program product of claim 15 further comprising:
    - means for performing translation of a security token within a security token service hosted within the second authentication domain.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Hinton, Heather, Nadalin, Anthony, Blakley III, George

Granted Patent

US 8,042,162 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/12
CPC Class Codes

H04L 2463/102   applying security measure f...

H04L 63/0281   Proxies

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/0823   using certificates cryptogr...

Method and system for native authentication protocols in a heterogeneous federated environment

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

90 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for native authentication protocols in a heterogeneous federated environment

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

90 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links