METHOD AND SYSTEM FOR DISTRIBUTED RETRIEVAL OF DATA OBJECTS WITHIN MULTI-PROTOCOL PROFILES IN FEDERATED ENVIRONMENTS

US 20080010288A1
Filed: 07/08/2006
Published: 01/10/2008
Est. Priority Date: 07/08/2006
Status: Active Grant

First Claim

Patent Images

1. A method for transferring data objects between federated entities in a federated computational environment, the computer-implemented method comprising:

receiving a data object retrieval request from a first federated entity at a second federated entity, wherein the second federated entity issues artifacts for the first federated entity in accordance with a trust relationship between the second federated entity and the first federated entity, wherein services of the second federated entity are provided by a set of data processing systems within a distributed data processing system, and wherein each data processing system in the set of data processing systems generates artifacts;

extracting an artifact from the data object retrieval request by a first data processing system in the set of data processing systems, wherein the artifact references a data object that is stored by the second federated entity;

employing the artifact to retrieve the data object by the first data processing system from a second data processing system in the set of data processing systems; and

returning a data object retrieval response from the first data processing system to the first federated entity.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is presented for transferring data objects between federated entities within a federation using artifacts. A first federated entity, such as a service provider, receives artifacts from a second federated entity, such as an identity provider, which generates data objects, such as assertions, for use at or by the first federated entity. The artifact references a data object that is locally stored by the second federated entity, which is implemented as a distributed data processing system with a set of data processing systems, each of which can generate artifacts and artifact-referenced data objects, and each of which can proxy data object retrieval requests to other data processing systems within the distributed data processing system. When the second federated entity receives a data object retrieval request with an artifact from the first federated entity, the artifact-referenced data object is retrieved from within the distributed data processing system using the artifact.

61 Citations

View as Search Results

37 Claims

1. A method for transferring data objects between federated entities in a federated computational environment, the computer-implemented method comprising:
- receiving a data object retrieval request from a first federated entity at a second federated entity, wherein the second federated entity issues artifacts for the first federated entity in accordance with a trust relationship between the second federated entity and the first federated entity, wherein services of the second federated entity are provided by a set of data processing systems within a distributed data processing system, and wherein each data processing system in the set of data processing systems generates artifacts;
  
  extracting an artifact from the data object retrieval request by a first data processing system in the set of data processing systems, wherein the artifact references a data object that is stored by the second federated entity;
  
  employing the artifact to retrieve the data object by the first data processing system from a second data processing system in the set of data processing systems; and
  
  returning a data object retrieval response from the first data processing system to the first federated entity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1 further comprising:
    - searching a local datastore of the first data processing system using the artifact;
      
      in response to a determination that the data object is not stored within a local datastore of the first data processing system, sending a retrieval request from the first data processing system to the second data processing system, wherein the retrieval request contains the artifact; and
      
      receiving a retrieval response from the second data processing system at the first data processing system, wherein the retrieval response contains the data object.
  - 3. The method of claim 1 further comprising:
    - receiving a retrieval request from the first data processing system at the second data processing system, wherein the retrieval request contains the artifact;
      
      searching a local datastore of the second data processing system using the artifact;
      
      in response to a determination that the data object is stored within a local datastore of the second data processing system, sending a retrieval response from the second data processing system to the first data processing system, wherein the retrieval response contains the data object.
  - 4. The method of claim 3 further comprising:
    - deleting the data object from a local datastore of the second data processing system.
  - 5. The method of claim 1 further comprising:
    - in response to a determination that the data object is not stored within a local datastore of the first data processing system, performing a search for the data object using the artifact within the set of data processing systems to retrieve the data object.
  - 6. The method of claim 5 further comprising:
    - individually querying data processing systems in the set of data processing systems in a serial fashion by the first data processing system until the data object is retrieved.
  - 7. The method of claim 5 further comprising:
    - concurrently querying data processing systems in the set of data processing systems in a broadcast fashion by the first data processing system to retrieve the data object.
  - 8. The method of claim 5 further comprising:
    - individually querying data processing systems in the set of data processing systems in a chained fashion until the data object is retrieved.
  - 9. The method of claim 8 further comprising:
    - receiving a retrieval request from the first data processing system at a third data processing system in the set of data processing systems, wherein the retrieval request contains the artifact;
      
      in response to a determination that the data object is not stored within a local datastore of the third data processing system, sending the retrieval request from the third data processing system to the second data processing system;
      
      receiving a retrieval response from the second data processing system at the third data processing system, wherein the retrieval response contains the data object; and
      
      sending the retrieval response from the third data processing system to the first data processing system.
  - 10. The method of claim 8 further comprising:
    - restricting the search for the data object such that a chain of queried data processing systems has a maximum length as indicated by data parameters contained within a retrieval request that is passed between queried data processing systems.
  - 11. The method of claim 1 wherein the first federated entity is an identity provider and the second federated entity is a service provider.
  - 12. The method of claim 1 wherein the first federated entity is a service provider and the second federated entity is an identity provider.
  - 13. The method of claim 1 wherein the first federated entity is an issuing party and the second federated entity is a relying party.
  - 14. The method of claim 1 wherein the first federated entity is a relying party and the second federated entity is an issuing party.
  - 15. The method of claim 1 wherein the data object is an assertion.
  - 16. The method of claim 1 wherein the data object is a security assertion.
  - 17. The method of claim 1 wherein the data object is retrieved during an authentication operation.

18. A computer program product on a computer readable storage medium for transferring data objects between federated entities in a federated computational environment, the computer program product comprising:
- instructions for receiving a data object retrieval request from a first federated entity at a second federated entity, wherein the second federated entity issues artifacts for the first federated entity in accordance with a trust relationship between the second federated entity and the first federated entity, wherein services of the second federated entity are provided by a set of data processing systems within a distributed data processing system, and wherein each data processing system in the set of data processing systems generates artifacts;
  
  instructions for extracting an artifact from the data object retrieval request by a first data processing system in the set of data processing systems, wherein the artifact references a data object that is stored by the second federated entity;
  
  instructions for employing the artifact to retrieve the data object by the first data processing system from a second data processing system in the set of data processing systems; and
  
  instructions for returning a data object retrieval response from the first data processing system to the first federated entity.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 19. The computer program product of claim 18 further comprising:
    - instructions for searching a local datastore of the first data processing system using the artifact;
      
      instructions for sending, in response to a determination that the data object is not stored within a local datastore of the first data processing system, a retrieval request from the first data processing system to the second data processing system, wherein the retrieval request contains the artifact; and
      
      instructions for receiving a retrieval response from the second data processing system at the first data processing system, wherein the retrieval response contains the data object.
  - 20. The computer program product of claim 18 further comprising:
    - instructions for receiving a retrieval request from the first data processing system at the second data processing system, wherein the retrieval request contains the artifact;
      
      instructions for searching a local datastore of the second data processing system using the artifact; and
      
      instructions for sending, in response to a determination that the data object is stored within a local datastore of the second data processing system, a retrieval response from the second data processing system to the first data processing system, wherein the retrieval response contains the data object.
  - 21. The computer program product of claim 20 further comprising:
    - instructions for deleting the data object from a local datastore of the second data processing system.
  - 22. The computer program product of claim 18 further comprising:
    - instructions for performing, in response to a determination that the data object is not stored within a local datastore of the first data processing system, a search for the data object using the artifact within the set of data processing systems to retrieve the data object.
  - 23. The computer program product of claim 22 further comprising:
    - instructions for individually querying data processing systems in the set of data processing systems in a serial fashion by the first data processing system until the data object is retrieved.
  - 24. The computer program product of claim 22 further comprising:
    - instructions for concurrently querying data processing systems in the set of data processing systems in a broadcast fashion by the first data processing system to retrieve the data object.
  - 25. The computer program product of claim 22 further comprising:
    - instructions for individually querying data processing systems in the set of data processing systems in a chained fashion until the data object is retrieved.
  - 26. The computer program product of claim 25 further comprising:
    - instructions for receiving a retrieval request from the first data processing system at a third data processing system in the set of data processing systems, wherein the retrieval request contains the artifact;
      
      instructions for sending, in response to a determination that the data object is not stored within a local datastore of the third data processing system, the retrieval request from the third data processing system to the second data processing system;
      
      instructions for receiving a retrieval response from the second data processing system at the third data processing system, wherein the retrieval response contains the data object; and
      
      instructions for sending the retrieval response from the third data processing system to the first data processing system.
  - 27. The computer program product of claim 25 further comprising:
    - instructions for restricting the search for the data object such that a chain of queried data processing systems has a maximum length as indicated by data parameters contained within a retrieval request that is passed between queried data processing systems.
  - 28. The computer program product of claim 18 wherein the second federated entity is an identity provider and the first federated entity is a service provider.
  - 29. The computer program product of claim 18 wherein the second federated entity is a service provider and the first federated entity is an identity provider.

30. An apparatus for transferring data objects between federated entities in a federated computational environment, the apparatus comprising:
- means for receiving a data object retrieval request from a first federated entity at a second federated entity, wherein the second federated entity issues artifacts for the first federated entity in accordance with a trust relationship between the second federated entity and the first federated entity, wherein services of the second federated entity are provided by a set of data processing systems within a distributed data processing system, and wherein each data processing system in the set of data processing systems generates artifacts;
  
  means for extracting an artifact from the data object retrieval request by a first data processing system in the set of data processing systems, wherein the artifact references a data object that is stored by the second federated entity;
  
  means for employing the artifact to retrieve the data object by the first data processing system from a second data processing system in the set of data processing systems; and
  
  means for returning a data object retrieval response from the first data processing system to the first federated entity.
- View Dependent Claims (31, 32, 33, 34, 35, 36, 37)
- - 31. The apparatus of claim 30 wherein the second federated entity is an identity provider and the first federated entity is a service provider.
  - 32. The apparatus of claim 30 wherein the second federated entity is a service provider and the first federated entity is an identity provider.
  - 33. The apparatus of claim 30 further comprising:
    - means for searching a local datastore of the first data processing system using the artifact;
      
      means for sending, in response to a determination that the data object is not stored within a local datastore of the first data processing system, a retrieval request from the first data processing system to the second data processing system, wherein the retrieval request contains the artifact; and
      
      means for receiving a retrieval response from the second data processing system at the first data processing system, wherein the retrieval response contains the data object.
  - 34. The apparatus of claim 30 further comprising:
    - means for receiving a retrieval request from the first data processing system at the second data processing system, wherein the retrieval request contains the artifact;
      
      means for searching a local datastore of the second data processing system using the artifact;
      
      means for sending, in response to a determination that the data object is stored within a local datastore of the second data processing system, a retrieval response from the second data processing system to the first data processing system, wherein the retrieval response contains the data object.
  - 35. The apparatus of claim 30 further comprising:
    - means for performing, in response to a determination that the data object is not stored within a local datastore of the first data processing system, a search for the data object using the artifact within the set of data processing systems to retrieve the data object.
  - 36. The apparatus of claim 35 further comprising:
    - means for individually querying data processing systems in the set of data processing systems in a serial fashion by the first data processing system until the data object is retrieved.
  - 37. The apparatus of claim 35 further comprising:
    - means for individually querying data processing systems in the set of data processing systems in a chained fashion until the data object is retrieved.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Hinton, Heather M., Duggan, Matthew P., Wardrop, Patrick R.

Granted Patent

US 7,860,883 B2
Time in Patent Office

Days
Field of Search
US Class Current

707/10
CPC Class Codes

G06F 16/2471   Distributed queries

G06F 16/256   in federated or virtual dat...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/101   Access control lists [ACL]

H04L 63/102   Entity profiles

H04L 67/10   in which an application is ...

H04L 67/1001   for accessing one among a p...

H04L 67/1008   based on parameters of serv...

H04L 67/1017   based on a round robin mech...

H04L 67/1021   based on client or server l...

METHOD AND SYSTEM FOR DISTRIBUTED RETRIEVAL OF DATA OBJECTS WITHIN MULTI-PROTOCOL PROFILES IN FEDERATED ENVIRONMENTS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

61 Citations

37 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND SYSTEM FOR DISTRIBUTED RETRIEVAL OF DATA OBJECTS WITHIN MULTI-PROTOCOL PROFILES IN FEDERATED ENVIRONMENTS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

61 Citations

37 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links