METHOD AND SYSTEM FOR IMPLEMENTING A FLOATING IDENTITY PROVIDER MODEL ACROSS DATA CENTERS

US 20080021866A1
Filed: 07/20/2006
Published: 01/24/2008
Est. Priority Date: 07/20/2006
Status: Abandoned Application

First Claim

Patent Images

1. A method for processing transactions in a federated computational environment, the computer-implemented method comprising:

receiving resource requests at a first federated entity from a second federated entity, wherein the first federated entity responds to federation protocol operations for the second federated entity in accordance with a trust relationship between the first federated entity and the second federated entity, wherein services of the first federated entity are provided by a set of data processing systems within a distributed data processing system, and wherein each data processing system in the set of data processing systems is able to act as an identity provider;

establishing a first data processing system in the set of data processing systems, through a self-assignment process by the first data processing system, to act as an identity provider across the set of data processing systems with respect to the second federated entity; and

employing, across the set of data processing systems, the first data center to perform federated protocol operations as an identity provider while processing requests from the second federated entity.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is presented for processing transactions in a federated computational environment. Resource requests are received at a first federated entity from a second federated entity. The first federated entity responds to federation protocol operations for the second federated entity in accordance with a trust relationship between the first and second federated entity. The services of the first federated entity are provided by a set of data processing systems within a distributed data processing system, and each data processing system in the set of data processing systems is able to act as an identity provider. A first data processing system in the set of data processing systems establishes itself to act as an identity provider for the set of data processing systems with respect to the second federated entity and then is employed to perform federated protocol operations as an identity provider for requests from the second federated entity.

Citations

24 Claims

1. A method for processing transactions in a federated computational environment, the computer-implemented method comprising:
- receiving resource requests at a first federated entity from a second federated entity, wherein the first federated entity responds to federation protocol operations for the second federated entity in accordance with a trust relationship between the first federated entity and the second federated entity, wherein services of the first federated entity are provided by a set of data processing systems within a distributed data processing system, and wherein each data processing system in the set of data processing systems is able to act as an identity provider;
  
  establishing a first data processing system in the set of data processing systems, through a self-assignment process by the first data processing system, to act as an identity provider across the set of data processing systems with respect to the second federated entity; and
  
  employing, across the set of data processing systems, the first data center to perform federated protocol operations as an identity provider while processing requests from the second federated entity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 further comprising:
    - establishing a second data processing system in the set of data processing systems to act as an identity provider for the set of data processing systems with respect to the second federated entity after an expiration of a configurable time period; and
      
      employing the second data processing system to perform federated protocol operations as an identity provider for requests from the second federated entity.
  - 3. The method of claim 1 further comprising:
    - setting a cookie to establish the first data processing system as acting as an identity provider for the set of data processing systems with respect to the second federated entity, wherein the cookie includes data that indicates an identity of the first data processing system.
  - 4. The method of claim 3 further comprising:
    - receiving a resource request at a second data processing system from the second federated entity, wherein the resource request is accompanied by the cookie;
      
      extracting, from the cookie, data indicating the identity of the first data processing system; and
      
      performing a single-sign-on operation for the second federated entity between the second data processing system and the first data processing system.
  - 5. The method of claim 3 further comprising:
    - generating the cookie to include an expiration value such that the first data processing system is established as the identity provider for a valid time period that is controlled by the expiration value.
  - 6. The method of claim 5 further comprising:
    - receiving a resource request at a second data processing system from the second federated entity, wherein the resource request is accompanied by the cookie;
      
      extracting the expiration value from the cookie;
      
      modifying the cookie to establish the second data processing system as acting as an identity provider for the set of data processing systems with respect to the second federated entity in response to a determination that a time period for the expiration value has passed, wherein the modified cookie includes data that indicates an identity of the second data center; and
      
      resetting the expiration value.
  - 7. The method of claim 3 further comprising:
    - modifying the cookie to remove data that indicates the identity of the first data processing system so that the cookie indicates that the first federated entity is acting as an identity provider without an assignment of a particular data processing system to act as an identity provider across the set of data processing systems with respect to the second federated entity.
  - 8. The method of claim 7 further comprising:
    - receiving a resource request at a second data processing system from the second federated entity, wherein the resource request is accompanied by the cookie;
      
      determining that the cookie does not indicate an assignment of a particular data processing system to act as an identity provider across the set of data processing systems with respect to the second federated entity; and
      
      modifying the cookie to indicate an assignment of the second data processing system to act as an identity provider across the set of data processing systems with respect to the second federated entity.

9. A computer program product on a computer readable storage medium for processing transactions in a federated computational environment, the computer program product comprising:
- instructions for receiving resource requests at a first federated entity from a second federated entity, wherein the first federated entity responds to federation protocol operations for the second federated entity in accordance with a trust relationship between the first federated entity and the second federated entity, wherein services of the first federated entity are provided by a set of data processing systems within a distributed data processing system, and wherein each data processing system in the set of data processing systems is able to act as an identity provider;
  
  instructions for establishing a first data processing system in the set of data processing systems, through a self-assignment process by the first data processing system, to act as an identity provider across the set of data processing systems with respect to the second federated entity; and
  
  instructions for employing, across the set of data processing systems, the first data center to perform federated protocol operations as an identity provider while processing requests from the second federated entity.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The computer program product of claim 9 further comprising:
    - instructions for establishing a second data processing system in the set of data processing systems to act as an identity provider for the set of data processing systems with respect to the second federated entity after an expiration of a configurable time period; and
      
      instructions for employing the second data processing system to perform federated protocol operations as an identity provider for requests from the second federated entity.
  - 11. The computer program product of claim 9 further comprising:
    - instructions for setting a cookie to establish the first data processing system as acting as an identity provider for the set of data processing systems with respect to the second federated entity, wherein the cookie includes data that indicates an identity of the first data processing system.
  - 12. The computer program product of claim 11 further comprising:
    - instructions for receiving a resource request at a second data processing system from the second federated entity, wherein the resource request is accompanied by the cookie;
      
      instructions for extracting, from the cookie, data indicating the identity of the first data processing system; and
      
      instructions for performing a single-sign-on operation for the second federated entity between the second data processing system and the first data processing system.
  - 13. The computer program product of claim 11 further comprising:
    - instructions for generating the cookie to include an expiration value such that the first data processing system is established as the identity provider for a valid time period that is controlled by the expiration value.
  - 14. The computer program product of claim 13 further comprising:
    - instructions for receiving a resource request at a second data processing system from the second federated entity, wherein the resource request is accompanied by the cookie;
      
      instructions for extracting the expiration value from the cookie;
      
      instructions for modifying the cookie to establish the second data processing system as acting as an identity provider for the set of data processing systems with respect to the second federated entity in response to a determination that a time period for the expiration value has passed, wherein the modified cookie includes data that indicates an identity of the second data center; and
      
      instructions for resetting the expiration value.
  - 15. The computer program product of claim 11 further comprising:
    - instructions for modifying the cookie to remove data that indicates the identity of the first data processing system so that the cookie indicates that the first federated entity is acting as an identity provider without an assignment of a particular data processing system to act as an identity provider across the set of data processing systems with respect to the second federated entity.
  - 16. The computer program product of claim 15 further comprising:
    - instructions for receiving a resource request at a second data processing system from the second federated entity, wherein the resource request is accompanied by the cookie;
      
      instructions for determining that the cookie does not indicate an assignment of a particular data processing system to act as an identity provider across the set of data processing systems with respect to the second federated entity; and
      
      instructions for modifying the cookie to indicate an assignment of the second data processing system to act as an identity provider across the set of data processing systems with respect to the second federated entity.

17. An apparatus for processing transactions in a federated computational environment, the apparatus comprising:
- means for receiving resource requests at a first federated entity from a second federated entity, wherein the first federated entity responds to federation protocol operations for the second federated entity in accordance with a trust relationship between the first federated entity and the second federated entity, wherein services of the first federated entity are provided by a set of data processing systems within a distributed data processing system, and wherein each data processing system in the set of data processing systems is able to act as an identity provider;
  
  means for establishing a first data processing system in the set of data processing systems, through a self-assignment process by the first data processing system, to act as an identity provider across the set of data processing systems with respect to the second federated entity; and
  
  means for employing, across the set of data processing systems, the first data center to perform federated protocol operations as an identity provider while processing requests from the second federated entity.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The apparatus of claim 17 further comprising:
    - means for establishing a second data processing system in the set of data processing systems to act as an identity provider for the set of data processing systems with respect to the second federated entity after an expiration of a configurable time period; and
      
      means for employing the second data processing system to perform federated protocol operations as an identity provider for requests from the second federated entity.
  - 19. The apparatus of claim 17 further comprising:
    - means for setting a cookie to establish the first data processing system as acting as an identity provider for the set of data processing systems with respect to the second federated entity, wherein the cookie includes data that indicates an identity of the first data processing system.
  - 20. The apparatus of claim 19 further comprising:
    - means for receiving a resource request at a second data processing system from the second federated entity, wherein the resource request is accompanied by the cookie;
      
      means for extracting, from the cookie, data indicating the identity of the first data processing system; and
      
      means for performing a single-sign-on operation for the second federated entity between the second data processing system and the first data processing system.
  - 21. The apparatus of claim 19 further comprising:
    - means for generating the cookie to include an expiration value such that the first data processing system is established as the identity provider for a valid time period that is controlled by the expiration value.
  - 22. The apparatus of claim 21 further comprising:
    - means for receiving a resource request at a second data processing system from the second federated entity, wherein the resource request is accompanied by the cookie;
      
      means for extracting the expiration value from the cookie;
      
      means for modifying the cookie to establish the second data processing system as acting as an identity provider for the set of data processing systems with respect to the second federated entity in response to a determination that a time period for the expiration value has passed, wherein the modified cookie includes data that indicates an identity of the second data center; and
      
      means for resetting the expiration value.
  - 23. The apparatus of claim 19 further comprising:
    - means for modifying the cookie to remove data that indicates the identity of the first data processing system so that the cookie indicates that the first federated entity is acting as an identity provider without an assignment of a particular data processing system to act as an identity provider across the set of data processing systems with respect to the second federated entity.
  - 24. The apparatus of claim 23 further comprising:
    - means for receiving a resource request at a second data processing system from the second federated entity, wherein the resource request is accompanied by the cookie;
      
      means for determining that the cookie does not indicate an assignment of a particular data processing system to act as an identity provider across the set of data processing systems with respect to the second federated entity; and
      
      means for modifying the cookie to indicate an assignment of the second data processing system to act as an identity provider across the set of data processing systems with respect to the second federated entity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
HINTON, HEATHER M, Gooding, Glen, Wardrop, Patrick R.

Application Number

US11/458,845
Publication Number

US 20080021866A1
Time in Patent Office

Days
Field of Search
US Class Current

707/2
CPC Class Codes

G06Q 10/10 Office automation; Time man...

METHOD AND SYSTEM FOR IMPLEMENTING A FLOATING IDENTITY PROVIDER MODEL ACROSS DATA CENTERS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND SYSTEM FOR IMPLEMENTING A FLOATING IDENTITY PROVIDER MODEL ACROSS DATA CENTERS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links