MOVING PRINCIPALS ACROSS SECURITY BOUNDARIES WITHOUT SERVICE INTERRUPTION
Abstract
An improved network architecture employs a super authority having an identity catalog to direct login authentication tasks to appropriate authorities. Authentication tasks may be performed by authorities across namespace boundaries if so directed by the super authority, such that a principal account may be moved without alteration of the account ID. In an embodiment of the invention, the identity catalog comprises a listing associating account IDs with appropriate authenticating authorities.
20 Claims
1. At an authenticating authority in a network environment, the authenticating authority configured to authenticate requests for a specified domain within the network environment, the authenticating authority communicatively coupled to one or more other authenticating authorities, each of the one or more other authenticating authorities configured to authenticate requests for one or more other specified domains within the network environment, a method for transferring an authentication request to an appropriate authenticating authority within the network environment, the method comprising:
receiving a request for access to resources within the network environment from a principal, the request including both an individual identifier and a domain identifier, the combination of the individual identifier and the domain identifier representing the identity of the principal;
forwarding at least part of the received request to a super authority prior to determining if the authenticating authority is the appropriate authenticating authority to authenticate the request, the super authority configured to direct access attempts to appropriate authenticating authorities, from among the one or more other authenticating authorities, for authentication, the super authority directing access by resolving combinations of individual identifiers and domain identifiers representing identities to appropriate authenticating authorities for authenticating the requests, the super authority including an identity catalog with a plurality of mapping entries, each mapping entry mapping a combination of an individual identifier and a domain identifier representing an identity to an appropriate authenticating authority for authenticating requests for the identity;
receiving a referral from the super authority, the referral conveying the identity of an appropriate authenticating authority that is to authenticate the received request for the identity represented by the combination of the individual identifier and the domain identifier, the referral indicating to the authenticating authority that the authenticating authority is to pass the received request to the identified appropriate authenticating authority to reduce resource consumption at the super authority; and
passing the received request from the authenticating authority to the identified appropriate authenticating authority in response to receiving the referral such that the identified appropriate authenticating authority can authenticate the received request for the principal.
Dependent claims 2 to 13 are not reproduced on this page.
14. At an authenticating authority in a network environment, the authenticating authority configured to authenticate requests within a security boundary of the network environment, the authenticating authority communicatively coupled to one or more other authenticating authorities, each of the one or more other authenticating authorities configured to authenticate requests within other security boundaries of the network environment, a method for authenticating a request for access to resources within the network environment, the method comprising:
moving a principal from the security boundary of the authenticating authority to within one of the other security boundaries without changing the principal's account ID such that the authenticating authority remains capable of authenticating requests from the principal;
altering an identity catalog at a super authority to indicate that the authenticating authority is capable of authenticating requests for the principal's account ID in response to moving the principal across security boundaries;
receiving a referred request from one of the other authenticating authorities on behalf of the principal, the request including the principal's account ID, the principal having originally submitted the referred request to the other authenticating authority, the super authority having subsequently referred the other authenticating authority to the authenticating authority subsequent to submission of the request to the other authenticating authority; and
the authenticating authority authenticating the referred request for the principal even though the referred request was originally submitted to the other authenticating authority.
Dependent claims 15 to 19 are not reproduced on this page.
20. In a network environment, a system for authenticating requests for access to resources within the network environment, the system including:
a first authenticating authority configured to authenticate requests within a first security boundary of the network environment;
a second authenticating authority configured to authenticate requests within a second security boundary of the network environment;
a super authority configured to:
receive requests including account IDs from authenticating authorities;
locate from within a catalog mapping appropriate authenticating authorities that are to authenticate a request based on the account ID included in the request;
receive indications when a principal is moved across security boundaries of the network environment; and
alter the catalog mapping for an account ID when a corresponding principal is moved across security boundaries, including altering an assignment mapping that the first authenticating authority is capable of authenticating requests for a first account ID in response to moving a first principal across security boundaries to be within the second security boundary and altering an assignment mapping that the second authenticating authority is capable of authenticating requests for a second account ID in response to moving a second principal across security boundaries to be within the first security boundary;
wherein each of the first and second authenticating authorities is further configured to:
forward received requests to the super authority prior to determining the appropriateness of authenticating the request;
receive referrals from the super authority, the referrals identifying other appropriate authenticating authorities that are to authenticate received requests based on the account ID included in a received request;
pass received requests to appropriate identified authenticating authorities in response to receiving the referrals;
receive referred requests from other authenticating authorities on behalf of principals, referred requests having been originally submitted to other authenticating authorities by principals, the super authority having subsequently referred the other authenticating authority to the first or second authenticating authority based on the account ID included in a request; and
authenticate referred requests even though the referred requests were originally submitted to the other authenticating authority.
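The following Python model is an added illustration of the architecture the abstract and claims 1, 14 and 20 describe; it is not the patent's own code, and the authority names, account IDs and catalog contents are assumed. It shows an authority forwarding every request to the super authority first, following the referral it gets back, and a principal being moved across a security boundary by changing only the catalog entry, never the account ID.

```python
class SuperAuthority:
    """Identity catalog: account ID -> name of the authority that authenticates it (claim 20)."""
    def __init__(self):
        self.catalog, self.lookups = {}, 0   # lookups counts referral queries

    def refer(self, account_id):
        self.lookups += 1
        return self.catalog.get(account_id)  # None: unknown identity, no referral issued

    def move_principal(self, account_id, authority_name):
        self.catalog[account_id] = authority_name  # only the mapping changes, never the account ID


class Authority:
    def __init__(self, name, super_authority, registry):
        self.name, self.super_authority, self.registry = name, super_authority, registry
        self.credentials, self.log = {}, []  # credentials this authority holds; referrals it passed on

    def authenticate(self, account_id, credential):
        # Claim 1: forward to the super authority before deciding whether this authority is appropriate
        target = self.super_authority.refer(account_id)
        if target is None:
            return False
        if target != self.name:
            self.log.append(f"referred {account_id} -> {target}")
            return self.registry[target].authenticate_referred(account_id, credential)
        return self.authenticate_referred(account_id, credential)

    def authenticate_referred(self, account_id, credential):
        # Claim 14: authenticate even though the request was first submitted elsewhere;
        # no second catalog lookup, which is the resource saving the referral is meant to give
        return self.credentials.get(account_id) == credential


def scenario():
    """Constructed walkthrough: alice moves from authority-A to authority-B, account ID unchanged."""
    sa, registry = SuperAuthority(), {}
    a = Authority("authority-A", sa, registry)
    b = Authority("authority-B", sa, registry)
    registry.update({a.name: a, b.name: b})
    alice = "alice@domain-a"                         # individual identifier + domain identifier
    a.credentials[alice] = "pw-alice"
    sa.move_principal(alice, a.name)
    before = a.authenticate(alice, "pw-alice")       # answered locally
    b.credentials[alice] = a.credentials.pop(alice)  # principal crosses the security boundary
    sa.move_principal(alice, b.name)                 # catalog updated; domain part of the ID stays
    after = a.authenticate(alice, "pw-alice")        # still submitted to A, authenticated by B
    wrong = a.authenticate(alice, "bad-password")
    unknown = a.authenticate("nobody@domain-c", "x") # no catalog entry, no referral
    return before, after, wrong, unknown, sa.lookups, a.log
```

Each request costs the super authority exactly one lookup regardless of where it is finally authenticated, and an identity missing from the catalog is rejected without any referral.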