MOVING PRINCIPALS ACROSS SECURITY BOUNDARIES WITHOUT SERVICE INTERRUPTION

US 20080184343A1
Filed: 03/31/2008
Published: 07/31/2008
Est. Priority Date: 09/22/2003
Status: Active Grant

First Claim

Patent Images

1. At an authenticating authority in a network environment, the authenticating authority configured to authenticate requests for a specified domain within the network environment, the authenticating authority communicatively coupled to one or more other authenticating authorities, each of the one or more other authenticating authorities configured to authenticate requests for one or more other specified domains within the network environment, a method for transferring an authentication request to an appropriate authenticating authority within the network environment, the method comprising:

receiving a request for access to resources within the network environment from a principal, the request including both an individual identifier and a domain identifier, the combination of the individual identifier and a domain identifier representing the identity of a principal;

forwarding at least part of the received request to a super authority prior to determining if the authenticating authority is the appropriate authenticating authority to authenticate the request, the super authority configured to direct access attempts to appropriate authenticating authorities, from among the one or more other authenticating authorities, for authentication, the super authority directing access by resolving combinations of individual identifiers and domain identifiers representing identities to appropriate authenticating authorities for authentication the requests, the super authority including an identity catalog with a plurality of mapping entries, each mapping entry mapping a combination of an individual identifier and an domain identifier representing an identity to an appropriate authenticating authority for authenticating requests for the identity;

receiving a referral from the super authority, the referral conveying the identify of an appropriate authenticating authority that is to authenticate the received request for the identity represented by the combination of the individual identifier and a domain identifier, the referral indicating to the authenticating authority that the authenticating authority is to pass the received request to the identified appropriate authentication authority to reduce resource consumption at the super authority; and

passing the received request from the authenticating authority to the identified appropriate authenticating authority in response to receiving the referral such that the identified appropriate authentication authority can authenticate the received request for the principal.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An improved network architecture employs a super authority having an identity catalog to direct login authentication tasks to appropriate authorities. Authentication tasks may be performed by authorities across namespace boundaries if so directed by the super authority, such that a principal account may be moved without alteration of the account ID. In an embodiment of the invention, the identity catalog comprises a listing associating account IDs with appropriate authenticating authorities.

Citations

20 Claims

1. At an authenticating authority in a network environment, the authenticating authority configured to authenticate requests for a specified domain within the network environment, the authenticating authority communicatively coupled to one or more other authenticating authorities, each of the one or more other authenticating authorities configured to authenticate requests for one or more other specified domains within the network environment, a method for transferring an authentication request to an appropriate authenticating authority within the network environment, the method comprising:
- receiving a request for access to resources within the network environment from a principal, the request including both an individual identifier and a domain identifier, the combination of the individual identifier and a domain identifier representing the identity of a principal;
  
  forwarding at least part of the received request to a super authority prior to determining if the authenticating authority is the appropriate authenticating authority to authenticate the request, the super authority configured to direct access attempts to appropriate authenticating authorities, from among the one or more other authenticating authorities, for authentication, the super authority directing access by resolving combinations of individual identifiers and domain identifiers representing identities to appropriate authenticating authorities for authentication the requests, the super authority including an identity catalog with a plurality of mapping entries, each mapping entry mapping a combination of an individual identifier and an domain identifier representing an identity to an appropriate authenticating authority for authenticating requests for the identity;
  
  receiving a referral from the super authority, the referral conveying the identify of an appropriate authenticating authority that is to authenticate the received request for the identity represented by the combination of the individual identifier and a domain identifier, the referral indicating to the authenticating authority that the authenticating authority is to pass the received request to the identified appropriate authentication authority to reduce resource consumption at the super authority; and
  
  passing the received request from the authenticating authority to the identified appropriate authenticating authority in response to receiving the referral such that the identified appropriate authentication authority can authenticate the received request for the principal.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method as recited in claim 1, wherein receiving a request for access to resources within the network environment from a principal comprises receiving a request from one of the one or more other specified domains.
  - 3. The method as recited in claim 1, wherein receiving a request for access to resources within the network environment from a principal comprises receiving a request a principal that was moved from one of the one or more other specified domains to the specified domain.
  - 4. The method as recited in claim 1, wherein receiving a request for access to resources within the network environment from a principal comprises receiving a user log in request.
  - 5. The method as recited in claim 1, wherein forwarding at least part of the received request to a super authority comprises forwarding the individual identifier and a domain identifier to the super authority.
  - 6. The method as recited in claim 1, wherein forwarding at least part of the received request to a super authority comprises forwarding at least part of the received request to a super authority having mapping entries that are at least partially based on organizational affiliation of principals within an organization.
  - 7. The method as recited in claim 1, wherein forwarding at least part of the received request to a super authority comprises forwarding at least part of the received request to a super authority to a super authority having mapping entries that are at least partially based on geographical location.
  - 8. The method as recited in claim 1, wherein forwarding at least part of the received request to a super authority comprises forwarding at least part of the received request to a super authority to a super authority that maintains a one-to-one mapping between identities and authenticating authorities
  - 9. The method as recited in claim 1, wherein forwarding at least part of the received request to a super authority comprises forwarding at least part of the received request to a super authority that maps at least two identities from different domains to the same authenticating authority.
  - 10. The method as recited in claim 1, wherein forwarding at least part of the received request to a super authority comprises forwarding at least part of the received request to a super authority that maps at least two identities from the same domain to different authenticating authorities.
  - 11. The method as recited in claim 1, wherein receiving a referral from the super authority comprises receiving a referral, the indicating that the authenticating authority is the appropriate authority for authenticating the received request.
  - 12. The method as recited in claim 1, wherein passing the received request from the authenticating authority to the identified appropriate authenticating authority comprises the authenticating authority authenticating the request.
  - 13. The method as recited in claim 1, further comprising:
    - receiving a referred request from one of the other authenticating authorities on behalf of a second principal, the request including second principal'"'"'s account ID, the second principal having originally submitted the referred request to one of the other authenticating authorities, the super authority having subsequently referred the other authenticating authority to the authenticating authority subsequent to submission of the request to the other authenticating authority; and
      
      the authenticating authority authenticating the referred request for the second principal even though the referred request was originally submitted to the other authenticating authority.

14. At an authenticating authority in a network environment, the authenticating authority configured to authenticate requests within a security boundary of the network environment, the authenticating authority communicatively coupled to one or more other authenticating authorities, each of the one or more other authenticating authorities configured to authenticate requests within other security boundaries of the network environment, a method for authenticating a request for access to resources within the network environment, the method comprising:
- moving a principal from the security boundary of the authenticating authority to within one of the other security boundaries without changing the principal'"'"'s account ID such that authenticating authority remains capable of authenticating requests from the principal;
  
  altering an identity catalog at a super authority to indicate that the authenticating authority is capable of authenticating requests for principal'"'"'s account ID in response to moving the principal across security boundaries;
  
  receiving a referred request from one of the other authenticating authorities on behalf of the principal, the request including principal'"'"'s account ID, the principal having originally submitted the referred request to the other authenticating authority, the super authority having subsequently referred the other authenticating authority to the authenticating authority subsequent to submission of the request to the other authenticating authority; and
  
  the authenticating authority authenticating the referred request for the principal even though the referred request was originally submitted to the other authenticating authority.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The method as recited in claim 14, wherein moving a principal from the security boundary of the authenticating authority to within one of the other security boundaries comprises moving the principal between organizational units within an organization.
  - 16. The method as recited in claim 14, wherein altering an identity catalog at a super authority comprises altering an identity catalog that maintains a one-to-one mapping between identities and authenticating authorities.
  - 17. The method as recited in claim 14, wherein altering an identity catalog at a super authority comprises altering an identity catalog that maps at least two identities from different security boundaries to the same authenticating authority.
  - 18. The method as recited in claim 14, wherein altering an identity catalog at a super authority comprises altering an identity catalog that maps at least two identities from the same domain to different authenticating authorities.
  - 19. The method as recited in claim 14, wherein the authenticating authority authenticating the referred request for the principal comprises authenticating a log in request that the principal submitted to other authenticating authority.

20. In a network environment, a system for authenticating requests for access to resources within the network environment, the system including:
- a first authenticating authority configured to authenticate requests within a first security boundary of the network environment;
  
  a second authenticating authority configured to authentication requests within a second security boundary of the network environment;
  
  a super authority configured to;
  
  receive requests including account IDs from authenticating authorities;
  
  locate from within a catalog mapping appropriate authenticating authorities that are to authenticate a request based on the account ID included in the request;
  
  receiving indications when a principal is moved across security boundaries of the network environment; and
  
  alter the catalog mapping for an account ID when a corresponding principal is moved across security boundaries, including altering an assignment mapping that the first authenticating authority is capable of authenticating requests for a first account ID in response to moving a first principal across security boundaries to be within the second security boundary and altering an assignment mapping that the second authenticating authority is capable of authenticating requests for a second account ID in response to moving a second principal across security boundaries to be within the first security boundary;
  
  wherein each of the first and second authentication authorities are further configured to;
  
  forwarding received requests to the super authority prior to determining the appropriateness of authenticating the request;
  
  receive referrals from the super authority, the referrals identifying other appropriate authenticating authorities that are to authenticate received requests based on the account ID included in a received request;
  
  pass received requests to appropriate identified authenticating authorities in response to receiving the referrals;
  
  receive referred requests from other authenticating authorities on behalf of principals, referred requests having been originally submitted to other authenticating authorities by principals, the super authority having subsequently referred the other authenticating authority to the first or second authentication authority based on the account ID included in a request; and
  
  authenticate referred requests even though the referred requests were originally submitted to the other authenticating authority.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Satagopan, Murli, Parham, Jeffrey B., Dixon, Brendan, Ward, Richard Bruce

Granted Patent

US 7,814,312 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

G06Q 20/3674   involving authentication

H04L 63/08   for authentication of entit...

H04L 63/0884   by delegation of authentica...

MOVING PRINCIPALS ACROSS SECURITY BOUNDARIES WITHOUT SERVICE INTERRUPTION

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

MOVING PRINCIPALS ACROSS SECURITY BOUNDARIES WITHOUT SERVICE INTERRUPTION

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links