FEDERATED AUTHORIZATION FOR DISTRIBUTED COMPUTING
First Claim
1. A method for federated authorization comprising:
- receiving a request for an authorization assertion for a subject at an authorization policy service from a requesting process, wherein the authorization policy service assembles the authorization assertion comprising at least one digitally signed authorization data fragment associated with the subject, wherein the authorization data fragment specifies metadata for access of the subject to a resource;
sending the authorization assertion to the requesting process, wherein the at least one digitally signed authorization data fragment is utilized by a servicing process for autonomous determination of authorization of the subject to access the resource based on a trust relationship between the authorization policy service and the servicing process.
24 Assignments
0 Petitions
Accused Products
Abstract
Distributed computing systems can exchange authorization information in a manner which alleviates the need for a receiving system to utilize any external systems when making an authorization decision. The trusted authorization provider can digitally sign authorization snippets of information. The requestor sends the digitally signed authorization snippet with the request. Because both computing processes trust the same authorization provider, the servicer of the request is able to grant or deny access in a completely autonomous fashion without having to rely on external resources for authorization. A requesting process can determine the digitally signed authorization snippet corresponding with the request. The servicing process can rely on the digitally signed authorization snippet to perform the authorization.
-
Citations
20 Claims
-
1. A method for federated authorization comprising:
-
receiving a request for an authorization assertion for a subject at an authorization policy service from a requesting process, wherein the authorization policy service assembles the authorization assertion comprising at least one digitally signed authorization data fragment associated with the subject, wherein the authorization data fragment specifies metadata for access of the subject to a resource; sending the authorization assertion to the requesting process, wherein the at least one digitally signed authorization data fragment is utilized by a servicing process for autonomous determination of authorization of the subject to access the resource based on a trust relationship between the authorization policy service and the servicing process. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
-
-
9. A system for federated authorization comprising:
a servicing process executing on a computer that receives a signed authorization data fragment comprising a symmetric or asymmetric encryption/decryption key for an encryption/decryption or digital signature algorithm and a request for access to a resource controlled by servicing process from a requesting process, wherein the servicing process autonomously determines authorization of the subject to the resource based on a trust relationship between the servicing process and a signer of the signed authorization data fragment. - View Dependent Claims (10, 11, 12, 13, 14)
-
15. A computer-readable storage medium comprising computer-executable instructions that when executed in a computing environment:
-
send a request to an authorization policy service for an authorization assertion for a subject; and receive the authorization assertion from the authorization policy service, wherein the authorization assertion comprises at least one digitally signed authorization data fragment associated with the subject, wherein the authorization data fragment specifies authorization metadata associated with access of the subject to a resource. - View Dependent Claims (16, 17, 18, 19, 20)
-
Specification