FEDERATED AUTHORIZATION FOR DISTRIBUTED COMPUTING

US 20080263644A1
Filed: 04/23/2007
Published: 10/23/2008
Est. Priority Date: 04/23/2007
Status: Abandoned Application

First Claim

Patent Images

1. A method for federated authorization comprising:

receiving a request for an authorization assertion for a subject at an authorization policy service from a requesting process, wherein the authorization policy service assembles the authorization assertion comprising at least one digitally signed authorization data fragment associated with the subject, wherein the authorization data fragment specifies metadata for access of the subject to a resource;

sending the authorization assertion to the requesting process, wherein the at least one digitally signed authorization data fragment is utilized by a servicing process for autonomous determination of authorization of the subject to access the resource based on a trust relationship between the authorization policy service and the servicing process.

View all claims

24 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Distributed computing systems can exchange authorization information in a manner which alleviates the need for a receiving system to utilize any external systems when making an authorization decision. The trusted authorization provider can digitally sign authorization snippets of information. The requestor sends the digitally signed authorization snippet with the request. Because both computing processes trust the same authorization provider, the servicer of the request is able to grant or deny access in a completely autonomous fashion without having to rely on external resources for authorization. A requesting process can determine the digitally signed authorization snippet corresponding with the request. The servicing process can rely on the digitally signed authorization snippet to perform the authorization.

Citations

20 Claims

1. A method for federated authorization comprising:
- receiving a request for an authorization assertion for a subject at an authorization policy service from a requesting process, wherein the authorization policy service assembles the authorization assertion comprising at least one digitally signed authorization data fragment associated with the subject, wherein the authorization data fragment specifies metadata for access of the subject to a resource;
  
  sending the authorization assertion to the requesting process, wherein the at least one digitally signed authorization data fragment is utilized by a servicing process for autonomous determination of authorization of the subject to access the resource based on a trust relationship between the authorization policy service and the servicing process.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the authorization policy service is executed on a first computer and the requesting process is executed on a second computer different from the first computer.
  - 3. The method of claim 1, further comprising receiving authorization information for the subject from an authorization provider and wrapping the received authorization information with a digital signature.
  - 4. The method of claim 1, wherein the subject and a context is specified and the context comprises an application, service or executable.
  - 5. The method of claim 1, wherein the authorization assertion as a whole is digitally signed.
  - 6. The method of claim 1, wherein the trust relationship is based on digital signature algorithms.
  - 7. The method of claim 1, wherein the trust relationship is based on symmetric or asymmetric encryption algorithms.
  - 8. The method of claim 1, wherein the authorization assertion comprises a plurality of independently signed authorization data fragments embedded within an envelope having a queryable description to facilitate extraction of a particular signed authorization data fragment corresponding to a particular action or resource.

9. A system for federated authorization comprising:
- a servicing process executing on a computer that receives a signed authorization data fragment comprising a symmetric or asymmetric encryption/decryption key for an encryption/decryption or digital signature algorithm and a request for access to a resource controlled by servicing process from a requesting process, wherein the servicing process autonomously determines authorization of the subject to the resource based on a trust relationship between the servicing process and a signer of the signed authorization data fragment.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The system of claim 9, wherein the servicing process autonomously determines authorization of the subject to the resource by processing the signed authorization data fragment and evaluating the contents of the signed authorization data fragment and verifying the validity of the digital signature and the trust relationship between the servicing process and the signer of the authorization metadata fragment.
  - 11. The system of claim 9, wherein the subject comprises a person, a service, a role, a computer system, a computing process, a computing machine, an application or a computing entity.
  - 12. The system of claim 9, wherein the signed authorization data fragment comprises metadata comprising authorization rules for access to a resource.
  - 13. The system of claim 9, further comprising a requesting process on a client computer, wherein the requesting process requests an authorization assertion from an authorization policy service, the authorization assertion comprising a plurality of signed authorization data fragments specifying access authorizations of the subject to resources.
  - 14. The system of claim 13, wherein the requesting process extracts a signed authorization data fragment corresponding to a specific action or resource from the authorization assertion and sends the extracted signed authorization data fragment corresponding to the specific action or resource to the servicing process.

15. A computer-readable storage medium comprising computer-executable instructions that when executed in a computing environment:
- send a request to an authorization policy service for an authorization assertion for a subject; and
  
  receive the authorization assertion from the authorization policy service, wherein the authorization assertion comprises at least one digitally signed authorization data fragment associated with the subject, wherein the authorization data fragment specifies authorization metadata associated with access of the subject to a resource.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer-readable storage medium of claim 15, comprising further instructions that when executed:
    - extract the at least one digitally signed authorization data fragment corresponding to a specific action from the authorization assertion.
  - 17. The computer-readable storage medium of claim 15, comprising further instructions that when executed:
    - send the extracted digitally signed authorization data fragment corresponding to the specific action to a servicing process.
  - 18. The computer-readable storage medium of claim 15, comprising further instructions that when executed:
    - extract the at least one digitally signed authorization data fragment corresponding to a specific action or resource from the authorization assertion based on a queryable envelope in which the at least one digitally signed authorization data fragment is embedded.
  - 19. The computer-readable storage medium of claim 15, comprising further instructions that when executed:
    - request a key from the authorization policy service, wherein the key is a symmetric or asymmetric key for an encryption/decryption or digital signature algorithm.
  - 20. The computer-readable storage medium of claim 19, comprising further instructions that when executed:
    - register the requested key with the servicing process.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Quest Software, Inc.
Original Assignee
Quest Software, Inc.
Inventors
Grinstein, Doron

Application Number

US11/738,952
Publication Number

US 20080263644A1
Time in Patent Office

Days
Field of Search
US Class Current

726/6
CPC Class Codes

G06F 21/445 by mutual authentication, e...

FEDERATED AUTHORIZATION FOR DISTRIBUTED COMPUTING

First Claim

24 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

FEDERATED AUTHORIZATION FOR DISTRIBUTED COMPUTING

First Claim

24 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links