SYSTEM AND METHOD USING GLOBALLY UNIQUE IDENTITIES

US 20090133110A1
Filed: 11/13/2008
Published: 05/21/2009
Est. Priority Date: 11/13/2007
Status: Active Grant

First Claim

Patent Images

1. A method of securing access to a resource on a network using a global identifier, comprising:

obtaining a plurality of identifiers associated with a user of the network, each of the plurality of identifiers individually identifying the user;

generating a superset of the plurality of identifiers, as the global identifier;

establishing one or more policies associated with the global identifier of the user; and

restricting access to the resource on the network by the user based on the one or more policies associated with the global identifier.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are described for creating a globally unique identity for a user or user-container by performing an iterative join where each participating back-end data source. The systems and methods include an ID-Unify (IDU) that performs identity virtualization and creates or generates a globally unique identifier for a user in operational environments in which there is a pre-existing conflict caused by the existence of different identities for a user in different authentication data sources.

145 Citations

23 Claims

1. A method of securing access to a resource on a network using a global identifier, comprising:
- obtaining a plurality of identifiers associated with a user of the network, each of the plurality of identifiers individually identifying the user;
  
  generating a superset of the plurality of identifiers, as the global identifier;
  
  establishing one or more policies associated with the global identifier of the user; and
  
  restricting access to the resource on the network by the user based on the one or more policies associated with the global identifier.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, comprising allowing access to the resource when the user is authenticated and the one or more policies permit access by the user to the resource.
  - 3. The method of claim 1, wherein the obtaining of the plurality of identifiers includes:
    - determining a plurality of identifier storage locations, each identifier storage location storing one or more of the plurality of identifiers; and
      
      querying each of the identifier storage locations to obtain the plurality of identifiers.
  - 4. The method of claim 3, wherein the generating of the superset of the plurality of identifiers includes:
    - determining whether information associated with the user from different storage locations conflict; and
      
      if the user information from the different identified storage locations do not conflict, generating an aggregate join of the plurality of identifiers.
  - 5. The method of claim 1, wherein the generating of the superset of the plurality of identifiers includes generating an N-ary join of the plurality of identifiers.
  - 6. The method of claim 1, comprising:
    - storing the plurality of identifiers associated with the user in a plurality of identity source devices;
      
      receiving a request for accessing the resource from the user; and
      
      identifying the one or more policies to be applied to the request for access by the user by generating the superset of the plurality of identifiers each time from the stored plurality of identifiers for each request for access.
  - 7. The method of claim 1, wherein the plurality of identifiers is associated with the user or a user group identified with the user.
  - 8. The method of claim 3, comprising:
    - selecting one or more attributes of the global identifier for identifying the user when a conflict exists between information associated with the user from different identifier storage locations; and
      
      determining the one or more policies to be used for access control by matching the user information from the user or client system of the user regarding the one or more attributes to the one or more attributes in the global identifier.

9. A method of establishing a global unique identifier for access control, comprising:
- obtaining, by an identity server, a plurality of identifiers from a plurality of data sources, the plurality of identifiers being associated with a user of the network and each individually identifying the user; and
  
  establishing the global unique identifier for access control by generating a join of the plurality of identifiers, wherein the global unique identifier consolidates disparate forms of identification associated with the user from the plurality of data sources.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The method of claim 9, wherein the join is one of an aggregate join or an N-ary join.
  - 11. The method of claim 10, wherein the join is one of a transitive join or a non-transitive join.
  - 12. The method of claim 9, wherein the join is a non-transitive N-ary join and the generating of the non-transitive N-ary includes:
    - performing a plurality of join iterations on the plurality of data sources, wherein a different data source of the plurality of data sources serves as a primary data source during each join iteration; and
      
      summing results from each join iteration.
  - 13. The method of claim 9, further comprising resolving a conflict between the plurality of identifiers.
  - 14. The method of claim 13, further comprising:
    - determining a plurality of attributes corresponding to the user, the plurality of identifiers including the plurality of attributes; and
      
      combining at least two attributes of the plurality of attributes to form a composite attribute,wherein the composite attribute is a non-conflicting attribute, and the global unique identifier includes the composite attribute.
  - 15. The method of claim 14, wherein the plurality of attributes include at least two of:
    - (1) information unique to the user;
      
      (2) a user name;
      
      (3) an email identification;
      
      (4) an employee identification;
      
      (5) a department identification;
      
      (6) a social security number;
      
      or (7) a telephone extension number.

16. An identity server configured to communication with an access server and a plurality of identity storage devices for generating a unique global identifier, the identity server comprising:
- an identity virtualization client for querying a plurality of identifiers associated with a user of the network, each of the plurality of identifiers individually identifying the user;
  
  an identity consolidation engine for generating a superset of the plurality of identifiers, as the unique global identifier; and
  
  an identity virtualization server for outputting the global identifier to global identify user devices.

17. An identity server for generating a unique global identifier for accessing secured resources on a network, the identity server comprising:
- an identity virtualization server for receiving an access request to access one or more secured resources on the network, the access request including a user identifier indicating a user requesting access to the one or more secured resources;
  
  an identity virtualization client for querying a plurality of devices for a plurality of identifiers associated with the user responsive to reception of the access request, each of the plurality of identifiers individually identifying the user;
  
  an identity consolidation engine for generating a superset of the plurality of identifiers, as the unique global identifier and for identifying one or more access policies associated with the unique global identifier; and
  
  a policy virtualization engine for permitting access to the one or more secured resources when the user is allowed to access the one or more secured resources based on the identified access policies.
- View Dependent Claims (18)
- - 18. The identity server of claim 17, wherein the policy virtualization engine restricts access to the one or more resources when the user is not permitted access to the one or more resources based on the identified access policies.

19. An identity authority configured to communicate identity certificates to identity requesting devices, comprising:
- an identity virtualization server for receiving an identity certification request including a user identifier from one device of the identity requesting devices;
  
  an identity virtualization client for querying a plurality of devices for a plurality of identifiers associated with the user responsive to reception of the identity certification request from the one device of the identity requesting devices;
  
  an identity consolidation engine for matching the received user identifier to at least one portion of a generated superset of the plurality of identifiers; and
  
  a policy virtualization engine for transmitting a certification to the one device of the identity requesting devices when the received user identifier matches to the at least one portion of the generated superset of the plurality of identifiers.
- View Dependent Claims (20, 21)
- - 20. The identity authority of claim 19, wherein the identity authority does not store the plurality of identifiers.
  - 21. The identity authority of claim 19, wherein the identity consolidation engine:
    - selects one or more attributes of the global identifier for identifying the user when a common individual identifier exists for respectively different users; and
      
      determines the one or more policies to be used for access control by matching user information received from the user or a client of the user regarding the selected one or more attributes to the one or more attributes in the global identifier.

22. A method of establishing a global unique identifier for access control, comprising:
- receiving a request from a user at a first computing environment for access to a resource located in a second computing environment separate from the first computing environment;
  
  obtaining, by an identity server in the second computing environment, a plurality of identifiers from a plurality of data sources, the plurality of identifiers being associated with the user and each individually identifying the user;
  
  establishing, by the server in the second computing environment, the global unique identifier for access control by generating a join of the plurality of identifiers, wherein the global unique identifier consolidates disparate forms of identification associated with the user from the plurality of data sources; and
  
  permitting access to the resource via the first computing environment based on the global unique identifier from the second computing environment.

23. A computer readable storage medium for storing program code for executing the method of securing access to a resource on a network using a global identifier, comprising:
- obtaining a plurality of identifiers associated with a user of the network, each of the plurality of identifiers individually identifying the user;
  
  generating a superset of the plurality of identifiers, as the global identifier;
  
  establishing one or more policies associated with the global identifier of the user; and
  
  restricting access to the resource on the network by the user based on the one or more policies associated with the global identifier.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Applied Identity, Co.
Inventors
Roth, Virginia L., Shah, Shadab Munam, Kumar, Srinivas, Weber, Dean A.

Granted Patent

US 8,990,910 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/8
CPC Class Codes

H04L 61/4547   for personal communications...

H04L 61/4552   Lookup mechanisms between a...

H04L 63/08   for authentication of entit...

H04L 63/102   Entity profiles

SYSTEM AND METHOD USING GLOBALLY UNIQUE IDENTITIES

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

145 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD USING GLOBALLY UNIQUE IDENTITIES

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

145 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links