EXTENSIBLE MECHANISM FOR SECURING OBJECTS USING CLAIMS

US 20090320103A1
Filed: 06/24/2008
Published: 12/24/2009
Est. Priority Date: 06/24/2008
Status: Active Grant

First Claim

Patent Images

1. ) An extensible system for providing security claims about a logical object wherein:

(a) a security broker is responsive to a registration request which identifies an unregistered claims provider by recording the identified claims provider as a registered claims provider;

(b) the registered claims provider is responsive to a claims request which identifies a secured object by providing at least one provider security claim asserted about the secured object; and

(c) the security broker is responsive to an access request from a client, the access request identifying a logical object, by;

(i) issuing a claims request to the registered claims provider, the claims request specifying the logical object as the secured object,(ii) receiving a provider security claim from the claims provider, and(iii) returning the provider security claim to the client.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An extensible mechanism for providing access control for logical objects in a network environment. A security broker is able to dynamically register one or more claims providers, each of which can assert one or more claims about logical objects. The claims providers may be purpose built or may be third party applications which expose data or business rules for use. Claims may be augmented by additional claims providers after the original claim is asserted. The applicability of claims may be scope limited either at the time the claims provider is registered or when the user requests that a security token be issued.

54 Citations

View as Search Results

20 Claims

1. ) An extensible system for providing security claims about a logical object wherein:
- (a) a security broker is responsive to a registration request which identifies an unregistered claims provider by recording the identified claims provider as a registered claims provider;
  
  (b) the registered claims provider is responsive to a claims request which identifies a secured object by providing at least one provider security claim asserted about the secured object; and
  
  (c) the security broker is responsive to an access request from a client, the access request identifying a logical object, by;
  
  (i) issuing a claims request to the registered claims provider, the claims request specifying the logical object as the secured object,(ii) receiving a provider security claim from the claims provider, and(iii) returning the provider security claim to the client.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. ) The system of claim 1 wherein the security broker is further responsive to the registration request by associating an applicable scope with at least one claim which can be asserted by the claims provider and by issuing a claims request only if the logical object is within the applicable scope.
  - 3. ) The system of claim 2 wherein the applicable scope is specified, at least in part, by specifying one or more logical objects to which the at least one claim is to be applicable.
  - 4. ) The system of claim 2 wherein the applicable scope is specified, at least in part, by specifying a rule to be applied when generating the security claim to determine whether the at least one claim is applicable.
  - 5. ) The system of claim 1 wherein the security broker is further responsive to the client access request by issuing an augmentation request comprising an existing provider security claim and a second registered claims provider is responsive to the augmentation request by providing at least one additional provider security claim to the security broker.
  - 6. ) The system of claim 1 wherein the security broker is further responsive to the client access request by presenting a user with a choice of plural claims which can be asserted by one or more registered claims providers, retrieving a user claim selection, and sending the access request to the claims provider which can assert the selected claim.
  - 7. ) The system of claim 6 wherein the access request contains a criterion associated with the logical object and the security broker is further responsive to the client access request by only presenting the user with those claims which satisfy the criterion.
  - 8. ) The system of claim 1 wherein the security broker is further responsive to the client access request by identifying a characteristic of the client and by issuing a claims request to the registered claims provider only if the characteristic matches a predefined value associated with the claims provider.

9. ) An extensible method of securing access to an object on a computer network, the method comprising:
- (a) dynamically registering a claims provider;
  
  (b) receiving a request from a client to access a specified logical object;
  
  (c) requesting a security claim asserted about the specified logical object from the claims provider;
  
  (d) receiving the security claim from the claims provider; and
  
  (e) returning the security claim to the client
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 10. ) The method of claim 9 wherein the step of registering a claims provider comprises specifying an applicable scope for the security claim and wherein the step of requesting a security claim only requests the security claim from the claims provider if the logical object is within the applicable scope.
  - 11. ) The method of claim 10 wherein specifying the applicable scope comprises selecting one or more logical objects to which the at least one claim is to be applicable.
  - 12. ) The method of claim 10 wherein specifying the applicable scope comprises specifying a rule which will determine whether the at least one claim is applicable to a logical object and wherein the step of restricting the request comprises applying the rule to the specified logical object.
  - 13. ) The method of claim 9 further comprising the steps of registering a second claims provider and of augmenting the received security claim by requesting a secondary security claim from the second claims provider and receiving the secondary security claim in response and wherein both security claims are returned to the client.
  - 14. ) The method of claim 13 wherein the step of registering a claims provider comprises specifying an applicable scope the security claim and wherein the step of requesting a security claim only requests the security claim from the claims provider if the logical object is within the applicable scope.
  - 15. ) The method of claim 14 wherein the step of registering a second claims provider comprises specifying a second applicable scope for the secondary claim and wherein the step of requesting a secondary security claim only requests the secondary security claim from the second claims provider if the logical object is within the second applicable scope.
  - 16. ) The method of claim 13 wherein the specified steps are performed within a primary trust domain and the following steps are performed in a secondary trust domain:
    - (a) receiving a request from a client to access the specified logical object, the request comprising the security claim generated in the first trust domain;
      
      (b) verifying the security claim from the first trust domain;
      
      (c) generating a new security claim; and
      
      (d) returning both the existing security claim and the new security claim to the client.
  - 17. ) The method of claim 16 further comprising the following steps performed in the second trust domain:
    - (a) dynamically registering a secondary domain claims provider;
      
      (b) augmenting the new security claim by requesting an additional security claim from the second domain claims provider;
      
      (c) receiving the additional security claim from the secondary domain claims provider; and
      
      (d) also returning the additional security claim to the client.
  - 18. ) The method of claim 17 wherein the step of registering a secondary claims provider comprises specifying an applicable scope for the claim and wherein the step of requesting a security claim only requests a security claim from the claims provider if the logical object is within the applicable scope.

19. ) An extensible method of securing access to an object on a computer network, the method comprising:
- (a) dynamically registering a first claims provider and a second claims provider;
  
  (b) receiving a request from a client to access a specified logical object;
  
  (c) requesting a primary security claim asserted about the specified logical object from the first claims provider;
  
  (d) receiving the primary security claim from the first claims provider;
  
  (e) augmenting the primary security claim by supplying the primary security claim to the second claims provider and requesting a secondary security claim from the second claims provider;
  
  (f) receiving the secondary security claim in response; and
  
  (g) returning the primary security claim and the secondary security claim to the client.

20. ) The method of claim 20 wherein the steps of registering a primary claims provider and registering a secondary claims provider each comprises specifying an applicable scope for the security claim, wherein the steps of requesting a primary security claim and requesting a secondary security claim each only requests the security claim from the claims provider if the logical object is within the associated applicable scope.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Roy, Christian, Veeraraghavan, Venkatesh, Fong, Bryant, Treacy, Ambrose T., Dalzell, Javier, Schmitlin, Benoit

Granted Patent

US 8,990,896 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

G06F 21/335 for accessing specific reso...

H04L 63/08 for authentication of entit...

EXTENSIBLE MECHANISM FOR SECURING OBJECTS USING CLAIMS

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

54 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

EXTENSIBLE MECHANISM FOR SECURING OBJECTS USING CLAIMS

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

54 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links