METHOD AND SYSTEM FOR MULTI-PROTOCOL SINGLE LOGOUT

US 20100071056A1
Filed: 09/18/2008
Published: 03/18/2010
Est. Priority Date: 09/18/2008
Status: Active Grant

First Claim

Patent Images

1. A method for multi-protocol logout, comprising:

receiving, by a first identity provider, a logout request from a user agent, wherein the first identity provider executes in a federation manager;

initiating a logout on a service provider associated with the first identity provider based on the logout request by the first identity provider;

identifying, by the federation manager, a plurality of identity providers associated with the user agent, wherein the plurality of identity providers communicate using heterogeneous federation protocols;

initiating, by the federation manager, a logout on each of the plurality of identity providers based on the logout request using the plurality of heterogeneous federation protocols;

initiating, by the plurality of identity providers, a logout of each service provider corresponding to the plurality of identity providers;

identifying a status of each logout; and

sending the status to the user agent.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for multi-protocol logout. The method includes receiving, by a first identity provider, a logout request from a user agent, wherein the first identity provider executes in a federation manager, and initiating a logout on a service provider associated with the first identity provider based on the logout request by the first identity provider. The method further includes identifying, by the federation manager, a plurality of identity providers associated with the user agent, wherein the plurality of identity providers communicate using heterogeneous federation protocols, and initiating, by the federation manager, a logout on each of the plurality of identity providers based on the logout request using the plurality of heterogeneous federation protocols. The method further includes initiating, by the plurality of identity providers, a logout of each service provider corresponding to the plurality of identity providers, identifying a status of each logout, and sending the status to the user agent.

Citations

20 Claims

1. A method for multi-protocol logout, comprising:
- receiving, by a first identity provider, a logout request from a user agent, wherein the first identity provider executes in a federation manager;
  
  initiating a logout on a service provider associated with the first identity provider based on the logout request by the first identity provider;
  
  identifying, by the federation manager, a plurality of identity providers associated with the user agent, wherein the plurality of identity providers communicate using heterogeneous federation protocols;
  
  initiating, by the federation manager, a logout on each of the plurality of identity providers based on the logout request using the plurality of heterogeneous federation protocols;
  
  initiating, by the plurality of identity providers, a logout of each service provider corresponding to the plurality of identity providers;
  
  identifying a status of each logout; and
  
  sending the status to the user agent.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the plurality of identity providers each correspond to at least one service provider having an open session with the user agent.
  - 3. The method of claim 1, further comprising:
    - accessing a session cache for a circle of trust to identify a plurality of open sessions; and
      
      identifying a service provider for each of the plurality of open sessions to obtain identified service providers,wherein identifying the plurality of identity providers is based on the service provider for each of the plurality of open sessions.
  - 4. The method of claim 1, wherein initiating the logout on each of the plurality of identity providers comprises performing for each of the plurality of identity providers:
    - identifying a federation protocol of the plurality of federation protocols that corresponds to the identity provider;
      
      accessing a federation protocol single logout service provider interface to create a logout request in the federation protocol; and
      
      sending the logout request to the identity provider.
  - 5. The method of claim 1, wherein initiating the logout of each service provider corresponding to the plurality of identity providers comprises sending a command to perform a single logout to each service provider in the federation protocol of the plurality of federation protocols that corresponds to the service provider.
  - 6. The method of claim 1, wherein identifying the status of each logout comprises:
    - receiving, by the plurality of identity providers, the status from each service provider; and
      
      responding, by the plurality of identity providers, to the federation manager with the status.
  - 7. The method of claim 1, wherein the heterogeneous federation protocols comprise at least two selected from a group consisting of Security Assertion Markup Language (SAML) protocol, SAML version 2 (SAML v2) protocol, Web Services Federation (WS-Federation) protocol, and Identity Federation Framework (ID-FF) protocol.

8. A federation manager for multi-protocol logout, comprising:
- a multi-federation protocol manager;
  
  a plurality of identity providers in a circle of trust;
  
  wherein the federation manager when executed by a processor is configured to;
  
  receive a notification from a first identity provider of the plurality of identity providers that a user agent has requested to logout of a service provider associated with the first identity provider, wherein the first identity provider uses a first federation protocol;
  
  identify, in response to the notification, a second federation protocol used by the circle of trust;
  
  determine whether the user agent has an open session with a second identity provider of the plurality of identity providers in the circle of trust, wherein the second identity provider uses the second protocol;
  
  initiate a logout of the user agent on the second identity provider;
  
  initiate, in response to the logout, a logout of the user agent on a second service provider associated with the second identity provider; and
  
  send a status of the logout to the user agent.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The federation manager of claim 8, wherein determining whether the user agent has an open session with a second identity provider comprises:
    - accessing a session cache for the circle of trust to identify the open session; and
      
      identifying the second service provider based on the open session,wherein the second identity provider is identified as the second service provider.
  - 10. The federation manager of claim 8, wherein initiating the logout of the user agent on the second identity provider comprises:
    - identifying a federation protocol of the plurality of federation protocols that corresponds to the second identity provider;
      
      accessing a federation protocol single logout service provider interface corresponding to the federation protocol to create a logout request in the federation protocol; and
      
      sending the logout request to the second identity provider.
  - 11. The federation manager of claim 10, wherein initiating, in response to the logout, a logout of the user agent on the second service provider comprises sending a command to perform a single logout to the service provider according to the federation protocol.
  - 12. The federation manager of claim 8, wherein federation manager is further configured to identify the status of the logout, wherein the status is obtained by:
    - receiving, by the second identity provider, the status from the second service provider; and
      
      responding, by the second identity provider, to the federation manager with the status.
  - 13. The federation manager of claim 8, wherein the heterogeneous federation protocols comprise at least two selected from a group consisting of Security Assertion Markup Language (SAML) protocol, SAML version 2 (SAML v2) protocol, Web Services Federation (WS-Federation) protocol, and Identity Federation Framework (ID-FF) protocol.

14. A computer readable medium comprising computer readable program code embodied therein for causing a computer system to:
- receive, by a first identity provider, a logout request from a user agent, wherein the first identity provider executes in a federation manager;
  
  initiate a logout on a service provider associated with the first identity provider based on the logout request by the first identity provider;
  
  identify, by the federation manager, a plurality of identity providers associated with the user agent, wherein the plurality of identity providers communicate using heterogeneous federation protocols;
  
  initiate, by the federation manager, a logout on each of the plurality of identity providers based on the logout request using the plurality of heterogeneous federation protocols;
  
  initiate, by the plurality of identity providers, a logout of each service provider corresponding to the plurality of identity providers;
  
  identify a status of each logout; and
  
  send the status to the user agent.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The computer readable medium of claim 14, wherein the plurality of identity providers each correspond to at least one service provider having an open session with the user agent.
  - 16. The computer readable medium of claim 14, wherein the computer readable program code further causes a computer system to:
    - access a session cache for a circle of trust to identify a plurality of open sessions; and
      
      identify a service provider for each of the plurality of open sessions to obtain identified service providers,wherein identifying the plurality of identity providers is based on the service provider for each of the plurality of open sessions.
  - 17. The computer readable medium of claim 14, wherein initiating the logout on each of the plurality of identity providers comprises performing for each of the plurality of identity providers:
    - identifying a federation protocol of the plurality of federation protocols that corresponds to the identity provider;
      
      accessing a federation protocol single logout service provider interface to create a logout request in the federation protocol; and
      
      sending the logout request to the identity provider.
  - 18. The computer readable medium of claim 14, wherein initiating the logout of each service provider corresponding to the plurality of identity providers comprises sending a command to perform a single logout to each service provider in the federation protocol of the plurality of federation protocols that corresponds to the service provider.
  - 19. The computer readable medium of claim 14, wherein identifying the status of each logout comprises:
    - receiving, by the plurality of identity providers, the status from each service provider; and
      
      responding, by the plurality of identity providers, to the federation manager with the status.
  - 20. The computer readable medium of claim 14, wherein the heterogeneous federation protocols comprise at least two selected from a group consisting of Security Assertion Markup Language (SAML) protocol, SAML version 2 (SAML v2) protocol, Web Services Federation (WS-Federation) protocol, and Identity Federation Framework (ID-FF) protocol.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle America, Inc. (Oracle Corporation)
Original Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Inventors
Patterson, Andrew, Luo, Ping, Cheng, Qingwen, Angal, Rajeev

Granted Patent

US 8,099,768 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/16
CPC Class Codes

G06F 21/41   where a single sign-on prov...

H04L 63/0815   providing single-sign-on or...

H04L 69/18   Multiprotocol handlers, e.g...

METHOD AND SYSTEM FOR MULTI-PROTOCOL SINGLE LOGOUT

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND SYSTEM FOR MULTI-PROTOCOL SINGLE LOGOUT

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links