GENERALIZED IDENTITY MEDIATION AND PROPAGATION
First Claim
1. A method of system independent mediation to provide secure access to a server application, comprising:
retrieving, by an identity mapping module of a first enterprise service bus, an identity mapping policy for specifying correspondence between a first set of identities and a second set of identities, wherein the first set of identities correspond to a party and a client application, executed on a client computer, and the second set of identities correspond to the party and the server application, executed on a server computer;
retrieving, by an authentication module of the first enterprise service bus, an authentication policy for authenticating a first identity of the first set of identities and a second identity of the second set of identities, wherein the first identity and the second identity are mapped to each other by the identity mapping module;
retrieving, by an authorization module of the first enterprise service bus, an authorization policy for authorizing the second identity for access to the server application;
providing a service, corresponding to a service request, from the server application to the party based upon a mapping of the first identity to the second identity by the mapping module, an authentication of the first and second identities by the authentication module and an authorization of the second identity by the authorization module.
1 Assignment
0 Petitions
Abstract
Provided are techniques for providing security in a computing system with identity mediation policies that are enterprise service bus (ESB) independent. A mediator component performs service-level operations such as message brokering, identity mediation, and transformation to enhance interoperability among service consumers and service providers. A mediator component may also delegate identity-related operations to a token service or handler. Identity mediation may include such operations as identity determination, or "identification," authentication, authorization, identity transformation and security audit.
11 Citations
25 Claims
1. A method of system independent mediation to provide secure access to a server application, comprising:
retrieving, by an identity mapping module of a first enterprise service bus, an identity mapping policy for specifying correspondence between a first set of identities and a second set of identities, wherein the first set of identities correspond to a party and a client application, executed on a client computer, and the second set of identities correspond to the party and the server application, executed on a server computer;
retrieving, by an authentication module of the first enterprise service bus, an authentication policy for authenticating a first identity of the first set of identities and a second identity of the second set of identities, wherein the first identity and the second identity are mapped to each other by the identity mapping module;
retrieving, by an authorization module of the first enterprise service bus, an authorization policy for authorizing the second identity for access to the server application;
providing a service, corresponding to a service request, from the server application to the party based upon a mapping of the first identity to the second identity by the mapping module, an authentication of the first and second identities by the authentication module and an authorization of the second identity by the authorization module.
Dependent claims: 2, 3, 4, 5 (not reproduced here).
6. A method of system independent mediation to provide secure access to a server application, comprising:
transmitting, to an identity mapping module of a first enterprise service bus, an identity mapping policy for specifying correspondence between a first set of identities and a second set of identities, wherein the first set of identities correspond to a party and a client application, executed on a client computer, and the second set of identities correspond to the party and the server application, executed on a server computer;
transmitting, to an authentication module of the first enterprise service bus, an authentication policy for authenticating a first identity of the first set of identities and a second identity of the second set of identities, wherein the first identity and the second identity are mapped to each other by the identity mapping module;
transmitting, to an authorization module of the first enterprise service bus, an authorization policy for authorizing the second identity for access to the server application;
executing a service, corresponding to a service request and the server application, for the party based upon a mapping of the first identity to the second identity by the mapping module, an authentication of the first and second identities by the authentication module and an authorization of the second identity by the authorization module.
Dependent claims: 7, 8, 9, 10 (not reproduced here).
11. An enterprise service bus, comprising:
a processor;
a computer-readable storage medium, coupled to the processor;
an identity mapping module;
an authentication module;
an authorization module; and
logic, stored on the computer-readable storage medium and executed on the processor, for:
retrieving, by the identity mapping module, an identity mapping policy for specifying correspondence between a first set of identities and a second set of identities, wherein the first set of identities correspond to a party and a client application, executed on a client computer, and the second set of identities correspond to the party and a server application, executed on a server computer;
retrieving, by the authentication module, an authentication policy for authenticating a first identity of the first set of identities and a second identity of the second set of identities, wherein the first identity and the second identity are mapped to each other by the identity mapping module; and
retrieving, by the authorization module, an authorization policy for authorizing the second identity for access to the server application.
Dependent claims: 12, 13, 14, 15 (not reproduced here).
16. A computer programming product for providing secure access to a server application, comprising:
a computer-readable storage medium; and
logic, stored on the computer-readable storage medium for execution on a processor, for:
retrieving, by an identity mapping module of a first enterprise service bus, an identity mapping policy for specifying correspondence between a first set of identities and a second set of identities, wherein the first set of identities correspond to a party and a client application, executed on a client computer, and the second set of identities correspond to the party and the server application, executed on a server computer;
retrieving, by an authentication module of the first enterprise service bus, an authentication policy for authenticating a first identity of the first set of identities and a second identity of the second set of identities, wherein the first identity and the second identity are mapped to each other by the identity mapping module;
retrieving, by an authorization module of the first enterprise service bus, an authorization policy for authorizing the second identity for access to the server application;
providing a service, corresponding to a service request, from the server application to the party based upon a mapping of the first identity to the second identity by the mapping module, an authentication of the first and second identities by the authentication module and an authorization of the second identity by the authorization module.
Dependent claims: 17, 18, 19, 20 (not reproduced here).
21. A computer programming product for providing secure access to a server application, comprising:
a computer-readable storage medium; and
logic, stored on the computer-readable storage medium for execution on a processor, for:
transmitting, to an identity mapping module of a first enterprise service bus, an identity mapping policy for specifying correspondence between a first set of identities and a second set of identities, wherein the first set of identities correspond to a party and a client application, executed on a client computer, and the second set of identities correspond to the party and the server application, executed on a server computer;
transmitting, to an authentication module of the first enterprise service bus, an authentication policy for authenticating a first identity of the first set of identities and a second identity of the second set of identities, wherein the first identity and the second identity are mapped to each other by the identity mapping module;
transmitting, to an authorization module of the first enterprise service bus, an authorization policy for authorizing the second identity for access to the server application;
executing a service, corresponding to a service request and the server application, for the party based upon a mapping of the first identity to the second identity by the mapping module, an authentication of the first and second identities by the authentication module and an authorization of the second identity by the authorization module.
Dependent claims: 22, 23, 24, 25 (not reproduced here).
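The mediation sequence the independent claims describe (identity mapping, authentication of both identities, authorization of the second identity, then delivery of the service) as an added Python example; it is not code from the patent or from any product, and the policy tables, secrets, HMAC tokens and the stand-in `erp_service` are constructed assumptions.

```python
import hashlib
import hmac

# Constructed sample policies for the three bus modules; every name and secret is hypothetical.
IDENTITY_MAPPING_POLICY = {  # (party, client application) -> server-side identity
    ("alice", "web-portal"): "ALICE_ERP",
    ("bob", "web-portal"): "BOB_ERP",
}
AUTHENTICATION_POLICY = {  # identity -> secret used to verify or mint its HMAC token
    "alice": b"client-secret-alice", "bob": b"client-secret-bob",
    "ALICE_ERP": b"server-secret-alice", "BOB_ERP": b"server-secret-bob",
}
AUTHORIZATION_POLICY = {  # server identity -> server application -> permitted operations
    "ALICE_ERP": {"erp": {"read-invoice", "create-invoice"}},
    "BOB_ERP": {"erp": {"read-invoice"}},
}

def make_token(identity: str, secret: bytes) -> str:
    """Token proving possession of an identity's secret (HMAC-SHA256 over the identity name)."""
    return hmac.new(secret, identity.encode(), hashlib.sha256).hexdigest()

def authenticate(identity: str, token: str) -> bool:
    """Authentication module: verify a token against the policy with a constant-time compare."""
    secret = AUTHENTICATION_POLICY.get(identity)
    return secret is not None and hmac.compare_digest(make_token(identity, secret), token)

def erp_service(server_identity: str, server_token: str, operation: str) -> dict:
    """Stand-in server application; it only ever sees the propagated (second) identity."""
    if not authenticate(server_identity, server_token):
        raise PermissionError("server application rejected the propagated identity")
    return {"identity": server_identity, "operation": operation, "status": "ok"}

def mediate(party: str, client_app: str, client_token: str, server_app: str, operation: str) -> dict:
    # 1. Identity mapping module: client-side identity -> server-side identity.
    server_identity = IDENTITY_MAPPING_POLICY.get((party, client_app))
    if server_identity is None:
        raise PermissionError("no identity mapping for this party and client application")
    # 2. Authentication module: client proves the first identity; bus mints a token for the second.
    if not authenticate(party, client_token):
        raise PermissionError("client identity failed authentication")
    server_secret = AUTHENTICATION_POLICY.get(server_identity)
    if server_secret is None:
        raise PermissionError("bus holds no credential for the mapped server identity")
    server_token = make_token(server_identity, server_secret)
    # 3. Authorization module: only the second identity is checked against the server application.
    allowed = AUTHORIZATION_POLICY.get(server_identity, {}).get(server_app, set())
    if operation not in allowed:
        raise PermissionError("server identity not authorized for this operation")
    # 4. Provide the service under the propagated identity; the client token is never forwarded.
    return erp_service(server_identity, server_token, operation)
```

Each denial names the module that refused the request, which is the granularity a security audit of the mediator needs.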
Specification