TRUSTED INTERMEDIARY FOR NETWORK LAYER CLAIMS-ENABLED ACCESS CONTROL
First Claim
1. An apparatus for use in a system comprising a computer in communication via at least one network with a network resource, the at least one network employing a network layer security protocol, the apparatus comprising at least one processor programmed to:
(A) receive from the computer one or more requester claims describing attributes of one or more of the computer, a user of the computer, and a context in which access by the computer to the network resource is requested, the one or more requester claims being included in a communication formatted to comply with the network layer security protocol;
(B) request, on behalf of the network resource, one or more resource claims, the one or more resource claims describing attributes of one or more of the network resource, an organization to which the network resource is affiliated, an owner of the network resource, a stage of deployment of the network resource, and a sensitivity of the network resource;
(C) receive the one or more resource claims, the one or more resource claims being included in a communication formatted to comply with the network layer security protocol; and
(D) request an access control policy decision whether to grant or deny access by the computer to the network resource, the request providing information included in the one or more requester claims and the one or more resource claims, the request being included in a communication formatted to comply with the network layer security protocol, the access control policy decision being based at least in part on the information.
Abstract
Embodiments of the invention provide a trusted intermediary for use in a system in which access control decisions may be based at least in part on information provided in claims. The intermediary may request claims on behalf of a network resource to which access is requested, and submit the claims for a decision whether to grant or deny access. The decision may be based at least in part on one or more access control policies, which may be pre-set or dynamically generated. Because the intermediary requests the claims and submits the claims for an access control decision, the network resource (e.g., a server application) need not be configured to process claims information.
20 Claims
1. An apparatus for use in a system comprising a computer in communication via at least one network with a network resource, the at least one network employing a network layer security protocol, the apparatus comprising at least one processor programmed to:
(A) receive from the computer one or more requester claims describing attributes of one or more of the computer, a user of the computer, and a context in which access by the computer to the network resource is requested, the one or more requester claims being included in a communication formatted to comply with the network layer security protocol;
(B) request, on behalf of the network resource, one or more resource claims, the one or more resource claims describing attributes of one or more of the network resource, an organization to which the network resource is affiliated, an owner of the network resource, a stage of deployment of the network resource, and a sensitivity of the network resource;
(C) receive the one or more resource claims, the one or more resource claims being included in a communication formatted to comply with the network layer security protocol; and
(D) request an access control policy decision whether to grant or deny access by the computer to the network resource, the request providing information included in the one or more requester claims and the one or more resource claims, the request being included in a communication formatted to comply with the network layer security protocol, the access control policy decision being based at least in part on the information.
Dependent claims: 2, 3, 4, 5, 6
7. A method for use in a system comprising a computer in communication via at least one network with a network resource, the at least one network employing a network layer security protocol, the method being performed in response to a request by the computer to access the network resource, the method comprising:
(A) receiving from the computer a request for one or more requester claims;
(B) providing the one or more requester claims to the computer, the one or more requester claims being included in a communication formatted to comply with the network layer security protocol;
(C) receiving from an intermediary a request for one or more resource claims, the request being sent on behalf of the network resource; and
(D) providing the one or more resource claims to the intermediary, the one or more resource claims being included in a communication formatted to comply with the network layer security protocol.
Dependent claims: 8, 9, 10, 11, 12, 13, 14, 15
16. At least one tangible computer-readable storage medium article having instructions recorded thereon which, when executed by a computer, perform a method of requesting an access control policy decision, the method comprising:
(A) issuing a request for a decision whether to grant or deny access by a computer to a network resource, the request comprising information relating to the computer and information related to the network resource, the information relating to the computer being included in a communication formatted to comply with the network layer security protocol and describing attributes of one or more of the computer, a user of the computer, and a context in which access by the computer to the network resource is requested, the information relating to the network resource being included in a communication formatted to comply with the network layer security protocol and describing attributes of one or more of the network resource, an organization with which the network resource is affiliated, an owner of the network resource, a stage of deployment of the network resource, and a sensitivity of the network resource.
Dependent claims: 17, 18, 19, 20
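The abstract and independent claims 1 and 7 describe a flow in which the intermediary receives requester claims, fetches resource claims on the resource's behalf, and asks a policy decision point for a grant/deny decision, so that the resource itself never processes claims. The following is an added illustration of that flow, not code from the patent or its assignee. The claim names (org, user_role, device_health, stage, sensitivity), the issuer name, the three policy rules and the device/resource directories are all constructed assumptions; the network layer transport that would carry the claims is out of scope and replaced by direct function calls.

```python
from dataclasses import dataclass

# Added illustration, not the patent's own code: a minimal model of the
# trusted-intermediary flow in the abstract and claims 1 and 7. Claim names,
# the issuer name and the policy rules are constructed assumptions.


@dataclass(frozen=True)
class Claim:
    """One asserted attribute, tagged with the party that issued it."""
    name: str
    value: str
    issuer: str


TRUSTED_ISSUER = "claims-provider.example"   # assumed name of the claims service


class ClaimsProvider:
    """Issues requester claims to computers and resource claims to the
    intermediary (the role performed by the method of claim 7)."""

    def __init__(self, devices, resources):
        self._devices = devices      # computer id -> attribute dict (constructed)
        self._resources = resources  # resource id -> attribute dict (constructed)

    def _issue(self, attrs):
        return tuple(Claim(k, v, TRUSTED_ISSUER) for k, v in attrs.items())

    def requester_claims(self, computer_id):
        return self._issue(self._devices[computer_id])

    def resource_claims(self, resource_id):
        return self._issue(self._resources[resource_id])


class PolicyDecisionPoint:
    """Evaluates a pre-set policy over requester and resource claims."""

    def decide(self, requester, resource):
        req = {c.name: c.value for c in requester}
        res = {c.name: c.value for c in resource}
        # Rule 1: access only from devices reported healthy.
        if req.get("device_health") != "compliant":
            return False
        # Rule 2: high-sensitivity resources are limited to the owning organization.
        if res.get("sensitivity") == "high" and req.get("org") != res.get("org"):
            return False
        # Rule 3: production resources are closed to contractor accounts.
        if res.get("stage") == "production" and req.get("user_role") == "contractor":
            return False
        return True


class TrustedIntermediary:
    """Receives requester claims, fetches resource claims on the resource's
    behalf and asks the PDP; the resource itself never handles claims."""

    def __init__(self, provider, pdp):
        self._provider = provider
        self._pdp = pdp

    def authorize(self, requester_claims, resource_id):
        # (A) Keep only requester claims from the trusted issuer; anything the
        # client could have minted itself is dropped before policy evaluation.
        trusted = tuple(c for c in requester_claims if c.issuer == TRUSTED_ISSUER)
        if not trusted:
            return False
        # (B)/(C) Request and receive the resource claims on the resource's behalf.
        resource_claims = self._provider.resource_claims(resource_id)
        # (D) Request the policy decision over both claim sets.
        return self._pdp.decide(trusted, resource_claims)


# Constructed sample directories of devices and resources.
DEVICES = {
    "laptop-17": {"org": "finance", "user_role": "employee", "device_health": "compliant"},
    "laptop-42": {"org": "finance", "user_role": "contractor", "device_health": "compliant"},
    "kiosk-03": {"org": "retail", "user_role": "employee", "device_health": "noncompliant"},
}
RESOURCES = {
    "ledger-db": {"org": "finance", "owner": "fin-ops", "stage": "production", "sensitivity": "high"},
    "wiki": {"org": "it", "owner": "it-ops", "stage": "production", "sensitivity": "low"},
}

PROVIDER = ClaimsProvider(DEVICES, RESOURCES)
INTERMEDIARY = TrustedIntermediary(PROVIDER, PolicyDecisionPoint())


def request_access(computer_id, resource_id):
    """Full flow: the computer obtains its claims, then the intermediary decides."""
    return INTERMEDIARY.authorize(PROVIDER.requester_claims(computer_id), resource_id)


def forged_request(resource_id):
    """A client presenting self-minted claims is rejected at step (A)."""
    forged = (Claim("device_health", "compliant", "laptop-99"),
              Claim("org", "finance", "laptop-99"))
    return INTERMEDIARY.authorize(forged, resource_id)


if __name__ == "__main__":
    for dev, res in [("laptop-17", "ledger-db"), ("laptop-42", "ledger-db"),
                     ("kiosk-03", "wiki"), ("laptop-17", "wiki")]:
        print(dev, "->", res, "ALLOW" if request_access(dev, res) else "DENY")
    print("forged -> ledger-db", "ALLOW" if forged_request("ledger-db") else "DENY")
```

The point the model makes is the one the abstract stresses: the resource (here, the "ledger-db" and "wiki" entries) carries no claims-handling logic at all; the issuer check at step (A) and the policy rules live entirely in the intermediary and the decision point, so a client cannot improve its outcome by asserting attributes it did not obtain from the trusted claims provider.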