TRUSTED INTERMEDIARY FOR NETWORK LAYER CLAIMS-ENABLED ACCESS CONTROL

US 20110321152A1
Filed: 06/24/2010
Published: 12/29/2011
Est. Priority Date: 06/24/2010
Status: Active Grant

First Claim

Patent Images

1. An apparatus for use in a system comprising a computer in communication via at least one network with a network resource, the at least one network employing a network layer security protocol, the apparatus comprising at least one processor programmed to:

(A) receive from the computer one or more requester claims describing attributes of one or more of the computer, a user of the computer, and a context in which access by the computer to the network resource is requested, the one or more requester claims being included in a communication formatted to comply with the network layer security protocol;

(B) request, on behalf of the network resource, one or more resource claims, the one or more resource claims describing attributes of one or more of the network resource, an organization to which the network resource is affiliated, an owner of the network resource, a stage of deployment of the network resource, and a sensitivity of the network resource;

(C) receive the one or more resource claims, the one or more resource claims being included in a communication formatted to comply with the network layer security protocol; and

(D) request an access control policy decision whether to grant or deny access by the computer to the network resource, the request providing information included in the one or more requester claims and the one or more resource claims, the request being included in a communication formatted to comply with the network layer security protocol, the access control policy decision being based at least in part on the information.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the invention provide a trusted intermediary for use in a system in which access control decisions may be based at least in part on information provided in claims. The intermediary may request claims on behalf of a network resource to which access is requested, and submit the claims for a decision whether to grant or deny access. The decision may be based at least in part on one or more access control policies, which may be pre-set or dynamically generated. Because the intermediary requests the claims and submits the claims for an access control decision, the network resource (e.g., a server application) need not be configured to process claims information.

Citations

20 Claims

1. An apparatus for use in a system comprising a computer in communication via at least one network with a network resource, the at least one network employing a network layer security protocol, the apparatus comprising at least one processor programmed to:
- (A) receive from the computer one or more requester claims describing attributes of one or more of the computer, a user of the computer, and a context in which access by the computer to the network resource is requested, the one or more requester claims being included in a communication formatted to comply with the network layer security protocol;
  
  (B) request, on behalf of the network resource, one or more resource claims, the one or more resource claims describing attributes of one or more of the network resource, an organization to which the network resource is affiliated, an owner of the network resource, a stage of deployment of the network resource, and a sensitivity of the network resource;
  
  (C) receive the one or more resource claims, the one or more resource claims being included in a communication formatted to comply with the network layer security protocol; and
  
  (D) request an access control policy decision whether to grant or deny access by the computer to the network resource, the request providing information included in the one or more requester claims and the one or more resource claims, the request being included in a communication formatted to comply with the network layer security protocol, the access control policy decision being based at least in part on the information.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The apparatus of claim 1, wherein the at least one processor is further programmed to allow the apparatus to operate as a gateway between the computer and the network resource.
  - 3. The apparatus of claim 1, wherein the system comprises a plurality of claim providers, (B) comprises requesting the one or more resource claims from one or more of the plurality of claim providers, and (C) comprises receiving the one or more resource claims from the one or more of the plurality of claim providers.
  - 4. The apparatus of claim 1, wherein (A) comprises receiving from the computer the one or more requester claims sent in accordance with a first protocol, and wherein the at least one processor is further programmed to:
    - (E) receive an access control policy decision indicating that access by the computer to the network resource is granted; and
      
      (F) send the request to the network resource in accordance with a second protocol.
  - 5. The apparatus of claim 1, wherein (A) comprises receiving the one or more requester claims embedded within a communication from the computer, and wherein the at least one processor is further programmed to extract the requester claims from the communication.
  - 6. The apparatus of claim 1, wherein the apparatus comprises a computer, and wherein the network resource resides on the computer.

7. A method for use in a system comprising a computer in communication via at least one network with a network resource, the at least one network employing a network layer security protocol, the method being performed in response to a request by the computer to access the network resource, the method comprising:
- (A) receiving from the computer a request for one or more requester claims;
  
  (B) providing the one or more requester claims to the computer, the one or more requester claims being included in a communication formatted to comply with the network layer security protocol;
  
  (C) receiving from an intermediary a request for one or more resource claims, the request being sent on behalf of the network resource; and
  
  (D) providing the one or more resource claims to the intermediary, the one or more resource claims being included in a communication formatted to comply with the network layer security protocol.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15)
- - 8. The method of claim 7, further comprising:
    - (E) receiving a request for an access control policy decision, the request providing information included in the one or more requester claims and the one or more resource claims; and
      
      (F) issuing an access control policy decision based at least in part on the information received in (E).
  - 9. The method of claim 8, wherein (E) comprises receiving the request for the access control policy decision from the network resource.
  - 10. The method of claim 7, wherein the one or more requester claims describe attributes of one or more of the computer, a user of the computer, a context in which access by the computer to the network resource is requested, and a strength of connection between the computer and the network resource.
  - 11. The method of claim 7, wherein the one or more resource claims describe attributes of one or more of the network resource, an organization to which the network resource is affiliated, an owner of the network resource, a stage of deployment of the network resource, and a sensitivity of the network resource.
  - 12. The method of claim 7, wherein (A) comprises receiving the request at a plurality of claim providers.
  - 13. The method of claim 12, wherein (C) comprises receiving the request for one or more resource claims at the same plurality of claim providers at which the request for one or more requester claims is received in (A).
  - 14. The method of claim 7, wherein (A) comprises receiving the request from a client application executing on the computer.
  - 15. The method of claim 7, wherein the network layer security protocol is IPsec.

16. At least one tangible computer-readable storage medium article having instructions recorded thereon which, when executed by a computer, perform a method of requesting an access control policy decision, the method comprising:
- (A) issuing a request for a decision whether to grant or deny access by a computer to a network resource, the request comprising information relating to the computer and information related to the network resource, the information relating to the computer being included in a communication formatted to comply with the network layer security protocol and describing attributes of one or more of the computer, a user of the computer, and a context in which access by the computer to the network resource is requested, the information relating to the network resource being included in a communication formatted to comply with the network layer security protocol and describing attributes of one or more of the network resource, an organization with which the network resource is affiliated, an owner of the network resource, a stage of deployment of the network resource, and a sensitivity of the network resource.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The at least one tangible computer-readable storage medium article of claim 16, further comprising instructions defining:
    - (B) receiving a decision to grant access by the computer to the network resource;
      
      (C) sending an access request to the network resource.
  - 18. The at least one tangible computer-readable storage medium article of claim 16, wherein the information relating to the computer and the information related to the network resource are included in at least one claim.
  - 19. The at least one tangible computer-readable storage medium article of claim 18, further comprising instructions defining an act, performed before (A), of requesting at least one claim comprising the information related to the network resource from one or more claims providers.
  - 20. The at least one tangible computer-readable storage medium article of claim 18, further comprising instructions defining an act, performed before (A), of receiving at least one claim comprising the information related to the computer, and wherein (A) comprises issuing, in response to receiving the at least one claim comprising the information related to the computer, a request that includes the at least one claim comprising the information related to the computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Schnell, Patrik, Ananiev, Oleg, Zavalkovsky, Arthur, Tor, Yair, Neystadt, Eugene (John), Rose, Daniel

Granted Patent

US 8,918,856 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/12
CPC Class Codes

H04L 63/102 Entity profiles

H04L 63/164 at the network layer

TRUSTED INTERMEDIARY FOR NETWORK LAYER CLAIMS-ENABLED ACCESS CONTROL

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

TRUSTED INTERMEDIARY FOR NETWORK LAYER CLAIMS-ENABLED ACCESS CONTROL

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links