Method and system for identity provider instance discovery
First Claim
1. A method of discovering an identity provider instance, the identity provider instance being one of a plurality of identity provider instances that comprise a logical IdP service, comprising:
receiving a request for an identity provider instance, the request being associated with a service provider;
in response to receiving the request, selecting a particular one of the plurality of identity provider instances according to a selection criteria; and
returning a response to the request identifying the selected identity provider instance.
Abstract
An identity provider service comprises a plurality of identity provider instances, with at least one identity provider instance being remote from at least one other identity provider instance. A method of discovering an identity provider instance according to this disclosure begins upon receipt from a service provider (or from a discovery service to which the service provider redirects the user) of a request for an IdP instance. Preferably, the request for an IdP instance is received as a Web services request following receipt at the service provider of an end user client request to access an application. In response to receiving the request, an IdP instance is selected, preferably using one or more criteria, such as user proximity, instance load, instance availability, the existence of a prior IdP binding, or the like. Following the selection, a response to the request is generated and returned to the requesting service provider. Preferably, the response is a redirect to the selected IdP instance.
30 Claims
1. A method of discovering an identity provider instance, the identity provider instance being one of a plurality of identity provider instances that comprise a logical IdP service, comprising:
receiving a request for an identity provider instance, the request being associated with a service provider;
in response to receiving the request, selecting a particular one of the plurality of identity provider instances according to a selection criteria; and
returning a response to the request identifying the selected identity provider instance.
Dependent claims: 2 through 9.
10. Apparatus for discovering an identity provider instance, the identity provider instance being one of a plurality of identity provider instances that comprise a logical IdP service, comprising:
a processor;
computer memory holding computer program instructions that when executed by the processor perform a method comprising:
receiving a request for an identity provider instance, the request being associated with a service provider;
in response to receiving the request, selecting a particular one of the plurality of identity provider instances according to a selection criteria; and
returning a response to the request identifying the selected identity provider instance.
Dependent claims: 11 through 18.
19. A computer program product in a computer readable medium for use in a data processing system for discovering an identity provider instance, the identity provider instance being one of a plurality of identity provider instances that comprise a logical IdP service, the computer program product holding computer program instructions which, when executed by the data processing system, perform a method comprising:
receiving a request for an identity provider instance, the request being associated with a service provider;
in response to receiving the request, selecting a particular one of the plurality of identity provider instances according to a selection criteria; and
returning a response to the request identifying the selected identity provider instance.
Dependent claims: 20 through 27.
28. A method to automatically select an identity provider (IdP) instance from among a set of identity provider instances comprising an enterprise IdP service, comprising:
clustering a plurality of identity provider instances at distributed locations to provide IdP discovery for a plurality of federated applications, each cluster comprising a plurality of identity provider instances;
responsive to receipt at a cluster of a request for an identity provider instance, determining whether the request should be processed at the cluster;
if it is determined that the request should be processed at the cluster, determining an appropriate cluster instance and returning a response to the request; and
if it is determined that the request should not be processed at the cluster, redirecting the request to another cluster for servicing.
Dependent claims: 29 and 30.
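The following is an added worked example written for this page; it is not code from the patent or from any assignee product. It models the discovery flow that the abstract describes (selection by prior binding, availability, load and proximity, answered with a redirect to the chosen instance) together with the cluster-level decision of claim 28 (process the request at the receiving cluster or redirect it to another cluster). The cluster and instance names, the URLs, the `user_region` hint and the `sp_accepts_redirect` allow-list check on the service-provider side are all assumptions made for illustration; the patent text does not specify them. The allow-list check is the caveat a practitioner would add: a service provider that blindly follows the `Location` of a discovery response can be steered to an IdP outside the logical service, so it should only accept instances it already knows belong to that service.

```python
"""Added example (not from the patent): a runnable model of logical-IdP discovery.
Topology, URLs, the user_region hint and the SP-side allow-list check are assumptions."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class IdpInstance:
    url: str
    available: bool = True
    load: float = 0.0      # fraction of capacity in use, 0.0 .. 1.0


@dataclass
class Cluster:
    name: str
    region: str            # proximity is approximated by matching the user's region
    instances: list


@dataclass
class DiscoveryRequest:
    sp_entity_id: str      # the service provider on whose behalf discovery runs
    user_region: str       # assumed hint carried in the request (e.g. derived from GeoIP)
    user_id: Optional[str] = None


@dataclass
class Decision:
    processed_here: bool
    redirect_cluster: Optional[str]   # set when the request is handed to another cluster
    location: Optional[str]           # selected IdP instance URL when processed here


class LogicalIdpService:
    """A logical IdP service made of clusters of instances at distributed locations."""

    def __init__(self, clusters, bindings=None):
        self.clusters = {c.name: c for c in clusters}
        self.bindings = dict(bindings or {})   # user_id -> instance URL of a prior IdP binding

    def known_instance_urls(self):
        return {i.url for c in self.clusters.values() for i in c.instances}

    def _has_capacity(self, cluster):
        return any(i.available for i in cluster.instances)

    def _home_cluster(self, req):
        return next((c for c in self.clusters.values() if c.region == req.user_region), None)

    def select_instance(self, cluster, req):
        """Selection inside a cluster: honour a prior binding, else least-loaded available instance."""
        bound = self.bindings.get(req.user_id)
        for inst in cluster.instances:
            if inst.url == bound and inst.available:
                return inst
        candidates = [i for i in cluster.instances if i.available]
        return min(candidates, key=lambda i: i.load) if candidates else None

    def handle_at_cluster(self, cluster_name, req):
        """Claim-28 style decision at one cluster: process here or redirect to another cluster."""
        cluster = self.clusters[cluster_name]
        home = self._home_cluster(req)
        # Proximity: hand off to the user's home cluster when it exists, is not us, and has capacity.
        if home is not None and home.name != cluster_name and self._has_capacity(home):
            return Decision(False, home.name, None)
        inst = self.select_instance(cluster, req)
        if inst is not None:
            return Decision(True, None, inst.url)
        # Nothing usable here: fail over to any other cluster that still has an available instance.
        for other in self.clusters.values():
            if other.name != cluster_name and self._has_capacity(other):
                return Decision(False, other.name, None)
        return Decision(True, None, None)

    def discover(self, entry_cluster, req):
        """Follow cluster redirects from the entry cluster; returns (cluster path, Location or None)."""
        path, current = [], entry_cluster
        for _ in range(len(self.clusters)):   # bounded so a redirect loop cannot spin forever
            path.append(current)
            d = self.handle_at_cluster(current, req)
            if d.processed_here:
                return path, d.location
            current = d.redirect_cluster
        return path, None


def sp_accepts_redirect(location, known_urls):
    """Service-provider check: only follow a discovery redirect to a known instance of the logical IdP."""
    return location is not None and location in known_urls


def build_service(eu_available=True):
    """Constructed sample topology for the example (not from the patent)."""
    us = Cluster("us-east", "us", [IdpInstance("https://idp1.us.example.com", True, 0.7),
                                   IdpInstance("https://idp2.us.example.com", True, 0.3)])
    eu = Cluster("eu-west", "eu", [IdpInstance("https://idp1.eu.example.com", eu_available, 0.2),
                                   IdpInstance("https://idp2.eu.example.com", False, 0.0)])
    return LogicalIdpService([us, eu], bindings={"alice": "https://idp1.us.example.com"})


if __name__ == "__main__":
    svc = build_service()
    for who, region in [("alice", "us"), ("bob", "us"), ("carol", "eu")]:
        path, loc = svc.discover("us-east", DiscoveryRequest("https://sp.example.org", region, who))
        print(who, path, loc, sp_accepts_redirect(loc, svc.known_instance_urls()))
```

In the sample topology, alice is sent to her previously bound instance even though it is the more loaded one, bob gets the least-loaded US instance, and carol's request arriving at us-east is redirected to eu-west, where the only available EU instance is chosen. With the EU instances marked down, a request arriving at eu-west falls over to us-east. The bounded loop in `discover` and the allow-list check in `sp_accepts_redirect` are the two guards a deployment of this scheme should not omit.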
Specification