System and method for policy-based inter-realm authentication within a distributed processing system
First Claim
1. In a distributed computing system wherein individual computers are linked together by a communication network, a method for inter-realm authentication comprising the steps of:
a) requesting, by a client, an application server policy for an application server from a policy server;
b) when a policy reply from the policy server contains an authentication policy of the application server, requesting, by the client, an authentication path to the application server from an authentication routing server;
c) determining, by the authentication routing server, whether the authentication path is compliant with the authentication policy and authentication routing information;
d) when the authentication path is compliant with the authentication policy and the authentication routing information, providing, by the authentication routing server, verification of the authentication path to the client;
e) upon receiving the verification of the authentication path, requesting, by the client, an authentication certificate from an authentication server;
f) providing, by the authentication server, the authentication certificate to the client, wherein the authentication certificate is based on the authentication path;
g) upon receiving the authentication certificate, sending, by the client, a request to the application server, wherein the request includes the authentication certificate; and
h) verifying, by the application server, the client based on the authentication certificate.
Abstract
A system and method for defining a platform-independent policy framework for authentication of principals to servers in another realm, within a distributed data processing system. The present invention may be implemented on top of the Kerberos protocol, or any trusted third party network authentication protocol with inter-realm authentication mechanisms.
9 Claims
1. (Reproduced above under First Claim; claims 2, 3, 4, 5 and 6 depend on claim 1.)
7. An inter-realm authentication apparatus for use in a distributed data processing system, the inter-realm authentication apparatus comprises:
an authentication server that includes:
an authentication information database for storing authentication routing information of the distributed data processing system;
processing means, operably coupled to the authentication information database, for providing the authentication routing information upon request and for processing certificate requests by clients affiliated with the distributed data processing system;
a policy server that includes:
a policy database for storing authentication policies of application servers;
processing means, operably coupled to the policy database, for entering an authentication policy of an application server into the policy database and for processing requests for policy information by the clients; and
an authentication routing server that is operably coupled to the authentication server and the policy server, wherein the authentication routing server, upon an authentication path request from a client to a target application server, determines whether the authentication path is compliant with the authentication routing information and the authentication policy of the target application server.
(Claim 8 depends on claim 7.)
9. A computer readable storage medium for storing program instructions that, when read by at least one computer, cause the at least one computer to provide inter-realm authentication, the computer readable storage medium comprises:
first storage means for storing program instructions that cause the at least one computer to receive an application server policy request for an application server from a client;
second storage means for storing program instructions that cause the at least one computer to generate a policy reply, and, when the policy reply contains an authentication policy of the application server, to receive an authentication path request between the application server and the client from the client;
third storage means for storing program instructions that cause the at least one computer to determine whether the authentication path is compliant with the authentication policy and authentication routing information;
fourth storage means for storing program instructions that cause the at least one computer to provide verification of the authentication path to the client when the authentication path is compliant with the authentication policy and the authentication routing information;
fifth storage means for storing program instructions that cause the at least one computer to receive a request from the client, in response to the verification of the authentication path, for an authentication certificate; and
sixth storage means for storing program instructions that cause the at least one computer to provide the authentication certificate to the client, wherein the authentication certificate is based on the authentication path.
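The exchange of claims 1, 7 and 9 (policy lookup, path compliance check, path-bound certificate, verification by the application server) as an added, self-contained model; this is example code, not the patent's own implementation. All realm names, policies and keys are constructed sample data. Two points the claims leave open are filled with assumptions: the authentication routing server here finds the candidate path itself by breadth-first search over the routing information and prunes realms the policy forbids, and the "authentication certificate" is an HMAC over (client, target server, path) under a key shared by the authentication server and the application server, standing in for a Kerberos service ticket. The application server re-checks the transited path against its own policy, which is the check that makes a certificate issued for a non-compliant path useless even if the routing server were bypassed.

```python
"""Toy model of policy-based inter-realm authentication (claims 1, 7 and 9).

All data below is constructed; the HMAC certificate and the BFS path search
are assumptions standing in for the patent's unspecified mechanisms.
"""
from collections import deque
import hashlib
import hmac
import json

# Authentication routing information (held by the authentication server):
# undirected inter-realm trust links. Constructed sample topology.
ROUTING_INFO = {
    frozenset({"ENG.EXAMPLE", "EXAMPLE"}),
    frozenset({"EXAMPLE", "PARTNER"}),
    frozenset({"PARTNER", "SALES.PARTNER"}),
    frozenset({"CONTRACTOR", "EXAMPLE"}),
}

# Authentication policies of application servers (held by the policy server).
POLICIES = {
    "app01.sales.partner": {"realm": "SALES.PARTNER", "max_hops": 3,
                            "forbidden_realms": {"CONTRACTOR"}},
}

# Keys shared between the authentication server and each application server
# (assumption: plays the role of a Kerberos service key). Not real secrets.
APP_KEYS = {"app01.sales.partner": b"constructed-demo-key-not-a-real-secret"}


def neighbours(realm):
    """Realms directly trusted by `realm` according to ROUTING_INFO."""
    return {next(iter(link - {realm})) for link in ROUTING_INFO if realm in link}


def policy_server(app_server):
    """Steps a/b: reply with the server's authentication policy, or None."""
    return POLICIES.get(app_server)


def authentication_routing_server(client_realm, policy):
    """Steps c/d: return the shortest trust path from the client's realm to
    the target realm that is compliant with the routing information and the
    policy (hop limit, forbidden realms), or None if no such path exists."""
    if client_realm in policy["forbidden_realms"]:
        return None
    queue, seen = deque([[client_realm]]), {client_realm}
    while queue:
        path = queue.popleft()
        if path[-1] == policy["realm"]:
            # BFS yields the shortest path first; a longer one cannot comply.
            return path if len(path) - 1 <= policy["max_hops"] else None
        for nxt in sorted(neighbours(path[-1])):
            if nxt not in seen and nxt not in policy["forbidden_realms"]:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def authentication_server(client, app_server, path):
    """Steps e/f: issue a certificate bound to the verified path and keyed to
    the target application server (HMAC-SHA256 over a canonical payload)."""
    payload = json.dumps({"client": client, "server": app_server, "path": path},
                         sort_keys=True).encode()
    mac = hmac.new(APP_KEYS[app_server], payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode(), "mac": mac}


def application_server(app_server, request):
    """Step h: verify the MAC, that the certificate targets this server, and
    that the transited path obeys this server's own policy. Returns the
    authenticated client principal, or None."""
    cert = request["certificate"]
    expected = hmac.new(APP_KEYS[app_server], cert["payload"].encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cert["mac"]):
        return None
    claims = json.loads(cert["payload"])
    policy = POLICIES[app_server]
    path = claims["path"]
    if claims["server"] != app_server or path[-1] != policy["realm"]:
        return None
    if set(path) & policy["forbidden_realms"] or len(path) - 1 > policy["max_hops"]:
        return None
    return claims["client"]


def client_flow(client, app_server):
    """Steps a-h from the client's side; the accepted principal, or None."""
    policy = policy_server(app_server)                                   # a
    if policy is None:                                                   # b
        return None
    path = authentication_routing_server(client.split("@")[1], policy)  # c/d
    if path is None:
        return None
    cert = authentication_server(client, app_server, path)               # e/f
    request = {"operation": "read", "certificate": cert}                 # g
    return application_server(app_server, request)                       # h


if __name__ == "__main__":
    print(client_flow("alice@ENG.EXAMPLE", "app01.sales.partner"))
    print(client_flow("bob@CONTRACTOR", "app01.sales.partner"))
```

A principal in ENG.EXAMPLE reaches app01.sales.partner over three hops and is accepted; a principal whose home realm is on the forbidden list never obtains a path, and a certificate whose payload is altered after issuance fails the MAC check at the application server.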