Method and apparatus for managing network resources for externally authenticated users
First Claim
1. A method for managing network resources for externally authenticated users, the method comprising:
- authenticating a user in a first administrative domain;
- generating a token for the user, the token assigning at least a first role for the user, the first role identifying the user as a member of a pre-defined class of users;
- configuring the token to identify the user by the first role to a component of a second administrative domain;
- receiving a request from the user to retrieve network resources from the second administrative domain; and
- determining whether the user is authorized to access the network resources of the second administrative domain based on the first role in the token.
Abstract
A method is disclosed for managing network resources in multiple administrative domains. According to the method, a user is authenticated in a first administrative domain. A token is generated for the user that identifies the user as being assigned a role. The token is configured to identify the user by the role to a component of a second administrative domain. When the user requests a resource of the second administrative domain, its component examines the token and the role to determine whether to grant access to the resource. As a result, the second administrative domain may grant the user access to its resources without re-authenticating the user in the second administrative domain.
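As an added illustration (not part of the patent text), the following Python sketches the flow the abstract describes: the first domain signs a token that carries a role, and the second domain's resource component verifies the token and decides by role against its own policy, never re-authenticating the user. The domain names, the shared signing key, the roles and the policy table are all constructed for this example.

```python
import base64, hashlib, hmac, json
from typing import Optional

# Constructed values for the example: a key shared by the two domains (a real
# deployment would verify the issuer's signature with its public key) and
# Domain B's policy table, keyed by role rather than by individual user.
SHARED_KEY = b"constructed-demo-key-shared-by-domain-a-and-b"
DOMAIN_B_POLICY = {"engineer": {"/repo", "/ci"}, "contractor": {"/repo"}}

def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64u_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(user: str, role: str, now: int, ttl: int = 300) -> str:
    """Domain A, after authenticating the user: bind role, audience and expiry
    into a token and sign it so Domain B can check it came from Domain A."""
    claims = {"sub": user, "role": role, "iss": "domain-a",
              "aud": "domain-b", "exp": now + ttl}
    body = _b64u(json.dumps(claims, sort_keys=True).encode())
    sig = _b64u(hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).digest())
    return body + "." + sig

def verify_token(token: str, now: int) -> Optional[dict]:
    """Domain B: claims if untampered, from Domain A, for Domain B and unexpired."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_b64u_decode(sig), expected):
            return None
        claims = json.loads(_b64u_decode(body))
        if claims["iss"] != "domain-a" or claims["aud"] != "domain-b":
            return None
        if int(claims["exp"]) <= now:
            return None
        return claims
    except (ValueError, KeyError, TypeError):
        return None

def authorize(token: str, resource: str, now: int) -> bool:
    """Domain B resource component: decide by the token's role, no re-auth."""
    claims = verify_token(token, now)
    if claims is None:
        return False
    return resource in DOMAIN_B_POLICY.get(claims.get("role"), set())
```

Note that Domain B never consults a user database of its own: the only identity-bearing fact it acts on is the role, which is why signature, issuer, audience and expiry checks all have to pass before the role is trusted.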
26 Claims
1. (Independent claim, reproduced above under First Claim.) Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11.
12. A method for managing network resources in multiple administrative domains, the method comprising:
- in a first administrative domain:
  - authenticating a user in response to a request to access one or more resources in the first administrative domain;
  - generating a token for the user, the token assigning at least a first role to the user, the first role identifying the user as a member of a class of users;
- in a second administrative domain:
  - receiving a second request from the user to access one or more second resources in the second administrative domain, wherein the second request includes the token;
  - identifying a first policy for the first role specified by the token; and
  - managing access of the user to the second resources according to the first policy.
Dependent claims: 13, 14, 15, 16, 17.
18. A method for managing network resources for externally authenticated users, the method comprising:
- receiving a first request to authenticate a user in a first administrative domain;
- authenticating the user in the first administrative domain;
- generating a token for the user, wherein the token includes information defining a first role for the user, wherein the first role identifies the user as a member of a pre-defined class of users;
- receiving a second request from the user to access one or more network resources located in a second administrative domain; and
- determining whether to grant the user access to the network resources based on the role in the token and without re-authenticating the user in the second administrative domain.
19. A computer system for managing network resources, the computer system comprising:
- a storage medium that stores identification information for users that access the network;
- processing resources located in a first administrative domain, the processing resources being configured to:
  - authenticate a user in the first administrative domain;
  - generate a token for the user in response to the user, the token identifying at least a first role for the user and identifying the user as a member of a pre-defined class of users;
  - configure the token to enable the user to be identified by the first role in a second administrative domain, wherein the user is provided access to a resource of the second administrative domain according to a policy for the first role;
  - receive a request from the user to retrieve network resources from the second administrative domain; and
  - determine whether the user is authorized to access the network resources of the second administrative domain based on the first role in the token.
Dependent claims: 20, 21, 22.
23. A tangible computer-readable medium for managing network resources in multiple administrative domains, the computer-readable medium carrying instructions for performing the steps of:
- assigning at least a first role to a plurality of users that access a first administrative domain;
- causing each of the plurality of users to be identified by the first role on a component of the second administrative domain, wherein the first role identifies a policy that is shared by the plurality of users for accessing resources managed in the second administrative domain;
- receiving a request from the user to retrieve network resources from the second administrative domain; and
- determining whether the user is authorized to access the network resources of the second administrative domain based on the first role in the token.
Dependent claims: 24, 25, 26.