Method and system for consolidated sign-off in a heterogeneous federated environment

US 7,219,154 B2
Filed: 12/31/2002
Issued: 05/15/2007
Est. Priority Date: 12/31/2002
Status: Active Grant

First Claim

Patent Images

1. A method for managing user sessions within a distributed data processing system, the method comprising:

in response to determining to logoff a user on a system within a first domain, obtaining a list of domains at which the first domain has initiated a logon operation for the user by providing an authentication assertion;

generating at a system in the first domain a set of logoff request messages, wherein the set of logoff request messages contains a logoff request message for the user for each domain in the list of domains, wherein a logoff request message comprises an authentication assertion for the user; and

sending a logoff request message from a system in the first domain to each domain in the list of domains.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is presented in which federated domains interact within a federated environment. Domains within a federation can initiate federated single-sign-on operations for a user at other federated domains. A point-of-contact server within a domain relies upon a trust proxy within the domain to manage trust relationships between the domain and the federation. Trust proxies interpret assertions from other federated domains as necessary. Trust proxies may have a trust relationship with one or more trust brokers, and a trust proxy may rely upon a trust broker for assistance in interpreting assertions. When a user requests to logoff from a domain that has initiated federated single-sign-on operations for the user at other federated domains, the domain initiates a consolidated logoff operation by requesting logoff operations at those other federated domains, which may also initiate logoff operations in a cascaded fashion to the domains at which they have initiated federated single-sign-on operations.

Citations

36 Claims

1. A method for managing user sessions within a distributed data processing system, the method comprising:
- in response to determining to logoff a user on a system within a first domain, obtaining a list of domains at which the first domain has initiated a logon operation for the user by providing an authentication assertion;
  
  generating at a system in the first domain a set of logoff request messages, wherein the set of logoff request messages contains a logoff request message for the user for each domain in the list of domains, wherein a logoff request message comprises an authentication assertion for the user; and
  
  sending a logoff request message from a system in the first domain to each domain in the list of domains.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1 further comprising:
    - receiving at a system in the first domain a logoff request message from a system in a second domain to initiate a logoff operation for the user; and
      
      determining to logoff the user based on the request from a system in the second domain.
  - 3. The method of claim 2 wherein a logoff request message is a SOAP (Simple Object Access Protocol) publish message.
  - 4. The method of claim 3 wherein a system in the first domain has subscribed to logoff events.
  - 5. The method of claim 3 wherein a system in the first domain has subscribed to logoff events that are specifically for the user.
  - 6. The method of claim 1 further comprising:
    - extracting an authentication assertion from a logoff request message at a pointofcontact server within the first domain; and
      
      forwarding the extracted authentication assertion to a trust proxy within the first domain.
  - 7. The method of claim 6 further comprising:
    - in response to validating the extracted authentication assertion, returning to the point of-contact server a local security token that is valid within the first domain.
  - 8. The method of claim 7 further comprising:
    - in response to a determination of an inability to validate the extracted authentication assertion at the trust proxy, requesting a trust broker to validate the extracted authentication assertion.
  - 9. The method of claim 1 further comprising:
    - receiving at a system in the first domain a request from a client operated by the user to initiate a logoff operation; and
      
      determining to logoff the user based on the request from the user.
  - 10. The method of claim 1 wherein the user accesses a logoff resource at a system in the first domain.
  - 11. The method of claim 1 wherein a logoff request message is generated by a point-of-contact server within a federated domain.
  - 12. The method of claim 1 wherein a logoff request message is generated by a trust proxy server within a federated domain.

13. A data processing system for managing user sessions, the data processing system comprising:
- means for obtaining a list of domains at which the first domain has initiated a logon operation for the user by providing an authentication assertion in response to determining to logoff a user on a system within a first domain;
  
  means for generating at a system in the first domain a set of logoff request messages, wherein the set of logoff request messages contains a logoff request message for the user for each domain in the list of domains, wherein a logoff request message comprises an authentication assertion for the user; and
  
  means for sending a logoff request message from a system in the first domain to each domain in the list of domains.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 14. The data processing system of claim 13 further comprising:
    - means for receiving at a system in the first domain a logoff request message from a system in a second domain to initiate a logoff operation for the user; and
      
      means for determining to logoff the user based on the request from a system in the second domain.
  - 15. The data processing system of claim 14 wherein a logoff request message is a SOAP (Simple Object Access Protocol) publish message.
  - 16. The data processing system of claim 15 wherein a system in the first domain has subscribed to logoff events.
  - 17. The data processing system of claim 15 wherein a system in the first domain has subscribed to logoff events that are specifically for the user.
  - 18. The data processing system of claim 13 further comprising:
    - means for extracting an authentication assertion from a logoff request message at a point-of-contact server within the first domain; and
      
      means for forwarding the extracted authentication assertion to a trust proxy within the first domain.
  - 19. The data processing system of claim 18 further comprising:
    - means for returning to the point-of-contact server a local security token that is valid within the first domain in response to validating the extracted authentication assertion.
  - 20. The data processing system of claim 19 further comprising:
    - means for requesting a trust broker to validate the extracted authentication assertion in response to a determination of an inability to validate the extracted authentication assertion at the trust proxy.
  - 21. The data processing system of claim 13 further comprising:
    - means for receiving at a system in the first domain a request from a client operated by the user to initiate a logoff operation; and
      
      means for determining to logoff the user based on the request from the user.
  - 22. The data processing system of claim 13 wherein the user accesses a logoff resource at a system in the first domain.
  - 23. The data processing system of claim 13 wherein a logoff request message is generated by a point-of-contact server within a federated domain.
  - 24. The data processing system of claim 13 wherein a logoff request message is generated by a trust proxy server within a federated domain.

25. A computer program product in a computer readable medium for managing user sessions in a data processing system, the computer program product comprising:
- means for obtaining a list of domains at which the first domain has initiated a logon operation for the user by providing an authentication assertion in response to determining to logoff a user on a system within a first domain;
  
  means for generating at a system in the first domain a set of logoff request messages, wherein the set of logoff request messages contains a logoff request message for the user for each domain in the list of domains, wherein a logoff request message comprises an authentication assertion for the user; and
  
  means for sending a logoff request message from a system in the first domain to each domain in the list of domains.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 26. The computer program product of claim 25 further comprising:
    - means for receiving at a system in the first domain a logoff request message from a system in a second domain to initiate a logoff operation for the user; and
      
      means for determining to logoff the user based on the request from a system in the second domain.
  - 27. The computer program product of claim 26 wherein a logoff request message is a SOAP (Simple Object Access Protocol) publish message.
  - 28. The computer program product of claim 27 wherein a system in the first domain has subscribed to logoff events.
  - 29. The computer program product of claim 27 wherein a system in the first domain has subscribed to logoff events that are specifically for the user.
  - 30. The computer program product of claim 25 further comprising:
    - means for extracting an authentication assertion from a logoff request message at a point-of-contact server within the first domain; and
      
      means for forwarding the extracted authentication assertion to a trust proxy within the first domain.
  - 31. The computer program product of claim 30 further comprising:
    - means for returning to the point-of-contact server a local security token that is valid within the first domain in response to validating the extracted authentication assertion.
  - 32. The computer program product of claim 31 further comprising:
    - means for requesting a trust broker to validate the extracted authentication assertion in response to a determination of an inability to validate the extracted authentication assertion at the trust proxy.
  - 33. The computer program product of claim 25 further comprising:
    - means for receiving at a system in the first domain a request from a client operated by the user to initiate a logoff operation; and
      
      means for determining to logoff the user based on the request from the user.
  - 34. The computer program product of claim 25 wherein the user accesses a logoff resource at a system in the first domain.
  - 35. The computer program product of claim 25 wherein a logoff request message is generated by a point-of-contact server within a federated domain.
  - 36. The computer program product of claim 25 wherein a logoff request message is generated by a trust proxy server within a federated domain.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ServiceNow Incorporated
Original Assignee
International Business Machines Corporation
Inventors
Wesley, Ajamu Akinwunmi, Nadalin, Anthony Joseph, Hinton, Heather Maria, Blakley, George Robert III
Primary Examiner(s)
Cardone; Jason
Assistant Examiner(s)
NGUYEN, MINH CHAU

Application Number

US10/334,325
Publication Number

US 20040128393A1
Time in Patent Office

1,596 Days
Field of Search

709/225, 709/229
US Class Current

709/229
CPC Class Codes

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/104   Grouping of entities

H04L 67/10   in which an application is ...

Method and system for consolidated sign-off in a heterogeneous federated environment

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

36 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for consolidated sign-off in a heterogeneous federated environment

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

36 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links