Federated identity management within a distributed portal server

US 7,346,923 B2
Filed: 11/21/2003
Issued: 03/18/2008
Est. Priority Date: 11/21/2003
Status: Expired due to Fees

First Claim

Patent Images

1. A computer-implemented method of providing cross-domain authentication in a computing environment, comprising:

providing security credentials of an entity to an initial point of contact that provides content aggregation in the computing environment;

passing the provided credentials from the initial point of contact to a local trust proxy in a local security domain of the initial point of contact;

authenticating the entity with an authentication service in the local security domain, using the passed credentials, for accessing content from at least one local content service, each of the at least one local content services operable to provide its content from the local security domain for aggregation, by the initial point of contact, in an aggregated view;

responsive to a successful outcome of the authenticating, forwarding an authentication assertion for the successful outcome to a remote trust proxy in each of at least one selected remote security domains, the authentication assertion comprising an identification of the entity;

using the identification from the authentication assertion, by the remote trust proxy in each of the at least one selected remote security domains, to locate previously-stored security credentials usable for authenticating the entity in that remote security domain, wherein the located security credentials usable for authenticating the entity in at least one of the selected remote security domains differ from the security credentials of the entity provided to the initial point of contact; and

authenticating the entity with an authentication service in each of the at least one selected remote security domains, using the located security credentials usable for authenticating the entity in that remote security domain, for accessing other content from at least one remote content service that is operable in that remote security domain to provide its content from that remote security domain for aggregation, by the initial point of contact, in the aggregated view.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are disclosed for federating identity management within a distributed portal server, leveraging Web services techniques and a number of industry standards. Identities are managed across autonomous security domains which may be comprised of independent trust models, authentication services, and user enrollment services. The disclosed techniques enable integrating third-party Web services-based portlets, which rely on various potentially-different security mechanisms, within a common portal page.

Citations

18 Claims

1. A computer-implemented method of providing cross-domain authentication in a computing environment, comprising:
- providing security credentials of an entity to an initial point of contact that provides content aggregation in the computing environment;
  
  passing the provided credentials from the initial point of contact to a local trust proxy in a local security domain of the initial point of contact;
  
  authenticating the entity with an authentication service in the local security domain, using the passed credentials, for accessing content from at least one local content service, each of the at least one local content services operable to provide its content from the local security domain for aggregation, by the initial point of contact, in an aggregated view;
  
  responsive to a successful outcome of the authenticating, forwarding an authentication assertion for the successful outcome to a remote trust proxy in each of at least one selected remote security domains, the authentication assertion comprising an identification of the entity;
  
  using the identification from the authentication assertion, by the remote trust proxy in each of the at least one selected remote security domains, to locate previously-stored security credentials usable for authenticating the entity in that remote security domain, wherein the located security credentials usable for authenticating the entity in at least one of the selected remote security domains differ from the security credentials of the entity provided to the initial point of contact; and
  
  authenticating the entity with an authentication service in each of the at least one selected remote security domains, using the located security credentials usable for authenticating the entity in that remote security domain, for accessing other content from at least one remote content service that is operable in that remote security domain to provide its content from that remote security domain for aggregation, by the initial point of contact, in the aggregated view.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method according to claim 1, wherein the forwarding further comprisesconsulting policy information to determine which of a plurality of remote security domains should be selected as the at least one selected remote security domains.
  - 3. The method according to claim 1, wherein the using the identification to locate previously-stored security credentials and the authenticating the entity using the located security credentials enable accessing the other content from remote content services in the selected remote security domains without requiring the entity to provide the previously-stored security credentials to the initial point of contact.
  - 4. The method according to claim 1, wherein the entity is an end user.
  - 5. The method according to claim 1, wherein the initial point of contact is a portal interface.
  - 6. The method according to claim 1, wherein the passing is performed by a proxy of the initial point of contact.
  - 7. The method according to claim 6, wherein the proxy of the initial point of contact performs a protocol conversion, when passing the provided credentials, from a first protocol used in the providing to a second protocol used by the trust proxy.
  - 8. The method according to claim 7, wherein the first protocol is Hypertext Transfer Protocol (“
    - HTTP”
      
      ) or a security-enhanced version thereof.
  - 9. The method according to claim 7, wherein the second protocol is Simple Object Access Protocol (“
    - SOAP”
      
      ).
  - 10. The method according to claim 1, further comprising forwarding the authentication assertion, by the remote trust proxy in each of the at least one selected remote security domains, to the authentication service in that remote security domain, which relies on the forwarded authentication assertion when authenticating the entity using the located security credentials.
  - 11. The method according to claim 10, wherein the successful outcome of authenticating in the local security domain and results of the authenticating each of the selected remote security domains are returned to the initial point of contact for use when creating the aggregated view.
  - 12. The method according to claim 11, further comprising using the returned successful outcome and the returned results of the authenticating in each of the selected remote security domains to determine, by the initial point of contact, which of the content and the other content can be aggregated by the initial point of contact in the aggregated view.
  - 13. The method according to claim 1, further comprising rendering, by the initial point of contact, the aggregated view.

14. A system for enabling an entity to have seamless access to a plurality of aggregated services which have different identity requirements, comprising:
- at least one computer, each comprising a processor; and
  
  instructions which execute on at least one of at least one computers, using the processor of the computer, to implement functions comprising;
  
  initially authenticating the entity, by a first authentication component in a local security domain, for access to a first service in the local security domain using an identity provided by the entity using an aggregation interface in the local security domain;
  
  mapping the provided identity, in each of at least one remote security domains, to the different identity requirements of at least one other service which is provided by that remote security domain and which is to be aggregated with the first service, thereby establishing mapped identity requirements for each of the at least one other services;
  
  subsequently authenticating the entity, by an authentication component in each of the at least one remote security domains, for access to each of the at least one other services which is provided by that remote security domain, using the mapped identity requirements; and
  
  aggregating each of the at least one other services and the first service, if the authentications thereof are successful, into an aggregated result accessible from the aggregation interface in the local security domain.
- View Dependent Claims (15, 16)
- - 15. The system according to claim 14, wherein the aggregated result is an aggregated view.
  - 16. The system according to claim 14, wherein the entity is a programmatic entity.

17. A computer program product for providing federated identity management within a distributed content aggregation framework, the computer program product embodied on one or more computer-usable storage media and comprising computer-usable program code for:
- providing, to the content aggregation framework by a using entity, initial identity information that identifies the using entity for accessing a first content source that is operable within a first security domain in which the content aggregation framework is operable;
  
  authenticating the using identity, using the initial identity information, by a first authentication service in the first security domain;
  
  conveying results of the authentication by the first authentication service to at least one selected other authentication service, each of which is associated with a remote security domain that is distinct from the first security domain, along with the initial identity information;
  
  using, in each remote security domain, the conveyed initial identity information to locate previously-stored identity information usable for authenticating the using identity in the remote security domain;
  
  using the located identity information, in each of the remote security domains, to authenticate the using entity to each of the selected other authentication services for accessing a remote content source operable within the remote security domain that is associated with that selected other authentication service, without requiring the using entity to provide the previously-stored identity information to the content aggregation framework; and
  
  aggregating content from the first content source and other content from each of the remote content sources for presentation in an aggregated view rendered by the content aggregation framework.
- View Dependent Claims (18)
- - 18. The computer program product according to claim 17, wherein the initial identity information is a name and password associated with the using entity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Wesley, Ajamu A., Nadalin, Anthony J., Atkins, Barry D., Melgar, David O.
Primary Examiner(s)
TRUONG, THANHNGA B

Application Number

US10/719,490
Publication Number

US 20050114701A1
Time in Patent Office

1,579 Days
Field of Search

726 1- 5, 726 4- 6, 726/12, 726/18, 709/225, 709/229, 709/206, 709223-224
US Class Current

726/6
CPC Class Codes

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/60   Digital content management,...

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 63/08   for authentication of entit...

H04L 9/3226   using a predetermined code,...

H04L 9/3247   involving digital signatures

Federated identity management within a distributed portal server

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Federated identity management within a distributed portal server

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links