Federated identity management within a distributed portal server
First Claim
1. A computer-implemented method of providing cross-domain authentication in a computing environment, comprising:
providing security credentials of an entity to an initial point of contact that provides content aggregation in the computing environment;
passing the provided credentials from the initial point of contact to a local trust proxy in a local security domain of the initial point of contact;
authenticating the entity with an authentication service in the local security domain, using the passed credentials, for accessing content from at least one local content service, each of the at least one local content services operable to provide its content from the local security domain for aggregation, by the initial point of contact, in an aggregated view;
responsive to a successful outcome of the authenticating, forwarding an authentication assertion for the successful outcome to a remote trust proxy in each of at least one selected remote security domains, the authentication assertion comprising an identification of the entity;
using the identification from the authentication assertion, by the remote trust proxy in each of the at least one selected remote security domains, to locate previously-stored security credentials usable for authenticating the entity in that remote security domain, wherein the located security credentials usable for authenticating the entity in at least one of the selected remote security domains differ from the security credentials of the entity provided to the initial point of contact; and
authenticating the entity with an authentication service in each of the at least one selected remote security domains, using the located security credentials usable for authenticating the entity in that remote security domain, for accessing other content from at least one remote content service that is operable in that remote security domain to provide its content from that remote security domain for aggregation, by the initial point of contact, in the aggregated view.
Abstract
Techniques are disclosed for federating identity management within a distributed portal server, leveraging Web services techniques and a number of industry standards. Identities are managed across autonomous security domains which may be comprised of independent trust models, authentication services, and user enrollment services. The disclosed techniques enable integrating third-party Web services-based portlets, which rely on various potentially-different security mechanisms, within a common portal page.
18 Claims
14. A system for enabling an entity to have seamless access to a plurality of aggregated services which have different identity requirements, comprising:
at least one computer, each comprising a processor; and
instructions which execute on at least one of at least one computers, using the processor of the computer, to implement functions comprising:
initially authenticating the entity, by a first authentication component in a local security domain, for access to a first service in the local security domain using an identity provided by the entity using an aggregation interface in the local security domain;
mapping the provided identity, in each of at least one remote security domains, to the different identity requirements of at least one other service which is provided by that remote security domain and which is to be aggregated with the first service, thereby establishing mapped identity requirements for each of the at least one other services;
subsequently authenticating the entity, by an authentication component in each of the at least one remote security domains, for access to each of the at least one other services which is provided by that remote security domain, using the mapped identity requirements; and
aggregating each of the at least one other services and the first service, if the authentications thereof are successful, into an aggregated result accessible from the aggregation interface in the local security domain.
17. A computer program product for providing federated identity management within a distributed content aggregation framework, the computer program product embodied on one or more computer-usable storage media and comprising computer-usable program code for:
providing, to the content aggregation framework by a using entity, initial identity information that identifies the using entity for accessing a first content source that is operable within a first security domain in which the content aggregation framework is operable;
authenticating the using identity, using the initial identity information, by a first authentication service in the first security domain;
conveying results of the authentication by the first authentication service to at least one selected other authentication service, each of which is associated with a remote security domain that is distinct from the first security domain, along with the initial identity information;
using, in each remote security domain, the conveyed initial identity information to locate previously-stored identity information usable for authenticating the using identity in the remote security domain;
using the located identity information, in each of the remote security domains, to authenticate the using entity to each of the selected other authentication services for accessing a remote content source operable within the remote security domain that is associated with that selected other authentication service, without requiring the using entity to provide the previously-stored identity information to the content aggregation framework; and
aggregating content from the first content source and other content from each of the remote content sources for presentation in an aggregated view rendered by the content aggregation framework.
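The flow of claims 1, 14 and 17 (local authentication, an assertion forwarded to a remote trust proxy, a lookup of different previously-stored credentials keyed by the asserted identity, remote authentication, aggregation) as an added simulation; this is illustrative code, not the patent's or any product's implementation. It assumes the assertion is protected by an HMAC key pre-shared between trust proxies (the patent names no specific assertion format), and the domain names, users and keys are constructed sample data.

```python
import hashlib
import hmac
import json

# Constructed sample domains (not from the patent): each security domain runs its own
# authentication service (username -> secret) and its own trust-proxy signing key.
DOMAINS = {
    "portal.example": {"users": {"alice": "pw-local"}, "key": b"k-portal"},
    "news.example": {"users": {"a.smith": "pw-news"}, "key": b"k-news"},
}
# Issuer keys a remote trust proxy accepts assertions from (assumed pre-established trust).
TRUSTED_ISSUERS = {"news.example": {"portal.example": b"k-portal"}}
# Previously-stored remote credentials, located by the identity carried in the assertion;
# note they differ from what the entity gave the initial point of contact.
CREDENTIAL_STORE = {"news.example": {"alice": ("a.smith", "pw-news")}}


def authenticate(domain, user, secret):
    """Authentication service of a single security domain."""
    return DOMAINS[domain]["users"].get(user) == secret


def local_trust_proxy(domain, entity, secret):
    """Authenticate locally; on success issue a keyed assertion naming the entity."""
    if not authenticate(domain, entity, secret):
        return None
    body = json.dumps({"issuer": domain, "subject": entity}, sort_keys=True)
    mac = hmac.new(DOMAINS[domain]["key"], body.encode(), hashlib.sha256).hexdigest()
    return body, mac


def remote_trust_proxy(domain, assertion):
    """Check the assertion's origin, map the identity, then authenticate remotely."""
    body, mac = assertion
    claims = json.loads(body)
    key = TRUSTED_ISSUERS.get(domain, {}).get(claims["issuer"])
    if key is None:  # unknown issuer: reject before touching the credential store
        return False
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):  # tampered subject or forged MAC
        return False
    mapped = CREDENTIAL_STORE[domain].get(claims["subject"])
    return mapped is not None and authenticate(domain, *mapped)


def aggregated_view(entity, secret, remotes):
    """Initial point of contact: local authentication, then fan-out to remote domains."""
    assertion = local_trust_proxy("portal.example", entity, secret)
    if assertion is None:
        return {}
    view = {"portal.example": True}
    for remote in remotes:
        view[remote] = remote_trust_proxy(remote, assertion)
    return view
```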