Role-based authorization of network services using diversified security tokens

US 7,434,252 B2
Filed: 07/14/2004
Issued: 10/07/2008
Est. Priority Date: 07/14/2004
Status: Active Grant

First Claim

Patent Images

1. In a network environment that includes a service providing computing system and a network connected to the service providing computing system, the service providing computing system offering one or more services, the network being capable of delivering to the service providing computing system a plurality of service request messages associated with diversified security token types, a method for the service providing computing system to perform end-to-end role-based authorization regardless of the security token type used, the one or more services using the security tokens being associated with the received service request messages despite the received service request messages having diversified security token types, the method comprising the following:

an act of receiving a service request message over the network, the service request message requesting a specific service offered by the service providing computing system to authorized users, the service request including a security token of a designated security token type, the designated security token type comprising one of a plurality of selectable security token types, and a policy component corresponding to the designated security token type, the policy component comprising rules indicating how a message with the designated security token type is to be handled;

an act of accessing the security token of the designated security token type associated with the received service request message;

an act of accessing the rules of the corresponding policy component to determine how the received service request message with the security token of the designated security token type is to be handled;

an act of identifying one or more roles associated with the security token, each role being associated with a plurality of users, the one or more roles indicating one or more specific authorized services available to identities associated with the role;

an act of correlating the one or more identified roles with the accessed security token; and

an act of authorizing the requested service based on the accessed rules of the corresponding policy component and on the one or more identified correlated roles associated with the identity.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A mechanism for performing role-based authorization of the one or more services using security tokens associated with received service request messages. This role-based authentication is performed regardless of the type of security token associated with the received service request messages. Upon receiving a service request message over the network for a particular service offered by the service providing computing system, the service providing computing system accesses a security token associated with the received service request message. Then, the computing system identifies one or more roles that include the identity associated with the security token, and correlates the roles with the security token. These correlated roles are then used to authorize the requested service. This mechanism is performed regardless of the type of the security token.

Citations

36 Claims

1. In a network environment that includes a service providing computing system and a network connected to the service providing computing system, the service providing computing system offering one or more services, the network being capable of delivering to the service providing computing system a plurality of service request messages associated with diversified security token types, a method for the service providing computing system to perform end-to-end role-based authorization regardless of the security token type used, the one or more services using the security tokens being associated with the received service request messages despite the received service request messages having diversified security token types, the method comprising the following:
- an act of receiving a service request message over the network, the service request message requesting a specific service offered by the service providing computing system to authorized users, the service request including a security token of a designated security token type, the designated security token type comprising one of a plurality of selectable security token types, and a policy component corresponding to the designated security token type, the policy component comprising rules indicating how a message with the designated security token type is to be handled;
  
  an act of accessing the security token of the designated security token type associated with the received service request message;
  
  an act of accessing the rules of the corresponding policy component to determine how the received service request message with the security token of the designated security token type is to be handled;
  
  an act of identifying one or more roles associated with the security token, each role being associated with a plurality of users, the one or more roles indicating one or more specific authorized services available to identities associated with the role;
  
  an act of correlating the one or more identified roles with the accessed security token; and
  
  an act of authorizing the requested service based on the accessed rules of the corresponding policy component and on the one or more identified correlated roles associated with the identity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. A method in accordance with claim 1, wherein the act of accessing a security token associated with the received service request message comprises the following:
    - an act of accessing the security token from the received service request message itself.
  - 3. A method in accordance with claim 1, wherein the act of accessing a security token associated with the received service request message comprises the following:
    - an act of accessing a security token identification information from the received service request message; and
      
      an act of using the security token identification information to access the security token associated with the received service request message.
  - 4. A method in accordance with claim 1, wherein the service request message is a Simple Object Access Protocol (SOAP) envelope.
  - 5. A method in accordance with claim 1, wherein the one or more roles is a single role.
  - 6. A method in accordance with claim 1, wherein the one or more roles is a plurality of roles.
  - 7. A method in accordance with claim 1, wherein the accessed security token is a SAML security token type security token.
  - 8. A method in accordance with claim 1, wherein the accessed security token is an XrML security token type security token.
  - 9. A method in accordance with claim 1, wherein the accessed security token is a X.509 certificate.
  - 10. A method in accordance with claim 1, wherein the accessed security token is a username/password type security token.
  - 11. A method in accordance with claim 1, wherein the accessed security token is a SecurityContextToken.
  - 12. A method in accordance with claim 1, wherein the accessed security token is a DerivedKeyToken.
  - 13. A method in accordance with claim 1, wherein the act of authorizing the requested service using the one or more roles correlated with the security token that is associated with the service request message that requests the service comprises the following:
    - an act of accessing a metadata expression of the conditions that must be met in order to receive the requested service, at least one of the conditions including an indication that the security token must be correlated with a particular role of the one or more roles.
  - 14. A method in accordance with claim 1, wherein the act of authorizing the requested service using the one or more roles correlated with the security token that is associated with the service request message that requests the service comprises the following:
    - an act of executing an executable object that conditions access to the requested object at least upon the condition that the security token must be correlated with a particular role of the one or more roles.
  - 15. A method in accordance with claim 1, wherein the service request message is a first service request message, the security token is a first security token of a first security token type, the one or more roles being a first set of one or more roles, the requested service being a first requested service, the method further comprising the following:
    - an act of receiving a second service request message over the network, the second service request message requesting a second service offered by the service providing computing system;
      
      an act of accessing a second security token associated with the second received service request message, the second security token being of a second security token type that is different than the first security token type;
      
      an act of identifying a second set of one or more roles that include the identity associated with the second security token;
      
      an act of correlating the second set of one or more identified roles with the second accessed security token; and
      
      an act of authorizing the requested service using the second set of one or more roles correlated with the second security token that is associated with the second service request message that requests the second requested service.
  - 16. A method in accordance with claim 15 , wherein the first requested service and the second requested service is the same requested service.
  - 17. A method in accordance with claim 1 , further comprising the following:
    - an act of providing the requested service.
  - 18. A method in accordance with claim 1, further comprising:
    - receiving a new security token with which the service providing computing system is unfamiliar;
      
      registering a new security token manager plug-in component with the service providing computing system;
      
      automatically notifying the new security token manager plug-in component of the security token types for which the new security token manager plug-in provides security services.

19. A computer program product for use in a network environment that includes a service providing computing system and a network connected to the service providing computing system, the service providing computing system offering one or more services, the network being capable of delivering to the service providing computing system a plurality of service request messages associated with diversified security token types, the computer program product for allowing the service providing computing system to perform end-to-end role-based authorization regardless of the security token type used, the one or more services using the security tokens being associated with the received service request messages despite the received service request messages having diversified security token types, the computer program product comprising one or more recordable-type computer-readable media having computer-executable instructions that, when executed by one or more processors of the service providing computing system, causes the service providing computing system to perform the following:
- an act of receiving a service request message over the network, the service request message requesting a specific service offered by the service providing computing system to authorized users, the service request including a security token of a designated security token type, the designated security token type comprising one of a plurality of selectable security token types, and a policy component corresponding to the designated security token type, the policy component comprising rules indicating how a message with the designated security token type is to be handled;
  
  an act of accessing the security token of the designated security token type associated with the received service request message;
  
  an act of accessing the rules of the corresponding policy component to determine how the received service request message with the security token of the designated security token type is to be handled;
  
  an act of identifying one or more roles associated with the security token, each role being associated with a plurality of users, the one or more roles indicating one or more specific authorized services available to identities associated with the role;
  
  an act of correlating the one or more identified roles with the accessed security token; and
  
  an act of authorizing the requested service based on the accessed rules of the corresponding policy component and on the one or more identified correlated roles associated with the identity.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35)
- - 20. A computer program product in accordance with claim 19, wherein the act of accessing a security token associated with the received service request message comprises the following:
    - an act of accessing the security token from the received service request message itself.
  - 21. A computer program product in accordance with claim 19, wherein the act of accessing a security token associated with the received service request message comprises the following:
    - an act of accessing a security token identification information from the received service request message; and
      
      an act of using the security token identification information to access the security token associated with the received service request message.
  - 22. A computer program product in accordance with claim 19, wherein the service request message is a Simple Object Access Protocol (SOAP) envelope.
  - 23. A computer program product in accordance with claim 19, wherein the one or more roles is a single role.
  - 24. A computer program product in accordance with claim 19, wherein the one or more roles is a plurality of roles.
  - 25. A computer program product in accordance with claim 19, wherein the accessed security token is a SAMIL security token type security token.
  - 26. A computer program product in accordance with claim 19, wherein the accessed security token is an XrML security token type security token.
  - 27. A computer program product in accordance with claim 19, wherein the accessed security token is a X.509 certificate.
  - 28. A computer program product in accordance with claim 19, wherein the accessed security token is a username/password type security token.
  - 29. A computer program product in accordance with claim 19, wherein the accessed security token is a SecurityContextToken.
  - 30. A computer program product in accordance with claim 19, wherein the accessed security token is a DerivedKeyToken.
  - 31. A computer program product in accordance with claim 19, wherein the act of authorizing the requested service using the one or more roles correlated with the security token that is associated with the service request message that requests the service comprises the following:
    - an act of accessing a metadata expression of the conditions that must be met in order to receive the requested service, at least one of the conditions including an indication that the security token must be correlated with a particular role of the one or more roles.
  - 32. A computer program product in accordance with claim 19, wherein the act of authorizing the requested service using the one or more roles correlated with the security token that is associated with the service request message that requests the service comprises the following:
    - an act of executing an executable object that conditions access to the requested object at least upon the condition that the security token must be correlated with a particular role of the one or more roles.
  - 33. A computer program product in accordance with claim 19, wherein the service request message is a first service request message, the security token is a first security token of a first security token type, the one or more roles being a first set of one or more roles, the requested service being a first requested service, the method further comprising the following in response to receiving a second service request message that requests a second service offered by the service providing computing system;
    - an act of accessing a second security token associated with the second received service request message, the second security token being of a second security token type that is different than the first security token type;
      
      an act of identifying a second set of one or more roles that include the identity associated with the second security token;
      
      an act of correlating the second set of one or more identified roles with the second accessed security token; and
      
      an act of authorizing the requested service using the second set of one or more roles correlated with the second security token that is associated with the second service request message that requests the second requested service.
  - 34. A computer program product in accordance with claim 33, wherein the first requested service and the second requested service is the same requested service.
  - 35. A computer program product in accordance with claim 19, the method further comprising the following:
    - an act of providing the requested service.

36. A computer system comprising the following:
- one or more processors;
  
  system memory;
  
  one or more recordable-type computer-readable media having thereon computer-executable instructions that, when executed by the one or more processors, causes the computing system to instantiate in system memory the following;
  
  a receiving module configured to receive a service request message over the network, the service request message requesting a specific service offered by the service providing computing system to authorized users, the service request including a security token of a designated security token type, the designated security token type comprising one of a plurality of selectable security token types, and a policy component corresponding to the designated security token type, the policy component comprising rules indicating how a message with the designated security token type is to be handled;
  
  a security token accessing module configured to access the security token of the designated security token type associated with the received service request message;
  
  a policy component rules accessing module configured to access the rules of the corresponding policy component to determine how the received service request message with the security token of the designated security token type is to be handled;
  
  a role identifying module configured to identify one or more roles associated with the security token, each role being associated with a plurality of users the one or more roles indicating one or more specific authorized services available to identities associated with the role;
  
  a role correlating module configured to correlate the one or more identified roles with the accessed security token; and
  
  a request service authorizing module configured to authorize the requested service based on the accessed rules of the corresponding policy component and on the one or more identified correlated roles associated with the identity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Wilson, Hervey O., Ballinger, Keith W., Mukherjee, Vick B., Ge, HongMei
Primary Examiner(s)
Song; Hosuk
Assistant Examiner(s)
Moran; Randal D

Application Number

US10/891,884
Publication Number

US 20060015933A1
Time in Patent Office

1,546 Days
Field of Search

713/172, 713/182, 713/185, 726/9, 726/10
US Class Current

726/10
CPC Class Codes

G06F 21/335   for accessing specific reso...

H04L 63/0823   using certificates cryptogr...

H04L 63/105   Multiple levels of security

Role-based authorization of network services using diversified security tokens

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

36 Claims

Specification

Solutions

Use Cases

Quick Links

Role-based authorization of network services using diversified security tokens

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

36 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links