Techniques for dynamically establishing and managing authentication and trust relationships

US 7,552,468 B2
Filed: 08/24/2007
Issued: 06/23/2009
Est. Priority Date: 09/30/2003
Status: Active Grant

First Claim

Patent Images

1. A method for authenticating a principal implemented in a computer-readable medium and to process on a device for performing the method, comprising:

receiving an access request from a first principal for access to a second principal, wherein the first principal makes the access request via a client device over a network, and wherein the first principal is a user and the second principal is an application that processes on another device of the network;

evaluating a contract to acquire a credential for the first principal; and

transmitting the credential to the first principal for use in interacting with the second principal over the network, wherein the credential includes authentication information, aggregated attributes and aggregated policies for use by the first principal in interacting with the second principal, and wherein the contract identifies identifier information for the first principal and an authentication technique for the first principal to authenticate to the second principal, and wherein the contract includes directives that permit attribute information and policies of the first principal to be assembled from a variety of data stores, and wherein the contract is a specification that indicates how, via the authentication technique, the first principal is to be authenticated to the second principal for a given situation and the contract provides a mechanism, via the directives, for assembling the attribute information and the policies needed for interactions between the first principal and second principal in the given situation, and the contact includes a global policy statement that restricts how the contract is used by the first principal when accessing other principals from predefined locations.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are provided for dynamically establishing and managing authentication and trust relationships. An identity service acquires and evaluates contracts associated with relationships between principals. The contracts permit the identity service to assemble authentication information, aggregated attributes, and aggregated policies which will drive and define the various relationships. That assembled information is consumed by the principals during interactions with one another and constrains those interactions. In some embodiments, the constraints are dynamically modified during on-going interactions between the principals.

133 Citations

View as Search Results

15 Claims

1. A method for authenticating a principal implemented in a computer-readable medium and to process on a device for performing the method, comprising:
- receiving an access request from a first principal for access to a second principal, wherein the first principal makes the access request via a client device over a network, and wherein the first principal is a user and the second principal is an application that processes on another device of the network;
  
  evaluating a contract to acquire a credential for the first principal; and
  
  transmitting the credential to the first principal for use in interacting with the second principal over the network, wherein the credential includes authentication information, aggregated attributes and aggregated policies for use by the first principal in interacting with the second principal, and wherein the contract identifies identifier information for the first principal and an authentication technique for the first principal to authenticate to the second principal, and wherein the contract includes directives that permit attribute information and policies of the first principal to be assembled from a variety of data stores, and wherein the contract is a specification that indicates how, via the authentication technique, the first principal is to be authenticated to the second principal for a given situation and the contract provides a mechanism, via the directives, for assembling the attribute information and the policies needed for interactions between the first principal and second principal in the given situation, and the contact includes a global policy statement that restricts how the contract is used by the first principal when accessing other principals from predefined locations.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1 further comprising determining if the first principal is authenticated based on the contract and if the first principal is not authenticated establishing an authentication session with the first principal to properly authenticate the first principal based on the contract.
  - 3. The method of claim 1 further comprising:
    - receiving an additional access request from the first principal for access to a third principal;
      
      evaluating a new contract to acquire a second credential for the first principal; and
      
      transmitting the second credential to the first principal for use in interacting with the third principal.
  - 4. The method of claim 1 further comprising removing the contract or revoking the credential when an expiring event is detected during a session with the first principal.
  - 5. The method of claim 1 further comprising:
    - receiving a new request from a third principal, wherein the new request desires attribute information associated with the first principal;
      
      acquiring a new contract for the third principal;
      
      evaluating the new contract to acquire a new credential for the third principal; and
      
      transmitting the new credential to the third principal for use in authenticating and interacting with the first principal to acquire the attribute information.
  - 6. The method of claim 1 further comprising:
    - receiving a modification to the contract from the first principal;
      
      determining if the modification is permissible according to the contract;
      
      updating the contract if the modification is permissible;
      
      deriving a modified credential from the contract; and
      
      transmitting the modified credential to the first principal for use in interacting with the second principal.

7. A method for authenticating a principal implemented in a computer-readable medium and to process on a device to perform the method, comprising:
- receiving first requests from a first principal to interact with one or more different principals, wherein the requests are made by the first principal via a client device and provided over a network and wherein the first principal is a user of the client device and the one or more different principals are applications that process on other devices of the network;
  
  acquiring first contracts for the first principal, wherein each first contract is associated with a different one of the one or more different principals;
  
  acquiring a second contract for each of the one or more different principals;
  
  selectively assembling and transmitting first credentials for the first requests for use by the first principal in interacting with the one or more different principals; and
  
  selectively assembling and transmitting second credentials for other requests associated with and used by the one or more different principals when interacting with the first principal or when interacting with different ones of the one or more different principals, and wherein the first and second contracts include identifier information for the first and second principals, respectively, and also include authentication techniques for the first and second principals to authenticate to one another, and wherein the first and second contracts further include directives for aggregating attributes and policies from a variety of data stores for each of the principals, and wherein each contract is a specification indicating specific authentication information, the authentication techniques, and the directives that indicate how the aggregated attributes and the policies are to be acquired for a particular contract, and wherein evaluation of each contract is done for a particular interaction between the first principal and one of the second principals and produces a particular set of credentials.
- View Dependent Claims (8, 9, 10)
- - 8. The method of claim 7 further comprising:
    - receiving modifications to one or more of the first contracts from the first principal or from one or more of the one or more different principals;
      
      selectively assembling and transmitting modified first credentials to the first principal based on the modifications.
  - 9. The method of claim 7 further comprising:
    - receiving modifications to one or more of the second contracts from the first principal or from the one or more of the one or more different principals;
      
      selectively assembling and transmitting modified second credentials to the one or more different principals affected by the modifications.
  - 10. The method of claim 7 further comprising:
    - detecting an event that renders one or more of the first or second contracts stale; and
      
      revoking one or more of the first or second credentials which are affected by the event.

11. A principal authentication system implemented in a computer-readable medium and process on devices of a network, comprising:
- a first principal service that processes on a client device of the first principal;
  
  a second principal service that processes on a client device of the second principal; and
  
  an identity service that processes on a different device of the network, wherein the identity service acquires and manages a first contract on behalf of the first principal service and a second contract on behalf of the second principal service, and wherein the identity service provides a first credential to the first principal service and a second credential to the second principal service, the credentials used by the first principal service and the second principal service to interact with one another, and wherein the first and second contracts identify identifier information and authentication techniques for the first and second principals, respectively, and wherein the first and second contracts include directives to aggregate attributes and policies for each of the first and second principals from a variety of data stores, and wherein each contract is a specification indicating specific authentication information, the authentication techniques, and the directives that indicate how the aggregated attributes and the policies are to be acquired for a particular contract, and wherein evaluation of each contract is done for a particular interaction between the first principal and the second principals and produces a particular credential.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The principal authentication system of claim 11 wherein the first or the second credential is dynamically modified by the identity service and communicated to the affected principal service.
  - 13. The principal authentication system of claim 12 wherein the dynamic modification to the first or the second credential is driven by modifications received from the first principal service or the second principal service.
  - 14. The principal authentication system of claim 12 wherein the dynamic modification to the first or the second credential is driven by modifications received from a third principal service authorized to provide the dynamic modification.
  - 15. The principal authentication system of claim 11 wherein the identity service includes alias identity information in at least one of the first and the second credentials.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Novell Incorporated (Open Text Corporation)
Inventors
Ward, Robert Mark, Carter, Stephen R, Burch, Lloyd Leon, Earl, Douglas G.
Primary Examiner(s)
Sheikh; Ayaz R
Assistant Examiner(s)
CHEN, SHIN HON

Application Number

US11/844,532
Publication Number

US 20070294750A1
Time in Patent Office

669 Days
Field of Search

726/5, 705/37, 380/25, 380/28, 380/9, 709/223, 709/224.2, 713/150, 713/156
US Class Current

726/5
CPC Class Codes

G06Q 40/04 Trading; Exchange, e.g. sto...

H04L 63/0815 providing single-sign-on or...

Techniques for dynamically establishing and managing authentication and trust relationships

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

133 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Techniques for dynamically establishing and managing authentication and trust relationships

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

133 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links