Techniques for dynamically establishing and managing authentication and trust relationships
First Claim

1. A method for authenticating a principal implemented in a computer-readable medium and to process on a device for performing the method, comprising:

receiving an access request from a first principal for access to a second principal, wherein the first principal makes the access request via a client device over a network, and wherein the first principal is a user and the second principal is an application that processes on another device of the network;

evaluating a contract to acquire a credential for the first principal; and

transmitting the credential to the first principal for use in interacting with the second principal over the network, wherein the credential includes authentication information, aggregated attributes and aggregated policies for use by the first principal in interacting with the second principal, and wherein the contract identifies identifier information for the first principal and an authentication technique for the first principal to authenticate to the second principal, and wherein the contract includes directives that permit attribute information and policies of the first principal to be assembled from a variety of data stores, and wherein the contract is a specification that indicates how, via the authentication technique, the first principal is to be authenticated to the second principal for a given situation and the contract provides a mechanism, via the directives, for assembling the attribute information and the policies needed for interactions between the first principal and second principal in the given situation, and the contract includes a global policy statement that restricts how the contract is used by the first principal when accessing other principals from predefined locations.
Abstract
Techniques are provided for dynamically establishing and managing authentication and trust relationships. An identity service acquires and evaluates contracts associated with relationships between principals. The contracts permit the identity service to assemble authentication information, aggregated attributes, and aggregated policies which will drive and define the various relationships. That assembled information is consumed by the principals during interactions with one another and constrains those interactions. In some embodiments, the constraints are dynamically modified during on-going interactions between the principals.
15 Claims
1. (Claim 1 is reproduced in full under First Claim above.) Dependent claims: 2, 3, 4, 5, 6.
7. A method for authenticating a principal implemented in a computer-readable medium and to process on a device to perform the method, comprising:

receiving first requests from a first principal to interact with one or more different principals, wherein the requests are made by the first principal via a client device and provided over a network and wherein the first principal is a user of the client device and the one or more different principals are applications that process on other devices of the network;

acquiring first contracts for the first principal, wherein each first contract is associated with a different one of the one or more different principals;

acquiring a second contract for each of the one or more different principals;

selectively assembling and transmitting first credentials for the first requests for use by the first principal in interacting with the one or more different principals; and

selectively assembling and transmitting second credentials for other requests associated with and used by the one or more different principals when interacting with the first principal or when interacting with different ones of the one or more different principals,

and wherein the first and second contracts include identifier information for the first and second principals, respectively, and also include authentication techniques for the first and second principals to authenticate to one another, and wherein the first and second contracts further include directives for aggregating attributes and policies from a variety of data stores for each of the principals, and wherein each contract is a specification indicating specific authentication information, the authentication techniques, and the directives that indicate how the aggregated attributes and the policies are to be acquired for a particular contract, and wherein evaluation of each contract is done for a particular interaction between the first principal and one of the second principals and produces a particular set of credentials.

Dependent claims: 8, 9, 10.
11. A principal authentication system implemented in a computer-readable medium and process on devices of a network, comprising:

a first principal service that processes on a client device of the first principal;

a second principal service that processes on a client device of the second principal; and

an identity service that processes on a different device of the network, wherein the identity service acquires and manages a first contract on behalf of the first principal service and a second contract on behalf of the second principal service, and wherein the identity service provides a first credential to the first principal service and a second credential to the second principal service, the credentials used by the first principal service and the second principal service to interact with one another,

and wherein the first and second contracts identify identifier information and authentication techniques for the first and second principals, respectively, and wherein the first and second contracts include directives to aggregate attributes and policies for each of the first and second principals from a variety of data stores, and wherein each contract is a specification indicating specific authentication information, the authentication techniques, and the directives that indicate how the aggregated attributes and the policies are to be acquired for a particular contract, and wherein evaluation of each contract is done for a particular interaction between the first principal and the second principals and produces a particular credential.

Dependent claims: 12, 13, 14, 15.
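The claims above describe a contract as a specification with four parts: identifier information, an authentication technique, directives for pulling attributes and policies from several data stores, and a global policy statement restricting where the contract may be used. The following toy identity service, added here as an illustration and not code from the patent or its assignee, shows how such a contract can be evaluated for one interaction to produce an aggregated credential. Every name in it (the `Contract` and `Credential` classes, the in-memory HR, directory, policy and password stores, the `evaluate_contract` function, the location model) is an assumption made for the example; the global policy statement is simplified to a set of locations from which the credential may be requested at all.

```python
"""Toy identity service: evaluate a contract, assemble a credential.

All stores, names and sample records below are constructed for the example.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed data stores that the contract's directives may draw from.
HR_STORE = {"alice": {"department": "finance", "role": "analyst"}}
DIRECTORY_STORE = {"alice": {"email": "alice@example.test", "groups": ["ledger-readers"]}}
POLICY_STORE = {
    "finance": ["ledger:read"],
    "ledger-readers": ["ledger:read", "ledger:export"],
}
ATTRIBUTE_STORES = {"hr": HR_STORE, "directory": DIRECTORY_STORE}

# Constructed verifier for the "password" technique. A fixed salt and a single
# SHA-256 stand in for a real password hash; they are not a recommendation.
_SALT = b"example-salt:"
PASSWORD_STORE = {"alice": hashlib.sha256(_SALT + b"correct horse").hexdigest()}


@dataclass
class Contract:
    principal_id: str            # identifier information for the first principal
    target: str                  # the second principal (an application)
    auth_technique: str          # how the principal authenticates, e.g. "password"
    attribute_directives: list   # which data stores to aggregate attributes from
    policy_directives: list      # which attribute keys select policies
    allowed_locations: set       # global policy statement: where the contract may be used


@dataclass
class Credential:
    principal_id: str
    target: str
    authenticated_by: str
    attributes: dict
    policies: list
    allowed_locations: set


class ContractError(Exception):
    """Raised when a contract cannot be satisfied for this interaction."""


def authenticate(contract, proof):
    """Apply the contract's authentication technique to the presented proof."""
    if contract.auth_technique == "password":
        stored = PASSWORD_STORE.get(contract.principal_id)
        presented = hashlib.sha256(_SALT + proof.encode()).hexdigest()
        # Constant-time compare; an unknown principal fails the same way.
        if stored is None or not hmac.compare_digest(stored, presented):
            raise ContractError("authentication failed")
        return "password"
    raise ContractError(f"unsupported technique {contract.auth_technique!r}")


def aggregate_attributes(contract):
    """Follow the attribute directives across the named stores."""
    attrs = {}
    for store_name in contract.attribute_directives:
        store = ATTRIBUTE_STORES[store_name]
        attrs.update(store.get(contract.principal_id, {}))
    return attrs


def aggregate_policies(contract, attrs):
    """Map the selected attribute values to policies, preserving order, no duplicates."""
    policies = []
    for key in contract.policy_directives:
        values = attrs.get(key, [])
        if isinstance(values, str):
            values = [values]
        for value in values:
            for policy in POLICY_STORE.get(value, []):
                if policy not in policies:
                    policies.append(policy)
    return policies


def evaluate_contract(contract, proof, location):
    """Evaluate the contract for one interaction and return a Credential.

    The global policy statement is checked first: a request from a location
    the contract does not permit yields no credential at all, so no
    attributes or policies are ever assembled for it.
    """
    if location not in contract.allowed_locations:
        raise ContractError(f"contract may not be used from {location!r}")
    technique = authenticate(contract, proof)
    attrs = aggregate_attributes(contract)
    policies = aggregate_policies(contract, attrs)
    return Credential(contract.principal_id, contract.target, technique,
                      attrs, policies, set(contract.allowed_locations))


if __name__ == "__main__":
    contract = Contract("alice", "ledger-app", "password",
                        ["hr", "directory"], ["department", "groups"], {"corp-lan"})
    cred = evaluate_contract(contract, "correct horse", "corp-lan")
    print(cred.attributes, cred.policies)
```

The order of checks matters for the relying application: the location restriction and the authentication technique gate the assembly step, so a credential that exists at all already carries the attributes and policies the contract called for, and the application can treat the credential's policy list as authoritative for that one interaction rather than re-querying the data stores itself.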