Federated identity brokering

US 7,581,248 B2
Filed: 06/28/2004
Issued: 08/25/2009
Est. Priority Date: 06/28/2004
Status: Expired due to Fees

First Claim

Patent Images

1. A federated identity brokering method, within a gateway service/proxy, comprising the steps of:

intercepting a service request from a service requestor targeting a specific logical service;

comparing a security credential associated with said service request to credential requirements specified by said specific logical service;

modifying said security credential to comport with said credential requirements; and

,routing said intercepted service request with said modified security credential to said specific logical service, whereinsaid gateway service/proxy is disposed in a demilitarized zone, andsaid specific logical service disposed in a private network domain.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, system and apparatus for federated identity brokering. In accordance with the present invention, a credential processing gateway can be disposed between one or more logical services and one or more service requesting clients in a computer communications network. Acting as a proxy and a trusted authority to the logical services, the credential processing gateway can map the credentials of the service requesting clients to the certification requirements of the logical services. In this way, the credential processing gateway can act as a federated identity broker in providing identity certification services for a multitude of different service requesting clients without requiring the logical services to include a pre-configuration for specifically processing the credentials of particular service requesting clients.

Citations

16 Claims

1. A federated identity brokering method, within a gateway service/proxy, comprising the steps of:
- intercepting a service request from a service requestor targeting a specific logical service;
  
  comparing a security credential associated with said service request to credential requirements specified by said specific logical service;
  
  modifying said security credential to comport with said credential requirements; and
  
  ,routing said intercepted service request with said modified security credential to said specific logical service, whereinsaid gateway service/proxy is disposed in a demilitarized zone, andsaid specific logical service disposed in a private network domain.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein said intercepting step comprises the steps of:
    - retrieving an original service description for said specific logical service from a privately accessible registry disposed in the private network domain;
      
      expanding said original service description to include broader credential requirements;
      
      changing a service address in said expanded service description for said specific logical service to specify a proxy to said specific logical service for performing said comparing, modifying and routing steps; and
      
      ,publishing said expanded service description to a publicly accessible service registry, whereinsaid expanded service description is exposed for access by said service requestor.
  - 3. The method of claim 1, wherein said comparing step comprises the step of comparing a digital signature applied to said service request with a list of digital signatures accepted by said specific logical service.
  - 4. The method of claim 1, wherein said comparing step comprises the step of comparing an encryption scheme applied to said service request with a list of encryption schemes accepted by said specific logical service.
  - 5. The method of claim 1, wherein said comparing step comprises the step of comparing an authorization associated with said service request with a list of authorizations required by said specific logical service.
  - 6. The method of claim 3, wherein said modifying step comprises the steps of:
    - validating an incoming digital signature with a certifying authority not trusted by said logical service; and
      
      ,asserting a digital signature for said service request using a certifying authority which is trusted by said logical service.

7. A federated identity brokering system comprising:
- a gateway service/proxy configured for communicative coupling to a plurality of logical services and a plurality of service requestors;
  
  a private service description repository communicatively coupled to said gateway service/proxy and to said logical services and storing a plurality original endpoint service descriptions for said logical services, each of said original endpoint service descriptions indicating credential requirements for corresponding ones of said logical services; and
  
  ,a public service description repository communicatively coupled to said service requestors and said gateway service/proxy and storing expanded versions of said original endpoint service descriptions for said logical services, whereinsaid gateway service/proxy is disposed in a demilitarized zone, said logical services and said private service description repository are disposed in a private network domain, and wherein said public service description is exposed for access by said service requestors.
- View Dependent Claims (8, 9, 10)
- - 8. The system of claim 7, wherein said logical services are Web services.
  - 9. The system of claim 7, wherein said credentials specify at least one of a security assertion, a digital signature, an encryption scheme, and a security authorization.
  - 10. The system of claim 7, wherein said original endpoint service descriptions are formatted according to one of the Web services endpoint language (WSEL) and WS-Policy.

11. A machine readable storage having stored thereon a computer program for federated identity brokering, within a gateway service/proxy, the computer program comprising a routine set of instructions which when executed by a machine cause the machine to perform the steps of:
- intercepting a service request from a service requestor targeting a specific logical service;
  
  comparing a security credential associated with said service request to credential requirements specified by said specific logical service;
  
  modifying said security credential to comport with said credential requirements; and
  
  ,routing said intercepted service request with said modified security credential to said specific logical service, whereinsaid gateway service/proxy is disposed in a demilitarized zone, andsaid specific logical service disposed in a private network domain.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The machine readable storage of claim 11, wherein said intercepting step comprises the steps of:
    - retrieving an original service description for said specific logical service from a privately accessible registry disposed in the private network domain;
      
      expanding said original service description to include broader credential requirements;
      
      changing a service address in said expanded service description for said specific logical service to specify a proxy to said specific logical service for performing said comparing, modifying and routing steps; and
      
      ,publishing said expanded service description to a publicly accessible service registry, whereinsaid expanded service description is exposed for access by said service requestor.
  - 13. The machine readable storage of claim 11, wherein said comparing step comprises the step of comparing a digital signature applied to said service request with a list of digital signatures accepted by said specific logical service.
  - 14. The machine readable storage of claim 11, wherein said comparing step comprises the step of comparing an encryption scheme applied to said service request with a list of encryption schemes accepted by said specific logical service.
  - 15. The machine readable storage of claim 11, wherein said comparing step comprises the step of comparing an authorization associated with said service request with a list of authorizations required by said specific logical service.
  - 16. The machine readable storage of claim 13, wherein said modifying step comprises the steps of:
    - validating an incoming digital signature with a certifying authority not trusted by said logical service; and
      
      ,asserting a digital signature for said service request using a certifying authority which is trusted by said logical service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Nadalin, Anthony, Atkins, Barry D., Melgar, David O., Wesley, Ajamu A.
Primary Examiner(s)
Barron, Jr.; Gilberto
Assistant Examiner(s)
PERUNGAVOOR, VENKATANARAY

Application Number

US10/878,855
Publication Number

US 20060021010A1
Time in Patent Office

1,884 Days
Field of Search

726/12, 726 17- 21, 726/26
US Class Current

726/18
CPC Class Codes

H04L 63/0823 using certificates cryptogr...

H04L 9/40 Network security protocols

Federated identity brokering

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Federated identity brokering

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links