Provisioning aggregated services in a distributed computing environment

US 7,603,469 B2
Filed: 01/15/2002
Issued: 10/13/2009
Est. Priority Date: 01/15/2002
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of provisioning an aggregated service in a computing network, comprising steps of:

obtaining credentials of a user who requests to access an aggregated service;

locating, in a network-accessible registry, a service description document specifying a provisioning interface for the aggregated service, the aggregated service comprising an aggregation of a plurality of sub-services and the provisioning interface specifying how to invoke identity functions of the aggregated service;

analyzing the obtained credentials by invoking one or more of the identity functions, according to the specification thereof in the provisioning interface, to determine whether the user is authenticated for, and/or is authorized for, accessing the aggregated service;

allowing the user to access the aggregated service only if the analyzing step has a successful result; and

programmatically relaying identity information obtained by invoking one or more of the identity functions among at least two of the sub-services of the aggregated service.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and computer program products are disclosed for provisioning software resources used with aggregated web services. The disclosed techniques enable heterogeneous identity systems to be joined in the dynamic, run-time web services integration environment. Authentication and authorization may now be performed for the aggregated service, as well as for its sub-services. SOAP (“Simple Object Access Protocol”) messages, as an example, may be used to relay identity information among distributed services, whereby credentials may be specified in the SOAP message header to accompany a service request specified in the SOAP message body.

85 Citations

View as Search Results

15 Claims

1. A computer-implemented method of provisioning an aggregated service in a computing network, comprising steps of:
- obtaining credentials of a user who requests to access an aggregated service;
  
  locating, in a network-accessible registry, a service description document specifying a provisioning interface for the aggregated service, the aggregated service comprising an aggregation of a plurality of sub-services and the provisioning interface specifying how to invoke identity functions of the aggregated service;
  
  analyzing the obtained credentials by invoking one or more of the identity functions, according to the specification thereof in the provisioning interface, to determine whether the user is authenticated for, and/or is authorized for, accessing the aggregated service;
  
  allowing the user to access the aggregated service only if the analyzing step has a successful result; and
  
  programmatically relaying identity information obtained by invoking one or more of the identity functions among at least two of the sub-services of the aggregated service.
- View Dependent Claims (2, 3, 4, 6, 7, 11, 12)
- - 2. The computer-implemented method according to claim 1, wherein an implementation of each of the identity functions of the aggregated service is provided by at least one of the sub-services.
  - 3. The computer-implemented method according to claim 1, wherein:
    - at least one of the sub-services has a local provisioning interface, the local provisioning interface specified in a corresponding service description document and comprising a specification of how to invoke one or more identity functions of the sub-service; and
      
      the identity functions in the provisioning interface of the aggregated service are selected from the local provisioning interfaces; and
      
      further comprising the step of;
      
      controlling access to each of the sub-services having the local provisioning interface, further comprising the steps of;
      
      determining whether the user is authenticated for, and/or authorized for, accessing the sub-service by invoking at least one of the one or more identity functions of the sub-service, according to the specification thereof in the local provisioning interface; and
      
      allowing the user to access the sub-service only if the determining step has a successful result.
  - 4. The computer-implemented method according to claim 3, wherein:
    - the step of obtaining credentials of the user also obtains sub-service credentials for at least one of the sub-services having the local provisioning interface; and
      
      the determining step uses the obtained sub-service credentials.
  - 6. The computer-implemented method according to claim 1, wherein the programmatic relaying comprises sending a message which specifies the identity information in a header of the message and which specifies a service request in a body of the message.
  - 7. The computer-implemented method according to claim 6, wherein the message is a SOAP (“
    - Simple Object Access Protocol”
      
      ) message.
  - 11. The method according to claim 1, wherein the identity information is initially obtained as a result of the analyzing step.
  - 12. The method according to claim 1, wherein the identity information comprises an authentication token generated by one of the invoked identity functions.

5. A computer-implemented method of provisioning an aggregated service in a computing network, comprising steps of:
- locating, in a network-accessible registry, a service description document specifying a provisioning interface for an aggregated service, the aggregated service comprising an aggregation of a plurality of sub-services and the provisioning interface specifying how to invoke identity functions of the aggregated service, wherein one or more operations of at least one of the sub-services is access-protected;
  
  obtaining, for at least one of the access-protected operations, operation-specific credentials of a user who requests to access the aggregated service; and
  
  controlling access to each of at least one of the access-protected operations, further comprising the steps of;
  
  analyzing the obtained operation-specific credentials by invoking one of more of the identity functions, according to the specification thereof in the provisioning interface, to determine whether the user can access the access-protected operation; and
  
  allowing the user to access the access-protected operation only if the step of analyzing the obtained operation-specific credentials determines that the user can access the access-protected operation.
- View Dependent Claims (8)
- - 8. The computer-implemented method according to claim 5, wherein the service description document in the network-accessible registry is located using standardized messages.

9. A system for provisioning an aggregated service in a computing network, comprising:
- means for obtaining credentials of a user who requests to access an aggregated service;
  
  means for locating, in a network-accessible registry, a service description document specifying a provisioning interface for the aggregated service, the aggregated service comprising an aggregation of a plurality of sub-services and the provisioning interface specifying how to invoke identity functions of the aggregated service, wherein the service description document is specified in a Web Services Description Language (“
  
  WSDL”
  
  ) markup language;
  
  means for analyzing the obtained credentials by invoking one or more of the identity functions, according to the specification thereof in the provisioning interface, to determine whether the user is authenticated for, and/or is authorized for, accessing the aggregated service; and
  
  means for allowing the user to access the aggregated service only if the means for analyzing has a successful result.

10. A computer program product for provisioning an aggregated service in a computing network, the computer program product embodied on one or more computer-readable media and comprising:
- computer-readable program code for obtaining credentials of a user who requests to access an aggregated service;
  
  computer-readable program code for locating, in a network-accessible registry, a service description document specifying a provisioning interface for the aggregated service, the aggregated service comprising an aggregation of a plurality of sub-services and the provisioning interface specifying how to invoke identity functions of the aggregated service;
  
  computer-readable program code for analyzing the obtained credentials by invoking one or more of the identity functions, according to the specification thereof in the provisioning interface, to determine whether the user is authenticated for, and/or is authorized for, accessing the aggregated service, wherein an implementation of at least one of the sub-services is located dynamically, at run-time; and
  
  computer-readable program code for allowing the user to access the aggregated service only if the computer-readable program code for analyzing has a successful result.

13. A computer-implemented method for provisioning an aggregated service in a computing network, comprising steps of:
- obtaining credentials of a user who requests to access an aggregated service;
  
  locating, in a network-accessible registry, a service description document specifying a provisioning interface for the aggregated service, the aggregated service comprising an aggregation of a plurality of sub-services and the provisioning interface specifying how to invoke identity functions of the aggregated service, wherein;
  
  at least two of the sub-services each have associated therewith an identity system for access control thereto;
  
  at least two of the associated identity systems are heterogeneous; and
  
  at least one selected one of the identity functions of the aggregated service enables dynamically joining at least two of the heterogeneous identity systems;
  
  analyzing the obtained credentials by invoking one or more of the identity functions, according to the specification thereof in the provisioning interface, to determine whether the user is authenticated for, and/or is authorized for, accessing the aggregated service; and
  
  allowing the user to access the aggregated service only if the analyzing step determines that the user is authenticated for, and/or is authorized for, accessing the aggregated service.
- View Dependent Claims (14, 15)
- - 14. The method according to claim 13, wherein the at least one selected identity function, upon invocation, identifies the identity system that stores information pertaining to users of the sub-service with which that identity system is associated.
  - 15. The method according to claim 14, wherein the dynamic joining is enabled by relaying the identification of the identity system among the dynamically-joined identity systems.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Fletcher, James C., Lindquist, David B., Wanderski, Michael C., Wesley, Ajamu A.
Primary Examiner(s)
JEAN GILLES, JUDE

Application Number

US10/047,811
Publication Number

US 20030135628A1
Time in Patent Office

2,828 Days
Field of Search

709/229, 709/202, 709/220, 709/328, 709/201, 709/217, 709/224, 709/227, 709/242, 709/225, 709/206, 707/10, 705/10, 705/57
US Class Current

709/229
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/0815   providing single-sign-on or...

H04L 63/083   using passwords cryptograph...

H04L 63/102   Entity profiles

H04L 67/02   based on web technology, e....

H04L 67/51   Discovery or management the...

H04L 69/329   in the application layer [O...

H04L 9/40   Network security protocols

Provisioning aggregated services in a distributed computing environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

85 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Provisioning aggregated services in a distributed computing environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

85 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links