Method and system for a runtime user account creation operation within a single-sign-on process in a federated computing environment

DC CAFC

US 7,631,346 B2
Filed: 04/01/2005
Issued: 12/08/2009
Est. Priority Date: 04/01/2005
Status: Active Grant

- Alert
- Pin

Associated Cases

Associated Defendants

First Claim

Patent Images

1. A method for managing user authentication within a distributed data processing system, wherein a first system and a second system interact within a federated computing environment and support single-sign-on operations in order to provide access to protected resources, at least one of the first system and the second system comprising a processor, the method comprising;

triggering a single-sign-on operation on behalf of the user in order to obtain access to a protected resource that is hosted by the second system, wherein the second system requires a user account for the user to complete the single-sign-on operation prior to providing access to the protected resource;

receiving from the first system at the second system an identifier associated with the user; and

creating a user account for the user at the second system based at least in part on the received identifier associated with the user after triggering the single-sign-on operation but before generating at the second system a response for accessing the protected resource, wherein the created user account supports single-sign-on operations between the first system and the second system on behalf of the user.

View all claims

1 Assignment

Timeline View

Assignment View

Litigations

7 Petitions

Accused Products

Abstract

A method, system, apparatus, and computer program product are presented to support computing systems of different enterprises that interact within a federated computing environment. Federated single-sign-on operations can be initiated at the computing systems of federation partners on behalf of a user even though the user has not established a user account at a federation partner prior to the initiation of the single-sign-on operation. For example, an identity provider can initiate a single-sign-on operation at a service provider while attempting to obtain access to a controlled resource on behalf of a user. When the service provider recognizes that it does not have a linked user account for the user that allows for a single-sign-on operation with the identity provider, the service provider creates a local user account. The service provider can also pull user attributes from the identity provider as necessary to perform the user account creation operation.

Citations

20 Claims

1. A method for managing user authentication within a distributed data processing system, wherein a first system and a second system interact within a federated computing environment and support single-sign-on operations in order to provide access to protected resources, at least one of the first system and the second system comprising a processor, the method comprising;
- triggering a single-sign-on operation on behalf of the user in order to obtain access to a protected resource that is hosted by the second system, wherein the second system requires a user account for the user to complete the single-sign-on operation prior to providing access to the protected resource;
  
  receiving from the first system at the second system an identifier associated with the user; and
  
  creating a user account for the user at the second system based at least in part on the received identifier associated with the user after triggering the single-sign-on operation but before generating at the second system a response for accessing the protected resource, wherein the created user account supports single-sign-on operations between the first system and the second system on behalf of the user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1 further comprising:
    - creating an alias identifier for the user at the first system after triggering the single-sign-on operation.
  - 3. The method of claim 1 further comprising:
    - sending a message from the second system to the first system to pull authentication information for the user from the first system to the second system in order to trigger the single-sign-on operation for the user at the second system.
  - 4. The method of claim 1 further comprising:
    - receiving a message from the first system at the second system to push authentication information for the user from the first system to the second system in order to trigger the single-sign-on operation for the user at the second system.
  - 5. The method of claim 1 further comprising:
    - in response to a determination at the second system that the second system does not have sufficient user attribute information to complete creation of a user account for the user at the second system, sending a request message from the second system to the first system to retrieve user attribute information; and
      
      receiving at the second system from the first system a response message that contains user attribute information that is employed by the second system to complete creation of a user account for the user at the second system.
  - 6. The method of claim 5 further comprising:
    - employing a front-channel information retrieval mechanism to obtain user attribute information.
  - 7. The method of claim 6 further comprising:
    - using HyperText Transport Protocol (HTTP) in the front-channel information retrieval mechanism.
  - 8. The method of claim 5 further comprising:
    - employing a back-channel information retrieval mechanism to obtain user attribute information.
  - 9. The method of claim 8 further comprising:
    - using Simple Object Access Protocol (SOAP) in the back-channel information retrieval mechanism.
  - 10. The method of claim 5 further comprising:
    - performing a preliminary user account creation operation to commence creation of the user account for the user prior to retrieving user attribute information for the user; and
      
      performing a concluding user account creation operation to complete creation of the user account for the user after retrieving user attribute information for the user.
  - 11. The method of claim 5 further comprising:
    - retrieving user attribute information from a fourth system by the first system.
  - 12. The method of claim 1 wherein the first system supports an identity provider and the second system supports a service provider.
  - 13. The method of claim 12 further comprising:
    - prompting the user by the service provider to provide or to select an identifier for the identity provider prior to receiving an identifier associated with the user.
  - 14. The method of claim 1 further comprising:
    - in response to a determination at the second system that the second system does not have sufficient user attribute information to complete creation of a user account for the user at the second system, sending a request message to a fourth system to retrieve user attribute information; and
      
      receiving at the second system from the fourth system a response message that contains user attribute information that is employed by the second system to complete creation of a user account for the user at the second system.

15. A computer program product on a computer-readable medium for managing user authentication within a data processing system, wherein a first system and a second system interact within a federated computing environment and support single-sign-on operations in order to provide access to protected resources, at least one of the first system and the second system comprising a processor, the computer program product holding computer program instructions which when executed by the data processing system perform a method comprising:
- triggering a single-sign-on operation on behalf of the user in order to obtain access to a protected resource that is hosted by the second system, wherein the second system requires a user account for the user to complete the single-sign-on operation prior to providing access to the protected resource;
  
  receiving from the first system at the second system an identifier associated with the user; and
  
  creating a user account for the user at the second system based at least in part on the received identifier associated with the user after triggering the single-sign-on operation but before generating at the second system a response for accessing the protected resource, wherein the created user account supports single-sign-on operations between the first system and the second system on behalf of the user.
- View Dependent Claims (16, 17)
- - 16. The computer program product of claim 15 wherein the method further comprises:
    - creating an alias identifier for the user at the first system after triggering the single-sign-on operation.
  - 17. The computer program product of claim 15 wherein the method further comprises:
    - sending a request message from the second system to the first system to retrieve user attribute information in response to a determination at the second system that the second system does not have sufficient user attribute information to complete creation of a user account for the user at the second system; and
      
      receiving at the second system from the first system a response message that contains user attribute information that is employed by the second system to complete creation of a user account for the user at the second system.

18. An apparatus for managing user authentication within a data processing system, wherein a first system and a second system interact within a federated computing environment and support single-sign-on operations in order to provide access to protected resources, at least one of the first system and the second system comprising a processor, the apparatus comprising:
- a processor;
  
  a computer memory holding computer program instructions which when executed by the processor perform a method comprising;
  
  triggering a single-sign-on operation on behalf of the user in order to obtain access to a protected resource that is hosted by the second system, wherein the second system requires a user account for the user to complete the single-sign-on operation prior to providing access to the protected resource;
  
  receiving from the first system at the second system an identifier associated with the user; and
  
  creating a user account for the user at the second system based at least in part on the received identifier associated with the user after triggering the single-sign-on operation but before generating at the second system a response for accessing the protected resource, wherein the created user account supports single-sign-on operations between the first system and the second system on behalf of the user.
- View Dependent Claims (19, 20)
- - 19. The apparatus of claim 18 wherein the method further comprises:
    - creating an alias identifier for the user at the first system after triggering the single-sign-on operation.
  - 20. The apparatus of claim 18 wherein the method further comprises:
    - sending a request message from the second system to the first system to retrieve user attribute information in response to a determination at the second system that the second system does not have sufficient user attribute information to complete creation of a user account for the user at the second system; and
      
      receiving at the second system from the first system a response message that contains user attribute information that is employed by the second system to complete creation of a user account for the user at the second system.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Weeden, Shane Bradley, Raghavan, Venkat, Milman, Ivan Matthew, Hinton, Heather Maria
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
RAHIM, MONJUR

Application Number

US11/097,587
Publication Number

US 20060236382A1
Time in Patent Office

1,712 Days
Field of Search

726/6, 726/5, 726/4, 726/8, 709/223, 709/229, 709/219, 713/202, 713/186, 713/169, 380/279, 715/500
US Class Current

726/8
CPC Class Codes

G06F 21/41 where a single sign-on prov...

H04L 63/0815 providing single-sign-on or...

Method and system for a runtime user account creation operation within a single-sign-on process in a federated computing environment

First Claim

1 Assignment

Litigations

7 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for a runtime user account creation operation within a single-sign-on process in a federated computing environment

First Claim

1 Assignment

Subscription Required

Subscription Required

Litigations

7 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links