Method and system for identity provider migration using federated single-sign-on operation

US 7,657,639 B2
Filed: 07/21/2006
Issued: 02/02/2010
Est. Priority Date: 07/21/2006
Status: Active Grant

First Claim

Patent Images

1. A method for operating a federated computational environment, wherein a first user account for a user is managed at a first identity provider, wherein a second user account for the user is managed at a second identity provider, wherein a third user account for the user is managed at a service provider, wherein the first identity provider, the second identity provider, and the service provider operate within the federated computational environment, the computer-implemented method comprising:

receiving at the service provider a request to access by the user a protected resource that is managed by the service provider;

performing, after receiving the request to access the protected resource, a federated single-sign-on operation for the user between the service provider and the first identity provider;

modifying, prior to sending a response to the request to access the protected resource, information in the third user account to indicate that the service provider relies upon the second identity provider to authenticate the user on behalf of the service provider rather than the first identity provider; and

sending a response for the request to access the protected resource.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is presented for performing an identity provider migration operation with respect to a user within a federated computational environment, wherein the user has a first user account at a first identity provider, a second user account at a second identity provider, and a third user account at a service provider. A request to access a resource is received by the service provider, after which a federated single-sign-on operation for the user is performed between the service provider and the first identity provider. Prior to sending a response to the request to access the protected resource, information in the third user account is modified to indicate that the service provider relies upon the second identity provider to authenticate the user on behalf of the service provider rather than the first identity provider. A response for the request to access the resource is then returned by the service provider.

116 Citations

45 Claims

1. A method for operating a federated computational environment, wherein a first user account for a user is managed at a first identity provider, wherein a second user account for the user is managed at a second identity provider, wherein a third user account for the user is managed at a service provider, wherein the first identity provider, the second identity provider, and the service provider operate within the federated computational environment, the computer-implemented method comprising:
- receiving at the service provider a request to access by the user a protected resource that is managed by the service provider;
  
  performing, after receiving the request to access the protected resource, a federated single-sign-on operation for the user between the service provider and the first identity provider;
  
  modifying, prior to sending a response to the request to access the protected resource, information in the third user account to indicate that the service provider relies upon the second identity provider to authenticate the user on behalf of the service provider rather than the first identity provider; and
  
  sending a response for the request to access the protected resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1 further comprising:
    - triggering the request for the protected resource by a direct request from the user to the service provider.
  - 3. The method of claim 1 further comprising:
    - triggering the request for the protected resource by an indirect request from the user to the second identity provider.
  - 4. The method of claim 1 further comprising:
    - establishing, prior to receiving the request to access the protected resource, a first alias identifier for the user between the first identity provider and the service provider to link the first user account and the third user account.
  - 5. The method of claim 4 further comprising:
    - establishing, after receiving the request to access the protected resource and prior to sending the response to the request to access the protected resource, a second alias identifier for the user between the second identity provider and the service provider to link the second user account and the third user account.
  - 6. The method of claim 5 further comprising:
    - employing by the service provider the second alias identifier for the user in place of the first alias identifier during federated single-sign-on operations.
  - 7. The method of claim 5 further comprising:
    - replacing by the service provider an alias mapping for the user.
  - 8. The method of claim 5 further comprising:
    - replacing by the service provider an alias mapping for the user during the federated single-sign-on operation.
  - 9. The method of claim 1 further comprising:
    - extracting by the service provider identifying information for the first identity provider from a cookie in order to determine by the service provider to use the first identity provider to perform the federated single-sign-on operation for the user.
  - 10. The method of claim 1 further comprising:
    - prompting the user by the service provider to obtain identifying information for the first identity provider in order to determine by the service provider to use the first identity provider to perform the federated single-sign-on operation for the user.
  - 11. The method of claim 1 further comprising:
    - modifying, prior to receiving at the service provider the request to access the protected resource, information in the first user account to indicate that operations with respect to the first user account are restricted until the user completes an identity provider migration operation.
  - 12. The method of claim 1 further comprising:
    - modifying, after receiving at the service provider the request to access the protected resource and prior to sending by the service provider the response to the request to access the protected resource, information in the first user account to indicate that the user has completed an identity provider migration operation with respect to the service provider.
  - 13. The method of claim 1 further comprising:
    - modifying, after receiving at the service provider the request to access the protected resource and prior to sending by the service provider the response to the request to access the protected resource, information in the first user account to indicate that the first user account is deactivated.
  - 14. The method of claim 1 further comprising:
    - prompting, after receiving at the service provider the request to access the protected resource and prior to sending by the service provider the response to the request to access the protected resource, the user by the first identity provider to obtain identifying information for the second identity provider in order to determine an identity of the second identity provider to perform the federated single-sign-on operation for the user.
  - 15. The method of claim 1 further comprising:
    - prompting, after receiving at the service provider the request to access the protected resource and prior to sending by the service provider the response to the request to access the protected resource, the user by the service provider to obtain identifying information for the second identity provider in order to determine an identity of the second identity provider to perform the federated single-sign-on operation for the user.

16. A computer program product on a computer readable storage medium for use in a data processing system for operating a federated computational environment, wherein a first user account for a user is managed at a first identity provider, wherein a second user account for the user is managed at a second identity provider, wherein a third user account for the user is managed at a service provider, wherein the first identity provider, the second identity provider, and the service provider operate within the federated computational environment, the computer program product comprising:
- instructions for receiving at the service provider a request to access by the user a protected resource that is managed by the service provider;
  
  instructions for performing, after receiving the request to access the protected resource, a federated single-sign-on operation for the user between the service provider and the first identity provider;
  
  instructions for modifying, prior to sending a response to the request to access the protected resource, information in the third user account to indicate that the service provider relies upon the second identity provider to authenticate the user on behalf of the service provider rather than the first identity provider; and
  
  instructions for sending a response for the request to access the protected resource.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 17. The computer program product of claim 16 further comprising:
    - instructions for triggering the request for the protected resource by a direct request from the user to the service provider.
  - 18. The computer program product of claim 16 further comprising:
    - instructions for triggering the request for the protected resource by an indirect request from the user to the second identity provider.
  - 19. The computer program product of claim 16 further comprising:
    - instructions for establishing, prior to receiving the request to access the protected resource, a first alias identifier for the user between the first identity provider and the service provider to link the first user account and the third user account.
  - 20. The computer program product of claim 19 further comprising:
    - instructions for establishing, after receiving the request to access the protected resource and prior to sending the response to the request to access the protected resource, a second alias identifier for the user between the second identity provider and the service provider to link the second user account and the third user account.
  - 21. The computer program product of claim 20 further comprising:
    - instructions for employing by the service provider the second alias identifier for the user in place of the first alias identifier during federated single-sign-on operations.
  - 22. The computer program product of claim 20 further comprising:
    - instructions for replacing by the service provider an alias mapping for the user.
  - 23. The computer program product of claim 20 further comprising:
    - instructions for replacing by the service provider an alias mapping for the user during the federated single-sign-on operation.
  - 24. The computer program product of claim 16 further comprising:
    - instructions for extracting by the service provider identifying information for the first identity provider from a cookie in order to determine by the service provider to use the first identity provider to perform the federated single-sign-on operation for the user.
  - 25. The computer program product of claim 16 further comprising:
    - instructions for prompting the user by the service provider to obtain identifying information for the first identity provider in order to determine by the service provider to use the first identity provider to perform the federated single-sign-on operation for the user.
  - 26. The computer program product of claim 16 further comprising:
    - instructions for modifying, prior to receiving at the service provider the request to access the protected resource, information in the first user account to indicate that operations with respect to the first user account are restricted until the user completes an identity provider migration operation.
  - 27. The computer program product of claim 16 further comprising:
    - instructions for modifying, after receiving at the service provider the request to access the protected resource and prior to sending by the service provider the response to the request to access the protected resource, information in the first user account to indicate that the user has completed an identity provider migration operation with respect to the service provider.
  - 28. The computer program product of claim 16 further comprising:
    - instructions for modifying, after receiving at the service provider the request to access the protected resource and prior to sending by the service provider the response to the request to access the protected resource, information in the first user account to indicate that the first user account is deactivated.
  - 29. The computer program product of claim 16 further comprising:
    - instructions for prompting, after receiving at the service provider the request to access the protected resource and prior to sending by the service provider the response to the request to access the protected resource, the user by the first identity provider to obtain identifying information for the second identity provider in order to determine an identity of the second identity provider to perform the federated single-sign-on operation for the user.
  - 30. The computer program product of claim 16 further comprising:
    - instructions for prompting, after receiving at the service provider the request to access the protected resource and prior to sending by the service provider the response to the request to access the protected resource, the user by the service provider to obtain identifying information for the second identity provider in order to determine an identity of the second identity provider to perform the federated single-sign-on operation for the user.

31. An apparatus for operating a federated computational environment, wherein a first user account for a user is managed at a first identity provider, wherein a second user account for the user is managed at a second identity provider, wherein a third user account for the user is managed at a service provider, wherein the first identity provider, the second identity provider, and the service provider operate within the federated computational environment, the apparatus comprising:
- a processor;
  
  a data store in which a set of set of instructions are stored, the set of instructions that when executed by the processor carry out an identity provider migration operation;
  
  wherein the set of instructions comprise;
  
  instructions for receiving at the service provider a request to access by the user a protected resource that is managed by the service provider;
  
  instructions for performing, after receiving the request to access the protected resource, a federated single-sign-on operation for the user between the service provider and the first identity provider;
  
  instructions for modifying, prior to sending a response to the request to access the protected resource, information in the third user account to indicate that the service provider relies upon the second identity provider to authenticate the user on behalf of the service provider rather than the first identity provider; and
  
  instructions for sending a response for the request to access the protected resource.
- View Dependent Claims (32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45)
- - 32. The apparatus of claim 31 further comprising:
    - instructions for triggering the request for the protected resource by a direct request from the user to the service provider.
  - 33. The apparatus of claim 31 further comprising:
    - instructions for triggering the request for the protected resource by an indirect request from the user to the second identity provider.
  - 34. The apparatus of claim 31 further comprising:
    - instructions for establishing, prior to receiving the request to access the protected resource, a first alias identifier for the user between the first identity provider and the service provider to link the first user account and the third user account.
  - 35. The apparatus of claim 34 further comprising:
    - instructions for establishing, after receiving the request to access the protected resource and prior to sending the response to the request to access the protected resource, a second alias identifier for the user between the second identity provider and the service provider to link the second user account and the third user account.
  - 36. The apparatus of claim 35 further comprising:
    - instructions for employing by the service provider the second alias identifier for the user in place of the first alias identifier during federated single-sign-on operations.
  - 37. The apparatus of claim 35 further comprising:
    - instructions for replacing by the service provider an alias mapping for the user.
  - 38. The apparatus of claim 35 further comprising:
    - instructions for replacing by the service provider an alias mapping for the user during the federated single-sign-on operation.
  - 39. The apparatus of claim 31 further comprising:
    - instructions for extracting by the service provider identifying information for the first identity provider from a cookie in order to determine by the service provider to use the first identity provider to perform the federated single-sign-on operation for the user.
  - 40. The apparatus of claim 31 further comprising:
    - instructions for prompting the user by the service provider to obtain identifying information for the first identity provider in order to determine by the service provider to use the first identity provider to perform the federated single-sign-on operation for the user.
  - 41. The apparatus of claim 31 further comprising:
    - instructions for modifying, prior to receiving at the service provider the request to access the protected resource, information in the first user account to indicate that operations with respect to the first user account are restricted until the user completes an identity provider migration operation.
  - 42. The apparatus of claim 31 further comprising:
    - instructions for modifying, after receiving at the service provider the request to access the protected resource and prior to sending by the service provider the response to the request to access the protected resource, information in the first user account to indicate that the user has completed an identity provider migration operation with respect to the service provider.
  - 43. The apparatus of claim 31 further comprising:
    - instructions for modifying, after receiving at the service provider the request to access the protected resource and prior to sending by the service provider the response to the request to access the protected resource, information in the first user account to indicate that the first user account is deactivated.
  - 44. The apparatus of claim 31 further comprising:
    - instructions for prompting, after receiving at the service provider the request to access the protected resource and prior to sending by the service provider the response to the request to access the protected resource, the user by the first identity provider to obtain identifying information for the second identity provider in order to determine an identity of the second identity provider to perform the federated single-sign-on operation for the user.
  - 45. The apparatus of claim 31 further comprising:
    - instructions for prompting, after receiving at the service provider the request to access the protected resource and prior to sending by the service provider the response to the request to access the protected resource, the user by the service provider to obtain identifying information for the second identity provider in order to determine an identity of the second identity provider to perform the federated single-sign-on operation for the user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ServiceNow Incorporated
Original Assignee
International Business Machines Corporation
Inventors
Hinton, Heather M.
Primary Examiner(s)
Etienne; Ario
Assistant Examiner(s)
GEORGANDELLIS, ANDREW C

Application Number

US11/459,118
Publication Number

US 20080021997A1
Time in Patent Office

1,292 Days
Field of Search

709/225, 709/229, 709/227, 726/8
US Class Current

709/229
CPC Class Codes

H04L 63/0815 providing single-sign-on or...

H04L 63/104 Grouping of entities

Method and system for identity provider migration using federated single-sign-on operation

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

116 Citations

45 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for identity provider migration using federated single-sign-on operation

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

116 Citations

45 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links