Enterprise service-to-service trust framework
First Claim
1. In an enterprise computing network, a system for providing authorization and authentication in response to a service request from a client computer, the system comprising:
- a centralized policy server comprising a centralized policy repository, the centralized policy repository comprising:
(a) an information store configured to store a plurality of sets of trust information, each of the plurality of sets of trust information comprising trust information about one of a plurality of services;
(b) one or more authorization models, each of the one or more authorization models comprising information about a mode of interaction between two or more services, the one or more authorization models comprising a first authorization model defining a first mode of interaction between a first service on a first server computer and a second service on a second server computer, the mode of interaction defining an authentication or authorization technique to be used between the first service and the second service;
(c) one or more authentication policies, each of the one or more authentication policies defining a set of authentication requirements for a particular service, the one or more authentication policies comprising a first authentication policy that defines an authentication requirement that the first service on the first server computer must meet in order to authenticate with the second service on the second server computer; and
(d) one or more authorization policies, each of the one or more authentication policies defining a set of authorization requirements for a particular service, the one or more authorization policies comprising a first authorization policy that defines an authorization requirement for the first service to authorize with the second service;
- the first server computer comprising a first processor and a first set of instructions executable by the first processor, the first set of instructions comprising:
(a) instructions to receive, with the first service, the service request from the client computer;
(b) instructions to ascertain that the service request requests an operation to be performed by the second service at the second server computer;
(c) instructions to obtain from the centralized policy repository an identifier of the second service;
(d) instructions to transmit an operation request for reception by the second server computer, the operation request comprising the identifier of the first service and requesting performance of the operation;
- the second server computer comprising a second processor and a second set of instructions executable by the second processor, the second set of instructions comprising:
(a) instructions to receive, with the second service, the operation request from the first server computer;
(b) instructions to transmit an authentication request for reception by the centralized policy server, the authentication request comprising the identifier;
(c) instructions to transmit an authorization request for reception by the centralized policy server; and
(d) instructions to provide the requested operation, based on an authentication status and an authorization status of the first server; and
- an application programming interface ("API") configured to allow the first service and the second service to communicate with the centralized policy repository;
- wherein the centralized policy server further comprises a third processor and a third set of instructions executable by the third processor, the third set of instructions comprising:
(a) instructions to receive the authentication request;
(b) instructions to identify the first service, based on the identifier;
(c) instructions to determine, based on the first authentication policy, a set of authentication information for the first service, the set of authentication information being sufficient to authenticate the first service;
(d) instructions to provide the set of authentication information to the second server computer;
(e) instructions to receive the authorization request;
(f) instructions to determine, based on an authorization policy for the second service, a set of authorization information for the first service, the set of authorization information being sufficient to indicate whether the first service is authorized for the second service; and
(g) instructions to provide the set of authorization information to the second server computer.
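The following is an added illustration of the flow claim 1 describes (and, seen from the repository's side, claims 2, 14 and 23); it is not code from the patent or from any product. It models the centralized policy repository with its four parts (trust store, authorization models giving the interaction mode per source/target pair, per-target authentication policies, per-target authorization policies), a source service that forwards a client request carrying its own identifier, and a target service that asks the policy server first whether the source authenticates and then whether it is authorized before performing the operation. Service names ("orders", "billing", "inventory"), the "mtls" and "hmac" interaction modes, fingerprint strings and secrets are all constructed assumptions.

```python
"""Toy model of the service-to-service trust framework in claim 1.

Added illustration, not code from the patent: service names, credential
values and policy shapes are constructed. A source service forwards a
client request to a target; the target asks the centralized policy server
whether the source authenticates, then whether it is authorized, and only
then performs the operation.
"""
from dataclasses import dataclass
import hashlib
import hmac


@dataclass(frozen=True)
class TrustInfo:
    """Trust information the repository stores about one service."""
    service_id: str
    cert_fingerprint: str       # presented under the "mtls" interaction mode
    shared_secret: bytes = b""  # used under the "hmac" interaction mode


class PolicyRepository:
    """Centralized policy repository: trust store, authorization models
    (interaction mode per source/target pair), authentication policies
    (modes each target accepts) and authorization policies (operations
    each target permits to each source)."""

    def __init__(self) -> None:
        self.trust: dict[str, TrustInfo] = {}
        self.models: dict[tuple[str, str], str] = {}
        self.authn_policy: dict[str, set[str]] = {}
        self.authz_policy: dict[str, dict[str, set[str]]] = {}

    def register_service(self, info: TrustInfo) -> None:
        self.trust[info.service_id] = info

    def set_model(self, source: str, target: str, mode: str) -> None:
        self.models[(source, target)] = mode

    def set_authn_policy(self, target: str, accepted_modes: set[str]) -> None:
        self.authn_policy[target] = set(accepted_modes)

    def allow(self, target: str, source: str, operations: set[str]) -> None:
        self.authz_policy.setdefault(target, {})[source] = set(operations)

    def interaction_mode(self, source: str, target: str) -> str:
        return self.models.get((source, target), "none")

    def authentication_info(self, target: str, source: str) -> dict:
        """Answer the target's authentication request: the applicable mode and
        the material the source is expected to present, or known=False."""
        mode = self.models.get((source, target))
        if source not in self.trust or mode not in self.authn_policy.get(target, set()):
            return {"known": False}
        info = self.trust[source]
        expected = info.cert_fingerprint if mode == "mtls" else info.shared_secret
        return {"known": True, "mode": mode, "expected": expected}

    def authorization_info(self, target: str, source: str, operation: str) -> dict:
        """Answer the target's authorization request from the target's own policy."""
        permitted = self.authz_policy.get(target, {}).get(source, set())
        return {"authorized": operation in permitted}


# Operations the target service can perform; constructed for the demo.
OPERATIONS = {
    "reserve_stock": lambda payload: f"reserved {payload.decode()}",
    "read_stock": lambda payload: f"stock for {payload.decode()}: 42",
    "release_stock": lambda payload: f"released {payload.decode()}",
}


def source_operation_request(repo, me: TrustInfo, target: str, operation: str, payload: bytes) -> dict:
    """First server: turn the client's request into an operation request carrying
    the source identifier and the credential the interaction mode calls for."""
    mode = repo.interaction_mode(me.service_id, target)
    if mode == "mtls":
        credential = me.cert_fingerprint  # stands in for the client certificate of a TLS handshake
    else:
        credential = hmac.new(me.shared_secret, operation.encode() + payload, hashlib.sha256).hexdigest()
    return {"source_id": me.service_id, "operation": operation, "payload": payload, "credential": credential}


def target_handle(repo, target: str, req: dict) -> dict:
    """Second server: authenticate the source via the policy server, then check
    authorization via the policy server, then perform the operation."""
    authn = repo.authentication_info(target, req["source_id"])
    if not authn["known"]:
        return {"status": "denied", "reason": "unknown source or interaction mode not accepted"}
    if authn["mode"] == "mtls":
        ok = hmac.compare_digest(authn["expected"], req["credential"])
    else:
        mac = hmac.new(authn["expected"], req["operation"].encode() + req["payload"], hashlib.sha256).hexdigest()
        ok = hmac.compare_digest(mac, req["credential"])
    if not ok:
        return {"status": "denied", "reason": "authentication failed"}
    if not repo.authorization_info(target, req["source_id"], req["operation"])["authorized"]:
        return {"status": "denied", "reason": "not authorized for operation"}
    return {"status": "ok", "result": OPERATIONS[req["operation"]](req["payload"])}


def build_demo_repository() -> PolicyRepository:
    """Constructed policies: orders reaches inventory over mTLS, billing over HMAC."""
    repo = PolicyRepository()
    for info in (TrustInfo("orders", "sha256:11aa"),
                 TrustInfo("billing", "sha256:22bb", b"billing-shared-secret"),
                 TrustInfo("inventory", "sha256:33cc")):
        repo.register_service(info)
    repo.set_model("orders", "inventory", "mtls")
    repo.set_model("billing", "inventory", "hmac")
    repo.set_authn_policy("inventory", {"mtls", "hmac"})
    repo.allow("inventory", "orders", {"reserve_stock"})
    repo.allow("inventory", "billing", {"read_stock"})
    return repo


def run(repo, me: TrustInfo, operation: str, payload: bytes = b"sku-7") -> dict:
    """End to end: the source builds the operation request, the target decides."""
    return target_handle(repo, "inventory", source_operation_request(repo, me, "inventory", operation, payload))


if __name__ == "__main__":
    repo = build_demo_repository()
    print(run(repo, repo.trust["orders"], "reserve_stock"))              # ok
    print(run(repo, repo.trust["orders"], "release_stock"))              # denied: not authorized
    print(run(repo, TrustInfo("orders", "sha256:dead"), "reserve_stock"))  # denied: authentication failed
```

The point to notice is that the target never holds credentials or rules for its callers itself: both the material needed to verify the source and the list of permitted operations come from the repository at request time, which is what lets one central policy change govern every service pair.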
2 Assignments
0 Petitions
Abstract
Embodiments of the invention provide a trust framework for governing service-to-service interactions. This trust framework can provide enhanced security and/or manageability over prior systems. Merely by way of example, in some cases, an information store can be used to store information security information (such as trust information, credentials, etc.) for a variety of services across an enterprise. In other cases, the trust framework can provide authentication policies to define and/or control authentication between services (such as, for example, the types of authentication credentials and/or protocols that are required to access a particular service—either as a user and/or as another service—and/or the types of authentication credentials and/or protocols a service may be enabled to use to access another service). Alternatively and/or additionally, the trust framework can provide authorization policies to define and/or control authorization between services.
111 Citations
23 Claims
2. In a computer environment comprising a plurality of services distributed across a plurality of network nodes, the plurality of services comprising a target service that is configured to perform a requested operation and a source service that requests the requested operation, an apparatus for providing authentication and authorization among the plurality of services, the apparatus comprising:
a computer readable storage medium having encoded thereon a set of one or more instructions executable by a computer system to perform one or more operations, the set of instructions comprising: instructions for maintaining, at a centralized policy repository on the computer system, an authentication policy for the target service, the authentication policy defining an authentication requirement that the source service must meet in order to authenticate with the target service; instructions for maintaining, at the centralized policy repository on the computer system, an authorization policy for the target service; instructions for receiving, at the centralized policy repository on the computer system, a first request from the target service, the first request comprising a request for authentication information about the source service; instructions for determining, at the centralized policy repository and based on the authentication policy for the target service, a set of trust information required by the target service for authentication; instructions for providing a first response to the target service from the centralized policy repository, the first response comprising information for authenticating the source service; instructions for receiving, at the centralized policy repository, a second request from the target service, the second request comprising a request for authorization information about an authorization of the source service to access the target service; instructions for determining, at the centralized policy repository and based on the authorization policy for the target service, a set of authorization requirements for the source service; and instructions for providing a second response to the target service from the centralized policy repository, the second response comprising information about authorizing the source service.
Dependent claims: 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13
14. In a computer environment comprising a plurality of services distributed across a plurality of network nodes, a method of providing a service-to-service trust framework to allow interoperability between two or more services, the method comprising:
providing, at a centralized policy repository on a computer system, an information store configured to store trust information related to each of the plurality of services; providing one or more authorization models to define an interaction between the two or more services, wherein the two or more services comprise a target service that is configured to perform a requested operation and a source service that requests the requested operation, the one or more authorization models comprising a first authorization model defining a first mode of interaction between the source service and the target service, the first mode of interaction defining an authentication or authorization technique to be used between the source service and the target service; providing, at the centralized policy repository on the computer system, at least one authentication policy for the target service to define a set of authentication requirements that the source service must meet in order to authenticate with the target service; providing, at the centralized policy repository on the computer system, at least one authorization policy for the target service to define a set of authorization requirements for the target service; and providing, at the computer system, an application programming interface ("API") to allow each of the two or more services to communicate with the information store.
Dependent claims: 15, 16, 17, 18, 19, 20, 21, 22
23. In a computer environment comprising a plurality of services distributed across a plurality of network nodes, an apparatus for implementing a service-to-service trust framework for facilitating interactions between two or more services, the apparatus comprising:
a computer readable medium having encoded thereon a set of instructions executable by one or more computer systems, the set of instructions comprising: instructions for providing an information store configured to store trust information related to each of the plurality of services; instructions for providing one or more authorization models to define an interaction between the two or more services, wherein the two or more services comprise a target service that is configured to perform a requested operation and a source service that requests the operation, the one or more authorization models comprising a first authorization model defining a first mode of interaction between the source service and the target service, the first mode of interaction defining an authentication or authorization technique to be used between the source service and the target service; instructions for providing at least one authentication policy for the target service to define a set of authentication requirements that the source service must meet in order to authenticate with the target service; instructions for providing at least one authorization policy for the target service to define a set of authorization requirements for the target service; and instructions for providing an application programming interface ("API") to allow each of the two or more services to communicate with the information store.