Method and system for user enrollment of user attribute storage in a federated environment

US 7,725,562 B2
Filed: 12/31/2002
Issued: 05/25/2010
Est. Priority Date: 12/31/2002
Status: Active Grant

First Claim

Patent Images

1. A method for managing user attribute information within a data processing system, the method comprising:

receiving an enrollment request message from a first service provider at a second service provider, wherein the enrollment request message informs the second service provider of a set of one or more identifiers of attribute information providers, wherein each of the attribute information providers is a service provider that maintains user attribute information for a user of a client device;

extracting by the second service provider the set of one or more identifiers of attribute information providers from the enrollment request message;

generating by the second service provider a persistent token for the user, wherein the persistent token comprises the set of one or more identifiers of attribute information providers; and

managing the persistent token.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer system is presented for facilitating storage and retrieval of user attribute information within a federated environment at entities that manage such information as a service. Through enrollment processes, certain domains inform online service providers of identities of attribute information providers that may be used to retrieve user attribute information for a particular user. When performing a user-specific operation with respect to a requested resource, e.g., for personalizing documents using user attribute information or for determining user access privileges for the resource, an e-commerce service provider requires user attribute information, which is retrieved from an attribute information provider that has been previously specified through an enrollment operation. The e-commerce service provider may store the identity of the user'"'"'s attribute information providers in a persistent token, e.g., an HTTP cookie, that is available when the user sends a request for access to a resource.

Citations

48 Claims

1. A method for managing user attribute information within a data processing system, the method comprising:
- receiving an enrollment request message from a first service provider at a second service provider, wherein the enrollment request message informs the second service provider of a set of one or more identifiers of attribute information providers, wherein each of the attribute information providers is a service provider that maintains user attribute information for a user of a client device;
  
  extracting by the second service provider the set of one or more identifiers of attribute information providers from the enrollment request message;
  
  generating by the second service provider a persistent token for the user, wherein the persistent token comprises the set of one or more identifiers of attribute information providers; and
  
  managing the persistent token.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1 further comprising:
    - storing the persistent token in a client-side datastore at a client device operated by the user.
  - 3. The method of claim 2 further comprising:
    - using an HTTP (Hypertext Transport Protocol) redirection message to set the persistent token.
  - 4. The method of claim 2 wherein the persistent token is stored as an HTTP cookie.
  - 5. The method of claim 1 further comprising:
    - storing the persistent token in a server-side datastore.
  - 6. The method of claim 1 further comprising:
    - receiving from the user a request for a resource at the second service provider;
      
      obtaining the persistent token for the user;
      
      extracting the set of one or more identifiers of attribute information providers from the persistent token;
      
      retrieving user attribute information for the user from at least one attribute information provider identified in the set of one or more identifiers of attribute information providers; and
      
      performing a customization operation for the resource or an access control decision for the resource based on the retrieved user attribute information for the user.

7. A data processing system for managing user attribute information, the data processing system comprising:
- a processor;
  
  a computer memory holding computer program instructions which when executed by the processor perform a method comprising;
  
  receiving an enrollment request message from a first service provider at a second service provider, wherein the enrollment request message informs the second service provider of a set of one or more identifiers of attribute information providers, wherein each of the attribute information providers is a service provider that maintains user attribute information for a user of a client device;
  
  extracting by the second service provider the set of one or more identifiers of attribute information providers from the enrollment request message;
  
  generating by the second service provider a persistent token for the user, wherein the persistent token comprises the set of one or more identifiers of attribute information providers; and
  
  managing the persistent token.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The data processing system of claim 7 wherein the method further comprises:
    - storing the persistent token in a client-side datastore at a client device operated by the user.
  - 9. The data processing system of claim 8 wherein the method further comprises:
    - using an HTTP (Hypertext Transport Protocol) redirection message to set the persistent token.
  - 10. The data processing system of claim 8 wherein the persistent token is stored as an HTTP cookie.
  - 11. The data processing system of claim 7 wherein the method further comprises:
    - storing the persistent token in a server-side datastore.
  - 12. The data processing system of claim 7 further comprising wherein the method further comprises:
    - receiving from the user a request for a resource at the second service provider;
      
      obtaining the persistent token for the user;
      
      extracting the set of one or more identifiers of attribute information providers from the persistent token;
      
      retrieving user attribute information for the user from at least one attribute information provider identified in the set of one or more identifiers of attribute information providers; and
      
      performing a customization operation for the resource or an access control decision for the resource based on the retrieved user attribute information for the user.

13. A computer program product in a computer readable medium for managing user attribute information in a data processing system, the computer program product holding computer program instructions which when executed by the data processing system perform a method comprising:
- receiving an enrollment request message from a first service provider at a second service provider, wherein the enrollment request message informs the second service provider of a set of one or more identifiers of attribute information providers, wherein each of the attribute information providers is a service provider that maintains user attribute information for a user of a client device;
  
  extracting by the second service provider the set of one or more identifiers of attribute information providers from the enrollment request message;
  
  generating by the second service provider a persistent token for the user, wherein the persistent token comprises the set of one or more identifiers of attribute information providers; and
  
  managing the persistent token.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The computer program product of claim 13 wherein the method further comprises:
    - storing the persistent token in a client-side datastore at a client device operated by the user.
  - 15. The computer program product of claim 14 wherein the method further comprises:
    - using an HTTP (Hypertext Transport Protocol) redirection message to set the persistent token.
  - 16. The computer program product of claim 14 wherein the persistent token is stored as an HTTP cookie.
  - 17. The computer program product of claim 13 wherein the method further comprises:
    - storing the persistent token in a server-side datastore.
  - 18. The computer program product of claim 13 wherein the method further comprises:
    - receiving from the user a request for a resource at the second service provider;
      
      obtaining the persistent token for the user;
      
      extracting the set of one or more identifiers of attribute information providers from the persistent token;
      
      retrieving user attribute information for the user from at least one attribute information provider identified in the set of one or more identifiers of attribute information providers; and
      
      performing a customization operation for the resource or an access control decision for the resource based on the retrieved user attribute information for the user.

19. A method for managing user attribute information within a data processing system, the method comprising:
- receiving a request message at a first service provider from a client device;
  
  initiating by the first service provider an enrollment operation for a user of the client device in response to receiving the request message;
  
  obtaining at the first service provider a set of one or more identifiers of attribute information providers, wherein each of the attribute information providers is a service provider that maintains user attribute information for the user; and
  
  enrolling the set of one or more identifiers of attribute information providers at a second service provider.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 20. The method of claim 19 further comprising:
    - sending an enrollment request message from the first service provider to the second service provider, wherein the enrollment request message informs the second service provider of the set of one or more identifiers of attribute information providers.
  - 21. The method of claim 19 further comprising:
    - receiving an authentication assertion at the first service provider from a third service provider that authenticated the user.
  - 22. The method of claim 19 further comprising:
    - receiving the set of one or more identifiers of attribute information providers as input from the user.
  - 23. The method of claim 19 further comprising:
    - retrieving the set of one or more identifiers of attribute information providers from administratively configured information.
  - 24. The method of claim 19 wherein the set of one or more identifiers of attribute information providers are prioritized.
  - 25. The method of claim 19 further comprising:
    - receiving an identifier for the second service provider as input from the user.
  - 26. The method of claim 19 further comprising:
    - retrieving an identifier for the second service provider from administratively configured information.
  - 27. The method of claim 19 further comprising:
    - allowing the user to be partially enrolled if the enrolling step fails at one or more of additional service providers.
  - 28. The method of claim 19 wherein an identifier for a service provider or a domain may comprise a network path, a Uniform Resource Identifier (URI), or a unique name.

29. A data processing system for managing user attribute information, the data processing system comprising:
- a processor;
  
  a computer memory holding computer program instructions which when executed by the processor perform a method comprising;
  
  receiving a request message at a first service provider from a client device;
  
  initiating by the first service provider an enrollment operation for a user of the client device in response to receiving the request message;
  
  obtaining at the first service provider a set of one or more identifiers of attribute information providers, wherein each of the attribute information providers is a service provider that maintains user attribute information for the user; and
  
  enrolling the set of one or more identifiers of attribute information providers at a second service provider.
- View Dependent Claims (30, 31, 32, 33, 34, 35, 36, 37, 38)
- - 30. The data processing system of claim 29 wherein the method further comprises:
    - sending an enrollment request message from the first service provider to the second service provider, wherein the enrollment request message informs the second service provider of the set of one or more identifiers of attribute information providers.
  - 31. The data processing system of claim 29 wherein the method further comprises:
    - receiving an authentication assertion at the first service provider from a third service provider that authenticated the user.
  - 32. The data processing system of claim 29 wherein the method further comprises:
    - receiving the set of one or more identifiers of attribute information providers as input from the user.
  - 33. The data processing system of claim 29 wherein the method further comprises:
    - retrieving the set of one or more identifiers of attribute information providers from administratively configured information.
  - 34. The data processing system of claim 29 wherein the set of one or more identifiers of attribute information providers are prioritized.
  - 35. The data processing system of claim 29 wherein the method further comprises:
    - receiving an identifier for the second service provider as input from the user.
  - 36. The data processing system of claim 29 wherein the method further comprises:
    - retrieving an identifier for the second service provider from administratively configured information.
  - 37. The data processing system of claim 29 wherein the method further comprises:
    - allowing the user to be partially enrolled if the enrolling step fails at one or more of additional service providers.
  - 38. The data processing system of claim 29 wherein an identifier for a service provider or a domain may comprise a network path, a Uniform Resource Identifier (URI), or a unique name.

39. A computer program product in a computer readable medium for managing user attribute information in a data processing system, the computer program product holding computer program instructions which when executed by the data processing system perform a method comprising:
- receiving a request message at a first service provider from a client device;
  
  initiating by the first service provider an enrollment operation for a user of the client device in response to receiving the request message;
  
  obtaining at the first service provider a set of one or more identifiers of attribute information providers, wherein each of the attribute information providers is a service provider that maintains user attribute information for the user; and
  
  enrolling the set of one or more identifiers of attribute information providers at a second service provider.
- View Dependent Claims (40, 41, 42, 43, 44, 45, 46, 47, 48)
- - 40. The computer program product of claim 39 wherein the method further comprises:
    - sending an enrollment request message from the first service provider to the second service provider, wherein the enrollment request message informs the second service provider of the set of one or more identifiers of attribute information providers.
  - 41. The computer program product of claim 39 wherein the method further comprises:
    - receiving an authentication assertion at the first service provider from a third service provider that authenticated the user.
  - 42. The computer program product of claim 39 wherein the method further comprises:
    - receiving the set of one or more identifiers of attribute information providers as input from the user.
  - 43. The computer program product of claim 39 wherein the method further comprises:
    - retrieving the set of one or more identifiers of attribute information providers from administratively configured information.
  - 44. The computer program product of claim 39 wherein the set of one or more identifiers of attribute information providers are prioritized.
  - 45. The computer program product of claim 39 wherein the method further comprises:
    - receiving an identifier for the second service provider as input from the user.
  - 46. The computer program product of claim 39 wherein the method further comprises:
    - retrieving an identifier for the second service provider from administratively configured information.
  - 47. The computer program product of claim 39 wherein the method further comprises:
    - allowing the user to be partially enrolled if the enrolling step fails at one or more of additional service providers.
  - 48. The computer program product of claim 39 wherein an identifier for a service provider or a domain may comprise a network path, a Uniform Resource Identifier (URI), or a unique name.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Advanced Micro Devices, Inc., PayPal, Inc. (PayPal Holdings, Inc.)
Original Assignee
International Business Machines Corporation
Inventors
Nadalin, Anthony Joseph, Hinton, Heather Maria, Pfitzmann, Birgit Monika, Blakley, George Robert III
Primary Examiner(s)
Donaghue; Larry
Assistant Examiner(s)
NGUYEN, MINH CHAU

Application Number

US10/334,326
Publication Number

US 20040128390A1
Time in Patent Office

2,702 Days
Field of Search

709/225, 709/229
US Class Current

709/219
CPC Class Codes

H04L 63/0807 using tickets, e.g. Kerbero...

H04L 63/104 Grouping of entities

Method and system for user enrollment of user attribute storage in a federated environment

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

48 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for user enrollment of user attribute storage in a federated environment

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

48 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links