Systems and methods for enabling trust in a federated collaboration
First Claim
1. A computer-implemented method for communicating over a federated network, the method comprising:
receiving, by an identity-providing computing device associated with an identity provider, an indication of a request by a requester for access to a resource of a service provider associated with a service-provider computing device;
transmitting, by the identity-providing computing device, a digital public key to a trusted third-party computing device associated with a trusted third party of the identity provider and the service provider;
receiving, by the identity-providing computing device, a digital certificate from the trusted third-party computing device, the digital certificate indicating that the trusted third party has audited and approved policies of the identity provider for compliance with policies of the trusted third party for communicating on the federated network, wherein the digital certificate contains a digital private key associated with the provided digital public key;
responsive to a determination that a trust relationship exists, specifying, by the identity-providing computing device, an identity-assertion data structure defined by the third party policy, the identity-assertion data structure comprising at least one attribute associated with the requester;
associating, by the identity-providing computing device, the identity-assertion data structure with the request;
digitally signing, by the identity-providing computing device, the identity-assertion data structure using the associated digital private key contained in the received digital certificate; and
transmitting, by the identity-providing computing device, the digitally-signed identity-assertion data structure to the service-provider computing device.
4 Assignments
0 Petitions
Abstract
Systems and methods consistent with the present invention enable explicit and multilateral trust across a community of federated servers via a network. A trusted third party establishes a framework of policies and procedures governing a federation. Organizations joining the federation submit to an audit process of internal policies and procedures to ensure compliance with the policies and procedures of the federation. Upon successful completion of an audit, an organization may receive a digital certificate containing the digital public key of the organization and indicating approval of the trusted third party. The organization may then use the associated digital private key for signing security assertions associated with a request for resources from another federation service provider. The service provider may trust the assertion from the organization based on the trust placed in the trusted third party by the service provider and the trust placed in the organization by the trusted third party.
102 Citations
44 Claims
1. A computer-implemented method for communicating over a federated network, the method comprising:
(Reproduced in full under First Claim above. Dependent claims 2-10 not shown.)
11. An identity-providing computing system associated with an identity provider for communicating over a federated network, the system comprising:
a communication device;
a memory device storing computer-executable instructions; and
a processor configured to execute the instructions to cause the identity-providing computing system to:
receive an indication of a request by a requester to access a resource of a service-provider computing device associated with a service provider;
transmit, via the communication device, a digital public key to a trusted third-party computing device associated with a trusted third party of the identity provider and the service provider;
receive, via the communication device, a digital certificate from the trusted third-party computing device, the digital certificate indicating that the trusted third party has audited and approved policies of the identity provider for compliance with policies of the trusted third party for communicating on the federated network, wherein the digital certificate contains a digital private key associated with the provided digital public key;
specify, responsive to a determination that a trust relationship exists, an identity-assertion data structure defined by the third-party policy, the identity-assertion data structure comprising at least one attribute associated with the requester;
associate the identity-assertion data structure with the request;
digitally sign the identity-assertion data structure using the associated digital private key contained in the received digital certificate; and
transmit, via the communication device, the digitally-signed identity-assertion data structure to the service-provider computing device over the network.
(Dependent claims 12-20 not shown.)
21. A non-transitory computer-readable storage medium storing instructions which, when executed by an identity-providing computing device associated with an identity provider, cause the identity-providing computing device to perform a method for communicating over a federated network, the method comprising:
receiving an indication of a request by a requester to access a resource of a service provider associated with a service-provider computing device;
transmitting a digital public key to a trusted third-party computing device associated with a trusted third party of the identity provider and the service provider;
receiving a digital certificate from the trusted third-party computing device, the digital certificate indicating that the trusted third party has audited and approved policies of the identity provider for compliance with policies of the trusted third party for communicating on the federated network, wherein the digital certificate contains a digital private key associated with the provided digital public key;
responsive to a determination that a trust relationship exists, specifying an identity-assertion data structure defined by the third-party policy, the identity-assertion data structure comprising at least one attribute associated with the requester;
associating the identity-assertion data structure with the request;
digitally signing the identity-assertion data structure using the associated digital private key contained in the received digital certificate; and
transmitting the digitally-signed identity-assertion data structure to the service-provider computing device.
22. A computer-implemented method for communicating over a federated network, the method comprising:
determining, by an identity-providing computing device associated with an identity provider, credentials associated with a requester requesting access to a resource of a service provider associated with a service-provider computing device;
transmitting, by the identity-providing computing device, a digital public key to a trusted third-party computing device associated with a trusted third party of the identity provider and the service provider;
receiving, by the identity-providing computing device, a digital certificate from the trusted third-party computing device, the digital certificate indicating that the trusted third party has audited and approved policies of the identity provider for compliance with policies of the trusted third party for communicating on the federated network, wherein the digital certificate contains a digital private key associated with the provided digital public key;
creating, by the identity-providing computing device, a first data structure comprising an identity assertion defined by the third-party policy, wherein the first data structure comprises at least one attribute associated with the credentials;
associating, by the identity-providing computing device, the first data structure with a second data structure containing the request for access to the resource of the service provider;
digitally signing, by the identity-providing computing device, a set comprising the first data structure and second data structure using the associated digital private key contained in the received digital certificate, to yield a resulting digitally-signed identity-assertion data structure;
providing, by the identity-providing computing device, the digitally-signed identity-assertion data structure to the service-provider computing device via the network; and
receiving, by the identity-providing computing device, the requested resource via the network from the service-provider computing device, wherein the service-provider computing device transmits the requested resource based on a first trust relationship between the service provider and the trusted third party and on a second trust relationship between the trusted third party and the identity provider.
(Dependent claims 23-31 not shown.)
32. An identity-providing computing system associated with an identity provider for communicating over a federated network, the system comprising:
a communication device;
a memory device storing computer-executable instructions; and
a processor configured to execute the instructions to cause the identity-providing computing system to:
determine credentials associated with a requester requesting access to a resource from a service-provider computing device associated with a service provider;
transmit, via the communication device, a digital public key to a trusted third-party computing device associated with a trusted third party of the identity provider and the service provider;
receive, via the communication device, a digital certificate from the trusted third-party computing device, the digital certificate indicating that the trusted third party has audited and approved policies of the identity provider for compliance with policies of the trusted third party for communicating on the federated network, wherein the digital certificate contains a digital private key associated with the provided digital public key;
create a first data structure comprising an identity assertion defined by the third-party policy, wherein the first data structure comprises at least one attribute associated with the credentials;
group the first data structure with a second data structure containing the request for access to the resource of the service provider;
digitally sign the group comprising the first data structure and second data structure using the associated digital private key contained in the received digital certificate, to yield a resulting digitally-signed identity-assertion data structure;
transmit, using the communication device, the resulting digitally-signed identity-assertion data structure to the service-provider computing device via the network; and
receive, via the communication device, the requested resource via the network from the service-provider computing device, wherein the service-provider computing device transmits the requested resource based on a first trust relationship between the service provider and the trusted third party and on a second trust relationship between the trusted third party and the identity provider.
(Dependent claims 33-39 not shown.)
40. A non-transitory computer-readable storage medium storing code that, when executed by an identity-providing computing device associated with an identity provider, causes the identity-providing computing device to perform a method for communicating over a federated network, the method comprising:
determining credentials associated with a requester requesting access to a resource of a service provider associated with a service-provider computing device;
transmitting a digital public key to a trusted third-party computing device associated with a trusted third party of the identity provider and the service provider;
receiving a digital certificate from the trusted third-party computing device, the digital certificate indicating that the trusted third party has audited and approved policies of the identity provider for compliance with policies of the trusted third party for communicating on the federated network, wherein the digital certificate contains a digital private key associated with the provided digital public key;
creating a first data structure comprising an identity assertion consistent with the third-party policy for communicating on the federated network, wherein the first data structure comprises at least one attribute associated with the credentials;
associating the first data structure with a second data structure containing the request for the resource of the service provider;
digitally signing, using the associated digital private key contained in the received digital certificate, a set comprising the first data structure and second data structure to yield a resulting digitally-signed identity-assertion data structure;
providing the digitally-signed identity-assertion data structure to the service-provider computing device via the network; and
receiving the requested resource via the network from the service-provider computing device, wherein the service-provider computing device transmits the requested resource based on a first trust relationship between the service provider and the trusted third party and on a second trust relationship between the trusted third party and the identity provider.
41. A method for enabling transitive trust in a federated network configuration including an identity-provider computing device associated with an identity provider and a service-provider computing device associated with a service provider, the method comprising:
developing, by actions of a trusted third party of the identity provider and the service provider, policies related to operating the federated network configuration, wherein the policies include procedures for:
associating, by the identity-provider computing device, attributes of a requester with a request to access a resource of the service-provider computing device;
transmitting, by the identity-providing computing device, a digital public key to a trusted third-party computing device associated with the trusted third party;
receiving, by the identity-providing computing device, a digital certificate from the trusted third-party computing device, the digital certificate being issued to the identity provider by the trusted third party and indicating that the trusted third party has audited and approved policies of the identity provider for compliance with policies of the trusted third party for communicating on the federated network, wherein the digital certificate contains a digital private key associated with the provided digital public key;
responsive to a determination that a trust relationship exists, specifying, by the identity-providing computing device, an identity-assertion data structure defined by the third-party policy, the identity-assertion data structure including the attributes;
digitally signing, by the identity-providing computing device, the identity-assertion data structure using the associated digital private key contained in the received digital certificate;
transmitting, by the identity-providing computing device, the digitally-signed identity-assertion data structure to the service-provider computing device;
transmitting the requested resource, by the service-provider computing device, to the identity-providing computing device based on a first trust relationship established between the service provider and the trusted third party and on a second trust relationship established between the trusted third party and the identity provider;
granting access to the third-party policy for communicating on the federated network;
auditing an applicant to the federated network configuration for compliance with the policy; and
issuing a digital certificate to the applicant based on a result of the audit.
42. A computer-implemented method for communicating on a federated network including a service-provider computing device associated with a service provider and an identity-provider computing device associated with an identity provider, the method comprising:
receiving, by the service-provider computing device, a digitally-signed identity-assertion data structure from the identity-provider computing device including a request to access a resource of the service provider and at least one attribute associated with the requester, the data structure signed using a digital private key contained in a digital certificate received by the identity-provider computing device from a trusted third-party computing device associated with a trusted third party of the identity provider and the service provider, the digital certificate indicating that the trusted third party has audited and approved policies of the identity provider for compliance with policies of the trusted third party for communicating on the federated network;
determining, by the service-provider computing device, whether the digital certificate issued to the identity provider complies with the policies of the trusted third party for communicating on the federated network;
parsing, by the service-provider computing device, the identity-assertion data structure to determine whether the content of the identity-assertion data structure complies with the policies of the trusted third party for communicating on the federated network; and
when it is determined that either the digital certificate or the content of the identity-assertion data structure does not comply with the policies of the trusted third party for communicating on the federated network, logging a breach of the third-party policy by transmitting a notification of breach to an audit server maintained by the trusted third party.
(Dependent claims 43 and 44 not shown.)
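The three-party scheme described in the abstract (trusted third party audits and certifies the identity provider; identity provider signs an assertion; service provider trusts it transitively) together with the service-provider checks and breach logging of claim 42, as an added worked example. This is example code written for this page, not code from the patent or from any product it covers. It assumes Ed25519 signatures, JSON-encoded certificates and assertions, a policy consisting of a version string, a list of required attributes and a maximum assertion age, and an audit server modelled as an in-memory list; the type names TTP, IdP, SP, Policy, Certificate, Assertion and SignedAssertion, the policy version "fed-policy-1", the request string and the hostnames idp.example and sp.example are all constructed for the example. On one point the example follows the abstract rather than the claims' wording: the certificate the trusted third party issues carries the identity provider's public key, and the private key that signs assertions stays with the identity provider.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Policy is the TTP's federation policy (assumed shape): audited version, required assertion attributes, maximum assertion age.
type Policy struct{ Version string; Required []string; MaxAge time.Duration }

// Certificate is what the TTP issues after a passed audit: the member's PUBLIC key bound to the audited
// policy version under the TTP's signature. The member's private key never leaves the member.
type Certificate struct{ Subject, PolicyVersion string; PublicKey, Signature []byte `json:",omitempty"` }

// tbs is the to-be-signed encoding: every field except the signature.
func (c Certificate) tbs() []byte { c.Signature = nil; b, _ := json.Marshal(c); return b }

// Assertion is the identity-assertion data structure; Request binds it to the resource request so one
// signature covers both (the signed "set" of claim 22). SignedAssertion is the message the IdP sends.
type Assertion struct{ Issuer, Audience, Request string; IssuedAt int64; Attributes map[string]string }
type SignedAssertion struct{ Body, Signature []byte; Cert Certificate }

// TTP audits applicants, issues certificates under its root key and runs the audit server; the breach
// notifications it receives (claim 42) are kept in Breaches, modelled here as an in-memory log.
type TTP struct{ Root ed25519.PublicKey; priv ed25519.PrivateKey; Policy Policy; Breaches []string }
func NewTTP(p Policy) *TTP {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &TTP{Root: pub, priv: priv, Policy: p}
}

// Enroll certifies the submitted public key only when the audit (modelled as a bool) passed.
func (t *TTP) Enroll(subject string, pub ed25519.PublicKey, auditPassed bool) (Certificate, error) {
	if !auditPassed {
		return Certificate{}, errors.New("audit failed: no certificate issued")
	}
	c := Certificate{Subject: subject, PublicKey: pub, PolicyVersion: t.Policy.Version}
	c.Signature = ed25519.Sign(t.priv, c.tbs())
	return c, nil
}

func (t *TTP) ReportBreach(reporter, reason string) { t.Breaches = append(t.Breaches, reporter+": "+reason) }

// IdP keeps its private key; Cert is the certificate a TTP issued for the matching public key.
type IdP struct{ Name string; priv ed25519.PrivateKey; Cert Certificate }
func NewIdP(name string) *IdP { _, priv, _ := ed25519.GenerateKey(rand.Reader); return &IdP{Name: name, priv: priv} }

// Join submits the public key to a TTP and keeps the certificate it returns, if any.
func (p *IdP) Join(t *TTP, auditPassed bool) (err error) {
	p.Cert, err = t.Enroll(p.Name, p.priv.Public().(ed25519.PublicKey), auditPassed)
	return err
}

// Assert builds the assertion for one request and signs it with the IdP's private key.
func (p *IdP) Assert(audience, request string, attrs map[string]string, now time.Time) SignedAssertion {
	body, _ := json.Marshal(Assertion{Issuer: p.Name, Audience: audience, Request: request, IssuedAt: now.Unix(), Attributes: attrs})
	return SignedAssertion{Body: body, Signature: ed25519.Sign(p.priv, body), Cert: p.Cert}
}

// SP trusts only the TTP's root key and policy; its trust in an IdP is derived from the certificate.
type SP struct{ Name string; ttp *TTP }

// Verify is the service-provider side of claim 42: certificate compliance, the two signature checks
// that realise the transitive trust, content compliance, and a breach notification on any failure.
func (s *SP) Verify(sa SignedAssertion, now time.Time) (Assertion, error) {
	fail := func(reason string) (Assertion, error) { s.ttp.ReportBreach(s.Name, reason); return Assertion{}, errors.New(reason) }
	c, a := sa.Cert, Assertion{}
	switch {
	case c.PolicyVersion != s.ttp.Policy.Version || len(c.PublicKey) != ed25519.PublicKeySize:
		return fail("certificate does not comply with federation policy")
	case !ed25519.Verify(s.ttp.Root, c.tbs(), c.Signature):
		return fail("certificate not issued by the trusted third party")
	case !ed25519.Verify(ed25519.PublicKey(c.PublicKey), sa.Body, sa.Signature):
		return fail("assertion signature does not verify under the certified key")
	case json.Unmarshal(sa.Body, &a) != nil || a.Issuer != c.Subject || a.Audience != s.Name:
		return fail("assertion issuer or audience does not match")
	case a.IssuedAt > now.Unix() || now.Unix()-a.IssuedAt > int64(s.ttp.Policy.MaxAge.Seconds()):
		return fail("assertion outside its validity window")
	}
	for _, k := range s.ttp.Policy.Required {
		if _, ok := a.Attributes[k]; !ok {
			return fail("assertion missing required attribute " + k)
		}
	}
	return a, nil
}

func main() {
	ttp := NewTTP(Policy{Version: "fed-policy-1", Required: []string{"uid", "role"}, MaxAge: 5 * time.Minute})
	sp, idp, now := &SP{Name: "sp.example", ttp: ttp}, NewIdP("idp.example"), time.Now()
	fmt.Println("enrolled:", idp.Join(ttp, true))
	sa := idp.Assert(sp.Name, "GET /reports/42", map[string]string{"uid": "alice", "role": "analyst"}, now)
	fmt.Println(sp.Verify(sa, now)) // accepted
	sa.Body[len(sa.Body)-3] ^= 1    // tamper after signing: the IdP's signature no longer verifies
	fmt.Println(sp.Verify(sa, now)) // rejected and reported to the audit server
	fmt.Println("audit log:", ttp.Breaches)
}
```

Two design points worth noting. The service provider checks the certificate before the assertion, and checks both signatures on the exact bytes it received before it parses anything, so what was signed is what gets evaluated against policy; parsing first and re-serialising invites canonicalisation mismatches. And the service provider never holds an identity provider's key directly: an applicant that failed the audit has no certificate, and an applicant certified by some other trusted third party fails the root-key check, which is the transitive trust of the abstract made concrete.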
Specification