Federated single sign-on (F-SSO) request processing using a trust chain having a custom module

US 8,141,139 B2
Filed: 11/14/2007
Issued: 03/20/2012
Est. Priority Date: 11/14/2007
Status: Active Grant

First Claim

Patent Images

1. A method, operative within a federated environment in which a token service fulfills requests by executing a module chain comprising a set of modules, comprising:

responsive to receipt of a token, initiating processing of the module chain within a data processing system;

during processing of the module chain within the data processing system, attempting to validate a value of a name-value pair based on a rule, wherein the rule is determined based on one or more invocation parameters of the module chain; and

returning a response.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Federated single sign on (F-SSO) uses a token service that fulfills requests by executing a module chain comprising a set of modules. F-SSO runtime processing is enhanced by enabling a federated entity user to define a custom module to include in the chain. The custom module includes one or more name-value pairs, wherein a given name-value pair has a value that may be validated against an entity-defined rule. The rule is determined during the processing of the custom module based on one or more invocation parameters of the module chain. In a runtime operation, F-SSO begins in response to receipt of a token. In response, the processing of the module chain that includes the custom module is initiated. During processing of the custom module, an attempt is made to validate the value of a name-value pair based on the rule. If the value of the name-value pair based on the rule can be validated, processing of the module chain continues. This approach enables finer granularity on the information that can be asserted or required as part of an F-SSO flow.

Citations

25 Claims

1. A method, operative within a federated environment in which a token service fulfills requests by executing a module chain comprising a set of modules, comprising:
- responsive to receipt of a token, initiating processing of the module chain within a data processing system;
  
  during processing of the module chain within the data processing system, attempting to validate a value of a name-value pair based on a rule, wherein the rule is determined based on one or more invocation parameters of the module chain; and
  
  returning a response.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method as described in claim 1 wherein the value of the name-value pair is attempted to be validated upon execution of a custom module within the module chain.
  - 3. The method as described in claim 2 wherein the rule is associated with the custom module in an off-line process.
  - 4. The method as described in claim 2 wherein the invocation parameters of the module chain include an identity of the custom module and an issuer of the token.
  - 5. The method as described in claim 1 wherein, if the value of the name-value pair is validated, the response is an output token.
  - 6. The method as described in claim 1 wherein, if the value of the name-value pair cannot be validated, the response is an error.
  - 7. The method as described in claim 1 wherein, if the value of the name-value pair cannot be validated, the response is a condition authorization.
  - 8. The method as described in claim 1 wherein the rule identifies a condition that must be satisfied by a user of a first entity attempting to execute a federated single sign-on (F-SSO) to the federated environment.
  - 9. The method as described in claim 8 further including re-using the rule for a user of a second entity.
  - 10. The method as described in claim 1 further including:
    - generating an internal representation of information in the token; and
      
      evaluating the internal representation to determine if all name-value pairs expected to be in the token are contained within the token;
      
      wherein the evaluating step is performed on a name of each name-value pair.
  - 11. The method as described in claim 1 wherein the value in the name-value pair is associated with a single value or a multi-value.
  - 12. The method as described in claim 1 wherein the module chain is a dynamic chain.

13. A method, operative within a federated environment in which a token service fulfills requests by executing a module chain comprising a set of modules, comprising:
- defining a custom module to include one or more name-value pairs, wherein a given name-value pair has a value that may be validated against a rule;
  
  responsive to receipt of a token, initiating processing of the module chain that includes the custom module within a computing entity;
  
  during processing of the custom module within the computing entity, attempting to validate the value of a name-value pair based on the rule, wherein the rule is determined during the processing of the custom module based on one or more invocation parameters of the module chain; and
  
  returning a response.
- View Dependent Claims (14, 15, 16)
- - 14. The method as described in claim 13 wherein the invocation parameters are one of:
    - an identity of the custom module, and an identity of token issuer.
  - 15. The method as described in claim 13 wherein the token is received upon a user of a first entity attempting a federated single sign-on (F-SSO) to the federated environment.
  - 16. The method as described in claim 13 further including:
    - generating an internal representation of information in the token; and
      
      evaluating the internal representation to determine if all name-value pairs expected to be in the token are contained within the token;
      
      wherein the evaluating step is performed on a name of each name-value pair.

17. A computer program product for use in a federated environment in which a token service fulfills request by executing a trust chain comprising a set of modules, comprising:
- a non-transitory computer-readable medium having computer program instructions that, when executed by a data processing system, perform the following steps;
  
  responsive to receipt of a token, initiating processing of the module chain;
  
  during processing of the module chain, attempting to validate a value of a name-value pair based on a rule, wherein the rule is determined based on one or more invocation parameters of the module chain; and
  
  returning a response.
- View Dependent Claims (18, 19, 20, 21, 22)
- - 18. The computer program product as described in claim 17 wherein the value of the name-value pair is attempted to be validated upon execution of a custom module within the module chain.
  - 19. The computer program product as described in claim 17 wherein, if the value of the name-value pair is validated, the response is an output token.
  - 20. The computer program product as described in claim 17 wherein, if the value of the name-value pair cannot be validated, the response is an error.
  - 21. The computer program product as described in claim 17 wherein, if the value of the name-value pair cannot be validated, the response is a condition authorization.
  - 22. The computer program product as described in claim 17 wherein the invocation parameters of the module chain include an identity of the custom module and an issuer of the token.

23. A data processing system for use in a federated environment in which a token service fulfills requests by executing a module chain comprising a set of modules, comprising:
- a processor;
  
  computer memory holding computer program instructions that, when executed by the processor, perform the following operations;
  
  defining a custom module to include one or more name-value pairs, wherein a given name-value pair has a value that may be validated against a rule;
  
  responsive to receipt of a token, initiating processing of the module chain that includes the custom module;
  
  during processing of the custom module, attempting to validate the value of a name-value pair based on the rule, wherein the rule is determined during the processing of the custom module based on one or more invocation parameters of the module chain; and
  
  returning a response.
- View Dependent Claims (24, 25)
- - 24. The data processing system as described in claim 23 wherein the invocation parameters are one of:
    - an identity of the custom module, and an identity of token issuer.
  - 25. The data processing system as described in claim 23 wherein the operations further include:
    - generating an internal representation of information in the token; and
      
      evaluating the internal representation to determine if all name-value pairs expected to be in the token are contained within the token;
      
      wherein the evaluating step is performed on a name of each name-value pair.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Hinton, Heather Maria, Wardrop, Patrick Ryan, Salmon, Parley Avery
Primary Examiner(s)
CHEN, SHIN HON

Application Number

US11/939,749
Publication Number

US 20090125972A1
Time in Patent Office

1,588 Days
Field of Search

None
US Class Current

726/8
CPC Class Codes

G06F 21/41   where a single sign-on prov...

H04L 63/0815   providing single-sign-on or...

H04L 63/126   the source of the received ...

Federated single sign-on (F-SSO) request processing using a trust chain having a custom module

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Federated single sign-on (F-SSO) request processing using a trust chain having a custom module

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links