Method and system for policy-based initiation of federation management

US 8,151,317 B2
Filed: 07/07/2006
Issued: 04/03/2012
Est. Priority Date: 07/07/2006
Status: Active Grant

First Claim

Patent Images

1. A method for performing a federation protocol operation within a data processing system, the computer-implemented method comprising:

receiving a message;

in response to a determination that the message is associated with a federated user lifecycle management (FULM) operation such that subsequent processing of the message requires execution of a first federation protocol operation, filtering, by a policy filter mechanism, the message against a set of policies to determine a subset of one or more applicable policies, the set of policies stored in a database;

in response to a determination that an applicable policy of the set of policies should be applied, suspending processing of the message by the first federation protocol operation;

enforcing an applicable policy by performing a second federation protocol operation as indicated by the applicable policy prior to performing the first federation protocol operation; and

in response to concluding enforcement of the applicable policy, initiating the first federation protocol operation against the message.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, a system, an apparatus, and a computer program product is presented for performing federation protocol operations within a data processing system. A message is received. In response to a determination that subsequent processing of the message requires execution of a first federation protocol operation, the message is filtered against a set of policies to determine a subset of one or more applicable policies. An applicable policy is enforced by performing a second federation protocol operation as indicated by the applicable policy prior to performing the first federation protocol operation. In response to concluding enforcement of the applicable policy, the first federation protocol operation is initiated.

40 Citations

View as Search Results

30 Claims

1. A method for performing a federation protocol operation within a data processing system, the computer-implemented method comprising:
- receiving a message;
  
  in response to a determination that the message is associated with a federated user lifecycle management (FULM) operation such that subsequent processing of the message requires execution of a first federation protocol operation, filtering, by a policy filter mechanism, the message against a set of policies to determine a subset of one or more applicable policies, the set of policies stored in a database;
  
  in response to a determination that an applicable policy of the set of policies should be applied, suspending processing of the message by the first federation protocol operation;
  
  enforcing an applicable policy by performing a second federation protocol operation as indicated by the applicable policy prior to performing the first federation protocol operation; and
  
  in response to concluding enforcement of the applicable policy, initiating the first federation protocol operation against the message.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The method of claim 1 further comprising:
    - implementing the first federation protocol operation in accordance with specifications of a first federation; and
      
      implementing the second federation protocol operation in accordance with specifications of a second federation, wherein the first federation and the second federation are not identical.
  - 3. The method of claim 1 wherein the first federation protocol operation and the second federation protocol operation are implemented in accordance with specifications of a first federation.
  - 4. The method of claim 1 wherein successful completion of the second federation protocol operation is not required in order to successfully complete the first federation protocol operation.
  - 5. The method of claim 1 further comprising:
    - determining an applicable policy based upon characteristics of the first federation protocol operation as indicated within the received message.
  - 6. The method of claim 1 further comprising:
    - determining whether a policy in the set of policies is an applicable policy based upon attributes for an identifier that is indicated within the received message.
  - 7. The method of claim 6 further comprising:
    - analyzing the message to determine an identifier that is associated with a transaction that generated the message;
      
      obtaining attributes of the identifier;
      
      evaluating a rule of the policy using the attributes of the identifier; and
      
      in response to positive evaluation of the rule that triggers enforcement of the policy, suspending performance of the first federation protocol operation.
  - 8. The method of claim 7 further comprising:
    - employing additional parameter values other than attributes of the identifier while evaluating the rule.
  - 9. The method of claim 7 further comprising:
    - in response to triggering the evaluated rule, determining from the policy the second federation protocol operation that is to be performed; and
      
      initiating the second federation protocol operation.
  - 10. The method of claim 1 further comprising:
    - in response to concluding the second federation protocol operation as indicated by the applicable policy, storing information that indicates success or failure in enforcing the applicable policy.
  - 11. The method of claim 1 further comprising:
    - determining whether a policy in the set of policies is an applicable policy based upon stored information that indicates previous success or failure in enforcing a policy.
  - 12. The method of claim 1 wherein the received message is an inbound message at an identity provider.
  - 13. The method of claim 1 wherein the received message is an outbound message at a service provider.
  - 14. The method of claim 1 further comprising:
    - determining by an identity provider that the received message is an authentication request from a requesting federation partner for an identifier; and
      
      enforcing a policy that requires, in response to a determination that an alias with the requesting federation partner for the identifier is greater than a predetermined time value, an initiation of a “
      
      Register Name Identifier”
      
      (RNI) operation to update the alias.
  - 15. The method of claim 1 further comprising:
    - determining by an identity provider that the received message is an authentication request from a requesting federation partner for an identifier; and
      
      enforcing a policy that requires, in response to a determination that a session for the identifier is greater than a predetermined time value, an initiation of a re-authentication operation.
  - 16. The method of claim 15 wherein the enforced policy is a shared policy between the identity provider and the federation partner.
  - 17. The method of claim 1 further comprising:
    - determining by an identity provider that the received message is an authentication request for an identifier from a federation partner within a given federation; and
      
      enforcing a policy that requires a logout of operations for the identifier within federations other than the given federation.
  - 18. The method of claim 1 further comprising:
    - determining by an identity provider that the received message is an authentication response to a requesting federation partner for a user; and
      
      enforcing a policy that requires, in response to a determination that an authentication operation has not been completed due to insufficient user attribute information for the user;
      
      interacting with the user by the identity provider to obtain additional user attribute information for the user;
      
      generating a new credential for the user.
  - 19. The method of claim 1 further comprising:
    - determining by an identity provider that the received message is a response to a requesting federation partner for a user in which the response contains personally identifiable information about the user that requires consent by the user before releasing the personally identifiable information to the federation partner; and
      
      enforcing a policy that requires, in response to a determination that the user has not provided consent to releasing the information to the federation partner, interacting with the user by the identity provider to obtain consent from the user for releasing the personally identifiable information to the federation partner.
  - 20. The method of claim 1 further comprising:
    - determining by an identity provider that the received message is a response to a requesting federation partner; and
      
      enforcing a policy that requires additional attributes to be added to the response prior to sending the response to the federation partner.

21. A computer program product on a non-transitory computer readable storage medium for use within a data processing system for performing a federation protocol operation, the computer program product holding computer program instructions which when executed by the data processing system perform a method comprising:
- receiving a message;
  
  in response to a determination that the message is associated with a federated user lifecycle management (FULM) operation such that subsequent processing of the message requires execution of a first federation protocol operation, filtering the message against a set of policies to determine a subset of one or more applicable policies in response to a determination that subsequent processing of the message requires execution of a first federation protocol operation;
  
  in response to a determination that an applicable policy of the set of policies should be applied, suspending processing of the message by the first federation protocol operation;
  
  enforcing an applicable policy by performing a second federation protocol operation as indicated by the applicable policy prior to performing the first federation protocol operation; and
  
  initiating the first federation protocol operation in response to concluding enforcement of the applicable policy against the message.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29)
- - 22. The computer program product of claim 21 wherein the method further comprises:
    - implementing the first federation protocol operation in accordance with specifications of a first federation; and
      
      implementing the second federation protocol operation in accordance with specifications of a second federation, wherein the first federation and the second federation are not identical.
  - 23. The computer program product of claim 21 wherein successful completion of the second federation protocol operation is not required in order to successfully complete the first federation protocol operation.
  - 24. The computer program product of claim 21 wherein the method further comprises:
    - determining an applicable policy based upon characteristics of the first federation protocol operation as indicated within the received message.
  - 25. The computer program product of claim 21 wherein the method further comprises:
    - determining whether a policy in the set of policies is an applicable policy based upon attributes for an identifier that is indicated within the received message.
  - 26. The computer program product of claim 21 wherein the method further comprises:
    - evaluating a rule of the policy;
      
      suspending performance of the first federation protocol operation in response to positive evaluation of the rule that triggers enforcement of the policy;
      
      determining from the policy the second federation protocol operation that is to be performed in response to triggering the evaluated rule; and
      
      initiating the second federation protocol operation.
  - 27. The computer program product of claim 21 wherein the method further comprises:
    - determining by an identity provider that the received message is an authentication request from a requesting federation partner for an identifier; and
      
      enforcing a policy that requires, in response to a determination that an alias with the requesting federation partner for the identifier is greater than a predetermined time value, an initiation of a “
      
      Register Name Identifier”
      
      (RNI) operation to update the alias.
  - 28. The computer program product of claim 21 wherein the method further comprises:
    - determining by an identity provider that the received message is an authentication request from a requesting federation partner for an identifier; and
      
      enforcing a policy that requires, in response to a determination that a session for the identifier is greater than a predetermined time value, an initiation of a re-authentication operation.
  - 29. The computer program product of claim 21 wherein the method further comprises:
    - determining by an identity provider that the received message is an authentication request for an identifier from a federation partner within a given federation; and
      
      enforcing a policy that requires a logout of operations for the identifier within federations other than the given federation.

30. An apparatus of a data processing system for performing a federation protocol operation, the apparatus comprising:
- a processor;
  
  a computer memory holding computer program instructions which when executed by the processor perform a method comprising;
  
  receiving a message;
  
  in response to a determination that the message is associated with a federated user lifecycle management (FULM) operation such that subsequent processing of the message requires execution of a first federation protocol operation, filtering the message against a set of policies to determine a subset of one or more applicable policies in response to a determination that subsequent processing of the message requires execution of a first federation protocol operation;
  
  in response to a determination that an applicable policy of the set of policies should be applied, suspending processing of the message by the first federation protocol operation;
  
  enforcing an applicable policy by performing a second federation protocol operation as indicated by the applicable policy prior to performing the first federation protocol operation; and
  
  initiating the first federation protocol operation in response to concluding enforcement of the applicable policy against the message.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Hinton, Heather M., Wardrop, Patrick R.
Primary Examiner(s)
Arani, Taghi
Assistant Examiner(s)
MEHEDI, MORSHED D

Application Number

US11/456,118
Publication Number

US 20080010665A1
Time in Patent Office

2,097 Days
Field of Search

726/1, 726/8
US Class Current

726/1
CPC Class Codes

G06F 21/41   where a single sign-on prov...

G06Q 99/00   Subject matter not provided...

H04L 63/0815   providing single-sign-on or...

H04L 63/20   for managing network securi...

Method and system for policy-based initiation of federation management

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

40 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for policy-based initiation of federation management

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

40 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links