Identity brokering in a network element

US 8,266,327 B2
Filed: 06/15/2006
Issued: 09/11/2012
Est. Priority Date: 06/21/2005
Status: Active Grant

First Claim

Patent Images

1. A data processing apparatus, comprising:

a plurality of network interfaces that are coupled to a data network for receiving one or more packets therefrom and sending one or more packets thereto;

one or more processors;

a switching system coupled to the one or more processors and packet forwarding logic, wherein the switching system and packet forwarding logic are configured to receive packets on a first network interface, determine a second network interface on which to send the packets, and to send the packets on the second network interface;

logic comprising one or more stored instructions which when executed by the one or more processors causes;

receiving over the network, from a message sender, an application-layer message comprising one or more of the packets;

receiving, from a user, a user-defined message identity policy that defines first identity information in a transport-layer protocol header of the application-layer message and that defines whether to extract;

the first identity information from the transport-layer protocol header second identity information from an application-layer protocol header of the application-layer message and third identity information from a message body of the application-layer message;

extracting the first identity information, the second identity information and the third identity information as specified in the message identity policy;

determining one or more authentication operations to authenticate the first identity information, the second identity information and the third identity information;

performing the one or more authentication operations, and in response, receiving one or more message sender identity attributes;

performing a sign-on operation to a destination server of the message sender using the one or more message sender identity attributes;

performing a responsive operation using the received application-layer message and the one or more message sender identity attributes;

binding the one or more message sender identity attributes to a previously created outbound application-layer message.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network infrastructure element such as a router or switch performs brokering network user identity and credential information. An application or administrative user can declare a policy for user identity information extraction, authentication and authorization. Based on the policy, the network element extracts user identity information or credentials from a transport-layer message header, application-layer message header, and message body. Based on the policy, the network element performs one or more authentication or authorization operations with the user identity information or credentials. As a result, a network element can broker identity information among incompatible applications and perform identity operations for the applications.

543 Citations

29 Claims

1. A data processing apparatus, comprising:
- a plurality of network interfaces that are coupled to a data network for receiving one or more packets therefrom and sending one or more packets thereto;
  
  one or more processors;
  
  a switching system coupled to the one or more processors and packet forwarding logic, wherein the switching system and packet forwarding logic are configured to receive packets on a first network interface, determine a second network interface on which to send the packets, and to send the packets on the second network interface;
  
  logic comprising one or more stored instructions which when executed by the one or more processors causes;
  
  receiving over the network, from a message sender, an application-layer message comprising one or more of the packets;
  
  receiving, from a user, a user-defined message identity policy that defines first identity information in a transport-layer protocol header of the application-layer message and that defines whether to extract;
  
  the first identity information from the transport-layer protocol header second identity information from an application-layer protocol header of the application-layer message and third identity information from a message body of the application-layer message;
  
  extracting the first identity information, the second identity information and the third identity information as specified in the message identity policy;
  
  determining one or more authentication operations to authenticate the first identity information, the second identity information and the third identity information;
  
  performing the one or more authentication operations, and in response, receiving one or more message sender identity attributes;
  
  performing a sign-on operation to a destination server of the message sender using the one or more message sender identity attributes;
  
  performing a responsive operation using the received application-layer message and the one or more message sender identity attributes;
  
  binding the one or more message sender identity attributes to a previously created outbound application-layer message.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 9, 10, 11)
- - 2. The apparatus of claim 1, comprising a router or switch for a packet-switched network.
  - 3. The apparatus of claim 1, wherein the logic comprises further instructions which when executed cause forwarding the outbound application-layer message to a next endpoint using an outbound transport protocol that is specified in the message identity policy.
  - 4. The apparatus of claim 1, wherein the message identity policy further specifies the one or more authentication operations to authenticate the one or more of the first identity information, second identity information, and third identity information.
  - 5. The apparatus of claim 1, wherein the logic comprises further instructions which when executed cause:
    - receiving over the network the application-layer message in a first application-layer message format;
      
      extracting from the received application-layer message one or more session identity attributes;
      
      creating the outbound application-layer message in a second application-layer message format that is different from the first application-layer message format;
      
      storing the session identity attributes in the outbound application-layer message according to the second application-layer message format.
  - 6. The apparatus of claim 1, wherein the logic comprises further instructions which when executed cause:
    - receiving over the network the application-layer message in a first application-layer message format;
      
      extracting from the received application-layer message one or more session identity attributes;
      
      creating the outbound application-layer message in a second application-layer message format that is different from the first application-layer message format;
      
      creating a normalized session object that can store the session identity attributes in a format independent of the first application-layer message format and the second application-layer message format;
      
      storing the session identity attributes in the outbound application-layer message according to the second application-layer message format.
  - 7. The apparatus of claim 1, wherein the logic comprises further instructions which when executed cause selecting the next endpoint from among a plurality of endpoint identifiers based on the one or more message sender identity attributes.
  - 9. The apparatus of claim 1, wherein any one or more of the first identity information, second identity information, and third identity information specifies a message sender using a first identity domain of a first network, and wherein the message sender identity attributes identify the message sender using a second identity domain of a second network, wherein the second identity domain is different from the first identity domain.
  - 10. The apparatus of claim 9, wherein the logic operable to perform creating an outbound application-layer message comprises logic operable to perform transforming any one or more of the first identity information, second identity information, and third identity information from the first identity domain into the message sender identity attributes in the second identity domain.
  - 11. The apparatus of claim 1, wherein the logic for performing a responsive operation comprises logic operable to perform any one of:
    - creating an outbound application-layer message that includes the message sender identity attributes, and forwarding the outbound application-layer message to a next endpoint;
      
      dropping the received application-layer message; and
      
      forwarding the received application-layer message to an alternate recipient.

8. A non-transitory computer-readable storage medium encoded with logic to perform identity brokering in a network element, the logic comprising one or more stored instructions which when executed by one or more processors causes:
- receiving over a network, from a message sender, an application-layer message comprising one or more packets;
  
  receiving, from a user, a user-defined message identity policy that defines first identity information in a transport-layer protocol header of the application-layer message and that defines whether to extract;
  
  the first identity information from the transport-layer protocol header second identity information from an application-layer protocol header of the application-layer message and third identity information from a message body of the application-layer message;
  
  extracting the first identity information, the second identity information and the third identity information as specified in the message identity policy;
  
  determining one or more authentication operations to authenticate the first identity information, the second identity information and the third identityinformation;
  
  performing the one or more authentication operations, and in response, receiving one or more message sender identity attributes;
  
  performing a sign-on operation to a destination server of the message sender using the one or more message sender identify attributes;
  
  creating an outbound application-layer message that includes the message sender identity attributes;
  
  forwarding the outbound application-layer message to a next endpoint;
  
  binding the one or more message sender identity attributes to a previously created outbound application-layer message;
  
  wherein the method is performed by one or more processors.

12. A data processing apparatus, comprising:
- a plurality of network interfaces that are coupled to a data network for receiving one or more packets therefrom and sending one or more packets thereto;
  
  one or more processors;
  
  a switching system coupled to the one or more processors and packet forwarding logic, wherein the switching system and packet forwarding logic are configured to receive packets on a first network interface, determine a second network interface on which to send the packets, and to send the packets on the second network interface;
  
  means for receiving over the network, from a message sender, an application-layer message comprising one or more of the packets;
  
  means for receiving, from a user, a user-defined message identity policy that defines first identity information in a transport-layer protocol header of the application-layer message and that defines whether to extract;
  
  the first identity information from the transport-layer protocol header and second identity information from an application-layer protocol header of the application-layer message and third identity information from a message body of the application-layer message;
  
  means for extracting the first identity information, the second identity information and the third identity information as specified in the message identity policy;
  
  means for determining one or more authentication operations to authenticate the first identity information, the second identity information and the third identity information;
  
  means for performing the one or more authentication operations, and in response,receiving one or more message sender identity attributes;
  
  means for performing a sign-on operation to a destination server of the message sender using the one or more message sender identify attributes;
  
  means for performing a responsive operation using the received application-layer message and the one or more message sender identity attributes;
  
  means for binding the one or more message sender identity attributes to a previously created outbound application-layer message.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. The apparatus of claim 12, comprising a router or switch for a packet-switched network.
  - 14. The apparatus of claim 12, further comprising means for forwarding the outbound application-layer message to a next endpoint using an outbound transport protocol that is specified in the message identity policy.
  - 15. The apparatus of claim 12, wherein the message identity policy further specifies the one or more authentication operations to authenticate the one or more of the first identity information, second identity information, and third identity information.
  - 16. The apparatus of claim 12, further comprising:
    - means for receiving over the network the application-layer message in a first application-layer message format;
      
      means for extracting from the received application-layer message one or more session identity attributes;
      
      means for creating the outbound application-layer message in a second application-layer message format that is different from the first application-layer message format;
      
      means for storing the session identity attributes in the outbound application-layer message according to the second application-layer message format.
  - 17. The apparatus of claim 12, further comprising:
    - means for receiving over the network the application-layer message in a first application-layer message format;
      
      means for extracting from the received application-layer message one or more session identity attributes;
      
      means for creating the outbound application-layer message in a second application-layer message format that is different from the first application-layer message format;
      
      means for creating a normalized session object that can store the session identity attributes in a format independent of the first application-layer message format and the second application-layer message format;
      
      means for storing the session identity attributes in the outbound application-layer message according to the second application-layer message format.
  - 18. The apparatus of claim 12, further comprising means for selecting the next endpoint from among a plurality of endpoint identifiers based on the one or more message sender identity attributes.
  - 19. The apparatus of claim 12, wherein any one or more of the first identity information, second identity information, and third identity information specifies a message sender using a first identity domain of a first network, and wherein the message sender identity attributes identify the message sender using a second identity domain of a second network, wherein the second identity domain is different from the first identity domain.
  - 20. The apparatus of claim 19, wherein the means for creating an outbound application-layer message comprises means for transforming any one or more of the first identity information, second identity information, and third identity information from the first identity domain into the message sender identity attributes in the second identity domain.

21. A computer-implemented method, comprising:
- receiving over a network, from a message sender, an application-layer message comprising one or more packets;
  
  receiving, from a user, a user-defined message identity policy that defines first identity information in a transport-layer protocol header of the application-layer message and that defines whether to extract;
  
  the first identity information from the transport-layer protocol header, second identity information in an application-layer protocol header of the application-layer message, and third identity information from a message body of the application-layer message;
  
  extracting the first identity information, the second identity information and the third identity information as specified in the message identity policy;
  
  determining one or more authentication operations to authenticate the first identity information, the second identity information and the third identity information;
  
  performing the one or more authentication operations, and in response, receiving one or more message sender identity attributes;
  
  performing a sign-on operation to a destination server of the message sender using the one or more message sender identify attributes;
  
  creating an outbound application-layer message that includes the message sender identity attributes;
  
  performing a responsive operation using the received application-layer message and the one or more message sender identity attributes;
  
  binding the one or more message sender identity attributes to a previously created outbound application-layer message;
  
  wherein the method is performed by one or more processors.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29)
- - 22. The method of claim 21, wherein the first receiving step comprises receiving the application-layer message in any of a router or switch for a packet-switched network.
  - 23. The method of claim 21, further comprising forwarding the outbound application-layer message to a next endpoint using an outbound transport protocol that is specified in the message identity policy.
  - 24. The method of claim 21, wherein the message identity policy further specifies the one or more authentication operations to authenticate the one or more of the first identity information, second identity information, and third identity information.
  - 25. The method of claim 21, further comprising:
    - receiving over the network the application-layer message in a first application-layer message format;
      
      extracting from the received application-layer message one or more session identity attributes;
      
      creating the outbound application-layer message in a second application-layer message format that is different from the first application-layer message format;
      
      storing the session identity attributes in the outbound application-layer message according to the second application-layer message format.
  - 26. The method of claim 21, further comprising:
    - receiving over the network the application-layer message in a first application-layer message format;
      
      extracting from the received application-layer message one or more session identity attributes;
      
      creating the outbound application-layer message in a second application-layer message format that is different from the first application-layer message format;
      
      creating a normalized session object that can store the session identity attributes in a format independent of the first application-layer message format and the second application-layer message format;
      
      storing the session identity attributes in the outbound application-layer message according to the second application-layer message format.
  - 27. The method of claim 21, further comprising selecting the next endpoint from among a plurality of endpoint identifiers based on the one or more message sender identity attributes.
  - 28. The method of claim 21, wherein any one or more of the first identity information, second identity information, and third identity information specifies a message sender using a first identity domain of a first network, and wherein the message sender identity attributes identify the message sender using a second identity domain of a second network, wherein the second identity domain is different from the first identity domain.
  - 29. The method of claim 28, wherein creating an outbound application-layer message comprises transforming any one or more of the first identity information, second identity information, and third identity information from the first identity domain into the message sender identity attributes in the second identity domain.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Kumar, Sandeep, Raman, Rajesh, Dashora, Vinod
Primary Examiner(s)
Patel, Haresh N
Assistant Examiner(s)
SHAW, PETER C

Application Number

US11/455,011
Publication Number

US 20070005801A1
Time in Patent Office

2,280 Days
Field of Search

709/250, 709/223, 709/227, 709/229, 713/156, 713/170
US Class Current

709/250
CPC Class Codes

H04L 41/0213   Standardised network manage...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/5003   Managing SLA; Interaction b...

H04L 41/5096   wherein the managed service...

H04L 63/08   for authentication of entit...

H04L 63/102   Entity profiles

H04L 67/14   Session management for real...

H04L 67/563   Data redirection of data ne...

H04L 67/564   Enhancement of application ...

H04L 67/565   Conversion or adaptation of...

H04L 67/63   Routing a service request d...

H04L 69/32   Architecture of open system...

H04L 69/321   Interlayer communication pr...

H04L 69/40   for recovering from a failu...

Identity brokering in a network element

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

543 Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Identity brokering in a network element

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

543 Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links