Identity brokering in a network element
Abstract
A network infrastructure element such as a router or switch performs brokering of network user identity and credential information. An application or administrative user can declare a policy for user identity information extraction, authentication and authorization. Based on the policy, the network element extracts user identity information or credentials from a transport-layer message header, an application-layer message header, and the message body. Based on the policy, the network element performs one or more authentication or authorization operations with the user identity information or credentials. As a result, a network element can broker identity information among incompatible applications and perform identity operations on behalf of those applications.
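As an added illustration (not code from the patent or its assignee), the following Python models the claimed flow on a network element: a user-defined policy selects which of the three layers (transport-layer header, application-layer header, message body) identity information is extracted from, the extracted values are cross-checked and verified, and the resulting sender attributes are bound to an outbound message. The HTTP/SOAP-style sample message, the credential store (constructed, standing in for the external authentication service), the element paths and the `X-Identity-Attributes` header name are all assumptions; the sign-on to the destination server is not modelled.

```python
import base64
import hmac
import xml.etree.ElementTree as ET

# Constructed sample: an HTTP POST carrying a SOAP-style message (not taken from the patent).
RAW_MESSAGE = (
    "POST /orders HTTP/1.1\r\nHost: erp.example.internal\r\n"
    "Authorization: Basic " + base64.b64encode(b"alice:s3cret").decode() + "\r\n\r\n"
    "<Envelope><Header><Username>alice</Username></Header>"
    "<Body><Order><SubmittedBy>alice</SubmittedBy></Order></Body></Envelope>"
)
# Constructed credential store standing in for the external authentication service.
CREDENTIALS = {"alice": {"password": "s3cret", "attributes": {"dept": "finance", "role": "buyer"}}}
LAYER_PATHS = {"application": "Header/Username", "body": "Body/Order/SubmittedBy"}  # assumed paths

def extract_identity(raw, policy):
    """Extract identity information from each layer the user-defined policy enables."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {k.strip().lower(): v.strip() for k, _, v in
               (line.partition(":") for line in head.split("\r\n")[1:])}
    found = {}
    if policy.get("transport"):          # first identity info: HTTP Authorization header
        scheme, _, token = headers.get("authorization", "").partition(" ")
        if scheme.lower() == "basic":
            found["transport"] = tuple(base64.b64decode(token).decode().split(":", 1))
    if any(policy.get(layer) for layer in LAYER_PATHS):
        root = ET.fromstring(body)       # parse once for application-layer header and body
        for layer, path in LAYER_PATHS.items():
            el = root.find(path)         # second (header) / third (body) identity info
            if policy.get(layer) and el is not None:
                found[layer] = el.text
    return found

def authenticate(found):
    """All extracted layers must name one subject and the credential must verify; else None."""
    user, secret = found.get("transport", (None, None))
    if user is None or {found.get("application", user), found.get("body", user)} != {user}:
        return None                      # no verifiable credential, or identity layers disagree
    record = CREDENTIALS.get(user)
    if record is None or not hmac.compare_digest(record["password"], secret):
        return None
    return dict(record["attributes"])    # message sender identity attributes

def broker(raw, policy, outbound_headers):
    """Authenticate the sender and bind the resulting attributes to the outbound message."""
    attrs = authenticate(extract_identity(raw, policy))
    if attrs is None:
        return None
    return {**outbound_headers,
            "X-Identity-Attributes": ";".join(f"{k}={v}" for k, v in sorted(attrs.items()))}
```

Disagreement between layers is treated as a failure rather than resolved by precedence, so a body claiming a different user than the authenticated header is never brokered onward.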
543 Citations
29 Claims
1. A data processing apparatus, comprising:
- a plurality of network interfaces that are coupled to a data network for receiving one or more packets therefrom and sending one or more packets thereto;
- one or more processors;
- a switching system coupled to the one or more processors and packet forwarding logic, wherein the switching system and packet forwarding logic are configured to receive packets on a first network interface, determine a second network interface on which to send the packets, and to send the packets on the second network interface;
- logic comprising one or more stored instructions which when executed by the one or more processors causes:
  - receiving over the network, from a message sender, an application-layer message comprising one or more of the packets;
  - receiving, from a user, a user-defined message identity policy that defines first identity information in a transport-layer protocol header of the application-layer message and that defines whether to extract the first identity information from the transport-layer protocol header, second identity information from an application-layer protocol header of the application-layer message, and third identity information from a message body of the application-layer message;
  - extracting the first identity information, the second identity information and the third identity information as specified in the message identity policy;
  - determining one or more authentication operations to authenticate the first identity information, the second identity information and the third identity information;
  - performing the one or more authentication operations, and in response, receiving one or more message sender identity attributes;
  - performing a sign-on operation to a destination server of the message sender using the one or more message sender identity attributes;
  - performing a responsive operation using the received application-layer message and the one or more message sender identity attributes;
  - binding the one or more message sender identity attributes to a previously created outbound application-layer message.

Dependent claims: 2, 3, 4, 5, 6, 7, 9, 10, 11.

8. A non-transitory computer-readable storage medium encoded with logic to perform identity brokering in a network element, the logic comprising one or more stored instructions which when executed by one or more processors causes:
- receiving over a network, from a message sender, an application-layer message comprising one or more packets;
- receiving, from a user, a user-defined message identity policy that defines first identity information in a transport-layer protocol header of the application-layer message and that defines whether to extract the first identity information from the transport-layer protocol header, second identity information from an application-layer protocol header of the application-layer message, and third identity information from a message body of the application-layer message;
- extracting the first identity information, the second identity information and the third identity information as specified in the message identity policy;
- determining one or more authentication operations to authenticate the first identity information, the second identity information and the third identity information;
- performing the one or more authentication operations, and in response, receiving one or more message sender identity attributes;
- performing a sign-on operation to a destination server of the message sender using the one or more message sender identity attributes;
- creating an outbound application-layer message that includes the message sender identity attributes;
- forwarding the outbound application-layer message to a next endpoint;
- binding the one or more message sender identity attributes to a previously created outbound application-layer message;
- wherein the method is performed by one or more processors.

12. A data processing apparatus, comprising:
- a plurality of network interfaces that are coupled to a data network for receiving one or more packets therefrom and sending one or more packets thereto;
- one or more processors;
- a switching system coupled to the one or more processors and packet forwarding logic, wherein the switching system and packet forwarding logic are configured to receive packets on a first network interface, determine a second network interface on which to send the packets, and to send the packets on the second network interface;
- means for receiving over the network, from a message sender, an application-layer message comprising one or more of the packets;
- means for receiving, from a user, a user-defined message identity policy that defines first identity information in a transport-layer protocol header of the application-layer message and that defines whether to extract the first identity information from the transport-layer protocol header and second identity information from an application-layer protocol header of the application-layer message and third identity information from a message body of the application-layer message;
- means for extracting the first identity information, the second identity information and the third identity information as specified in the message identity policy;
- means for determining one or more authentication operations to authenticate the first identity information, the second identity information and the third identity information;
- means for performing the one or more authentication operations, and in response, receiving one or more message sender identity attributes;
- means for performing a sign-on operation to a destination server of the message sender using the one or more message sender identity attributes;
- means for performing a responsive operation using the received application-layer message and the one or more message sender identity attributes;
- means for binding the one or more message sender identity attributes to a previously created outbound application-layer message.

Dependent claims: 13, 14, 15, 16, 17, 18, 19, 20.

21. A computer-implemented method, comprising:
- receiving over a network, from a message sender, an application-layer message comprising one or more packets;
- receiving, from a user, a user-defined message identity policy that defines first identity information in a transport-layer protocol header of the application-layer message and that defines whether to extract the first identity information from the transport-layer protocol header, second identity information in an application-layer protocol header of the application-layer message, and third identity information from a message body of the application-layer message;
- extracting the first identity information, the second identity information and the third identity information as specified in the message identity policy;
- determining one or more authentication operations to authenticate the first identity information, the second identity information and the third identity information;
- performing the one or more authentication operations, and in response, receiving one or more message sender identity attributes;
- performing a sign-on operation to a destination server of the message sender using the one or more message sender identity attributes;
- creating an outbound application-layer message that includes the message sender identity attributes;
- performing a responsive operation using the received application-layer message and the one or more message sender identity attributes;
- binding the one or more message sender identity attributes to a previously created outbound application-layer message;
- wherein the method is performed by one or more processors.

Dependent claims: 22, 23, 24, 25, 26, 27, 28, 29.

Specification