Transforming claim based identities to credential based identities
2 Assignments
0 Petitions
Abstract
Claim based identities are transformed to a set of credentials and securely stored in a secure data store using a number of encryption schemes. The credentials are then used to authenticate applications requiring specific credential types. For each call to the secure store system, a client application may provide a claims token issued by a trusted source, which is used to search for corresponding credentials in the secure data store if the credentials have been created previously for the user.
18 Claims
1. A method to be executed at least in part in a computing device including a memory storing instructions and a processor executing an application in conjunction with the stored instructions for transforming a claim based identity to a credential based identity, the method comprising:
receiving at a secure store service residing on an application server a claim based identity via a security token issued by a trusted authority to a client entity at a front end server through a secure store service proxy residing at the front end server;
mapping a credential to the claim based identity;
validating the claim at the secure store service on the application server;
storing the credential in a secure manner in a Secure Store Database (SSD) associated with the secure store service;
encrypting on the application server the credential stored in the secure store database associated with the secure store service utilizing a master key generated and managed by a key manager;
synchronizing the master key to a new service instance at the key manager;
in response to receiving the security token for each request to access a resource associated with the secure store service, retrieving the credential from a secure store database;
employing a credential manager for decrypting the retrieved credential on the application server;
returning the decrypted credential to the client entity of the request for use in authorization of the client entity to an access controlled resource;
backing up and restoring the SSD at the key manager; and
enabling a user and an administrator to at least one from a set of: create, read, and delete an application employing an application management API declared by an application manager.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9
10. A computer-readable memory device with instructions stored thereon for transforming a claim based identity to a credential based identity, the instructions comprising:
receiving a claim at a Secure Token Service (STS);
providing a security token upon authenticating the claim;
receiving at a secure store service (SSS) residing on an application server a claim based identity via the security token issued by a trusted authority to a client entity at a front end server through a SSS proxy residing at the front end server, wherein a trust relationship between the SSS and the STS has been established;
authenticating the claim based identity;
requesting a credential from a credential manager through the SSS proxy;
retrieving the requested credential from the credential manager;
upon receiving the credential request, validating the claim;
mapping the credential to the claim based on the security token;
encrypting the credential stored in the secure store database associated with the SSS using a master key generated and managed by a key manager and stored in a registry associated with the application server;
synchronizing the master key to a new service instance at the key manager;
modifying a master secret key at the key manager and storing the master secret key at the registry associated with the application server, wherein the master secret key includes the master key and the credential encrypted with a trusted source provided pass phrase;
storing the encrypted credential in a secure manner in a Secure Store Database (SSD) associated with the SSS for use in authorization of subsequent requests for access by a user associated with the claim through providing the credential mapped to the claim;
decrypting the encrypted credential at the credential manager;
receiving the decrypted credential from the credential manager at the SSS;
providing the decrypted credential from the SSS to the client entity through the SSS proxy;
backing up and restoring the SSD by the key manager; and
enabling one of the user and an administrator to at least one from a set of: create, read, and delete an application employing an application management API declared by an application manager.
Dependent claims: 11, 12, 13
14. A system for transforming a claim based identity to a credential based identity, the system comprising:
a web server including a memory and a processor coupled to the memory, the processor configured to execute:
  a Security Token Service (STS) executed on a web server for receiving a request for a security token from a client application and providing the security token to the client application upon authentication of a user associated with the claim, wherein the security token is a Security Assertions Markup Language (SAML) token;
  a first Secure Store Service (SSS) proxy for handling requests from rich clients and web browser clients;
  a second SSS proxy for handling requests from web browser clients only;
an application server including a memory and a processor coupled to the memory, the processor configured to execute a Secure Store Service (SSS) that includes:
  an SSS application for:
    validating the claim;
    authenticating the claim based identity;
    mapping credentials to the claim based on a received security token, wherein the credentials are created based on a Single Sign-On (SSO) claim based identity without relying on dependencies of underlying SSO architecture;
    in response to receiving a request for access to a resource, searching for stored credentials in a secure store database associated with the SSS corresponding to the security token associated with a user submitting the request and providing the stored credentials to the user through one of the first SSS proxy and second SSS proxy;
  a credential manager for:
    receiving and associating the credentials mapped to the claim with applications from the secure store database; and
    encrypting and decrypting the credentials stored in the secure store database and, upon request by the SSS, sending the decrypted credentials to the SSS;
  a key manager for:
    encrypting the credentials for storing in the secure store database associated with the SSS using a master key;
    encrypting the master key using an administrator provided pass phrase as a master secret key, wherein the master secret key is stored along with the encrypted credentials in a registry associated with the application server;
    synchronizing the master key to a new service instance at the key manager;
    modifying the master secret key at the key manager and storing the master secret key at the registry associated with the application server;
    backing up and restoring the secure store database; and
  the secure store database for storing the encrypted credentials and the master key, wherein the secure store database is hosted on a database server and managed by the application server.
Dependent claims: 15, 16, 17, 18
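The claims above describe a two-level key hierarchy (credential rows encrypted under a master key, the master key wrapped under an administrator supplied pass phrase and kept in the registry as the "master secret key") in front of a lookup keyed by the claim identity that an STS-issued token carries. The following is an added worked example written for this page, not code from the patent or from any product that implements it. It assumes an HMAC over the subject as a stand-in for the SAML token (the page does not say how the SSS verifies the token), PBKDF2 as the pass-phrase-to-key step (the claims only say the master key is encrypted with the pass phrase), and an HMAC-based counter-mode cipher with an encrypt-then-MAC tag as a standard-library stand-in for an AEAD such as AES-GCM. All names (`SecureStore`, `issue_token`, `seal`, `unseal`) and the test inputs are the example's own.

```python
import hashlib
import hmac
import secrets

KDF_ITERS = 100_000            # PBKDF2 work factor for the pass phrase (example choice)
MASTER_AAD = b"sss-master-key"  # context label bound to the wrapped master key


def issue_token(sts_key, subject):
    # STS side. Stand-in for the SAML token: the SSS accepts it because the
    # HMAC verifies under a key shared with the STS (example assumption).
    return {"sub": subject, "mac": hmac.digest(sts_key, subject.encode(), "sha256")}


def _kek(passphrase, salt):
    # Pass phrase -> key-encryption key. The claims only say the master key is
    # "encrypted with" the pass phrase; PBKDF2 is this example's choice.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, KDF_ITERS)


def _subkeys(key):
    # Separate keys for confidentiality and integrity, derived from one input key.
    return hmac.digest(key, b"enc", "sha256"), hmac.digest(key, b"mac", "sha256")


def _keystream(ek, nonce, n):
    # HMAC-SHA256 as a PRF in counter mode: a stdlib stand-in for a block cipher.
    blocks = (hmac.digest(ek, nonce + i.to_bytes(4, "big"), "sha256") for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def _tag(mk, nonce, aad, ct):
    # Length-prefix aad so the (aad, ct) boundary is unambiguous under the MAC.
    return hmac.digest(mk, nonce + len(aad).to_bytes(4, "big") + aad + ct, "sha256")


def seal(key, plaintext, aad):
    # Encrypt-then-MAC. aad binds the blob to its context (here the claim
    # identity) so a row copied under another identity fails to open.
    ek, mk = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(ek, nonce, len(plaintext))))
    return nonce + ct + _tag(mk, nonce, aad, ct)


def unseal(key, blob, aad):
    if len(blob) < 48:
        raise ValueError("ciphertext too short")
    ek, mk = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(mk, nonce, aad, ct)):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(ek, nonce, len(ct))))


class SecureStore:
    # One SSS instance: the master key held by the key manager, its pass-phrase-
    # wrapped form as it would sit in the registry (the "master secret key"), and
    # the SSD mapping claim identity -> credential encrypted under the master key.

    def __init__(self, sts_key, passphrase, salt=None, wrapped_master=None, db=None):
        self.sts_key = sts_key
        self.salt = salt or secrets.token_bytes(16)
        self.db = dict(db or {})
        kek = _kek(passphrase, self.salt)
        if wrapped_master is None:  # fresh instance: generate and wrap the master key
            self.master = secrets.token_bytes(32)
            self.wrapped_master = seal(kek, self.master, MASTER_AAD)
        else:                       # restore or new instance: unwrap the persisted one
            self.master = unseal(kek, wrapped_master, MASTER_AAD)
            self.wrapped_master = wrapped_master

    def sync_to_new_instance(self, passphrase):
        # Stand up a second instance from persisted state plus the pass phrase.
        return SecureStore(self.sts_key, passphrase, self.salt, self.wrapped_master, self.db)

    def change_passphrase(self, old, new):
        # Modify the master secret key: only the wrapper is rewritten; rows stay as they are.
        unseal(_kek(old, self.salt), self.wrapped_master, MASTER_AAD)  # raises if old is wrong
        self.wrapped_master = seal(_kek(new, self.salt), self.master, MASTER_AAD)

    def _validate(self, token):
        expected = issue_token(self.sts_key, token["sub"])["mac"]
        if not hmac.compare_digest(expected, token["mac"]):
            raise PermissionError("token not issued by the trusted STS")
        return token["sub"]

    def set_credential(self, token, credential):
        # Map a credential to the claim identity and store it encrypted.
        sub = self._validate(token)
        self.db[sub] = seal(self.master, credential.encode(), sub.encode())

    def get_credential(self, token):
        # Per request: validate the token, look the row up by identity, decrypt.
        sub = self._validate(token)
        if sub not in self.db:
            raise KeyError("no credential mapped to this identity")
        return unseal(self.master, self.db[sub], sub.encode()).decode()
```

Two checks are worth noticing. Binding each row to its claim identity through the associated data means a row copied to another subject's slot in the SSD fails to decrypt, so an attacker with write access to the database cannot hand one user's credential to another. Rotating the pass phrase (`change_passphrase`) rewrites only the wrapped master key, never the rows, which is why the claims can keep the master secret key in the registry and synchronize it to a new instance independently of backing up and restoring the SSD itself.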