Push artifact binding for communication in a federated identity system

US 8,302,168 B2
Filed: 10/30/2008
Issued: 10/30/2012
Est. Priority Date: 01/18/2008
Status: Expired due to Fees

First Claim

Patent Images

1. A data processing system comprising:

a service provider addressable through a Uniform Resource Locator and to offer a plurality of services associated with corresponding second Uniform Resource Locators stored in a federated identity record at a Domain Name Service; and

an identity provider to handle a federated action by determining that a user request is to be conveyed to the service provider, retrieving one of the second Uniform Resource Locators from the federated identity record at the Domain Name Service corresponding to a federated service in the user request, and sending a request or assertion as a push message over a back-channel communication pathway to the service provider at the one of the second Uniform Resource Locators,the service provider to handle the federated action by sending a response to the message over the back-channel communication pathway to the identity provider including a third Uniform Resource Locator to which the user is to be directed, and the identity provider to redirect the user to the third Uniform Resource Locator specified in the response.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A data processing system implements push artifact binding for communication in a federated identity system. A federated identity system in the data processing system comprises an initiator that handles a federated action by determining that a user is to be conveyed to a recipient, constructing an appropriate message request or assertion to be sent to the recipient, and sending the message as a push message over a back-channel communication pathway directed to the recipient'"'"'s location. The federated identity system further comprises a recipient that handles the federated action by responding to the message by forming a Uniform Resource Locator (URL) to which the user can be directed. The initiator redirects the user to the URL specified in the recipient response.

36 Citations

21 Claims

1. A data processing system comprising:
- a service provider addressable through a Uniform Resource Locator and to offer a plurality of services associated with corresponding second Uniform Resource Locators stored in a federated identity record at a Domain Name Service; and
  
  an identity provider to handle a federated action by determining that a user request is to be conveyed to the service provider, retrieving one of the second Uniform Resource Locators from the federated identity record at the Domain Name Service corresponding to a federated service in the user request, and sending a request or assertion as a push message over a back-channel communication pathway to the service provider at the one of the second Uniform Resource Locators,the service provider to handle the federated action by sending a response to the message over the back-channel communication pathway to the identity provider including a third Uniform Resource Locator to which the user is to be directed, and the identity provider to redirect the user to the third Uniform Resource Locator specified in the response.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 21)
- - 2. The system according to claim 1 further comprising:
    - the identity provider to perform artifact binding to first use the back-channel communication pathway to communicate the push message to push redirection by the identity provider to the service provider at the one of the second Uniform Resource Locators, followed by redirecting the user.
  - 3. The system according to claim 1 further comprising:
    - the identity provider to operate as an initiator or a recipient; and
      
      the service provider to operate as the initiator when the identity provider operates as the recipient, and to operate as the recipient when the identity provider operates as the initiator.
  - 4. The system according to claim 3 further comprising:
    - at least one intermediary comprising a federation router, broker, or proxy to communicate from the initiator to the recipient.
  - 5. The system according to claim 1 further comprising:
    - the service provider to further handle the federated action by combining a unique identifier equivalent to an artifact binding into the third Uniform Resource Locator to which the user is to be directed.
  - 6. The system according to claim 1 further comprising:
    - the service provider to handle the federated action by determining that the user request is to be conveyed to a second service provider, the service provider to operate as an intermediary by sending the message over the back-channel communication pathway to the second service provider without redirecting the user to the second service provider, the second service provider to send the third Uniform Resource Locator over the back-channel communication pathway to the identity provider via the service provider operating as an intermediary.
  - 7. The system according to claim 6 further comprising:
    - the service provider to handle the federated action by determining that the user request is to be conveyed to an additional service provider, sending the message over the back-channel communication pathway to the additional service provider, and performing the determining and sending actions for at least one additional service provider to a final service provider, wherein a back-channel response from the at least one additional service provider is to propagate to the identity provider over the back-channel communication pathway, and the identity provider is to redirect the user with only a single redirect, the single redirect directed to the third Uniform Resource Locator specified in the response of the final service provider.
  - 8. The system according to claim 1 further comprising:
    - a final service provider; and
      
      a plurality of intermediaries to propagate a response from the final service provider through to the identity provider to cause only a single redirect of the user in response to the user request to reach the federated service.
  - 9. The system according to claim 1 wherein:
    - the back-channel communication pathway is based on a Simple Object Access Protocol (SOAP).
  - 21. The system according to claim 1 wherein retrieving the one of the second Universal Resource Locators from the federated identity record at the Domain Name Service comprises not relying on an initial meta-data exchange between the identity provider and the service provider.

10. A method to communicate in a federated identity system comprising:
- for a service provider addressable through a Uniform Resource Locator, storing second Uniform Resource Locators corresponding to a plurality of services offered by the service provider in a federated identity record at a Domain Name Service;
  
  handling a federated action at an identity provider by;
  
  determining that a user request is to be conveyed to the service provider;
  
  retrieving one of the second Uniform Resource Locators from the federated identity record at the Domain Name Service corresponding to a federated service in the user request; and
  
  sending a request or assertion as a push message over a back-channel communication pathway to the service provider at the one of the second Uniform Resource Locators;
  
  handling the federated action at the service provider by sending a response to the message over the back-channel communication pathway to the identity provider including a third Uniform Resource Locator to which the user is to be directed; and
  
  redirecting the user to the third Uniform Resource Locator specified in the response.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The method according to claim 10 further comprising handling the federated action at the service provider by combining a unique identifier equivalent to an artifact binding into the third Uniform Resource Locator to which the user is to be directed.
  - 12. The method according to claim 10 further comprising:
    - handling the federated action at the service provider by;
      
      determining that the user request is to be conveyed to a second service provider, the service provider to operate as an intermediary by sending the message over the back-channel communication pathway to the second service provider without redirecting the user to the second service provider, the second service provider to send the third Uniform Resource Locator over the back-channel communication pathway to the identity provider via the second service provider operating as an intermediary.
  - 13. The method according to claim 12 further comprising:
    - handling the federated action at the service provider by;
      
      determining that the user request is to be conveyed to an additional service provider;
      
      sending the message over the back-channel communication pathway to the additional service provider; and
      
      performing the determining and sending actions for at least one additional service provider to a final service provider, wherein a back-channel response from the at least one additional service provider is to propagate to the identity provider over the back-channel communication pathway, and the identity provider is to redirect the user with only a single redirect, the single redirect directed to the third Universal Resource Locator specified in the response of the final service provider.
  - 14. The method according to claim 10 wherein:
    - the identity provider is to operate as an initiator or a recipient; and
      
      the service provider is to operate as the initiator when the identity provider operates as the recipient, and to operate as the recipient when the identity provider operates as the initiator.
  - 15. The method according to claim 10 further comprising:
    - the identity provider and the service provider to communicate via at least one intermediary that is a federation router, broker, or proxy.
  - 16. The method according to claim 10 further comprising:
    - propagating from a final service provider through a plurality of intermediaries to the identity provider to cause only a single redirect of the user in response to the request to reach the federated service.
  - 17. The method according to claim 10 further comprising:
    - replacing a plurality of Uniform Resource Locators associated with a plurality of federation node services by a single back-channel communication service Uniform Resource Locator, wherein the single back-channel communication service Uniform Resource Locator is the third Uniform Resource Locator to redirect the user to one of the plurality of Uniform Resource Locators.

18. A tangible computer readable storage device or storage disk comprising instructions to, at least:
- cause a controller in a service provider addressable through a Uniform Resource Locator to store second Uniform Resource Locators corresponding to a plurality of services offered by the service provider in a federated identity record at a Domain Name Service;
  
  cause a controller in an identity provider to determine that a user request is to be conveyed to the service provider;
  
  cause the controller in the identity provider to retrieve one of the second Uniform Resource Locators from the federated identity record at the Domain Name Service corresponding to a federated service in the user request;
  
  cause the controller in the identity provider to send a request or assertion as a push message over a back-channel communication pathway to the service provider at the one of the second Uniform Resource Locators;
  
  cause the controller in the service provider to send a response to the message over the back-channel communication pathway to the identity provider including a third Uniform Resource Locator to which the user is to be directed;
  
  cause the controller in the service provider to combine a unique identifier equivalent to an artifact binding into the third Uniform Resource Locator to which the user is to be directed; and
  
  cause the controller in the identity provider to redirect the user to the third Universal Resource Locator specified in the response.
- View Dependent Claims (19, 20)
- - 19. The tangible computer readable storage device or storage disk according to claim 18 further comprising instructions to, at least:
    - cause the controller in the service provider to determine that the user request is to be conveyed to a second service provider, the service provider to operate as an intermediary by sending the message over the back-channel communication pathway to the second service provider without redirecting the user to the second service provider, wherein the instructions cause a controller in the second service provider to send the third Uniform Resource Locator over the back-channel communication pathway to the identity provider.
  - 20. The tangible computer readable storage device or storage disk according to claim 19 further comprising instructions to, at least:
    - cause the controller in the service provider to determine that the user request is to be conveyed to an additional service provider;
      
      cause the controller in the service provider to send the message over the back-channel communication pathway to the additional service provider; and
      
      cause the controller in the service provider to determine that the user request is to be conveyed to an additional service provider, the instructions to cause a controller in the additional service provider to send the message to a final service provider, wherein a back-channel response from the at least one additional service provider is to propagate to the identity provider over the back channel communication pathway.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Micro Focus LLC (Open Text Corporation)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Tulshibagwale, Atul, Rouault, Jason
Primary Examiner(s)
Smithers, Matthew
Assistant Examiner(s)
Sholeman, Abu

Application Number

US12/261,913
Publication Number

US 20090187974A1
Time in Patent Office

1,461 Days
Field of Search

726 3- 6, 726/12, 726/14, 713/185, 713/168, 713/182, 713/183, 709/225, 709/229, 707/782, 707/784
US Class Current

726/5
CPC Class Codes

H04L 63/20 for managing network securi...

Push artifact binding for communication in a federated identity system

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

36 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Push artifact binding for communication in a federated identity system

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

36 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links