Authentication of a principal in a federation

US 8,418,234 B2
Filed: 12/15/2005
Issued: 04/09/2013
Est. Priority Date: 12/15/2005
Status: Expired due to Fees

First Claim

Patent Images

1. A method of authentication of a principal in a federation, the method implemented by an identity provider, the identity provider comprising a module of automated computing machinery that includes a computer processor and a computer memory operatively coupled to the computer processor, the method comprising:

receiving, at the identity provider, an authentication request specifying a service provider'"'"'s authentication policy, the authentication request having been generated at the service provider in response to receipt at the service provider of a request of the principal for access to a resource of the service provider and a determination by the service provider that an authentication credential of the request does not satisfy the service provider'"'"'s authentication policy;

authenticating the principal by the identity provider according to the service provider'"'"'s authentication policy;

recording in session data of the identity provider an authentication credential satisfying the service provider'"'"'s authentication policy; and

sending an authentication response from the identity provider to the service provider, the authentication response including the authentication credential satisfying the service provider'"'"'s authentication policy, the authentication credential adapted to be recordable in session data of the service provider.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and computer program products are disclosed that give entities flexibility to implement custom authentication methods of other entities for authentication of a principal in a federation by authenticating the principal by an identity provider according to a service provider'"'"'s authentication policy and recording in session data of the identity provider an authentication credential satisfying the service provider'"'"'s authentication policy. Authentication of a principal in a federation is also carried out by authenticating the principal by the identity provider according to an identity provider'"'"'s authentication policy. Authentication of a principal in a federation is further carried out by receiving in the identity provider an authentication request from the service provider, the authentication request specifying the service provider'"'"'s authentication policy.

24 Citations

View as Search Results

12 Claims

1. A method of authentication of a principal in a federation, the method implemented by an identity provider, the identity provider comprising a module of automated computing machinery that includes a computer processor and a computer memory operatively coupled to the computer processor, the method comprising:
- receiving, at the identity provider, an authentication request specifying a service provider'"'"'s authentication policy, the authentication request having been generated at the service provider in response to receipt at the service provider of a request of the principal for access to a resource of the service provider and a determination by the service provider that an authentication credential of the request does not satisfy the service provider'"'"'s authentication policy;
  
  authenticating the principal by the identity provider according to the service provider'"'"'s authentication policy;
  
  recording in session data of the identity provider an authentication credential satisfying the service provider'"'"'s authentication policy; and
  
  sending an authentication response from the identity provider to the service provider, the authentication response including the authentication credential satisfying the service provider'"'"'s authentication policy, the authentication credential adapted to be recordable in session data of the service provider.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1 further comprises authenticating the principal by the identity provider according to an identity provider'"'"'s authentication policy.
  - 3. The method of claim 1 wherein authenticating the principal further comprises authenticating the principal by an access manager of the identity provider.
  - 4. The method of claim 1 wherein authenticating the principal further comprises authenticating the principal by an authentication proxy of the identity provider.
  - 5. The method of claim 1 wherein the principal is represented as a web service described in a Web Services Description Language (WSDL) document and the receiving occurs at a web services endpoint described in the document.

6. A system for authentication of a principal in a federation, the system comprising an identity provider including a computer processor and a computer memory operatively coupled to the computer processor, the computer memory having disposed within it computer program instructions capable of:
- receiving, at the identity provider, an authentication request specifying a service provider'"'"'s authentication policy, the authentication request having been generated at the service provider in response to receipt at the service provider of a request of the principal for access to a resource of the service provider and a determination by the service provider that an authentication credential of the request does not satisfy the service provider'"'"'s authentication policy;
  
  authenticating the principal by the identity provider according to the service provider'"'"'s authentication policy;
  
  recording in session data of the identity provider an authentication credential satisfying the service provider'"'"'s authentication policy; and
  
  sending an authentication response from the identity provider to the service provider, the authentication response including the authentication credential satisfying the service provider'"'"'s authentication policy, the authentication credential adapted to be recordable in session data of the service provider.
- View Dependent Claims (7)
- - 7. The system of claim 6 wherein the principal is represented as a web service described in a Web Services Description Language (WSDL) document and the receiving occurs at a web services endpoint described in the document.

8. A computer program product for authentication of a principal in a federation, the computer program product including computer program instructions disposed upon a non-transitory computer readable storage medium, the computer program instructions, when executed in an identity provider, capable of:
- receiving, at the identity provider, an authentication request specifying a service provider'"'"'s authentication policy, the authentication request having been generated at the service provider in response to receipt at the service provider of a request of the principal for access to a resource of the service provider and a determination by the service provider that an authentication credential of the request does not satisfy the service provider'"'"'s authentication policy;
  
  authenticating the principal by the identity provider according to the service provider'"'"'s authentication policy;
  
  recording in session data of the identity provider an authentication credential satisfying the service provider'"'"'s authentication policy; and
  
  sending an authentication response from the identity provider to the service provider, the authentication response including the authentication credential satisfying the service provider'"'"'s authentication policy, the authentication credential adapted to be recordable in session data of the service provider.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The computer program product of claim 8 further comprising computer program instructions capable of authenticating the principal by the identity provider according to an identity provider'"'"'s authentication policy.
  - 10. The computer program product of claim 8 wherein authenticating the principal further comprises authenticating the principal by an access manager of the identity provider.
  - 11. The computer program product of claim 8 wherein authenticating the principal further comprises authenticating the principal by an authentication proxy of the identity provider.
  - 12. The computer program product of claim 8 wherein the principal is represented as a web service described in a Web Services Description Language (WSDL) document and the receiving occurs at a web services endpoint described in the document.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Hinton, Heather M., Moran, Anthony S.
Primary Examiner(s)
Yalew, Fikremariam A

Application Number

US11/304,945
Publication Number

US 20070143829A1
Time in Patent Office

2,672 Days
Field of Search

None
US Class Current

726/5
CPC Class Codes

H04L 63/0815   providing single-sign-on or...

H04L 63/0884   by delegation of authentica...

H04L 63/102   Entity profiles

H04L 67/14   Session management for real...

Authentication of a principal in a federation

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

24 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Authentication of a principal in a federation

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

24 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links