Method and apparatus for multi-domain identity interoperability and compliance verification

US 8,434,129 B2
Filed: 08/04/2008
Issued: 04/30/2013
Est. Priority Date: 08/02/2007
Status: Active Grant

First Claim

Patent Images

1. A method of providing identity federation deployment comprising:

utilizing a pre-generated schema stored in a memory of a computer system for generating a deployment system including a deployment profile for interoperability between two or more service providers (SP) and/or identity providers (IDP) (SP/IDPs);

providing a validation environment, the validation environment comprising one or more virtual SP/IDPs implemented on one or more computer systems, the virtual SP/IDP representing a customer configuration, the virtual SP/IDP to interact with a third party pre-production partner SP/IDP on a remote computer system through standard interaction methods, to validate that the virtual SP/IDPs are capable of interoperation at the deployment level with the third party pre-production SP/IDPs; and

creating a customized quality assurance environment on a server to continuously monitor compliance of a live customer federation hub with the pre-generated schema, the quality assurance environment to monitor the interfacing of at least one live customer endpoint and a live third party SP or IDP, wherein monitoring the interfacing of the at least one live customer endpoint and the live third party SP or IDP comprises decrypting, parsing, and assembling an identity-related communication between the SP and the IDP.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus to provide identity management deployment interoperability and compliance verification. In one embodiment, the system also provides on-demand services including automated certification, monitoring, alerting, routing, and translation of tokens for federated identity related interactions between multi-domain identity management systems is provided.

63 Citations

View as Search Results

20 Claims

1. A method of providing identity federation deployment comprising:
- utilizing a pre-generated schema stored in a memory of a computer system for generating a deployment system including a deployment profile for interoperability between two or more service providers (SP) and/or identity providers (IDP) (SP/IDPs);
  
  providing a validation environment, the validation environment comprising one or more virtual SP/IDPs implemented on one or more computer systems, the virtual SP/IDP representing a customer configuration, the virtual SP/IDP to interact with a third party pre-production partner SP/IDP on a remote computer system through standard interaction methods, to validate that the virtual SP/IDPs are capable of interoperation at the deployment level with the third party pre-production SP/IDPs; and
  
  creating a customized quality assurance environment on a server to continuously monitor compliance of a live customer federation hub with the pre-generated schema, the quality assurance environment to monitor the interfacing of at least one live customer endpoint and a live third party SP or IDP, wherein monitoring the interfacing of the at least one live customer endpoint and the live third party SP or IDP comprises decrypting, parsing, and assembling an identity-related communication between the SP and the IDP.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, wherein the schema is one of:
    - the SP is a client, and the SP is designed to interface with one or more IDPs; and
      
      the IDP is the client and designed to interface with one or more SPs.
  - 3. The method of claim 1, further comprising:
    - rolling out the quality assurance environment to a pre-production environment.
  - 4. The method of claim 3, wherein the pre production version of the SP/IDP is a service provider client.
  - 5. The method of claim 3, further comprising:
    - rolling out a live customer environment in which a fully deployed version of an SP interface with a fully deployed version of the IDP; and
      
      providing a tap to monitor communications between the SP and the IDP, in the live customer environment, thereby providing the continuous compliance monitoring.
  - 6. The method of claim 5, wherein monitoring communications between the SP and the IDP comprises:
    - validating the identity-related communication.
  - 7. The method of claim 6, wherein validating the identity-related communication comprises comparing the monitored communication to the deployment profile;
    - andgenerating a validation report.
  - 8. The method of claim 1, further comprising:
    - providing an automated endpoint validation and independent real-time certification service for technical implementation conformance, allowing a customer to perform partner federation on-boarding and compliance certification for any protocol.
  - 9. The method of claim 8, wherein the protocols may include one or more of Security Assertion Markup Language (SAML), WS-Federation, WS-*, OpenID, OAuth, OpenID Connect, and Identity Federation protocols.
  - 10. The method of claim 8, wherein the federation and compliance certification is further independent of one or more of authentication formats, policies, privacy regulatory requirements, security models, trust domains, business rules, and identity management (IDM) implementations.
  - 11. The method of claim 1, further comprising;
    - providing an extra endpoint, the endpoint one of an Identity Provider (IDP), Service Provider (SP), or Relying Party (RP), in the live customer federation hub to capture and validate tokens, encryption, assurance levels, claims, and attributes allowing new entities to join the federation in a customer hub setup.
  - 12. The method of claim 1, further comprising:
    - providing ID assurance verification services.
  - 13. The method of claim 1, wherein the process further comprises:
    - on-boarding the customer to a second federation, wherein the second federation has a different set of requirements from the first federation, the on-boarding including setting up a configuration which enables the customer to interact with the first federation and the second federation.
  - 14. The method of claim 1, further comprising:
    - setting up a hosted federation routing and translation service for the federation partner on-boarding.
  - 15. The method of claim 1, wherein the SPs and IDPs are set up in the form of one of:
    - hub and spoke, point-to-point, many-to-many, and one-to-many configurations.
  - 16. The method of claim 15, wherein the form is replicated as a virtual implementation, such that all entities in the virtual hub and spoke elements are used for validation.

17. A deployment system to enable deployment of a compliant federation hub, the system comprising:
- a pre-generated schema stored in memory, to generate a deployment system including a deployment profile for interoperability between two or more service providers (SPs) and/or identity providers (IDPs) (SP/IDP);
  
  a validation environment, including a virtual SP/IDP representing a customer configuration, the virtual SP/IDP to interact with a pre-production third-party partner endpoint implemented on a computer system, to validate that the customer configuration is capable of interoperation with the third-party partner endpoint;
  
  a deployment environment implemented on a server, including customized quality assurance to continuously monitor compliance of the live endpoints in the customer federation with the pre-generated schema, by monitoring communications, wherein monitoring the communications comprises decrypting, parsing, and assembling an identity-related communication between the SP and the IDP.
- View Dependent Claims (18, 19, 20)
- - 18. The system of claim 17, wherein the monitoring of the communications comprises a tap within the live endpoint, to obtain copies of communications.
  - 19. The system of claim 18, wherein the tap further decrypts, parses, and assembles identity-related communication between the end points, to monitor compliance.
  - 20. The system of claim 17, wherein the monitoring comprises an extra endpoint within the quality assurance environment of the live federation hub, the extra end point interacting with the live endpoints in the federation, to monitor compliance based on the interactions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
FuGen Solutions, Inc. (8K Miles Software Services Ltd.)
Original Assignee
FuGen Solutions, Inc. (8K Miles Software Services Ltd.)
Inventors
Kannappan, Lakshmanan, Simha, Vijay S., Prafullchandra, Hemma
Primary Examiner(s)
Armouche, Hadi
Assistant Examiner(s)
Okeke, Izunna

Application Number

US12/185,809
Publication Number

US 20090089625A1
Time in Patent Office

1,730 Days
Field of Search

726/1, 726/2, 726/3, 726/4, 726/22, 726/23, 726/24, 726/25, 726/17, 713/168, 713/170
US Class Current

726/3
CPC Class Codes

G06F 21/64   Protecting data integrity, ...

G06Q 10/10   Office automation; Time man...

G06Q 30/06   Buying, selling or leasing ...

H04L 63/0815   providing single-sign-on or...

Method and apparatus for multi-domain identity interoperability and compliance verification

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

63 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for multi-domain identity interoperability and compliance verification

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

63 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links