Method and system for federated provisioning

US 8,607,322 B2
Filed: 07/21/2004
Issued: 12/10/2013
Est. Priority Date: 07/21/2004
Status: Active Grant

First Claim

Patent Images

1. A data processing system comprising:

a point-of-contact server, wherein the point-of-contact server receives incoming requests for access to resources identifiable within a domain, wherein the domain is associated with a plurality of domains within a federated computing environment;

a trust proxy, wherein the trust proxy generates one or more authentication assertions and/or attribute assertions sent from the domain and validates one or more authentication assertions and/or attribute assertions received at the domain; and

an application server that interfaces with the point-of-contact server and the trust proxy, in response to provisioning a user at the domain, for initiating provisioning of the user in at least one other domain in the plurality of domains within the federated computing environment by sending a provisioning request;

the provisioning request associated with a provisioning operation being one of;

creation of a user record, pushing updated user attributes to a user record, pulling updated user attributes for a user record, deletion of a user account, and unlinking of one or more user accounts.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and a system are presented in which federated domains interact within a federated environment. Domains within a federation can initiate federated single-sign-on operations for a user at other federated domains. A point-of-contact server within a domain relies upon a trust proxy within the domain to manage trust relationships between the domain and the federation. Trust proxies interpret assertions from other federated domains as necessary. Trust proxies may have a trust relationship with one or more trust brokers, and a trust proxy may rely upon a trust broker for assistance in interpreting assertions. When a user is provisioned at a particular federated domain, the federated domain can provision the user to other federated domains within the federated environment. A provision operation may include creating or deleting an account for a user, pushing updated user account information including attributes, and requesting updates on account information including attributes.

46 Citations

View as Search Results

25 Claims

1. A data processing system comprising:
- a point-of-contact server, wherein the point-of-contact server receives incoming requests for access to resources identifiable within a domain, wherein the domain is associated with a plurality of domains within a federated computing environment;
  
  a trust proxy, wherein the trust proxy generates one or more authentication assertions and/or attribute assertions sent from the domain and validates one or more authentication assertions and/or attribute assertions received at the domain; and
  
  an application server that interfaces with the point-of-contact server and the trust proxy, in response to provisioning a user at the domain, for initiating provisioning of the user in at least one other domain in the plurality of domains within the federated computing environment by sending a provisioning request;
  
  the provisioning request associated with a provisioning operation being one of;
  
  creation of a user record, pushing updated user attributes to a user record, pulling updated user attributes for a user record, deletion of a user account, and unlinking of one or more user accounts.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The data processing system of claim 1 wherein the point-of-contact server further comprises:
    - computer program instructions that, when executed by a processor, invoke the application server to process federated provisioning requests.
  - 3. The data processing system of claim 1 wherein the application server further comprises:
    - computer program instructions that, when executed by a processor, invoke the trust proxy to generate a security token to be associated with a federated provisioning request or a federated provisioning response to demonstrate a trust relationship between a requester and a responder.
  - 4. The data processing system of claim 1 wherein the point-of-contact server and the trust proxy perform front-end processing for functionality associated with the federated computing environment while interfacing with at least one back-end application.
  - 5. The data processing system of claim 4 wherein the application server further comprises:
    - computer program instructions that, when executed by a processor, interfaces with an identity management subsystem as a back-end application.
  - 6. The data processing system of claim 1 wherein the point-of-contact server further comprises:
    - computer program instructions that, when executed by a processor, associates an assertion with an outgoing request from the point-of-contact server to a different domain within the federated computing environment.
  - 7. The data processing system of claim 1 wherein the trust proxy further comprises:
    - computer program instructions that, when executed by a processor, maintains trust relationships with different domains within the federated computing environment.
  - 8. The data processing system of claim 1 wherein the trust proxy further comprises:
    - computer program instructions that, when executed by a processor, interoperates with a trust broker to obtain assistance in translating an assertion that has been received from a different domain within the federated computing environment.
  - 9. The data processing system of claim 1 wherein the application server supports at least one web service.
  - 10. The data processing system of claim 9 wherein a web service is supported in accordance with web-services-based provisioning standard as exemplified by the WS-Provisioning standard.
  - 11. The data processing system of claim 1 wherein the application server initiates provisioning of the user in at least one other domain in an automated manner in response to provisioning a user at the domain.
  - 12. The data processing system of claim 1 wherein the provisioning operation is initiated in an automated manner in response to provisioning of the user within the domain.

13. A machine-implemented method for providing federated functionality within a data processing system, the method comprising:
- receiving an incoming request at a point-of-contact server to provision a user within a domain, wherein the domain is associated with a plurality of domains within a federated computing environment;
  
  validating at a trust proxy one or more security assertions received at the domain through the point-of-contact server;
  
  responsive to provisioning the user within the domain, initiating a provisioning operation in at least one other domain in the plurality of domains within the federated computing environment by sending a provisioning request;
  
  the provisioning request associated with a provisioning operation being one of;
  
  creation of a user record at the other domain, pushing updated user attributes to a user record at the other domain, pulling updated user attributes for a user record, deletion of a user account, and unlinking of one or more user accounts.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The method of claim 13 where security assertions are distinct from the user-specific information contained in the provisioning request.
  - 15. The method of claim 13 wherein the trust proxy is able to apply an authorization decision to the incoming request.
  - 16. The method of claim 13 wherein the incoming request is interpreted as initiating a request for user-specific information and/or attributes about the user from the domain.
  - 17. The method of claim 13 further comprising:
    - extracting user-specific information that is associated with the user from the provisioning request;
      
      performing the provisioning operation by invoking an identity management application within the domain;
      
      creating, modifying, or deleting one or more user-specific entries in one or more datastores for the user by the identity management application.
  - 18. The method of claim 13 further comprising:
    - extracting user-specific information that is associated with the user from the provisioning request;
      
      creating, modifying, or deleting one or more user-specific entries in one or more datastores for the user;
      
      detecting the user-specific activity within the domain by the identity management application; and
      
      provisioning the user within the domain such that the user subsequently has access to controlled resources within the domain.

19. A computer program product on a non-transitory computer readable medium for use in a data processing system for providing federated functionality within the data processing system, the computer program product holding computer program instructions which when executed by the data processing system perform a method comprising:
- receiving an incoming request at a point-of-contact server to provision a user within a domain, wherein the domain is associated with a plurality of domains within a federated computing environment;
  
  validating at a trust proxy one or more security assertions received at the domain through the point-of-contact server; and
  
  responsive to provisioning the user within the domain, initiating a provisioning operation in at least one other domain in the plurality of domains within the federated computing environment by sending a provisioning request;
  
  the provisioning request associated with a provisioning operation being one of;
  
  creation of a user record, pushing updated user attributes to a user record, pulling updated user attributes for a user record, deletion of a user account, and unlinking of one or more user accounts.
- View Dependent Claims (20, 21, 22, 23, 24, 25)
- - 20. The computer program product on a non-transitory computer readable medium of claim 19 where security assertions are distinct from the user-specific information contained in the provisioning request.
  - 21. The computer program product on a non-transitory computer readable medium of claim 19 wherein the trust proxy applies an authorization decision to the incoming request.
  - 22. The computer program product on a non-transitory computer readable medium of claim 19 wherein the incoming request is interpreted as initiating a request for user-specific information and/or attributes about the user from the domain.
  - 23. The computer program product on a non-transitory computer readable medium of claim 19 wherein the method further comprises:
    - extracting user-specific information that is associated with the user from the provisioning request;
      
      performing the provisioning operation by invoking an identity management application within the domain;
      
      creating, modifying, or deleting one or more user-specific entries in one or more datastores for the user by the identity management application.
  - 24. The computer program product on a non-transitory computer readable medium of claim 19 wherein the method further comprises:
    - extracting user-specific information that is associated with the user from the provisioning request;
      
      creating, modifying, or deleting one or more user-specific entries in one or more datastores for the user;
      
      detecting the user-specific activity within the domain by the identity management application; and
      
      provisioning the user within the domain such that the user subsequently has access to controlled resources within the domain.
  - 25. The computer program product on a non-transitory computer readable medium of claim 19 wherein the provisioning operation is initiated in an automated manner in response to provisioning of the user within the domain.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ServiceNow Incorporated
Original Assignee
International Business Machines Corporation
Inventors
Hinton, Heather Maria, Turner, Brian James, Moran, Anthony Scott, Weeden, Shane, Glazer, Ian Michael, Bray, Gavin George, Raghavan, Venkat
Primary Examiner(s)
Powers, William
Assistant Examiner(s)
SHAIFER HARRIMAN, DANT B

Application Number

US10/896,351
Publication Number

US 20060021019A1
Time in Patent Office

3,429 Days
Field of Search

726/10
US Class Current

726/10
CPC Class Codes

G06F 21/41   where a single sign-on prov...

H04L 63/0407   wherein the identity of one...

H04L 63/0815   providing single-sign-on or...

Method and system for federated provisioning

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

46 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for federated provisioning

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

46 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links