Method and system for federated provisioning
First Claim
1. A data processing system comprising:
a point-of-contact server, wherein the point-of-contact server receives incoming requests for access to resources identifiable within a domain, wherein the domain is associated with a plurality of domains within a federated computing environment;
a trust proxy, wherein the trust proxy generates one or more authentication assertions and/or attribute assertions sent from the domain and validates one or more authentication assertions and/or attribute assertions received at the domain; and
an application server that interfaces with the point-of-contact server and the trust proxy, in response to provisioning a user at the domain, for initiating provisioning of the user in at least one other domain in the plurality of domains within the federated computing environment by sending a provisioning request;
the provisioning request associated with a provisioning operation being one of:
creation of a user record, pushing updated user attributes to a user record, pulling updated user attributes for a user record, deletion of a user account, and unlinking of one or more user accounts.
2 Assignments
0 Petitions
Abstract
A method and a system are presented in which federated domains interact within a federated environment. Domains within a federation can initiate federated single-sign-on operations for a user at other federated domains. A point-of-contact server within a domain relies upon a trust proxy within the domain to manage trust relationships between the domain and the federation. Trust proxies interpret assertions from other federated domains as necessary. Trust proxies may have a trust relationship with one or more trust brokers, and a trust proxy may rely upon a trust broker for assistance in interpreting assertions. When a user is provisioned at a particular federated domain, the federated domain can provision the user to other federated domains within the federated environment. A provision operation may include creating or deleting an account for a user, pushing updated user account information including attributes, and requesting updates on account information including attributes.
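The flow the abstract describes (a user is provisioned locally, the domain's trust proxy signs a provisioning request, the receiving domain's point of contact applies it only after its own trust proxy validates it, and the five operation types from the claims) as an added Python model; this is illustration written for this page, not code from the patent. The HMAC-signed assertion format, the per-pair shared keys, the `linked_to` attribute and the class names are assumptions.

```python
import hashlib, hmac, json
from enum import Enum
class ProvisioningOp(Enum):
    CREATE = "create"   # creation of a user record
    PUSH = "push"       # pushing updated attributes to a user record
    PULL = "pull"       # pulling updated attributes for a user record
    DELETE = "delete"   # deletion of a user account
    UNLINK = "unlink"   # unlinking one or more user accounts

class TrustProxy:
    """Signs assertions leaving the domain and validates assertions arriving at it.
    Assumption (not from the patent): each pair of domains shares an HMAC key agreed out of band."""
    def __init__(self, domain, peer_keys):
        self.domain, self.peer_keys = domain, peer_keys
    def issue(self, target, payload):
        body = json.dumps(payload, sort_keys=True)
        sig = hmac.new(self.peer_keys[target], body.encode(), hashlib.sha256).hexdigest()
        return {"issuer": self.domain, "body": body, "sig": sig}
    def validate(self, assertion):
        key = self.peer_keys.get(assertion.get("issuer"))
        if key is None:
            return None                                    # no trust relationship with this issuer
        expected = hmac.new(key, assertion.get("body", "").encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion.get("sig", "")):
            return None                                    # forged or tampered assertion
        return json.loads(assertion["body"])               # validated request payload

class FederatedDomain:
    def __init__(self, name, peer_keys):
        self.name, self.users, self.peers = name, {}, {}   # peers: domain name -> FederatedDomain
        self.trust_proxy = TrustProxy(name, peer_keys)
    def point_of_contact(self, assertion):
        """Receives a provisioning request; only requests the trust proxy validates are applied."""
        req = self.trust_proxy.validate(assertion)
        if req is None or req.get("op") not in {o.value for o in ProvisioningOp}:
            return False
        op, uid, attrs = ProvisioningOp(req["op"]), req.get("user"), req.get("attrs", {})
        if op is ProvisioningOp.CREATE: self.users[uid] = dict(attrs)
        elif op is ProvisioningOp.PUSH: self.users.setdefault(uid, {}).update(attrs)
        elif op is ProvisioningOp.PULL: return dict(self.users.get(uid, {}))
        elif op is ProvisioningOp.DELETE: self.users.pop(uid, None)
        else: self.users.get(uid, {}).pop("linked_to", None)   # UNLINK: drop the account link
        return True
    def provision_user(self, uid, attrs):
        """Provisions the user locally, then initiates provisioning at every other federated domain."""
        self.users[uid] = dict(attrs)
        payload = {"op": ProvisioningOp.CREATE.value, "user": uid, "attrs": attrs}
        return {peer: dom.point_of_contact(self.trust_proxy.issue(peer, payload))
                for peer, dom in self.peers.items()}
```

A request from a domain with no trust relationship, or one whose body was altered after signing, is rejected at the point of contact and leaves the local user store untouched.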
46 Citations
25 Claims

1. A data processing system comprising: (independent claim, given in full under First Claim above; dependent claims 2 through 12)

13. A machine-implemented method for providing federated functionality within a data processing system, the method comprising:
receiving an incoming request at a point-of-contact server to provision a user within a domain, wherein the domain is associated with a plurality of domains within a federated computing environment;
validating at a trust proxy one or more security assertions received at the domain through the point-of-contact server;
responsive to provisioning the user within the domain, initiating a provisioning operation in at least one other domain in the plurality of domains within the federated computing environment by sending a provisioning request;
the provisioning request associated with a provisioning operation being one of:
creation of a user record at the other domain, pushing updated user attributes to a user record at the other domain, pulling updated user attributes for a user record, deletion of a user account, and unlinking of one or more user accounts.
(dependent claims 14 through 18)

19. A computer program product on a non-transitory computer readable medium for use in a data processing system for providing federated functionality within the data processing system, the computer program product holding computer program instructions which when executed by the data processing system perform a method comprising:
receiving an incoming request at a point-of-contact server to provision a user within a domain, wherein the domain is associated with a plurality of domains within a federated computing environment;
validating at a trust proxy one or more security assertions received at the domain through the point-of-contact server; and
responsive to provisioning the user within the domain, initiating a provisioning operation in at least one other domain in the plurality of domains within the federated computing environment by sending a provisioning request;
the provisioning request associated with a provisioning operation being one of:
creation of a user record, pushing updated user attributes to a user record, pulling updated user attributes for a user record, deletion of a user account, and unlinking of one or more user accounts.
(dependent claims 20 through 25)