Federated authentication for mailbox replication

US 8,752,152 B2
Filed: 12/14/2009
Issued: 06/10/2014
Est. Priority Date: 12/14/2009
Status: Active Grant

First Claim

Patent Images

1. A method to be executed at least in part in a computing device for employing federated authentication in data replication across authentication boundaries, the method comprising:

receiving a request at a first server of a second domain for data replication from a first service operating in a first domain at a second service operating in the second domain, wherein the request includes a federated token associated with the first service;

establishing a guarantee of trustworthiness of a third party trust broker across authentication boundaries from a registration authority;

passing the federated token to the third party trust broker issuing the federated token from the first server of the second domain to have the third party trust broker perform an authentication of the federated token by performing a confirmation that the federated token is created by the third party trust broker and is coming from the first domain;

receiving one of;

the confirmation and a denial from the third party trust broker at the first server of the second domain;

submitting an authorization request to an authorization server of the second domain from the first server of the second domain using authentication related data associated with the federated token securely stored at the third party trust broker;

receiving one of a confirmation and a denial from the authorization server of the second domain based on a comparison of at least one desired capability to a configuration of the second domain; and

responding to the first service with an affirmation of the request if a confirmation is received from the third party trust broker and the authorization server of the second domain.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A data replication mechanism is proposed that relies on existing federation infrastructure enabling distributed authentication instead of storing and using explicit credentials for a remote forest. The data replication mechanism requests a federation token with data replication capabilities targeted to the remote forest and passes this token to the remote forest in lieu of explicit credentials.

31 Citations

View as Search Results

19 Claims

1. A method to be executed at least in part in a computing device for employing federated authentication in data replication across authentication boundaries, the method comprising:
- receiving a request at a first server of a second domain for data replication from a first service operating in a first domain at a second service operating in the second domain, wherein the request includes a federated token associated with the first service;
  
  establishing a guarantee of trustworthiness of a third party trust broker across authentication boundaries from a registration authority;
  
  passing the federated token to the third party trust broker issuing the federated token from the first server of the second domain to have the third party trust broker perform an authentication of the federated token by performing a confirmation that the federated token is created by the third party trust broker and is coming from the first domain;
  
  receiving one of;
  
  the confirmation and a denial from the third party trust broker at the first server of the second domain;
  
  submitting an authorization request to an authorization server of the second domain from the first server of the second domain using authentication related data associated with the federated token securely stored at the third party trust broker;
  
  receiving one of a confirmation and a denial from the authorization server of the second domain based on a comparison of at least one desired capability to a configuration of the second domain; and
  
  responding to the first service with an affirmation of the request if a confirmation is received from the third party trust broker and the authorization server of the second domain.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the federated token includes an identity of the second service as target and the at least one desired capability at the second service.
  - 3. The method of claim 2, further comprising:
    - authorizing the request at the second service based on information associated with the first service stored by the second service at the second domain.
  - 4. The method of claim 1, wherein the at least one desired capability includes one of:
    - mailbox data replication and public folder data replication of an electronic mail system.
  - 5. The method of claim 1, wherein the confirmation from the third party trust broker indicates that the federated token was generated by the third party trust broker and originated from the first service.
  - 6. The method of claim 1, wherein the first service and the second service establish a trust relationship with the third party trust broker prior to processing the request.
  - 7. The method of claim 1, wherein the request received from the first service is in response to a user request received by the first service.
  - 8. The method of claim 1, further comprising:
    - sending data to be replicated along with the affirmation of the request to the first service.
  - 9. The method of claim 1, wherein the first domain and the second domain are separated by the authentication boundaries.
  - 10. The method of claim 9, wherein the authentication boundaries include the Internet.

11. A system for facilitating data replication in electronic mail services employing federated authentication, the system comprising:
- a first server associated with a first domain executing a first service, the first service performing actions including;
  
  establish a trust relationship with a third party trust broker by executing a process to;
  
  exchange a certificate of the first service with the third party trust broker; and
  
  retrieve a federation metadata of the third party trust broker;
  
  receive a request for data replication;
  
  request a federated token from the third party trust broker;
  
  pass the federated token along with the request to a target service in a second domain that is separated from the first domain by at least one authentication boundary; and
  
  a second server associated with the second domain executing a second service identified as the target service in the federated token, the second service performing actions including;
  
  establish a trust relationship with the third party trust broker by executing another process to;
  
  exchange another certificate of the second service with the third party trust broker; and
  
  retrieve another federation metadata of the third party trust broker;
  
  pass the received federated token to the third party trust broker;
  
  receive one of;
  
  a confirmation and a denial from the third party trust broker;
  
  submit an authorization request to an authorization server of the second domain using authentication related data associated with the federated token securely stored at the third party trust broker;
  
  receive one of a confirmation and a denial from the authorization server of the second domain based on a comparison of at least one desired capability to a configuration of the second domain;
  
  respond to the first service with an affirmation of the request if a confirmation is received from the third party trust broker and the authorization server of the second domain; and
  
  manage and securely store the authentication related data associated with the federated token at the third party trust broker.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The system of claim 11, wherein the authorization server is further configured to authorize the request based on the at least one desired capability included in the federated token and information associated with the first service stored at the second domain.
  - 13. The system of claim 11, wherein the first service, the second service, and the third party trust broker communicate over one of:
    - the same network and separate networks.
  - 14. The system of claim 11, wherein at least one of the first service and the second service is an electronic mail application.
  - 15. The system of claim 11, wherein at least one of the first service and the second service is a distributed electronic mail service executed by a plurality of servers.

16. A computer-readable memory device with instructions stored thereon for employing federated authentication in data replication across authentication boundaries, the instructions comprising:
- establishing a guarantee of trustworthiness of a third party trust broker across authentication boundaries from a registration authority;
  
  establishing individual trust relationships between a first service operating in a first domain and the third party trust broker, and a second service operating in a second domain and the third party trust broker by;
  
  exchanging a certificate of the first and second services with the third party trust broker; and
  
  retrieving a federation metadata of the third party trust broker;
  
  receiving a request for data replication at the first service;
  
  requesting a federated token from the third party trust broker at the first service;
  
  passing the federated token along with the request from the first service to a server of the second service without exchanging a credential, wherein the federated token includes at least one desired capability at the second service;
  
  passing the federated token to the third party trust broker issuing the federated token from the second service to have the third party trust broker perform an authentication of the federated token by performing a confirmation that the federated token is created by the third party trust broker and is coming from the first domain;
  
  receiving one of;
  
  the confirmation and a denial from the third party trust broker at the server of the second service;
  
  submitting an authorization request to an authorization server of the second domain from the server of the second service using authentication related data associated with the federated token securely stored at the third party trust broker;
  
  receiving one of a confirmation and a denial from the authorization server of the second domain based on a comparison of at least one desired capability to a configuration of the second service;
  
  if a confirmation is received from the third party trust broker, authorizing the request by comparing the at least one desired capability to a configuration of the second service at the authorization server of the second domain;
  
  responding to the first service with an affirmation of the request and requested data by the second service; and
  
  managing and securely storing the authentication related data associated with the federated token at the third party trust broker.
- View Dependent Claims (17, 18, 19)
- - 17. The computer-readable memory device of claim 16, wherein the request is for at least one of:
    - a mailbox data replication and a public folder data replication over the Internet.
  - 18. The computer-readable memory device of claim 17, wherein the instructions further comprise:
    - submitting an attribute change to the second service along with the federated token.
  - 19. The computer-readable memory device of claim 16, wherein the first domain and the second domain are websites.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Kol, Ayla, Gavrilov, Dmitri, Clark, Bradford, Kress, Brian T., Kleewein, James C.
Primary Examiner(s)
Vaughan, Michael R

Application Number

US12/637,043
Publication Number

US 20110145565A1
Time in Patent Office

1,639 Days
Field of Search

None
US Class Current

726/9
CPC Class Codes

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/80   Wireless network architectu...

H04L 51/00   User-to-user messaging in p...

H04L 51/42   Mailbox-related aspects, e....

H04L 63/0815   providing single-sign-on or...

H04L 63/0823   using certificates cryptogr...

H04L 67/53   using third party service p...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3271   using challenge-response

Federated authentication for mailbox replication

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

31 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

Federated authentication for mailbox replication

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

31 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others