Federated authentication for mailbox replication
Abstract
A data replication mechanism is proposed that relies on existing federation infrastructure enabling distributed authentication instead of storing and using explicit credentials for a remote forest. The data replication mechanism requests a federation token with data replication capabilities targeted to the remote forest and passes this token to the remote forest in lieu of explicit credentials.
31 Citations
19 Claims

1. A method to be executed at least in part in a computing device for employing federated authentication in data replication across authentication boundaries, the method comprising:
receiving a request at a first server of a second domain for data replication from a first service operating in a first domain at a second service operating in the second domain, wherein the request includes a federated token associated with the first service;
establishing a guarantee of trustworthiness of a third party trust broker across authentication boundaries from a registration authority;
passing the federated token to the third party trust broker issuing the federated token from the first server of the second domain to have the third party trust broker perform an authentication of the federated token by performing a confirmation that the federated token is created by the third party trust broker and is coming from the first domain;
receiving one of the confirmation and a denial from the third party trust broker at the first server of the second domain;
submitting an authorization request to an authorization server of the second domain from the first server of the second domain using authentication related data associated with the federated token securely stored at the third party trust broker;
receiving one of a confirmation and a denial from the authorization server of the second domain based on a comparison of at least one desired capability to a configuration of the second domain; and
responding to the first service with an affirmation of the request if a confirmation is received from the third party trust broker and the authorization server of the second domain.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.

11. A system for facilitating data replication in electronic mail services employing federated authentication, the system comprising:
a first server associated with a first domain executing a first service, the first service performing actions including:
establish a trust relationship with a third party trust broker by executing a process to: exchange a certificate of the first service with the third party trust broker; and retrieve a federation metadata of the third party trust broker;
receive a request for data replication;
request a federated token from the third party trust broker;
pass the federated token along with the request to a target service in a second domain that is separated from the first domain by at least one authentication boundary; and
a second server associated with the second domain executing a second service identified as the target service in the federated token, the second service performing actions including:
establish a trust relationship with the third party trust broker by executing another process to: exchange another certificate of the second service with the third party trust broker; and retrieve another federation metadata of the third party trust broker;
pass the received federated token to the third party trust broker;
receive one of a confirmation and a denial from the third party trust broker;
submit an authorization request to an authorization server of the second domain using authentication related data associated with the federated token securely stored at the third party trust broker;
receive one of a confirmation and a denial from the authorization server of the second domain based on a comparison of at least one desired capability to a configuration of the second domain;
respond to the first service with an affirmation of the request if a confirmation is received from the third party trust broker and the authorization server of the second domain; and
manage and securely store the authentication related data associated with the federated token at the third party trust broker.
Dependent claims: 12, 13, 14, 15.

16. A computer-readable memory device with instructions stored thereon for employing federated authentication in data replication across authentication boundaries, the instructions comprising:
establishing a guarantee of trustworthiness of a third party trust broker across authentication boundaries from a registration authority;
establishing individual trust relationships between a first service operating in a first domain and the third party trust broker, and a second service operating in a second domain and the third party trust broker by: exchanging a certificate of the first and second services with the third party trust broker; and retrieving a federation metadata of the third party trust broker;
receiving a request for data replication at the first service;
requesting a federated token from the third party trust broker at the first service;
passing the federated token along with the request from the first service to a server of the second service without exchanging a credential, wherein the federated token includes at least one desired capability at the second service;
passing the federated token to the third party trust broker issuing the federated token from the second service to have the third party trust broker perform an authentication of the federated token by performing a confirmation that the federated token is created by the third party trust broker and is coming from the first domain;
receiving one of the confirmation and a denial from the third party trust broker at the server of the second service;
submitting an authorization request to an authorization server of the second domain from the server of the second service using authentication related data associated with the federated token securely stored at the third party trust broker;
receiving one of a confirmation and a denial from the authorization server of the second domain based on a comparison of at least one desired capability to a configuration of the second service;
if a confirmation is received from the third party trust broker, authorizing the request by comparing the at least one desired capability to a configuration of the second service at the authorization server of the second domain;
responding to the first service with an affirmation of the request and requested data by the second service; and
managing and securely storing the authentication related data associated with the federated token at the third party trust broker.
Dependent claims: 17, 18, 19.
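The three independent claims above describe one exchange: the first service obtains a federated token from the trust broker and sends it in place of credentials; the second domain hands the token back to the broker, which confirms that it created the token and that it comes from the registered first domain; the second domain's authorization server then compares the desired capability carried in the token against its own configuration; and the request is affirmed only if both confirmations arrive. The following Python is an added example written for this page to make that two-stage decision concrete. It is not code from the patent or from any product it covers. Everything specific in it is an assumption for illustration: the token format (a JSON body with an HMAC standing in for the broker's signature, and the field names iss, sub, src, aud, cap, exp, jti), the domain and service names (contoso.example, fabrikam.example, mrs.*), the capability names, and the in-memory record the broker keeps as its "authentication related data".

```python
import hashlib
import hmac
import json

class TrustBroker:
    """Third-party trust broker; HMAC stands in for its real signing key (assumption)."""

    def __init__(self, name, key):
        self.name, self._key = name, key
        self._registered = {}  # service -> domain, established by the certificate exchange
        self._issued = {}      # token id -> authentication-related data kept at the broker

    def register(self, service, domain):
        self._registered[service] = domain

    def _sign(self, payload):
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def issue(self, requester, target, capability, now, ttl=300):
        """Issue a token carrying the desired capability, targeted at one service."""
        if requester not in self._registered:
            raise PermissionError("no trust relationship with " + requester)
        claims = {"iss": self.name, "sub": requester, "src": self._registered[requester],
                  "aud": target, "cap": capability, "exp": now + ttl,
                  "jti": "%s-%d" % (requester, len(self._issued))}
        payload = json.dumps(claims, sort_keys=True).encode()
        self._issued[claims["jti"]] = claims
        return payload.hex() + "." + self._sign(payload)

    def authenticate(self, token, presenter, now):
        """Return the claims if this broker created the token and it comes from the first domain; None is the denial."""
        try:
            hexpayload, sig = token.split(".", 1)
            payload = bytes.fromhex(hexpayload)
        except ValueError:
            return None
        if not hmac.compare_digest(sig, self._sign(payload)):
            return None                                   # forged or tampered body
        claims = json.loads(payload)
        if claims["exp"] < now or claims["jti"] not in self._issued:
            return None                                   # expired, or never issued here
        if self._registered.get(claims["sub"]) != claims["src"]:
            return None                                   # not coming from the first domain
        if claims["aud"] != presenter:
            return None                                   # targeted at a different service
        return claims

class AuthorizationServer:
    """Second-domain authorization server: desired capability vs. domain configuration."""

    def __init__(self, config):
        self.config = config  # source domain -> capabilities the configuration allows it

    def authorize(self, claims):
        return claims["cap"] in self.config.get(claims["src"], set())

class TargetService:
    """Second service: affirms only if broker AND authorization server both confirm."""

    def __init__(self, name, broker, authz):
        self.name, self.broker, self.authz = name, broker, authz

    def handle_replication(self, token, now):
        claims = self.broker.authenticate(token, presenter=self.name, now=now)
        if claims is None:
            return ("denied", "trust broker did not confirm the token")
        if not self.authz.authorize(claims):
            return ("denied", "capability %r not allowed for %s" % (claims["cap"], claims["src"]))
        return ("affirmed", claims["cap"])

def run_scenarios(now=1_700_000_000):
    """Constructed two-forest setup: contoso.example replicating into fabrikam.example."""
    broker = TrustBroker("broker.example", b"constructed-broker-key")
    broker.register("mrs.contoso.example", "contoso.example")
    broker.register("mrs.fabrikam.example", "fabrikam.example")
    authz = AuthorizationServer({"contoso.example": {"mailbox-replication"}})
    target = TargetService("mrs.fabrikam.example", broker, authz)
    out = {}
    good = broker.issue("mrs.contoso.example", target.name, "mailbox-replication", now)
    out["allowed"] = target.handle_replication(good, now)
    # Capability the fabrikam configuration does not grant contoso: authorization denies.
    bad_cap = broker.issue("mrs.contoso.example", target.name, "mailbox-delete", now)
    out["wrong_capability"] = target.handle_replication(bad_cap, now)
    # Token issued for some other target service: the broker denies it here.
    other = broker.issue("mrs.contoso.example", "mrs.other.example", "mailbox-replication", now)
    out["wrong_target"] = target.handle_replication(other, now)
    # Same token with its target rewritten after issuance: signature check fails.
    hexpayload, sig = other.split(".", 1)
    forged = json.loads(bytes.fromhex(hexpayload))
    forged["aud"] = target.name
    retargeted = json.dumps(forged, sort_keys=True).encode().hex() + "." + sig
    out["tampered"] = target.handle_replication(retargeted, now)
    return out

if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print("%-17s %s" % (name, result))
```

The point the scenarios make is the one the claims hinge on: a token the broker confirms is still not sufficient on its own, because the second domain's authorization server separately compares the requested capability with its own configuration, and a request is affirmed only when both checks pass. The first service never sends a password or other credential for the remote forest; the broker's signature and the registration it performed at certificate exchange are what the second domain relies on.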