Identity provider instance discovery

US 8,838,792 B2
Filed: 02/28/2013
Issued: 09/16/2014
Est. Priority Date: 12/03/2010
Status: Active Grant

First Claim

Patent Images

1. A method of automated discovery of an identity provider instance (IdP), the identity provider instance being one of a plurality of identity provider instances that comprise a logical IdP service, comprising:

receiving a request for an identity provider instance, the request being issued to the logical IdP service automatically by a service provider in response to receipt at the service provider of an end user request to obtain a service from an application associated with the service provider;

in response to receiving the request for the identity provider instance, selecting a particular one of the plurality of identity provider instances according to a selection criteria; and

returning to the service provider a response to the request for the identity provider instance, the response identifying the selected identity provider instance;

wherein at least one of the receiving, selecting and returning steps being carried out by software executing in a hardware element.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of discovering an identity provider instance according to this disclosure begins upon receipt from a service provider (or from a discovery service to which the service provider redirects the user) of a request for an IdP instance. Preferably, the request for an IdP instance is received as a Web services request following receipt at the service provider of an end user client request to access an application. In response to receiving the request, an IdP instance is selected, preferably using one or more criteria, such as user proximity, instance load, instance availability, the existence of a prior IdP binding, or the like. Following the selection, a response to the request is generated and returned to the requesting service provider. Preferably, the response is a redirect to the selected IdP instance.

Citations

12 Claims

1. A method of automated discovery of an identity provider instance (IdP), the identity provider instance being one of a plurality of identity provider instances that comprise a logical IdP service, comprising:
- receiving a request for an identity provider instance, the request being issued to the logical IdP service automatically by a service provider in response to receipt at the service provider of an end user request to obtain a service from an application associated with the service provider;
  
  in response to receiving the request for the identity provider instance, selecting a particular one of the plurality of identity provider instances according to a selection criteria; and
  
  returning to the service provider a response to the request for the identity provider instance, the response identifying the selected identity provider instance;
  
  wherein at least one of the receiving, selecting and returning steps being carried out by software executing in a hardware element.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method as described in claim 1 wherein the selection criteria is a capability associated with one or more identity provider instances.
  - 3. The method as described in claim 1 wherein the selection criteria is one of:
    - a network proximity between an computing entity and one or more of the identity provider instances, a geographic proximity between a computing entity and one or more of the identity provider instances, a load associated with one or more of the identity provider instances, availability of one or more identity provider instances, a performance metric associated with one or more identity provider instances, and an existing binding associated with one or more identity provider instances.
  - 4. The method as described in claim 1 wherein the request for an identity provider instance is a Web service request that is generated by the service provider.
  - 5. The method as described in claim 1 wherein the request for an identity provider instance is received following selection of an identity provider associated with the plurality of identity provider instances.
  - 6. The method as described in claim 1 wherein the plurality of identity provider instances include at least one cluster of identity provider instances that are co-located with one another.
  - 7. The method as described in claim 1 wherein the plurality of identity provider instances includes at least first and second clusters of identity provider instances, the first cluster being located remote from the second cluster.
  - 8. The method as described in claim 1 further including maintaining at least first and second identity provider instances in a synchronized state.
  - 9. The method as described in claim 1 wherein the logical IdP service is a logical enterprise IdP service.

10. A method to automatically select an identity provider (IdP) instance from among a set of identity provider instances comprising an enterprise IdP service, comprising:
- clustering a plurality of identity provider instances at distributed locations to provide automated IdP discovery for a plurality of federated applications, each cluster comprising a plurality of identity provider instances;
  
  responsive to receipt at a cluster of a request for an identity provider instance, the request being issued to the enterprise IdP service automatically by a service provider in response to receipt at the service provider of an end user request to obtain a service from a federated application associated with the service provider, determining whether the request for the identity provider instance should be processed at the cluster;
  
  if it is determined that the request for the identity provider instance should be processed at the cluster, determining an appropriate cluster instance and returning to the service provider a response to the request for the identity provider instance; and
  
  if it is determined that the request for the identity provider instance should not be processed at the cluster, redirecting the request for the identity provider instance to another cluster for servicing;
  
  wherein at least one of the determining steps is carried out by software executing in a hardware element.
- View Dependent Claims (11, 12)
- - 11. The method as described in claim 10 further including maintaining a synchronized state across the distributed locations.
  - 12. The method as described in claim 10 wherein a determination that the request should not be processed at the cluster is made if an identity provider instance is unavailable, if an identity provider instance does not provide a given capability, or for load balancing purposes.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
McCarty, Richard James
Primary Examiner(s)
Pham, Chi
Assistant Examiner(s)
CHOWDHURY, FAHMIDA S

Application Number

US13/781,294
Publication Number

US 20130179573A1
Time in Patent Office

565 Days
Field of Search
US Class Current

709/225
CPC Class Codes

G06F 9/505   considering the load

H04L 41/00   Arrangements for maintenanc...

H04L 63/0815   providing single-sign-on or...

H04L 63/0823   using certificates cryptogr...

H04L 67/02   based on web technology, e....

H04L 67/51   Discovery or management the...

Identity provider instance discovery

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Identity provider instance discovery

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links