Identity provider instance discovery
First Claim
1. A method of automated discovery of an identity provider instance (IdP), the identity provider instance being one of a plurality of identity provider instances that comprise a logical IdP service, comprising:
- receiving a request for an identity provider instance, the request being issued to the logical IdP service automatically by a service provider in response to receipt at the service provider of an end user request to obtain a service from an application associated with the service provider;
- in response to receiving the request for the identity provider instance, selecting a particular one of the plurality of identity provider instances according to a selection criteria; and
- returning to the service provider a response to the request for the identity provider instance, the response identifying the selected identity provider instance;
- wherein at least one of the receiving, selecting and returning steps being carried out by software executing in a hardware element.
1 Assignment
0 Petitions
Abstract
A method of discovering an identity provider instance according to this disclosure begins upon receipt from a service provider (or from a discovery service to which the service provider redirects the user) of a request for an IdP instance. Preferably, the request for an IdP instance is received as a Web services request following receipt at the service provider of an end user client request to access an application. In response to receiving the request, an IdP instance is selected, preferably using one or more criteria, such as user proximity, instance load, instance availability, the existence of a prior IdP binding, or the like. Following the selection, a response to the request is generated and returned to the requesting service provider. Preferably, the response is a redirect to the selected IdP instance.
12 Claims
1. Independent claim 1, set out in full under First Claim above; claims 2 to 9 depend from it.
10. A method to automatically select an identity provider (IdP) instance from among a set of identity provider instances comprising an enterprise IdP service, comprising:
- clustering a plurality of identity provider instances at distributed locations to provide automated IdP discovery for a plurality of federated applications, each cluster comprising a plurality of identity provider instances;
- responsive to receipt at a cluster of a request for an identity provider instance, the request being issued to the enterprise IdP service automatically by a service provider in response to receipt at the service provider of an end user request to obtain a service from a federated application associated with the service provider, determining whether the request for the identity provider instance should be processed at the cluster;
- if it is determined that the request for the identity provider instance should be processed at the cluster, determining an appropriate cluster instance and returning to the service provider a response to the request for the identity provider instance; and
- if it is determined that the request for the identity provider instance should not be processed at the cluster, redirecting the request for the identity provider instance to another cluster for servicing;
- wherein at least one of the determining steps is carried out by software executing in a hardware element.
Claims 11 and 12 depend from claim 10.
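The abstract lists the selection criteria (user proximity, instance load, instance availability, a prior IdP binding) and claim 10 adds the cluster-level decision of whether to service a request locally or hand it to another cluster. The following Python is an added worked example of both pieces together; it is not code from the patent or its assignee. All names (the `Cluster`, `IdpInstance` and `IdpRequest` types, the `discover` function, the `example.` URLs and the region labels) are assumptions constructed for illustration, and the sample cluster data is likewise constructed. The ordering of the criteria (healthy instances only, then a still-healthy prior binding, then same-region, then lowest load) is one reasonable reading of the abstract, not an ordering the page itself fixes.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class IdpInstance:
    """One physical IdP instance that is part of the logical IdP service."""
    instance_id: str
    url: str           # SSO endpoint the SP is redirected to (constructed sample value)
    region: str        # location the instance is deployed in, used for proximity
    load: float        # current load, 0.0 (idle) .. 1.0 (saturated)
    healthy: bool = True  # availability as reported by health checks


@dataclass
class IdpRequest:
    """The SP's automatic request for an IdP instance, issued on an end-user access."""
    user_id: str
    user_region: str   # where the end user is, as seen by the SP (e.g. from geo-IP)
    sp_id: str


@dataclass
class Cluster:
    """A cluster of IdP instances at distributed locations (claim 10)."""
    name: str
    regions: List[str]                       # regions this cluster is responsible for
    instances: List[IdpInstance]
    peers: Dict[str, str] = field(default_factory=dict)  # region -> peer cluster's discovery URL


def select_instance(req: IdpRequest, instances: List[IdpInstance],
                    bindings: Dict[str, str]) -> Optional[IdpInstance]:
    """Apply the abstract's criteria: availability, prior binding, proximity, load."""
    candidates = [i for i in instances if i.healthy]       # availability first
    if not candidates:
        return None
    bound = bindings.get(req.user_id)                       # prior IdP binding wins ...
    for inst in candidates:
        if inst.instance_id == bound:                       # ... but only if still healthy
            return inst
    # Otherwise prefer an instance in the user's own region, then the least loaded one.
    candidates.sort(key=lambda i: (i.region != req.user_region, i.load))
    return candidates[0]


def discover(cluster: Cluster, req: IdpRequest, bindings: Dict[str, str]) -> dict:
    """Cluster-level handling: service the request here or redirect it to a peer cluster.

    Returns an HTTP-style response dict; 302 carries the selected instance's URL,
    307 carries a peer cluster's discovery URL, 503 means nothing could serve it.
    """
    if req.user_region not in cluster.regions:
        peer = cluster.peers.get(req.user_region)
        if peer is None:
            return {"status": 503, "reason": "no cluster serves region %s" % req.user_region}
        # Not our region: redirect the discovery request to the responsible cluster.
        return {"status": 307, "location": peer, "handled_by": None}
    inst = select_instance(req, cluster.instances, bindings)
    if inst is None:
        return {"status": 503, "reason": "no healthy instance in cluster %s" % cluster.name}
    bindings[req.user_id] = inst.instance_id                # remember the binding for next time
    return {"status": 302, "location": inst.url, "handled_by": inst.instance_id}


def sample_cluster() -> Cluster:
    """Constructed sample data: an EMEA cluster with two EU instances and one ME instance."""
    return Cluster(
        name="emea",
        regions=["eu", "me"],
        instances=[
            IdpInstance("idp-eu-1", "https://idp-eu-1.example/sso", "eu", load=0.2),
            IdpInstance("idp-eu-2", "https://idp-eu-2.example/sso", "eu", load=0.7),
            IdpInstance("idp-me-1", "https://idp-me-1.example/sso", "me", load=0.1),
        ],
        peers={"us": "https://discovery.amer.example/idp"},
    )


if __name__ == "__main__":
    cluster = sample_cluster()
    bindings: Dict[str, str] = {}
    print(discover(cluster, IdpRequest("alice", "eu", "sp-crm"), bindings))
    print(discover(cluster, IdpRequest("bob", "us", "sp-crm"), bindings))
    cluster.instances[0].healthy = False   # idp-eu-1 goes down; alice is re-bound on her next visit
    print(discover(cluster, IdpRequest("alice", "eu", "sp-crm"), bindings))
```

Note that a binding to an instance that has since become unhealthy is not honoured: the user is moved to another instance and the binding is updated, which is the behaviour a practitioner would want so that a dead instance does not keep attracting its previously bound users.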