Privacy-preserving user attribute release and session management
First Claim
1. A method comprising the steps of:
- validating an externally-generated security token issued to a user;
extracting one or more claims from the validated externally-generated security token;
creating a session object to hold the extracted one or more claims;
issuing a plurality of internally-generated security tokens based on the session object to identify the user to respective protected resources in one or more local domains of an entity;
validating a given one of the internally-generated security tokens in conjunction with a request from the user for access to a given protected resource in a given one of the local domains using an access control module associated with the given local domain;
selectively releasing, by an internal issuing authority to the access control module associated with the given local domain, information associated with at least one extracted claim responsive to validation of the internally-generated security token; and
granting or denying access of the user to the given protected resource based on the selectively-released information;
wherein the externally-generated and internally-generated security tokens are respectively generated externally and internally relative to the entity;
wherein selectively releasing information associated with at least one extracted claim comprises releasing different sets of one or more user attributes in conjunction with different access requests directed to different ones of the protected resources; and
wherein said steps are performed by at least one processing device comprising a processor coupled to a memory.
9 Assignments
0 Petitions
Accused Products
Abstract
An information processing system comprises one or more processing devices of at least one processing platform. In one embodiment, the system comprises cloud infrastructure that is configured to validate an externally-generated security token issued to a user, to extract one or more claims from the validated externally-generated security token, and to create a session object to hold the extracted claim or claims. The cloud infrastructure issues an internally-generated security token based on the session object that allows the user to be identified to a protected resource. The internally-generated security token is validated in conjunction with a request from the user for access to the protected resource, and information associated with at least one extracted claim is selectively released responsive to validation of the internally-generated security token. Access of the user to the protected resource is granted or denied based on the selectively-released information.
-
Citations
28 Claims
-
1. A method comprising the steps of:
-
validating an externally-generated security token issued to a user; extracting one or more claims from the validated externally-generated security token; creating a session object to hold the extracted one or more claims; issuing a plurality of internally-generated security tokens based on the session object to identify the user to respective protected resources in one or more local domains of an entity; validating a given one of the internally-generated security tokens in conjunction with a request from the user for access to a given protected resource in a given one of the local domains using an access control module associated with the given local domain; selectively releasing, by an internal issuing authority to the access control module associated with the given local domain, information associated with at least one extracted claim responsive to validation of the internally-generated security token; and granting or denying access of the user to the given protected resource based on the selectively-released information; wherein the externally-generated and internally-generated security tokens are respectively generated externally and internally relative to the entity; wherein selectively releasing information associated with at least one extracted claim comprises releasing different sets of one or more user attributes in conjunction with different access requests directed to different ones of the protected resources; and wherein said steps are performed by at least one processing device comprising a processor coupled to a memory. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
-
-
24. An apparatus comprising:
-
information technology infrastructure comprising one or more processing devices, each of such processing devices comprising a processor coupled to a memory;
said one or more processing devices being configured to perform the steps of;validating an externally-generated security token issued to a user; extracting one or more claims from the validated externally-generated security token; creating a session object to hold the extracted one or more claims; issuing a plurality of internally-generated security tokens based on the session object to identify the user to protected resources in respective ones of one or more local domains of an entity; validating a given one of the internally-generated security tokens in conjunction with a request from the user for access to a given protected resource in a given one of the local domains using an access control module associated with the given local domain; selectively releasing, by an internal issuing authority to the access control module associated with the given local domain, information associated with at least one extracted claim responsive to validation of the internally-generated security token; and granting or denying access of the user to the given protected resource based on the selectively-released information; wherein the externally-generated and internally-generated security tokens are respectively generated externally and internally relative to the entity that controls access to the protected resources; and wherein selectively releasing information associated with at least one extracted claim comprises releasing different sets of one or more user attributes in conjunction with different access requests directed to different one of the protected resources. - View Dependent Claims (25, 26)
-
-
27. An apparatus comprising:
-
a claims extractor configured to extract one or more claims from a validated security token of a first type; a token generator configured to issue a plurality of security tokens of a second type responsive to the validation of the security token of the first type, the plurality of security tokens of the second type identifying a user to protected resources in respective ones of one or more local domains; and access control modules associated with respective ones of the protected resources; wherein a given one of the security tokens of the second type is validated in conjunction with a request from the user for access to a given protected resource by its associated access control module, and information associated with at least one extracted claim is selectively released by an internal issuing authority to the access control module associated with the given protected resource responsive to validation of the security token of the second type; and wherein the access control module associated with the given protected resource grants or denies access of the user to the given protected resource based on the selectively-released information; and wherein the issuing authority is configured to selectively release information comprising different sets of one or more user attributes in conjunction with different access requests to different ones of the protected resources. - View Dependent Claims (28)
-
Specification