Generalized identity mediation and propagation

US 8,863,225 B2
Filed: 06/29/2010
Issued: 10/14/2014
Est. Priority Date: 06/29/2010
Status: Expired due to Fees

First Claim

Patent Images

1. An enterprise service bus, comprising:

a plurality of processors;

a computer-readable storage medium, coupled to the plurality of processors;

an identity mapping module;

an authentication module;

an authorization module; and

logic, stored on the computer-readable storage medium and executed on the plurality of processors, for;

retrieving, by the identity mapping module, an identity mapping policy for specifying direct and one-to-one correspondences between each identity of a first set of identities and each identity of a second set of identities, wherein the first set of identities correspond to a party and a client application, executed on a client computer, and the second set of identities correspond to the party and a server application, executed on a server computer;

retrieving, by the authentication module, an authentication policy for authenticating a first identity of the first set of identities and a second identity of the second set identities, wherein the first identity and the second identity are mapped to each other by the identity mapping module;

retrieving, by the authorization module, an authorization policy for authorizing the second identity for access to the server application andproviding a service, corresponding to a service request, from the server application to the party based upon a mapping of the first identity to the second identity, an authentication of the first and second identities and an authorization of the second identity.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided are techniques for providing security in a computing system with identity mediation policies that are enterprise service bus (EBS) independent. A mediator component performs service-level operation such as message brokering, identity mediation, and transformation to enhance interoperability among service consumers and service providers. A mediator component may also delegate identity related operations to a token service of handler. Identity mediation may include such operations as identity determination, or “identification,” authentication, authorization, identity transformation and security audit.

10 Citations

20 Claims

1. An enterprise service bus, comprising:
- a plurality of processors;
  
  a computer-readable storage medium, coupled to the plurality of processors;
  
  an identity mapping module;
  
  an authentication module;
  
  an authorization module; and
  
  logic, stored on the computer-readable storage medium and executed on the plurality of processors, for;
  
  retrieving, by the identity mapping module, an identity mapping policy for specifying direct and one-to-one correspondences between each identity of a first set of identities and each identity of a second set of identities, wherein the first set of identities correspond to a party and a client application, executed on a client computer, and the second set of identities correspond to the party and a server application, executed on a server computer;
  
  retrieving, by the authentication module, an authentication policy for authenticating a first identity of the first set of identities and a second identity of the second set identities, wherein the first identity and the second identity are mapped to each other by the identity mapping module;
  
  retrieving, by the authorization module, an authorization policy for authorizing the second identity for access to the server application andproviding a service, corresponding to a service request, from the server application to the party based upon a mapping of the first identity to the second identity, an authentication of the first and second identities and an authorization of the second identity.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The enterprise service bus of claim 1, further comprising:
    - an audit module; and
      
      logic, stored on the computer-readable storage medium and executed on the plurality of processors, forretrieving, by the audit module of the first enterprise service bus, and audit policy for auditing the mapping module, the authentication module and the authorization module to produce an audit trail; and
      
      storing, on the computer-readable storage media, the audit trail.
  - 3. The enterprise service bus of claim 2, wherein the audit trail comprises one or more of:
    - a log file;
      
      a plurality of database records; and
      
      a plurality electronic messages to an appropriate party.
  - 4. The enterprise service bus of claim 1, the logic further comprising logic, stored on the computer-readable storage medium and executed on the plurality of processors, for:
    - retrieving, by the identity mapping module, a second identity mapping policy for specifying correspondence between the first set of identities and the second set of identities;
      
      retrieving, by the authentication module, a second authentication policy for authenticating the first identity of the first set of identities and the second identity of the second set identities; and
      
      retrieving, by the authorization module, a second authorization policy for authorizing the second identity for access to the server application.
  - 5. The enterprise service bus of claim 1, further comprising:
    - a transformation module; and
      
      stored on the computer-readable storage medium and executed on the plurality of processors, for;
      
      retrieving by the transformation module, a transformation policy; and
      
      modifying, by the transformation module, the service request based upon the transformation policy.

6. A non-transitory computer-readable storage medium storing a computer programming product for providing secure access to a server application, comprising:
- logic, stored on the computer-readable storage medium for execution on a processor, for;
  
  retrieving, by an identity mapping module of a first enterprise service bus, an identity mapping policy for specifying direct and one-to-one correspondences between a first set of identities and a second set of identities, wherein the first set of identities correspond to a party and a client application, executed on a client computer, and the second set of identities correspond to the party and the server application, executed on a server computer;
  
  retrieving, by an authentication module of the first enterprise service bus, an authentication policy for authenticating a first identity of the first set of identities and a second identity of the second set identities, wherein the first identity and the second identity are mapped to each other by the identity mapping module;
  
  retrieving, by an authorization module of the first enterprise service bus, an authorization policy for authorizing the second identity for access to the server application;
  
  providing a service, corresponding to a service request, from the server application to the party based upon a mapping of the first identity to the second identity by the mapping module, an authentication of the first and second identities by the authentication module and an authorization of the second identity by the authorization module.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The computer programming product of claim 6, the logic further comprising logic for:
    - retrieving, by an audit module of the first enterprise service bus, and audit policy for auditing the mapping module, to authentication module and the authorization module to produce an audit trail; and
      
      storing, on a computer-readable storage media, the audit trail.
  - 8. The computer programming product of claim 7, wherein the audit trail comprises one or more of:
    - a log file;
      
      a plurality of database records; and
      
      a plurality of electronic messages to an appropriate party.
  - 9. The computer programming product of claim 6, the logic further comprising logic for;
    - retrieving, by a second identity mapping module, a second authentication module and a second authorization module, each corresponding to a second enterprise service bus, the identity mapping policy, the authentication policy and the authorization policy, respectively, wherein the second enterprise service bus is a different type of enterprise service bus than the first enterprise service bus;
      
      providing the service from the server application to the party based upon a mapping of the first identity to the second identity by the second mapping module, an authentication of the first and second identities by the second authentication module and an authorization of the second identity by the second authorization module.
  - 10. The computer programming product of claim 6, the logic further comprising logic for:
    - retrieving by a transformation module of the first enterprise service bus, a transformation policy; and
      
      modifying, by the transformation module, the service request based upon the transformation policy.

11. A non-transitory computer-readable storage medium storing a computer programming product for providing secure access to a server application, comprising:
- logic, stored on the computer-readable storage medium for execution on a processor, for;
  
  transmitting, to an identity mapping module of a first enterprise service bus, an identity mapping policy for specifying direct and one-to-one correspondences between a first set of identities and a second set of identities, wherein the first set of identities correspond to a party and a client application, executed on a client computer, and the second set of identities correspond to the party and the server application, executed on a server computer;
  
  transmitting, to an authentication module of the first enterprise service bus, an authentication policy for authenticating a first identity of the first set of identities and a second identity of the second set identities, wherein the first identity and the second identity are mapped to each other by the identity mapping module;
  
  transmitting, to an authorization module of the first enterprise service bus, an authorization policy for authorizing the second identity for access to the server application;
  
  executing a service, corresponding to a service request and the server application, for the party based upon a mapping of the first identity to the second identity by the mapping module, an authentication of the first and second identities by the authentication module and an authorization of the second identity by the authorization module.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The computer programming product of claim 11, the logic further comprising logic for:
    - transmitting, to an audit module of the first enterprise service bus, and audit policy for auditing the mapping module, the authentication module and the authorization module to produce an audit trail; and
      
      storing, on a computer-readable storage media, the audit trail.
  - 13. The computer programming product of claim 12, wherein the audit trail comprises one or more of:
    - a log file;
      
      a plurality of database records; and
      
      a plurality of electronic messages to an appropriate party.
  - 14. The computer programming product of claim 11, the logic further comprising logic for:
    - transmitting, to a second identity mapping module, a second authentication module and a second authorization module, each corresponding to a second enterprise service bus, the identity mapping policy, the authentication policy and the authorization policy, respectively, wherein the second enterprise service bus is a different type of enterprise service bus than the first enterprise service bus;
      
      executing the service for the party based upon a mapping of the first identity to the second identity by the second mapping module, an authentication of the first and second identities by the second authentication module and an authorization of the second identity by the second authorization module.
  - 15. The computer programming product of claim 11, the logic further comprising logic for:
    - transmitting to a transformation module of the first enterprise service bus, a transformation policy; and
      
      modifying, by the transformation module, the service request based upon the transformation policy.

16. A method, comprising:
- retrieving an identity mapping policy for specifying direct and one-to-one correspondences between each identity of a first set of identities and each identity of a second set of identities, wherein the first set of identities correspond to a party and a client application, executed on a client computer, and the second set of identities correspond to the party and a server application, executed on a server computer;
  
  retrieving an authentication policy for authenticating a first identity of the first set of identities and a second identity of the second set identities, wherein the first identity and the second identity are mapped to each other by the identity mapping module;
  
  retrieving an authorization policy for authorizing the second identity for access to the server application andproviding a service, corresponding to a service request, from the server application to the party based upon a mapping of the first identity to the second identity, an authentication of the first and second identities and an authorization of the second identity.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The method of claim 16, further comprising:
    - retrieving to produce an audit trail; and
      
      storing, on a computer-readable storage media, the audit trail.
  - 18. The method of claim 17, wherein the audit trail comprises one or more of;
    - a log file;
      
      a plurality of database records; and
      
      a plurality of electronic messages to an appropriate party.
  - 19. The enterprise service bus of claim 16, further comprising:
    - retrieving a second identity mapping policy for specifying correspondence between the first set of identities and the second set of identities;
      
      retrieving a second authentication policy for authenticating the first identity of the first set of identities and the second identity of the second set identities; and
      
      retrieving a second authorization policy for authorizing the second identity for access to the server application.
  - 20. The method of claim 16, further comprising:
    - retrieving a transformation policy; and
      
      modifying the service request based upon the transformation policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Milman, Ivan M., Oberhofer, Martin, Fot, Dmitriy
Primary Examiner(s)
Perungavoor, Venkat
Assistant Examiner(s)
Mehrmanesh, Amir

Application Number

US12/826,614
Publication Number

US 20110321136A1
Time in Patent Office

1,568 Days
Field of Search

726 1- 5, 709/224, 709/242, 713/200, 713/201, 713168-171
US Class Current

726/1
CPC Class Codes

G06F 21/6218 to a system of files or obj...

Generalized identity mediation and propagation

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

10 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Generalized identity mediation and propagation

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

10 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links