Trusted intermediary for network layer claims-enabled access control
First Claim
1. An apparatus for use in a system comprising a computer in communication via at least one network with a network resource, the at least one network employing a network layer security protocol, the apparatus comprising:
- at least one processor coupled to a memory, the at least one processor programmed to;
(A) receive from the computer a request for access to the network resource and one or more requester claims describing attributes of one or more of the computer, a user of the computer, and a context in which access by the computer to the network resource is requested, the one or more requester claims being included in a communication formatted to comply with the network layer security protocol;
(B) in response to receiving from the computer the request for access to the network resource, request from a claims provider, on behalf of the network resource, one or more resource claims, the one or more resource claims describing attributes of one or more of the network resource, an organization to which the network resource is affiliated, an owner of the network resource, a stage of deployment of the network resource, and a sensitivity of the network resource;
(C) receive from the claims provider the one or more resource claims, the one or more resource claims being included in a communication formatted to comply with the network layer security protocol;
(D) request an access control policy decision whether to grant or deny access by the computer to the network resource, the request providing information included in the one or more requester claims and the one or more resource claims, the request being included in a communication formatted to comply with the network layer security protocol, the access control policy decision being based at least in part on the information and an access control policy that is dynamically generated;
(E) receive an access control policy decision indicating that access by the computer to the network resource is granted; and
(F) removing the one or more requester claims from the request before sending the request to the network resource in accordance with a second protocol.
2 Assignments
0 Petitions
Accused Products
Abstract
Embodiments of the invention provide a trusted intermediary for use in a system in which access control decisions may be based at least in part on information provided in claims. The intermediary may request claims on behalf of a network resource to which access is requested, and submit the claims for a decision whether to grant or deny access. The decision may be based at least in part on one or more access control policies, which may be pre-set or dynamically generated. Because the intermediary requests the claims and submits the claims for an access control decision, the network resource (e.g., a server application) need not be configured to process claims information.
-
Citations
17 Claims
-
1. An apparatus for use in a system comprising a computer in communication via at least one network with a network resource, the at least one network employing a network layer security protocol, the apparatus comprising:
-
at least one processor coupled to a memory, the at least one processor programmed to; (A) receive from the computer a request for access to the network resource and one or more requester claims describing attributes of one or more of the computer, a user of the computer, and a context in which access by the computer to the network resource is requested, the one or more requester claims being included in a communication formatted to comply with the network layer security protocol; (B) in response to receiving from the computer the request for access to the network resource, request from a claims provider, on behalf of the network resource, one or more resource claims, the one or more resource claims describing attributes of one or more of the network resource, an organization to which the network resource is affiliated, an owner of the network resource, a stage of deployment of the network resource, and a sensitivity of the network resource; (C) receive from the claims provider the one or more resource claims, the one or more resource claims being included in a communication formatted to comply with the network layer security protocol; (D) request an access control policy decision whether to grant or deny access by the computer to the network resource, the request providing information included in the one or more requester claims and the one or more resource claims, the request being included in a communication formatted to comply with the network layer security protocol, the access control policy decision being based at least in part on the information and an access control policy that is dynamically generated; (E) receive an access control policy decision indicating that access by the computer to the network resource is granted; and (F) removing the one or more requester claims from the request before sending the request to the network resource in accordance with a second protocol. - View Dependent Claims (2, 3, 4, 5, 6, 7)
-
-
8. A method for use in a system comprising a computer in communication via at least one network with a network resource, the at least one network employing a network layer security protocol, the method being performed in response to a request by the computer to access the network resource, the method comprising:
-
(A) by a claims provider, receiving from the computer a request for one or more requester claims that describe attributes of one or more of the computer, a user of the computer, a context in which access by the computer to the network resource is requested, and a strength of connection between the computer and the network resource; (B) by the claims provider, providing the one or more requester claims to the computer, the one or more requester claims being included in a communication formatted to comply with the network layer security protocol, the one or more requested claims retrieved from a static claim repository and a dynamic claim store; (C) by the claims provider, receiving from an intermediary a request for one or more resource claims that describe attributes of one or more of the network resource, an organization to which the network resource is affiliated, an owner of the network resource, a stage of deployment of the network resource, and a sensitivity of the network resource, the request being sent on behalf of the network resource; and (D) by the claims provider, providing the one or more resource claims to the intermediary, the one or more resource claims being included in a communication formatted to comply with the network layer security protocol. - View Dependent Claims (9, 10, 11, 12, 13, 14)
-
-
15. At least one computer-readable storage memory having instructions recorded thereon which, when executed by a computer, perform a method of requesting an access control policy decision, the method comprising:
-
receiving, from a claims provider, at least one claim comprising information related to the computer; responsive to receiving a request from the computer for access to a network resource, requesting at least one claim comprising information related to the network resource from the claims provider; and (A) responsive to receiving the request from the computer for access to the network resource, issuing a request for a decision whether to grant or deny access by the computer to the network resource, the request comprising the information relating to the computer that describes attributes of one or more of the computer, a user of the computer, and a context in which access by the computer to the network resource is requested, and, the information related to the network resource that describes attributes of one or more of the network resource, an organization with which the network resource is affiliated, an owner of the network resource, a stage of deployment of the network resource, and a sensitivity of the network resource, the information relating to the computer being included in a communication formatted to comply with the network layer security protocol, the information relating to the network resource being included in a communication formatted to comply with the network layer security protocol; (B) receiving a decision to grant access by the computer to the network resource; and (C) removing the at least one claim comprising information related to the computer from the request before sending the request for access to the network resource. - View Dependent Claims (16, 17)
-
Specification