Dynamic identity context propagation
First Claim
1. A method for propagating identity context information, the method comprising:

receiving, at a computer, a service request initiated by a user requesting a web application to invoke one or more web services, the service request requesting conversion of an authentication token included in the service request into service-side identity context information pertaining to the user;

extracting, by the computer, first and second sets of security claims from the authentication token, the first set of security claims having been retrieved from identity context information pertaining to the user generated in response to the user being authenticated to the web application, the identity context information having a set of one or more identity-related attributes and a set of one or more security claims related to characteristics of the user, the user's environment, or combinations thereof, and the second set of security claims having been created based on runtime information different from the identity context information;

validating, by the computer, the extracted first and second sets of security claims;

generating, by the computer system, the service-side identity context information pertaining to the user based upon the extracted first and second sets of security claims; and

propagating, by the computer, the service-side identity context information pertaining to the user in an identity context object to at least one of the one or more web services.
Abstract
Techniques are provided for dynamically propagating identity context for a user in a Service-Oriented Architecture. Methods and apparatus are provided that include receiving a request to invoke a web service, retrieving first security claims from application identity context information pertaining to a user, generating second security claims at runtime, packaging the first and second security claims into an authentication token, and transmitting the authentication token to a second computer system in a service request. The second computer system can be configured to extract the first and second security claims from the authentication token, validate the extracted first and second security claims, generate identity context information based upon the extracted first and second security claims, and publish and propagate the identity context information in an identity context object. The second computer system can verify that the security claims conform to corresponding security claim schemas stored in a claims dictionary.
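The following is an added illustration of the flow the abstract describes, not code from the patent: the application side packages a first claim set (from stored identity context) and a second claim set (generated at runtime) into one token, and the service side extracts both sets, checks each claim against a schema in a claims dictionary, and builds a service-side identity context object for downstream services. The HMAC binding, the claims dictionary contents and all sample values are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed claims dictionary: claim name -> schema the service enforces (assumed shape).
CLAIMS_DICTIONARY = {
    "subject":    {"type": str,  "required": True},
    "roles":      {"type": list, "required": True},
    "auth_level": {"type": int,  "required": True},
    "client_ip":  {"type": str,  "required": True},
    "request_ts": {"type": int,  "required": True},
}

SHARED_KEY = b"constructed-demo-key"  # assumption: application and service share an HMAC key

def package_token(app_identity_context, runtime_info, key=SHARED_KEY):
    """Application side: first claims come from the user's identity context, second
    claims are generated from runtime information; both are bound in one token."""
    first = {k: app_identity_context[k] for k in ("subject", "roles", "auth_level")}
    second = {"client_ip": runtime_info["client_ip"], "request_ts": runtime_info["now"]}
    body = json.dumps({"first": first, "second": second}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag

def extract_and_validate(token, key=SHARED_KEY):
    """Service side: verify integrity, extract both claim sets, and reject any claim
    that is missing, has the wrong type, or is not defined in the claims dictionary."""
    body, _, tag = token.rpartition(".")  # the hex tag never contains a dot
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("token integrity check failed")
    sets = json.loads(body)
    merged = {**sets["first"], **sets["second"]}
    for name, schema in CLAIMS_DICTIONARY.items():
        if schema["required"] and name not in merged:
            raise ValueError(f"missing required claim: {name}")
        if name in merged and not isinstance(merged[name], schema["type"]):
            raise ValueError(f"claim {name} violates its schema")
    unknown = set(merged) - set(CLAIMS_DICTIONARY)
    if unknown:
        raise ValueError(f"claims not in dictionary: {sorted(unknown)}")
    return sets["first"], sets["second"]

def build_identity_context(first, second):
    """Generate the service-side identity context object: identity attributes plus claims."""
    claims = {k: v for k, v in first.items() if k != "subject"}
    return {"attributes": {"subject": first["subject"]}, "claims": {**claims, **second}}

def propagate(token, services):
    """Validate once, then hand the same identity context object to each downstream service."""
    first, second = extract_and_validate(token)
    ctx = build_identity_context(first, second)
    return [svc(ctx) for svc in services]
```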
Claims (27)
1. A method for propagating identity context information, the method comprising:

receiving, at a computer, a service request initiated by a user requesting a web application to invoke one or more web services, the service request requesting conversion of an authentication token included in the service request into service-side identity context information pertaining to the user; extracting, by the computer, first and second sets of security claims from the authentication token, the first set of security claims having been retrieved from identity context information pertaining to the user generated in response to the user being authenticated to the web application, the identity context information having a set of one or more identity-related attributes and a set of one or more security claims related to characteristics of the user, the user's environment, or combinations thereof, and the second set of security claims having been created based on runtime information different from the identity context information; validating, by the computer, the extracted first and second sets of security claims; generating, by the computer system, the service-side identity context information pertaining to the user based upon the extracted first and second sets of security claims; and propagating, by the computer, the service-side identity context information pertaining to the user in an identity context object to at least one of the one or more web services. (Dependent claims 2 through 9.)

10. A non-transitory computer-readable medium storing a computer program product for propagating identity context information which when executed by a processor of a computer causes the processor to:

receive a service request initiated by a user requesting a web application to invoke one or more web services, the service request requesting conversion of an authentication token included in the service request into service-side identity context information pertaining to the user; extract first and second sets of security claims from the authentication token, the first set of security claims having been retrieved from identity context information pertaining to the user generated in response to the user being authenticated to the web application, the identity context information having a set of one or more identity-related attributes and a set of one or more security claims related to characteristics of the user, the user's environment, or combinations thereof, and the second set of security claims having been created based on runtime information different from the identity context information; validate the extracted first and second sets of security claims; generate the service-side identity context information pertaining to the user based upon the extracted first and second sets of security claims; and propagate the service-side identity context information pertaining to the user in an identity context object to at least one of the one or more web services. (Dependent claims 11 through 18.)

19. A system for propagating identity context information, the system comprising:

a hardware processor; and a memory storing a set of instructions which when executed by the processor cause the processor to: receive a service request initiated by a user requesting a web application to invoke one or more web services, the service request requesting conversion of an authentication token included in the service request into service-side identity context information pertaining to the user; extract first and second sets of security claims from the authentication token, the first set of security claims having been retrieved from identity context information pertaining to the user generated in response to the user being authenticated to the web application, the identity context information having a set of one or more identity-related attributes and a set of one or more security claims related to characteristics of the user, the user's environment, or combinations thereof, and the second set of security claims having been created based on runtime information different from the identity context information; validate the extracted first and second sets of security claims; generate the service-side identity context information pertaining to the user based upon the extracted first and second sets of security claims; and propagate the service-side identity context information pertaining to the user in an identity context object to one or more web services. (Dependent claims 20 through 27.)