Dynamic identity context propagation

US 8,966,572 B2
Filed: 06/01/2012
Issued: 02/24/2015
Est. Priority Date: 09/30/2011
Status: Active Grant

First Claim

Patent Images

1. A method for propagating identity context information, the method comprising:

receiving, at a computer, a service request initiated by a user requesting a web application to invoke one or more web services, the service request requesting conversion of an authentication token included in the service request into service-side identity context information pertaining to the user;

extracting, by the computer, first and second sets of security claims from the authentication token,the first set of security claims having been retrieved from identity context information pertaining to the user generated in response to the user being authenticating to the web application, the identity context information having a set of one or more identity-related attributes and a set of one or more security claims related to characteristics of the user, the user'"'"'s environment, or combinations thereof, andthe second set of security claims having been created based on runtime information different from the identity context information;

validating, by the computer, the extracted first and second sets of security claims;

generating, by the computer system, the service-side identity context information pertaining to the user based upon the extracted first and second sets of security claims; and

propagating, by the computer, the service-side identity context information pertaining to the user in an identity context object to at least one of the one or more web services.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are provided for dynamically propagating identity context for a user in a Service-Oriented Architecture. Methods and apparatus are provided that include receiving a request to invoke a web service, retrieving first security claims from application identity context information pertaining to a user, generating second security claims at runtime, packaging the first and second security claims into an authentication token, and transmitting the authentication token to a second computer system in a service request. The second computer system can be configured to extract the first and second security claims from the authentication token, validate the extracted first and second security claims, generate identity context information based upon the extracted first and second security claims, and publish and propagate the identity content information in an identity context object. The second computer system can verify that the security claims conform to corresponding security claim schemas stored in a claims dictionary.

26 Citations

View as Search Results

27 Claims

1. A method for propagating identity context information, the method comprising:
- receiving, at a computer, a service request initiated by a user requesting a web application to invoke one or more web services, the service request requesting conversion of an authentication token included in the service request into service-side identity context information pertaining to the user;
  
  extracting, by the computer, first and second sets of security claims from the authentication token,the first set of security claims having been retrieved from identity context information pertaining to the user generated in response to the user being authenticating to the web application, the identity context information having a set of one or more identity-related attributes and a set of one or more security claims related to characteristics of the user, the user'"'"'s environment, or combinations thereof, andthe second set of security claims having been created based on runtime information different from the identity context information;
  
  validating, by the computer, the extracted first and second sets of security claims;
  
  generating, by the computer system, the service-side identity context information pertaining to the user based upon the extracted first and second sets of security claims; and
  
  propagating, by the computer, the service-side identity context information pertaining to the user in an identity context object to at least one of the one or more web services.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 further comprising publishing the service-side identity content information pertaining to the user as the identity context object available to the one or more web services.
  - 3. The method of claim 1 wherein validating, by the computer, the extracted first and second sets of security claims comprises verifying that the first and second security sets of claims conform to corresponding first and second sets of claim schemas stored in a claims dictionary.
  - 4. The method of claim 1 wherein extracting, by the computer, the first and second sets of security claims from the authentication token comprises extracting at least one security claim from the second set of security claims generated based upon a security policy associated with the web application.
  - 5. The method of claim 4 wherein the at least one security claim is generated based upon characteristics of the user, the characteristics determined at runtime based upon the security policy.
  - 6. The method of claim 1 wherein extracting, by the computer, the first and second sets of security claims from the authentication token comprises extracting at least one static security claims from the second set of claims defined prior to runtime and received from a claims dictionary or defined by a security policy.
  - 7. The method of claim 1 wherein extracting, by the computer, the first and second sets of security claims from the authentication token comprises extracting at least one security claims provided by a Security Token Service from the second set of security claims.
  - 8. The method of claim 1 wherein extracting, by the computer, the first and second sets of security claims from the authentication token comprises extracting at least one security claim in the first set of security claims generated based on one or more characteristics of the user'"'"'s machine, including an indication of whether anti-virus software is enabled, a firewall is enabled, or a combination thereof.
  - 9. The method of claim 1 wherein receiving, at the computer, the service request instructing the web service to convert the included authentication token into the service-side identity context information pertaining to the user comprises receiving a subject in the authentication token generated based on a user identity retrieved from identity context information associated with the web application.

10. A non-transitory computer-readable medium storing a computer program product for propagating identity context information which when executed by a processor of a computer causes the processor to:
- receive a service request initiated by a user requesting a web application to invoke one or more web services, the service request requesting conversion of an authentication token included in the service request into service-side identity context information pertaining to the user;
  
  extract first and second sets of security claims from the authentication token,the first set of security claims having been retrieved from identity context information pertaining to the user generated in response to the user being authenticating to the web application, the identity context information having a set of one or more identity-related attributes and a set of one or more security claims related to characteristics of the user, the user'"'"'s environment, or combinations thereof, andthe second set of security claims having been created based on based on runtime information different from the identity context information;
  
  validate the extracted first and second sets of security claims;
  
  generate the service-side identity context information pertaining to the user based upon the extracted first and second sets of security claims; and
  
  propagate the service-side identity context information pertaining to the user in an identity context object to at least one of the one or more web services.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The non-transitory computer-readable medium of claim 10 wherein the computer program product further causes the processor to publish the service-side identity content information pertaining to the user as the identity context object available to the one or more web services.
  - 12. The non-transitory computer-readable medium of claim 11 wherein to validate the extracted first and second sets of security claims the computer program product causes the processor to verify that the first and second security sets of claims conform to corresponding first and second sets of claim schemas stored in a claims dictionary.
  - 13. The non-transitory computer-readable medium of claim 10 wherein to extract the first and second sets of security claims from the authentication token the computer program product causes the processor to extract at least one security claim from the second set of security claims generated based upon a security policy associated with the web application.
  - 14. The non-transitory computer-readable medium of claim 13 wherein the at least one security claim is generated based upon characteristics of the user, the characteristics determined at runtime based upon the security policy.
  - 15. The non-transitory computer-readable medium of claim 10 wherein to extract the first and second sets of security claims from the authentication token the computer program product causes the processor to extract at least one static security claims from the second set of claims defined prior to runtime and received from a claims dictionary or defined by a security policy.
  - 16. The non-transitory computer-readable medium of claim 10 wherein to extract the first and second sets of security claims from the authentication token the computer program product causes the processor to extract at least one security claims provided by a Security Token Service from the second set of security claims.
  - 17. The non-transitory computer-readable medium of claim 10 wherein to extract the first and second sets of security claims from the authentication token the computer program product causes the processor to extract at least one security claim in the first set of security claims generated based on one or more characteristics of the user'"'"'s machine, including an indication of whether anti-virus software is enabled, a firewall is enabled, or a combination thereof.
  - 18. The non-transitory computer-readable medium of claim 10 wherein to receive the service request instructing the web service to convert the included authentication token into the service-side identity context information pertaining to the user the computer program product causes the processor to receive a subject in the authentication token generated based on a user identity retrieved from identity context information associated with the web application.

19. A system for propagating identity context information, the system comprising:
- a hardware processor; and
  
  a memory storing a set of instructions which when executed by the processor cause the processor to;
  
  receive a service request initiated by a user requesting a web application to invoke one or more web services, the service request requesting conversion of an authentication token included in the service request into service-side identity context information pertaining to the user;
  
  extract first and second sets of security claims from the authentication token,the first set of security claims having been retrieved from identity context information pertaining to the user generated in response to the user being authenticating to the web application, the identity context information having a set of one or more identity-related attributes and a set of one or more security claims related to characteristics of the user, the user'"'"'s environment, or combinations thereof, andthe second set of security claims having been created based on based on runtime information different from the identity context information;
  
  validate the extracted first and second sets of security claims;
  
  generate the service-side identity context information pertaining to the user based upon the extracted first and second sets of security claims; and
  
  propagate the service-side identity context information pertaining to the user in an identity context object to one or more web services.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27)
- - 20. The system of claim 19 wherein the set of instructions further cause the processor to publish the service-side identity content information pertaining to the user as the identity context object available to the one or more web services.
  - 21. The system of claim 20 wherein to validate the extracted first and second sets of security claims the set of instructions cause the processor to verify that the first and second security sets of claims conform to corresponding first and second sets of claim schemas stored in a claims dictionary.
  - 22. The system of claim 19 wherein to extract the first and second sets of security claims from the authentication token the set of instructions cause the processor to extract at least one security claim from the second set of security claims generated based upon a security policy associated with the web application.
  - 23. The system of claim 22 wherein the at least one security claim is generated based upon characteristics of the user, the characteristics determined at runtime based upon the security policy.
  - 24. The system of claim 19 wherein to extract the first and second sets of security claims from the authentication token the set of instructions cause the processor to extract at least one static security claims from the second set of claims defined prior to runtime and received from a claims dictionary or defined by a security policy.
  - 25. The system of claim 19 wherein to extract the first and second sets of security claims from the authentication token the set of instructions cause the processor to extract at least one security claims provided by a Security Token Service from the second set of security claims.
  - 26. The system of claim 19 wherein to extract the first and second sets of security claims from the authentication token the set of instructions cause the processor to extract at least one security claim in the first set of security claims generated based on one or more characteristics of the user'"'"'s machine, including an indication of whether anti-virus software is enabled, a firewall is enabled, or a combination thereof.
  - 27. The system of claim 19 wherein to receive the service request instructing the web service to convert the included authentication token into the service-side identity context information pertaining to the user the set of instructions cause the processor to receive a subject in the authentication token generated based on a user identity retrieved from identity context information associated with the web application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Kavantzas, Nickolas, Guo, Jiandong, Gupta, Pratibha
Primary Examiner(s)
Chen, Shin-Hon

Application Number

US13/486,848
Publication Number

US 20130086629A1
Time in Patent Office

998 Days
Field of Search

None
US Class Current

726/1
CPC Class Codes

G06F 21/33   using certificates

G06F 21/6218   to a system of files or obj...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

Dynamic identity context propagation

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

26 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamic identity context propagation

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

26 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links