Identity assertion framework
First Claim
1. A system comprising:
- a processor-implemented first security token service configured to receive a request for a first token from a consumer and to issue the first token to the consumer, the first security token service associated with a first security domain, the first token issued according to a first issuing policy of the first security domain, the first security domain including a first service provider;
- a processor-implemented second service provider within a second security domain, configured to receive the first token and make a determination that the first token is valid in the second security domain;
- a hardware-processor-implemented second security token service configured to receive the first token from the second service provider based on the determination that the first token is valid in the second security domain, make a determination that the first token was issued by the first security token service, and validate the first token according to a local federation policy that defines a federation agreement between the first security domain and the second security domain; and
- a processor-implemented central authority configured to issue a federation token based on identifying a centralized federation policy of the central authority that defines a federation agreement between the first and a third security domains, the federation token being valid to a third service provider in the third security domain and to the first service provider in the first security domain, and being accepted by the third service provider in the third security domain and the first service provider in the first security domain in allowing the consumer to invoke consumer sessions.
Abstract
Systems and methods for implementing an identity assertion framework to authenticate a user in a federation of security domains are provided. A first security token service (STS) is configured to receive a request for a first token from a consumer and to issue the first token to the consumer. The first STS is associated with a first security domain, and the first token is issued according to a first issuing policy of the first security domain. A service provider within a second security domain receives the first token and makes a determination whether the first token is invalid in the second security domain. A second STS receives the first token from the service provider, determines that the first token was issued by the first STS, and validates the first token according to a federation policy between the first security domain and the second security domain.
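As an added illustration (not code from the patent), the following Python model walks through the flow the abstract describes: a first STS issues a token under its own domain's policy, a service provider in a second domain decides whether the token is locally valid, the second domain's STS identifies the issuer and validates the token under a local federation policy, and a central authority issues a federation token only where its centralized policy records an agreement. Domain names, HMAC keys and policy tables are constructed for the demo; the token format (signed JSON) is an assumption, not something the patent specifies.

```python
import base64, hashlib, hmac, json

# Constructed STS signing keys: one per security domain plus the central authority.
STS_KEYS = {"domainA": b"demo-key-A", "domainB": b"demo-key-B",
            "domainC": b"demo-key-C", "central": b"demo-key-central"}
# Constructed policies: domain B's local federation policy names the foreign
# issuers it trusts; the central authority's policy lists domain pairs with an agreement.
LOCAL_FEDERATION_POLICY = {"domainB": {"trusted_issuers": {"domainA"}}}
CENTRAL_FEDERATION_POLICY = {frozenset({"domainA", "domainC"})}

def _sign(issuer, payload):
    """Serialize the claims and HMAC them with the issuer's key (demo token format)."""
    body = json.dumps(payload, sort_keys=True).encode()
    mac = hmac.new(STS_KEYS[issuer], body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(mac).decode()

def _parse(token):
    body_b64, mac_b64 = token.split(".")
    body = base64.urlsafe_b64decode(body_b64)
    return json.loads(body), body, base64.urlsafe_b64decode(mac_b64)

def _signature_ok(issuer, body, mac):
    expected = hmac.new(STS_KEYS[issuer], body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, mac)

def sts_issue(issuer, consumer):
    """First STS: issue the first token under its own domain's issuing policy."""
    return _sign(issuer, {"iss": issuer, "sub": consumer, "kind": "first"})

def sts_validate_federated(domain, token):
    """Second STS: identify the issuer, apply the local federation policy, then verify
    the signature with that issuer's key (never with the local key)."""
    payload, body, mac = _parse(token)
    issuer = payload.get("iss")
    if issuer not in LOCAL_FEDERATION_POLICY[domain]["trusted_issuers"]:
        return False
    return _signature_ok(issuer, body, mac)

def service_provider_handle(domain, token):
    """Second service provider: a token from its own STS is checked locally; a foreign
    token is handed to the domain's STS for federated validation."""
    payload, body, mac = _parse(token)
    if payload.get("iss") == domain:
        return "local" if _signature_ok(domain, body, mac) else "rejected"
    return "federated" if sts_validate_federated(domain, token) else "rejected"

def central_issue_federation_token(home, target, consumer):
    """Central authority: issue a federation token accepted in both domains only if
    the centralized policy records an agreement between them; otherwise refuse."""
    if frozenset({home, target}) not in CENTRAL_FEDERATION_POLICY:
        return None
    return _sign("central", {"iss": "central", "sub": consumer,
                             "aud": sorted([home, target]), "kind": "federation"})
```

A token whose claims name a trusted issuer but whose MAC was produced with another domain's key is rejected at the second STS, which is the check that keeps the federation policy from being satisfied by an unverified issuer claim alone.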
28 Citations
19 Claims
1. A system comprising:
a processor-implemented first security token service configured to receive a request for a first token from a consumer and to issue the first token to the consumer, the first security token service associated with a first security domain, the first token issued according to a first issuing policy of the first security domain, the first security domain including a first service provider; a processor-implemented second service provider within a second security domain, configured to receive the first token and make a determination that the first token is valid in the second security domain; a hardware-processor-implemented second security token service configured to receive the first token from the second service provider based on the determination that the first token is valid in the second security domain, make a determination that the first token was issued by the first security token service, and validate the first token according to a local federation policy that defines a federation agreement between the first security domain and the second security domain; and a processor-implemented central authority configured to issue a federation token based on identifying a centralized federation policy of the central authority that defines a federation agreement between the first and a third security domains, the federation token being valid to a third service provider in the third security domain and to the first service provider in the first security domain, and being accepted by the third service provider in the third security domain and the first service provider in the first security domain in allowing the consumer to invoke consumer sessions.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 15, 16
11. A method comprising:
at a first security token service, receiving a request for a first token from a consumer, and issuing the first token to a consumer, the first security token service associated with a first security domain, the first token issued according to a first issuing policy of the first security domain, the first security domain including a first service provider; at a second service provider within a second security domain, receiving the first token and making a determination that the first token is valid in the second security domain; at a second security token service, receiving the first token from the second service provider based on the determination that the first token is valid in the second security domain, determining, using one or more hardware processors, that the first token was issued by the first security token service, validating the first token according to a local federation policy that defines a federation agreement between the first security domain and the second security domain; and at a central authority, issuing a federation token based on identifying a centralized federation policy of the central authority that defines a federation agreement between the first and a third security domains, the federation token being valid to a third service provider in the third security domain and to the first service provider in the first security domain, and being accepted by the third service provider in the third security domain and the first service provider in the first security domain in allowing the consumer to invoke consumer sessions.
Dependent claims: 12, 13, 14, 17, 18
19. A non-transitory computer-readable medium comprising instructions that when executed by one or more hardware processors, cause the one or more hardware processors to perform operations comprising:
at a first security token service, receiving a request for a first token from a consumer, and issuing the first token to a consumer, the first security token service associated with a first security domain, the first token issued according to a first issuing policy of the first security domain, the first security domain including a first service provider; at a second service provider within a second security domain, receiving the first token and making a determination that the first token is valid in the second security domain; at a second security token service, receiving the first token from the second service provider based on the determination that the first token is valid in the second security domain, determining that the first token was issued by the first security token service, validating the first token according to a local federation policy that defines a federation agreement between the first security domain and the second security domain; and at a central authority, issuing a federation token based on identifying a centralized federation policy of the central authority that defines a federation agreement between the first and a third security domains, the federation token being valid to a third service provider in the third security domain and to the first service provider in the first security domain, and being accepted by the third service provider in the third security domain and the first service provider in the first security domain in allowing the consumer to invoke consumer sessions.