Extensible mechanism for securing objects using claims

US 8,990,896 B2
Filed: 06/24/2008
Issued: 03/24/2015
Est. Priority Date: 06/24/2008
Status: Active Grant

First Claim

Patent Images

1. An extensible system within a computer network for providing a security claim about a first object for accessing a second object, the extensible system comprising:

a security broker, wherein the security broker comprises a computing system that;

identifies at least one application associated with the first object that has information regarding the first object'"'"'s membership in a group, wherein the at least one application is one of;

an email application and a resource management application; and

records the at least one identified application as a registered claims provider in a dynamic set of registered claims providers;

the dynamic set of registered claims providers, wherein the dynamic set of registered claims providers comprise a plurality of applications running on the computing system or on another computing system within the computer network, the dynamic set of registered claims providers configured to;

receive a claims request for authenticating the first object to the second object, wherein access to the second object is limited to members of the group; and

provide at least one security claim identifying the first object as a member of the group to the security broker; and

the first object, wherein the first object is a client computing system within the computer network, the first object configured to;

receive the at least one security claim; and

provide the at least one security claim to the second object, wherein the first object is allowed access to the second object upon receipt of the at least one security claim identifying the first object as a member of the group.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An extensible mechanism for providing access control for logical objects in a network environment. A security broker is able to dynamically register one or more claims providers, each of which can assert one or more claims about logical objects. The claims providers may be purpose built or may be third party applications which expose data or business rules for use. Claims may be augmented by additional claims providers after the original claim is asserted. The applicability of claims may be scope limited either at the time the claims provider is registered or when the user requests that a security token be issued.

Citations

20 Claims

1. An extensible system within a computer network for providing a security claim about a first object for accessing a second object, the extensible system comprising:
- a security broker, wherein the security broker comprises a computing system that;
  
  identifies at least one application associated with the first object that has information regarding the first object'"'"'s membership in a group, wherein the at least one application is one of;
  
  an email application and a resource management application; and
  
  records the at least one identified application as a registered claims provider in a dynamic set of registered claims providers;
  
  the dynamic set of registered claims providers, wherein the dynamic set of registered claims providers comprise a plurality of applications running on the computing system or on another computing system within the computer network, the dynamic set of registered claims providers configured to;
  
  receive a claims request for authenticating the first object to the second object, wherein access to the second object is limited to members of the group; and
  
  provide at least one security claim identifying the first object as a member of the group to the security broker; and
  
  the first object, wherein the first object is a client computing system within the computer network, the first object configured to;
  
  receive the at least one security claim; and
  
  provide the at least one security claim to the second object, wherein the first object is allowed access to the second object upon receipt of the at least one security claim identifying the first object as a member of the group.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1, wherein the security broker associates an applicable scope with at least one security claim which can be asserted by the dynamic set of registered claims providers and issues a claims request only if the first object is within the applicable scope.
  - 3. The system of claim 2, wherein the applicable scope is specified, at least in part, by specifying one or more objects to which the at least one security claim is to be applicable.
  - 4. The system of claim 2, wherein the applicable scope is specified, at least in part, by specifying a rule to be applied when generating the at least one security claim to determine whether the at least one security claim is applicable.
  - 5. The system of claim 1, wherein the security broker issues an augmentation request comprising an existing security claim to the dynamic set of registered claims providers, wherein the dynamic set of registered claims providers is responsive to the augmentation request by providing at least one additional security claim to the security broker.
  - 6. The system of claim 1, wherein the security broker further:
    - presents a user with a choice of a plurality of security claims that can be asserted by one or more registered claims providers of the dynamic set of registered claims providers;
      
      retrieves a selection of at least one security claim of the plurality of security claims; and
      
      sends a claims request to at least one registered claims provider of the dynamic set of registered claims providers that can assert the selected security claim.
  - 7. The system of claim 6, wherein the security broker:
    - receives an access request that contains a criterion associated with the first object; and
      
      presents the user with only those security claims which satisfy the criterion.
  - 8. The system of claim 1, wherein the security broker:
    - receives a characteristic of the first object; and
      
      issues a claims request to the dynamic set of registered claims providers only if the characteristic matches a predefined value associated with at least one registered claims provider within the dynamic set of registered claims providers.

9. An extensible method of securing access to a second object by a first object on a computer network, the method comprising:
- receiving a request from the first object to access the second object, wherein access to the second object is limited by membership in a group;
  
  dynamically registering a first claims provider to a dynamic set of claims providers, wherein the first claims provider is an application associated with the first object that has information regarding the first object'"'"'s membership in the group, wherein the first claims provider is one of;
  
  an email application and a resource management application, and wherein the first claims provider asserts a first security claim that is logically linked to the first object'"'"'s membership in the group;
  
  requesting the first security claim from the first claims provider; and
  
  providing the first security claim to the second object, wherein the first object is allowed access to the second object upon receipt of the first security claim by the second object.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17)
- - 10. The method of claim 9, wherein dynamically registering the first claims provider to the dynamic set of claims providers comprises specifying an applicable scope for one or more security claims that can be asserted by the first claims provider, and wherein requesting the first security claim from the first claims provider further comprises only requesting the first security claim from the first claims provider when the first object is within the applicable scope.
  - 11. The method of claim 10, wherein specifying the applicable scope comprises identifying one or more objects for which the first claims provider may assert at least one security claim.
  - 12. The method of claim 10, wherein specifying the applicable scope further comprises specifying a rule for determining whether an object is included in the one or more objects, applying the rule to the first object, and only requesting the first security claim from the first claims provider when the first object is one of the one or more objects.
  - 13. The method of claim 9, further comprising:
    - dynamically registering a second claims provider to the dynamic set of registered claims providers;
      
      sending an augmentation request to the second claims provider, the augmentation request requesting a second security claim; and
      
      receiving the second security claim; and
      
      providing the second security claim to the second object.
  - 14. The method of claim 13, wherein dynamically registering the second claims provider to the dynamic set of registered claims providers comprises specifying a second applicable scope for one or more security claims that can be asserted by the second claims provider, and wherein requesting the second security claim further comprises only requesting the second security claim from the claims provider when the first object is within the second applicable scope.
  - 15. The method of claim 13, wherein the second security claim is generated in a primary trust domain, the method further comprising:
    - receiving a request from the first object to access a third object in a secondary trust domain, wherein access to the third object is limited by membership in the group;
      
      receiving and verifying the second security claim from the primary trust domain;
      
      generating a new security claim based on the verified second security claim; and
      
      returning the new security claim to the first object, wherein the first object is allowed access to the third object in the secondary trust domain upon receipt of the new security claim by the third object.
  - 16. The method of claim 15, further comprising:
    - dynamically registering a secondary domain claims provider;
      
      sending an augmentation request to the secondary domain claims provider requesting an additional security claim;
      
      receiving the additional security claim from the secondary domain claims provider; and
      
      returning the additional security claim to the first object.
  - 17. The method of claim 16, wherein dynamically registering the second claims provider comprises specifying a third applicable scope for one or more additional security claims, and wherein requesting the additional security claim from the second claims provider further comprises only requesting the additional security claim from the second claims provider when the first object is within the third applicable scope.

18. An extensible method of securing access to an object by a client on a computer network, the method comprising:
- receiving a request from the client to access the object, wherein access to the object is limited by membership in a group;
  
  dynamically registering a first claims provider and a second claims provider to a dynamic set of registered claims providers, wherein the first claims provider is a client-side application that has information regarding the client'"'"'s membership in the group, wherein the client-side application comprises one of;
  
  an email application and a resource management application, and wherein the first claims provider asserts a primary security claim that is logically linked to the client'"'"'s membership in the group;
  
  requesting the primary security claim from the first claims provider;
  
  receiving the primary security claim from the first claims provider;
  
  requesting a secondary security claim by sending an augmentation request with a security token comprising the primary security claim to the second claims provider;
  
  receiving the security token comprising the primary security claim and the secondary security claim in response; and
  
  providing the security token to the object, wherein the client is allowed access to the object upon receipt of the security token by the object.
- View Dependent Claims (19, 20)
- - 19. The method of claim 18, wherein dynamically registering a first claims provider to the dynamic set of registered claims providers comprises specifying a first applicable scope for one or more primary security claims and dynamically registering a second claims provider to the dynamic set of registered claims providers comprises specifying a second applicable scope for one or more secondary security claims, wherein requesting the primary security claim further comprises only requesting the primary security claim from the first claims provider when the object is within the first applicable scope, and wherein requesting the secondary security claim further comprises only requesting the secondary security claim from the second claims provider when the object is within the second applicable scope.
  - 20. The method of claim 18, wherein when the client-side application is an email application, membership in the group is identified based on a distribution list.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Veeraraghavan, Venkatesh, Dalzell, Javier, Schmitlin, Benoit, Treacy, Ambrose T., Fong, Bryant, Roy, Christian
Primary Examiner(s)
Hoffman, Brandon
Assistant Examiner(s)
Woldemariam, Nega

Application Number

US12/144,880
Publication Number

US 20090320103A1
Time in Patent Office

2,464 Days
Field of Search

726/2, 726/21, 726/26, 726/22, 726/34, 713/100, 713/150, 711/100, 711/105, 711/111, 711/112, 709/211, 709/212, 709/216, 709/217, 709/229
US Class Current

726/4
CPC Class Codes

G06F 21/335 for accessing specific reso...

H04L 63/08 for authentication of entit...

Extensible mechanism for securing objects using claims

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Extensible mechanism for securing objects using claims

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links