Extensible mechanism for securing objects using claims
First Claim
1. An extensible system within a computer network for providing a security claim about a first object for accessing a second object, the extensible system comprising:
- a security broker, wherein the security broker comprises a computing system that:
  identifies at least one application associated with the first object that has information regarding the first object's membership in a group, wherein the at least one application is one of: an email application and a resource management application; and
  records the at least one identified application as a registered claims provider in a dynamic set of registered claims providers;
- the dynamic set of registered claims providers, wherein the dynamic set of registered claims providers comprises a plurality of applications running on the computing system or on another computing system within the computer network, the dynamic set of registered claims providers configured to:
  receive a claims request for authenticating the first object to the second object, wherein access to the second object is limited to members of the group; and
  provide at least one security claim identifying the first object as a member of the group to the security broker; and
- the first object, wherein the first object is a client computing system within the computer network, the first object configured to:
  receive the at least one security claim; and
  provide the at least one security claim to the second object, wherein the first object is allowed access to the second object upon receipt of the at least one security claim identifying the first object as a member of the group.
Abstract
An extensible mechanism for providing access control for logical objects in a network environment. A security broker is able to dynamically register one or more claims providers, each of which can assert one or more claims about logical objects. The claims providers may be purpose built or may be third party applications which expose data or business rules for use. Claims may be augmented by additional claims providers after the original claim is asserted. The applicability of claims may be scope limited either at the time the claims provider is registered or when the user requests that a security token be issued.
20 Claims
9. An extensible method of securing access to a second object by a first object on a computer network, the method comprising:
- receiving a request from the first object to access the second object, wherein access to the second object is limited by membership in a group;
- dynamically registering a first claims provider to a dynamic set of claims providers, wherein the first claims provider is an application associated with the first object that has information regarding the first object's membership in the group, wherein the first claims provider is one of: an email application and a resource management application, and wherein the first claims provider asserts a first security claim that is logically linked to the first object's membership in the group;
- requesting the first security claim from the first claims provider; and
- providing the first security claim to the second object, wherein the first object is allowed access to the second object upon receipt of the first security claim by the second object.
Dependent claims: 10 to 17.

18. An extensible method of securing access to an object by a client on a computer network, the method comprising:
- receiving a request from the client to access the object, wherein access to the object is limited by membership in a group;
- dynamically registering a first claims provider and a second claims provider to a dynamic set of registered claims providers, wherein the first claims provider is a client-side application that has information regarding the client's membership in the group, wherein the client-side application comprises one of: an email application and a resource management application, and wherein the first claims provider asserts a primary security claim that is logically linked to the client's membership in the group;
- requesting the primary security claim from the first claims provider;
- receiving the primary security claim from the first claims provider;
- requesting a secondary security claim by sending an augmentation request with a security token comprising the primary security claim to the second claims provider;
- receiving the security token comprising the primary security claim and the secondary security claim in response; and
- providing the security token to the object, wherein the client is allowed access to the object upon receipt of the security token by the object.
Dependent claims: 19 and 20.

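The flow the abstract and claims 1, 9 and 18 describe (dynamic registration of claims providers, a primary claim, augmentation with a secondary claim, scope limiting at registration time, and the target object admitting the client only on receipt of the claim) as an added, constructed model; it is not code from the patent. It assumes the broker performs the augmentation round on the client's behalf, and the provider names, directory data and claim strings are all invented.

```python
from dataclasses import dataclass, field

@dataclass
class SecurityToken:
    subject: str
    claims: set = field(default_factory=set)  # e.g. {"group:finance"}

class SecurityBroker:
    """Keeps a dynamic set of registered claims providers and assembles tokens."""
    def __init__(self):
        self.providers = []  # (name, provider_fn, scope), in registration order

    def register(self, name, provider, scope=None):
        # provider(token) -> set of claims it asserts about token.subject;
        # scope (optional) limits the provider to the named target objects
        self.providers.append((name, provider, frozenset(scope) if scope else None))

    def issue_token(self, subject, target):
        token = SecurityToken(subject)
        for _name, provider, scope in self.providers:
            if scope is not None and target not in scope:
                continue  # provider was scope-limited when it was registered
            # later providers see the claims already asserted, so they can augment
            token.claims |= set(provider(token))
        return token

# Constructed directory data standing in for the "email application"
EMAIL_GROUPS = {"alice": {"finance"}, "bob": set()}

def email_provider(token):
    # primary claim: group membership known to the (hypothetical) email application
    return {f"group:{g}" for g in EMAIL_GROUPS.get(token.subject, set())}

def resource_mgmt_provider(token):
    # secondary claim produced by augmenting the primary claim
    return {"role:approver"} if "group:finance" in token.claims else set()

def resource_allows(token, required_claim):
    # the protected object admits the client only if the token carries the claim
    return required_claim in token.claims

def build_broker():
    broker = SecurityBroker()
    broker.register("email", email_provider)
    broker.register("resource-mgmt", resource_mgmt_provider, scope={"ledger"})
    return broker

if __name__ == "__main__":
    broker = build_broker()
    for user in ("alice", "bob"):
        tok = broker.issue_token(user, target="ledger")
        print(user, sorted(tok.claims), resource_allows(tok, "group:finance"))
```

Issuing a token for a target outside the second provider's scope (here anything but "ledger") yields only the primary claim, which is the scope-limiting behaviour the abstract describes.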
Specification