System and method using globally unique identities

US 8,990,910 B2
Filed: 11/13/2008
Issued: 03/24/2015
Est. Priority Date: 11/13/2007
Status: Active Grant

First Claim

Patent Images

1. A method of establishing a global unique identifier for access control, comprising:

obtaining, by an identity server, a plurality of identifiers each used individually for identity-based access control and correspondingly obtained from a disparate data source, the plurality of identifiers being associated with a user of a network and each individually uniquely identifying the user;

resolving a conflict between the plurality of identifiers; and

establishing a global unique identifier for access control by generating a join of the plurality of identifiers, wherein the global unique identifier consolidates disparate forms of identification associated with the user from the plurality of data sources.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are described for creating a globally unique identity for a user or user-container by performing an iterative join where each participating back-end data source. The systems and methods include an ID-Unify (IDU) that performs identity virtualization and creates or generates a globally unique identifier for a user in operational environments in which there is a pre-existing conflict caused by the existence of different identities for a user in different authentication data sources.

Citations

23 Claims

1. A method of establishing a global unique identifier for access control, comprising:
- obtaining, by an identity server, a plurality of identifiers each used individually for identity-based access control and correspondingly obtained from a disparate data source, the plurality of identifiers being associated with a user of a network and each individually uniquely identifying the user;
  
  resolving a conflict between the plurality of identifiers; and
  
  establishing a global unique identifier for access control by generating a join of the plurality of identifiers, wherein the global unique identifier consolidates disparate forms of identification associated with the user from the plurality of data sources.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 19)
- - 2. The method of claim 1 comprising:
    - establishing one or more policies associated with the global unique identifier; and
      
      restricting access to a resource on the network by the user based on the one or more policies associated with the global unique identifier.
  - 3. The method of claim 2, comprising allowing access to the resource when the user is authenticated and the one or more policies permit access by the user to the resource.
  - 4. The method of claim 2, wherein the obtaining of the plurality of identifiers includes:
    - determining a plurality of identifier storage locations, each identifier storage location storing one or more of the plurality of identifiers; and
      
      querying each of the identifier storage locations to obtain the plurality of identifiers.
  - 5. The method of claim 4, wherein the generating of the global unique identifier includes:
    - determining whether information associated with the user from the plurality of identifier storage locations conflict; and
      
      if the user information from the plurality of identifier storage locations do not conflict, generating an aggregate join of the plurality of identifiers.
  - 6. The method of claim 4, comprising:
    - selecting one or more attributes of the global unique identifier for identifying the user when a conflict exists between information associated with the user from the plurality of identifier storage locations; and
      
      determining the one or more policies to be used for access control by matching user information from the user or a client system of the user regarding the one or more attributes to the one or more attributes in the global unique identifier.
  - 7. The method of claim 2, wherein the generating of the global unique identifier includes generating an N-ary join of the plurality of identifiers.
  - 8. The method of claim 1, comprising:
    - storing the plurality of identifiers associated with the user in a plurality of identity source devices;
      
      receiving a request for accessing the resource from the user; and
      
      identifying the one or more policies to be applied to the request for access by the user by generating the global unique identifier each time from the stored plurality of identifiers for each request for access.
  - 9. The method of claim 2, wherein the plurality of identifiers is associated with the user or a user group identified with the user.
  - 10. The method of claim 1, wherein the join is one of an aggregate join or an N-ary join.
  - 11. The method of claim 10, wherein the join is one of a transitive join or a nontransitive join.
  - 12. The method of claim 1, wherein the join is a non-transitive N-ary join and the generating of the non-transitive N-ary join includes:
    - performing a plurality of join iterations on the plurality of data sources, wherein a different data source of the plurality of data sources serves as a primary data source during each join iteration; and
      
      summing results from each join iteration.
  - 13. The method of claim 1, wherein resolving the conflict between the plurality of identifiers comprises providing one or both of reconciliation or normalization of one or more redundant identities.
  - 14. The method of claim 1, further comprising:
    - determining a plurality of attributes corresponding to the user, the plurality of identifiers including the plurality of attributes; and
      
      combining at least two attributes of the plurality of attributes to form a composite attribute,wherein the composite attribute is a non-conflicting attribute, and the global unique identifier includes the composite attribute.
  - 15. The method of claim 14, wherein the plurality of attributes include at least two of:
    - (1) information unique to the user;
      
      (2) a user name;
      
      (3) an email identification;
      
      (4) an employee identification;
      
      (5) a department identification;
      
      (6) a social security number;
      
      or (7) a telephone extension number.
  - 16. The method of claim 1, wherein resolving the conflict between the plurality of identifiers comprises resolving one or more ambiguous identities.
  - 17. The method of claim 1, wherein resolving the conflict between the plurality of identifiers comprises combining two or more attributes to form a composite attribute corresponding to the user.
  - 19. The identity server of claim 16, wherein the identity consolidation engine is configured to resolve the conflict between the plurality of identifiers by one or both of reconciliation or normalization of one or more redundant identities.

18. An identity server configured to communicate with an access server and a plurality of identity storage devices for generating a unique global identifier, the identity server comprising:
- an identity virtualization client configured for querying a plurality of identifiers associated with a user of the network, each of the plurality of identifiers used individually for identity-based access control and correspondingly obtained from a disparate identity storage device, and individually uniquely identifying the user;
  
  an identity consolidation engine configured for resolving a conflict between the plurality of identifiers and generating a unique global identifier for access control by generating a join of the plurality of identifiers, wherein the unique global identifier consolidates disparate forms of identification associated with the user from the plurality of identity storage devices.

20. An identity server configured for generating a unique global identifier for accessing secured resources on a network, the identity server comprising:
- an identity virtualization server configured for receiving an access request to access one or more secured resources on the network, the access request including a user identifier indicating a user requesting access to the one or more secured resources;
  
  an identity virtualization client configured for querying a plurality of devices for a plurality of identifiers associated with the user responsive to reception of the access request, each of the plurality of identifiers used individually for identity-based access control and correspondingly obtained from a disparate device, and individually uniquely identifying the user;
  
  an identity consolidation engine configured for resolving a conflict between the plurality of identifiers, for generating a unique global identifier for access control by generating a join of the plurality of identifiers, and for identifying one or more access policies associated with the unique global identifier, wherein the unique global identifier consolidates disparate forms of identification associated with the user from the plurality of devices; and
  
  a policy virtualization engine configured for permitting access to the one or more secured resources when the user is allowed to access the one or more secured resources based on the identified access policies.
- View Dependent Claims (21)
- - 21. The identity server of claim 20, wherein the policy virtualization engine is configured to restrict access to the one or more resources when the user is not permitted access to the one or more resources based on the identified access policies.

22. A method of establishing a global unique identifier for access control, comprising:
- receiving a request from a user at a first computing environment for access to a resource located in a second computing environment separate from the first computing environment;
  
  obtaining, by an identity server in the second computing environment, a plurality of identifiers from a plurality of data sources, the plurality of identifiers being associated with the user and each used individually for identity-based access control and correspondingly obtained from a disparate data source, and individually uniquely identifying the user;
  
  resolving a conflict between the plurality of identifiers;
  
  establishing, by the server in the second computing environment, the global unique identifier for access control by generating a join of the plurality of identifiers, wherein the global unique identifier consolidates disparate forms of identification associated with the user from the plurality of data sources; and
  
  permitting access to the resource via the first computing environment based on the global unique identifier from the second computing environment.

23. A non-transitory computer readable storage medium for storing program code for executing a method of securing access to a resource on a network using a global identifier, comprising:
- obtaining a plurality of identifiers associated with a user of the network, each of the plurality of identifiers used individually for identity-based access control and correspondingly obtained from a disparate data source, and individually uniquely identifying the user;
  
  resolving a conflict between the plurality of identifiers;
  
  generating a global identifier for access control by generating a join of the plurality of identifiers, wherein the global identifier consolidates disparate forms of identification associated with the user from the plurality of data sources;
  
  establishing one or more policies associated with the global identifier of the user; and
  
  restricting access to the resource on the network by the user based on the one or more policies associated with the global identifier.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Kumar, Srinivas, Weber, Dean A., Roth, Virginia L., Shah, Shadab Munam
Primary Examiner(s)
GOODCHILD, WILLIAM J

Application Number

US12/270,278
Publication Number

US 20090133110A1
Time in Patent Office

2,322 Days
Field of Search

726/8
US Class Current

726/8
CPC Class Codes

H04L 61/4547   for personal communications...

H04L 61/4552   Lookup mechanisms between a...

H04L 63/08   for authentication of entit...

H04L 63/102   Entity profiles

System and method using globally unique identities

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

System and method using globally unique identities

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links