Dynamically selecting an identity provider for a single sign-on request

US 9,276,869 B2
Filed: 01/02/2013
Issued: 03/01/2016
Est. Priority Date: 01/02/2013
Status: Active Grant

First Claim

Patent Images

1. A method for enabling access to a protected resource in a federated distributed data processing environment, comprising:

in association with a service provider, maintaining a data set that associates information identifying one or more identity providers with one or more request attributes, the service provider executing on a data processing machine having a hardware element;

upon receipt by the service provider of a request to access the protected resource, determining whether the request originates from an identity provider;

when the request does not originate from an identity provider, determining, using information in the data set, whether one or more attributes of the request are associated with a recognized identity provider as indicated in the data set; and

when one or more of the attributes of the request are associated with a recognized identity provider, automatically redirecting the request to the recognized identity provider.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An identity provider (IdP) discovery service operative at a service provider (SP) is described. In operation, and as valid requests are received by the SP via normal IdP-initiated flows, the SP builds-up knowledge about the relationship between the IdP (that redirected the request) and the initiator of the request. The IdP instance typically is inferred from an HTTP referrer field, and information about the initiator may be ascertained from client-specific information, such as client system IP address, client DNS domain, a domain of a user e-mail address, a target URL for the incoming request, or the value associated with a particular HTTP header field. This knowledge is maintained in one or more mapping table(s) that associate request attributes-to-IdP instance data. The mappings are then used to facilitate IdP discovery for a new incoming request to the SP that has been determined to originate from other than an IdP.

Citations

21 Claims

1. A method for enabling access to a protected resource in a federated distributed data processing environment, comprising:
- in association with a service provider, maintaining a data set that associates information identifying one or more identity providers with one or more request attributes, the service provider executing on a data processing machine having a hardware element;
  
  upon receipt by the service provider of a request to access the protected resource, determining whether the request originates from an identity provider;
  
  when the request does not originate from an identity provider, determining, using information in the data set, whether one or more attributes of the request are associated with a recognized identity provider as indicated in the data set; and
  
  when one or more of the attributes of the request are associated with a recognized identity provider, automatically redirecting the request to the recognized identity provider.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method as described in claim 1 wherein, if the request originates from an identity provider, the data set is updated with information about one or more attributes of the request, and an identifier associated with the identity provider.
  - 3. The method as described in claim 2 further including:
    - processing the request without redirection to an identity provider.
  - 4. The method as described in claim 1 wherein the one or more request attributes include one of:
    - a client system IP address, a client DNS domain, a domain associated with a user identifier, a target URL for the request, and a value associated with header associated with the request.
  - 5. The method as described in claim 1 wherein the step of determining whether the request originates from an identity provider examines a field of a request header.
  - 6. The method as described in claim 1, further comprising:
    - enabling access to the protected resource following receipt at the service provider of a redirection indicating that an end user has been authenticated at the recognized identity provider.
  - 7. The method as described in claim 1, further including:
    - when the request does not originate from an identity provider but one or more of the attributes of the request cannot be associated with a recognized identity provider, redirecting the request to an interface from which an identity provider selection is made.

8. Apparatus operating in a federated distributed data processing environment, comprising:
- a processor;
  
  a data store in which is maintained a data set that associates information identifying one or more identity providers with one or more request attributes; and
  
  computer memory holding computer program instructions that when executed by the processor perform a method for enabling access to a protected resource, the method comprising;
  
  upon receipt of a request to access the protected resource, determining whether the request originates from an identity provider;
  
  when the request does not originate from an identity provider, determining, using information in the data set, whether one or more attributes of the request are associated with a recognized identity provider as indicated in the data set; and
  
  when one or more of the attributes of the request are associated with a recognized identity provider, automatically redirecting the request to the recognized identity provider.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The apparatus as described in claim 8 wherein, if the request originates from an identity provider, the method further includes:
    - updating the data set with information about one or more attributes of the request, and an identifier associated with the identity provider.
  - 10. The apparatus as described in claim 9 wherein the method further includes:
    - processing the request without redirection to an identity provider.
  - 11. The apparatus as described in claim 8 wherein the one or more request attributes include one of:
    - a client system IP address, a client DNS domain, a domain associated with a user identifier, a target URL for the request, and a value associated with header associated with the request.
  - 12. The apparatus as described in claim 8 wherein the step of determining whether the request originates from an identity provider examines a field of a request header.
  - 13. The apparatus as described in claim 8, wherein the method further includes:
    - enabling access to the protected resource following receipt at the service provider of a redirection indicating that an end user has been authenticated at the recognized identity provider.
  - 14. The apparatus as described in claim 8, wherein the method further includes:
    - when the request does not originate from an identity provider but one or more of the attributes of the request cannot be associated with a recognized identity provider, redirecting the request to an interface from which an identity provider selection is made.

15. A computer program product in a non-transitory computer-readable storage medium for use in a data processing system for providing identity provider discovery services, the data processing system associated with a federated distributed data processing system, the computer program product holding computer program instructions which, when executed by the data processing system, perform a method for enabling access to a protected resource, the method comprising:
- maintaining a data set that associates information identifying one or more identity providers with one or more request attributes;
  
  upon receipt of a request to access the protected resource, determining whether the request originates from an identity provider;
  
  when the request does not originate from an identity provider, determining, using information in the data set, whether one or more attributes of the request are associated with a recognized identity provider as indicated in the data set; and
  
  when one or more of the attributes of the request are associated with a recognized identity provider, automatically redirecting the request to the recognized identity provider.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The computer program product as described in claim 15 wherein, if the request originates from an identity provider, the method further includes:
    - updating the data set with information about one or more attributes of the request, and an identifier associated with the identity provider.
  - 17. The computer program product as described in claim 16 wherein the method further includes:
    - processing the request without redirection to an identity provider.
  - 18. The computer program product as described in claim 15 wherein the one or more request attributes include one of:
    - a client system IP address, a client DNS domain, a domain associated with a user identifier, a target URL for the request, and a value associated with header associated with the request.
  - 19. The computer program product as described in claim 15 wherein the step of determining whether the request originates from an identity provider examines a field of a request header.
  - 20. The computer program product as described in claim 15, wherein the method further includes:
    - enabling access to the protected resource following receipt at the service provider of a redirection indicating that an end user has been authenticated at the recognized identity provider.
  - 21. The computer program product as described in claim 15, wherein the method further includes:
    - when the request does not originate from an identity provider but one or more of the attributes of the request cannot be associated with a recognized identity provider, redirecting the request to an interface from which an identity provider selection is made.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Dodd, William D., O'Donnell, William J., Spring, Eduardo N., Liang, Chunlong
Primary Examiner(s)
Etienne, Ario
Assistant Examiner(s)
Halim, Sahera

Application Number

US13/732,727
Publication Number

US 20140189123A1
Time in Patent Office

1,154 Days
Field of Search

709/226
US Class Current

1/1
CPC Class Codes

H04L 47/70   Admission control; Resource...

H04L 63/0815   providing single-sign-on or...

H04L 67/02   based on web technology, e....

H04L 67/63   Routing a service request d...

Dynamically selecting an identity provider for a single sign-on request

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamically selecting an identity provider for a single sign-on request

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links