Dynamically selecting an identity provider for a single sign-on request
First Claim
1. A method for enabling access to a protected resource in a federated distributed data processing environment, comprising:
in association with a service provider, maintaining a data set that associates information identifying one or more identity providers with one or more request attributes, the service provider executing on a data processing machine having a hardware element;
upon receipt by the service provider of a request to access the protected resource, determining whether the request originates from an identity provider;
when the request does not originate from an identity provider, determining, using information in the data set, whether one or more attributes of the request are associated with a recognized identity provider as indicated in the data set; and
when one or more of the attributes of the request are associated with a recognized identity provider, automatically redirecting the request to the recognized identity provider.
Abstract
An identity provider (IdP) discovery service operative at a service provider (SP) is described. In operation, as valid requests are received by the SP via normal IdP-initiated flows, the SP builds up knowledge about the relationship between the IdP (that redirected the request) and the initiator of the request. The IdP instance typically is inferred from an HTTP referrer field, and information about the initiator may be ascertained from client-specific information, such as the client system IP address, the client DNS domain, the domain of a user e-mail address, the target URL of the incoming request, or the value of a particular HTTP header field. This knowledge is maintained in one or more mapping tables that associate request attributes with IdP instance data. The mappings are then used to facilitate IdP discovery for a new incoming request to the SP that has been determined to originate from other than an IdP.
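The learn-then-redirect behaviour described in the abstract, as an added illustration (not code from the patent or its assignee): mappings are learned only when the referrer matches an IdP the SP already recognizes, so an arbitrary Referer value cannot introduce a new redirect target. The `KNOWN_IDPS` set, the `X-Tenant` header name and all request values are constructed assumptions.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed: IdPs this SP already trusts. Mappings are learned only for
# referrers in this set, so a spoofed Referer cannot add a redirect target.
KNOWN_IDPS = {"https://idp.example-corp.test", "https://login.partner.test"}


@dataclass
class Request:
    client_ip: str
    client_domain: str
    target_url: str
    referrer: str = ""
    email_domain: str = ""
    headers: dict = field(default_factory=dict)


class IdpDiscovery:
    """Builds request-attribute -> IdP mappings from IdP-initiated flows."""

    def __init__(self, known_idps):
        self.known_idps = set(known_idps)
        self.mapping = {}  # (attribute name, value) -> IdP origin

    def idp_origin(self, req):
        """Origin of the referring IdP if it is a recognized one, else None."""
        if not req.referrer:
            return None
        u = urlsplit(req.referrer)
        origin = f"{u.scheme}://{u.netloc}"
        return origin if origin in self.known_idps else None

    def attributes(self, req):
        """Client-specific attributes the abstract lists as mapping keys."""
        attrs = [("ip", req.client_ip), ("dns", req.client_domain), ("url", req.target_url)]
        if req.email_domain:
            attrs.append(("email", req.email_domain))
        if "X-Tenant" in req.headers:  # hypothetical header used as a key
            attrs.append(("hdr", req.headers["X-Tenant"]))
        return attrs

    def handle(self, req):
        """Return 'accept', 'redirect:<idp>' or 'unknown' for an incoming request."""
        idp = self.idp_origin(req)
        if idp:  # IdP-initiated flow: record what we learned about the initiator
            for key in self.attributes(req):
                self.mapping[key] = idp
            return "accept"
        for key in self.attributes(req):  # non-IdP request: consult the data set
            if key in self.mapping:
                return "redirect:" + self.mapping[key]
        return "unknown"
```

A production SP would take the IdP identity from the issuer of the validated assertion rather than from the Referer header alone, since the latter is supplied by the client.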
21 Claims
1. A method for enabling access to a protected resource in a federated distributed data processing environment, comprising:
in association with a service provider, maintaining a data set that associates information identifying one or more identity providers with one or more request attributes, the service provider executing on a data processing machine having a hardware element;
upon receipt by the service provider of a request to access the protected resource, determining whether the request originates from an identity provider;
when the request does not originate from an identity provider, determining, using information in the data set, whether one or more attributes of the request are associated with a recognized identity provider as indicated in the data set; and
when one or more of the attributes of the request are associated with a recognized identity provider, automatically redirecting the request to the recognized identity provider.
(Dependent claims: 2, 3, 4, 5, 6, 7)
8. Apparatus operating in a federated distributed data processing environment, comprising:
a processor;
a data store in which is maintained a data set that associates information identifying one or more identity providers with one or more request attributes; and
computer memory holding computer program instructions that when executed by the processor perform a method for enabling access to a protected resource, the method comprising:
upon receipt of a request to access the protected resource, determining whether the request originates from an identity provider;
when the request does not originate from an identity provider, determining, using information in the data set, whether one or more attributes of the request are associated with a recognized identity provider as indicated in the data set; and
when one or more of the attributes of the request are associated with a recognized identity provider, automatically redirecting the request to the recognized identity provider.
(Dependent claims: 9, 10, 11, 12, 13, 14)
15. A computer program product in a non-transitory computer-readable storage medium for use in a data processing system for providing identity provider discovery services, the data processing system associated with a federated distributed data processing system, the computer program product holding computer program instructions which, when executed by the data processing system, perform a method for enabling access to a protected resource, the method comprising:
maintaining a data set that associates information identifying one or more identity providers with one or more request attributes;
upon receipt of a request to access the protected resource, determining whether the request originates from an identity provider;
when the request does not originate from an identity provider, determining, using information in the data set, whether one or more attributes of the request are associated with a recognized identity provider as indicated in the data set; and
when one or more of the attributes of the request are associated with a recognized identity provider, automatically redirecting the request to the recognized identity provider.
(Dependent claims: 16, 17, 18, 19, 20, 21)