Attribute-based access control
First Claim
1. A method for performing attribute-based access control across a first and a second security domain in a federated processing environment, the method comprising:
- receiving, in the second security domain, a security token from a first service provider in the first security domain, where the security token comprises access control attributes and a signature of an identity provider in the first security domain;
- receiving, from an identity provider in the second security domain, access control information associated with a request to process an online transaction in the second security domain;
- mapping the access control information into additional access control attributes compatible with a format of the access control attributes of the received security token;
- appending the mapped additional access control attributes into the received security token;
- re-signing, with a private key associated with a certificate of a second service provider in the second security domain, the received security token appended with the mapped additional access control attributes; and
- issuing the re-signed received security token for consuming, using the appended mapped additional access control attributes, by any service provider in the second security domain.
1 Assignment
0 Petitions
Abstract
Attribute-based access control is performed across a first and a second security domain in a federated distributed processing environment. A security token received in the second security domain from a first service provider in the first security domain includes access control attributes. Access control information associated with a request to process an online transaction in the second security domain is received from an identity provider in the second security domain. The access control information is mapped into access control attributes compatible with a format of the access control attributes of the received security token. The mapped access control attributes are appended to the received security token to create a modified security token. The modified security token is signed with a certificate of a second service provider in the second security domain, and the modified security token is issued for consuming by any service provider in the second security domain.
13 Citations
24 Claims
1. A method for performing attribute-based access control across a first and a second security domain in a federated processing environment, the method comprising:
receiving, in the second security domain, a security token from a first service provider in the first security domain, where the security token comprises access control attributes and a signature of an identity provider in the first security domain; receiving, from an identity provider in the second security domain, access control information associated with a request to process an online transaction in the second security domain; mapping the access control information into additional access control attributes compatible with a format of the access control attributes of the received security token; appending the mapped additional access control attributes into the received security token; re-signing, with a private key associated with a certificate of a second service provider in the second security domain, the received security token appended with the mapped additional access control attributes; and issuing the re-signed received security token for consuming, using the appended mapped additional access control attributes, by any service provider in the second security domain.
Dependent claims: 2, 3, 4, 5, 16, 17, 18

6. An apparatus for performing attribute-based access control across a first and a second security domain in a federated processing environment, the apparatus comprising:
a memory; and at least one processor programmed to: receive, in the second security domain, a security token from a first service provider in the first security domain, where the security token comprises access control attributes and a signature of an identity provider in the first security domain; receive, from an identity provider in the second security domain, access control information associated with a request to process an online transaction in the second security domain; map, within the memory, the access control information into additional access control attributes compatible with a format of the access control attributes of the received security token; append the mapped additional access control attributes into the received security token; re-sign, with a private key associated with a certificate of a second service provider in the second security domain, the received security token appended with the mapped additional access control attributes; and issue the re-signed received security token for consuming, using the appended mapped additional access control attributes, by any service provider in the second security domain.
Dependent claims: 7, 8, 9, 10, 19, 20, 21

11. A computer program product, comprising:
a computer readable storage medium having computer readable program code embodied therewith, where the computer readable storage medium is not a transitory signal per se and where the computer readable program code when executed on a computer causes the computer to, as part of performing attribute-based access control across a first and a second security domain in a federated processing environment, receive, in the second security domain, a security token from a first service provider in the first security domain, where the security token comprises access control attributes and a signature of an identity provider in the first security domain; receive, from an identity provider in the second security domain, access control information associated with a request to process an online transaction in the second security domain; map the access control information into additional access control attributes compatible with a format of the access control attributes of the received security token; append the mapped additional access control attributes into the received security token; re-sign, with a private key associated with a certificate of a second service provider in the second security domain, the received security token appended with the mapped additional access control attributes; and issue the re-signed received security token for consuming, using the appended mapped additional access control attributes, by any service provider in the second security domain.
Dependent claims: 12, 13, 14, 15, 22, 23, 24
Specification