Attribute-based access control

US 9,769,152 B2
Filed: 02/10/2015
Issued: 09/19/2017
Est. Priority Date: 02/20/2014
Status: Active Grant

First Claim

Patent Images

1. A method for performing attribute-based access control across a first and a second security domain in a federated processing environment, the method comprising:

receiving, in the second security domain, a security token from a first service provider in the first security domain, where the security token comprises access control attributes and a signature of an identity provider in the first security domain,receiving, from an identity provider in the second security domain access control information associated with a request to process an online transaction in the second security domain;

mapping the access control information into additional access control attributes compatible with a format of the access control attributes of the received security token;

appending the mapped additional access control attributes into the received security token;

re-signing, with a private key associated with a certificate of a second service provider in the second security domain, the received security token appended with the mapped additional access control attributes; and

issuing the re-signed received security token for consuming, using the appended mapped additional access control attributes, by any service provider in the second security domain.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Attribute-based access control is performed across a first and a second security domain in a federated distributed processing environment. A security token received in the second security domain from a first service provider in the first security domain includes access control attributes. Access control information associated with a request to process an online transaction in the second security domain is received from an identity provider in the second security domain. The access control information is mapped into access control attributes compatible with a format of the access control attributes of the received security token. The mapped access control attributes are appended to the received security token to create a modified security token. The modified security token is signed with a certificate of a second service provider in the second security domain, and the modified security token is issued for consuming by any service provider in the second security domain.

13 Citations

View as Search Results

24 Claims

1. A method for performing attribute-based access control across a first and a second security domain in a federated processing environment, the method comprising:
- receiving, in the second security domain, a security token from a first service provider in the first security domain, where the security token comprises access control attributes and a signature of an identity provider in the first security domain,receiving, from an identity provider in the second security domain access control information associated with a request to process an online transaction in the second security domain;
  
  mapping the access control information into additional access control attributes compatible with a format of the access control attributes of the received security token;
  
  appending the mapped additional access control attributes into the received security token;
  
  re-signing, with a private key associated with a certificate of a second service provider in the second security domain, the received security token appended with the mapped additional access control attributes; and
  
  issuing the re-signed received security token for consuming, using the appended mapped additional access control attributes, by any service provider in the second security domain.
- View Dependent Claims (2, 3, 4, 5, 16, 17, 18)
- - 2. The method of claim 1, where consuming, using the appended mapped additional access control attributes, the re-signed received security token comprises validating the re-signed received security token by verifying a re-signed signature of the second service provider and content of the re-signed received security token using a public key of the certificate of the second service provider.
  - 3. The method of claim 1, further comprising transmitting the re-signed received security token appended with the mapped additional access control attributes by a secure network protocol to a third service provider in a third security domain.
  - 4. The method of claim 1, where receiving, in the second security domain, the security token from the first service provider in the first security domain comprises receiving, in the second security domain, the security token from the first service provider in the first security domain via a secure network protocol.
  - 5. The method of claim 1, where the security token is a security assertion markup language (SAML) token.
  - 16. The method of claim 1, where, by the re-signing of the received security token appended with the mapped additional access control attributes, the second service provider becomes an asserting party in the second security domain and asserts to all service providers in the second security domain that it has added the access control information provided by the identity provider in the second security domain to the received security token.
  - 17. The method of claim 1, where the online transaction in the second security domain comprises at least a second transaction of a transaction processing chain that involves multiple distinct websites across multiple security domains, and where the second service provider in the second security domain comprises a next transaction website in the transaction processing chain after a website transaction involving a website hosted by the first service provider in the first security domain.
  - 18. The method of claim 1, further comprising:
    - removing the signature of the identity provider in the first security domain from the received security token; and
      
      updating the received security token with an identifier of the second service provider in the second security domain, where the second service provider in the second security domain becomes a new issuer of the received security token in the second security domain.

6. An apparatus for performing attribute-based access control across a first and a second security domain in a federated processing environment, the apparatus comprising:
- a memory; and
  
  at least one processor programmed to;
  
  receive, in the second security domain, a security token from a first service provider in the first security domain, where the security token comprises access control attributes and a signature of an identity provider in the first security domain;
  
  receive, from an identity provider in the second security domain, access control information associated with a request to process an online transaction in the second security domain;
  
  map, within the memory, the access control information into additional access control attributes compatible with a format of the access control attributes of the received security token;
  
  append the mapped additional access control attributes into the received security token;
  
  re-sign, with a private key associated with a certificate of a second service provider in the second security domain the received security token appended with the mapped additional access control attributes; and
  
  issue the re-signed received security token for consuming, using the appended mapped additional access control attributes, by any service provider in the second security domain.
- View Dependent Claims (7, 8, 9, 10, 19, 20, 21)
- - 7. The apparatus of claim 6, where consuming, using the appended mapped additional access control attributes, the re-signed received security token comprises the at least one processor validating the re-signed received security token by verifying a re-signed signature of the second service provider and content of the re-signed received security token using a public key of the certificate of the second service provider.
  - 8. The apparatus of claim 6, where the at least one processor is further programmed to transmit the re-signed received security token appended with the mapped additional access control attributes by a secure network protocol to a third service provider in a third security domain.
  - 9. The apparatus of claim 6, where, in being programmed to receive, in the second security domain, the security token from the first service provider in the first security domain, the at least one processor is programmed to receive, in the second security domain, the security token from the first service provider in the first security domain via a secure network protocol.
  - 10. The apparatus of claim 6, where the security token is a security assertion markup language (SAML) token.
  - 19. The apparatus of claim 6, where, by the re-signing of the received security token appended with the mapped additional access control attributes, the second service provider becomes an asserting party in the second security domain and asserts to all service providers in the second security domain that it has added the access control information provided by the identity provider in the second security domain to the received security token.
  - 20. The apparatus of claim 6, where the online transaction in the second security domain comprises at least a second transaction of a transaction processing chain that involves multiple distinct websites across multiple security domains, and where the second service provider in the second security domain comprises a next transaction website in the transaction processing chain after a website transaction involving a website hosted by the first service provider in the first security domain.
  - 21. The apparatus of claim 6, where the at least one processor is further programmed to:
    - remove the signature of the identity provider in the first security domain from the received security token; and
      
      update the received security token with an identifier of the second service provider in the second security domain, where the second service provider in the second security domain becomes a new issuer of the received security token in the second security domain.

11. A computer program product, comprising:
- a computer readable storage medium having computer readable program code embodied therewith, where the computer readable storage medium is not a transitory signal per se and where the computer readable program code when executed on a computer causes the computer to, as part of performing attribute-based access control across a first and a second security domain in a federated processing environment;
  
  receive, in the second security domain, a security token from a first service provider in the first security domain, where the security token comprises access control attributes and a signature of an identity provider in the first security domain;
  
  receive from an identity provider in the second security domain access control information associated with a request to process an online transaction in the second security domain;
  
  map the access control information into additional access control attributes compatible with a format of the access control attributes of the received security token;
  
  append the mapped additional access control attributes into the received security token;
  
  re-sign, with a private key associated with a certificate of a second service provider in the second security domain, the received security token appended with the mapped additional access control attributes; and
  
  issue the re-signed received security token for consuming, using the appended mapped additional access control attributes, by any service provider in the second security domain.
- View Dependent Claims (12, 13, 14, 15, 22, 23, 24)
- - 12. The computer program product of claim 11, where consuming, using the appended mapped additional access control attributes, the re-signed received security token comprises validating the re-signed received security token by verifying a re-signed signature of the second service provider and content of the re-signed received security token using a public key of the certificate of the second service provider.
  - 13. The computer program product of claim 11, where the computer readable program code when executed on the computer further causes the computer to transmit the re-signed received security token appended with the mapped additional access control attributes by a secure network protocol to a third service provider in a third security domain.
  - 14. The computer program product of claim 11, where, in causing the computer to receive, in the second security domain, the security token from the first service provider in the first security domain, the computer readable program code when executed on the computer causes the computer to receive, in the second security domain, the security token from the first service provider in the first security domain via a secure network protocol.
  - 15. The computer program product of claim 11, where the security token is a security assertion markup language (SAML) token.
  - 22. The computer program product of claim 11, where, by the re-signing of the received security token appended with the mapped additional access control attributes, the second service provider becomes an asserting party in the second security domain and asserts to all service providers in the second security domain that it has added the access control information provided by the identity provider in the second security domain to the received security token.
  - 23. The computer program product of claim 11, where the online transaction in the second security domain comprises at least a second transaction of a transaction processing chain that involves multiple distinct websites across multiple security domains, and where the second service provider in the second security domain comprises a next transaction website in the transaction processing chain after a website transaction involving a website hosted by the first service provider in the first security domain.
  - 24. The computer program product of claim 11, where the computer readable program code when executed on the computer further causes the computer to:
    - remove the signature of the identity provider in the first security domain from the received security token; and
      
      update the received security token with an identifier of the second service provider in the second security domain, where the second service provider in the second security domain becomes a new issuer of the received security token in the second security domain.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Flamini, Elisabetta, Penfold, Colin R.
Primary Examiner(s)
LANIER, BENJAMIN E

Application Number

US14/618,824
Publication Number

US 20150237041A1
Time in Patent Office

952 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/0823   using certificates cryptogr...

Attribute-based access control

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

13 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Attribute-based access control

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

13 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links