SCIM to LDAP mapping using subtype attributes

US 10,791,087 B2
Filed: 09/15/2017
Issued: 09/29/2020
Est. Priority Date: 09/16/2016
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer-readable medium having instructions stored thereon that, when executed by at least one processor, cause the processor to map System for Cross-domain Identity Management (SCIM) resources comprising a flat data model to Lightweight Directory Access Protocol (LDAP) entries comprising a tree-based hierarchical data model, the mapping comprising:

receiving a request for an on-premises LDAP-based application to access a cloud-based SCIM server to provide identity services to the LDAP-based application;

providing an LDAP DIT including a plurality of LDAP Directory Information Tree (DIT) entries that describe LDAP containers, users and groups, each LDAP DIT entry including a Distinguished Name (DN) and a plurality of LDAP attribute-value pairs, the DN providing LDAP DIT hierarchical information that uniquely identifies the LDAP DIT entry and describes a hierarchical position of the LDAP DIT entry in the LDAP DIT, each LDAP attribute-value pair including an attribute name and one or more attribute values;

providing a SCIM directory including a plurality of SCIM resource entries, each SCIM resource entry including a plurality of SCIM attributes, each SCIM attribute including a name and one or more values;

converting the plurality of SCIM resource entries to corresponding LDAP DIT entries, including, for each SCIM resource entry that has a SCIM complex multi-valued attribute (CMVA), mapping the SCIM CMVA to a plurality of LDAP attributes in the corresponding LDAP DIT entry using LDAP attribute subtypes that comprise an optional subtype expression added after an LDAP attribute name, the converting comprising providing a different LDAP subtype expression for each set of sub-attributes for a CMVA while keeping the subtype expression the same within each of sub-attributes;

the converting the plurality of SCIM resource entries to corresponding LDAP DIT entries further including, for each SCIM resource entry, mapping each SCIM simple attribute (SA) to an LDAP attribute and when converting corresponding LDAP rows back to SCIM data, the SCIM sub-attributes are grouped within one set of CMVA sub-attributes based on the subtype expression, and, for each SCIM resource entry, mapping each SCIM simple multi-valued attribute (SMVA) to an LDAP attribute; and

after the converting, providing the identity services to the LDAP-based application from the SCIM server.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for mapping SCIM resources to LDAP entries is provided. An LDAP Directory Information Tree (DIT), including a plurality of LDAP DIT entries that describe LDAP containers, users and groups, is provided. Each LDAP DIT entry includes a Distinguished Name and a plurality of LDAP attribute-value pairs, each of which include an attribute name and one or more attribute values. A SCIM directory, including a plurality of SCIM resource entries, is also provided. Each SCIM resource entry includes a plurality of SCIM attributes, each of which includes a name and one or more values. The plurality of SCIM resource entries are converted to corresponding LDAP DIT entries, and, for each SCIM resource entry that has a SCIM CMVA, the SCIM CMVA is mapped to a plurality of LDAP attributes in the corresponding LDAP DIT entry using LDAP attribute subtypes.

417 Citations

18 Claims

1. A non-transitory computer-readable medium having instructions stored thereon that, when executed by at least one processor, cause the processor to map System for Cross-domain Identity Management (SCIM) resources comprising a flat data model to Lightweight Directory Access Protocol (LDAP) entries comprising a tree-based hierarchical data model, the mapping comprising:
- receiving a request for an on-premises LDAP-based application to access a cloud-based SCIM server to provide identity services to the LDAP-based application;
  
  providing an LDAP DIT including a plurality of LDAP Directory Information Tree (DIT) entries that describe LDAP containers, users and groups, each LDAP DIT entry including a Distinguished Name (DN) and a plurality of LDAP attribute-value pairs, the DN providing LDAP DIT hierarchical information that uniquely identifies the LDAP DIT entry and describes a hierarchical position of the LDAP DIT entry in the LDAP DIT, each LDAP attribute-value pair including an attribute name and one or more attribute values;
  
  providing a SCIM directory including a plurality of SCIM resource entries, each SCIM resource entry including a plurality of SCIM attributes, each SCIM attribute including a name and one or more values;
  
  converting the plurality of SCIM resource entries to corresponding LDAP DIT entries, including, for each SCIM resource entry that has a SCIM complex multi-valued attribute (CMVA), mapping the SCIM CMVA to a plurality of LDAP attributes in the corresponding LDAP DIT entry using LDAP attribute subtypes that comprise an optional subtype expression added after an LDAP attribute name, the converting comprising providing a different LDAP subtype expression for each set of sub-attributes for a CMVA while keeping the subtype expression the same within each of sub-attributes;
  
  the converting the plurality of SCIM resource entries to corresponding LDAP DIT entries further including, for each SCIM resource entry, mapping each SCIM simple attribute (SA) to an LDAP attribute and when converting corresponding LDAP rows back to SCIM data, the SCIM sub-attributes are grouped within one set of CMVA sub-attributes based on the subtype expression, and, for each SCIM resource entry, mapping each SCIM simple multi-valued attribute (SMVA) to an LDAP attribute; and
  
  after the converting, providing the identity services to the LDAP-based application from the SCIM server.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computer-readable medium of claim 1, wherein the SCIM CMVA has a sub-attribute value, and a name of an LDAP attribute subtype includes a hashcode of the SCIM CMVA sub-attribute value.
  - 3. The computer-readable medium of claim 2, wherein the hashcode of the SCIM CMVA sub-attribute value is calculated by a perfect hash function.
  - 4. The computer-readable medium of claim 3, wherein the name of the LDAP attribute subtype includes a hashcode of a first SCIM CMVA sub-attribute value and a second SCIM CMVA sub-attribute value.
  - 5. The computer readable medium of claim 1, wherein converting the plurality of SCIM resource entries to corresponding LDAP DIT entries further includes, for each SCIM resource entry, mapping each SCIM simple complex attribute (SCA) to a plurality of LDAP attributes.
  - 6. The computer-readable medium of claim 1, further comprising using the mapping in a multi-tenant cloud based identity management system to allow on-premises SCIM-based applications and LDAP-based applications to access a cloud based SCIM server.

7. A method for mapping System for Cross-domain Identity Management (SCIM) resources comprising a flat data model to Lightweight Directory Access Protocol (LDAP) entries comprising a tree-based hierarchical data model, the method comprising:
- receiving a request for an on-premises LDAP-based application to access a cloud-based SCIM server to provide identity services to the LDAP-based application;
  
  providing an LDAP DIT including a plurality of LDAP Directory Information Tree (DIT) entries that describe LDAP containers, users and groups, each LDAP DIT entry including a Distinguished Name (DN) and a plurality of LDAP attribute-value pairs, the DN providing LDAP DIT hierarchical information that uniquely identifies the LDAP DIT entry and describes a hierarchical position of the LDAP DIT entry in the LDAP DIT, each LDAP attribute-value pair including an attribute name and one or more attribute values;
  
  providing a SCIM directory including a plurality of SCIM resource entries, each SCIM resource entry including a plurality of SCIM attributes, each SCIM attribute including a name and one or more values;
  
  converting the plurality of SCIM resource entries to corresponding LDAP DIT entries, including, for each SCIM resource entry that has a SCIM complex multi-valued attribute (CMVA), mapping the SCIM CMVA to a plurality of LDAP attributes in the corresponding LDAP DIT entry using LDAP attribute subtypes that comprise an optional expression added after an LDAP attribute name, the converting comprising providing a different LDAP subtype expression for each set of sub-attributes for a CMVA while keeping the subtype expression the same within each of sub-attributes;
  
  the converting the plurality of SCIM resource entries to corresponding LDAP DIT entries further including, for each SCIM resource entry, mapping each SCIM simple attribute (SA) to an LDAP attribute and when converting corresponding LDAP rows back to SCIM data, the SCIM sub-attributes are grouped within one set of CMVA sub-attributes based on the subtype expression, and, for each SCIM resource entry, mapping each SCIM simple multi-valued attribute (SMVA) to an LDAP attribute; and
  
  after the converting, providing the identity services to the LDAP-based application from the SCIM server.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The method of claim 7, wherein the SCIM CMVA has a sub-attribute value, and a name of an LDAP attribute subtype includes a hashcode of the SCIM CMVA sub-attribute value.
  - 9. The method of claim 8, wherein the hashcode of the SCIM CMVA sub-attribute value is calculated by a perfect hash function.
  - 10. The method of claim 9, wherein the name of the LDAP attribute subtype includes a hashcode of a first SCIM CMVA sub-attribute value and a second SCIM CMVA sub-attribute value.
  - 11. The method of claim 7, wherein converting the plurality of SCIM resource entries to corresponding LDAP DIT entries further includes, for each SCIM resource entry, mapping each SCIM simple attribute (SA) to an LDAP attribute.
  - 12. The method of claim 7, further comprising using the mapping in a multi-tenant cloud based identity management system to allow on-premises SCIM-based applications and LDAP-based applications to access a cloud based SCIM server.

13. A system for mapping System for Cross-domain Identity Management (SCIM) resources comprising a flat data model to Lightweight Directory Access Protocol (LDAP) entries comprising a tree-based hierarchical data model, the system comprising:
- one or more processors, coupled to a network, configured to;
  
  receive a request for an on-premises LDAP-based application to access a cloud-based SCIM server to provide identity services to the LDAP-based application;
  
  provide an LDAP DIT including a plurality of LDAP Directory Information Tree (DIT) entries that describe LDAP containers, users and groups, each LDAP DIT entry including a Distinguished Name (DN) and a plurality of LDAP attribute-value pairs, the DN providing LDAP DIT hierarchical information that uniquely identifies the LDAP DIT entry and describes a hierarchical position of the LDAP DIT entry in the LDAP DIT, each LDAP attribute-value pair including an attribute name and one or more attribute values;
  
  a second processor, coupled to the network, configured to;
  
  provide a SCIM directory including a plurality of SCIM resource entries, each SCIM resource entry including a plurality of SCIM attributes, each SCIM attribute including a name and one or more values; and
  
  convert the plurality of SCIM resource entries to corresponding LDAP DIT entries, including, for each SCIM resource entry that has a SCIM complex multi-valued attribute (CMVA), mapping the SCIM CMVA to a plurality of LDAP attributes in the corresponding LDAP DIT entry using LDAP attribute subtypes that comprise an optional expression added after an LDAP attribute name, the converting comprising providing a different LDAP subtype expression for each set of sub-attributes for a CMVA while keeping the subtype expression the same within each of sub-attributes;
  
  the converting the plurality of SCIM resource entries to corresponding LDAP DIT entries further including, for each SCIM resource entry, mapping each SCIM simple attribute (SA) to an LDAP attribute and when converting corresponding LDAP rows back to SCIM data, the SCIM sub-attributes are grouped within one set of CMVA sub-attributes based on the subtype expression, and, for each SCIM resource entry, mapping each SCIM simple multi-valued attribute (SMVA) to an LDAP attribute; and
  
  after the converting, providing the identity services to the LDAP-based application from the SCIM server.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The system of claim 13, wherein the SCIM CMVA has a sub-attribute value, and a name of an LDAP attribute subtype includes a hashcode of the SCIM CMVA sub-attribute value.
  - 15. The system of claim 14, wherein the name of the LDAP attribute subtype includes a hashcode of a first SCIM CMVA sub-attribute value and a second SCIM CMVA sub-attribute value.
  - 16. The system of claim 13, wherein converting the plurality of SCIM resource entries to corresponding LDAP DIT entries further includes, for each SCIM resource entry, mapping each SCIM simple attribute (SA) to an LDAP attribute.
  - 17. The system of claim 13, wherein converting the plurality of SCIM resource entries to corresponding LDAP DIT entries further includes, for each SCIM resource entry, mapping each SCIM simple multi-valued attribute (SMVA) to an LDAP attribute.
  - 18. The system of claim 13, further comprising using the mapping in a multi-tenant cloud based identity management system to allow on-premises SCIM-based applications and LDAP-based applications to access a cloud based SCIM server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Medam, Venkateswara Reddy, Sastry, Hari, Xu, Xiaoxiao, Frost, Michael Ray
Primary Examiner(s)
Channavajjala, Srirama

Application Number

US15/705,619
Publication Number

US 20180083915A1
Time in Patent Office

1,110 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/2246   Trees, e.g. B+trees

H04L 61/10   of different types

H04L 61/45   Network directories; Name-t...

H04L 61/4505   using standardised director...

H04L 61/4523   using lightweight directory...

H04L 61/4552   Lookup mechanisms between a...

H04L 63/08   for authentication of entit...

H04L 63/0815   providing single-sign-on or...

H04L 63/10   for controlling access to d...

H04L 63/104   Grouping of entities

H04L 67/01   Protocols

SCIM to LDAP mapping using subtype attributes

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

417 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

SCIM to LDAP mapping using subtype attributes

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

417 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links