Method and system for providing an open and interoperable system

US 20050015593A1
Filed: 07/14/2003
Published: 01/20/2005
Est. Priority Date: 07/14/2003
Status: Active Grant

First Claim

Patent Images

1. A method of configuring an open interoperable security assertions markup language (SAML) session comprising:

receiving a first entity identifier of a first entity by a second entity;

receiving a first account mapping between said first entity and said second entity by said second entity;

storing said first entity identifier and said first account mapping as a first record in a first partner list accessable to said second entity;

receiving a second entity identifier of said second entity by said first entity;

receiving a second account mapping between said second entity and said first entity by said first entity; and

storing said second entity identifier and said second account mapping as a second record in a second partner list accessable to said first entity.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the present invention provide an open and interoperable single sign-on session in a heterogeneous communication network. The open and interoperable single sign-on system is configured by exchanging an entity identifier, an account mapping, an attribute mapping, a site attribute list, an action mapping and/or the like. The entity identifier, account mapping, attribute mapping, site attribute list, action mapping and the like for each partner entity is stored in a partner list accessable to the particular entity. Thereafter, the open and interoperable single sign-on session may be provided upon receipt of a SAML request or assertion containing an entity identifier. The entity identifier contained in the SAML request or assertion is looked-up in the partner list of the particular entity which received the SAML request or assertion. A record containing a matching entity identifier provides the applicable account mapping, attribute mapping, site attribute list, and/or action mapping. The one or more mappings are then utilized to process the SAML request or assertion.

27 Citations

View as Search Results

41 Claims

1. A method of configuring an open interoperable security assertions markup language (SAML) session comprising:
- receiving a first entity identifier of a first entity by a second entity;
  
  receiving a first account mapping between said first entity and said second entity by said second entity;
  
  storing said first entity identifier and said first account mapping as a first record in a first partner list accessable to said second entity;
  
  receiving a second entity identifier of said second entity by said first entity;
  
  receiving a second account mapping between said second entity and said first entity by said first entity; and
  
  storing said second entity identifier and said second account mapping as a second record in a second partner list accessable to said first entity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method according to claim 1, wherein said first account mapping is implemented as a java class.
  - 3. The method according to claim 1, wherein said first account mapping defines a mapping of a subject between said second entity and said first entity.
  - 4. The method according to claim 1, further comprising:
    - receiving one or more mappings between said first entity and said second entity by said second entity, wherein the mappings are selected from the group consisting of an attribute mapping, a site attribute list, an account mapping, and an action mapping;
      
      storing said one or more mappings between said first entity and said second entity as a part of said first record in said first partner list accessible to said second entity;
      
      receiving one or more mappings between said second entity and said first entity by said first entity, wherein the mappings are selected from the group consisting of an attribute mapping, a site attribute list, an account mapping, and an action mapping; and
      
      storing said one or more mappings between said second entity and said first entity as part of said second record in said second partner list accessible to said first entity.
  - 5. The method according to claim 4, wherein said attribute mapping, said site attribute list, said account mapping, and said action mapping are implemented as a java class.
  - 6. The method according to claim 4, wherein said attribute mapping defines a mapping of an attribute between said second entity and said first entity.
  - 7. The method according to claim 4, wherein said site attribute list defines a list of attribute to be exchanged between said second entity and said first entity.
  - 8. The method according to claim 4, wherein said action mapping defines a mapping of an authorization of said second entity to an authorization of said first entity.
  - 9. The method according to claim 1, further comprising:
    - receiving a first client certificate of said first entity by said second entity;
      
      receiving a first network address of said first entity by said second entity;
      
      storing said first client certificate and said first network address as another part of said first record in said first partner list accessable to said second entity;
      
      receiving a second client certificate of said second entity by said first entity;
      
      receiving a second network address of said second entity by said first entity; and
      
      storing said second client certificate and said second network address as another part of said second record in said second partner list accessable to said first entity.

10. A method of providing an open interoperable security assertions markup language (SAML) session comprising:
- receiving a SAML request, comprising an entity identifier, by a first entity;
  
  searching a partner list of said first entity for a record containing a matching entity identifier, wherein said record contains an account mapping; and
  
  processing said SAML request in accordance with said account mapping.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 11. The method according to claim 10, wherein said account mapping defines a mapping of an account of said second entity to an account of said first entity.
  - 12. The method according to claim 10, further comprising:
    - searching a partner list of said first entity for a record containing a matching entity identifier, wherein said record contains an attribute mapping; and
      
      processing said SAML assertion in accordance with said attribute mapping.
  - 13. The method according to claim 12, wherein said attribute mapping defines a mapping of an attribute of said second entity to said first entity.
  - 14. The method according to claim 12, wherein said attribute mapping defines a mapping of an attribute namespace of said second entity is to said first entity.
  - 15. The method according to claim 10, further comprising:
    - searching a partner list of said first entity for a record containing a matching entity identifier, wherein said record contains an action mapping; and
      
      processing said SAML assertion in accordance with said action mapping.
  - 16. The method according to claim 15, wherein said action mapping defines a mapping of an authorization decision of said second entity to an authorization decision of said first entity.
  - 17. The method according to claim 10, further comprising sending a SAML assertion in response to said SAML request.
  - 18. The method according to claim 17, further comprising:
    - searching a partner list of said first entity for a record containing a matching entity identifier, wherein said record contains a site attribute list; and
      
      generating said SAML assertion in accordance with said site attribute list.
  - 19. The method according to claim 18, wherein said site attribute list defines an attribute that is to be returned by said second entity to said first entity.

20. A system for configuring an open and interoperable security assertions markup language (SAML) session comprising:
- a first entity comprising;
  
  a first administration module for receiving a first entity identifier of a second entity and a first account mapping between said second entity and said first entity; and
  
  a first partner list, accessible by said first administration module, for storing said first entity identifier and said first account mapping; and
  
  said second entity comprising;
  
  a second administration module for receiving a second identifier of said first entity and a second account mapping between said first entity and said second entity; and
  
  a second partner list, accessible by said second administration module, for storing said second entity identifier and said second account mapping.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27)
- - 21. The system according to claim 20, wherein said first account mapping defines a mapping of a subject between said second entity and said first entity.
  - 22. The system according to claim 20, wherein:
    - said first administration module receives a first attribute mapping between said second entity and said first entity;
      
      said first partner list stores said first attribute mapping;
      
      said second administration module receives a second attribute mapping between said first entity and said second entity; and
      
      said second partner list stores said second attribute mapping.
  - 23. The system according to claim 22, wherein said attribute mapping defines a mapping of an attribute of said second entity ito said first entity.
  - 24. The system according to claim 20, wherein:
    - said first administration module receives a first site attribute list between said second entity and said first entity;
      
      said first partner list stores said first site attribute list;
      
      said second administration module receives a second site attribute list between said first entity and said second entity; and
      
      said second partner list stores said second site attribute list.
  - 25. The system according to claim 24, wherein said site attribute list defines an attribute that is to be returned by said second entity to said first entity.
  - 26. The system according to claim 20, wherein:
    - said first administration module receives a first action mapping between said second entity and said first entity;
      
      said first partner list stores said first action mapping;
      
      said second administration module receives a second action mapping between said first entity and said second entity; and
      
      said second partner list stores said second action mapping.
  - 27. The system according to claim 26, wherein said action mapping defines a mapping of an authorization decision of said second entity to an authorization decision of said first entity.

28. A system for providing an open and interoperable security assertions markup language (SAML) session comprising:
- a first entity comprising a first session module for generating and sending a SAML request; and
  
  a first partner list, accessible by said first session module, comprising a first plurality of records each comprising an entity identifier and a corresponding account mapping; and
  
  a second entity, communicatively coupled to said first entity, comprising;
  
  a second session module for receiving and processing said SAML request in accordance with an account mapping between said second entity and said first entity; and
  
  a second partner list, accessible by said second session module, comprising a second plurality of records each comprising an entity identifier and a corresponding account mapping.
- View Dependent Claims (29, 30, 31, 32)
- - 29. The system according to claim 28, wherein said second session module looks-up an entity identifier contained in said SAML request in said partner list to determine said account mapping.
  - 30. The system according to claim 28, wherein said second partner list further comprises an attribute mapping between said first entity and said second entity, and wherein said SAML request is further processed according to said attribute mapping.
  - 31. The system according to claim 28, wherein said second partner list further comprises an action mapping between said first entity and said second entity, and wherein said SAML request is further processed according to said action mapping.
  - 32. The system according to claim 28, wherein said first partner list further comprises a site attribute list between said first entity and said second entity, and wherein said second session module generates a SAML assertion in accordance with said site attribute list.

33. A computer readable-medium containing a plurality of instructions which when executed cause a network device to implement a method of providing an open and interoperable single sign-on session comprising:
- receiving a first entity identifier, a first account mapping, a first attribute mapping, a first site attribute list and a first action mapping by said second entity;
  
  storing said first entity identifier, said first account mapping, said first attribute mapping, said first site attribute list and said action mapping as a first record in a first partner list accessible to said second entity;
  
  receiving a second entity identifier, a second account mapping, a second attribute mapping, a second site attribute list and a second action mapping by said first entity; and
  
  storing said second entity identifier, said second account mapping, said second attribute mapping, said second site attribute list and said second action mapping as a second record in a second partner list accessible to said first entity.
- View Dependent Claims (34, 35, 36, 37, 38, 39, 40, 41)
- - 34. The computer readable-medium according to claim 33, further comprising:
    - receiving a security assertions markup language (SAML) request, comprising said second entity identifier of said second entity, by a first entity;
      
      retrieving said second account mapping by matching said second entity identifier received in said SAML request with said second entity identifier in said second record; and
      
      processing said SAML request in accordance with said account mapping.
  - 35. The computer readable-medium according to claim 33, further comprising:
    - retrieving said second attribute mapping by matching said second entity identifier received in said SAML request with said second entity identifier in said second record; and
      
      processing said SAML request in accordance with said attribute mapping.
  - 36. The computer readable-medium according to claim 33, further comprising:
    - retrieving said second action mapping by matching said second entity identifier received in said SAML request with said second entity identifier in said second record; and
      
      processing said SAML request in accordance with said attribute mapping.
  - 37. The computer readable-medium according to claim 33, further comprising:
    - retrieving said second site attribute list by matching said second entity identifier received in said SAML request with said second entity identifier in said second record; and
      
      generating said SAML assertion in accordance with said site attribute list.
  - 38. The computer readable-medium according to claim 33, wherein said second account mapping defines a mapping of a subject between said first entity and said second entity.
  - 39. The computer readable-medium according to claim 33, wherein said second attribute mapping defines a mapping of an attribute between said first entity and said second entity.
  - 40. The computer readable-medium according to claim 33, wherein said second site attribute list defines an attribute to be exchanged between said first entity and said second entity.
  - 41. The computer readable-medium according to claim 33, wherein said second action mapping defines a mapping of an authorization decision of said first entity to and authorization decision of said second entity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle America, Inc. (Oracle Corporation)
Original Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Inventors
Sun, Wei, Xu, Hong, Ranganathan, Aravindan, Luo, Ping, Bhat, Shivaram, Cheng, Qingwen, Bhatnagar, Bhavna

Granted Patent

US 7,237,256 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/168
CPC Class Codes

H04L 63/0815 providing single-sign-on or...

Method and system for providing an open and interoperable system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

27 Citations

41 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for providing an open and interoperable system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

27 Citations

41 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links