POLICY AND ATTRIBUTE BASED ACCESS TO A RESOURCE
First Claim
1. A method implemented in a non-transitory computer-readable storage medium having code that when executed by a proxy server cause the proxy server to perform the method, comprising:
interacting, by the proxy server, with a principal for authenticating the principal based on acquired identity information;
assembling, by the proxy server, an identity configuration for the principal;
generating, by the proxy server, a service contract for the principal, a service, and a resource, wherein the principal uses the service to access the resource, and wherein the service contract includes a selective number of resource access policies and attributes which are included in the identity configuration; and
transmitting, by the proxy server, an access statement to the principal for use when the principal interacts with the service.
Abstract
Techniques are provided for controlling access to a resource based on access policies and attributes. A principal issues a request to a service for purposes of accessing a resource. The principal is authenticated and a service contract for the principal, the service, and the resource is generated. The service contract defines resource access policies and attributes which can be permissibly performed by the service on behalf of the principal during a session. Moreover, the session between the service and the resource is controlled by the service contract.
29 Citations
20 Claims
1. A method implemented in a non-transitory computer-readable storage medium having code that when executed by a proxy server cause the proxy server to perform the method, comprising:
interacting, by the proxy server, with a principal for authenticating the principal based on acquired identity information;
assembling, by the proxy server, an identity configuration for the principal;
generating, by the proxy server, a service contract for the principal, a service, and a resource, wherein the principal uses the service to access the resource, and wherein the service contract includes a selective number of resource access policies and attributes which are included in the identity configuration; and
transmitting, by the proxy server, an access statement to the principal for use when the principal interacts with the service.
(Dependent claims: 2, 3, 4, 5, 6, 7)

8. A method implemented in a non-transitory computer-readable storage medium having code that when executed by a proxy server cause the proxy server to perform the method, comprising:
detecting, by the proxy server, a request being directed to a resource over a network from a principal;
collecting, by the proxy server, identity information for the principal to authenticate to the resource and to a service that controls access to the resource;
authenticating, by the proxy server, the principal in response to the identity information;
creating, by the proxy server, a service contract, the service contract defining selective access policies and attributes for the principal to use when interacting with the service and the resource and the access policies and the attributes derived from the identity information; and
providing, by the proxy server, the service contract to the principal for use when interacting with the service and the resource.
(Dependent claims: 9, 10, 11, 12, 13, 14, 15, 16, 17)

18. A method implemented in a non-transitory computer-readable storage medium having code that when executed by a proxy server cause the proxy server to perform the method, comprising:
aggregating, by the proxy server, identity information for a principal;
obtaining, by the proxy server, selective identity information that a service, which controls a network resource, uses to authenticate users for access to the network resource;
generating, by the proxy server, a contract that defines access policies and attributes for use during a session between the principal, the service, and the network resource; and
sending the contract to the principal for establishment of the session.
(Dependent claims: 19, 20)
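The flow described in the abstract and in independent claims 1, 8 and 18 (authenticate the principal, assemble an identity configuration, derive a service contract that releases only a selected subset of policies and attributes for one service/resource pair, hand the principal a signed access statement that the service checks during the session) is modelled below as an added example. This is not code from the patent or its assignee; the identity store, the policy catalogue, the HMAC-signed statement format, the shared key and every name are constructed assumptions chosen to make the steps concrete and runnable.

```python
"""Toy model of the proxy-server flow in the claims (added example, not the
patent's implementation). Every name, the identity-store contents, the policy
catalogue and the signing key are constructed assumptions."""
import hashlib
import hmac
import json
import time

# Constructed "acquired identity information" held by the proxy.
IDENTITY_STORE = {
    "alice": {
        "password_sha256": hashlib.sha256(b"correct horse").hexdigest(),
        "attributes": {"department": "finance", "clearance": 2,
                       "email": "alice@example.invalid", "ssn_last4": "1234"},
    }
}

# Constructed catalogue: per (service, resource), the policies that may be
# granted and the only attributes the service is allowed to see.
POLICY_CATALOGUE = {
    ("reporting-svc", "ledger-db"): {
        "policies": {"read_ledger": {"min_clearance": 2},
                     "export_csv": {"department": "finance"}},
        "attributes": ["department", "clearance"],
    }
}

PROXY_KEY = b"constructed-proxy-signing-key"  # assumption: shared with the service out of band


def authenticate(principal, password):
    """Step 1: authenticate the principal against the acquired identity information."""
    rec = IDENTITY_STORE.get(principal)
    if rec is None:
        return False
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(digest, rec["password_sha256"])


def assemble_identity_configuration(principal):
    """Step 2: the full attribute set the proxy knows about the principal."""
    return dict(IDENTITY_STORE[principal]["attributes"])


def generate_service_contract(principal, service, resource, identity_config, ttl=300):
    """Step 3: keep only the policies the principal satisfies and only the
    attributes this service needs; the rest of the identity configuration
    (e-mail, SSN digits) is never released to the service."""
    spec = POLICY_CATALOGUE[(service, resource)]
    granted = []
    for name, rule in spec["policies"].items():
        ok = identity_config.get("clearance", 0) >= rule.get("min_clearance", 0)
        if "department" in rule and identity_config.get("department") != rule["department"]:
            ok = False
        if ok:
            granted.append(name)
    return {
        "principal": principal, "service": service, "resource": resource,
        "policies": sorted(granted),
        "attributes": {k: identity_config[k] for k in spec["attributes"] if k in identity_config},
        "expires": int(time.time()) + ttl,
    }


def issue_access_statement(contract):
    """Step 4: canonical JSON plus an HMAC so the service can detect tampering."""
    body = json.dumps(contract, sort_keys=True, separators=(",", ":"))
    sig = hmac.new(PROXY_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"contract": body, "signature": sig}


def contract_of(statement):
    """Parse the contract carried by an access statement (no verification)."""
    return json.loads(statement["contract"])


def service_authorize(statement, service, resource, action, now=None):
    """Service side: verify signature, expiry and binding to this
    service/resource before consulting the contract's policies."""
    body = statement["contract"]
    expected = hmac.new(PROXY_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, statement["signature"]):
        return False
    c = json.loads(body)
    now = time.time() if now is None else now
    if c["expires"] < now or c["service"] != service or c["resource"] != resource:
        return False
    return action in c["policies"]


def demo(principal="alice", password="correct horse"):
    """End-to-end run of the proxy steps; returns the access statement or None."""
    if not authenticate(principal, password):
        return None
    cfg = assemble_identity_configuration(principal)
    contract = generate_service_contract(principal, "reporting-svc", "ledger-db", cfg)
    return issue_access_statement(contract)


if __name__ == "__main__":
    stmt = demo()
    print(json.dumps(contract_of(stmt), indent=2))
    print("read_ledger:", service_authorize(stmt, "reporting-svc", "ledger-db", "read_ledger"))
    print("delete_rows:", service_authorize(stmt, "reporting-svc", "ledger-db", "delete_rows"))
```

The point a practitioner should take from the model is the minimisation in `generate_service_contract`: the contract is scoped to one service and one resource, carries only the policies the principal actually satisfies and only the attributes that service needs, and expires; the service rejects a statement whose signature, binding or expiry does not check out rather than trusting the principal's claims.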
Specification