PROPAGATING USER IDENTITIES IN A SECURE FEDERATED SEARCH SYSTEM

US 20120278303A1
Filed: 05/30/2012
Published: 11/01/2012
Est. Priority Date: 03/01/2006
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

creating a first set of security values based on security credentials obtained from a user and first security attributes for a first identity management system, wherein the first identity management system manages identities for a first secure data source;

creating a second set of security values based on the security credentials obtained from the user and second security attributes for a second identity management system, wherein the second identity management system manages identities for a second secure data source;

wherein the second identity management system manages identities for a second secure data source that is different from the first secure data source;

receiving a query from the user;

embedding the first set of security values into the query to create a first appended query, and querying the first secure data source based on the first appended query;

embedding the second set of security values into the query to create a second appended query, and querying the second secure data source based on the second appended query;

in response to querying the first secure data source, receiving a first search result list comprising first search result entries, and in response to querying the second secure data source, receiving a second search result list comprising second search result entries;

creating a single ranked search result list comprising a merge of the first search result entries with the second search result entries;

returning the single ranked search result list to the user.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A flexible and extensible architecture allows for secure searching across an enterprise. Such an architecture can provide a simple Internet-like search experience to users searching secure content inside (and outside) the enterprise. The architecture allows for the crawling and searching of a variety or sources across an enterprise, regardless of whether any of these sources conform to a conventional user role model. The architecture further allows for security attributes to be submitted at query time, for example, in order to provide real-time secure access to enterprise resources. The user query also can be transformed to provide for dynamic querying that provides for a more current result list than can be obtained for static queries.

22 Citations

21 Claims

1. A method, comprising:
- creating a first set of security values based on security credentials obtained from a user and first security attributes for a first identity management system, wherein the first identity management system manages identities for a first secure data source;
  
  creating a second set of security values based on the security credentials obtained from the user and second security attributes for a second identity management system, wherein the second identity management system manages identities for a second secure data source;
  
  wherein the second identity management system manages identities for a second secure data source that is different from the first secure data source;
  
  receiving a query from the user;
  
  embedding the first set of security values into the query to create a first appended query, and querying the first secure data source based on the first appended query;
  
  embedding the second set of security values into the query to create a second appended query, and querying the second secure data source based on the second appended query;
  
  in response to querying the first secure data source, receiving a first search result list comprising first search result entries, and in response to querying the second secure data source, receiving a second search result list comprising second search result entries;
  
  creating a single ranked search result list comprising a merge of the first search result entries with the second search result entries;
  
  returning the single ranked search result list to the user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein querying the first secure data source.further comprises sending the first appended query to a first search engine instance that manages an index of the first secure data source;
    - andwherein querying the second secure data source further comprises sending the second appended query to a second search engine instance that manages an index of the second secure data source.
  - 3. The method of claim 2, wherein the first search engine instance is not the same as the second search engine instance.
  - 4. The method of claim 2, further comprising authenticating to the first search engine instance as a trusted identity, wherein the trusted identity is not included in the security credentials obtained from the user.
  - 5. The method of claim 2, further comprising authenticating to the first search engine instance as a trusted identity;
    - wherein the trusted identity is managed by the first identity management system.
  - 6. The method of claim 1, wherein the method is performed by a broker that comprises a particular search engine instance.
  - 7. The method of claim 1, wherein each search result entry in the first search result list and the second search result list are received with a relevance score;
    - and further comprising;
      
      assigning a new relevance score to said each search result entry based on the relevance score received with said each search result entry; and
      
      creating the single ranked search result list by ranking said each search result entry based on the new relevance score assigned to said each search result entry.
  - 8. The method of claim 7, wherein assigning the new relevance score to said each search result entry further comprises applying a weighting function to the relevance score received with said each search result entry.
  - 9. The method of claim 8, wherein a first weighting function is applied to each search result entry of the first search result entries, and a second weighting function that is different from the first weighting function is applied to each search result entry of the second search result entries.
  - 10. The method of claim 7, wherein assigning the new relevance score to said each search result entry further comprises determining the new relevance score based on criteria established for the particular search engine instance without using the relevance score received with said each search result entry.
  - 11. The method of claim 7, wherein merging the first search result entries with the second search result entries into a single ranked search result list further comprises identifying and eliminating a search result entry that appears in both the first and second search result lists.
  - 12. The method of claim 1, wherein the first identity management system and the second identity management system are the same.
  - 13. The method of claim 1, wherein the security credentials received from the user comprises one of:
    - user name, password, domain name;
      
      orfirst name, last name, department.
  - 14. The method of claim 1, wherein the first set of security values comprises:
    - identifiers of groups to which the user belongs;
      
      oridentifiers of roles assigned to the user;
      
      oridentifiers a location associated with the user.

15. The method comprising:
- receiving a user query and user identity information from a remote search engine broker; and
  
  authenticating the remote search engine broker using a first identity management system;
  
  obtaining user security credentials from a second identity management system based on the user identity information;
  
  creating a first set of security values based on the user security credentials;
  
  embedding the first set of security values into the user query to create a first appended query;
  
  querying a first data source based on the first appended query;
  
  in response to querying the first data source, determining a first set of search results; and
  
  sending the first set of search results to the remote search engine broker.
- View Dependent Claims (16, 17)
- - 16. The method of claim 15, further comprising:
    - computing a relevance score for each search result entry of the first search result entries; and
      
      sending the relevance score for said each search result entry to the remote search engine broker with the first set of search results.
  - 17. The method of claim 15, wherein the user security credentials includes a security value not associated with the user identity information managed by the first identity management system.

18. A computer system, comprising:
- a plurality of processors;
  
  a memory coupled to one or more processors of the plurality of processors, the memory storing instructions, which when executed by the one or more processors comprises;
  
  a plurality of secure data sources, each secure data source associated with an identity management system of the plurality of identity management systems; and
  
  a broker operable to;
  
  receive first user credentials and a query from a user;
  
  for said each secure data source;
  
  map the first user credentials to second user credentials that are different from the first user credentials;
  
  extract security values from an identity management system based on the second user credentials, the security attributes corresponding to the security attributes used by said each secure data source to express access policy;
  
  embed the extracted security values into the query to create an appended query;
  
  receive a search result set corresponding to said each secure data source; and
  
  consolidate said each search result set corresponding to said each secure data source into a single ranked search result set.
- View Dependent Claims (19, 20, 21)
- - 19. The system of claim 18, further comprising a set of search engine instances, each search engine instance of the set of search engine instances operable to search an index of a secure data source of the plurality of secure data sources;
  - 20. The system of claim 19, wherein the broker is further operable to send each appended query to a corresponding search engine instance of the set of search engine instances.
  - 21. The system of claim 18, further comprising a set of identity management systems, each identity management system of the set of identity management systems managing security attributes used to express access policy to data managed by a corresponding secure data source of the plurality of secure data sources;
    - wherein said each identity management system maintains a distinct set of security attributes.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Krishnaprasad, Muralidhar, Bhatkar, Sachin, Nimani, Visar, Chang, Thomas, Bhavsar, Meeten

Granted Patent

US 8,595,255 B2
Time in Patent Office

Days
Field of Search
US Class Current

707/711
CPC Class Codes

G06F 16/2452   Query translation

G06F 16/2455   Query execution

H04L 63/0815   providing single-sign-on or...

PROPAGATING USER IDENTITIES IN A SECURE FEDERATED SEARCH SYSTEM

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

22 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

PROPAGATING USER IDENTITIES IN A SECURE FEDERATED SEARCH SYSTEM

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links