System and method for credential delegation using identity assertion
First Claim
Patent Images
1. A method for handling network security, said method comprising:
- receiving, at a first server, a client request from a client, wherein the client request includes a user identifier and a password;
authenticating the client request using a security service, wherein the security service is different than the first server;
in response to authenticating the client request, sending an authentication token from the security service to the first server;
in response to receiving the authentication token at the first server, storing the user identifier without the password in a client credential at the first server, wherein the client credential corresponds to a client credential type;
after receiving the authentication token from the security service, determining that a run-as command is specified that allows the first server to send an identity assertion token to a downstream server using a different identity, wherein the different identity is based upon a credential type that is selected from the group consisting of the client credential type, a server credential type, and a specific identifier credential type;
in response to determining that the run-as command is specified, selecting, at the first server, one of the credential types;
determining whether an enterprise Java bean has been invoked;
in response to determining that the enterprise Java bean has been invoked, generating the identity assertion token using an identified credential which corresponds to the selected credential type; and
sending the identity assertion token from the first server directly to the downstream server.
1 Assignment
0 Petitions
Accused Products
Abstract
Run-as credentials delegation using identity assertion is presented. A server receives a request from a client that includes the client'"'"'s user identifier and password. The server authenticates the client and stores the client'"'"'s user identifier without the corresponding password in a client credential storage area. The server determines if a run-as command is specified to communicate with a downstream server. If a run-as command is specified, the server retrieves a corresponding run-as identity which identifies whether a client credential type, a server credential type, or a specific identifier credential type should be used in the run-as command. The server retrieves an identified credential corresponding to the identified credential type, and sends the identified credential in an identity assertion token to a downstream server.
64 Citations
3 Claims
-
1. A method for handling network security, said method comprising:
-
receiving, at a first server, a client request from a client, wherein the client request includes a user identifier and a password; authenticating the client request using a security service, wherein the security service is different than the first server; in response to authenticating the client request, sending an authentication token from the security service to the first server; in response to receiving the authentication token at the first server, storing the user identifier without the password in a client credential at the first server, wherein the client credential corresponds to a client credential type; after receiving the authentication token from the security service, determining that a run-as command is specified that allows the first server to send an identity assertion token to a downstream server using a different identity, wherein the different identity is based upon a credential type that is selected from the group consisting of the client credential type, a server credential type, and a specific identifier credential type; in response to determining that the run-as command is specified, selecting, at the first server, one of the credential types; determining whether an enterprise Java bean has been invoked; in response to determining that the enterprise Java bean has been invoked, generating the identity assertion token using an identified credential which corresponds to the selected credential type; and sending the identity assertion token from the first server directly to the downstream server. - View Dependent Claims (2, 3)
-
Specification
-
- Resources
Litigation Campaign Assessment
Thank you for your request. You will receive a custom alert email when the Litigation Campaign Assessment is available.
×
-
Current AssigneeInternational Business Machines Corporation
-
Original AssigneeInternational Business Machines Corporation
-
InventorsVenkataramappa, Vishwanath, Chao, Ching-Yun, Chung, Hyen Vui, Reddy, Ajay
-
Primary Examiner(s)Revak; Christoper A
-
Assistant Examiner(s)Moorthy; Aravind K
-
Application NumberUS10/286,609Publication NumberTime in Patent Office2,371 DaysField of Search726/5US Class Current726/5CPC Class CodesH04L 63/0807 using tickets, e.g. Kerbero...H04L 63/205 involving negotiation or de...
