Method and system for pluggability of federation protocol runtimes for federated user lifecycle management

US 7,698,375 B2
Filed: 07/21/2004
Issued: 04/13/2010
Est. Priority Date: 07/21/2004
Status: Active Grant

First Claim

Patent Images

1. A method for providing federated functionality within a data processing system, the method comprising:

configuring one or more pluggable modules into a federated user lifecycle management functionality with a federated computing environment, each of the pluggable modules having associated therewith a set of one or more runtime parameters to be used during federation transactions;

receiving an incoming request at point-of-contact functionality within a domain, wherein the domain is associated with a plurality of domains within the federated computing environment;

analyzing an incoming request with the point-of-contact functionality;

in response to a determination that the received request is directed to accessing a resource that is controlled by resource accessing functionality without the request requiring processing by federated user lifecycle management functionality, sending the received request from the point-of-contact functionality to the resource accessing functionality; and

in response to a determination that the received request requires processing by federated user lifecycle management functionality, sending the received request from the point-of-contact functionality to the federated user lifecycle management functionality, wherein the federated user lifecycle management functionality invokes one of the pluggable modules and its associated runtime parameters to provide a federated user lifecycle management function during a federation transaction;

wherein the pluggable modules enable the federated user lifecycle management functionality to support multiple, simultaneous, federated user lifecycle management functions on an as-needed basis without requiring changes to an existing infrastructure.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and a system are presented in which federated domains interact within a federated environment. Domains within a federation can initiate federated operations for a user at other federated domains. A point-of-contact server within a domain relies upon a trust proxy within the domain to manage trust relationships between the domain and the federation. The point-of-contact server receives incoming requests directed to the domain and interfaces with a first application server and a second application server, wherein the first application server responds to requests for access to controlled resources and the second application server responds to requests for access to federated user lifecycle management functions, which are implemented using one or more pluggable modules that interface with the second application server.

39 Citations

View as Search Results

41 Claims

1. A method for providing federated functionality within a data processing system, the method comprising:
- configuring one or more pluggable modules into a federated user lifecycle management functionality with a federated computing environment, each of the pluggable modules having associated therewith a set of one or more runtime parameters to be used during federation transactions;
  
  receiving an incoming request at point-of-contact functionality within a domain, wherein the domain is associated with a plurality of domains within the federated computing environment;
  
  analyzing an incoming request with the point-of-contact functionality;
  
  in response to a determination that the received request is directed to accessing a resource that is controlled by resource accessing functionality without the request requiring processing by federated user lifecycle management functionality, sending the received request from the point-of-contact functionality to the resource accessing functionality; and
  
  in response to a determination that the received request requires processing by federated user lifecycle management functionality, sending the received request from the point-of-contact functionality to the federated user lifecycle management functionality, wherein the federated user lifecycle management functionality invokes one of the pluggable modules and its associated runtime parameters to provide a federated user lifecycle management function during a federation transaction;
  
  wherein the pluggable modules enable the federated user lifecycle management functionality to support multiple, simultaneous, federated user lifecycle management functions on an as-needed basis without requiring changes to an existing infrastructure.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 wherein the point-of-contact functionality and the federated user lifecycle management functionality are implemented on the same server and the received request is sent from the point-of-contact functionality to the federated user lifecycle management functionality indirectly via a redirect through an application that generates the incoming request.
  - 3. The method of claim 1 wherein the point-of-contact functionality and the federated user lifecycle management functionality are implemented within the same application.
  - 4. The method of claim 1 wherein the point-of-contact functionality and the federated user lifecycle management functionality are implemented within the same domain.
  - 5. The method of claim 1 further comprising:
    - analyzing a received request message;
      
      invoking the resource accessing functionality to process a request that is received by the point-of-contact functionality which requests access to a controlled resource; and
      
      invoking the federated user lifecycle management functionality to process a request that is received by the point-of-contact functionality which requests or requires access to a federated user lifecycle management function.
  - 6. The method of claim 1 wherein a pluggable module supports a federation protocol in accordance with a WS-Federation specification.
  - 7. The method of claim 1 wherein a pluggable module supports a federation protocol in accordance with a Liberty Alliance specification.
  - 8. The method of claim 1 wherein a pluggable module supports a federation protocol in accordance with a SAML (Security Assertion Markup Language) specification.
  - 9. The method of claim 1 wherein a pluggable module supports a federation protocol in accordance with a proprietary specification.
  - 10. The method of claim 1 further comprising:
    - supporting a federation protocol at a first pluggable module in accordance with a first federation protocol profile; and
      
      supporting a federation protocol at a second pluggable module in accordance with a second federation protocol profile.

11. An apparatus for providing federated functionality within a data processing system, the apparatus comprising:
- a processor;
  
  a computer memory holding computer program instructions which when executed by the processor perform a method comprising;
  
  configuring one or more pluggable modules into a federated user lifecycle management functionality with a federated computing environment, each of the pluggable modules having associated therewith a set of one or more runtime parameters to be used during federation transactions;
  
  receiving an incoming request at point-of-contact functionality within a domain, wherein the domain is associated with a plurality of domains within the federated computing environment;
  
  analyzing an incoming request with the point-of-contact functionality;
  
  sending, in response to a determination that the received request is directed to accessing a resource that is controlled by resource accessing functionality, the received request from the point-of-contact functionality to the resource accessing functionality; and
  
  sending, in response to a determination that the received request is directed to accessing federated user lifecycle management functionality, the received request from the point-of-contact functionality to the federated user lifecycle management functionality, wherein the federated user lifecycle management functionality responds to requests for access to federated user lifecycle management functions by invoking one of the pluggable modules and its associated runtime parameters to provide a federated user lifecycle management function during a federation transaction;
  
  wherein the pluggable modules enable the federated user lifecycle management functionality to support multiple, simultaneous, federated user lifecycle management functions on an as-needed basis without requiring changes to an existing infrastructure.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The apparatus of claim 11 wherein the point-of-contact functionality and the federated user lifecycle management functionality are implemented on the same server.
  - 13. The apparatus of claim 11 wherein the point-of-contact functionality and the federated user lifecycle management functionality are implemented within the same application.
  - 14. The apparatus of claim 11 wherein the point-of-contact functionality and the federated user lifecycle management functionality are implemented within the same domain.
  - 15. The apparatus of claim 11 wherein the method further comprises:
    - analyzing a received request message;
      
      invoking the resource accessing functionality to process a request that is received by the point-of-contact functionality which requests access to a controlled resource; and
      
      invoking the federated user lifecycle management functionality to process a request that is received by the point-of-contact functionality which requests access to a federated user lifecycle management function.
  - 16. The apparatus of claim 11 wherein a pluggable module supports a federation protocol in accordance with a WS-Federation specification.
  - 17. The apparatus of claim 11 wherein a pluggable module supports a federation protocol in accordance with a Liberty Alliance specification.
  - 18. The apparatus of claim 11 wherein a pluggable module supports a federation protocol in accordance with a SAML (Security Assertion Markup Language) specification.
  - 19. The apparatus of claim 11 wherein a pluggable module supports a federation protocol in accordance with a proprietary specification.
  - 20. The apparatus of claim 11 wherein the method further comprises:
    - supporting a federation protocol at a first pluggable module in accordance with a first federation protocol profile; and
      
      supporting a federation protocol at a second pluggable module in accordance with a second federation protocol profile.

21. A computer program product on a computer storage medium for use in a data processing system for providing federated functionality, the computer program product holding computer program instructions which when executed by the data processing system perform a method comprising:
- configuring one or more pluggable modules into a federated user lifecycle management functionality with a federated computing environment, each of the pluggable modules having associated therewith a set of one or more runtime parameters to be used during federation transactions;
  
  receiving an incoming request at point-of-contact functionality within a domain, wherein the domain is associated with a plurality of domains within the federated computing environment;
  
  analyzing an incoming request with the point-of-contact functionality;
  
  sending, in response to a determination that the received request is directed to accessing a resource that is controlled by resource accessing functionality, the received request from the point-of-contact functionality to the resource accessing functionality; and
  
  sending, in response to a determination that the received request is directed to accessing federated user lifecycle management functionality, the received request from the point-of-contact functionality to the federated user lifecycle management functionality, wherein the federated user lifecycle management functionality responds to requests for access to federated user lifecycle management functions by invoking one of the pluggable modules and its associated runtime parameters to provide a federated user lifecycle management function during a federation transaction;
  
  wherein the pluggable modules enable the federated user lifecycle management functionality to support multiple, simultaneous, federated user lifecycle management functions on an as-needed basis without requiring changes to an existing infrastructure.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The computer program product of claim 21 wherein the point-of-contact functionality and the federated user lifecycle management functionality are implemented on the same server.
  - 23. The computer program product of claim 21 wherein the point-of-contact functionality and the federated user lifecycle management functionality are implemented within the same application.
  - 24. The computer program product of claim 21 wherein the point-of-contact functionality and the federated user lifecycle management functionality are implemented within the same domain.
  - 25. The computer program product of claim 21 wherein the method further comprises:
    - analyzing a received request message;
      
      invoking the resource accessing functionality to process a request that is received by the point-of-contact functionality which requests access to a controlled resource; and
      
      invoking the federated user lifecycle management functionality to process a request that is received by the point-of-contact functionality which requests access to a federated user lifecycle management function.
  - 26. The computer program product of claim 21 wherein a pluggable module supports a federation protocol in accordance with a WS-Federation specification.
  - 27. The computer program product of claim 21 wherein a pluggable module supports a federation protocol in accordance with a Liberty Alliance specification.
  - 28. The computer program product of claim 21 wherein a pluggable module supports a federation protocol in accordance with a SAML (Security Assertion Markup Language) specification.
  - 29. The computer program product of claim 21 wherein a pluggable module supports a federation protocol in accordance with a proprietary specification.
  - 30. The computer program product of claim 21 wherein the method further comprises:
    - supporting a federation protocol at a first pluggable module in accordance with a first federation protocol profile; and
      
      supporting a federation protocol at a second pluggable module in accordance with a second federation protocol profile.

31. A data processing system comprising:
- a management application having an associated interface for configuring one or more pluggable modules into a federated user lifecycle management functionality with a federated computing environment, each of the pluggable modules having associated therewith a set of one or more runtime parameters to be used during federation transactions;
  
  a point-of-contact server, wherein the point-of-contact server receives incoming requests directed to a domain, wherein the domain is associated with a plurality of domains within the federated computing environment;
  
  a first application server that interfaces with the point-of-contact server, wherein the first application server responds to requests for access to controlled resources; and
  
  a second application server that interfaces with the point-of-contact server, wherein the second application server responds to requests for access to federated user lifecycle management functions by invoking one of the pluggable modules and its associated runtime parameters to provide a federated user lifecycle management function during a federation transaction;
  
  wherein the pluggable modules enable the federated user lifecycle management functionality to support multiple, simultaneous, federated user lifecycle management functions on an as-needed basis without requiring changes to an existing infrastructure.
- View Dependent Claims (32, 33, 34, 35, 36, 37, 38, 39, 40, 41)
- - 32. The data processing system of claim 31 wherein the point-of-contact server further comprises:
    - a processor;
      
      a computer memory holding computer program instructions which when executed by the processor perform a method comprising;
      
      analyzing a received request message;
      
      invoking the first application server to process a request that is received by the point-of-contact server which requests access to controlled resources; and
      
      invoking the second application server to process requests that are received by the point-of-contact server which request access to federated user lifecycle management functions.
  - 33. The data processing system of claim 31 wherein a pluggable module supports a federation protocol in accordance with a WS-Federation specification.
  - 34. The data processing system of claim 31 wherein a pluggable module supports a federation protocol in accordance with a Liberty Alliance specification.
  - 35. The data processing system of claim 31 wherein a pluggable module supports a federation protocol in accordance with a SAML (Security Assertion Markup Language) specification.
  - 36. The data processing system of claim 31 wherein a pluggable module supports a federation protocol in accordance with a proprietary specification.
  - 37. The data processing system of claim 31 further comprising:
    - a first pluggable module for supporting a federation protocol in accordance with a first federation protocol profile; and
      
      a second pluggable module for supporting a federation protocol in accordance with a second federation protocol profile.
  - 38. The data processing system of claim 31 further comprising:
    - a trust proxy, wherein the trust proxy generates security assertions sent from the domain and validates security assertions received at the domain.
  - 39. The data processing system of claim 38 wherein the second application serverinvokes the trust proxy to generate secure messages that contain a request or a response.
  - 40. The data processing system of claim 38 wherein the trust proxymaintains trust relationships with different domains within the federated computing environment.
  - 41. The data processing system of claim 38 wherein the trust proxyinteroperates with a trust broker to obtain assistance in translating an assertion that has been received from a different domain within the federated computing environment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Falola, Dolapo Martin, Wardrop, Patrick Ryan, Hinton, Heather Maria, Moran, Anthony Scott
Primary Examiner(s)
Ismail; Shawki S

Application Number

US10/896,353
Publication Number

US 20060020679A1
Time in Patent Office

2,092 Days
Field of Search

709/203, 709217-219, 709223-229, 709/231
US Class Current

709/217
CPC Class Codes

G06F 21/41   where a single sign-on prov...

G06F 2221/2115   Third party

G06Q 10/10   Office automation; Time man...

H04L 63/02   for separating internal fro...

H04L 63/0815   providing single-sign-on or...

H04L 63/0823   using certificates cryptogr...

Method and system for pluggability of federation protocol runtimes for federated user lifecycle management

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

39 Citations

41 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for pluggability of federation protocol runtimes for federated user lifecycle management

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

39 Citations

41 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links