1. Method and system for multi-protocol single logout
    Type: Granted invention patent
    Legal status: In force

    Publication number: US08099768B2

    Publication date: 2012-01-17

    Application number: US12233377

    Filing date: 2008-09-18

    IPC classification: H04L29/00

    Abstract: A method for multi-protocol logout. The method includes receiving, by a first identity provider, a logout request from a user agent, wherein the first identity provider executes in a federation manager, and initiating, by the first identity provider, a logout on a service provider associated with the first identity provider based on the logout request. The method further includes identifying, by the federation manager, a plurality of identity providers associated with the user agent, wherein the plurality of identity providers communicate using heterogeneous federation protocols, and initiating, by the federation manager, a logout on each of the plurality of identity providers based on the logout request using the plurality of heterogeneous federation protocols. The method further includes initiating, by the plurality of identity providers, a logout of each service provider corresponding to the plurality of identity providers, identifying a status of each logout, and sending the status to the user agent.


2. Method and system for transferring identity assertion information between trusted partner sites in a network using artifacts
    Type: Granted invention patent
    Legal status: In force

    Publication number: US07788711B1

    Publication date: 2010-08-31

    Application number: US10683728

    Filing date: 2003-10-09

    IPC classification: G06F7/04

    CPC classification: H04L63/0815

    Abstract: A method for managing access to multiple applications using a central server. The method includes receiving a user name and password for a user from an application, generating identity assertion information using the user name and password, generating an artifact associated with the identity assertion information, sending the artifact to the application, receiving the artifact and a request for the identity assertion information from a second application, verifying the validity of the artifact, and sending the identity assertion information to the second application. The second application uses the identity assertion information to authorize the user to access the second application.


3. Methods for more flexible SAML session
    Type: Granted invention patent
    Legal status: In force

    Publication number: US07506162B1

    Publication date: 2009-03-17

    Application number: US10833414

    Filing date: 2004-04-27

    IPC classification: H04L9/00 H04L9/32 G06F7/04

    CPC classification: H04L63/0815

    Abstract: In accordance with one embodiment of the present invention, there is provided a mechanism for navigating seamlessly between sites in a computing environment in order to access resources without requiring users or user agents to re-authenticate. In one embodiment, there is provided the ability to determine different attribute sets for use with different resources on a target site for a user or user agent that is authenticated with a first site and seeks to access one or more resources of a second site without re-authenticating. In one embodiment, there is provided the ability to map accounts on the first site to accounts on the second site using a set of attributes selected from among the attributes provided by an application on the first site. With this mechanism, it is possible for applications or other resources to share information about a user or a user agent across disparate web sites seamlessly.


4. Method and system for dynamically generating a web-based user interface
    Type: Granted invention patent
    Legal status: In force

    Publication number: US07409710B1

    Publication date: 2008-08-05

    Application number: US10685989

    Filing date: 2003-10-14

    IPC classification: H04L9/32

    CPC classification: H04L63/08 H04L63/168

    Abstract: A method and system for dynamically generating web-based user interfaces. In one embodiment, a method is disclosed for displaying a user interface over a network to a user. The method begins by reading an HTTP request for authentication from a browser associated with the user. The HTTP request comprises credential information associated with the user. Based on the credential information, a first plug-in module from a plurality of plug-in modules is invoked to authenticate the user. Each of the plurality of plug-in modules provides similar authentication services. An authentication user interface is dynamically generated based on the HTTP request and on configuration properties that are defined by the first plug-in module.


5. Method and system for providing a circle of trust on a network
    Type: Invention patent application
    Legal status: In force

    Publication number: US20050021964A1

    Publication date: 2005-01-27

    Application number: US10627019

    Filing date: 2003-07-25

    IPC classification: H04L9/32 H04L29/06 H04L9/00

    Abstract: Embodiments of the present invention provide a circle of trust on a network. The circle of trust is configured by exchanging the credentials of a first and a second affiliated entity. The credentials of the first affiliated entity are stored in a trusted partner list of the second affiliated entity. The credentials of the second affiliated entity are stored in a trusted partner list of the first affiliated entity. Thereafter, a circle-of-trust session may be provided when a client device initiates use of a resource on a relying party device by providing an authentication assertion reference. The identity of the issuing party of the authentication assertion is determined as a function of the authentication assertion reference. The relying party sends an authentication query containing its credential to the issuing party. The issuing party determines whether the relying party is a trusted entity based upon whether the relying party's credential is contained in the trusted partner list of the issuing party.


6. Fine-grained attribute access control
    Type: Granted invention patent
    Legal status: In force

    Publication number: US07836510B1

    Publication date: 2010-11-16

    Application number: US10836991

    Filing date: 2004-04-30

    IPC classification: G06F21/22

    CPC classification: G06F21/6218

    Abstract: A mechanism is disclosed for enabling an attribute provider service (APS), which provides access to one or more attributes, to control access to those attributes at the attribute level. In one implementation, a request is received which specifies a particular attribute to be accessed from an attribute repository. In response to this request, a policy that applies to the particular attribute is accessed. The policy is then processed to determine whether access to the particular attribute is to be allowed or denied. With the above mechanism, it is possible to control access to attributes at the attribute level rather than at the service level. Because access control is exercised at such a fine granularity, an administrator can exercise much tighter and more precise control over how attributes provided by an APS are accessed.


7. Liberty discovery service enhancements
    Type: Granted invention patent
    Legal status: In force

    Publication number: US07565356B1

    Publication date: 2009-07-21

    Application number: US10837146

    Filing date: 2004-04-30

    IPC classification: G06F17/30

    Abstract: A mechanism is disclosed for providing a user's web service provider's (WSP's) access information to a web service consumer (WSC). In one embodiment, a directory service provider (DSP) receives, from a WSC, a request for a particular user's WSP access information. The request contains identifying information that is associated with the particular user. A repository indicates, for each user, an associated user characteristic. Each user characteristic is associated with a separate template object that indicates the access information of one or more WSP instances. In response to receiving the request, the DSP determines, from the repository, the user characteristic that is associated with the particular user. The DSP sends, in a response to the WSC's request, the access information of the one or more WSP instances indicated in the template object associated with that user characteristic. The WSC may use the WSP access information to direct a query to a particular WSP.


8. Method and system for providing a circle of trust on a network
    Type: Granted invention patent
    Legal status: In force

    Publication number: US07716469B2

    Publication date: 2010-05-11

    Application number: US10627019

    Filing date: 2003-07-25

    IPC classification: H04L29/06 H04L9/32 G06F7/04

    Abstract: Embodiments of the present invention provide a circle of trust on a network. The circle of trust is configured by exchanging the credentials of a first and a second affiliated entity. The credentials of the first affiliated entity are stored in a trusted partner list of the second affiliated entity. The credentials of the second affiliated entity are stored in a trusted partner list of the first affiliated entity. Thereafter, a circle-of-trust session may be provided when a client device initiates use of a resource on a relying party device by providing an authentication assertion reference. The identity of the issuing party of the authentication assertion is determined as a function of the authentication assertion reference. The relying party sends an authentication query containing its credential to the issuing party. The issuing party determines whether the relying party is a trusted entity based upon whether the relying party's credential is contained in the trusted partner list of the issuing party.


9. METHOD AND SYSTEM FOR MULTI-PROTOCOL SINGLE LOGOUT
    Type: Invention patent application
    Legal status: In force

    Publication number: US20100071056A1

    Publication date: 2010-03-18

    Application number: US12233377

    Filing date: 2008-09-18

    IPC classification: H04L9/32

    Abstract: A method for multi-protocol logout. The method includes receiving, by a first identity provider, a logout request from a user agent, wherein the first identity provider executes in a federation manager, and initiating, by the first identity provider, a logout on a service provider associated with the first identity provider based on the logout request. The method further includes identifying, by the federation manager, a plurality of identity providers associated with the user agent, wherein the plurality of identity providers communicate using heterogeneous federation protocols, and initiating, by the federation manager, a logout on each of the plurality of identity providers based on the logout request using the plurality of heterogeneous federation protocols. The method further includes initiating, by the plurality of identity providers, a logout of each service provider corresponding to the plurality of identity providers, identifying a status of each logout, and sending the status to the user agent.


10. Method and system for providing an open and interoperable system
    Type: Invention patent application
    Legal status: In force

    Publication number: US20050015593A1

    Publication date: 2005-01-20

    Application number: US10619657

    Filing date: 2003-07-14

    IPC classification: H04L9/00 H04L29/06

    CPC classification: H04L63/0815

    Abstract: Embodiments of the present invention provide an open and interoperable single sign-on session in a heterogeneous communication network. The open and interoperable single sign-on system is configured by exchanging an entity identifier, an account mapping, an attribute mapping, a site attribute list, an action mapping and/or the like. The entity identifier, account mapping, attribute mapping, site attribute list, action mapping and the like for each partner entity are stored in a partner list accessible to the particular entity. Thereafter, the open and interoperable single sign-on session may be provided upon receipt of a SAML request or assertion containing an entity identifier. The entity identifier contained in the SAML request or assertion is looked up in the partner list of the particular entity that received the SAML request or assertion. A record containing a matching entity identifier provides the applicable account mapping, attribute mapping, site attribute list and/or action mapping. The one or more mappings are then used to process the SAML request or assertion.
