摘要:
The invention provides federated functionality within a data processing system by means of a set of specialized runtimes. Each of the plurality of specialized runtimes provides requested federation services for selected ones of the requestors according to configuration data of respective federation relationships of the requestors with the identity provider. The configuration data is dynamically retrieved during initialization of the runtimes which allows the respective runtime to be specialized for a given federation relationship. Requests are routed to the appropriate specialized runtime using the first requestor identity and the given federation relationship. The data which describes each federation relationship between the identity provider and each of the plurality of requesters is configured prior to initialization of the runtimes. Configuration data is structured into global specified data, federation relationship data and requestor specific data to minimize data change, making the addition or deletion of requesters very scalable.
摘要:
A method and a system are presented in which federated domains interact within a federated environment. Domains within a federation can initiate federated single-sign-on operations for a user at other federated domains. A point-of-contact server within a domain relies upon a trust proxy within the domain to manage trust relationships between the domain and the federation. Trust proxies interpret assertions from other federated domains as necessary. Trust proxies may have a trust relationship with one or more trust brokers, and a trust proxy may rely upon a trust broker for assistance in interpreting assertions. When a user is provisioned at a particular federated domain, the federated domain can provision the user to other federated domains within the federated environment. A provision operation may include creating or deleting an account for a user, pushing updated user account information including attributes, and requesting updates on account information including attributes.
摘要:
A method and a system are presented in which federated domains interact within a federated environment. Domains within a federation can initiate federated operations for a user at other federated domains. A point-of-contact server within a domain relies upon a trust proxy within the domain to manage trust relationships between the domain and the federation. The point-of-contact server receives incoming requests directed to the domain and interfaces with a first application server and a second application server, wherein the first application server responds to requests for access to controlled resources and the second application server responds to requests for access to federated user lifecycle management functions, which are implemented using one or more pluggable modules that interface with the second application server.
摘要:
Methods, systems, and computer program products are disclosed that give entities flexibility to implement custom authentication methods of other entities for authentication of a principal in a federation by authenticating the principal by an identity provider according to a service provider's authentication policy and recording in session data of the identity provider an authentication credential satisfying the service provider's authentication policy. Authentication of a principal in a federation is also carried out by authenticating the principal by the identity provider according to an identity provider's authentication policy. Authentication of a principal in a federation is further carried out by receiving in the identity provider an authentication request from the service provider, the authentication request specifying the service provider's authentication policy.
摘要:
A method and a system are presented in which computing environments of different enterprises interact within a federated computing environment. Federated operations can be initiated at the computing environments of federation partners on behalf of a user at a different federated computing environment. A point-of-contact service relies upon a trust service to manage trust relationships between a computing environment and computing environments of federation partners. The trust service employs a key management service, an identity/attribute service, and a security token service. A federated user lifecycle management service implements federated user lifecycle functions and interacts with the point-of-contact service and the trust service.
摘要:
A method and system is presented to parse a WSDL description and build a hierarchical protected object namespace for authorization of access to the resource, wherein the protected object namespace is based on the abstract part of a WSDL but can be used to assist in authorization decisions for multiple different concrete bindings of this WSDL, wherein the concrete binding/request is based on the WS-Addressing endpoint reference.
摘要:
A method and a system are presented in which federated service providers interact within a federated environment to initiate federated operations. A point-of-contact component that provides session management capabilities at a first service provider receives a request from a client. The request is then sent, possibly using redirection through a client, to a federated user lifecycle management functional component of the first service provider, which may interact with a point-of-contact component at a second service provider to initiate a federated user lifecycle management function at the second service provider, which enlists the assistance of a federated user lifecycle management functional component at the second service provider. In response to completion of a federated user lifecycle management function, the point-of-contact component at the first service provider subsequently receives a response from the federated user lifecycle management functional component at the first service provider, and the original request can be further processed.
摘要:
A method is presented in which federated domains interact to complete transactions within a federated environment. A point-of-contact server within a domain relies upon a trust service to manage trust relationships. An administrative user can build a federation relationship between a first service provider and a second service provider, which includes a trust relationship between the first service provider and the second service provider and a selection of federation-related operations, i.e. federation functionality. During configuration of the federation relationship, a file is dynamically generated based on the selection of federation functionality for the federation relationship. The file is exported to the second service provider, which provides additional configuration information by inserting it into the file. The modified file is imported at the first service provider from the second service provider, and the additional configuration information are extracted for subsequent use in federated transactions.
摘要:
A method is presented for providing an HTTP-based authentication mechanism. A request for a controlled resource is received from a client at a first server, which sends a request for an uncontrolled resource to a second server, which may be an HTTP-based authentication server, e.g., by redirecting a request via the client to the second server or by forwarding a request directly to the second server. The second server then obtains authentication information from the client. The second server returns the authentication credential or the authenticated identify to the first server within a response message, e.g., by storing the authentication credential within one or more HTTP headers. In response to receiving the authentication information, the first server builds a session for the client and processes the original request for the controlled resource, e.g., by sending a redirection for the controlled resource through the client.
摘要:
A method is presented for managing authentication credentials for a user. A session management server performs session management with respect to the user for a domain that includes a protected resource. The session management server receives a request to access the protected resource, which requires authentication credentials that have been generated for a first type of authentication context. In response to determining that authentication credentials for the user have been generated for a second type of authentication context, the session management server sends to an authentication proxy server a first message that contains the authentication credentials for the user and an indicator for the first type of authentication context. The session management server subsequently receives a second message that contains updated authentication credentials for the user that indicate that the updated authentication credentials have been generated for the first type of authentication context.