US2011289553A1PendingUtilityA1

Policy and attribute based access to a resource

48
Assignee: CARTER STEPHEN RPriority: Sep 30, 2003Filed: Aug 2, 2011Published: Nov 24, 2011
Est. expirySep 30, 2023(expired)· nominal 20-yr term from priority
H04L 63/102H04L 63/0807
48
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

Techniques are provided for controlling access to a resource based on access policies and attributes. A principal issues a request to a service for purposes of accessing a resource. The principal is authenticated and a service contract for the principal, the service, and the resource is generated. The service contract defines resource access policies and attributes which can be permissibly performed by the service on behalf of the principal during a session. Moreover, the session between the service and the resource is controlled by the service contract.

Claims

exact text as granted — not AI-modified
1 . A method implemented in a non-transitory computer-readable storage medium having code that when executed by a proxy server cause the proxy server to perform the method, comprising:
 interacting, by the proxy server, with a principal for authenticating the principal based on acquired identity information;   assembling, by the proxy server, an identity configuration for the principal;   generating, by the proxy server, a service contract for the principal, a service, and a resource, wherein the principal uses the service to access the resource, and wherein the service contract includes a selective number of resource access policies and attributes which are included in the identity configuration; and   transmitting, by the proxy server, an access statement to the principal for use when the principal interacts with the service.   
     
     
         2 . The method of  claim 1  further comprising generating, by the proxy server, alias identity information for the identity information and including the alias identity information with at least a portion of the access statement. 
     
     
         3 . The method of  claim 2  further comprising:
 receiving, by the proxy server, the alias identity information from the service; 
 mapping, by the proxy server, the alias identity information back to the identity information; 
 authenticating, by the proxy server, the identity information; and 
 permitting, by the proxy server, the service to the resource based on the service contract. 
 
     
     
         4 . The method of  claim 1  wherein the transmitting of the access statement further includes representing the access statement as an assertion that is directly used to acquire the identity information of the principal. 
     
     
         5 . The method of  claim 1  wherein the transmitting of the access statement further includes representing the identity information of the principal as an artifact that can be indirectly used to acquire the identity information. 
     
     
         6 . The method of  claim 1  further comprising removing, by the proxy server, the service contract when an active session with the principal expires. 
     
     
         7 . The method of  claim 1  wherein the interacting further includes establishing a secure communication with the principal. 
     
     
         8 . A method implemented in a non-transitory computer-readable storage medium having code that when executed by a proxy server cause the proxy server to perform the method, comprising:
 detecting, by the proxy server, a request being directed to a resource over a network from a principal;   collecting, by the proxy server, identity information for the principal to authenticate to the resource and to a service that controls access to the resource;   authenticating, by the proxy server, the principal in response to the identity information;   creating, by the proxy server, a service contract, the service contract defining selective access policies and attributes for the principal to use when interacting with the service and the resource and the access policies and the attributes derived from the identity information; and   providing, by the proxy server, the service contract to the principal for use when interacting with the service and the resource.   
     
     
         9 . The method of  claim 8 , wherein the proxy server is a forward proxy. 
     
     
         10 . The method of  claim 8 , wherein the proxy is a transparent proxy. 
     
     
         11 . The method of  claim 8 , wherein detecting further includes receiving the request via a browser redirection from a site associated with the service when the principal attempts to initially log into the service for access to the resource. 
     
     
         12 . The method of  claim 11 , wherein receiving further includes interacting with the principal via a secure socket layer network connection after the browser redirection from the site. 
     
     
         13 . The method of  claim 8 , wherein collecting further includes automatically acquiring some of the identity information from a computing environment of the principal. 
     
     
         14 . The method of  claim 8 , wherein authenticating further includes receiving a statement from the service that specifies how to perform authentication of the principal and specific identity information used by the service for the authentication. 
     
     
         15 . The method of  claim 8 , wherein providing further includes sending an access statement to the principal that maps to the service contract, the access statement does not include the service contract but does include information that permits the identity information for the principal to be reproduced to reacquire the service contract on demand. 
     
     
         16 . The method of  claim 8  further comprising, establishing, by the proxy server, a secure communication session between the principal and the service in accordance with the security contract. 
     
     
         17 . The method of  claim 8  further comprising, masking, by the proxy server, a true identity of the principal from the service, wherein the identity information is aliased when provided to the service for authentication. 
     
     
         18 . A method implemented in a non-transitory computer-readable storage medium having code that when executed by a proxy server cause the proxy server to perform the method, comprising:
 aggregating, by the proxy server, identity information for a principal;   obtaining, by the proxy server, selective identity information that a service, which controls a network resource, uses to authenticate users for access to the network resource;   generating, by the proxy server, a contract that defines access policies and attributes for use during a session between the principal, the service, and the network resource; and   sending, the contract to the principal for establishment of the session.   
     
     
         19 . The method of  claim 18 , wherein obtaining further includes acquiring a specific authentication mechanism that the service requires for access to the network resource. 
     
     
         20 . The method of  claim 19  further comprising, establishing, by the proxy server, the session on behalf of the principal and the service when the service requests authentication of the principal by using the selective identity information and the specific authentication mechanism.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.