Dynamically selecting an identity provider for a single sign-on request

US9276869B2 · US · B2

Patent metadata

Publication number: US-9276869-B2
Application number: US-201313732727-A
Country: US
Kind code: B2
Filing date: Jan 2, 2013
Priority date: Jan 2, 2013
Publication date: Mar 1, 2016
Grant date: Mar 1, 2016

Abstract

Official abstract text for this publication.

An identity provider (IdP) discovery service operative at a service provider (SP) is described. In operation, as valid requests are received by the SP via normal IdP-initiated flows, the SP builds up knowledge about the relationship between the IdP that redirected the request and the initiator of the request. The IdP instance is typically inferred from the HTTP referrer field, and information about the initiator may be ascertained from client-specific information, such as the client system IP address, the client DNS domain, the domain of a user e-mail address, the target URL of the incoming request, or the value of a particular HTTP header field. This knowledge is maintained in one or more mapping tables that associate request attributes with IdP instance data. The mappings are then used to facilitate IdP discovery for a new incoming request to the SP that has been determined to originate from other than an IdP.

First claim

Opening claim text (preview).

Having described our invention, what we now claim is as follows:

  1. A method for enabling access to a protected resource in a federated distributed data processing environment, comprising: in association with a service provider, maintaining a data set that associates information identifying one or more identity providers with one or more request attributes, the service provider executing on a data processing machine having a hardware element; upon receipt by the service provider of a request to access the protected resource, determining whether the request originates from an identity provider; when the request does not originate from an identity provider, determining, using information in the data set, whether one or more attributes of the request are associated with a recognized identity provider as indicated in the data set; and when one or more of the attributes of the request are associated with a recognized identity provider, automatically redirecting the request to the recognized identity provider.

  2. The method as described in claim 1 wherein, if the request originates from an identity provider, the data set is updated with information about one or more attributes of the request, and an identifier associated with the identity provider.

  3. The method as described in claim 2 further including: processing the request without redirection to an identity provider.

  4. The method as described in claim 1 wherein the one or more request attributes include one of: a client system IP address, a client DNS domain, a domain associated with a user identifier, a target URL for the request, and a value associated with header associated with the request.

  5. The method as described in claim 1 wherein the step of determining whether the request originates from an identity provider examines a field of a request header.

  6. The method as described in claim 1, further comprising: enabling access to the protected resource following receipt at the service provider of a redirection indicating that an end user has been authenticated at the recognized identity provider.

  7. The method as described in claim 1, further including: when the request does not originate from an identity provider but one or more of the attributes of the request cannot be associated with a recognized identity provider, redirecting the request to an interface from which an identity provider selection is made.

  8. Apparatus operating in a federated distributed data processing environment, comprising: a processor; a data store in which is maintained a data set that associates information identifying one or more identity providers with one or more request attributes; and computer memory holding computer program instructions that when executed by the processor perform a method for enabling access to a protected resource, the method comprising: upon receipt of a request to access the protected resource, determining whether the request originates from an identity provider; when the request does not originate from an identity provider, determining, using information in the data set, whether one or more attributes of the request are associated with a recognized identity provider as indicated in the data set; and when one or more of the attributes of the request are associated with a recognized identity provider, automatically redirecting the request to the recognized identity provider.

  9. The apparatus as described in claim 8 wherein, if the request originates from an identity provider, the method further includes: updating the data set with information about one or more attributes of the request, and an identifier associated with the identity provider.

  10. The apparatus as described in claim 9 wherein the method further includes: processing the request without redirection to an identity provider.

  11. The apparatus as described in claim 8 wherein the one or more request attributes include one of: a client system IP address, a client DNS domain, a domain associated with a user identifier, a target URL for the request, and a value associated with header associated with the request.

  12. The apparatus as described in claim 8 wherein the step of determining whether the request originates from an identity provider examines a field of a request header.

  13. The apparatus as described in claim 8, wherein the method further includes: enabling access to the protected resource following receipt at the service provider of a redirection indicating that an end user has been authenticated at the recognized identity provider.

  14. The apparatus as described in claim 8, wherein the method further includes: when the request does not originate from an identity provider but one or more of the attributes of the request cannot be associated with a recognized identity provider, redirecting the request to an interface from which an identity provider selection is made.

  15. A computer program product in a non-transitory computer-readable storage medium for use in a data processing system for providing identity provider discovery services, the data processing system associated with a federated distributed data processing system, the computer program product holding computer program instructions which, when executed by the data processing system, perform a method for enabling access to a protected resource, the method comprising: maintaining a data set that associates information identifying one or more identity providers with one or more request attributes; upon receipt of a request to access the protected resource, determining whether the request originates from an identity provider; when the request does not originate from an identity provider, determining, using information in the data set, whether one or more attributes of the request are associated with a recognized identity provider as indicated in the data set; and when one or more of the attributes of the request are associated with a recognized identity provider, automatically redirecting the request to the recognized identity provider.

  16. The computer program product as described in claim 15 wherein, if the request originates from an identity provider, the method further includes: updating the data set with information about one or more attributes of the request, and an identifier associated with the identity provider.

  17. The computer program product as described in claim 16 wherein the method further includes: processing the request without redirection to an identity provider.

  18. The computer program product as described in claim 15 wherein the one or more request attributes include one of: a client system IP address, a client DNS domain, a domain associated with a user identifier, a target URL for the request, and a value associated with header associated with the request.

  19. The computer program product as described in claim 15 wherein the step of determining whether the request originates from an identity provider examines a field of a request header.

  20. The computer program product as described in claim 15, wherein the method further includes: enabling access to the protected resource following receipt at the service provider of a redirection indicating that an end user has been authenticated at the recognized identity provider.

  21. The computer program product as described in claim 15, wherein the method further includes: when the request does not originate from an identity provider but one or more of the attributes of the request cannot be associated with a re
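The discovery flow described in the abstract and in claims 1 to 7 (learn attribute-to-IdP mappings from IdP-initiated requests, look them up for requests that did not come from an IdP, fall back to a chooser page) can be sketched in a few dozen lines. The code below is an added illustration, not code from the patent or from IBM; the registry, request fields, header name and the `assertion_valid` flag are constructed assumptions. Two defensive choices are built in that the page's text implies but does not spell out: the table is only updated from requests whose assertion the SP has already validated (a spoofed Referer header alone must not poison the table), and redirects only ever target endpoints in the pre-configured partner registry, never a URL taken from the request.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed federation registry: IdP id -> SSO endpoint. Redirects target only
# these URLs, so an attacker-supplied Referer cannot turn the SP into an open redirect.
IDP_REGISTRY = {
    "idp-acme": "https://idp.acme.example/sso",
    "idp-globex": "https://sso.globex.example/saml",
}
SELECTION_UI = "/idp-select"  # claim 7: chooser page when no attribute matches


@dataclass
class Request:
    client_ip: str
    target_url: str
    headers: Dict[str, str]
    user_email: Optional[str] = None
    assertion_valid: bool = False  # hypothetical: set by the SP's assertion validator


@dataclass
class IdpDiscovery:
    # Mapping table: (attribute name, value) -> IdP id, filled only from validated flows.
    mappings: Dict[Tuple[str, str], str] = field(default_factory=dict)

    def idp_from_referer(self, req: Request) -> Optional[str]:
        """Claim 5: infer the originating IdP from the Referer host, registry members only."""
        host = urlparse(req.headers.get("Referer", "")).hostname
        for idp_id, sso in IDP_REGISTRY.items():
            if host and host == urlparse(sso).hostname:
                return idp_id
        return None

    def attributes(self, req: Request) -> List[Tuple[str, str]]:
        """Claim 4: the request attributes the table is keyed on."""
        attrs = [("ip", req.client_ip), ("url", urlparse(req.target_url).path)]
        if req.user_email and "@" in req.user_email:
            attrs.append(("mail_domain", req.user_email.rsplit("@", 1)[1].lower()))
        if "X-Tenant" in req.headers:  # constructed header name
            attrs.append(("hdr:X-Tenant", req.headers["X-Tenant"]))
        return attrs

    def handle(self, req: Request) -> Tuple[str, Optional[str]]:
        idp = self.idp_from_referer(req)
        if idp is not None:
            if not req.assertion_valid:   # Referer says IdP, but no valid assertion: learn nothing
                return ("reject", None)
            for key in self.attributes(req):  # claim 2: update the data set
                self.mappings[key] = idp
            return ("serve", None)            # claim 3: process without redirection
        for key in self.attributes(req):      # claim 1: look up a recognized IdP
            if key in self.mappings:
                return ("redirect", IDP_REGISTRY[self.mappings[key]])
        return ("redirect", SELECTION_UI)
```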

Assignees

IBM

Classifications

  • H04L47/70 (primary) · Admission control; Resource allocation · CPC title

  • providing single-sign-on or federations · CPC title

  • Electricity · mapped topic

  • based on web technology, e.g. hypertext transfer protocol [HTTP] · CPC title

  • Routing a service request depending on the request content or context · CPC title

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US9276869B2 cover?
An identity provider (IdP) discovery service operative at a service provider (SP) is described. In operation, as valid requests are received by the SP via normal IdP-initiated flows, the SP builds up knowledge about the relationship between the IdP that redirected the request and the initiator of the request. The IdP instance is typically inferred from the HTTP referrer field, and informat…
Who is the assignee on this patent?
IBM
What technology area does this patent fall under?
Primary CPC classification H04L47/70. Mapped technology areas include Electricity.
When was this patent published?
Publication date Mar 1, 2016 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).