Trusted intermediary for network layer claims-enabled access control

摘要

Embodiments of the invention provide a trusted intermediary for use in a system in which access control decisions may be based at least in part on information provided in claims. The intermediary may request claims on behalf of a network resource to which access is requested, and submit the claims for a decision whether to grant or deny access. The decision may be based at least in part on one or more access control policies, which may be pre-set or dynamically generated. Because the intermediary requests the claims and submits the claims for an access control decision, the network resource (e.g., a server application) need not be configured to process claims information.

主权项

1. An apparatus for use in a system comprising a computer in communication via at least one network with a network resource, the at least one network employing a network layer security protocol, the apparatus comprising:
at least one processor coupled to a memory, the at least one processor programmed to: (A) receive from the computer a request for access to the network resource and one or more requester claims describing attributes of one or more of the computer, a user of the computer, and a context in which access by the computer to the network resource is requested, the one or more requester claims being included in a communication formatted to comply with the network layer security protocol; (B) in response to receiving from the computer the request for access to the network resource, request from a claims provider, on behalf of the network resource, one or more resource claims, the one or more resource claims describing attributes of one or more of the network resource, an organization to which the network resource is affiliated, an owner of the network resource, a stage of deployment of the network resource, and a sensitivity of the network resource; (C) receive from the claims provider the one or more resource claims, the one or more resource claims being included in a communication formatted to comply with the network layer security protocol; (D) request an access control policy decision whether to grant or deny access by the computer to the network resource, the request providing information included in the one or more requester claims and the one or more resource claims, the request being included in a communication formatted to comply with the network layer security protocol, the access control policy decision being based at least in part on the information and an access control policy that is dynamically generated; (E) receive an access control policy decision indicating that access by the computer to the network resource is granted; and (F) removing the one or more requester claims from the request before sending the request to the network resource in accordance with a second protocol.