CN103164648B - Method and device used for setting identity union configuration - Google Patents
- Publication number: CN103164648B (application CN201110426561.4A)
- Authority: CN (China)
- Prior art keywords: attribute, configuration, identity federation, attribute set, value
- Legal status: Active (the legal status is an assumption and is not a legal conclusion)
Abstract
A method and apparatus for setting identity federation configuration. The method comprises: obtaining a first identity federation configuration attribute set of a first computing system and a second identity federation configuration attribute set of a second computing system; identifying at least one related attribute pair across the first and second identity federation configuration attribute sets; displaying, on a unified user interface, those attributes of the first and second identity federation configuration attribute sets that need to be set manually, where the attributes needing manual setting exclude any attribute of a related pair whose value can be derived from the value of the other attribute of that pair; automatically assigning a value to each attribute whose value can be derived from the value of another attribute; and providing the first and second identity federation configuration attribute sets, once set, to the first and second computing systems respectively.
Description
Technical field
The present invention relates to identity federation configuration across computing systems.
Background art
Identity federation is used to manage identities and access rights to resources across computing systems. A typical case of accessing resources across computing systems is the use of cloud services. With the popularity of cloud services, more and more customers (for example, enterprises) subscribe to cloud services to meet their service needs. Identity federation allows users to access applications across domains conveniently, and provides an enterprise with a way to access various cloud service applications using the accounts that already exist within the enterprise. To interact seamlessly with a cloud service, an enterprise therefore needs identity federation. The work of setting up identity federation at both the enterprise end and the cloud service end is done by the system administrator of the enterprise (the customer administrator). Because cloud service providers offer their cloud services in proprietary environments and use proprietary data formats, the identity federation configuration at the enterprise end and that at the cloud service end may follow different standards, and the style and data formats of the enterprise user interface and the cloud service user interface may be entirely different. The system administrator consequently needs to be familiar not only with the identity federation configuration standard and user interface of the enterprise end, but also with those of the cloud service end. Moreover, the identity federation configuration of the enterprise end and that of the cloud service end often contain a large amount of repeated content, which brings unnecessary workload to the system administrator.
Summary of the invention
One object of the present invention is to set identity federation configuration in a centralized manner, during the set-up period of identity federation configuration, for two computing systems that have established a trust relationship, so that the consistency of the two computing systems' identity federation configurations is ensured while the number of identity federation parameters the system administrator has to set is reduced.
In one aspect, a method for setting identity federation configuration is provided, comprising: obtaining a first identity federation configuration attribute set of a first computing system and a second identity federation configuration attribute set of a second computing system; identifying one or more related attribute pairs in the first and second identity federation configuration attribute sets, where each related attribute pair comprises one attribute from the first identity federation configuration attribute set and one attribute from the second identity federation configuration attribute set; displaying, on a unified user interface, the attributes of the first and second federation configuration attribute sets that need to be set manually, where the attributes needing manual setting exclude any attribute of a related attribute pair whose value can be derived from the value of the other attribute of the pair; automatically assigning a value to each attribute whose value can be derived from the value of another attribute; and providing the first identity federation configuration attribute set and the second identity federation configuration attribute set, once set, to the first and second computing systems respectively.
In another aspect, a device for setting identity federation configuration is provided, comprising:
an acquisition module, configured to obtain a first identity federation configuration attribute set of a first computing system and a second identity federation configuration attribute set of a second computing system;
a relating module, configured to identify one or more related attribute pairs in the first and second identity federation configuration attribute sets, where each related attribute pair comprises one attribute from the first identity federation configuration attribute set and one attribute from the second identity federation configuration attribute set;
a user interaction module, configured to display, on a unified user interface, the attributes of the first and second federation configuration attribute sets that need to be set manually, where the attributes needing manual setting exclude any attribute of a related attribute pair whose value can be derived from the value of the other attribute of the pair;
a cross-assignment module, configured to automatically assign a value to each attribute whose value can be derived from the value of another attribute; and
a configuration adapter, configured to provide the first identity federation configuration attribute set and the second identity federation configuration attribute set, once set, to the first and second computing systems respectively.
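As an added illustration, not code from the patent, the following Python sketch models the method and device summarized above: two constructed attribute sets, a list of related attribute pairs each with a derivation rule, the computation of the attributes that still need manual input on the unified interface, automatic cross-assignment of the derivable ones, and a consistency check over the resulting per-system attribute sets. The enterprise attribute names "Issuer", "SSO_endpoint" and "private_key" come from the description; the cloud-side names, the pairings and the derivation rules are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Attr = Tuple[str, str]  # (computing system, attribute name)

# Constructed attribute sets of the two computing systems. "Issuer",
# "SSO_endpoint" and "private_key" are named in the description; every other
# attribute name below is an assumption made for this example.
ATTRIBUTE_SETS: Dict[str, List[str]] = {
    "enterprise": ["Issuer", "SSO_endpoint", "private_key", "partner_acs_url", "session_timeout"],
    "cloud": ["idp_entity_id", "idp_sso_url", "idp_signing_cert", "sp_acs_url", "name_id_format"],
}


@dataclass(frozen=True)
class Relation:
    """A related attribute pair: the target's value is derived from the source's."""
    source: Attr
    target: Attr
    derive: Callable[[str], str]


def same_value(value: str) -> str:
    return value


def cert_from_private_key(private_key: str) -> str:
    # Hypothetical derivation standing in for "extract the certificate that
    # matches this private key"; real code would call a crypto library.
    return "CERT(" + private_key + ")"


# Assumed related attribute pairs; each pairs one enterprise attribute with
# one cloud attribute, and derivation may run in either direction.
RELATIONS: List[Relation] = [
    Relation(("enterprise", "Issuer"), ("cloud", "idp_entity_id"), same_value),
    Relation(("enterprise", "SSO_endpoint"), ("cloud", "idp_sso_url"), same_value),
    Relation(("enterprise", "private_key"), ("cloud", "idp_signing_cert"), cert_from_private_key),
    Relation(("cloud", "sp_acs_url"), ("enterprise", "partner_acs_url"), same_value),
]


def manual_attributes(attribute_sets: Dict[str, List[str]],
                      relations: List[Relation]) -> List[Attr]:
    """Attributes shown on the unified interface for manual setting: every
    attribute except those whose value some relation can derive."""
    derived = {rel.target for rel in relations}
    return [(system, name)
            for system, names in attribute_sets.items()
            for name in names
            if (system, name) not in derived]


def cross_assign(manual_values: Dict[Attr, str],
                 relations: List[Relation]) -> Dict[Attr, str]:
    """Automatically assign every derivable attribute. Relations are applied
    until no more progress is possible, so their order (and chains of
    relations) does not matter; an unresolvable relation is an error."""
    values = dict(manual_values)
    pending = list(relations)
    while pending:
        resolved = [rel for rel in pending if rel.source in values]
        if not resolved:
            missing = sorted(rel.source for rel in pending)
            raise ValueError("cannot derive: missing values for " + str(missing))
        for rel in resolved:
            values[rel.target] = rel.derive(values[rel.source])
            pending.remove(rel)
    return values


def is_consistent(values: Dict[Attr, str], relations: List[Relation]) -> bool:
    """Consistency check across both systems: each related pair still agrees."""
    return all(rel.source in values and rel.target in values
               and values[rel.target] == rel.derive(values[rel.source])
               for rel in relations)


def split_by_system(values: Dict[Attr, str]) -> Dict[str, Dict[str, str]]:
    """The per-system attribute sets handed to each computing system."""
    per_system: Dict[str, Dict[str, str]] = {}
    for (system, name), value in values.items():
        per_system.setdefault(system, {})[name] = value
    return per_system


def configure(manual_values: Dict[Attr, str]) -> Dict[str, Dict[str, str]]:
    """The whole procedure: validate the manual input, derive the rest,
    verify consistency, and return one attribute set per computing system."""
    expected = set(manual_attributes(ATTRIBUTE_SETS, RELATIONS))
    if set(manual_values) != expected:
        # "extra" catches an attempt to hand-set a value that must be derived,
        # which is how the two configurations would drift out of agreement.
        extra = sorted(set(manual_values) - expected)
        absent = sorted(expected - set(manual_values))
        raise ValueError("bad manual input; extra=%s absent=%s" % (extra, absent))
    values = cross_assign(manual_values, RELATIONS)
    if not is_consistent(values, RELATIONS):
        raise RuntimeError("derived configuration is inconsistent")
    return split_by_system(values)
```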
Description of the drawings
The features, advantages and other aspects of the embodiments of the present invention will become more apparent from the following detailed description taken in conjunction with the accompanying drawings, in which some embodiments of the present invention are shown by way of example and not by way of limitation. In the drawings:
Figures 1A-1C show block diagrams of exemplary computer systems suitable for implementing embodiments of the present invention;
Figures 2A and 2B illustrate prior-art ways of setting identity federation configuration for different computing systems;
Figure 3A schematically shows a flow chart of a method according to one embodiment of the present invention;
Figure 3B shows, by way of example, part of the identity configuration attributes of two different computing systems;
Figure 4 schematically shows a block diagram of a device according to one embodiment of the present invention.
Detailed description of the invention
The flow charts and block diagrams in the drawings illustrate the architecture, functionality and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in a flow chart or block diagram may represent a module, program segment or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the blocks may occur out of the order noted in the drawings. For example, two blocks shown in succession may in fact be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending on the functionality involved. It should also be noted that each block of the block diagrams and/or flow charts, and combinations of blocks in the block diagrams and/or flow charts, can be implemented by special-purpose hardware-based systems that perform the specified functions or operations, or by combinations of special-purpose hardware and computer instructions.
The principles and spirit of the present invention are described below with reference to several illustrative embodiments. It should be understood that these embodiments are given only to enable those skilled in the art to better understand and then implement the present invention, and do not limit the scope of the present invention in any way.
Reference is now made to Figures 1A-1C, in which Figure 1A schematically shows an example cloud computing node, Figure 1B schematically shows an example cloud computing environment, and Figure 1C schematically shows the abstraction model layers of an example cloud computing environment.
It is understood in advance that although this disclosure includes a detailed description of cloud computing, implementation of the teachings recited herein is not limited to a cloud computing environment. Rather, embodiments of the present invention are capable of being implemented in conjunction with any other type of computing environment now known or later developed.
Cloud computing is a model of service delivery for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, network bandwidth, servers, processing, memory, storage, applications, virtual machines and services) that can be rapidly provisioned and released with minimal management effort or interaction with the service provider. This cloud model may include at least five characteristics, at least three service models and at least four deployment models.
The characteristics are as follows:
On-demand self-service: a cloud consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed and automatically, without requiring human interaction with the service provider.
Broad network access: capabilities are available over a network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g. mobile phones, laptops and personal digital assistants (PDAs)).
Resource pooling: the provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to demand. There is a sense of location independence in that the consumer generally has no control over or knowledge of the exact location of the provided resources, but may be able to specify location at a higher level of abstraction (e.g. country, state or data center).
Rapid elasticity: capabilities can be rapidly and elastically provisioned, in some cases automatically, to scale out quickly, and rapidly released to scale in quickly. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be obtained in any quantity at any time.
Measured service: cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g. storage, processing, bandwidth and active user accounts). Resource usage can be monitored, controlled and reported, providing transparency for both the provider and the consumer of the utilized service.
The service models are as follows:
Software as a Service (SaaS): the capability provided to the consumer is to use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g. web-based e-mail). The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, storage or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.
Platform as a Service (PaaS): the capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure, including networks, servers, operating systems or storage, but has control over the deployed applications and possibly over application hosting environment configurations.
Infrastructure as a Service (IaaS): the capability provided to the consumer is to provision processing, storage, networks and other fundamental computing resources on which the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage and deployed applications, and possibly limited control of selected networking components (e.g. host firewalls).
The deployment models are as follows:
Private cloud: the cloud infrastructure is operated solely for an organization. It may be managed by the organization or by a third party, and may exist on-premises or off-premises.
Community cloud: the cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g. mission, security requirements, policy and compliance considerations). It may be managed by the organizations or by a third party, and may exist on-premises or off-premises.
Public cloud: the cloud infrastructure is made available to the general public or to a large industry group, and is owned by an organization selling cloud services.
Hybrid cloud: the cloud infrastructure is a composition of two or more clouds (private, community or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g. cloud bursting for load balancing between clouds).
A cloud computing environment is service oriented, with a focus on statelessness, low coupling, modularity and semantic interoperability. At the heart of cloud computing is an infrastructure comprising a network of interconnected nodes.
Referring now to Figure 1A, an example of a cloud computing node is shown. Cloud computing node 10 is only one example of a suitable cloud computing node and is not intended to suggest any limitation as to the scope of use or functionality of embodiments of the invention. Regardless, cloud computing node 10 is capable of being implemented and/or performing any of the functionality set forth above.
In cloud computing node 10 there is a computer system/server 12, which is operational with numerous other general-purpose or special-purpose computing system environments or configurations. Examples of well-known computing systems, environments and/or configurations that may be suitable for use with computer system/server 12 include, but are not limited to, personal computer systems, server computer systems, thin clients, thick clients, hand-held or laptop devices, microprocessor-based systems, set-top boxes, programmable consumer electronics, network PCs, minicomputer systems, mainframe computer systems, distributed cloud computing environments that include any of the above systems, and the like.
Computer system/server 12 may be described in the general context of computer-system-executable instructions, such as program modules, being executed by a computer system. Generally, program modules may include routines, programs, objects, components, logic, data structures and so on that perform particular tasks or implement particular abstract data types. Computer system/server 12 may be practiced in distributed cloud computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed cloud computing environment, program modules may be located in both local and remote computer system storage media, including memory storage devices.
As shown in Figure 1A, computer system/server 12 in cloud computing node 10 is shown in the form of a general-purpose computing device. The components of computer system/server 12 may include, but are not limited to, one or more processors or processing units 16, a system memory 28, and a bus 18 that couples various system components (including system memory 28 and processing unit 16).
Bus 18 represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, and a processor or local bus using any of a variety of bus architectures. By way of example, and not limitation, such architectures include the Industry Standard Architecture (ISA) bus, the Micro Channel Architecture (MCA) bus, the Enhanced ISA (EISA) bus, the Video Electronics Standards Association (VESA) local bus and the Peripheral Component Interconnect (PCI) bus.
Computer system/server 12 typically includes a variety of computer-system-readable media. Such media may be any available media that is accessible by computer system/server 12, and include both volatile and non-volatile media, removable and non-removable media.
System memory 28 can include computer-system-readable media in the form of volatile memory, such as random access memory (RAM) 30 and/or cache memory 32. Computer system/server 12 may further include other removable/non-removable, volatile/non-volatile computer system storage media. By way of example only, storage system 34 can be provided for reading from and writing to a non-removable, non-volatile magnetic medium (not shown, and typically called a "hard drive"). Although not shown, a magnetic disk drive for reading from and writing to a removable, non-volatile magnetic disk (e.g. a "floppy disk"), and an optical disk drive for reading from or writing to a removable, non-volatile optical disk such as a CD-ROM, DVD-ROM or other optical medium can be provided. In such instances, each drive can be connected to bus 18 by one or more data media interfaces. As will be further depicted and described below, memory 28 may include at least one program product having a set (e.g. at least one) of program modules that are configured to carry out the functions of embodiments of the invention.
Program/utility 40, having a set (at least one) of program modules 42, may be stored in memory 28, as may, by way of example and not limitation, an operating system, one or more application programs, other program modules and program data. Each of the operating system, one or more application programs, other program modules and program data, or some combination thereof, may include an implementation of a networking environment. Program modules 42 generally carry out the functions and/or methods of embodiments of the invention as described herein.
Computer system/server 12 may also communicate with one or more external devices 14 such as a keyboard, a pointing device, a display 24, etc.; with one or more devices that enable a user to interact with computer system/server 12; and/or with any devices (e.g. a network card, modem, etc.) that enable computer system/server 12 to communicate with one or more other computing devices. Such communication can occur via input/output (I/O) interfaces 22. Further, computer system/server 12 can communicate with one or more networks such as a local area network (LAN), a wide area network (WAN) and/or a public network (e.g. the Internet) via network adapter 20. As depicted, network adapter 20 communicates with the other components of computer system/server 12 via bus 18. It should be understood that, although not shown, other hardware and/or software components could be used in conjunction with computer system/server 12. Examples include, but are not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives and data archival storage systems, etc.
Referring now to Figure 1B, an illustrative cloud computing environment 50 is depicted. As shown, cloud computing environment 50 comprises one or more cloud computing nodes 10 with which local computing devices used by cloud consumers, such as a personal digital assistant (PDA) or mobile phone 54A, desktop computer 54B, laptop computer 54C and/or automobile computer system 54N, may communicate. Nodes 10 may communicate with one another. They may be grouped (not shown) physically or virtually, in one or more networks, such as the private, community, public or hybrid clouds described above, or a combination thereof. This allows cloud computing environment 50 to offer infrastructure, platforms and/or software as services for which a cloud consumer does not need to maintain resources on a local computing device. It is understood that the types of computing devices 54A-N shown in Figure 1B are intended to be illustrative only, and that computing nodes 10 and cloud computing environment 50 can communicate with any type of computing device over any type of network and/or network-addressable connection (e.g. using a web browser).
Referring now to Figure 1C, a set of functional abstraction layers provided by cloud computing environment 50 (Figure 1B) is shown. It should be understood in advance that the components, layers and functions shown in Figure 1C are intended to be illustrative only, and that embodiments of the invention are not limited thereto. As depicted, the following layers and corresponding functions are provided:
Hardware and software layer 60 includes hardware and software components. Examples of hardware components include mainframes (in one example, IBM systems); servers based on the RISC (Reduced Instruction Set Computer) architecture (in one example, IBM systems); other IBM systems; storage devices; and networks and networking components. Examples of software components include network application server software (in one example, IBM application server software) and database software (in one example, IBM database software). (IBM, zSeries, pSeries, xSeries, BladeCenter, WebSphere and DB2 are trademarks of International Business Machines Corporation registered in many jurisdictions worldwide.)
Virtualization layer 62 provides an abstraction layer from which the following examples of virtual entities may be provided: virtual servers; virtual storage; virtual networks, including virtual private networks; virtual applications and operating systems; and virtual clients.
In one example, management layer 64 may provide the following functions. Resource provisioning provides dynamic procurement of computing resources and other resources that are utilized to perform tasks within the cloud computing environment. Metering and pricing provide cost tracking as resources are utilized within the cloud computing environment, and billing or invoicing for the consumption of these resources. In one example, these resources may comprise application software licenses. Security provides identity verification for cloud consumers and tasks, as well as protection for data and other resources. The user portal provides access to the cloud computing environment for consumers and system administrators. Service level management provides cloud computing resource allocation and management such that required service levels are met. Service level agreement (SLA) planning and fulfillment provides pre-arrangement for, and procurement of, cloud computing resources for which a future requirement is anticipated in accordance with an SLA.
Workloads layer 66 provides examples of functionality for which the cloud computing environment may be utilized. Examples of workloads and functions which may be provided from this layer include: mapping and navigation; software development and lifecycle management; virtual classroom education delivery; data analytics processing; transaction processing; and so on.
Fig. 2 A and 2B is illustrated as the mode that different calculating system arranges the prior art of Identity Federation configuration.
Fig. 2 A shows calculating system 210 and calculates system 220A, 220B and 220C.Calculating system 210 can be by meter
Calculation machine network is connected to calculating system 220A, 220B or 220C, it is thus achieved that calculate system 220A, 220B or 220C provide resource or
Service.Such as, calculating system 210 be the calculating system of an enterprise, such as trustship run enterprises application server,
Cloud service (the most also letter that service provider A, B and C that calculating system 220A, 220B and 220C are different respectively provides respectively
It is referred to as " cloud ").The user 231 of enterprise can access the enterprises in calculating system 210 by the desktop system of oneself simultaneously
Application resource and cloud service 220A, 220B, 220C on resource.Federated identity can allow user with after an authentication
Other identity can be used to access other resources and without user again Sign-On authentication by Identity Federation, access use for convenience
Family 231 accesses different cloud 220A, 220B or 220C, and system manager 230 needs to set in calculating system 210 and cloud 220A two ends
Put Identity Federation (hereinafter also referred to as " federal ");In calculating system 210 and cloud service 220B two ends, federation is set;Calculating system
System 210 and cloud service 220C two ends configuration federation.So, if user 231 is calculating system 210 access authentication, then need not be again
Secondary certification i.e. may have access to cloud service 220A, 220B and 220C.
Fig. 2 B illustrates the calculating system 210 (the most also " the calculating system of enterprise " being referred to as " enterprise ") of an enterprise
With a cloud service 220 (such as cloud 220A, 220B or 220C), as shown in four-headed arrow 240, enterprise 210 and cloud service 220 it
Between, there is the trusting relationship pre-build.
In order to arrange Identity Federation in enterprise 210 and cloud service 220 two ends, the system manager 230 of enterprise need with not
Same user interface interaction.
On the one hand, system manager 230 is mutual with the user interface 213 of enterprises end, arranges the identity connection of enterprise 210 end
Nation.The process of Identity Federation is set, is the process that value is set for Identity Federation configuration attribute.Through the Identity Federation configuration arranged
Attribute, will be provided to the Identity Federation runtime infrastructure (identity federation runtime) of calculating system 210 end
218.The example of Identity Federation configuration attribute includes that " SSO_endpoint " (single-sign-on end points), " private_key " are (private
Key), " Issuer " (issuer) etc..In actual applications, such Identity Federation configuration attribute (hereinafter also referred to as " connection
Nation's configuration attribute ", " configuration attribute " or " attribute ") often quantity the biggest.When creating (create) Identity Federation and again set
When putting (re-configure) Identity Federation, system manager 230 is required for arranging accordingly for these numerous attributes
Value.
On the other hand, system manager 230 is mutual with the user interface 223 of cloud server terminal, arranges cloud service 220 end
Federal configuration attribute, the federal configuration attribute being cloud server terminal arranges corresponding value.Through the federal configuration attribute arranged, will
It is provided to the Identity Federation runtime infrastructure 228 of cloud service 220 end.Equally, the federal configuration attribute of cloud server terminal is the most also
Numerous.
In general, a cloud service provider offers its cloud service in a proprietary environment, and the user interface 223 also uses a proprietary data format. Because the identity federation configuration of the enterprise 210 and that of the cloud service 220 may follow different standards, and the style and data format of user interface 213 and user interface 223 may be entirely different, the system administrator 230 has to be familiar not only with the identity federation configuration standard and user interface of the enterprise side but also with those of the cloud service side. If an enterprise needs to connect to several different cloud services, the system administrator has to set identity federation configuration attributes in the user interface provided by each cloud service, and therefore has to be familiar with the proprietary data format of each of them.
In addition, some of the identity federation configuration attributes of the enterprise 210 and of the cloud service 220 are related to each other, and some are even identical. The system administrator 230 has to set the values of these related or identical attributes repeatedly in different user interfaces, which unnecessarily increases the administrator's workload and also increases the chance of error.
The basic idea of the present invention is therefore to perform the setting of the identity federation configuration for two such computing systems in a centralized or unified way, so as to improve the system administrator's efficiency and reduce the chance of error.
Various embodiments of the invention are now described in detail with reference to Figs. 3A and 3B. Referring first to Fig. 3A, the figure shows a flow chart of a method according to one embodiment of the invention.
In short, shown in Fig. 3 A is a kind of method arranging Identity Federation configuration attribute, comprises the steps of acquisition
First the first Identity Federation configuration attribute set calculating system and second calculates the second Identity Federation configuration attribute collection of system
Close;Identifying one or more relating attribute pair, wherein, each relating attribute is to comprising in the first Identity Federation configuration attribute set
An attribute and the second Identity Federation configuration attribute set in an attribute;Uniform user interfaces shows the first identity
Federal configuration attribute set and the second federal configuration attribute set need the attribute manually arranged, wherein, if identified
The value of one of them attribute of any relating attribute pair can derive from the value of another attribute, then need the attribute manually arranged
Do not comprise this one of them attribute;According to the incidence relation between relating attribute centering attribute, relating attribute centering is set automatically
The value of attribute;The first Identity Federation configuration attribute through arranging is provided respectively to the first calculating system and the second calculating system
Set and the second Identity Federation configuration attribute set.
The operation of each step is now described in detail with reference to the drawings. In the following description, an enterprise subscribing to a cloud service and the cloud service are taken as examples of the first computing system and the second computing system respectively. The enterprise and the cloud service serve only as a reference that makes the embodiments easier to understand; a person of ordinary skill in the art will appreciate after reading this description that the first and second computing systems of the invention are not limited to an enterprise and a cloud service.
The method of this embodiment starts at step 311.
In step 311, the first identity federation configuration attribute set of the first computing system and the second identity federation configuration attribute set of the second computing system are obtained.
For example, the first computing system is the enterprise 210 shown in Fig. 2B. The identity federation configuration of the enterprise (hereinafter also called "federation configuration") is a set of attribute-value pairs; it can also be characterized by the federation configuration attribute set FC1 made up of all the attributes of those attribute-value pairs:
FC1 = {para1_1, para1_2, ..., para1_m} (1)
where "para1_i" (i = 1...m) denotes an attribute in the set FC1.
In general, when a federation configuration is created for the first time, the system administrator may have to assign a value to every attribute in the set FC1. When the federation configuration is re-set (for example modified), some attributes may already have a predetermined value, that is, a value the system administrator does not need to enter again.
Similarly, the federation configuration of the cloud service is a set of attribute-value pairs and can be characterized by the federation configuration attribute set FC2 made up of all the attributes of those pairs:
FC2 = {para2_1, para2_2, ..., para2_n} (2)
where "para2_i" (i = 1...n) denotes an attribute in the set FC2.
As described above for the set FC1, some of the attributes in the set FC2 may also have predetermined values.
During identity federation single sign-on, the enterprise 210 and the cloud service 220 need to exchange messages, and to guarantee the integrity of those messages the exchanged messages need to be signed and verified. The enterprise needs a "signature key" with which it signs the messages it sends to the cloud service; the cloud service needs a "validation key" (the verification public key) with which it verifies the messages sent by the enterprise. The attributes in set FC1 thus include, for example, the "signature key" the enterprise needs, and the attributes in set FC2 include, for example, the "validation key" the cloud service needs.
In step 312, one or more associated attribute pairs are identified in the first identity federation configuration attribute set FC1 and the second identity federation configuration attribute set FC2, where each associated attribute pair comprises one attribute from the first set FC1 and one attribute from the second set FC2.
For example, the relation between the attributes in the enterprise's federation configuration attribute set FC1 and the attributes in the cloud service's federation configuration attribute set FC2 is analyzed. If there is an association relation between an attribute para1_j in attribute set FC1 and an attribute para2_k in attribute set FC2, then attribute para1_j and attribute para2_k are identified as an associated attribute pair, denoted <para1_j, para2_k>. The association relation between attribute para1_j and attribute para2_k is represented by a correlation function F(1_j, 2_k). Such an associated attribute pair together with its correlation function can be denoted:
(<para1_j, para2_k>, F(1_j, 2_k)) (3)
For example, if the relation described by the correlation function F(1_j, 2_k) is "equal to", this means that, in the associated attribute pair <para1_j, para2_k>, the value of attribute para1_j should be equal to the value of attribute para2_k.
The enterprise and the cloud service may belong to different domains, but the domains the enterprise and the cloud service belong to each have built-in identity federation domain knowledge. Using this identity federation domain knowledge, the function and meaning of the federation configuration attributes of the different domains can be analyzed, and it can thereby be identified whether an association relation exists between a federation configuration attribute of one domain (for example the enterprise) and a federation configuration attribute of another domain (for example the cloud service). For a concrete application, a person skilled in the art can determine the correspondence rules between the identity federation domain knowledge of the enterprise side and that of the cloud side, formulate association rules from them, and store these association rules in a computer-readable association rule base. The computer can then automatically determine, according to the rules in the association rule base, the association relations between the attributes in set FC1 and the attributes in set FC2, for example that an association relation exists between the "signature key" the enterprise needs and the "validation key" the cloud service needs, as mentioned above (this particular association is a derivation rather than an equality: the validation key is the public key corresponding to the enterprise's signature key, so the signature key itself is never copied to the cloud side).
According to one embodiment of the invention, an optional step 312a can be performed before step 312, in which the first and second federation configuration attribute sets obtained in step 311 are converted into a first common federation configuration attribute set and a second common federation configuration attribute set respectively. This step is drawn with a dashed box and dashed arrows in Fig. 3A.
A common federation configuration attribute is also called a "unified federation configuration attribute" or "unified federation configuration". According to one embodiment of the invention, the attributes in the first and second common federation configuration attribute sets comprise the configurable attributes defined according to identity federation domain knowledge and a federation protocol. The set of such configurable attributes is also called identity federation metadata.
According to one embodiment of the invention, the federation protocol can be the SAML protocol. Correspondingly, the configurable attributes defined according to identity federation domain knowledge and the SAML protocol are platform-independent. Examples of such configurable attributes include: Issuer, Signature_Key, Encryption_Key, SSO_Endpoint, SLO_Endpoint, Provider_ID, Partner_ID, Partner_SSO_Endpoint, Partner_SLO_Endpoint, and so on.
Like the federation configuration attribute set FC1, the first common federation configuration attribute set CFC1 can be expressed as:
CFC1 = {Cpara1_1, Cpara1_2, ..., Cpara1_m} (1')
where "Cpara1_i" (i = 1...m) is an attribute in the common federation configuration attribute set CFC1 and a configurable attribute of the identity federation metadata.
Similarly, the second common federation configuration attribute set CFC2 can be expressed as:
CFC2 = {Cpara2_1, Cpara2_2, ..., Cpara2_n} (2')
where "Cpara2_i" (i = 1...n) is an attribute in the common federation configuration attribute set CFC2 and a configurable attribute of the identity federation metadata.
According to one embodiment of the invention, step 312 can be performed on the basis of step 312a, that is, one or more associated attribute pairs are identified in the first common federation configuration attribute set CFC1 and the second common federation configuration attribute set CFC2, where each associated attribute pair comprises one attribute from the first common set CFC1 and one attribute from the second common set CFC2.
For example, the associated attribute pairs are identified by analyzing the relation between the attributes in the enterprise's common federation configuration attribute set CFC1 and the attributes in the cloud service's common federation configuration attribute set CFC2. If an association relation exists between a common federation configuration attribute Cpara1_j of the enterprise and a common federation configuration attribute Cpara2_k of the cloud service, then attribute Cpara1_j and attribute Cpara2_k are identified as an associated attribute pair, denoted <Cpara1_j, Cpara2_k>. The association relation between the attributes Cpara1_j and Cpara2_k of the pair is represented by the corresponding correlation function F(1_j, 2_k). Such a pair of attributes Cpara1_j and Cpara2_k together with its correlation function can be denoted:
(<Cpara1_j, Cpara2_k>, F(1_j, 2_k)) (3')
Converting the federation configuration attributes of the different domains into a unified form in step 312a makes it easier in step 312 to analyze the converted attributes and identify the associated attribute pairs.
Fig. 3B shows by way of example some of the identity configuration attributes of two different computing systems. As shown in Fig. 3B, the identity configuration attribute set of the first computing system 210 contains attributes such as "Issuer", "Partner_SSO_Endpoint", "Sign_Authentication_Request", "Sign_Single_Logout_Request" and "Encrypt_Single_Logout_Request". The identity configuration attribute set of the second computing system 220 contains attributes such as "Provider_Id", "SSO_Endpoint", "Validate_Authentication_Request", "Validate_Single_Logout_Request" and "Decrypt_Single_Logout_Request". A line segment joining two attributes in Fig. 3B indicates that an association relation between those two attributes has been identified after step 312 is performed. For example, there is an association relation between the attribute "Issuer" and the attribute "Provider_Id".
During single sign-on in an identity federation based on the SAML specification, the enterprise needs to send an "authentication request message" to the cloud service and has to include the issuer of the message in it; for this the enterprise side needs the configuration attribute "Issuer". The cloud service, in turn, needs to verify whether the issuer of the message equals the attribute the system administrator has configured at the cloud service, namely the attribute "Provider_Id". Therefore, in step 312 it can be identified from identity federation domain knowledge that attribute "Issuer" and attribute "Provider_Id" have an association relation, and that the relation is "equal to". Using expression (3) above, the association relation between "Issuer" and "Provider_Id" can be written:
{<Issuer, Provider_Id>, F1}
where the correlation function F1 expresses that the value of "Issuer" is equal to the value of "Provider_Id".
During single sign-on in an identity federation based on the SAML specification, the enterprise needs the configuration attribute "Partner_SSO_Endpoint" (the single sign-on endpoint of the cloud service), and the cloud service provides the configuration attribute "SSO_Endpoint" (its own single sign-on endpoint); for example, for the cloud service SampleCloudService, the value of this attribute is https://login.SampleCloudService.com. On the basis of this identity federation domain knowledge, it is identified in step 312 that the attribute "Partner_SSO_Endpoint" and the attribute "SSO_Endpoint" have an association relation, namely:
{<Partner_SSO_Endpoint, SSO_Endpoint>, F2}
where the correlation function F2 expresses that the value of "Partner_SSO_Endpoint" is equal to the value of "SSO_Endpoint".
Obviously, if the attribute SSO_Endpoint already has a value, then when the enterprise's configuration attribute "Partner_SSO_Endpoint" is set, the value of the attribute SSO_Endpoint can be assigned directly to the attribute "Partner_SSO_Endpoint", without exposing that configuration attribute to the system administrator.
The relation between the single logout endpoint of the cloud service that the enterprise needs to configure and the single logout endpoint that the cloud service itself needs to configure (not shown in the figure) is similar to the relation between the attribute "Partner_SSO_Endpoint" the enterprise needs to configure and the configuration attribute "SSO_Endpoint" of the cloud service described above.
During single sign-on in an identity federation based on the SAML specification, in order to guarantee the integrity of the "authentication request message", the enterprise needs to sign this message and therefore needs the configuration attribute "Sign_Authentication_Request". The cloud service declares through the configuration attribute "Validate_Authentication_Request" whether it verifies the authentication request message. From this knowledge, an association relation between these two attributes can be identified, namely:
{<Sign_Authentication_Request, Validate_Authentication_Request>, F3}
where the correlation function F3 expresses that the values of the two attributes are equal.
Similarly, there is an association relation, and the relation is "equal to", between the enterprise's configuration attribute for encrypting the "authentication request message", "Encrypt_Authentication_Request" (not shown), and the cloud service's configuration attribute for decrypting the "authentication request message", "Decrypt_Authentication_Request" (not shown).
For the single logout message, the configuration attributes "Sign_Single_Logout_Request" and "Validate_Single_Logout_Request" likewise have an association relation, and the relation is "equal to".
"Encrypt_Single_Logout_Request" and "Decrypt_Single_Logout_Request" are also associated, and the relation is "equal to".
In step 313, those attributes of the first identity federation configuration attribute set and the second federation configuration attribute set that need to be set manually are displayed on a unified user interface, where the attributes that need to be set manually do not include any attribute of an associated attribute pair whose value can be derived from the value of the other attribute of the pair. In other words, if the value of one attribute of any identified associated attribute pair can be derived from the value of the other attribute, that attribute is excluded from the attributes that need to be set manually.
The system administrator 230 enters the values of the attributes that need to be set manually on the unified user interface, and the first identity federation configuration attribute set and the second federation configuration attribute set so set are thus obtained.
In other words, step 313 displays the first identity federation configuration attributes and the second federation configuration attributes that the system administrator needs to set in one unified user interface, rather than in separate user interfaces. Moreover, the displayed attributes do not include attributes that can be assigned automatically, such as attributes whose value can be derived from the value of another attribute.
Whether the value of one attribute of an associated attribute pair can be derived from the value of the other attribute can be determined from the relation between the two attributes of the pair and from whether one of the two attributes has a predetermined value.
As shown in expression formula (3) above, relating attribute pair<para1_j,para2_k>corresponding correlation function F (1_j,
2_k), for describing the incidence relation between attribute para1_j and attribute para2_k.Therefore, it can according to relating attribute to <
Para1_j, para2_k > in attribute para1_j and attribute para2_k between incidence relation, it is judged that one of them attribute
Whether the value of para1_j can derive from the value of another attribute para2_k, or judge that the value of attribute para2_k whether may be used
To derive from the value of another attribute para1_j.A kind of common incidence relation between attribute para1_j and attribute para2_k
Being " being equal to " relation, in this case, the value of attribute para1_j can derive the value of attribute para2_k, vice versa.
Take the attribute "Partner_SSO_Endpoint" and the attribute "SSO_Endpoint" shown in Fig. 3B as an example. According to identity federation domain knowledge, it can be identified in step 312 that they have an association relation, namely {<Partner_SSO_Endpoint, SSO_Endpoint>, F}, where the relation defined by the correlation function F is that "Partner_SSO_Endpoint" is equal to "SSO_Endpoint" (that is, the value of "SSO_Endpoint" can be assigned to "Partner_SSO_Endpoint"), or that "SSO_Endpoint" is equal to "Partner_SSO_Endpoint" (that is, the value of "Partner_SSO_Endpoint" can be assigned to "SSO_Endpoint").
If the attribute "SSO_Endpoint" has the predetermined value "https://login.SampleCloudService.com", then, according to the definition of the correlation function F ("Partner_SSO_Endpoint" equals "SSO_Endpoint"), the value "https://login.SampleCloudService.com" can be assigned to the attribute "Partner_SSO_Endpoint". In this case, the attribute "Partner_SSO_Endpoint" is a federation configuration attribute that can be set automatically and does not need to be set manually by the system administrator.
As another example, the attribute "Issuer" and the attribute "Partner_Id" shown in Fig. 3B have a similar association relation. In a SAML federation, the identity provider on one side (for example the enterprise 210) should provide an "Issuer" attribute, and the partner on the other side (for example the cloud service 220) requires a "Partner_Id" attribute. The values of these two attributes must be identical; otherwise a token sent from one side to the other will not pass verification. Therefore, step 312 determines an associated attribute pair comprising "Issuer" from the enterprise 210 and "Partner_Id" from the cloud 220, and specifies in the correlation function that the relation between "Issuer" and "Partner_Id" is: "Partner_Id" is equal to "Issuer", or "Issuer" is equal to "Partner_Id". Consequently, in step 313, if "Issuer" has a predetermined value, the attribute "Partner_Id" is a federation configuration attribute that can be set automatically and does not need to be set manually by the system administrator.
In a particular application, besides this simple "equal to" relation, the attributes of an associated attribute pair <para1_j, para2_k> may also have more complex association relations. A person of ordinary skill in the art can set corresponding rules in the association rule base for a concrete application, so that the computer can automatically identify other association relations and, for each associated attribute pair, determine whether the value of one attribute can be derived from the value of the other, and hence whether that attribute needs to be set manually.
In step 314, attributes whose value can be derived from the value of another attribute are assigned automatically. That is, the values of the attributes of the associated attribute pairs are set automatically according to the association relation between the attributes of each pair.
Take again the associated attribute pair <Partner_SSO_Endpoint, SSO_Endpoint> shown in Fig. 3B as an example. As described above, "Partner_SSO_Endpoint" and the attribute "SSO_Endpoint" have an association relation, namely {<Partner_SSO_Endpoint, SSO_Endpoint>, F}, where the relation defined by the correlation function F is that "Partner_SSO_Endpoint" is equal to "SSO_Endpoint". If "SSO_Endpoint" has the predetermined value "https://login.SampleCloudService.com", the attribute "Partner_SSO_Endpoint" is a federation configuration attribute that can be set automatically and does not need to be set manually by the system administrator.
In this case, step 314 automatically sets the value of the attribute "Partner_SSO_Endpoint" according to the association relation between the attribute "Partner_SSO_Endpoint" and the attribute "SSO_Endpoint" in the associated attribute pair <Partner_SSO_Endpoint, SSO_Endpoint>, namely that "Partner_SSO_Endpoint" equals "SSO_Endpoint": the value of the attribute "SSO_Endpoint", "https://login.SampleCloudService.com", is assigned to the attribute "Partner_SSO_Endpoint".
In the above example, when the attribute "Partner_SSO_Endpoint", whose value can be derived from the value of the other attribute "SSO_Endpoint", is assigned automatically, the value of that other attribute, "https://login.SampleCloudService.com", is a predetermined value.
According to one embodiment of the invention, the value of the other attribute can instead be a value entered on the unified user interface. For example, in the above example the value "https://login.SampleCloudService.com" of the attribute "SSO_Endpoint" can also be entered by the system administrator on the unified user interface.
After steps 313 and 314, the attributes displayed on the unified interface that need to be set manually, and the attributes whose value can be derived from the value of another attribute, have all been set, either manually or automatically; the process then proceeds to step 315.
In step 315, the first identity federation configuration attribute set and the second identity federation configuration attribute set so set are provided to the first computing system 210 and the second computing system 220 respectively. For example, the first identity federation configuration attribute set FC1 and the second identity federation configuration attribute set FC2 so set can be supplied directly to the identity federation runtime 218 of the enterprise side and the identity federation runtime 228 of the cloud side respectively.
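Steps 311 to 315 as a whole, written as an added Python example that is not the patent's own code: the two attribute sets are dictionaries, expression (3) is a Rule holding the pair and its correlation function in both directions, step 313 computes which attributes the unified user interface still has to ask for, and step 314 cross-assigns the rest. The attribute names follow Fig. 3B; the values, the rule base and the administrator input are constructed. One caveat a practitioner should carry into the rule base: the signature key / validation key association mentioned earlier is a one-way derivation (the cloud side receives the public key derived from the enterprise's signature key), never an "equal to" rule, and the example models that by allowing one direction of F to be absent.

```python
"""Added example (not the patent's own code): steps 311 to 315 in plain Python.
Attribute names follow Fig. 3B; values, rule base and admin input are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Attrs = Dict[str, Optional[str]]  # attribute -> value, None = not yet set

# Step 311: the two attribute sets as obtained from each system (constructed).
ENTERPRISE_FC1: Attrs = {
    "Issuer": "https://idp.example-enterprise.com",
    "Partner_SSO_Endpoint": None,
    "Partner_SLO_Endpoint": None,
    "Sign_Authentication_Request": None,
    "Encrypt_Single_Logout_Request": None,
}
CLOUD_FC2: Attrs = {
    "Provider_Id": None,
    "SSO_Endpoint": "https://login.SampleCloudService.com",
    "SLO_Endpoint": "https://logout.SampleCloudService.com",
    "Validate_Authentication_Request": "true",
    "Decrypt_Single_Logout_Request": None,
}


def equal(v: str) -> str:
    return v


@dataclass(frozen=True)
class Rule:
    """Expression (3): pair <attr1, attr2> plus correlation function F.
    to_2 derives attr2 from attr1, to_1 derives attr1 from attr2; None means
    the value cannot be derived in that direction. An "equal to" relation is
    the identity both ways. A Signature_Key/Validation_Key rule would carry a
    public-key derivation as to_2 and None as to_1, so the private key is
    never copied to the cloud side (no such rule is in the constructed base)."""
    attr1: str
    attr2: str
    to_2: Optional[Callable[[str], str]] = equal
    to_1: Optional[Callable[[str], str]] = equal


RULE_BASE: List[Rule] = [  # association rule base (constructed, all "equal to")
    Rule("Issuer", "Provider_Id"),
    Rule("Partner_SSO_Endpoint", "SSO_Endpoint"),
    Rule("Partner_SLO_Endpoint", "SLO_Endpoint"),
    Rule("Sign_Authentication_Request", "Validate_Authentication_Request"),
    Rule("Encrypt_Single_Logout_Request", "Decrypt_Single_Logout_Request"),
]


def identify_pairs(fc1: Attrs, fc2: Attrs, rules: List[Rule]) -> List[Rule]:
    """Step 312: a rule yields an associated pair only if both attributes exist."""
    return [r for r in rules if r.attr1 in fc1 and r.attr2 in fc2]


def manual_attributes(fc1: Attrs, fc2: Attrs, pairs: List[Rule]) -> List[Tuple[str, str]]:
    """Step 313: ("enterprise"|"cloud", attribute) entries shown on the unified UI.
    An unset attribute is hidden when its partner is already set and F can be
    applied in that direction. If both are unset, the enterprise attribute is
    asked for and the cloud one is derived, provided to_2 exists."""
    hidden = set()
    for r in pairs:
        v1, v2 = fc1[r.attr1], fc2[r.attr2]
        if v1 is None and v2 is not None and r.to_1 is not None:
            hidden.add(("enterprise", r.attr1))
        elif v2 is None and v1 is not None and r.to_2 is not None:
            hidden.add(("cloud", r.attr2))
        elif v1 is None and v2 is None and r.to_2 is not None:
            hidden.add(("cloud", r.attr2))
    manual = [("enterprise", a) for a, v in fc1.items() if v is None]
    manual += [("cloud", a) for a, v in fc2.items() if v is None]
    return [m for m in manual if m not in hidden]


def cross_assign(fc1: Attrs, fc2: Attrs, pairs: List[Rule]) -> None:
    """Step 314: derive the unset side of each pair in place. Predetermined
    values on both sides that disagree with F are an error, not overwritten."""
    for r in pairs:
        v1, v2 = fc1[r.attr1], fc2[r.attr2]
        if v1 is None and v2 is not None and r.to_1 is not None:
            fc1[r.attr1] = r.to_1(v2)
        elif v2 is None and v1 is not None and r.to_2 is not None:
            fc2[r.attr2] = r.to_2(v1)
        elif v1 is not None and v2 is not None and r.to_2 is not None and r.to_2(v1) != v2:
            raise ValueError(f"{r.attr1}={v1!r} conflicts with {r.attr2}={v2!r}")


def configure(fc1: Attrs, fc2: Attrs, rules: List[Rule],
              admin_input: Dict[Tuple[str, str], str]) -> Tuple[Attrs, Attrs, List[Tuple[str, str]]]:
    """Steps 311-315 end to end; admin_input stands in for the unified UI.
    Returns the two configured sets (what step 315 hands to runtimes 218 and
    228) and the list of attributes the administrator was asked for."""
    fc1, fc2 = dict(fc1), dict(fc2)
    pairs = identify_pairs(fc1, fc2, rules)
    manual = manual_attributes(fc1, fc2, pairs)
    missing = [m for m in manual if m not in admin_input]
    if missing:
        raise ValueError(f"unified UI still needs values for {missing}")
    for side, attr in manual:
        (fc1 if side == "enterprise" else fc2)[attr] = admin_input[(side, attr)]
    cross_assign(fc1, fc2, pairs)
    unset = [a for a, v in list(fc1.items()) + list(fc2.items()) if v is None]
    if unset:
        raise ValueError(f"attributes still unset after step 314: {unset}")
    return fc1, fc2, manual
```

With the constructed sets, the only attribute the unified interface has to ask for is the enterprise's Encrypt_Single_Logout_Request; everything else is predetermined on one side and cross-assigned to the other. A value that is predetermined on both sides but violates F raises rather than being silently overwritten, which keeps a stale or mistyped endpoint from being propagated into the other system's runtime.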
As described above, the optional step 312a can be performed before step 312 to convert the first and second federation configuration attribute sets obtained in step 311 into a first common federation configuration attribute set and a second common federation configuration attribute set respectively. In that case, in the operations of steps 312 to 314 the first and second federation configuration attribute sets are present in the form of the first and second common federation configuration attribute sets respectively.
According to one embodiment of the invention, when step 312a is performed, step 315 can comprise a step 315a in which the first common identity federation configuration attribute set CFC1 and the second common identity federation configuration attribute set CFC2 are converted back into the first identity federation configuration attribute set FC1 and the second identity federation configuration attribute set FC2 respectively. In this way, the federation configuration attributes received by the first computing system 210 and the second computing system 220 are in their original, pre-conversion form and can be used directly.
Converting the first and second common identity federation configuration attribute sets (CFC1, CFC2) into the first and second identity federation configuration attribute sets (FC1, FC2) is the inverse of converting the first and second identity federation configuration attribute sets into the first and second common identity federation configuration attribute sets, and is not repeated here.
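Steps 312a and 315a as an added Python example, not the patent's own code: each system's proprietary configuration is parsed and its attribute names are mapped onto the platform-independent identity federation metadata names listed above, and step 315a applies the inverse mapping and writes each system's own format back. The enterprise "key = value" text, the cloud JSON document and the two name mappings are constructed assumptions.

```python
"""Added example (not the patent's code): steps 312a and 315a, converting each
system's proprietary configuration to the common metadata names and back."""
import json
from typing import Dict, Optional, Tuple

Attrs = Dict[str, Optional[str]]  # attribute -> value, None = not set

# Constructed proprietary configurations of the two systems.
ENTERPRISE_TEXT = """# enterprise federation config (constructed)
issuer = https://idp.example-enterprise.com
sso_endpoint = https://sso.example-enterprise.com/saml
private_key = file:/etc/federation/sign.key
partner_sso_endpoint =
"""
CLOUD_JSON = ('{"providerId": "", "loginUrl": "https://login.SampleCloudService.com", '
              '"validateAuthnRequest": "true"}')

# Proprietary attribute name -> common (identity federation metadata) name.
ENTERPRISE_MAP = {"issuer": "Issuer", "sso_endpoint": "SSO_Endpoint",
                  "private_key": "Signature_Key",
                  "partner_sso_endpoint": "Partner_SSO_Endpoint"}
CLOUD_MAP = {"providerId": "Partner_ID", "loginUrl": "SSO_Endpoint",
             "validateAuthnRequest": "Validate_Authentication_Request"}


def parse_enterprise(text: str) -> Attrs:
    """Parse 'key = value' lines; a blank value means not yet set."""
    attrs: Attrs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        attrs[key.strip()] = value.strip() or None
    return attrs


def render_enterprise(attrs: Attrs) -> str:
    return "".join(f"{k} = {v or ''}\n" for k, v in attrs.items())


def parse_cloud(text: str) -> Attrs:
    """The cloud format uses "" for an unset attribute."""
    return {k: (v or None) for k, v in json.loads(text).items()}


def render_cloud(attrs: Attrs) -> str:
    return json.dumps({k: (v if v is not None else "") for k, v in attrs.items()})


def to_common(attrs: Attrs, mapping: Dict[str, str]) -> Attrs:
    """Step 312a: rename proprietary attributes to common names.
    The mapping must be one-to-one so that step 315a can invert it exactly;
    an attribute with no common name is reported rather than silently dropped."""
    if len(set(mapping.values())) != len(mapping):
        raise ValueError("name mapping is not one-to-one")
    unknown = [k for k in attrs if k not in mapping]
    if unknown:
        raise ValueError(f"no common name for proprietary attributes {unknown}")
    return {mapping[k]: v for k, v in attrs.items()}


def from_common(cattrs: Attrs, mapping: Dict[str, str]) -> Attrs:
    """Step 315a: the inverse renaming."""
    inverse = {common: prop for prop, common in mapping.items()}
    unknown = [c for c in cattrs if c not in inverse]
    if unknown:
        raise ValueError(f"no proprietary name for common attributes {unknown}")
    return {inverse[c]: v for c, v in cattrs.items()}


def load_common() -> Tuple[Attrs, Attrs]:
    """Step 312a for both systems: returns (CFC1, CFC2)."""
    return (to_common(parse_enterprise(ENTERPRISE_TEXT), ENTERPRISE_MAP),
            to_common(parse_cloud(CLOUD_JSON), CLOUD_MAP))


def deliver(cfc1: Attrs, cfc2: Attrs) -> Tuple[str, str]:
    """Step 315a for both systems: each set back in its own names and format."""
    return (render_enterprise(from_common(cfc1, ENTERPRISE_MAP)),
            render_cloud(from_common(cfc2, CLOUD_MAP)))
```

Because each name mapping is checked to be one-to-one, from_common is an exact inverse of to_common, which is what allows the association rules of step 312 to be written once against the common names (for example Partner_SSO_Endpoint from SSO_Endpoint, Partner_ID from Issuer) regardless of which cloud service is being configured.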
According to one embodiment of the invention, the first and second identity federation configuration attribute sets so set can also be stored, for example in a configuration database. Then, when the federation configuration needs to be re-set later, the first and second identity federation configuration attribute sets can be obtained directly from the configuration database.
It can be seen from the above description that, with the method of the various embodiments of the invention, the system administrator does not need to configure identity federation attributes in different user interfaces, and the automatic assignment of attributes reduces the number of attributes the system administrator has to set manually.
Various embodiments of the method for setting an identity federation configuration according to the invention have been described above. In accordance with the same inventive concept, the invention also provides an apparatus for setting an identity federation configuration.
Fig. 4 is a block diagram of an apparatus for setting an identity federation configuration according to one embodiment of the invention.
The apparatus shown in Fig. 4 comprises an acquiring module 411, an associating module 412, a user interaction module 413, a cross-assignment module 414 and a configuration adapter 415.
The acquiring module 411 is configured to obtain the first identity federation configuration attribute set of the first computing system 210 and the second identity federation configuration attribute set of the second computing system 220.
The associating module 412 is configured to identify one or more associated attribute pairs in the first and second identity federation configuration attribute sets, where each associated attribute pair comprises one attribute from the first identity federation configuration attribute set and one attribute from the second identity federation configuration attribute set.
The user interaction module 413 is configured to display on a unified user interface those attributes of the first identity federation configuration attribute set and the second federation configuration attribute set that need to be set manually, where the attributes that need to be set manually do not include any attribute of an associated attribute pair whose value can be derived from the value of the other attribute of the pair. In other words, if the value of one attribute of any identified associated attribute pair can be derived from the value of the other attribute, that attribute is excluded from the attributes that need to be set manually.
The cross-assignment module 414 is configured to automatically assign attributes whose value can be derived from the value of another attribute. In other words, the cross-assignment module 414 can automatically set the values of the attributes of the associated attribute pairs according to the association relation between the attributes of each pair.
The configuration adapter 415 is configured to provide the first and second identity federation configuration attribute sets so set to the first computing system 210 and the second computing system 220 respectively. For example, the first identity federation configuration attribute set (FC1, or CFC1) and the second identity federation configuration attribute set (FC2, or CFC2) so set can be supplied directly to the identity federation runtime 218 of the enterprise side and the identity federation runtime 228 of the cloud side respectively.
According to one embodiment of the invention, the apparatus for setting an identity federation configuration further comprises a conversion module 412a configured to convert the obtained first and second federation configuration attribute sets into a first common federation configuration attribute set and a second common federation configuration attribute set respectively.
According to one embodiment of the invention, the attributes in the first and second common federation configuration attribute sets comprise the configurable attributes defined according to identity federation domain knowledge and a federation protocol.
According to one embodiment of the invention, the federation protocol comprises the SAML protocol.
According to one embodiment of the invention, the associating module 412 is further configured to identify one or more associated attribute pairs in the first and second common federation configuration attribute sets, where each associated attribute pair comprises one attribute from the first common identity federation configuration attribute set and one attribute from the second common identity federation configuration attribute set.
According to one embodiment of the invention, the conversion module 412a is further configured to convert the first common identity federation configuration attribute set CFC1 and the second common identity federation configuration attribute set CFC2 back into the first identity federation configuration attribute set FC1 and the second identity federation configuration attribute set FC2 respectively. This conversion, be
According to one embodiment of the invention, the first computing system is an enterprise that subscribes to a cloud service, and the second computing system is the cloud service.
According to one embodiment of the invention, the cross-assignment module 414 is configured to set the value of an attribute in a relating attribute pair according to a predetermined value. In other words, when the cross-assignment module 414 automatically assigns an attribute whose value can be derived from the value of the other attribute, the value of that other attribute is a predetermined value.
According to one embodiment of the invention, the cross-assignment module 414 is configured to set the value of an attribute in a relating attribute pair according to an attribute value input from the unified user interface. In other words, when the cross-assignment module 414 automatically assigns an attribute whose value can be derived from the value of the other attribute, the value of that other attribute is the value input from the unified user interface.
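The conversion to common attribute sets, the identification of relating attribute pairs, the filtering of what the unified user interface has to show, and the cross-assignment from either a manually entered or a predetermined value, as an added worked example in Python (not the patent's own code): the vendor-specific attribute names, the common SAML attribute names, the rule that the "idp." side of a pair is owned by the enterprise and everything else by the cloud service, and the sample values are all assumptions made for illustration.

```python
# Assumed vendor-specific -> common name maps (the CF -> CFC conversion). The prefix marks
# the authoritative side: "idp." values are owned by the enterprise (1), all others by the cloud (2).
ENTERPRISE_TO_COMMON = {
    "idp_id": "idp.entity_id", "sso_url": "idp.sso_url", "sign_cert": "idp.signing_cert",
    "partner_sp_id": "sp.entity_id", "partner_acs": "sp.acs_url", "name_id_fmt": "nameid.format",
}
CLOUD_TO_COMMON = {
    "sp_entity": "sp.entity_id", "acs": "sp.acs_url", "trusted_idp": "idp.entity_id",
    "idp_sso": "idp.sso_url", "idp_cert": "idp.signing_cert", "nameid": "nameid.format",
}

def to_common(attrs, name_map):
    """CF -> CFC: rename vendor-specific attributes to the common vocabulary."""
    return {name_map[k]: v for k, v in attrs.items()}

def from_common(common, name_map):
    """CFC -> FC: rename common attributes back to vendor-specific names."""
    reverse = {c: v for v, c in name_map.items()}
    return {reverse[c]: val for c, val in common.items()}

def owner(name):
    """Side whose copy of a common attribute is authoritative: 1 = enterprise, 2 = cloud."""
    return 1 if name.startswith("idp.") else 2

def relating_pairs(cfc1, cfc2):
    """A relating attribute pair is the same common attribute present in both sets."""
    return sorted(set(cfc1) & set(cfc2))

def manual_attributes(cfc1, cfc2):
    """Per side, what the unified UI shows: unpaired attributes plus the owner's copy
    of each pair; the other copy is derivable and therefore hidden."""
    pairs = set(relating_pairs(cfc1, cfc2))
    return (sorted(k for k in cfc1 if k not in pairs or owner(k) == 1),
            sorted(k for k in cfc2 if k not in pairs or owner(k) == 2))

def cross_assign(cfc1, cfc2, predetermined=None):
    """Copy each pair's value from the authoritative side to the other. A predetermined
    value overrides the owner's copy (the value entered on the unified UI)."""
    predetermined = predetermined or {}
    out1, out2 = dict(cfc1), dict(cfc2)
    for name in relating_pairs(cfc1, cfc2):
        src, dst = (out1, out2) if owner(name) == 1 else (out2, out1)
        value = predetermined.get(name, src[name])
        if value is None:  # nobody supplied it: refuse rather than emit a broken federation
            raise ValueError(f"{name}: no manual or predetermined value")
        src[name] = dst[name] = value
    return out1, out2

def configure(enterprise, cloud, predetermined=None):
    """Full pipeline: CF1/CF2 -> CFC1/CFC2 -> cross-assigned -> FC1/FC2."""
    cfc1, cfc2 = cross_assign(to_common(enterprise, ENTERPRISE_TO_COMMON),
                              to_common(cloud, CLOUD_TO_COMMON), predetermined)
    return from_common(cfc1, ENTERPRISE_TO_COMMON), from_common(cfc2, CLOUD_TO_COMMON)

# Constructed sample input: each side knows its own values but not the partner's.
ENTERPRISE = {"idp_id": "https://idp.corp.test/saml", "sso_url": "https://idp.corp.test/sso",
              "sign_cert": "<constructed cert placeholder>", "partner_sp_id": None,
              "partner_acs": None, "name_id_fmt": None}
CLOUD = {"sp_entity": "https://app.cloud.test/sp", "acs": "https://app.cloud.test/acs",
         "trusted_idp": None, "idp_sso": None, "idp_cert": None, "nameid": None}
PREDETERMINED = {"nameid.format": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"}
```

Running `configure(ENTERPRISE, CLOUD)` without the predetermined NameID format raises, since neither side owns a manual value for it; with `PREDETERMINED` both sides end up with matching entity IDs, endpoints and NameID format.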
According to one embodiment of the invention, the device for setting identity federation configuration is further configured to store the set first identity federation configuration attribute set and second identity federation configuration attribute set in a database, such as the configuration database 450 shown in Fig. 4.
According to one embodiment of the invention, the acquisition module 411 is configured to obtain the previously set first identity federation configuration attribute set and second identity federation configuration attribute set from the database 450.
The device for setting identity federation configuration according to embodiments of the present invention has been described above. Since the method for setting identity federation configuration according to various embodiments of the invention has already been described in detail, the description of the device omits content that substantially repeats the description of the method or that can readily be inferred from it.
It should be noted that the above description is merely illustrative and not a limitation of the present invention. In other embodiments of the present invention, the method may have more, fewer or different steps; the numbering of the steps is intended to make the description clearer and is not a strict limitation on the ordering relationship between the steps, and the order of the steps may differ from that described. Therefore, in some embodiments of the invention, one or more of the optional steps described above may be absent. The specific manner in which each step is executed may also differ from that described. All such variations fall within the spirit and scope of the present invention.
The present invention may take the form of a hardware embodiment, a software embodiment, or an embodiment containing both hardware and software components. In a preferred embodiment, the present invention is implemented as software, which includes but is not limited to firmware, resident software, microcode, etc.
Furthermore, the present invention may take the form of a computer program product accessible from a computer-usable or computer-readable medium that provides program code for use by, or in connection with, a computer or any instruction execution system. For the purposes of this description, a computer-usable or computer-readable medium may be any tangible apparatus that can contain, store, communicate, propagate or transport the program for use by, or in connection with, an instruction execution system, apparatus or device.
The medium may be an electronic, magnetic, optical, electromagnetic, infrared or semiconductor system (or apparatus or device) or a propagation medium. Examples of a computer-readable medium include semiconductor or solid-state memory, magnetic tape, a removable computer diskette, random access memory (RAM), read-only memory (ROM), a rigid magnetic disk and an optical disk. Current examples of optical disks include compact disk read-only memory (CD-ROM), compact disk read/write (CD-R/W) and DVD.
A data processing system suitable for storing and/or executing program code will include at least one processor coupled directly or indirectly to memory elements through a system bus. The memory elements can include local memory employed during actual execution of the program code, bulk storage, and cache memories that provide temporary storage of at least some program code in order to reduce the number of times code must be retrieved from bulk storage during execution.
Input/output or I/O devices (including but not limited to keyboards, displays, pointing devices, etc.) can be coupled to the system either directly or through intervening I/O controllers.
Network adapters may also be coupled to the system to enable the data processing system to become coupled to other data processing systems or remote printers or storage devices through intervening private or public networks. Modems, cable modems and Ethernet cards are just a few of the currently available types of network adapters.
It should be understood from the foregoing description that modifications and changes may be made to the various embodiments of the present invention without departing from its true spirit. The description in this specification is intended to be illustrative only and is not to be construed as limiting. The scope of the present invention is limited only by the appended claims.
Claims (20)
1. A method for setting identity federation configuration, comprising:
obtaining a first identity federation configuration attribute set of a first computing system and a second identity federation configuration attribute set of a second computing system;
identifying one or more relating attribute pairs in the first and second identity federation configuration attribute sets, wherein each relating attribute pair comprises one attribute in the first identity federation configuration attribute set and one attribute in the second identity federation configuration attribute set;
displaying, on a unified user interface, the attributes in the first and second federation configuration attribute sets that need to be set manually, wherein the attributes that need to be set manually do not include any attribute of a relating attribute pair whose value can be derived from the value of the other attribute;
automatically assigning the attribute whose value can be derived from the value of the other attribute; and
providing the set first identity federation configuration attribute set and second identity federation configuration attribute set to the first and second computing systems, respectively.
2. the method for claim 1, comprises further:
Acquired first and second federal configuration attribute set are respectively converted into the first public federal configuration attribute set and
Second public federal configuration attribute set.
3. the method for claim 2, wherein, the first public federal configuration attribute set and the second public federal configuration attribute set
In attribute, comprise according to Identity Federation domain knowledge and the configurable attribute of federation protocol definition.
4. the method for claim 3, wherein, described federation protocol comprises SAML agreement.
5. The method of any one of claims 2-4, wherein identifying one or more relating attribute pairs in the first and second identity federation configuration attribute sets comprises identifying one or more relating attribute pairs in the first and second common federation configuration attribute sets, each relating attribute pair comprising one attribute in the first common identity federation configuration attribute set and one attribute in the second common identity federation configuration attribute set.
6. the method for claim 5, wherein, described to the first and second calculating systems provide respectively through setting the first identity
Federal configuration attribute set and the second Identity Federation configuration attribute set, comprise and the configuration of the first and second common identity federations belonged to
Property set is respectively converted into the first and second Identity Federation configuration attribute set.
7. The method of claim 1, wherein the value of the other attribute is a predetermined value.
8. The method of claim 1, wherein the value of the other attribute is a value input from the unified user interface.
9. the method for claim 5, wherein, will be stored in one through the first and second Identity Federation configuration attribute set arranged
In individual data base.
10. the method for claim 9, wherein, described acquisition first calculate system the first Identity Federation configuration attribute set and
Second the second Identity Federation configuration attribute set calculating system, comprises and obtains the first body through arranging from described data base
The federal configuration attribute set of part and the second Identity Federation configuration attribute set.
11. A device for setting identity federation configuration, comprising:
an acquisition module, configured to obtain a first identity federation configuration attribute set of a first computing system and a second identity federation configuration attribute set of a second computing system;
a relating module, configured to identify one or more relating attribute pairs in the first and second identity federation configuration attribute sets, wherein each relating attribute pair comprises one attribute in the first identity federation configuration attribute set and one attribute in the second identity federation configuration attribute set;
a user interaction module, configured to display, on a unified user interface, the attributes in the first identity federation configuration attribute set and the second identity federation configuration attribute set that need to be set manually, wherein the attributes that need to be set manually do not include any attribute of a relating attribute pair whose value can be derived from the value of the other attribute;
a cross-assignment module, configured to automatically assign the attribute whose value can be derived from the value of the other attribute; and
a configuration adapter, configured to provide the set first identity federation configuration attribute set and second identity federation configuration attribute set to the first and second computing systems, respectively.
12. The device of claim 11, further comprising:
a conversion module, configured to convert the acquired first federation configuration attribute set and second federation configuration attribute set into a first common federation configuration attribute set and a second common federation configuration attribute set, respectively.
13. The device of claim 12, wherein the attributes in the first common federation configuration attribute set and the second common federation configuration attribute set comprise configurable attributes defined according to identity federation domain knowledge and a federation protocol.
14. The device of claim 13, wherein the federation protocol comprises the SAML protocol.
15. The device of any one of claims 12-14, wherein the relating module is further configured to identify one or more relating attribute pairs in the first common federation configuration attribute set and the second common federation configuration attribute set, each relating attribute pair comprising one attribute in the first common identity federation configuration attribute set and one attribute in the second common identity federation configuration attribute set.
16. The device of claim 15, wherein the conversion module is further configured to convert the first common identity federation configuration attribute set and the second common identity federation configuration attribute set into the first identity federation configuration attribute set and the second identity federation configuration attribute set, respectively.
17. The device of claim 11, wherein the value of the other attribute is a predetermined value.
18. The device of claim 11, wherein the value of the other attribute is a value input from the unified user interface.
19. The device of claim 15, further configured to store the set first identity federation configuration attribute set and second identity federation configuration attribute set in a database.
20. The device of claim 19, wherein the acquisition module is configured to obtain the set first identity federation configuration attribute set and second identity federation configuration attribute set from the database.
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
CN201110426561.4A CN103164648B (en) | 2011-12-19 | | Method and device used for setting identity union configuration
US13/719,305 US9122863B2 (en) | 2011-12-19 | 2012-12-19 | Configuring identity federation configuration
US14/825,850 US9576125B2 (en) | 2011-12-19 | 2015-08-13 | Configuring identity federation configuration
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
CN201110426561.4A CN103164648B (en) | 2011-12-19 | | Method and device used for setting identity union configuration
Publications (2)
Publication Number | Publication Date
---|---
CN103164648A CN103164648A (en) | 2013-06-19
CN103164648B true CN103164648B (en) | 2016-12-14
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
CN101449263A (en) * | 2006-06-15 | 2009-06-03 | International Business Machines Corporation | Method and apparatus for middleware assisted system integration in a federated environment
CN102118430A (en) * | 2009-12-17 | 2011-07-06 | Intel Corporation | Cloud federation as a service
Legal Events
Date | Code | Title | Description
---|---|---|---
| PB01 | Publication |
| SE01 | Entry into force of request for substantive examination |
| GR01 | Patent grant |