CN103164648B - Method and device used for setting identity union configuration - Google Patents


Info

Publication number: CN103164648B
Authority: CN (China)
Prior art keywords: attribute, configuration, identity federation, attribute set, value
Legal status: Active
Application number: CN201110426561.4A
Other languages: Chinese (zh)
Other versions: CN103164648A (en)
Inventors: 刘建, 刘晓曦, 黄鹤远, 李敏
Current assignee: International Business Machines Corp
Original assignee: International Business Machines Corp

Events:
Application filed by International Business Machines Corp
Priority to CN201110426561.4A (CN103164648B)
Priority to US13/719,305 (US9122863B2)
Publication of CN103164648A
Priority to US14/825,850 (US9576125B2)
Application granted
Publication of CN103164648B

Abstract

A method and apparatus for setting identity federation configuration. The method comprises: obtaining a first identity federation configuration attribute set of a first computing system and a second identity federation configuration attribute set of a second computing system; identifying at least one related attribute pair among the first and second identity federation configuration attributes; displaying, on a unified user interface, the attributes among the first and second identity federation configuration attributes that need to be set manually, where the attributes that need to be set manually do not include any attribute of a related attribute pair whose value can be derived from the value of the other attribute of the pair; automatically assigning values to the attributes whose values can be derived from the value of another attribute; and providing the configured first and second identity federation configuration attribute sets to the first and second computing systems respectively.

Description

Method and device used for setting identity union configuration
Technical field
The present invention relates to identity federation configuration across computing systems.
Background art
Identity federation is used to manage identities and access rights to resources across computing systems. A typical case of cross-system resource access is the use of cloud services. As cloud services gain popularity, more and more clients (for example enterprises) subscribe to cloud services to meet their business needs. Identity federation lets users access applications across domains, so an enterprise can offer its users access to various cloud service applications with their enterprise accounts. To interact seamlessly with a cloud service, an enterprise needs identity federation. The work of setting up identity federation on both the enterprise side and the cloud service side is done by the enterprise's system administrator (the client administrator). Because cloud service providers deliver their services in proprietary environments using proprietary data formats, the identity federation configuration on the enterprise side and on the cloud service side may follow different standards, and the user interfaces and data formats of the two sides may be entirely different. The system administrator therefore has to be familiar not only with the enterprise side's identity federation configuration standard and user interface but also with those of the cloud service side. Moreover, the enterprise side's identity federation configuration and the cloud service side's configuration frequently contain a large amount of repeated content, which imposes unnecessary work on the system administrator.
Summary of the invention
An object of the present invention is, during the setup phase of identity federation configuration, to set the identity federation configuration of two computing systems that have established a trust relationship in a centralised way, so that the consistency of the two systems' identity federation configurations is guaranteed while the number of identity federation parameters the system administrator has to set is reduced.
In one aspect, a method for setting identity federation configuration is provided, comprising: obtaining a first identity federation configuration attribute set of a first computing system and a second identity federation configuration attribute set of a second computing system; identifying one or more related attribute pairs in the first and second identity federation configuration attribute sets, where each related attribute pair comprises one attribute from the first identity federation configuration attribute set and one attribute from the second identity federation configuration attribute set; displaying on a unified user interface the attributes of the first and second federation configuration attribute sets that need to be set manually, where the attributes that need to be set manually do not include any attribute of a related attribute pair whose value can be derived from the value of the other attribute of the pair; automatically assigning values to the attributes whose values can be derived from the value of another attribute; and providing the configured first identity federation configuration attribute set and second identity federation configuration attribute set to the first and second computing systems respectively.
In another aspect, an apparatus for setting identity federation configuration is provided, comprising:
An acquisition module, configured to obtain a first identity federation configuration attribute set of a first computing system and a second identity federation configuration attribute set of a second computing system;
An association module, configured to identify one or more related attribute pairs in the first and second identity federation configuration attribute sets, where each related attribute pair comprises one attribute from the first identity federation configuration attribute set and one attribute from the second identity federation configuration attribute set;
A user interaction module, configured to display on a unified user interface the attributes of the first and second federation configuration attribute sets that need to be set manually, where the attributes that need to be set manually do not include any attribute of a related attribute pair whose value can be derived from the value of the other attribute of the pair;
A cross-assignment module, configured to automatically assign values to the attributes whose values can be derived from the value of another attribute;
A configuration adapter, configured to provide the configured first identity federation configuration attribute set and second identity federation configuration attribute set to the first and second computing systems respectively.
Brief description of the drawings
The features, advantages and other aspects of the embodiments of the present invention will become more apparent from the following detailed description taken in conjunction with the accompanying drawings, in which some embodiments of the present invention are shown by way of example and not by way of limitation. In the drawings:
Figures 1A-1C show block diagrams of an exemplary computer system suitable for implementing embodiments of the present invention;
Figures 2A and 2B illustrate the prior-art way of setting identity federation configuration for different computing systems;
Figure 3A schematically shows a flow chart of a method according to one embodiment of the invention;
Figure 3B schematically shows part of the identity configuration attributes of two different computing systems;
Figure 4 schematically shows a block diagram of an apparatus according to one embodiment of the invention.
Detailed description of the invention
The flow charts and block diagrams in the drawings illustrate the architecture, functionality and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flow charts or block diagrams may represent a module, program segment or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the blocks may occur out of the order noted in the drawings. For example, two blocks shown in succession may in fact be executed substantially concurrently, or sometimes in the reverse order, depending on the functionality involved. It should also be noted that each block of the block diagrams and/or flow charts, and combinations of such blocks, can be implemented by special-purpose hardware-based systems that perform the specified functions or operations, or by combinations of special-purpose hardware and computer instructions.
The principles and spirit of the present invention are described below with reference to some illustrative embodiments. It should be understood that these embodiments are provided only so that those skilled in the art can better understand and then implement the present invention, and do not limit the scope of the present invention in any way.
Referring to Figures 1A-1C: Figure 1A schematically shows an example cloud computing node, Figure 1B schematically shows an example cloud computing environment, and Figure 1C schematically shows the abstraction model layers of an example cloud computing environment.
It should be understood in advance that although this disclosure includes a detailed description of cloud computing, implementation of the teachings recited herein is not limited to a cloud computing environment. Embodiments of the invention can be implemented in conjunction with any other type of computing environment now known or later developed.
Cloud computing is a model of service delivery for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, network bandwidth, servers, processing, memory, storage, applications, virtual machines and services) that can be rapidly provisioned and released with minimal management effort or interaction with the service provider. This cloud model may include at least five characteristics, at least three service models and at least four deployment models.
Characteristics are as follows:
On-demand self-service: a cloud consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed and automatically, without requiring human interaction with the service provider.
Broad network access: capabilities are available over a network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g. mobile phones, laptops and personal digital assistants, PDAs).
Resource pooling: the provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to demand. There is a sense of location independence in that the consumer generally has no control over, or knowledge of, the exact location of the provided resources, but may be able to specify location at a higher level of abstraction (e.g. country, state or data center).
Rapid elasticity: capabilities can be rapidly and elastically provisioned, in some cases automatically, to scale out quickly, and rapidly released to scale in quickly. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be obtained in any quantity at any time.
Measured service: cloud systems automatically control and optimise resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g. storage, processing, bandwidth and active user accounts). Resource usage can be monitored, controlled and reported, providing transparency for both the provider and the consumer of the service.
Service models are as follows:
Software as a Service (SaaS): the capability provided to the consumer is to use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g. web-based e-mail). The consumer neither manages nor controls the underlying cloud infrastructure, including the network, servers, operating systems, storage or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.
Platform as a Service (PaaS): the capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications that were built with programming languages and tools supported by the provider. The consumer neither manages nor controls the underlying cloud infrastructure, including the network, servers, operating systems or storage, but has control over the deployed applications and possibly over the configuration of the application hosting environment.
Infrastructure as a Service (IaaS): the capability provided to the consumer is to provision processing, storage, networks and other fundamental computing resources on which the consumer can deploy and run arbitrary software, which can include operating systems and applications. The consumer neither manages nor controls the underlying cloud infrastructure, but has control over operating systems, storage and the deployed applications, and possibly limited control over selected networking components (e.g. host firewalls).
Deployment models are as follows:
Private cloud: the cloud infrastructure is operated solely for one organisation. It may be managed by that organisation or by a third party, and may exist on or off the organisation's premises.
Community cloud: the cloud infrastructure is shared by several organisations and supports a specific community that has shared concerns (e.g. mission, security requirements, policy and compliance considerations). It may be managed by the organisations in the community or by a third party, and may exist on or off premises.
Public cloud: the cloud infrastructure is made available to the general public or to a large industry group, and is owned by an organisation selling cloud services.
Hybrid cloud: the cloud infrastructure is a composition of two or more clouds (private, community or public) that remain unique entities but are bound together by standardised or proprietary technology that enables data and application portability (e.g. cloud bursting for load balancing between clouds).
A cloud computing environment is service oriented, with a focus on statelessness, low coupling, modularity and semantic interoperability. At the heart of cloud computing is an infrastructure comprising a network of interconnected nodes.
Referring now to Figure 1A, an example of a cloud computing node is shown. Cloud computing node 10 is only one example of a suitable cloud computing node and is not intended to suggest any limitation as to the scope of use or functionality of embodiments of the invention. Regardless, cloud computing node 10 is capable of implementing and/or performing any of the functionality set forth above.
In cloud computing node 10 there is a computer system/server 12, which is operational with numerous other general-purpose or special-purpose computing system environments or configurations. Examples of well-known computing systems, environments and/or configurations that may be suitable for use with computer system/server 12 include, but are not limited to, personal computer systems, server computer systems, thin clients, thick clients, hand-held or laptop devices, microprocessor-based systems, set-top boxes, programmable consumer electronics, network PCs, minicomputer systems, mainframe computer systems, and distributed cloud computing environments that include any of the above systems, and the like.
Computer system/server 12 may be described in the general context of computer system executable instructions, such as program modules, being executed by a computer system. Generally, program modules may include routines, programs, objects, components, logic, data structures and so on that perform particular tasks or implement particular abstract data types. Computer system/server 12 may be practised in distributed cloud computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed cloud computing environment, program modules may be located in both local and remote computer system storage media, including memory storage devices.
As shown in Figure 1A, computer system/server 12 in cloud computing node 10 takes the form of a general-purpose computing device. The components of computer system/server 12 may include, but are not limited to, one or more processors or processing units 16, a system memory 28, and a bus 18 that couples the various system components (including system memory 28 and processing unit 16).
Bus 18 represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, and a processor or local bus using any of a variety of bus architectures. By way of example, and not limitation, such architectures include the Industry Standard Architecture (ISA) bus, the Micro Channel Architecture (MCA) bus, the Enhanced ISA (EISA) bus, the Video Electronics Standards Association (VESA) local bus, and the Peripheral Component Interconnect (PCI) bus.
Computer system/server 12 typically includes a variety of computer system readable media. Such media may be any available media that are accessible by computer system/server 12, and include both volatile and non-volatile media, removable and non-removable media.
System memory 28 can include computer system readable media in the form of volatile memory, such as random access memory (RAM) 30 and/or cache memory 32. Computer system/server 12 may further include other removable/non-removable, volatile/non-volatile computer system storage media. By way of example only, storage system 34 can be provided for reading from and writing to a non-removable, non-volatile magnetic medium (not shown, and typically called a "hard drive"). Although not shown, a magnetic disk drive for reading from and writing to a removable, non-volatile magnetic disk (e.g. a "floppy disk"), and an optical disk drive for reading from or writing to a removable, non-volatile optical disk such as a CD-ROM, DVD-ROM or other optical media, can be provided. In such instances, each drive can be connected to bus 18 by one or more data media interfaces. As will be further depicted and described below, memory 28 may include at least one program product having a set (e.g. at least one) of program modules that are configured to carry out the functions of embodiments of the invention.
Program/utility 40, having a set (at least one) of program modules 42, may be stored in memory 28, as may, by way of example and not limitation, an operating system, one or more application programs, other program modules, and program data. Each of the operating system, the one or more application programs, the other program modules and the program data, or some combination thereof, may include an implementation of a networking environment. Program modules 42 generally carry out the functions and/or methodologies of embodiments of the invention as described herein.
Computer system/server 12 may also communicate with one or more external devices 14 such as a keyboard, a pointing device, a display 24, etc.; with one or more devices that enable a user to interact with computer system/server 12; and/or with any devices (e.g. network card, modem, etc.) that enable computer system/server 12 to communicate with one or more other computing devices. Such communication can occur via input/output (I/O) interfaces 22. Further, computer system/server 12 can communicate with one or more networks such as a local area network (LAN), a wide area network (WAN) and/or a public network (e.g. the Internet) via network adapter 20. As depicted, network adapter 20 communicates with the other components of computer system/server 12 via bus 18. It should be understood that, although not shown, other hardware and/or software components could be used in conjunction with computer system/server 12. Examples include, but are not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives and data archival storage systems, etc.
Referring now to Figure 1B, an illustrative cloud computing environment 50 is depicted. As shown, cloud computing environment 50 comprises one or more cloud computing nodes 10 with which local computing devices used by cloud consumers, such as a personal digital assistant (PDA) or mobile phone 54A, desktop computer 54B, laptop computer 54C and/or automobile computer system 54N, may communicate. Nodes 10 may communicate with one another. They may be grouped (not shown) physically or virtually, in one or more networks, such as the private, community, public or hybrid clouds described above, or a combination thereof. This allows cloud computing environment 50 to offer infrastructure, platforms and/or software as services for which a cloud consumer does not need to maintain resources on a local computing device. It is understood that the types of computing devices 54A-N shown in Figure 1B are intended to be illustrative only, and that computing nodes 10 and cloud computing environment 50 can communicate with any type of computerised device over any type of network and/or network-addressable connection (e.g. using a web browser).
Referring now to Figure 1C, a set of functional abstraction layers provided by cloud computing environment 50 (Figure 1B) is shown. It should be understood in advance that the components, layers and functions shown in Figure 1C are intended to be illustrative only, and that embodiments of the invention are not limited thereto. As depicted, the following layers and corresponding functions are provided:
Hardware and software layer 60 includes hardware and software components. Examples of hardware components include: mainframes, in one example IBM zSeries systems; RISC (Reduced Instruction Set Computer) architecture based servers, in one example IBM pSeries systems; IBM xSeries systems; IBM BladeCenter systems; storage devices; networks and networking components. Examples of software components include: network application server software, in one example IBM WebSphere application server software; and database software, in one example IBM DB2 database software. (IBM, zSeries, pSeries, xSeries, BladeCenter, WebSphere and DB2 are trademarks of International Business Machines Corporation registered in many jurisdictions worldwide.)
Virtualisation layer 62 provides an abstraction layer from which the following examples of virtual entities may be provided: virtual servers; virtual storage; virtual networks, including virtual private networks; virtual applications and operating systems; and virtual clients.
In one example, management layer 64 may provide the following functions. Resource provisioning provides dynamic procurement of computing resources and other resources that are used to perform tasks within the cloud computing environment. Metering and pricing provide cost tracking as resources are used within the cloud computing environment, and billing or invoicing for the consumption of these resources. In one example, these resources may comprise application software licences. Security provides identity verification for cloud consumers and tasks, as well as protection for data and other resources. User portal provides access to the cloud computing environment for consumers and system administrators. Service level management provides cloud computing resource allocation and management such that required service levels are met. Service Level Agreement (SLA) planning and fulfilment provide pre-arrangement for, and procurement of, cloud computing resources for which a future requirement is anticipated in accordance with an SLA.
Workloads layer 66 provides examples of functionality for which the cloud computing environment may be used. Examples of workloads and functions that may be provided from this layer include: mapping and navigation; software development and lifecycle management; virtual classroom education delivery; data analytics processing; transaction processing; and so on.
Fig. 2 A and 2B is illustrated as the mode that different calculating system arranges the prior art of Identity Federation configuration.
Fig. 2 A shows calculating system 210 and calculates system 220A, 220B and 220C.Calculating system 210 can be by meter Calculation machine network is connected to calculating system 220A, 220B or 220C, it is thus achieved that calculate system 220A, 220B or 220C provide resource or Service.Such as, calculating system 210 be the calculating system of an enterprise, such as trustship run enterprises application server, Cloud service (the most also letter that service provider A, B and C that calculating system 220A, 220B and 220C are different respectively provides respectively It is referred to as " cloud ").The user 231 of enterprise can access the enterprises in calculating system 210 by the desktop system of oneself simultaneously Application resource and cloud service 220A, 220B, 220C on resource.Federated identity can allow user with after an authentication Other identity can be used to access other resources and without user again Sign-On authentication by Identity Federation, access use for convenience Family 231 accesses different cloud 220A, 220B or 220C, and system manager 230 needs to set in calculating system 210 and cloud 220A two ends Put Identity Federation (hereinafter also referred to as " federal ");In calculating system 210 and cloud service 220B two ends, federation is set;Calculating system System 210 and cloud service 220C two ends configuration federation.So, if user 231 is calculating system 210 access authentication, then need not be again Secondary certification i.e. may have access to cloud service 220A, 220B and 220C.
Fig. 2 B illustrates the calculating system 210 (the most also " the calculating system of enterprise " being referred to as " enterprise ") of an enterprise With a cloud service 220 (such as cloud 220A, 220B or 220C), as shown in four-headed arrow 240, enterprise 210 and cloud service 220 it Between, there is the trusting relationship pre-build.
In order to arrange Identity Federation in enterprise 210 and cloud service 220 two ends, the system manager 230 of enterprise need with not Same user interface interaction.
On the one hand, system manager 230 is mutual with the user interface 213 of enterprises end, arranges the identity connection of enterprise 210 end Nation.The process of Identity Federation is set, is the process that value is set for Identity Federation configuration attribute.Through the Identity Federation configuration arranged Attribute, will be provided to the Identity Federation runtime infrastructure (identity federation runtime) of calculating system 210 end 218.The example of Identity Federation configuration attribute includes that " SSO_endpoint " (single-sign-on end points), " private_key " are (private Key), " Issuer " (issuer) etc..In actual applications, such Identity Federation configuration attribute (hereinafter also referred to as " connection Nation's configuration attribute ", " configuration attribute " or " attribute ") often quantity the biggest.When creating (create) Identity Federation and again set When putting (re-configure) Identity Federation, system manager 230 is required for arranging accordingly for these numerous attributes Value.
On the other hand, system manager 230 is mutual with the user interface 223 of cloud server terminal, arranges cloud service 220 end Federal configuration attribute, the federal configuration attribute being cloud server terminal arranges corresponding value.Through the federal configuration attribute arranged, will It is provided to the Identity Federation runtime infrastructure 228 of cloud service 220 end.Equally, the federal configuration attribute of cloud server terminal is the most also Numerous.
In general, the service provider of cloud service provides cloud service under proprietary (propriety) environment, in user interface Proprietary data form it is also adopted by 223.Owing to the Identity Federation of enterprise 210 end configures and the Identity Federation of cloud service 220 end Configuration may use different standard, and user interface 213 and the style of user interface 223, data form may be entirely different, because of This, system manager 230 not only needs to be familiar with the Identity Federation configuration standard of enterprises end and user interface, and needs to be familiar with cloud The Identity Federation configuration standard of service end and user interface.If an enterprise requires connect to different cloud services, system pipes Reason person will arrange Identity Federation configuration attribute in the user interface that different cloud services provides, it is therefore desirable to is familiar with different The proprietary, data format of cloud service.
Additionally, the Identity Federation configuration attribute of enterprise 210 end and the Identity Federation configuration attribute of cloud service 220 end, some Content is to be mutually related, the most identical.System manager 230 repeatedly to arrange these in different user interfaces The value of the attribute that relevance is the most identical, this unnecessarily increases the workload of system manager, too increases and makes mistakes Probability.
To this end, the basic conception of the present invention, it is to be that such two calculating systems carry out body in the way of concentrating or be unified The setting of the federal configuration of part, to improve the efficiency of system manager, reduces the probability made mistakes.
Various embodiments of the invention are described in detail below with reference to Figures 3A and 3B. Referring first to Figure 3A, the figure shows a flow chart of a method according to one embodiment of the invention.
In short, Figure 3A shows a method for setting identity federation configuration attributes that comprises the following steps: obtaining a first identity federation configuration attribute set of a first computing system and a second identity federation configuration attribute set of a second computing system; identifying one or more related attribute pairs, where each related attribute pair contains one attribute of the first set and one attribute of the second set; displaying on a unified user interface the attributes of the first and second sets that need to be set manually, where, if the value of one attribute of any identified related attribute pair can be derived from the value of the other attribute, the attributes to be set manually do not include that attribute; automatically setting the value of an attribute of a related attribute pair according to the relation between the two attributes of the pair; and providing the set first and second identity federation configuration attribute sets to the first and second computing systems respectively.
The operation of each step is now described in detail with reference to the drawings. In the following description, an enterprise that subscribes to a cloud service and the cloud service itself serve as the examples of the first and second computing systems respectively. This choice is made only for ease of reference and to help the reader understand the embodiments; after reading this specification, a person of ordinary skill in the art will understand that the first and second computing systems of the invention are not limited to an enterprise and a cloud service.
The method of the embodiment starts at step 311.
In step 311, the first identity federation configuration attribute set of the first computing system and the second identity federation configuration attribute set of the second computing system are obtained.
For example, the first computing system is the enterprise 210 shown in Figure 2B. The identity federation configuration of the enterprise (hereafter also called the "federation configuration") is a set of attribute/attribute-value pairs, and can also be characterized by the federation configuration attribute set FC1 consisting of all the attributes of those pairs:
FC1 = {para1_1, para1_2, ..., para1_m} (1)
where "para1_i" (i = 1...m) denotes an attribute of set FC1.
In general, when a federation configuration is first created, the system administrator may have to assign a value to every attribute of set FC1. When a federation configuration is set again (for example, modified), some attributes may already have predetermined values that the system administrator does not need to enter again.
Similarly, the federation configuration of the cloud service is a set of attribute/attribute-value pairs and can be characterized by the federation configuration attribute set FC2 consisting of all attributes of those pairs:
FC2 = {para2_1, para2_2, ..., para2_n} (2)
where "para2_i" (i = 1...n) denotes an attribute of set FC2.
As described above for set FC1, some attributes of set FC2 may have predetermined values.
During identity federation single sign-on, the enterprise 210 and the cloud service 220 exchange messages, and to ensure the integrity and authenticity of those messages they must be signed and verified. The enterprise needs a "signature key" (signing key) with which it signs the messages it sends to the cloud service; the cloud service needs a "validation key" (verification public key) with which it verifies the messages received from the enterprise. Thus the attributes of set FC1 include, for example, the "signature key" the enterprise needs, and the attributes of set FC2 include, for example, the "validation key" the cloud service needs.
In step 312, one or more related attribute pairs are identified in the first identity federation configuration attribute set FC1 and the second identity federation configuration attribute set FC2, where each related attribute pair contains one attribute of FC1 and one attribute of FC2.
For example, the relations between the attributes of the enterprise's federation configuration attribute set FC1 and those of the cloud service's federation configuration attribute set FC2 are analyzed; if an attribute para1_j of FC1 and an attribute para2_k of FC2 are related, attribute para1_j and attribute para2_k are identified as a related attribute pair, written <para1_j, para2_k>. The relation between para1_j and para2_k is expressed by a correlation function F(1_j, 2_k). Such a related attribute pair together with its correlation function can be written as:
(<para1_j, para2_k>, F(1_j, 2_k)) (3)
For example, if the relation described by F(1_j, 2_k) is "equals", the value of attribute para1_j in the related attribute pair <para1_j, para2_k> should be equal to the value of attribute para2_k.
The enterprise and the cloud service may belong to different domains, but built-in identity federation domain knowledge exists for the domains to which the enterprise and the cloud service belong. Using this knowledge, the function and meaning of the federation configuration attributes of the different domains can be analyzed, and it can thereby be determined whether a federation configuration attribute of one domain (for example, the enterprise) is related to a federation configuration attribute of the other domain (for example, the cloud service). For a specific application, a person skilled in the art can determine the rules of correspondence between the identity federation domain knowledge of the enterprise side and that of the cloud side, formulate association rules from them, and store these rules in a computer-readable association rule base. A computer can then use the rules in the rule base to determine automatically the relations between attributes of FC1 and attributes of FC2; for example, it can determine that the "signature key" the enterprise needs and the "validation key" the cloud service needs are related.
According to one embodiment of the invention, an optional step 312a can be performed before step 312, in which the first and second federation configuration attribute sets obtained in step 311 are converted into a first common federation configuration attribute set and a second common federation configuration attribute set respectively. This step is shown in Figure 3A with a dashed box and dashed arrows.
A common federation configuration attribute is also called a "unified federation configuration attribute" or "unified federation configuration". According to one embodiment of the invention, the attributes of the first and second common federation configuration attribute sets are configurable attributes defined according to identity federation domain knowledge and a federation protocol. The set of such configurable attributes is also called identity federation metadata.
According to one embodiment of the invention, the federation protocol can be the SAML protocol. Correspondingly, the configurable attributes defined according to identity federation domain knowledge and the SAML protocol are platform-independent. Examples of such configurable attributes include: Issuer, Signature_Key, Encryption_Key, SSO_Endpoint, SLO_Endpoint, Provider_ID, Partner_ID, Partner_SSO_Endpoint, Partner_SLO_Endpoint, and so on.
Similarly to the representation of federation configuration attribute set FC1, the first common federation configuration attribute set CFC1 can be expressed as:
CFC1 = {Cpara1_1, Cpara1_2, ..., Cpara1_m} (1')
where "Cpara1_i" (i = 1...m) is an attribute of the common federation configuration attribute set CFC1 and is a configurable attribute of the identity federation metadata.
Similarly, the second common federation configuration attribute set CFC2 can be expressed as:
CFC2 = {Cpara2_1, Cpara2_2, ..., Cpara2_n} (2')
where "Cpara2_i" (i = 1...n) is an attribute of the common federation configuration attribute set CFC2 and is a configurable attribute of the identity federation metadata.
According to one embodiment of the invention, step 312 can be performed on the basis of step 312a, that is, one or more related attribute pairs are identified in the first common federation configuration attribute set CFC1 and the second common federation configuration attribute set CFC2, where each related attribute pair contains one attribute of CFC1 and one attribute of CFC2.
For example, related attribute pairs are identified by analyzing the relations between the attributes of the enterprise's common federation configuration attribute set CFC1 and those of the cloud service's common federation configuration attribute set CFC2. If a common federation configuration attribute Cpara1_j of the enterprise and a common federation configuration attribute Cpara2_k of the cloud service are related, attribute Cpara1_j and attribute Cpara2_k are identified as a related attribute pair, written <Cpara1_j, Cpara2_k>. The relation between the two attributes Cpara1_j and Cpara2_k of the pair is expressed by the corresponding correlation function F(1_j, 2_k). Such a pair of attributes Cpara1_j and Cpara2_k together with its correlation function can be written as:
(<Cpara1_j, Cpara2_k>, F(1_j, 2_k)) (3')
In step 312a the federation configuration attributes of the different domains are converted into a unified form, which makes it easier to analyze the converted attributes in step 312 and to identify related attribute pairs.
Figure 3B shows, by way of example, some of the identity configuration attributes of two different computing systems. As shown in Figure 3B, the identity configuration attribute set of the first computing system 210 contains attributes such as "Issuer", "Partner_SSO_Endpoint", "Sign_Authentication_Request", "Sign_Single_Logout_Request" and "Encrypt_Single_Logout_Request". The identity configuration attribute set of the second computing system 220 contains attributes such as "Provider_Id", "SSO_Endpoint", "Validate_Authentication_Request", "Validate_Single_Logout_Request" and "Decrypt_Single_Logout_Request". A line segment in Figure 3B connecting two attributes indicates that, after step 312 is performed, the two attributes are identified as related. For example, attribute "Issuer" and attribute "Provider_Id" are related.
During single sign-on in a SAML-based identity federation, the enterprise must send an "authentication request message" to the cloud service and must include the message issuer in that message; for this, the enterprise side needs the configuration attribute "Issuer". In addition, the cloud service must verify whether the message issuer equals the attribute that the system administrator configured on the cloud service side, namely the attribute "Provider_Id". Therefore, in step 312, attributes "Issuer" and "Provider_Id" can be identified as related according to identity federation domain knowledge, the relation being equality. Using expression (3) above, the relation between "Issuer" and "Provider_Id" can be written as:
{<Issuer, Provider_Id>, F1}, where correlation function F1 states that the value of "Issuer" equals the value of "Provider_Id".
During single sign-on in a SAML-based identity federation, the enterprise needs the configuration attribute "Partner_SSO_Endpoint" (the single sign-on endpoint of the cloud service), and the cloud service provides the configuration attribute "SSO_Endpoint" (its own single sign-on endpoint; for example, for the cloud service SampleCloudService this attribute's value is https://login.SampleCloudService.com). Based on this identity federation domain knowledge, in step 312 attributes "Partner_SSO_Endpoint" and "SSO_Endpoint" are identified as related, that is:
{<Partner_SSO_Endpoint, SSO_Endpoint>, F2}
where correlation function F2 states that the value of "Partner_SSO_Endpoint" equals the value of "SSO_Endpoint".
Obviously, if attribute "SSO_Endpoint" already has a value, then when the enterprise's configuration attribute "Partner_SSO_Endpoint" is set, the value of "SSO_Endpoint" can be assigned directly to "Partner_SSO_Endpoint" without exposing that configuration attribute to the system administrator.
The relation between the single logout endpoint of the cloud service that the enterprise must configure and the single logout endpoint that the cloud service itself configures (not shown in the figure) is similar to the relation between the attribute "Partner_SSO_Endpoint" that the enterprise must configure and the cloud service's configuration attribute "SSO_Endpoint".
During single sign-on in a SAML-based identity federation, to ensure the integrity of the "authentication request message", the enterprise must sign the message and therefore needs the configuration attribute "Sign_Authentication_Request". The cloud service declares through the configuration attribute "Validate_Authentication_Request" whether it verifies the authentication request message. Based on this knowledge, the two attributes can be identified as related, that is:
{<Sign_Authentication_Request, Validate_Authentication_Request>, F3}, where the correlation function states that the values of the two attributes are equal.
Similarly, the enterprise's configuration attribute for encrypting the "authentication request message", "Encrypt_Authentication_Request" (not shown), and the cloud service's configuration attribute for decrypting the "authentication request message", "Decrypt_Authentication_Request" (not shown), are also related, and the relation is equality.
For single logout messages, the configuration attributes "Sign_Single_Logout_Request" and "Validate_Single_Logout_Request" are likewise related, and the relation is equality.
"Encrypt_Single_Logout_Request" and "Decrypt_Single_Logout_Request" are also related, and the relation is equality.
In step 313, the attributes of the first identity federation configuration attribute set and the second federation configuration attribute set that need to be set manually are displayed on a unified user interface, where the attributes to be set manually do not include any attribute of a related attribute pair whose value can be derived from the value of the other attribute of the pair. In other words, if the value of one attribute of any identified related attribute pair can be derived from the value of the other attribute, the attributes to be set manually do not include that attribute.
By entering the values of the attributes to be set manually on the unified user interface, the system administrator 230 obtains the set first identity federation configuration attribute set and second federation configuration attribute set.
In other words, in step 313 the first and second identity federation configuration attributes that the system administrator needs to set are all displayed in a single unified user interface rather than in separate user interfaces.
Furthermore, the displayed attributes do not include attributes that can be assigned automatically, such as an attribute whose value can be derived from the value of another attribute.
Whether the value of one attribute of a related attribute pair can be derived from the value of the other can be determined from the relation between the two attributes and from whether either attribute has a predetermined value.
As shown in expression (3) above, the correlation function F(1_j, 2_k) corresponding to the related attribute pair <para1_j, para2_k> describes the relation between attributes para1_j and para2_k. Therefore, from the relation between para1_j and para2_k in the pair <para1_j, para2_k>, it can be judged whether the value of para1_j can be derived from the value of para2_k, or whether the value of para2_k can be derived from the value of para1_j. A common relation between para1_j and para2_k is "equals"; in that case the value of para2_k can be derived from the value of para1_j, and vice versa.
Take attributes "Partner_SSO_Endpoint" and "SSO_Endpoint" shown in Figure 3B as an example. According to identity federation domain knowledge, step 312 identifies them as related, that is {<Partner_SSO_Endpoint, SSO_Endpoint>, F}, where correlation function F defines the relation as "Partner_SSO_Endpoint" equals "SSO_Endpoint" (the value of "SSO_Endpoint" can be assigned to "Partner_SSO_Endpoint"), or equivalently "SSO_Endpoint" equals "Partner_SSO_Endpoint" (the value of "Partner_SSO_Endpoint" can be assigned to "SSO_Endpoint").
If attribute "SSO_Endpoint" has the predetermined value "https://login.SampleCloudService.com", then according to the definition of correlation function F ("Partner_SSO_Endpoint" equals "SSO_Endpoint") the value "https://login.SampleCloudService.com" can be assigned to attribute "Partner_SSO_Endpoint". In this case, attribute "Partner_SSO_Endpoint" is a federation configuration attribute that can be set automatically and does not need to be set manually by the system administrator.
As another example, the attributes "Issuer" and "Provider_Id" shown in Figure 3B have a similar relation. In a SAML federation, the identity provider on one side (for example, enterprise 210) should provide an "Issuer" attribute, and the partner on the other side (for example, cloud service 220) requires a "Provider_Id" attribute. The values of the two attributes must be identical; otherwise a token sent from one side to the other will fail verification. Therefore step 312 determines a related attribute pair consisting of "Issuer" from enterprise 210 and "Provider_Id" from cloud 220, and the correlation function specifies the relation as "Provider_Id" equals "Issuer" (or "Issuer" equals "Provider_Id"). Consequently, in step 313, if "Issuer" has a predetermined value, attribute "Provider_Id" can be set automatically and does not need to be set manually by the system administrator.
In a specific application, besides this simple "equals" relation, the two attributes of a related attribute pair <para1_j, para2_k> may have more complex relations. A person skilled in the art can put the corresponding rules for the specific application into the association rule base, so that the computer can automatically recognize such other relations and, for each related attribute pair, determine whether the value of one attribute can be derived from the value of the other, and hence whether that attribute needs to be set manually. Such a relation need not hold in both directions: a verification public key can be derived from the corresponding signing key, but the signing key can never be derived from the public key, so in such a pair only the verification key is a candidate for automatic assignment.
In step 314, an attribute whose value can be derived from the value of another attribute is assigned automatically. That is, the value of an attribute of a related attribute pair is set automatically according to the relation between the attributes of the pair.
Take again the related attribute pair <Partner_SSO_Endpoint, SSO_Endpoint> shown in Figure 3B. As described above, "Partner_SSO_Endpoint" and "SSO_Endpoint" are related, that is {<Partner_SSO_Endpoint, SSO_Endpoint>, F}, where correlation function F defines the relation as "Partner_SSO_Endpoint" equals "SSO_Endpoint". If "SSO_Endpoint" has the predetermined value "https://login.SampleCloudService.com", attribute "Partner_SSO_Endpoint" is a federation configuration attribute that can be set automatically and does not need to be set manually by the system administrator.
In this case, step 314 sets the value of attribute "Partner_SSO_Endpoint" automatically according to the relation between "Partner_SSO_Endpoint" and "SSO_Endpoint" in the pair, namely "Partner_SSO_Endpoint" equals "SSO_Endpoint": the value of "SSO_Endpoint", "https://login.SampleCloudService.com", is assigned to attribute "Partner_SSO_Endpoint".
In the above example, when attribute "Partner_SSO_Endpoint", whose value can be derived from the value of the other attribute "SSO_Endpoint", is assigned automatically, the value of that other attribute, "https://login.SampleCloudService.com", is a predetermined value.
According to one embodiment of the invention, the value of the other attribute may instead be a value entered on the unified user interface. For example, in the example above the value "https://login.SampleCloudService.com" of attribute "SSO_Endpoint" may also be entered by the system administrator on the unified user interface.
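The following is an added worked example, not code from the patent, showing steps 312 to 314 end to end: a small association rule base in the form of expression (3), identification of related attribute pairs over two attribute sets, the decision of which attributes the unified interface must show, and automatic assignment of the rest. The attribute names follow Figure 3B; the rule for the key pair, the attribute name "Validation_Key", the dict representation of a key and all sample values are assumptions made for this example. Two checks a practitioner would want are included: if both attributes of a pair already have predetermined values, the correlation function is verified rather than one side being silently overwritten, and a one-way relation never derives the signing key from the public key.

```python
"""Added example (not part of the patent): steps 312 to 314 over a rule base.
Attribute names follow Fig. 3B; values, key format and Validation_Key are
constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, Optional

Derive = Optional[Callable[[object], object]]


@dataclass(frozen=True)
class Rule:
    """Rule base entry: the pair <attr1, attr2> and its correlation function F,
    stored as up to two derivation directions (None = not derivable that way)."""
    attr1: str               # attribute name in FC1 (enterprise side)
    attr2: str               # attribute name in FC2 (cloud side)
    to_attr2: Derive = None  # value of attr2 computed from the value of attr1
    to_attr1: Derive = None  # value of attr1 computed from the value of attr2


def equals(attr1: str, attr2: str) -> Rule:
    """The 'equals' relation of expression (3): derivable in both directions."""
    return Rule(attr1, attr2, to_attr2=lambda v: v, to_attr1=lambda v: v)


# Constructed rule base encoding the SAML domain knowledge described in the text.
RULE_BASE = [
    equals("Issuer", "Provider_Id"),
    equals("Partner_SSO_Endpoint", "SSO_Endpoint"),
    equals("Partner_SLO_Endpoint", "SLO_Endpoint"),
    equals("Sign_Authentication_Request", "Validate_Authentication_Request"),
    equals("Sign_Single_Logout_Request", "Validate_Single_Logout_Request"),
    equals("Encrypt_Single_Logout_Request", "Decrypt_Single_Logout_Request"),
    # One-way relation (assumption): the cloud's verification key is the public
    # half of the enterprise signing key (modelled as a dict); the private half
    # can never be derived from the public one, so to_attr1 stays None.
    Rule("Signature_Key", "Validation_Key", to_attr2=lambda k: k["public"]),
]


def identify_pairs(fc1: dict, fc2: dict, rules=RULE_BASE) -> list:
    """Step 312: a rule yields a related pair only if both attributes exist."""
    return [r for r in rules if r.attr1 in fc1 and r.attr2 in fc2]


def configure(fc1: dict, fc2: dict, entered: dict, rules=RULE_BASE) -> dict:
    """Steps 313 and 314. fc1/fc2 map attribute name -> value (None = unset);
    `entered` maps ("fc1"|"fc2", name) -> value typed on the unified UI."""
    fc1, fc2 = dict(fc1), dict(fc2)
    sides = {"fc1": fc1, "fc2": fc2}
    derived, conflicts = {}, []           # derived: (side, name) -> Rule
    for r in identify_pairs(fc1, fc2, rules):
        v1, v2 = fc1[r.attr1], fc2[r.attr2]
        if v1 is not None and v2 is not None:
            # Both predetermined: check F instead of silently overwriting one.
            ok = (r.to_attr2 is None or r.to_attr2(v1) == v2) and \
                 (r.to_attr1 is None or r.to_attr1(v2) == v1)
            if not ok:
                conflicts.append((r.attr1, r.attr2))
        elif v2 is None and r.to_attr2 is not None:
            derived[("fc2", r.attr2)] = r  # attr2 follows attr1
        elif v1 is None and r.to_attr1 is not None:
            derived[("fc1", r.attr1)] = r  # attr1 follows attr2
    # Step 313: unset attributes that are not derivable are shown on the UI.
    manual = [(s, n) for s, fc in sides.items() for n, v in fc.items()
              if v is None and (s, n) not in derived]
    unknown = set(entered) - set(manual)
    if unknown:
        raise ValueError(f"not a manually set attribute: {sorted(unknown)}")
    for (s, n), v in entered.items():
        sides[s][n] = v
    # Step 314: derive from a predetermined or just-entered partner value.
    auto = {}
    for (s, n), r in derived.items():
        src = fc1[r.attr1] if s == "fc2" else fc2[r.attr2]
        if src is not None:
            f = r.to_attr2 if s == "fc2" else r.to_attr1
            auto[(s, n)] = sides[s][n] = f(src)
    return {"manual": manual, "auto": auto, "conflicts": conflicts,
            "fc1": fc1, "fc2": fc2}


# Constructed sample sets; None marks an attribute that has no value yet.
SIGNING_KEY = {"kid": "ent210-2011", "private": "<private>", "public": "<public>"}
ENTERPRISE_FC1 = {
    "Issuer": "https://sso.enterprise210.example/sp",
    "Partner_SSO_Endpoint": None, "Partner_SLO_Endpoint": None,
    "Sign_Authentication_Request": None, "Sign_Single_Logout_Request": None,
    "Encrypt_Single_Logout_Request": None, "Signature_Key": SIGNING_KEY,
}
CLOUD_FC2 = {
    "Provider_Id": None,
    "SSO_Endpoint": "https://login.SampleCloudService.com",
    "SLO_Endpoint": "https://login.SampleCloudService.com/logout",
    "Validate_Authentication_Request": None,
    "Validate_Single_Logout_Request": None,
    "Decrypt_Single_Logout_Request": None, "Validation_Key": None,
}


def demo() -> dict:
    """First pass computes what the unified UI shows; the administrator then
    enters those values (signing on, encryption off) and the rest is derived."""
    manual = configure(ENTERPRISE_FC1, CLOUD_FC2, {})["manual"]
    entered = {k: k != ("fc1", "Encrypt_Single_Logout_Request") for k in manual}
    return configure(ENTERPRISE_FC1, CLOUD_FC2, entered)


if __name__ == "__main__":
    result = demo()
    print("shown on unified UI:", [n for _, n in result["manual"]])
    print("auto-assigned:", {n: v for (_, n), v in result["auto"].items()})
```

With the sample sets, only the three signing and encryption flags on the enterprise side are shown for manual entry; "Provider_Id", both partner endpoints, the three matching cloud-side flags and "Validation_Key" are filled in automatically, and a pair such as Issuer/Provider_Id with two different predetermined values is reported as a conflict instead of being overwritten.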
After steps 313 and 314, the attributes displayed on the unified interface that need manual setting, and the attributes whose values can be derived from the value of another attribute, have been set manually or automatically respectively, and the process proceeds to step 315.
In step 315, the set first identity federation configuration attribute set and second identity federation configuration attribute set are provided to the first computing system 210 and the second computing system 220 respectively. For example, the set first identity federation configuration attribute set FC1 and second identity federation configuration attribute set FC2 can be provided directly to the identity federation runtime 218 on the enterprise side and the identity federation runtime 228 in the cloud respectively.
As described above, before step 312 the optional step 312a can be performed to convert the first and second federation configuration attribute sets obtained in step 311 into the first and second common federation configuration attribute sets respectively. In that case the first and second federation configuration attribute sets operated on in steps 312 to 314 are present in the form of the first and second common federation configuration attribute sets.
According to one embodiment of the invention, when step 312a is performed, step 315 can include a step 315a that converts the first common identity federation configuration attribute set CFC1 and the second common identity federation configuration attribute set CFC2 back into the first identity federation configuration attribute set FC1 and the second identity federation configuration attribute set FC2 respectively. The federation configuration attributes received by the first computing system 210 and the second computing system 220 are then in their original (pre-conversion) formats and can be used directly.
Converting the first and second common identity federation configuration attribute sets (CFC1, CFC2) into the first and second identity federation configuration attribute sets (FC1, FC2) is the inverse of converting the first and second identity federation configuration attribute sets into the first and second common identity federation configuration attribute sets, and is not repeated here.
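The following is an added worked example, not code from the patent, covering both the forward conversion of step 312a (proprietary attribute sets into the common identity federation metadata form) and the inverse conversion of step 315a. The two proprietary formats (an enterprise product that stores settings as key=value lines with "true"/"false" strings, and a cloud service that stores JSON with camelCase keys), their attribute names and the sample data are all assumptions constructed for this example; the common attribute names are those listed in the text. The example also includes the check that the name mapping is one-to-one, because otherwise the inverse conversion is ambiguous, and it keeps unmapped proprietary attributes aside so that nothing is dropped on the way back.

```python
"""Added example (not part of the patent): step 312a (to common form) and
step 315a (back to each system's own form). Formats and data are constructed."""
import json
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Mapping:
    """One proprietary attribute <-> one common attribute, with value codecs."""
    native: str                     # name in the system's own format
    common: str                     # name in the identity federation metadata
    decode: Callable = lambda v: v  # native value -> common value
    encode: Callable = lambda v: v  # common value -> native value


def _bool_from_str(v: str) -> bool:
    return {"true": True, "false": False}[v.strip().lower()]


# Constructed mappings for the two proprietary formats.
ENTERPRISE_MAP = [
    Mapping("sp.entityId", "Issuer"),
    Mapping("sp.partner.ssoUrl", "Partner_SSO_Endpoint"),
    Mapping("sp.partner.sloUrl", "Partner_SLO_Endpoint"),
    Mapping("sp.signAuthnRequest", "Sign_Authentication_Request",
            _bool_from_str, lambda b: "true" if b else "false"),
]
CLOUD_MAP = [
    Mapping("providerId", "Provider_Id"),
    Mapping("ssoEndpoint", "SSO_Endpoint"),
    Mapping("sloEndpoint", "SLO_Endpoint"),
    Mapping("validateAuthnRequest", "Validate_Authentication_Request"),
]


def check_mapping(mapping) -> None:
    """Names must be unique on both sides, or the inverse (315a) is ambiguous."""
    natives = [m.native for m in mapping]
    commons = [m.common for m in mapping]
    if len(set(natives)) != len(natives) or len(set(commons)) != len(commons):
        raise ValueError("attribute mapping is not one-to-one")


def to_common(fc: dict, mapping) -> tuple:
    """Step 312a. Returns (CFC, passthrough); attributes without a mapping are
    kept aside unchanged so they can be restored by from_common()."""
    check_mapping(mapping)
    by_native = {m.native: m for m in mapping}
    cfc, passthrough = {}, {}
    for name, value in fc.items():
        m = by_native.get(name)
        if m is None:
            passthrough[name] = value
        else:
            cfc[m.common] = None if value is None else m.decode(value)
    return cfc, passthrough


def from_common(cfc: dict, passthrough: dict, mapping) -> dict:
    """Step 315a: the inverse of to_common(), restoring the native format."""
    check_mapping(mapping)
    by_common = {m.common: m for m in mapping}
    fc = dict(passthrough)
    for name, value in cfc.items():
        m = by_common[name]  # KeyError if a common attribute has no native name
        fc[m.native] = None if value is None else m.encode(value)
    return fc


def parse_properties(text: str) -> dict:
    """Minimal key=value parser for the constructed enterprise format."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            out[key.strip()] = value.strip() or None
    return out


# Constructed sample inputs for the two systems.
ENTERPRISE_PROPS = """# enterprise 210 federation settings
sp.entityId=https://sso.enterprise210.example/sp
sp.partner.ssoUrl=
sp.signAuthnRequest=true
sp.keystore=/etc/federation/sp.jks
"""
CLOUD_JSON = ('{"providerId": null, '
              '"ssoEndpoint": "https://login.SampleCloudService.com", '
              '"validateAuthnRequest": true}')


def round_trip() -> tuple:
    """Convert both sets to common form, apply the cross assignments that
    steps 312 to 314 would produce, and convert back for the runtimes."""
    fc1 = parse_properties(ENTERPRISE_PROPS)
    fc2 = json.loads(CLOUD_JSON)
    cfc1, rest1 = to_common(fc1, ENTERPRISE_MAP)
    cfc2, rest2 = to_common(fc2, CLOUD_MAP)
    cfc1["Partner_SSO_Endpoint"] = cfc2["SSO_Endpoint"]  # outcome of step 314
    cfc2["Provider_Id"] = cfc1["Issuer"]                  # outcome of step 314
    return (cfc1, cfc2, from_common(cfc1, rest1, ENTERPRISE_MAP),
            from_common(cfc2, rest2, CLOUD_MAP))


if __name__ == "__main__":
    for part in round_trip():
        print(part)
```

After the round trip the enterprise side receives "sp.partner.ssoUrl" filled with the cloud's endpoint and its "true" string flag and unmapped keystore path intact, while the cloud side receives "providerId" set to the enterprise issuer.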
According to one embodiment of the invention, the set first and second identity federation configuration attribute sets can also be stored, for example in a configuration database. When the federation configuration needs to be set again later, the first and second identity federation configuration attribute sets can then be obtained directly from the configuration database.
From the above description it can be seen that, with the methods of the various embodiments of the invention, the system administrator no longer has to configure identity federation attributes in different user interfaces, and the automatic assignment of attributes reduces the number of attributes the system administrator must set manually.
Various embodiments of the method for setting an identity federation configuration according to the invention have been described above. Following the same inventive concept, the invention also provides an apparatus for setting an identity federation configuration.
Figure 4 is a block diagram of an apparatus for setting an identity federation configuration according to one embodiment of the invention.
The apparatus shown in Figure 4 comprises an acquisition module 411, an association module 412, a user interaction module 413, a cross-assignment module 414 and a configuration adapter 415.
The acquisition module 411 is configured to obtain the first identity federation configuration attribute set of the first computing system 210 and the second identity federation configuration attribute set of the second computing system 220.
The association module 412 is configured to identify one or more related attribute pairs in the first and second identity federation configuration attribute sets, where each related attribute pair contains one attribute of the first identity federation configuration attribute set and one attribute of the second.
The user interaction module 413 is configured to display on a unified user interface the attributes of the first identity federation configuration attribute set and the second federation configuration attribute set that need to be set manually, where the attributes to be set manually do not include any attribute of a related attribute pair whose value can be derived from the value of the other attribute of the pair.
In other words, if the value of one attribute of any identified related attribute pair can be derived from the value of the other attribute, the attributes to be set manually do not include that attribute.
The cross-assignment module 414 is configured to automatically assign attributes whose values can be derived from the value of another attribute. In other words, the cross-assignment module 414 can set the value of an attribute of a related attribute pair automatically according to the relation between the attributes of the pair.
The configuration adapter 415 is configured to provide the set first and second identity federation configuration attribute sets to the first computing system 210 and the second computing system 220 respectively.
For example, the set first identity federation configuration attribute set (FC1 or CFC1) and second identity federation configuration attribute set (FC2 or CFC2) can be provided directly to the identity federation runtime 218 on the enterprise side and the identity federation runtime 228 in the cloud respectively.
According to one embodiment of the invention, comprise a modular converter further for arranging the device of Identity Federation configuration 412a, it is configured to be respectively converted into the acquired first federal configuration attribute set and the second federal configuration attribute set First public federal configuration attribute set and the second public federal configuration attribute set.
According to one embodiment of the invention, the first public federal configuration attribute set and the second public federal configuration attribute collection Attribute in conjunction, comprises according to Identity Federation domain knowledge and the configurable attribute of a federation protocol definition.
According to one embodiment of the invention, described federation protocol comprises SAML agreement.
According to one embodiment of the invention, the relating module 412 is further configured to identify one or more relating attribute pairs in the first common federation configuration attribute set and the second common federation configuration attribute set, each relating attribute pair comprising one attribute in the first common identity federation configuration attribute set and one attribute in the second common identity federation configuration attribute set.
According to one embodiment of the invention, the conversion module 412 is further configured to convert the first common identity federation configuration attribute set CFC1 and the second common identity federation configuration attribute set CFC2 into the first identity federation configuration attribute set FC1 and the second identity federation configuration attribute set FC2, respectively. This conversion is
According to one embodiment of the invention, the first computing system is an enterprise that subscribes to a cloud service, and the second computing system is the cloud service.
According to one embodiment of the invention, the cross-assignment module 414 is configured to set the value of an attribute in a relating attribute pair according to a predetermined value. In other words, when the cross-assignment module 414 automatically assigns an attribute whose value can be derived from the value of another attribute, the value of that other attribute is a predetermined value.
According to one embodiment of the invention, the cross-assignment module 414 is configured to set the value of an attribute in a relating attribute pair according to an attribute value entered through the unified user interface. In other words, when the cross-assignment module 414 automatically assigns an attribute whose value can be derived from the value of another attribute, the value of that other attribute is a value entered through the unified user interface.
According to one embodiment of the invention, the device for setting identity federation configuration is further configured to store the first identity federation configuration attribute set and the second identity federation configuration attribute set, once set, in a database, such as the configuration database 450 shown in Fig. 4.
According to one embodiment of the invention, the acquisition module 411 is configured to obtain the already-set first identity federation configuration attribute set and second identity federation configuration attribute set from the database 450.
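The procedure the device embodiments above and method claims 1 to 8 below describe, as an added worked example that is not code from the patent or from IBM: an enterprise SAML IdP is the first computing system and a cloud SP the second. The attribute names, the two vendor export formats, the relation table and the sample values are all assumptions constructed for illustration, not something the patent specifies.

```python
"""Worked example added by the editor, not code from the patent or from IBM: the
claimed procedure run for one SAML federation, with an enterprise IdP as the first
computing system and a cloud SP as the second. All attribute names, both vendor
export formats, the relation table and the sample values are constructed assumptions."""
from typing import Callable, Dict, List, NamedTuple, Optional

Attrs = Dict[str, Optional[str]]

# Claims 2 and 6: vendor-specific key -> common key for each system (assumed names).
IDP_TO_COMMON = {"EntityID": "idp.entity_id", "SingleSignOnURL": "idp.sso_url",
                 "SigningCertificate": "idp.signing_cert",   # this IdP exports PEM (assumption)
                 "PartnerEntityID": "idp.partner_entity_id", "PartnerACSURL": "idp.partner_acs_url",
                 "NameIDFormat": "idp.nameid_format"}
SP_TO_COMMON = {"entity_id": "sp.entity_id", "acs_url": "sp.acs_url",
                "idp_entity_id": "sp.idp_entity_id", "idp_sso_url": "sp.idp_sso_url",
                "idp_cert_b64": "sp.idp_signing_cert",       # this SP wants bare base64 DER (assumption)
                "name_id_format": "sp.nameid_format"}

class Relation(NamedTuple):
    source: str                   # attribute whose value is entered or predetermined
    target: str                   # attribute in the other set whose value is derived
    derive: Callable[[str], str]  # how the target value follows from the source value

def pem_to_b64(pem: str) -> str:
    """Drop the PEM armour lines so the SP gets the base64 body it expects."""
    return "".join(l.strip() for l in pem.strip().splitlines() if not l.startswith("-----"))

# Claim 3: the relating pairs come from federation domain knowledge (SAML here).
RELATIONS = [
    Relation("idp.entity_id", "sp.idp_entity_id", lambda v: v),
    Relation("idp.sso_url", "sp.idp_sso_url", lambda v: v),
    Relation("idp.signing_cert", "sp.idp_signing_cert", pem_to_b64),
    Relation("sp.entity_id", "idp.partner_entity_id", lambda v: v),
    Relation("sp.acs_url", "idp.partner_acs_url", lambda v: v),
    Relation("idp.nameid_format", "sp.nameid_format", lambda v: v),
]
# Claim 7: the source of this pair is a predetermined value, so neither side is manual.
PREDETERMINED = {"idp.nameid_format": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"}

def to_common(vendor: Attrs, mapping: Dict[str, str]) -> Attrs:
    return {mapping[k]: v for k, v in vendor.items() if k in mapping}

def to_vendor(common: Attrs, mapping: Dict[str, str]) -> Attrs:
    inverse = {c: v for v, c in mapping.items()}
    return {inverse[k]: v for k, v in common.items() if k in inverse}

def identify_pairs(cfc1: Attrs, cfc2: Attrs) -> List[Relation]:
    """Keep the relations whose two attributes are present and lie in different sets."""
    present = set(cfc1) | set(cfc2)
    return [r for r in RELATIONS if {r.source, r.target} <= present
            and (r.source in cfc1) != (r.target in cfc1)]

def manual_attributes(cfc1: Attrs, cfc2: Attrs, pairs: List[Relation]) -> List[str]:
    """What the unified UI shows: everything except derived targets and predetermined sources."""
    derived = {r.target for r in pairs}
    return sorted(a for a in set(cfc1) | set(cfc2) if a not in derived and a not in PREDETERMINED)

def cross_assign(cfc1: Attrs, cfc2: Attrs, pairs: List[Relation], user_input: Attrs):
    """Fill each derived attribute from its source (claim 8: sources come from the UI)."""
    unexpected = set(user_input) - set(manual_attributes(cfc1, cfc2, pairs))
    if unexpected:  # an operator must not be able to hand-set a derived attribute
        raise ValueError(f"input for non-manual attributes: {sorted(unexpected)}")
    merged: Attrs = {**cfc1, **cfc2, **PREDETERMINED, **user_input}
    for r in pairs:
        src = merged.get(r.source)
        if src is None:
            raise ValueError(f"{r.source} is unset; cannot derive {r.target}")
        value = r.derive(src)
        current = merged.get(r.target)
        if current is not None and current != value:  # stale partner data: flag it, do not overwrite
            raise ValueError(f"{r.target}={current!r} conflicts with {value!r} derived from {r.source}")
        merged[r.target] = value
    return {k: merged[k] for k in cfc1}, {k: merged[k] for k in cfc2}

def setup_federation(idp_export: Attrs, sp_export: Attrs, user_input: Attrs):
    """Claim 1 end to end: returns both vendor-format sets plus the manual attribute list."""
    cfc1, cfc2 = to_common(idp_export, IDP_TO_COMMON), to_common(sp_export, SP_TO_COMMON)
    pairs = identify_pairs(cfc1, cfc2)
    manual = manual_attributes(cfc1, cfc2, pairs)
    cfc1, cfc2 = cross_assign(cfc1, cfc2, pairs, user_input)
    return to_vendor(cfc1, IDP_TO_COMMON), to_vendor(cfc2, SP_TO_COMMON), manual

# Constructed sample exports (a fresh federation, nothing set on either side) and
# constructed operator input; the certificate is a placeholder string, not a real one.
IDP_EXPORT: Attrs = {k: None for k in IDP_TO_COMMON}
SP_EXPORT: Attrs = {k: None for k in SP_TO_COMMON}
SAMPLE_INPUT: Attrs = {
    "idp.entity_id": "https://idp.example.com/saml",
    "idp.sso_url": "https://idp.example.com/saml/sso",
    "idp.signing_cert": ("-----BEGIN CERTIFICATE-----\nMIIBplaceholderA\n"
                         "MIIBplaceholderB\n-----END CERTIFICATE-----"),
    "sp.entity_id": "https://cloud.example.net/sp",
    "sp.acs_url": "https://cloud.example.net/sp/acs",
}

if __name__ == "__main__":
    fc1, fc2, manual = setup_federation(IDP_EXPORT, SP_EXPORT, SAMPLE_INPUT)
    print("manual:", manual, "\nIdP:", fc1, "\nSP:", fc2)
```

Of the twelve attributes, only five reach the unified UI; the IdP's entity ID, SSO URL and signing certificate are copied into the SP's partner settings, the SP's entity ID and ACS URL into the IdP's, and the NameID format is fixed on both sides by a predetermined value. Two checks in `cross_assign` are the editor's additions rather than anything the patent claims: input for a derived attribute is rejected, so an operator cannot hand-set the certificate the SP will trust, and a derived target that already holds a different value (stale partner data) is reported instead of silently overwritten.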
The foregoing has described the device for setting identity federation configuration according to embodiments of the invention. Since the method for setting identity federation configuration according to the various embodiments of the invention has already been described in detail, the description of the device omits content that substantially repeats the description of the method or can readily be inferred from it.
It should be noted that the above description is merely illustrative and does not limit the invention. In other embodiments of the invention the method may have more, fewer or different steps; the numbering of the steps is intended to make the description clearer and is not a strict limitation on their ordering, and the order of the steps may differ from that described.
Therefore, in some embodiments of the invention one or more of the optional steps described above may be absent, and the specific manner of carrying out each step may differ from that described. All such variations fall within the spirit and scope of the invention.
The invention may take the form of a hardware embodiment, a software embodiment, or an embodiment comprising both hardware and software components. In a preferred embodiment the invention is implemented in software, which includes but is not limited to firmware, resident software, microcode, etc.
Furthermore, the invention may take the form of a computer program product accessible from a computer-usable or computer-readable medium providing program code for use by or in connection with a computer or any instruction execution system. For the purposes of this description, a computer-usable or computer-readable medium may be any tangible apparatus that can contain, store, communicate, propagate or transport the program for use by or in connection with the instruction execution system, apparatus or device.
The medium may be an electronic, magnetic, optical, electromagnetic, infrared or semiconductor system (or apparatus or device) or a propagation medium. Examples of a computer-readable medium include a semiconductor or solid-state memory, magnetic tape, a removable computer diskette, random access memory (RAM), read-only memory (ROM), a rigid magnetic disk and an optical disk. Current examples of optical disks include compact disk read-only memory (CD-ROM), compact disk read/write (CD-R/W) and DVD.
A data processing system suitable for storing and/or executing program code will include at least one processor coupled directly or indirectly to memory elements through a system bus. The memory elements may include local memory employed during actual execution of the program code, bulk storage, and cache memories that provide temporary storage of at least some program code in order to reduce the number of times code must be retrieved from bulk storage during execution.
Input/output or I/O devices (including but not limited to keyboards, displays, pointing devices, etc.) may be coupled to the system either directly or through intervening I/O controllers.
Network adapters may also be coupled to the system to enable the data processing system to be coupled to other data processing systems or to remote printers or storage devices through intervening private or public networks. Modems, cable modems and Ethernet cards are just a few of the currently available types of network adapters.
It should be understood from the foregoing description that modifications and changes may be made to the various embodiments of the invention without departing from its true spirit. The description in this specification is for illustrative purposes only and should not be construed as limiting. The scope of the invention is limited only by the appended claims.

Claims (20)

1. A method for setting identity federation configuration, comprising:
obtaining a first identity federation configuration attribute set of a first computing system and a second identity federation configuration attribute set of a second computing system;
identifying one or more relating attribute pairs in the first and second identity federation configuration attribute sets, wherein each relating attribute pair comprises one attribute in the first identity federation configuration attribute set and one attribute in the second identity federation configuration attribute set;
displaying, on a unified user interface, the attributes in the first and second identity federation configuration attribute sets that need to be set manually, wherein the attributes that need to be set manually do not include any attribute of a relating attribute pair whose value can be derived from the value of the other attribute;
automatically assigning the attribute whose value can be derived from the value of the other attribute;
providing the set first identity federation configuration attribute set and the set second identity federation configuration attribute set to the first and second computing systems, respectively.
2. The method of claim 1, further comprising:
converting the obtained first and second identity federation configuration attribute sets into a first common federation configuration attribute set and a second common federation configuration attribute set, respectively.
3. The method of claim 2, wherein the attributes in the first common federation configuration attribute set and the second common federation configuration attribute set comprise configurable attributes defined according to identity federation domain knowledge and a federation protocol.
4. The method of claim 3, wherein the federation protocol comprises the SAML protocol.
5. The method of any one of claims 2 to 4, wherein identifying one or more relating attribute pairs in the first and second identity federation configuration attribute sets comprises identifying one or more relating attribute pairs in the first and second common federation configuration attribute sets, each relating attribute pair comprising one attribute in the first common identity federation configuration attribute set and one attribute in the second common identity federation configuration attribute set.
6. The method of claim 5, wherein providing the set first identity federation configuration attribute set and the set second identity federation configuration attribute set to the first and second computing systems, respectively, comprises converting the first and second common identity federation configuration attribute sets into the first and second identity federation configuration attribute sets, respectively.
7. The method of claim 1, wherein the value of the other attribute is a predetermined value.
8. The method of claim 1, wherein the value of the other attribute is a value entered through the unified user interface.
9. The method of claim 5, wherein the set first and second identity federation configuration attribute sets are stored in a database.
10. The method of claim 9, wherein obtaining the first identity federation configuration attribute set of the first computing system and the second identity federation configuration attribute set of the second computing system comprises obtaining the already-set first identity federation configuration attribute set and second identity federation configuration attribute set from the database.
11. A device for setting identity federation configuration, comprising:
an acquisition module, configured to obtain a first identity federation configuration attribute set of a first computing system and a second identity federation configuration attribute set of a second computing system;
a relating module, configured to identify one or more relating attribute pairs in the first and second identity federation configuration attribute sets, wherein each relating attribute pair comprises one attribute in the first identity federation configuration attribute set and one attribute in the second identity federation configuration attribute set;
a user interaction module, configured to display, on a unified user interface, the attributes in the first identity federation configuration attribute set and the second identity federation configuration attribute set that need to be set manually, wherein the attributes that need to be set manually do not include any attribute of a relating attribute pair whose value can be derived from the value of the other attribute;
a cross-assignment module, configured to automatically assign the attribute whose value can be derived from the value of the other attribute;
a configuration adapter, configured to provide the set first identity federation configuration attribute set and the set second identity federation configuration attribute set to the first and second computing systems, respectively.
12. The device of claim 11, further comprising:
a conversion module, configured to convert the obtained first and second identity federation configuration attribute sets into a first common federation configuration attribute set and a second common federation configuration attribute set, respectively.
13. The device of claim 12, wherein the attributes in the first common federation configuration attribute set and the second common federation configuration attribute set comprise configurable attributes defined according to identity federation domain knowledge and a federation protocol.
14. The device of claim 13, wherein the federation protocol comprises the SAML protocol.
15. The device of any one of claims 12 to 14, wherein the relating module is further configured to identify one or more relating attribute pairs in the first common federation configuration attribute set and the second common federation configuration attribute set, each relating attribute pair comprising one attribute in the first common identity federation configuration attribute set and one attribute in the second common identity federation configuration attribute set.
16. The device of claim 15, wherein the conversion module is further configured to convert the first common identity federation configuration attribute set and the second common identity federation configuration attribute set into the first identity federation configuration attribute set and the second identity federation configuration attribute set, respectively.
17. The device of claim 11, wherein the value of the other attribute is a predetermined value.
18. The device of claim 11, wherein the value of the other attribute is a value entered through the unified user interface.
19. The device of claim 15, further configured to store the set first identity federation configuration attribute set and the set second identity federation configuration attribute set in a database.
20. The device of claim 19, wherein the acquisition module is configured to obtain the already-set first identity federation configuration attribute set and second identity federation configuration attribute set from the database.
CN201110426561.4A 2011-12-19 2011-12-19 Method and device used for setting identity union configuration Active CN103164648B (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
CN201110426561.4A CN103164648B (en) 2011-12-19 Method and device used for setting identity union configuration
US13/719,305 US9122863B2 (en) 2011-12-19 2012-12-19 Configuring identity federation configuration
US14/825,850 US9576125B2 (en) 2011-12-19 2015-08-13 Configuring identity federation configuration

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201110426561.4A CN103164648B (en) 2011-12-19 Method and device used for setting identity union configuration

Publications (2)

Publication Number Publication Date
CN103164648A CN103164648A (en) 2013-06-19
CN103164648B true CN103164648B (en) 2016-12-14

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101449263A (en) * 2006-06-15 2009-06-03 国际商业机器公司 Method and apparatus for middleware assisted system integration in a federated environment
CN102118430A (en) * 2009-12-17 2011-07-06 英特尔公司 Cloud federation as a service


Similar Documents

Publication Publication Date Title
CN108322472B (en) For providing method, system and the medium of identity based on cloud and access management
CN104516730B (en) A kind of data processing method and device
CN104335189B (en) Secure access to sharing storage resource
CN103365725B (en) Method and system for dynamic allocation of workload deployment units across a plurality of clouds
US9122863B2 (en) Configuring identity federation configuration
CN103369022B (en) Method and system for communication with memory device
CN103916454B (en) Method and device for extending organizational boundaries throughout a cloud architecture
CN104660669B (en) The method and system of a host is selected from multiple main frames for application model component
CN104603762B (en) The method and system for supporting to access the coordination of the shared storage of file system using the automatic calibration of parallel file access protocol and metadata management
CN105446793A (en) Method and device for migrating virtual assets
CN104067265A (en) System and method for supporting secure application deployment in the cloud
CN106027593B (en) For dynamically maintaining the method and system of data structure
CN103379114A (en) Method and device for protecting private data in MapReduce system
CN103973641B (en) Manage the method and device of the session of different web sites
CN109906597A (en) To with data set that restricted data set and untethered system are stored and fetched from cloud network
CN103377402A (en) Multi-user analysis system and corresponding apparatus and method
CN110036385A (en) Mixed mode cloud On-premise (ON-PREMISE) secure communication
Tao et al. The research and application of network teaching platform based on cloud computing
Taufiq et al. Robust crypto-governance graduate document storage and fraud avoidance certificate in Indonesian private university
CN104424012A (en) Method and equipment used for providing user-defined virtual device
CN103164648B (en) Method and device used for setting identity union configuration
US20240046147A1 (en) Systems and methods for administrating a federated learning network
Tomašević OVERVIEW OF CLOUD COMPUTING IN BUSINESS
CN104519096A (en) Service deployment method and system used for cloud calculating system
Andini Cloud-Based Information Technology Architecture Modeling Computing

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant