1. Field of the Invention
The field of the invention is data processing, or, more specifically, methods, systems, and products for cross domain security information conversion.
2. Description of Related Art
A “federation” is a collection of security domains that have established trust. The level of trust may vary, but typically includes authentication and may include authorization, message integrity, message privacy, and other aspects of computer security. Examples of federation security protocols include WS-Federation, developed by IBM Corporation and Microsoft Corporation, and SAML, the Security Assertion Markup Language, developed by OASIS, the Organization for the Advancement of Structured Information Standards.
Entities within a federation often gain access to resources in a first domain using security information in a native format for the first domain (such as, for example, SAML), but to gain access to resources in a second domain, the requesting entity often must provide security information in a native format for the second domain (such as, for example, WS-Federation). Existing federation protocols such as WS-Federation define mechanisms for translating security information between domain-specific native formats. These protocols define high-level message exchanges for retrieving security information for disparate domains, but do not discuss how to perform the actual mapping.
Current cross domain security information mapping techniques do exist, but these mapping techniques have a number of drawbacks. Conventional mapping techniques often use a shared library or plug-in architecture that requires administrators or developers to be trained in, or have strong knowledge of, a traditional programming language such as C++ or Java to create the individual security information mappings, and that requires new mappings to be written for each new security information format introduced. Conventional mapping techniques are therefore not easily extensible. These conventional mapping techniques are also inefficient. Despite the requirement for extensive programming to create the mappings, typically only a very small portion of the security information data is actually needed to gain access to a resource. For example, often just a user name in the proper native format is sufficient to gain access. Such mapping systems are also often poorly written and unreliable. A badly written C or C++ plug-in that raises a segmentation fault will take down the entire system. There is a need for improved cross domain security information conversion that is extensible, robust, and employs standard technologies.
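The following is an added illustration and is not part of the patent text or any implementation it describes. It shows the two points made above, that only a small portion of a security assertion (typically the user name) is needed by the target domain, and that a data-driven mapping table avoids both the compiled plug-in and the crash-the-whole-system failure mode. The SAML assertion, the namespace prefix, the target field names, and the mapping table are all constructed here for the example; the target-domain record is a plain dictionary, not a real WS-Federation token.

```python
import xml.etree.ElementTree as ET

# Constructed sample SAML 2.0 assertion (not from the patent). Only the
# Subject/NameID and a single attribute are present, which is all the
# mapping below needs. Note that a real deployment verifies the assertion's
# signature and validity period before any of its content is trusted; that
# step is outside this example.
SAML_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.org</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="role">
      <saml:AttributeValue>reader</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Namespace map used to resolve the "saml:" prefix in the paths below.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Declarative mapping (constructed): target field name -> ElementTree path
# into the source assertion. Supporting a new target format means adding a
# table like this one rather than writing and compiling a plug-in.
TARGET_MAPPING = {
    "user": "./saml:Subject/saml:NameID",
    "role": "./saml:AttributeStatement/saml:Attribute[@Name='role']/saml:AttributeValue",
}


class MappingError(Exception):
    """Raised for a malformed assertion or a mapping entry that cannot be satisfied."""


def extract_security_info(assertion_xml: str, mapping: dict) -> dict:
    """Apply a declarative mapping to a SAML assertion and return the target record.

    Every target field is required; a missing or empty source element is an
    error rather than a silently blank field, so the target domain never
    receives a partially populated identity.
    """
    try:
        # xml.etree does not resolve external entities by default in Python 3;
        # for untrusted input in production, a hardened parser such as
        # defusedxml is the usual choice.
        root = ET.fromstring(assertion_xml)
    except ET.ParseError as exc:
        raise MappingError(f"malformed assertion: {exc}") from exc

    record = {}
    for field, path in mapping.items():
        node = root.find(path, NS)
        if node is None or not (node.text or "").strip():
            raise MappingError(f"required field {field!r} not found at {path}")
        record[field] = node.text.strip()
    return record


def convert(assertion_xml: str, mapping: dict):
    """Wrapper that turns mapping failures into a (record, error) pair.

    This is the contrast with the plug-in model described above: a bad input
    or a bad mapping produces an error for this one request instead of taking
    down the whole conversion service.
    """
    try:
        return extract_security_info(assertion_xml, mapping), None
    except MappingError as exc:
        return None, str(exc)


if __name__ == "__main__":
    print(convert(SAML_ASSERTION, TARGET_MAPPING))
    print(convert("<saml:Assertion", TARGET_MAPPING))
```

Running the block prints the mapped record for the good assertion and an error string, not a traceback, for the truncated one. Adding a second target domain is a second mapping dictionary; the parsing and error handling are shared.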