(12) United States Patent

Transcription

1 (12) United States Patent US B2 (10) Patent N0.: Cheng et a]. () Date of Patent: Jan. 17, 12 (54) METHOD AND SYSTEM FOR (56) References Cited MULTI-PROTOCOL SINGLE LOGOUT U.S. PATENT DOCUMENTS (75) Inventors: Qingwen Cheng, Peasanton, CA (US); 04/ A1 * 7/04 Bakey et a /229 we; egg/saga; :1: e 2952 Andrew Patterson, San Jose, CA (US); nton et a ' """""""""" " Rajeev Anga, San Jose, CA (U S) * cued by examner Primary Examiner * Vivek Srivastava (73) Assignee: Orace America, Inc., Redwood City, Assistant Examiner * Anthony BroWn CA (Us) (74) Attorney, Agent, or Firm * Osha ' Liang LLP * N _ ' S b_ d_ 1 _ h f hi (57) ABSTRACT ( ) Once' u Jed-t0 any 1 amerit eterm O t S A method for muti-protoco ogout. The method incudes patent 1s extended or adjusted under..... U S C (b) by 3 days rece1v1ng, by a?rst 1dent1ty prov1der, a ogout request from a _ ' ' ' ' user agent, Wherein the?rst identity provider executes in a federation manager, and initiating a ogout on a service pro (21) App' No" 12/ vider associated With the?rst identity provider based on the ogout request by the?rst identity provider. The method fur (22) Fiedi Sep- 18, 08 ther incudes identifying, by the federation manager, a pu raity of identity providers associated With the user agent, (65) Prior Pubication Data Wherein the puraity of identity providers communicate using heterogeneous federation protocos, and initiating, by Us 10/ A1 Mar the federation manager, a ogout on each of the puraity of identity providers based on the ogout request using the pu (06.01) (51) Int. C. H04L 29/00 raity of heterogeneous federation protocos. The method fur ther incudes initiating, by the puraity of identity providers, (52) us. C /8; 709/ ogout Of each service Provider Corresponding to the Pura... _ 1t 0 1 ent1t rov1 ers, 1 ent1 1n a status 0 eac 0 out, (58) Fied of Cassi?cation Search /229, ' y f d ' y P d d 'fy' g f M g and sending the status to the user agent. 726/8 See appication?e for compete search history. Caims, 5 Drawing Sheets Federation Manager 108 Circe of TTt Manager 1 12M Federation Protoco N Singe Logoff (SLO) Service Provider Interface (SPI) M Session Cache 11% Identity Provider (IDP) A i 1.12M Federation Protoco M Singe Logoff (SLO) Service Provider interface (SPI) 4 Muti-Fed eration Protoco Manager i 110B Identity Provider (idp) B t ' 194x : Service Provider (SP) X 122 User Agent

2 US. Patent Jan. 17, 12 Sheet 1 of5 16 Federation Manager m Circe of Trust Manager 1 12N 1 12M Federation Protoco N Singe Federation Protoco M Singe Logoff (SLO) Service Provider Interface (SPI) i? Session 4-: Cache t t Logot f (SLO) Service Provider Interface (SPI) 1_4 Muti-Federation Protoco Manager 1 10A 1 10B Identity Provider (IDP) A Identity Provider (IDP) B t i I ' 1_O_ : 104x 1042 Service Service I ' Provider (SP) ' ' Provider (SP) ' ' x z ' a m m m M User Agent FIG. 1

3 US. Patent Jan. 17, 12 Sheet 2 of5 i [- Step 1 User requests access to service provider Step 3 User aready authenticated to service provider? NO + / Step 4 Refer user to the identity provider corresponding to the service provider in the circe of trust YES YE User authenticated at the identity provider? Step 5 [- Step 7 NO Generate * /_ Step 9 assertion Identity provider corresponding to service provider authenticates user to generate assertion I- Step 211 > Assertion sent to service provider I,- Step 213 Service provider verifies assertion I [- Step 215 > User granted access to service FIG. 2

4 US. Patent Jan. 17, 12 Sheet 3 of5 ( START _ V _ I,- Step 231 User initiates ogout with one of the service providers V Service provider initiates ogout with corresponding /' step 233 identity provider Corresponding identity provider sends an access /_ Step 2 request to the muti-federaton protoco manager to ogout on other identity providers Muti-federation protoco manager invokes ogout for [- Step 237 each other identity provider in circe of trust Each other identity provider perform singe ogout with / step 239 their corresponding service provider Muti-federation protoco manager destroys users /- Step 241 sessions shared among a service providers Muti-federation protoco manager sends status to f Step 243 corresponding identity provider Corresponding identity provider sends status to service / Step 2 provider FIG. 3

5

6 US. Patent Jan. 17, 12 Sheet 5 of5 12 Monitor 4 Network 0 / Computer System M Processor 51% Storage Device 9% x 410 Keyb0ard n I Mouse FIG. 5

7 1 METHOD AND SYSTEM FOR MULTI-PROTOCOL SINGLE LOGOUT BACKGROUND One of the bene?ts of a network is to aow users to access services from a remote computer system using a oca com puter system. For exampe, users may use onine banking services to check their?nancia accounts, onine gaming ser vices to pay games With other users, on-demand video ser vices to Watch movies, and access other such services. Often the services are provided by different service providers. The service providers may require that the users are authenticated before providing access to the resource. In order to authenticate the user, the service provider may require that the user have a digita identity associated With the service provider. Thus, When mutipe service providers are controed by different business organizations, a user may have mutipe digita identities, one for each service provider. Because of the mutipe digita identities, a user may be required to sign-on to each service provider separatey. In order to remove this requirement, identity federation may be used. Identity federation aows business organizations contro ing different service providers to form a partnership and share digita identities. The partnership aows the service providers to form a circe of trust. The circe of trust has a one or more identity providers that communicates With the ser vice providers and manages the authentication of the user. Thus, When a user is authenticated to one service provider, the user may be automaticay aowed access to other service providers in the same circe of trust. SUMMARY In genera, in one aspect, the invention reates to a method for muti-protoco ogout. The method incudes receiving, by a?rst identity provider, a ogout request from a user agent, Wherein the?rst identity provider executes in a federation manager, and initiating a ogout on a service provider asso ciated With the?rst identity provider based on the ogout request by the?rst identity provider. The method further incudes identifying, by the federation manager, a puraity of identity providers associated With the user agent, Wherein the puraity of identity providers communicate using heteroge neous federation protocos, and initiating, by the federation manager, a ogout on each of the puraity of identity provid ers based on the ogout request using the puraity of hetero geneous federation protocos. The method further incudes initiating, by the puraity of identity providers, a ogout of each service provider corresponding to the puraity of iden tity providers, identifying a status of each ogout, and sending the status to the user agent. In genera, in one aspect, the invention reates to a federa tion manager for muti-protoco ogout, incuding a proces sor, a muti-federation protoco manager, and a puraity of identity providers in a circe of trust. The federation manager is con?gured to receive a noti?cation from a?rst identity provider of the puraity of identity providers that a user agent has requested to ogout of a service provider associated With the?rst identity provider, Wherein the?rst identity provider uses a?rst federation protoco, identify, in response to the noti?cation, a second federation protoco used by the circe of trust, determine Whether the user agent has an open session With a second identity provider of the puraity of identity providers in the circe of trust, Wherein the second identity provider uses the second protoco, initiate a ogout of the user agent on the second identity provider, initiate, in response to the ogout, a ogout of the user agent on a second service provider associated With the second identity provider, and send a status of the ogout to the user agent. In genera, in one aspect, the invention reates to a com puter readabe medium incuding computer readabe program code embodied therein for causing a computer system to receive, by a?rst identity provider, a ogout request from a user agent, Wherein the?rst identity provider executes in a federation manager, initiate a ogout on a service provider associated With the?rst identity provider based on the ogout request by the?rst identity provider, identify, by the federa tion manager, a puraity of identity providers associated With the user agent, Wherein the puraity of identity providers communicate using heterogeneous federation protocos, ini tiate, by the federation manager, a ogout on each of the puraity of identity providers based on the ogout request using the puraity of heterogeneous federation protocos, initiate, by the puraity of identity providers, a ogout of each service provider corresponding to the puraity of identity providers, identify a status of each ogout, and send the status to the user agent. Other aspects of the invention Wi be apparent from the foowing description and the appended caims. BRIEF DESCRIPTION OF DRAWINGS FIG. 1 shows a schematic diagram in accordance With one or more embodiments of the invention. FIGS. 2 and 3 show?owcharts in accordance With one or more embodiments of the invention. FIG. 4 shows an exampe in accordance With one or more embodiments of the invention. FIG. 5 shows a computer system in accordance With one or more embodiments of the invention. DETAILED DESCRIPTION Speci?c embodiments of the invention Wi now be described in detai With reference to the accompanying?g ures. Like eements in the various?gures are denoted by ike reference numeras for consistency. In the foowing detaied description of embodiments of the invention, numerous speci?c detais are set forth in order to provide a more thorough understanding of the invention. HoWever, it Wi be apparent to one of ordinary ski in the art that the invention may be practiced Without these speci?c detais. In other instances, We-knoWn features have not been described in detai to avoid unnecessariy compicating the description. In genera, embodiments of the invention provide a method and system for singe ogout across mutipe service providers When the mutipe service providers use heterogeneous fed eration protocos. A federation protoco is a communication protoco used between the service provider and the identity provider to authenticate a user. For exampe, federation pro tocos may incude Security Assertion Markup Language (SAML) protoco, SAML version 2 (SAML v2) protoco, Web Services Federation (WS-Federation) protoco, Identity Federation FrameWork (ID-FF) protoco, and other protocos. Different service providers may be con?gured to communi cate using different federation protocos. For exampe, egacy service providers may communicate With oder and more obscure federation protocos Whie newer service providers may communicate With recenty created federation protocos. Embodiments of the invention aow for service providers using heterogeneous federation protocos to be in the same

8 3 circe of trust. A circe of trust is a group of service providers and identity providers that may share authentication informa tion. Speci?cay, When a user is authenticated to one service provider, the user is automaticay authenticated to another service provider. Embodiments of the invention aow for a singe ogout of the user from a service providers When the service providers use heterogeneous federation protocos. Speci?cay, When the user is ogged off of one service pro vider in the circe of trust, the user may automaticay be ogged off of a service providers in the circe of trust. In one or more embodiments of the invention, determining Whether a user is authenticated to a service provider and subsequenty to the circe of trust is based on the existence or ack thereof of an open user session. A user session is a period of communication activity between a time in Which the user is authenticated to a service provider and When a user is no onger authenticated to the service provider. The user session aows a user to communicate With the service provider With out requiring the user or the service provider to re-authenti cate the user. Service providers and a federation manager (discussed beow) may track Which user sessions are open. FIG. 1 shows a schematic diagram in accordance With one or more embodiments of the invention. As shown in FIG. 1, the system incudes a user agent (102), service providers (104), and a federation manager (106) in accordance With one or more embodiments of the invention. Each of these com ponents is described beow. In one or more embodiments of the invention, the user agent (102) is a program that aows the user to access service providers (104). The user agent (102) incudes functionaity to request access to each service provider, assist in authenti cating the user, and act as an interface between the user and the service provider. For exampe, the user agent (102) may be a Web browser, an appication that executes ocay on the user s computer system, or another appication that aows the user to access the service providers (104). In one or more embodiments of the invention, the user agent incudes functionaity to contact service providers (104). A service provider (104) provides a service to the user. For exampe, the service provider may provide banking ser vices, on-demand video services, ring tones for mobie tee phones, gaming services, rea-time aerts, and other services. The service provider (104) may provide the service via a network, such as a oca area network, a Wide area network (e. g., the Internet), a virtua private network, or any other type of network. The service providers (104) may be administered by the same entity or by different entities. For exampe, service provider X (104X) may be deveoped by and executed on servers associated With the XYZ Corporation Whie service providery (104Y) is deveoped by and executed on servers associated With the ABC Corporation. Aternativey, each service provider (1 04) may be administered and controed by the same entity that provides different the services. In one or more embodiments of the invention, the service providers (104) communicate using heterogeneous federa tion protocos. For exampe, service provider X (104X) may be a egacy appication in execution for mutipe years. Thus, service provider X (104X) may be con?gured to communi cate With an oder federation protoco. In the exampe, service provider Z (104Z) may be a new appication deveoped in the past year. Accordingy, service provider Z (104Z) may com municate using a newy deveoped federation protoco. Athough service provider X (104X) and service provider Z (104Z) communicate using different federation protocos, service providerx (104X) and service provider Z (104Z) may be in the same circe of trust In one or more embodiments of the invention, the service provider is connected to a federation manager (106). The federation manager (106) incudes functionaity to create and manage a circe of trust. The federation manager (106) incudes a circe of trust manager (108), identity providers (110), one or more protoco singe ogout (SLO) service provider interfaces (SPI) (e.g., 112N, 112M), a muti-federa tion protoco manager (114), and a session cache (116). Each of these components is discussed beow. A circe of trust manager (108) incudes functionaity to manage the circe of trust. Speci?cay, the circe of trust manager (108) incudes functionaity to create a new circe of trust and add and remove components to the circe of trust, such as the service providers (104) and the identity providers (110). In one or more embodiments of the invention, each identity provider (110) is associated With a federation protoco. For exampe, identity providera (1 1 0A) may communicate using SAML v2 authentication protoco Whie identity provider B (110B) communicates using ID-FF authentication protoco. The identity provider (110) incudes functionaity to service access requests for a group of service providers (104). The service providers in the group use the same federation proto co as the identity provider. The federation protoco is used to communicate access requests and responses between the identity provider (110) and the service providers (104) in the group. The access requests incude requests to authenticate a user to the circe of trust, create a session for the user, and ogout the user from the circe of trust. In one or more embodiments of the invention, identity providers incudes functionaity to initiate a ogout for a user from any identity provider or service provider in the circe of trust using different federation protocos. The ogout may be originay initiated by the identity provider or the service provider. For exampe, When a service provider in the group sends an access request to ogout a user to an identity pro vider, the identity provider incudes functionaity to initiate a ogout of the user With the remaining service providers in the group. As another exampe, the identity provider may origi nay initiate a ogout among the service providers. In the exampe, the user agent may access the identity provider using a federation protoco to perform the singe ogout. In response, the identity provider may initiate the ogout among a service providers and other identity providers. The identity provider further incudes functionaity to generate an access request to ogout the user from other service providers. Each federation protoco used by the identity providers (110) and service providers (104) impements a protoco SLO SPI (112N, 112M). In one or more embodiments of the inven tion, the protoco SLO SPI (112N, 112M) de?nes the inter face for sending a ogout request using a particuar federation protoco. In one or more embodiments of the invention, the protoco SLO SPI (112N, 112M) incudes an interface for ogging off a singe speci?ed user session, a speci?ed set of user sessions, or a user sessions. The protoco SLO SPI (112N, 112M) may aso identify the identity provider and/or service provider that initiates the singe ogout information, Whether Simpe Object Access protoco (SOAP) binding or Hypertext Transfer Protoco (HTTP) binding is used for the initiating the initia ogout request, state information about the ogout, the current status of the ogout, and other such information. The protoco SLO SPI (112N, 112M) may aso incude mechanism for responding to the entity initiating the ogout, such as succeeded, faied, a partia ogout achieved, the ogout is redirected, and other such responses. Continuing With FIG. 1, in one or more embodiments of the invention, the identity providers (110) are connected to a

9 5 muti-federation protoco manager (114). The muti-federa tion protoco manager (114) incudes functionaity to manage the ogout of a user across mutipe identity providers. Spe ci?cay, the muti-federation protoco manager (114) incudes functionaity to identify each identity provider (110) in the circe of trust. For each identity provider (110) in the circe of trust, the muti-federation protoco manager (114) incudes functionaity to determine whether the user has a session with the identity provider (110), and use the protoco SLO SPI (112N, 112M) to initiate a ogout of the user on the identity provider (110). In one or more embodiments of the invention, the muti federation protoco manager is associated with a session cache (116). The session cache maintains a isting of user sessions. In one or more embodiments of the invention, the session cache (116) incudes a tabe for each identity provider (110). The tabe identi?es the sessions open between users and service providers corresponding to the identity provider. In one or more embodiments of the invention, for each service provider, the tabe maintains a ist of users that have a session open with the service provider. Athough the above is dis cussed with respect to a tabuar approach to trace which sessions are open, other approaches and/or data structures may be used without departing from the scope of the inven tion. Different methods may be used to create a circe of trust with service providers in accordance with one or more embodiments of the invention. In one or more embodiments of the invention, a new federation manager is created. The circe of trust manager in the federation manager may instan tiate a new circe of trust. Further, identity providers are instantiated in the federation manager for each federation protoco and added to the circe of trust. In one or more embodiments of the invention, service providers are added to the circe of trust by obtaining metadata about the service providers, such as a description of the services provided by the service provider, the sign-on and ogout protocos for the service provider, how to access the service provider, and other such information. The obtained metadata may be used by the federation manager to create a remote instance of the service provider in the federation manager and add the service pro vider to the circe of trust. The remote instance aows the identity provider to interface with the service provider. In one or more embodiments of the invention, after a service pro vider is added to the circe of trust, the service provider may use the circe of trust to authenticate users and to ogout users. FIGS. 2 and 3 show?owcharts in accordance with one or more embodiments of the invention. Whie the various steps in these?owcharts are presented and described sequentiay, one of ordinary ski wi appreciate that some or a of the steps may be executed in different orders, may be combined or omitted, and some or a of the steps may be executed in parae. In addition, steps such as receive and authenticated acknowedgements have been omitted to simpify the presen tation. FIG. 2 shows a?owchart for authenticating a user to a service provider in accordance with one or more embodi ments of the invention. In step 1, a user requests access to the service provider. The user may request access to the service provider using, for exampe, a user agent. For exampe, the user may attempt to access a service provided by the service provider that requires authentication. In step 3, a determination is made whether the user is aready authenticated to the service provider. Speci?cay, the service provider may use oca session information to deter mine whether the user is aready authenticated. If the user is aready authenticated to the service provider, then the service provider grants access to the user (Step 215). Aternativey, if the user is not aready granted access to the service provider, then the service provider may refer the user to the corresponding identity provider to authenticate the user (Step 4). Speci?cay, the service provider may send an access request to the identity provider corresponding to the service provider. The service provider may aternativey redi rect the user agent of the user to the identity provider. In one or more embodiments of the invention, the access request is sent in the federation protoco used by the service provider. In one or more embodiments of the invention, a determi nation is made whether the user agent is authenticated to the identity provider (Step 5). The identity provider may query the session cache to determine whether the user is authenti cated to the circe of trust. Aternativey, the identity provider may send a query to the muti-federation protoco manager to determine whether the user is authenticated to the circe of trust. The muti-federation protoco manager may query the session cache to determine whether the user has any open sessions with service providers in the circe of trust. As another aternative, the identity provider may?rst deter mine whether the user is authenticated to another service provider corresponding to the identity provider (e.g., another service provider that uses the same federation protoco as the identity provider). If the user is not authenticated to another service provider of the identity provider, then the identity provider may send an access request to the muti-federation protoco manager to determine whether the user is authenti cated to a service provider associated with another identity provider. The muti-federation protoco manager may send a request to each identity provider using each corresponding federation protoco to determine whether the user has a ses sion with another service provider. If the user is aready authenticated to the identity provider in the circe of trust, then an assertion is generated (Step 7). The assertion aows the service provider to verify that the identity provider authenticated the user. For exampe, the assertion may identify the user, identify the access request sent by the service provider, provide information to verify the identity provider, and incude other information pertinent to authenticating the user. If the user is not aready authenticated to another service provider in the circe of trust, then the identity provider cor responding to the service provider authenticates the user to generate the assertion (Step 9). Speci?cay, the identity provider veri?es the identity of the user. The identity provider may use any method known in the art to authenticate the user. Based on the authentication, the user agent generates an assertion. In step 211, the assertion is sent to the service provider. In step 213, the service provider veri?es the assertion. If the assertion is veri?ed, the service provider grants access to the user. When granting access to the user, the service provider may create a session for the user and send the session infor mation to the federation manager. The federation manager may store the session information, such as in the session cache or with the identity provider. The user may continue to request access to different service providers in the circe of trust. Accordingy, the user may have mutipe open sessions with service providers in the circe of trust. When the user is ogged off of one service provider, the user may be ogged off of a service providers in the circe of trust. FIG. 3 shows a?owchart for performing singe ogout of a user in accordance with one or more embodiments of the invention. In one or more embodiments of the invention, the

10 7 user agent initiates a ogout With one of the service providers (step 231). The ogout request may be based on the user sending a command to ogout, the expiration of a time imit to access the service provider, etc. In step 233, the service provider initiates a ogout With the corresponding identity provider. The service provider sends the ogout request using the federation protoco of the service provider. The identity provider that uses the federation pro toco of the service provider receives the ogout request. The identity provider determines Whether any other service pro vider uses the same federation protoco. If another service provider uses the same federation protoco, then the identity provider may send to each service provider a ogout request for the user using the federation protoco. Accordingy, each service provider that receives a ogout request from the iden tity provider performs a ogout of the user. In step 2, the corresponding identity provider aso sends an access request to the muti-federation protoco manager to ogout other identity providers. For exampe, the correspond ing identity provider may perform a method ca on the muti federation protoco manager to perform a singe ogout across a identity providers Within the circe of trust. In step 237, the muti-federation protoco manager invokes a ogout for each other identity provider in the circe of trust. For exampe, the muti-federation protoco manager may use each protoco SLO SPI to invoke the singe ogout on each identity provider. In one or more embodiments of the inven tion, the muti-federation protoco manager may invoke the singe ogout sequentiay or in parae across the identity providers. In one or more embodiments of the invention, rather than sending the ogout request to each of the other identity pro viders, the muti-federation protoco manager may ony send the ogout request to identity providers Which have sessions With the user. In particuar, the muti-federation protoco manager may?rst query the session cache to determine Which identity provider corresponds to a service provider With an open session With the user. Using the response from the query, the muti-federation protoco manager may send the ogout request to ony the identity providers that correspond to ser vice providers having an open session With the user. In step 239, each identity provider performs a singe ogout With their corresponding service providers. Speci?cay, each identity provider sends in their federation protoco, a singe ogout request to each service provider. In one or more embodiments of the invention, the identity providers send the ogout request ony to the service providers that have an open session With the user. Each service provider that receives the ogout request performs a ogout of the user and may respond With a status of the ogout. In step 241, the muti-federation protoco manager destroys user s sessions shared among a service providers. The muti-federation protoco manager may aso remove information about the user s sessions from the session cache. In step 243, the muti-federation protoco manager sends the status to the corresponding identity provider. The status may indicate Whether the ogout faied, succeeded, Was a partia success (e.g., successfu ogout on some service pro viders), Whether the ogout Was redirected, such as to another uniform resource ocation (URL) in the situation in Which HTTP binding is used. In step 2, the corresponding identity provider sends the status to the service provider. The status may aso be sent to the user agent by the service provider. FIG. 4 shows an exampe in accordance With one or more embodiments of the invention. The foowing exampe is for expanatory purposes ony and not intended to imit the scope of the invention. The foowing exampe shows how a user may perform a singe ogout across mutipe service providers in a circe oftrust. In step 1 of the exampe, the setup of the circe of trust is performed across a of the service providers and identity providers. Speci?cay, in the exampe, the service providers incude a service provider that uses SAML V2 federation protoco ( SAML V2 SP ) (4), a service provider that uses ID-FF federation protoco ( ID-FF SP ) (6), and a service provider that uses WS-Federation protoco ( WS-Federation SP ) (8). In one or more embodiments of the invention, because the service providers incude service providers that use SAML V2, ID-FF, and WS-Federation protocos, a federation man ager ( FM ) (310) is instantiated With an identity provider that uses SAML V2 federation protoco ( SAML V2 IDP ) (312), an identity provider that uses ID-FF federation proto co ( ID-FF IDP ) (314), and an identity provider that uses WS-Federation protoco ( WS-Federation IDP ) (316). Each identity provider (e.g., SAML V2 IDP (312), ID-FF IDP (314), WS-Federation IDP (316)) is added to the circe of trust. Further, metadata for each service provider (e. g., SAML V2 SP (4), ID-FF SP (6), WS-Federation SP (8)) is sent to the FM (310) to create a remote service provider instance for each service provider on the FM (310). The remote service provider instance is added to the circe of trust, thereby adding the service provider (e.g., SAMLV2 SP (4), ID-FF SP (6), WS-Federation SP (8)) to the circe of trust. In addition to the remote service provider instances and the identity providers (e.g., SAML V2 IDP (312), ID-FF IDP (314), WS-Federation IDP (316)), the FM (310) aso incudes a muti-federation protoco manager ( Muti-Fed Protoco Manager ) (318). Continuing With the exampe, a singe sign-on using the SAML V2 protoco is performed in step 2. Speci?cay, the user through the user agent (3 02) requests access to the SAML V2 SP (4). In response, the SAML V2 SP (4) determines that a session is not yet open for the user at the SAML V2 SP (4). Accordingy, the SAML V2 SP (4) sends a request to the SAML V2 IDP (312) using the SAML V2 federation protoco. Because the request for access to the SAML V2 SP (3 04) is the?rst request, the SAML V2 IDP (312) determines that the user is not yet authenticated to any service provider in the circe of trust. In the exampe, the SAML V2 IDP (312) may perform the determination by querying the session cache. Because the user is not yet authenticated to any service pro viders in the circe of trust, the SAML V2 IDP (312) authen ticates the user. For exampe, the SAML V2 IDP (312) may request the user to provide a usemame and password through the user agent (2). Once the user provides the usemame and password, the SAML V2 IDP (312) authenticates the user and sends an assertion to the SAML V2 SP (4). The SAML V2 SP (6) creates a session for the user and sends the session information to the FM (310) to add to the session cache. Continuing With the exampe, a singe sign-on using the ID-FF protoco is performed in step 3. Speci?cay, the user through the user agent (2) requests access to the ID-FF SP (6). In response, the ID-FF SP (6) determines that a session is not yet open for the user at the ID-FF SP (6). Accordingy, the ID-FF SP (4) sends a request to the ID-FF IDP (314) using the ID-FF federation protoco. Because the user is aready authenticated to the SAML V2 SP (4), the ID-FF IDP (314) determines that the user is authenticated to a service provider in the circe of trust. In the exampe, the ID-FF IDP (314) may perform the determina tion by querying the session cache. Accordingy, the ID-FF

11 IDP (314) sends an assertion to the ID-FF SP (6). The ID-FF SP (6) creates a session for the user and sends the session information to the FM (310) to add to the session cache. In step 4, a singe sign-on using the WS-Federation proto co is performed. The singe sign-on using the WS-Federation protoco may proceed using the WS-Federation SP (8) and the WS-Federation IDP (316) in a manner simiar to the singe sign-on using the ID-FF IDP protoco. Continuing With the exampe, in step 5, the user initiates a singe ogout With the SAML V2 SP (4). In response, the SAML V2 SP (3 04) initiates a singe ogout using the SAML V2 protoco on the SAML V2 IDP (312) in step 6. The SAML V2 IDP determines that no other service providers exist that use the SAML V2 protoco. Thus, the SAML V2 IDP does not need to send a ogout request to other service providers using the SAML V2 protoco. In step 7, the SAML V2 IDP (312) cas the muti-fed protoco manager (318) to perform a singe ogout. In response, the muti-fed protoco manager (318) queries the session cache to determine that the user has three sessions open (i.e., the session With the SAML V2 SP (4), the session With the ID-FF SP (6), and the session With the WS-Federation SP (8)). Accordingy, in step 8, the muti-fed protoco manager (318) uses the ID-FF SLO SPI to invoke an ID-FF ogout on the ID-FF IDP (314). The ID-FF IDP (314) sends an ID-FF singe ogout request to the ID-FF SP (6) in step 9. Accord ingy, the ID-FF SP (6) performs a singe ogout of the user and responds With the status that the ogout is successfu. On receiving the response, the ID-FF IDP (314) sends a message to the muti-fed protoco manager (318) indicating that the ogout is successfu. In step 10, the muti-fed protoco manager (318) uses the WS-Federation SPI to invoke a WS-Federation ogout on the WS-Federation IDP (316). The WS-Federation IDP (316) sends a WS-Federation singe ogout request to the WS-Fed eration SP (8) in step 11. Accordingy, the WS-Federation SP (8) performs a singe ogout of the user and responds With the status that the ogout is successfu. On receiving the response, the WS-Federation IDP (316) sends a message to the muti-fed protoco manager (318) indicating that the ogout is successfu. In step 12, the muti-fed protoco manager (318) destroys the user sessions. In step 13, a ogout status is sent. In par ticuar, the muti-fed protoco manager may send a ogout status to the SAML V2 IDP (312) indicating that the ogout is successfu. In response, the SAML V2 IDP (312) may send the ogout status to the SAML V2 SP (4). Simiary, the SAML V2 SP (4) may send the ogout status to the user agent (2). The user agent may dispay the status informa tion for the user showing that the user is ogged out. Embodiments of the invention may be impemented on virtuay any type of computer regardess of the patform being used. For exampe, as shown in FIG. 4, a computer system (0) incudes one or more processor(s) (2), asso ciated memory (4) (e.g., random access memory (RAM), cache memory,?ash memory, etc.), a storage device (6) (e. g., a hard disk, an optica drive such as a compact disk drive or digita video disk (DVD) drive, a?ash memory stick, etc.), and numerous other eements and functionaities typica of today s computers (not shown). The computer (0) may aso incude input means, such as a keyboard (8), a mouse (410), or a microphone (not shown). Further, the computer (0) may incude output means, such as a monitor (412) (e.g., a iquid crysta dispay (LCD), a pasma dispay, or cathode ray tube (CRT) monitor). The computer system (0) may be connected to a network (414) (e.g., a oca area network (LAN), a Wide area network (WAN) such as the Internet, or any other simiar type of network) via a network interface connection (not shown). Those skied in the art Wi appre ciate that many different types of computer systems exist, and the aforementioned input and output means may take other forms. Generay speaking, the computer system (0) incudes at east the minima processing, input, and/ or output means necessary to practice embodiments of the invention. Further, those skied in the art Wi appreciate that one or more eements of the aforementioned computer system (0) may be ocated at a remote ocation and connected to the other eements over a network. Further, embodiments of the inven tion may be impemented on a distributed system having a puraity of nodes, Where each portion of the invention (e. g., COT manager, muti-federation protoco manager, identity provider, etc.) may be ocated on a different node Within the distributed system. In one embodiment of the invention, the node corresponds to a computer system. Aternativey, the node may correspond to a processor With associated physica memory. The node may aternativey correspond to a proces sor or a micro-core on a processor With shared memory and/ or resources. Further, software instructions to perform embodi ments of the invention may be stored on a computer readabe medium such as a compact disc (CD), a diskette, a tape, a?e, or any other computer readabe storage device. Embodiments of the invention provide a method and sys tem for performing a singe ogout amongst mutipe service providers that use heterogeneous federation protocos. In par ticuar, embodiments of the invention are abe to ensure that With a singe ogout request, a user is ogged out of the circe of trust regardess of the heterogeneous federation protocos used in the circe of trust. Thus, embodiments of the invention aow for maintaining security in a system having appica tions that use different federation protocos. Whie the invention has been described With respect to a imited number of embodiments, those skied in the art, having bene?t of this discosure, Wi appreciate that other embodiments can be devised Which do not depart from the scope of the invention as discosed herein. Accordingy, the scope of the invention shoud be imited ony by the attached caims. What is caimed is: 1. A method for muti-protoco ogout in a circe of trust, comprising: receiving, by a?rst identity provider executing on at east one computer processor, a?rst ogout request from a user agent to ogout a user, Wherein the?rst identity provider executes in a centra federation manager, Wherein the?rst identity provider manages communica tion With a service providers in the circe of trust that communicate using a?rst federation protoco; initiating, by the?rst identity provider, a ogout on any service provider associated With the?rst identity pro vider that has at east one open session With the user agent based on the?rst ogout request; sending, by the?rst identity provider to a muti-federation protoco manager, an access request to ogout the user, Wherein the muti-federation protoco manager executes in the centra federation manager; identifying, by the muti-federation protoco manager executing on the at east one computer processor, a sec ond identity provider and a third identity provider asso ciated With the user agent, Wherein the second identity provider manages communication With a service pro viders in the circe of trust that communicate using a second federation protoco, Wherein the third identity

12 11 provider manages communication With a service pro viders in the circe of trust that communicate using a third federation protoco, and Wherein the second iden tity provider and the third identity provider each execute in the centra federation manager; sending, by the muti-federation protoco manager, based on the access request, a second ogout request to the second identity provider using the second federation protoco; sending, by the second identity provider, a third ogout request to each service provider corresponding to the second identity provider that has at east one open ses sion With the user agent using the second federation protoco; sending, by the muti-federation protoco manager, based on the access request, a fourth ogout request to the third identity provider using the third federation protoco; sending, by the third identity provider, a?fth ogout request to each service provider corresponding to the third identity provider that has at east one open session With the user agent using the third federation protoco; identifying a status of each o gout of the user initiated in the circe of trust; and sending, to the user agent, the status of each ogout. 2. The method of caim 1, Wherein the muti-federation protoco manager sends ogout requests ony to identity pro viders corresponding to service providers having at east one open session With the user agent. 3. The method of caim 1, further comprising: accessing a session cache for the circe of trust to identify a puraity of open sessions; identifying a service provider for each of the puraity of open sessions to obtain a puraity of identi?ed service providers; and identifying a federation protoco corresponding to each of the puraity of identi?ed service providers to obtain a puraity of identi?ed federation protocos, Wherein identifying the second identity provider and the third identity provider is performed according to the puraity of identi?ed federation protocos. 4. The method of caim 1, further comprising: identifying the second federation protoco that corresponds to the second identity provider; and accessing a federation protoco singe ogout service pro vider interface to create the second o gout request in the second federation protoco. 5. The method of caim 1, Wherein identifying the status of each ogout comprises: receiving, by the?rst identity provider, the second identity provider, and the third identity provider, a service pro vider ogout status from a puraity of service providers; and responding, by the?rst identity provider, the second iden tity provider, and the third identity provider, to the muti federation protoco manager With the service provider ogout status. 6. The method of caim 1, Wherein the?rst federation protoco, the second federation protoco, and the third federa tion protoco comprise at east two seected from a group consisting of Security Assertion Markup Language (SAML) protoco, SAML version 2 (SAML v2) protoco, Web Ser vices Federation (WS-Federation) protoco, and Identity Fed eration Framework (ID-FF) protoco. 7. A system for muti-protoco ogout in a circe of trust, comprising: at east one computer processor; a?rst identity provider in the circe of trust, executing on the at east one computer processor, and con?gured to: receive a?rst ogout request from a user agent to ogout a user, initiate a ogout on any service provider associated With the?rst identity provider that has at east one open session With the user agent based on the?rst ogout request, Wherein the?rst identity provider manages communication With a service providers in the circe of trust that communicate using a?rst federation pro toco; and send, to a muti-federation protoco manager, an access request to ogout the user; the muti-federation protoco manager executing on the at east one computer processor and con?gured to: identify a second identity provider and a third identity provider associated With the user agent, send, based on the access request, a second ogout request to the second identity provider using a second federation protoco; and send, based on the access request, a third ogout request to the third identity provider using a third federation protoco; and send, to the user agent, a status of each ogout of the user initiated in the circe of trust; the second identity provider in the circe of trust, executing on the at east one computer processor, and con?gured to: send, in response to the second ogout request, a fourth ogout request to each service provider corresponding to the second identity provider that has at east one open session With the user agent using the second federation protoco, Wherein the second identity provider manages commu nication With a service providers in the circe of trust that communicate using the second federation proto co; and the third identity provider in the circe of trust, executing on the at east one computer processor, and con?gured to: send, in response to the third o gout request, a?fth ogout request to each service provider corresponding to the third identity provider that has at east one open session With the user agent using the third federation protoco, Wherein the third identity provider manages communi cation With a service providers in the circe of trust that communicate using the third federation protoco. 8. The system of caim 7, Wherein the muti-federation protoco manager is further con?gured to: access a session cache for the circe of trust to identify a puraity of open sessions; identify a service provider for each of the puraity of open sessions to obtain a puraity of identi?ed service pro viders; and identify a federation protoco corresponding to each of the puraity of identi?ed service providers to obtain a pu raity of identi?ed federation protocos, Wherein the second identity provider and the third identity provider are identi?ed according to the puraity of iden ti?ed federation protocos. 9. The system of caim 7, Wherein the muti-federation protoco manager is further con?gured to: identify the second federation protoco that corresponds to the second identity provider; and

13 13 access a federation protoco singe ogout service provider interface corresponding to the second federation proto co to create the second ogout request in the second federation protoco. 10. The system of caim 7, Wherein muti-federation pro toco manager is further con?gured to identify the status of each ogout of the user initiated in the circe of trust, Wherein the status of each ogout is obtained by: receiving, by the second identity provider, a service pro vider ogout status from a service provider; and responding, by the second identity provider, to the muti federation protoco manager With the service provider ogout status. 11. The system of caim 7, Wherein the?rst federation protoco, the second federation protoco, and the third federa tion protoco comprise at east two seected from a group consisting of Security Assertion Markup Language (SAML) protoco, SAML version 2 (SAML v2) protoco, Web Ser vices Federation (WS-Federation) protoco, and Identity Fed eration Framework (ID-FF) protoco. 12. A non-transitory computer readabe medium compris ing computer readabe program code embodied therein for causing a computer system to: receive, by a?rst identity provider, a?rst ogout request from a user agent to ogout a user, Wherein the?rst identity provider executes in a centra federation man ager, Wherein the?rst identity provider manages com munication With a service providers in a circe of trust that communicate using a?rst federation protoco; initiate, by the?rst identity provider, a ogout on any ser vice provider associated With the?rst identity provider that has at east one open session With the user agent based on the?rst ogout request; sending, by the?rst identity provider to a muti-federation protoco manager, an access request to ogout the user, Wherein the muti-federation protoco manager executes in the centra federation manager; identify, by the muti-federation protoco manager, a sec ond identity provider and a third identity provider asso ciated With the user agent, Wherein the second identity provider manages communication With a service pro viders in the circe of trust that communicate using a second federation protoco, Wherein the third identity provider manages communication With a service pro viders in the circe of trust that communicate using a third federation protoco, and Wherein the second iden tity provider and the third identity provider each execute in the centra federation manager; send, by the muti-federation protoco manager, based on the access request, a second ogout request to the second identity provider based on the access request using the second federation protoco; send, by the second identity provider, a third ogout request to each service provider corresponding to the second identity provider that has at east one open session With the user agent using the second federation protoco; send, by the muti-federation protoco manager, based on the access request, a fourth ogout request to the third identity provider using the third federation protoco; send, by the third identity provider, a?fth ogout request to each service provider corresponding to the third identity provider that has at east one open session With the user agent using the third federation protoco; identify a status of each ogout of the user initiated in the circe of trust; and send, to the user agent, the status of each ogout The non-transitory computer readabe medium of caim 12, Wherein the muti-federation protoco manager sends ogout requests ony to identity providers corresponding to service providers having at east one open session With the user agent. 14. The non-transitory computer readabe medium of caim 12, Wherein the computer readabe program code further causes the computer system to: access a session cache for the circe of trust to identify a puraity of open sessions; identify a service provider for each of the puraity of open sessions to obtain a puraity of identi?ed service pro viders; and identify a federation protoco corresponding to each of the puraity of identi?ed service providers to obtain a pu raity of identi?ed federation protocos, Wherein identifying the second identity provider and the third identity provider is performed according to the puraity of identi?ed federation protocos. 15. The non-transitory computer readabe medium of caim 12, Wherein the computer readabe program code further causes the computer system to: identifying the second federation protoco that corresponds to the second identity provider; and accessing a federation protoco singe ogout service pro vider interface to create the second ogout request in the second federation protoco. 16. The computer readabe medium of caim 12, Wherein identifying the status of each ogout comprises: receiving, by the?rst identity provider, the second identity provider, and the third identity provider, a service pro vider ogout status from a puraity of service providers; and responding, by the?rst identity provider, the second iden tity provider, and the third identity provider, to the muti federation protoco manager With the service provider ogout status. 17. The computer readabe medium of caim 12, Wherein the?rst federation protoco, the second federation protoco and the third federation protoco comprise at east two seected from a group consisting of Security Assertion Markup Language (SAML) protoco, SAML version 2 (SAML v2) protoco, Web Services Federation (WS-Federa tion) protoco, and Identity Federation FrameWork (ID-FF) protoco. 18. The method of caim 1, further comprising: receiving, by the?rst identity provider, a?rst request using the?rst federation protoco to authenticate the user for a?rst service provider, authenticating, by the?rst identity provider, the user to the circe of trust in response to the?rst request; sending, by the?rst identity provider, to the?rst service provider, a?rst assertion using the?rst federation pro toco to authenticate the user to the?rst service provider in response to authenticating the user to the circe of trust, Wherein the?rst service provider communicates using the?rst federation protoco; receiving, by the second identity provider, a second request using the second federation protoco to authenticate the user for a second service provider; determining, by the second identity provider, that the user is not authenticated to any service provider correspond ing to the second identity provider; sending, by the second identity provider to the muti-fed eration protoco manager, a third request to determine Whether the user is authenticated to any identity provider

14 15 in response to determining that the user is not authenti cated to any service provider corresponding to the sec ond identity provider; determining, by the muti-federation protoco manager, that the user is authenticated to the?rst identity provider in response to the third request; sending, by the muti-federation protoco manager, a response to the second identity provider that the user is authenticated using the second federation protoco; sending, by the second identity provider, to the second service provider, a second assertion using the second federation protoco to authenticate the user to the second service provider; receiving, by the second identity provider, a fourth request using the second federation protoco to authenticate the user for a third service provider; determining, by the second identity provider, that the user is authenticated to the second service provider corre sponding to the second identity provider; and sending, by the second identity provider, to the second service provider, a third assertion using the second fed eration protoco to authenticate the user to the third service provider in response to determining that the user is authenticated to the second service provider. 19. The system of caim 7, Wherein: the?rst identity provider is further con?gured to: receive a?rst request using the?rst federation protoco to authenticate the user for a?rst service provider, authenticate the user to the circe of trust in response to the?rst request; and send to the?rst service provider, a?rst assertion using the?rst federation protoco to authenticate the user to the?rst service provider in response to authenticating the user to the circe of trust, Wherein the?rst service provider communicates using the?rst federation pro toco; the second identity provider is further con?gured to: receive a second request using the second federation protoco to authenticate the user for a second service provider; determine that the user is not authenticated to any ser vice provider corresponding to the second identity provider; send, to the muti-federation protoco manager, a third request to determine Whether the user is authenticated to any identity provider in response to determining that the user is not authenticated to any service pro vider corresponding to the second identity provider; send, to the second service provider, a second assertion using the second federation protoco to authenticate the user to the second service provider based on a response from the muti-federation protoco manager; receive, by the second identity provider, a fourth request using the second federation protoco to authenticate the user for a third service provider; determine that the user is authenticated to the second service provider corresponding to the second identity provider; and send to the second service provider, a third assertion using the second federation protoco to authenticate 16 the user to the third service provider in response to determining that the user is authenticated to the sec ond service provider; and the muti-federation protoco manager is further con?g ured to: determine that the user is authenticated to the?rst iden tity provider in response to the third request; and send the response to the second identity provider that the user is authenticated using the second federation pro toco.. The non-transitory computer readabe medium of caim 12, Wherein the computer readabe program code further causes the computer system to: receive, by the?rst identity provider, a?rst request using the?rst federation protoco to authenticate the user for a?rst service provider, authenticate, by the?rst identity provider, the user to the circe of trust in response to the?rst request; send, by the?rst identity provider, to the?rst service pro vider, a?rst assertion using the?rst federation protoco to authenticate the user to the?rst service provider in response to authenticating the user to the circe of trust, Wherein the?rst service provider communicates using the?rst federation protoco; receive, by the second identity provider, a second request using the second federation protoco to authenticate the user for a second service provider; determine, by the second identity provider, that the user is not authenticated to any service provider corresponding to the second identity provider; send, by the second identity provider to the muti-federa tion protoco manager, a third request to determine Whether the user is authenticated to any identity provider in response to determining that the user is not authenti cated to any service provider corresponding to the sec ond identity provider; determine, by the muti-federation protoco manager, that the user is authenticated to the?rst identity provider in response to the third request; send, by the muti-federation protoco manager, a response to the second identity provider that the user is authenti cated using the second federation protoco; send, by the second identity provider, to the second service provider, a second assertion using the second federation protoco to authenticate the user to the second service provider; receive, by the second identity provider, a fourth request using the second federation protoco to authenticate the user for a third service provider; determine, by the second identity provider, that the user is authenticated to the second service provider correspond ing to the second identity provider; and send, by the second identity provider, to the second service provider, a third assertion using the second federation protoco to authenticate the user to the third service provider in response to determining that the user is authenticated to the second service provider.