Active directory for user authentication in a historization system

US 10,003,592 B2
Filed: 03/05/2015
Issued: 06/19/2018
Est. Priority Date: 05/05/2014
Status: Active Grant

First Claim

Patent Images

1. A user authentication system comprising:

a processor;

a memory device coupled to the processor;

processor-executable instructions stored on the memory device and executed on the processor, said instructions comprising;

instructions for registering a main directory within a historian application;

instructions for creating a plurality of active directories and assigning a domain to each active directory, wherein each active directory and the domain assigned thereto are associated with a tenant having its own set of users and access rules, wherein each active directory stores user credentials for controlling access to the historian application by the users thereof, and wherein the active directories are separate from each other;

instructions for populating a first active directory of the plurality with user authentication information for a user of the historian application upon the user being added to the domain assigned to the first active directory;

instructions for assigning a tenant identifier to the first active directory, the tenant identifier identifying a group of users associated with the first active directory;

instructions for linking the first active directory to the historian application through the main directory by adding an application identifier to the first active directory, wherein the application identifier identifies the historian application as having access thereto controlled by the first active directory, and wherein the historian application is associated with a process control system;

instructions for redirecting a web browser to open a login page from the first active directory upon receiving a sign-in request for a historian storage associated with the first active directory, wherein one or more of the tenants are allowed access to the historian storage;

instructions for receiving credential data for the first active directory from the user;

instructions for generating a first token when the credential data matches a portion of the user authentication information, wherein the tenant identifier is included in the first token when the credential data received from the user includes the tenant identifier;

instructions for returning the first token to the web browser to open a session between the web browser and the first active directory;

instructions for converting the first token into a second token, wherein the second token is a single-use token, and wherein the second token includes a role claim based on a role of the user within the process control system and includes the tenant identifier from the first token;

instructions for validating the second token against the tenants allowed access to the historian storage; and

instructions for granting the user access to the historian application for aspects of the process control system associated with the user by the role claim of the second token upon validation thereof and to data stored in one or more storage accounts via the historian application when the second token includes the tenant identifier.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A user authentication system enables control of access to historian data through a historian application. The user authentication system creates a user authentication directory for storing user authentication information. The system populates the directory with user authentication information. The system links the directory to a historian application and receives credential data from a user. The system grants access to the historian application when it determines that the credential data from the user matches a portion of the user authentication information on the directory.

41 Citations

View as Search Results

9 Claims

1. A user authentication system comprising:
- a processor;
  
  a memory device coupled to the processor;
  
  processor-executable instructions stored on the memory device and executed on the processor, said instructions comprising;
  
  instructions for registering a main directory within a historian application;
  
  instructions for creating a plurality of active directories and assigning a domain to each active directory, wherein each active directory and the domain assigned thereto are associated with a tenant having its own set of users and access rules, wherein each active directory stores user credentials for controlling access to the historian application by the users thereof, and wherein the active directories are separate from each other;
  
  instructions for populating a first active directory of the plurality with user authentication information for a user of the historian application upon the user being added to the domain assigned to the first active directory;
  
  instructions for assigning a tenant identifier to the first active directory, the tenant identifier identifying a group of users associated with the first active directory;
  
  instructions for linking the first active directory to the historian application through the main directory by adding an application identifier to the first active directory, wherein the application identifier identifies the historian application as having access thereto controlled by the first active directory, and wherein the historian application is associated with a process control system;
  
  instructions for redirecting a web browser to open a login page from the first active directory upon receiving a sign-in request for a historian storage associated with the first active directory, wherein one or more of the tenants are allowed access to the historian storage;
  
  instructions for receiving credential data for the first active directory from the user;
  
  instructions for generating a first token when the credential data matches a portion of the user authentication information, wherein the tenant identifier is included in the first token when the credential data received from the user includes the tenant identifier;
  
  instructions for returning the first token to the web browser to open a session between the web browser and the first active directory;
  
  instructions for converting the first token into a second token, wherein the second token is a single-use token, and wherein the second token includes a role claim based on a role of the user within the process control system and includes the tenant identifier from the first token;
  
  instructions for validating the second token against the tenants allowed access to the historian storage; and
  
  instructions for granting the user access to the historian application for aspects of the process control system associated with the user by the role claim of the second token upon validation thereof and to data stored in one or more storage accounts via the historian application when the second token includes the tenant identifier.
- View Dependent Claims (2, 3)
- - 2. The user authentication system of claim 1, wherein the system grants the user access to a set of information stored by the historian storage based on the user authentication information.
  - 3. The user authentication system of claim 1, wherein said instructions further comprise:
    - instructions for saving the application identifier defining the link between the first active directory and the historian application;
      
      instructions for creating a second active directory, wherein the second active directory is separate from the first active directory; and
      
      instructions for linking the second active directory to the historian application by adding the saved application identifier to the second active directory, wherein the application identifier identifies the historian application as having access thereto further controlled by the second active directory.

4. A method for authenticating users accessing a historian application comprising:
- registering a main directory with the historian application;
  
  creating a plurality of active directories stored on a memory device, the active directories each storing user credentials for controlling access to the historian application, and the active directories each being separate from the other active directories;
  
  assigning a domain to each active directory, each active directory and the domain assigned thereto being associated with a tenant having its own set of users and access rules;
  
  populating a first active directory of the plurality with user authentication information for a user of the historian application in response to the user being added to the domain assigned to the first active directory;
  
  assigning a tenant identifier to the first active directory, the tenant identifier identifying a group of users associated with the first active directory;
  
  linking the first active directory to the historian application through the main directory by adding an application identifier to the first active directory, the application identifier identifying the historian application as having access thereto controlled by the first active directory, the historian application associated with a process control system;
  
  receiving credential data for the first active directory from the user;
  
  generating a first token when the credential data matches a portion of the user authentication information;
  
  including the tenant identifier in the first token when the credential data received from the user includes the tenant identifier;
  
  opening a session between a web browser and the first active directory upon validity confirmation of the first token;
  
  converting the first token into a second token, wherein the second token is a single-use token, and wherein the second token includes a role claim based on a role of the user within the process control system;
  
  including the tenant identifier from the first token in the second token; and
  
  granting the user access to the historian application for aspects of the process control system associated with the user by the role claim of the second token and to data stored in one or more storage accounts via the historian application when the second token includes the tenant identifier.
- View Dependent Claims (5, 6)
- - 5. The method for authenticating users of claim 4, wherein the user is granted access to a set of information stored by the historian application based on the user authentication information.
  - 6. The method for authenticating users of claim 4, further comprising:
    - saving the application identifier defining the link between the first active directory and the historian application;
      
      creating a second active directory stored on the memory device, the second active directory separate from the first active directory; and
      
      linking the second active directory to the historian application by adding the saved application identifier to the second active directory, wherein the application identifier identifies the historian application as having access thereto further controlled by the second active directory.

7. A tangible, non-transitory computer-readable storage media storing processor-executable instructions that, when executed by a processor, perform a method for implementing a user authentication system, the method comprising:
- creating a first directory stored on a memory device, the first directory storing user access credentials for controlling access to a historian application;
  
  assigning a domain to the first directory, wherein the first directory and the domain assigned thereto is associated with a tenant having a set of users and access rules;
  
  populating the first directory with user authentication information for a user of the historian application in response to the user being added to the domain assigned to the first directory;
  
  assigning a tenant identifier to the first directory, the tenant identifier identifying a group of users associated with the first directory;
  
  linking the first directory to the historian application by adding an application identifier to the first directory, wherein the application identifier identifies the historian application as having access thereto controlled by the first directory, and wherein the historian application is associated with a process control system;
  
  receiving credential data from a user;
  
  generating a first token when the credential data matches a portion of the user authentication information;
  
  including the tenant identifier in the first token when the credential data received from the user includes the tenant identifier;
  
  converting the first token into a second token, wherein the second token is a single-use token, and wherein the second token includes a role claim based on a role of the user within the process control system;
  
  including the tenant identifier from the first token in the second token; and
  
  granting the user access to the historian application for aspects of the process control system associated with the user by the role claim of the second token and to data stored in one or more storage accounts via the historian application when the second token includes the tenant identifier.
- View Dependent Claims (8, 9)
- - 8. The tangible, non-transitory computer-readable storage media of claim 7, further comprising processor-executable instructions that, when executed by a processor, create multiple directories, wherein each directory is assigned to a group of users.
  - 9. The tangible, non-transitory computer-readable storage media of claim 7, wherein the processor-executable instructions, when executed by the processor, further perform:
    - saving the application identifier defining the link between the first directory and the historian application;
      
      creating a second directory, wherein the second directory is separate from the first directory;
      
      andlinking the second directory to the historian application by adding the saved application identifier to the second directory, wherein the application identifier identifies the historian application as having access thereto further controlled by the second directory.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Schneider Electric Software, LLC (Schneider Electric SE)
Original Assignee
Schneider Electric Software, LLC (Schneider Electric SE)
Inventors
Prakash, Ravi Kumar Herunde, Gonugunta, Sudhir, Madden, John, Middleton, Elliot, Vaillancourt, Olivier, Kamath, Vinay T.
Primary Examiner(s)
Pham, Luu
Assistant Examiner(s)
Wilcox, James J

Application Number

US14/639,691
Publication Number

US 20150317463A1
Time in Patent Office

1,202 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/41   where a single sign-on prov...

G06F 21/45   Structures or tools for the...

H04L 63/0815   providing single-sign-on or...

Active directory for user authentication in a historization system

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

41 Citations

9 Claims

Specification

Solutions

Use Cases

Quick Links

Active directory for user authentication in a historization system

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

41 Citations

9 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links