Techniques for authentication level step-down
First Claim
1. A method comprising:
- receiving, at an access agent of a single-sign-on gateway, a first request to access a first resource from a computing device by a user, wherein the first resource is provided by a resource computer system;
communicating, by the access agent, with an authorization engine of an access management system to identify a first authentication level at which access to the first resource is permitted;
in response to identifying the first authentication level, determining, by a session engine of the access management system, authentication of the user at the first authentication level;
based on determining that the user is authenticated at the first authentication level, establishing, by the session engine, a single-sign-on session at an authentication level for the computing device, wherein the authentication level of the session is the first authentication level that enables the user at the computing device to access the first resource provided by the resource computer system;
receiving, at the access agent, a second request to access a second resource from the computing device by the user;
communicating, by the access agent, with the authorization engine of the access management system to identify a second authentication level at which access to the second resource is permitted, wherein the first authentication level is different from the second authentication level at which the first resource is not accessible;
determining, by the session engine, that the received second request is an event for reducing the authentication level for the computing device;
modifying, by the session engine, the authentication level of the single sign-on session for the computing device from the first authentication level to the second authentication level based on the determination of the event, wherein the access to the first resource by the user at the computing device is prevented by modifying the authentication level of the single-sing-on session to the second authentication level; and
sending, by the session engine, information concerning the modification of the authentication level to the access agent to indicate to the access agent that the authentication level of the single sign-on session for the computing device has changed from the first authentication level to the second authentication level.
1 Assignment
0 Petitions
Accused Products
Abstract
Techniques are disclosed to modify the authentication level of a session providing access to resources. In some embodiments, an access management system is configurable to enable voluntary (e.g., request by a user) or involuntary (e.g., by the access management system) reduce, or “step-down” the authentication level for a session if a lower authentication level exists. For example, an access management system may be configured to enable a user to request a step-down of the authentication level of a session to prevent access to resources at a higher authentication level. By reducing the authentication level to a lower authentication level, a user may be prompted to provide credentials for authentication according to the authentication schemes defined for higher authentication levels. These techniques can reduce, if not prevent, unauthorized access to protected resources by challenging a user for credentials to authenticate to higher authentication levels.
-
Citations
9 Claims
-
1. A method comprising:
-
receiving, at an access agent of a single-sign-on gateway, a first request to access a first resource from a computing device by a user, wherein the first resource is provided by a resource computer system; communicating, by the access agent, with an authorization engine of an access management system to identify a first authentication level at which access to the first resource is permitted; in response to identifying the first authentication level, determining, by a session engine of the access management system, authentication of the user at the first authentication level; based on determining that the user is authenticated at the first authentication level, establishing, by the session engine, a single-sign-on session at an authentication level for the computing device, wherein the authentication level of the session is the first authentication level that enables the user at the computing device to access the first resource provided by the resource computer system; receiving, at the access agent, a second request to access a second resource from the computing device by the user; communicating, by the access agent, with the authorization engine of the access management system to identify a second authentication level at which access to the second resource is permitted, wherein the first authentication level is different from the second authentication level at which the first resource is not accessible; determining, by the session engine, that the received second request is an event for reducing the authentication level for the computing device; modifying, by the session engine, the authentication level of the single sign-on session for the computing device from the first authentication level to the second authentication level based on the determination of the event, wherein the access to the first resource by the user at the computing device is prevented by modifying the authentication level of the single-sing-on session to the second authentication level; and sending, by the session engine, information concerning the modification of the authentication level to the access agent to indicate to the access agent that the authentication level of the single sign-on session for the computing device has changed from the first authentication level to the second authentication level. - View Dependent Claims (2, 3)
-
-
4. A system comprising:
-
one or more processors; and a memory accessible to the one or more processors, the memory storing one or more instructions that, upon execution by the one or more processors, causes the one or more processors to; receive a first request to access a first resource from a computing device by a user, wherein the first resource is provided by a resource computer system; identify a first authentication level at which access to the first resource is permitted; in response to identifying the first authentication level, determine authentication of the user at the first authentication level; based on determining that the user is authenticated at the first authentication level, establish a single sign-on session at an authentication level for the computing device, wherein the authentication level of the session is the first authentication level that enables the user at the computing device to access the first resource provided by the resource computer system; after the single sign-on session is established at the first authentication level, receive a second request to access a second resource from the computing device by the user; identify a second authentication level at which access to the second resource is permitted, wherein the first authentication level is different from the second authentication level at which the first resource is not accessible; determine that the received second request is an event for reducing the authentication level for the computing device, modify the authentication level of the single sign-on session for the computing device from the first authentication level to the second authentication level based on the determination of the event, wherein the access to the first resource by the user at the computing device is prevented by modifying the authentication level of the single sign-on session to the second authentication level; and sending information concerning the modification of the authentication level to an access agent to indicate to the access agent that the authentication level of the single sign-on session for the computing device has changed from the first authentication level to the second authentication level. - View Dependent Claims (5, 6)
-
-
7. A non-transitory computer-readable medium storing one or more instructions that, upon execution by one or more processors, causes the one or more processors to:
-
receive, at a computer system of an access management system a first request to access a first resource from a computing device by a user, wherein the first resource is provided by a resource computer system; identify, by the computer system, a first authentication level at which access to the first resource is permitted; in response to identifying the first authentication level, determine, by the computer system, authentication of the user at the first authentication level; based on determining that the user is authenticated at the first authentication level, establish, by the computer system, a single sign-on session at an authentication level for the computing device, wherein the authentication level of the session is the first authentication level that enables the user at the computing device to access the first resource provided by the resource computer system; after the single sign-on session is established at the first authentication level, receive, at the computer system, a second request to access a second resource from the computing device by the user; identify, at the computer system, a second authentication level at which access to the second resource is permitted, wherein the first authentication level is different from the second authentication level at which the first resource is not accessible; determine, by the computer system, that the received second request is an event for reducing the authentication level for the computing device; modify, by the computer system, the authentication level of the single sign-on session for the computing device from the first authentication level to the second authentication level based on the determination of the event, wherein the access to the first resource by the user at the computing device is prevented by modifying the authentication level of the single sign-on session to the second authentication level; and send, by the computer system, information concerning the modification of the authentication level to an access agent to indicate to the access agent that the authentication level of the single sign-on session for the computing device has changed from the first authentication level to the second authentication level. - View Dependent Claims (8, 9)
-
Specification