Techniques for authentication level step-down

US 10,257,205 B2
Filed: 10/14/2016
Issued: 04/09/2019
Est. Priority Date: 10/22/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, at an access agent of a single-sign-on gateway, a first request to access a first resource from a computing device by a user, wherein the first resource is provided by a resource computer system;

communicating, by the access agent, with an authorization engine of an access management system to identify a first authentication level at which access to the first resource is permitted;

in response to identifying the first authentication level, determining, by a session engine of the access management system, authentication of the user at the first authentication level;

based on determining that the user is authenticated at the first authentication level, establishing, by the session engine, a single-sign-on session at an authentication level for the computing device, wherein the authentication level of the session is the first authentication level that enables the user at the computing device to access the first resource provided by the resource computer system;

receiving, at the access agent, a second request to access a second resource from the computing device by the user;

communicating, by the access agent, with the authorization engine of the access management system to identify a second authentication level at which access to the second resource is permitted, wherein the first authentication level is different from the second authentication level at which the first resource is not accessible;

determining, by the session engine, that the received second request is an event for reducing the authentication level for the computing device;

modifying, by the session engine, the authentication level of the single sign-on session for the computing device from the first authentication level to the second authentication level based on the determination of the event, wherein the access to the first resource by the user at the computing device is prevented by modifying the authentication level of the single-sing-on session to the second authentication level; and

sending, by the session engine, information concerning the modification of the authentication level to the access agent to indicate to the access agent that the authentication level of the single sign-on session for the computing device has changed from the first authentication level to the second authentication level.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are disclosed to modify the authentication level of a session providing access to resources. In some embodiments, an access management system is configurable to enable voluntary (e.g., request by a user) or involuntary (e.g., by the access management system) reduce, or “step-down” the authentication level for a session if a lower authentication level exists. For example, an access management system may be configured to enable a user to request a step-down of the authentication level of a session to prevent access to resources at a higher authentication level. By reducing the authentication level to a lower authentication level, a user may be prompted to provide credentials for authentication according to the authentication schemes defined for higher authentication levels. These techniques can reduce, if not prevent, unauthorized access to protected resources by challenging a user for credentials to authenticate to higher authentication levels.

101 Citations

View as Search Results

9 Claims

1. A method comprising:
- receiving, at an access agent of a single-sign-on gateway, a first request to access a first resource from a computing device by a user, wherein the first resource is provided by a resource computer system;
  
  communicating, by the access agent, with an authorization engine of an access management system to identify a first authentication level at which access to the first resource is permitted;
  
  in response to identifying the first authentication level, determining, by a session engine of the access management system, authentication of the user at the first authentication level;
  
  based on determining that the user is authenticated at the first authentication level, establishing, by the session engine, a single-sign-on session at an authentication level for the computing device, wherein the authentication level of the session is the first authentication level that enables the user at the computing device to access the first resource provided by the resource computer system;
  
  receiving, at the access agent, a second request to access a second resource from the computing device by the user;
  
  communicating, by the access agent, with the authorization engine of the access management system to identify a second authentication level at which access to the second resource is permitted, wherein the first authentication level is different from the second authentication level at which the first resource is not accessible;
  
  determining, by the session engine, that the received second request is an event for reducing the authentication level for the computing device;
  
  modifying, by the session engine, the authentication level of the single sign-on session for the computing device from the first authentication level to the second authentication level based on the determination of the event, wherein the access to the first resource by the user at the computing device is prevented by modifying the authentication level of the single-sing-on session to the second authentication level; and
  
  sending, by the session engine, information concerning the modification of the authentication level to the access agent to indicate to the access agent that the authentication level of the single sign-on session for the computing device has changed from the first authentication level to the second authentication level.
- View Dependent Claims (2, 3)
- - 2. The method of claim 1, further comprising enabling, by the session engine, the computing device to access the second resource based on determining that the single sign-on session is active and that the authentication level of the single sign-on session is at the first authentication level.
  - 3. The method of claim 1, further comprising:
    - sending, to the computing device, a request for credential information of the user to access the first resource at the first authentication level;
      
      receiving, from the computing device, the credential information; and
      
      determining the authentication of the user at the first authentication level based on verifying the credential information.

4. A system comprising:
- one or more processors; and
  
  a memory accessible to the one or more processors, the memory storing one or more instructions that, upon execution by the one or more processors, causes the one or more processors to;
  
  receive a first request to access a first resource from a computing device by a user, wherein the first resource is provided by a resource computer system;
  
  identify a first authentication level at which access to the first resource is permitted;
  
  in response to identifying the first authentication level, determine authentication of the user at the first authentication level;
  
  based on determining that the user is authenticated at the first authentication level, establish a single sign-on session at an authentication level for the computing device, wherein the authentication level of the session is the first authentication level that enables the user at the computing device to access the first resource provided by the resource computer system;
  
  after the single sign-on session is established at the first authentication level, receive a second request to access a second resource from the computing device by the user;
  
  identify a second authentication level at which access to the second resource is permitted, wherein the first authentication level is different from the second authentication level at which the first resource is not accessible;
  
  determine that the received second request is an event for reducing the authentication level for the computing device,modify the authentication level of the single sign-on session for the computing device from the first authentication level to the second authentication level based on the determination of the event, wherein the access to the first resource by the user at the computing device is prevented by modifying the authentication level of the single sign-on session to the second authentication level; and
  
  sending information concerning the modification of the authentication level to an access agent to indicate to the access agent that the authentication level of the single sign-on session for the computing device has changed from the first authentication level to the second authentication level.
- View Dependent Claims (5, 6)
- - 5. The system of claim 4, wherein the system is included in an access management system.
  - 6. The system of claim 4, wherein the one or more instructions that, upon execution by the one or more processors, further causes the one or more processors to enable the computing device to access the second resource based on determining that the single sign-on session is active and that the authentication level of the single sign-on session is at the first authentication level.

7. A non-transitory computer-readable medium storing one or more instructions that, upon execution by one or more processors, causes the one or more processors to:
- receive, at a computer system of an access management system a first request to access a first resource from a computing device by a user, wherein the first resource is provided by a resource computer system;
  
  identify, by the computer system, a first authentication level at which access to the first resource is permitted;
  
  in response to identifying the first authentication level, determine, by the computer system, authentication of the user at the first authentication level;
  
  based on determining that the user is authenticated at the first authentication level, establish, by the computer system, a single sign-on session at an authentication level for the computing device, wherein the authentication level of the session is the first authentication level that enables the user at the computing device to access the first resource provided by the resource computer system;
  
  after the single sign-on session is established at the first authentication level, receive, at the computer system, a second request to access a second resource from the computing device by the user;
  
  identify, at the computer system, a second authentication level at which access to the second resource is permitted, wherein the first authentication level is different from the second authentication level at which the first resource is not accessible;
  
  determine, by the computer system, that the received second request is an event for reducing the authentication level for the computing device;
  
  modify, by the computer system, the authentication level of the single sign-on session for the computing device from the first authentication level to the second authentication level based on the determination of the event, wherein the access to the first resource by the user at the computing device is prevented by modifying the authentication level of the single sign-on session to the second authentication level; and
  
  send, by the computer system, information concerning the modification of the authentication level to an access agent to indicate to the access agent that the authentication level of the single sign-on session for the computing device has changed from the first authentication level to the second authentication level.
- View Dependent Claims (8, 9)
- - 8. The non-transitory computer-readable medium of claim 7, wherein the one or more instructions that, upon execution by the one or more processors, further causes the one or more processors to enable the computing device to access the second resource based on determining that the single sign-on session is active and that the authentication level of the single sign-on session is at the first authentication level.
  - 9. The non-transitory computer-readable medium of claim 7, wherein the non-transitory computer-readable medium is part of the access management system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Mathew, Stephen, Subramanya, Ramya, Balakrishnan, Aarathi, Koottayi, Vipin Anaparakkal, Martin, Madhu
Primary Examiner(s)
Cervetti, David Garcia

Application Number

US15/294,381
Publication Number

US 20170118223A1
Time in Patent Office

907 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/31   User authentication

G06F 21/45   Structures or tools for the...

G06F 21/554   involving event detection a...

G06F 21/6218   to a system of files or obj...

H04L 63/0815   providing single-sign-on or...

H04L 63/083   using passwords cryptograph...

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

Techniques for authentication level step-down

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

101 Citations

9 Claims

Specification

Solutions

Use Cases

Quick Links

Techniques for authentication level step-down

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

101 Citations

9 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links