Modifying a user session lifecycle in a cloud broker environment

US 10,291,636 B2
Filed: 05/23/2016
Issued: 05/14/2019
Est. Priority Date: 05/23/2016
Status: Active Grant

First Claim

Patent Images

1. A processor-implemented method for modifying a user session lifecycle, the method comprising:

instructing an identity provider to authenticate a first user session of a user device on a first cloud service provider under a single source sign-on service, wherein the authentication requires a user to provide user specific credentials;

monitoring a plurality of user behaviors exhibited during the authenticated user session;

determining a plurality of session data relating to a session timeout within the identity provider should be updated based on the monitored plurality of user behaviors and a security policy within a database, wherein initiating the session timeout relates to terminating a user session based on an elapsed time since user authentication;

modifying, within the identity provider, the determined plurality of session data based on the determination;

in response to the session timeout being initiated, instructing the identity provider to authenticate a second user session of the user device on a second cloud service provider under the single source sign-on service; and

in response to the session timeout being extended, providing user access, by an extension of the first user session, to the second cloud service provider based on the modified plurality of session data.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for modifying a user session lifecycle is provided. The method may include verifying a user session on a cloud service provider is valid. The method may also include monitoring a plurality of user behaviors exhibited during the verified user session. The method may further include determining a plurality of session data within an identity provider should be updated based on the monitored plurality of user behaviors and a policy within a database. The method may also include modifying the determined plurality of session data.

Citations

20 Claims

1. A processor-implemented method for modifying a user session lifecycle, the method comprising:
- instructing an identity provider to authenticate a first user session of a user device on a first cloud service provider under a single source sign-on service, wherein the authentication requires a user to provide user specific credentials;
  
  monitoring a plurality of user behaviors exhibited during the authenticated user session;
  
  determining a plurality of session data relating to a session timeout within the identity provider should be updated based on the monitored plurality of user behaviors and a security policy within a database, wherein initiating the session timeout relates to terminating a user session based on an elapsed time since user authentication;
  
  modifying, within the identity provider, the determined plurality of session data based on the determination;
  
  in response to the session timeout being initiated, instructing the identity provider to authenticate a second user session of the user device on a second cloud service provider under the single source sign-on service; and
  
  in response to the session timeout being extended, providing user access, by an extension of the first user session, to the second cloud service provider based on the modified plurality of session data.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the plurality of user behaviors comprises a plurality of personal identifiable information, a plurality of user activity data, a plurality of operational data detailing a plurality of operations performed by a user, a resource being accessed by the user, a plurality of user anomaly data, a device geographic location, and a device management status.
  - 3. The method of claim 1, wherein determining the plurality of session data within the identity provider should be updated further comprises:
    - analyzing the monitored plurality of user behaviors; and
      
      determining the cloud service provider has an associated risk level for a plurality of malware or a plurality of third party attacks below a preconfigured threshold based on the analyzed plurality of user behaviors.
  - 4. The method of claim 1, wherein monitoring the plurality of user behaviors utilizes a reputation service and a threat alert system.
  - 5. The method of claim 1, wherein the determined plurality of session data comprises a user inactivity timeout policy and a user session limit timeout policy.
  - 6. The method of claim 1, wherein modifying the determined plurality of session data is selected from a group consisting of extending the verified user session and terminating the verified user session.
  - 7. The method of claim 1, wherein modifying the determined plurality of session data further comprises:
    - transmitting a notification to the identity provider detailing a plurality of modification information to update the determined plurality of session data, wherein the plurality of modification information is selected from a group consisting of a session termination, a session lifetime extension, and a session re-authorization; and
      
      modifying, by the identity provider, the determined plurality of session data based the transmitted notification.

8. A computer system for modifying a user session lifecycle, the computer system comprising:
- one or more processors, one or more computer-readable memories, one or more computer-readable tangible storage medium, and program instructions stored on at least one of the one or more tangible storage medium for execution by at least one of the one or more processors via at least one of the one or more memories, wherein the computer system is capable of performing a method comprising;
  
  instructing an identity provider to authenticate a first user session of a user device on a first cloud service provider under a single source sign-on service, wherein the authentication requires a user to provide user specific credentials;
  
  monitoring a plurality of user behaviors exhibited during the authenticated user session;
  
  determining a plurality of session data relating to a session timeout within the identity provider should be updated based on the monitored plurality of user behaviors and a security policy within a database, wherein initiating the session timeout relates to terminating a user session based on an elapsed time since user authentication;
  
  modifying, within the identity provider, the determined plurality of session data based on the determination;
  
  in response to the session timeout being initiated, instructing the identity provider to authenticate a second user session of the user device on a second cloud service provider under the single source sign-on service; and
  
  in response to the session timeout being extended, providing user access, by an extension of the first user session, to the second cloud service provider based on the modified plurality of session data.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer system of claim 8, wherein the plurality of user behaviors comprises a plurality of personal identifiable information, a plurality of user activity data, a plurality of operational data detailing a plurality of operations performed by a user, a resource being accessed by the user, a plurality of user anomaly data, a device geographic location, and a device management status.
  - 10. The computer system of claim 8, wherein determining the plurality of session data within the identity provider should be updated further comprises:
    - analyzing the monitored plurality of user behaviors; and
      
      determining the cloud service provider has an associated risk level for a plurality of malware or a plurality of third party attacks below a preconfigured threshold based on the analyzed plurality of user behaviors.
  - 11. The computer system of claim 8, wherein monitoring the plurality of user behaviors utilizes a reputation service and a threat alert system.
  - 12. The computer system of claim 8, wherein the determined plurality of session data comprises a user inactivity timeout policy and a user session limit timeout policy.
  - 13. The computer system of claim 8, wherein modifying the determined plurality of session data is selected from a group consisting of extending the verified user session and terminating the verified user session.
  - 14. The computer system of claim 8, wherein modifying the determined plurality of session data further comprises:
    - transmitting a notification to the identity provider detailing a plurality of modification information to update the determined plurality of session data, wherein the plurality of modification information is selected from a group consisting of a session termination, a session lifetime extension, or a session re-authorization; and
      
      modifying, by the identity provider, the determined plurality of session data based the transmitted notification.

15. A computer program product for modifying a user session lifecycle, the computer program product comprising:
- one or more computer-readable tangible storage medium and program instructions stored on at least one of the one or more tangible storage medium, the program instructions executable by a processor, the program instructions comprising;
  
  program instructions to instruct an identity provider to authenticate a first user session of a user device on a first cloud service provider under a single source sign-on service, wherein the authentication requires a user to provide user specific credentials;
  
  program instructions to monitor a plurality of user behaviors exhibited during the authenticated user session;
  
  program instructions to determine a plurality of session data relating to a session timeout within the identity provider should be updated based on the monitored plurality of user behaviors and a policy within a database, and wherein initiating the session timeout relates to terminating a user session based on an elapsed time since user authentication;
  
  program instructions to modify, within the identity provider, the determined plurality of session data based on the determination;
  
  in response to the session timeout being initiated, program instructions to instruct the identity provider to authenticate a second user session of the user device on a second cloud service provider under the single source sign-on service; and
  
  in response to the session timeout being extended, program instructions to provide user access, by an extension of the first user session, to the second cloud service provider based on the modified plurality of session data.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer program product of claim 15, wherein the plurality of user behaviors comprises a plurality of personal identifiable information, a plurality of user activity data, a plurality of operational data detailing a plurality of operations performed by a user, a resource being accessed by the user, a plurality of user anomaly data, a device geographic location, and a device management status.
  - 17. The computer program product of claim 15, wherein determining the plurality of session data within the identity provider should be updated further comprises:
    - program instructions to analyze the monitored plurality of user behaviors; and
      
      program instructions to determine the cloud service provider has an associated risk level for a plurality of malware or a plurality of third party attacks below a preconfigured threshold based on the analyzed plurality of user behaviors.
  - 18. The computer program product of claim 15, wherein monitoring the plurality of user behaviors utilizes a reputation service and a threat alert system.
  - 19. The computer program product of claim 15, wherein the determined plurality of session data comprises a user inactivity timeout policy and a user session limit timeout policy.
  - 20. The computer program product of claim 15, wherein modifying the determined plurality of session data is selected from a group consisting of extending the verified user session and terminating the verified user session.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Backer, Shahnawaz, Hockings, Christopher J., Pranam, Codur S., Satyanarayana, Rohit U.
Primary Examiner(s)
Rashid, Harunur
Assistant Examiner(s)
Taylor, Sakinah White

Application Number

US15/161,941
Publication Number

US 20170339176A1
Time in Patent Office

1,086 Days
Field of Search

726 1
US Class Current
CPC Class Codes

H04L 63/0892   by using authentication-aut...

H04L 63/108   when the policy decisions a...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/20   for managing network securi...

H04L 67/143   Termination or inactivation...

H04L 67/535   Tracking the activity of th...

Modifying a user session lifecycle in a cloud broker environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Modifying a user session lifecycle in a cloud broker environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links