Access manager session management strategy
First Claim
Patent Images
1. A method comprising:
- receiving, at a computer system of an access management system, a request for access to a resource, wherein the request is received from a user operating a client device;
obtaining, by the computer system, user identity information associated with the user from an identity data store of the access management system;
authenticating, by the computer system, the user to access the resource;
using the user identity information about the user obtained from the identity data store and based on the authentication of the user for access to the resource, establishing, by the computer system, a session for the user to access the resource, wherein the establishing the session comprises;
generating session information for the session, wherein the session information includes;
(i) common attributes, and (ii) specific attributes, the common attributes include user access information that is shared between sessions, and the specific attributes include information that changes between sessions, and wherein the session information includes one or more of;
a list of partners accessed in session, an Internet protocol (IP) address of the client device, an authentication level of the session, an authentication scheme of the session, an authentication timestamp of the session, or application domain information for one or more accessed resources using the session;
storing the common attributes in a data store of the access management system, wherein the data store is implemented as a cache accessible in a distributed manner to the access management system, and the common attributes are stored associated with an identifier in the cache; and
sending an access claim to the client device for the session that is established, wherein the access claim includes the specific attributes and the identifier for the common attributes;
receiving, at the computing system, from the user operating the client device, another request for access to another resource, wherein the another request includes the access claim;
accessing, from the data store, based on the identifier, the common attributes for the session;
determining, based on the specific attributes received in the access claim and the common attributes accessed from the data store, the session established for the user;
based on authorization of the user to access the another resource, providing, by the computer system, the user with access to the another resource using the determined session;
updating, by the computer system, the session information including the specific attributes for the session based on the access to the another resource using the session; and
sending, by the computer system, the access claim to the client device for the session that is established, wherein the access claim includes the updated specific attributes and the identifier for the common attributes.
1 Assignment
0 Petitions
Accused Products
Abstract
Techniques are disclosed for managing session information stored by an access management system. Certain techniques are disclosed for updating session information based characteristics of the session information to be updated. The disclose techniques disclose how session information is updated and the frequency in which the session information is updated. Certain embodiments may enable a decrease in computing performance overhead and/or memory usage overhead caused by managing session information (e.g., performing authentication or determining authorization to access a resource) for a session.
147 Citations
11 Claims
-
1. A method comprising:
-
receiving, at a computer system of an access management system, a request for access to a resource, wherein the request is received from a user operating a client device; obtaining, by the computer system, user identity information associated with the user from an identity data store of the access management system; authenticating, by the computer system, the user to access the resource; using the user identity information about the user obtained from the identity data store and based on the authentication of the user for access to the resource, establishing, by the computer system, a session for the user to access the resource, wherein the establishing the session comprises; generating session information for the session, wherein the session information includes;
(i) common attributes, and (ii) specific attributes, the common attributes include user access information that is shared between sessions, and the specific attributes include information that changes between sessions, and wherein the session information includes one or more of;
a list of partners accessed in session, an Internet protocol (IP) address of the client device, an authentication level of the session, an authentication scheme of the session, an authentication timestamp of the session, or application domain information for one or more accessed resources using the session;storing the common attributes in a data store of the access management system, wherein the data store is implemented as a cache accessible in a distributed manner to the access management system, and the common attributes are stored associated with an identifier in the cache; and sending an access claim to the client device for the session that is established, wherein the access claim includes the specific attributes and the identifier for the common attributes; receiving, at the computing system, from the user operating the client device, another request for access to another resource, wherein the another request includes the access claim; accessing, from the data store, based on the identifier, the common attributes for the session; determining, based on the specific attributes received in the access claim and the common attributes accessed from the data store, the session established for the user; based on authorization of the user to access the another resource, providing, by the computer system, the user with access to the another resource using the determined session; updating, by the computer system, the session information including the specific attributes for the session based on the access to the another resource using the session; and sending, by the computer system, the access claim to the client device for the session that is established, wherein the access claim includes the updated specific attributes and the identifier for the common attributes. - View Dependent Claims (2, 3, 4, 5)
-
-
6. A system comprising:
-
one or more processors; and a memory accessible to the one or more processors, the memory storing one or more instructions that, upon execution by the one or more processors, causes the one or more processors to; receive a request for access to a resource, wherein the request is received from a user operating a client device; obtain user identity information associated with the user from an identity data store of an access management system; authenticate the user to access the resource; using the user identity information about the user obtained from the identity data store and based on the authentication of the user for access to the resource, establish, by the access management system, a session for the user to access the resource, wherein the establishing the session comprises; generating session information for the session, wherein the session information includes;
(i) common attributes, and (ii) specific attributes, the common attributes include user access information that is shared between sessions, and the specific attributes include information that changes between sessions, and wherein the session information includes one or more of;
a list of partners accessed in session, an Internet protocol (IP) address of the client device, an authentication level of the session, an authentication scheme of the session, an authentication timestamp of the session, or application domain information for one or more accessed resources using the session;storing the common attributes in a data store of the access management system, wherein the data store is implemented as a cache accessible in a distributed manner to the access management system, and the common attributes are stored associated with an identifier in the cache; and sending an access claim to the client device for the session that is established, wherein the access claim includes the specific attributes and the identifier for the common attributes; receive, from the user operating the client device, another request for access to a another resource, wherein the another request includes the access claim; access, from the data store, based on the identifier, the common attributes for the session; determine, based on the specific attributes received in the access claim and the common attributes accessed from the data store, the session established for the user; based on authorization of the user to access the another resource, provide the user with access to the another resource using the determined session; update the session information including the specific attributes for the session based on the access to the another resource using the session; and send the access claim to the client device for the session that is established, wherein the access claim includes the updated specific attributes and the identifier for the common attributes. - View Dependent Claims (7, 8)
-
-
9. A non-transitory computer-readable medium storing one or more instructions that, upon execution by one or more processors, causes the one or more processors to:
-
receive a request for access to a resource, wherein the request is received from a user operating a client device; obtain user identity information associated with the user from an identity data store of an access management system; authenticate the user to access the resource; using the user identity information about the user obtained from the identity data store and based on the authentication of the user for access to the resource, establish, by the access management system, a session for the user to access the resource, wherein the establishing the session comprises; generating session information for the session, wherein the session information includes;
(i) common attributes, and (ii) specific attributes, the common attributes include user access information that is shared between sessions, and the specific attributes include information that changes between sessions, and wherein the session information includes one or more of;
a list of partners accessed in session, an Internet protocol (IP) address of the client device, an authentication level of the session, an authentication scheme of the session, an authentication timestamp of the session, or application domain information for one or more accessed resources using the session;storing the common attributes in a data store of the access management system, wherein the data store is implemented as a cache accessible in a distributed manner to the access management system, and the common attributes are stored associated with an identifier in the cache; and sending an access claim to the client device for the session that is established, wherein the access claim includes the specific attributes and the identifier for the common attributes; receive, from the user operating the client device, another request for access to a another resource, wherein the another request includes the access claim; access, from the data store, based on the identifier, the common attributes for the session; determine, based on the specific attributes received in the access claim and the common attributes accessed from the data store, the session established for the user; based on authorization of the user to access the another resource, provide the user with access to the another resource using the determined session; update the session information including the specific attributes for the session based on the access to the another resource using the session; and send the access claim to the client device for the session that is established, wherein the access claim includes the updated specific attributes and the identifier for the common attributes. - View Dependent Claims (10, 11)
-
Specification