Access manager session management strategy

US 10,454,936 B2
Filed: 10/21/2016
Issued: 10/22/2019
Est. Priority Date: 10/23/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, at a computer system of an access management system, a request for access to a resource, wherein the request is received from a user operating a client device;

obtaining, by the computer system, user identity information associated with the user from an identity data store of the access management system;

authenticating, by the computer system, the user to access the resource;

using the user identity information about the user obtained from the identity data store and based on the authentication of the user for access to the resource, establishing, by the computer system, a session for the user to access the resource, wherein the establishing the session comprises;

generating session information for the session, wherein the session information includes;

(i) common attributes, and (ii) specific attributes, the common attributes include user access information that is shared between sessions, and the specific attributes include information that changes between sessions, and wherein the session information includes one or more of;

a list of partners accessed in session, an Internet protocol (IP) address of the client device, an authentication level of the session, an authentication scheme of the session, an authentication timestamp of the session, or application domain information for one or more accessed resources using the session;

storing the common attributes in a data store of the access management system, wherein the data store is implemented as a cache accessible in a distributed manner to the access management system, and the common attributes are stored associated with an identifier in the cache; and

sending an access claim to the client device for the session that is established, wherein the access claim includes the specific attributes and the identifier for the common attributes;

receiving, at the computing system, from the user operating the client device, another request for access to another resource, wherein the another request includes the access claim;

accessing, from the data store, based on the identifier, the common attributes for the session;

determining, based on the specific attributes received in the access claim and the common attributes accessed from the data store, the session established for the user;

based on authorization of the user to access the another resource, providing, by the computer system, the user with access to the another resource using the determined session;

updating, by the computer system, the session information including the specific attributes for the session based on the access to the another resource using the session; and

sending, by the computer system, the access claim to the client device for the session that is established, wherein the access claim includes the updated specific attributes and the identifier for the common attributes.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are disclosed for managing session information stored by an access management system. Certain techniques are disclosed for updating session information based characteristics of the session information to be updated. The disclose techniques disclose how session information is updated and the frequency in which the session information is updated. Certain embodiments may enable a decrease in computing performance overhead and/or memory usage overhead caused by managing session information (e.g., performing authentication or determining authorization to access a resource) for a session.

147 Citations

11 Claims

1. A method comprising:
- receiving, at a computer system of an access management system, a request for access to a resource, wherein the request is received from a user operating a client device;
  
  obtaining, by the computer system, user identity information associated with the user from an identity data store of the access management system;
  
  authenticating, by the computer system, the user to access the resource;
  
  using the user identity information about the user obtained from the identity data store and based on the authentication of the user for access to the resource, establishing, by the computer system, a session for the user to access the resource, wherein the establishing the session comprises;
  
  generating session information for the session, wherein the session information includes;
  
  (i) common attributes, and (ii) specific attributes, the common attributes include user access information that is shared between sessions, and the specific attributes include information that changes between sessions, and wherein the session information includes one or more of;
  
  a list of partners accessed in session, an Internet protocol (IP) address of the client device, an authentication level of the session, an authentication scheme of the session, an authentication timestamp of the session, or application domain information for one or more accessed resources using the session;
  
  storing the common attributes in a data store of the access management system, wherein the data store is implemented as a cache accessible in a distributed manner to the access management system, and the common attributes are stored associated with an identifier in the cache; and
  
  sending an access claim to the client device for the session that is established, wherein the access claim includes the specific attributes and the identifier for the common attributes;
  
  receiving, at the computing system, from the user operating the client device, another request for access to another resource, wherein the another request includes the access claim;
  
  accessing, from the data store, based on the identifier, the common attributes for the session;
  
  determining, based on the specific attributes received in the access claim and the common attributes accessed from the data store, the session established for the user;
  
  based on authorization of the user to access the another resource, providing, by the computer system, the user with access to the another resource using the determined session;
  
  updating, by the computer system, the session information including the specific attributes for the session based on the access to the another resource using the session; and
  
  sending, by the computer system, the access claim to the client device for the session that is established, wherein the access claim includes the updated specific attributes and the identifier for the common attributes.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein the access claim is a pre-defined response from the computing system that includes:
    - (i) a portion of the session information including the specific attributes, and (ii) the identifier for the common attributes.
  - 3. The method of claim 2, wherein the pre-defined response further includes an access token, and wherein the another request for access to the another resource includes the access token sent in the response to the client device.
  - 4. The method of claim 2, wherein the pre-defined response further includes a domain name of the user.
  - 5. The method of claim 1, further comprising:
    - based on the information accessed about the user, determining that access by the session is locked; and
      
      denying the user at the device with access to the resource based on the determined session.

6. A system comprising:
- one or more processors; and
  
  a memory accessible to the one or more processors, the memory storing one or more instructions that, upon execution by the one or more processors, causes the one or more processors to;
  
  receive a request for access to a resource, wherein the request is received from a user operating a client device;
  
  obtain user identity information associated with the user from an identity data store of an access management system;
  
  authenticate the user to access the resource;
  
  using the user identity information about the user obtained from the identity data store and based on the authentication of the user for access to the resource, establish, by the access management system, a session for the user to access the resource, wherein the establishing the session comprises;
  
  generating session information for the session, wherein the session information includes;
  
  (i) common attributes, and (ii) specific attributes, the common attributes include user access information that is shared between sessions, and the specific attributes include information that changes between sessions, and wherein the session information includes one or more of;
  
  a list of partners accessed in session, an Internet protocol (IP) address of the client device, an authentication level of the session, an authentication scheme of the session, an authentication timestamp of the session, or application domain information for one or more accessed resources using the session;
  
  storing the common attributes in a data store of the access management system, wherein the data store is implemented as a cache accessible in a distributed manner to the access management system, and the common attributes are stored associated with an identifier in the cache; and
  
  sending an access claim to the client device for the session that is established, wherein the access claim includes the specific attributes and the identifier for the common attributes;
  
  receive, from the user operating the client device, another request for access to a another resource, wherein the another request includes the access claim;
  
  access, from the data store, based on the identifier, the common attributes for the session;
  
  determine, based on the specific attributes received in the access claim and the common attributes accessed from the data store, the session established for the user;
  
  based on authorization of the user to access the another resource, provide the user with access to the another resource using the determined session;
  
  update the session information including the specific attributes for the session based on the access to the another resource using the session; and
  
  send the access claim to the client device for the session that is established, wherein the access claim includes the updated specific attributes and the identifier for the common attributes.
- View Dependent Claims (7, 8)
- - 7. The system of claim 6, wherein the access claim is a pre-defined response from the computing system that includes:
    - (i) a portion of the session information including the specific attributes, and (ii) the identifier for the common attributes.
  - 8. The system of claim 7, wherein the pre-defined response further includes an access token, and wherein the another request for access to the another resource includes the access token sent in the response to the client device.

9. A non-transitory computer-readable medium storing one or more instructions that, upon execution by one or more processors, causes the one or more processors to:
- receive a request for access to a resource, wherein the request is received from a user operating a client device;
  
  obtain user identity information associated with the user from an identity data store of an access management system;
  
  authenticate the user to access the resource;
  
  using the user identity information about the user obtained from the identity data store and based on the authentication of the user for access to the resource, establish, by the access management system, a session for the user to access the resource, wherein the establishing the session comprises;
  
  generating session information for the session, wherein the session information includes;
  
  (i) common attributes, and (ii) specific attributes, the common attributes include user access information that is shared between sessions, and the specific attributes include information that changes between sessions, and wherein the session information includes one or more of;
  
  a list of partners accessed in session, an Internet protocol (IP) address of the client device, an authentication level of the session, an authentication scheme of the session, an authentication timestamp of the session, or application domain information for one or more accessed resources using the session;
  
  storing the common attributes in a data store of the access management system, wherein the data store is implemented as a cache accessible in a distributed manner to the access management system, and the common attributes are stored associated with an identifier in the cache; and
  
  sending an access claim to the client device for the session that is established, wherein the access claim includes the specific attributes and the identifier for the common attributes;
  
  receive, from the user operating the client device, another request for access to a another resource, wherein the another request includes the access claim;
  
  access, from the data store, based on the identifier, the common attributes for the session;
  
  determine, based on the specific attributes received in the access claim and the common attributes accessed from the data store, the session established for the user;
  
  based on authorization of the user to access the another resource, provide the user with access to the another resource using the determined session;
  
  update the session information including the specific attributes for the session based on the access to the another resource using the session; and
  
  send the access claim to the client device for the session that is established, wherein the access claim includes the updated specific attributes and the identifier for the common attributes.
- View Dependent Claims (10, 11)
- - 10. The non-transitory computer-readable medium of claim 9, wherein the access claim is a pre-defined response from the computing system that includes:
    - (i) a portion of the session information including the specific attributes, and (ii) the identifier for the common attributes.
  - 11. The non-transitory computer-readable medium of claim 10, wherein the pre-defined response further includes an access token, and wherein the another request for access to the another resource includes the access token sent in the response to the client device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Koottayi, Vipin Anaparakkal, Mathew, Stephen, Martin, Madhu
Primary Examiner(s)
Pham, Luu T
Assistant Examiner(s)
Jackson, Jenise E

Application Number

US15/331,613
Publication Number

US 20170118218A1
Time in Patent Office

1,096 Days
Field of Search

726 4
US Class Current
CPC Class Codes

H04L 63/0876   based on the identity of th...

H04L 63/101   Access control lists [ACL]

H04L 63/102   Entity profiles

H04L 67/14   Session management for real...

Access manager session management strategy

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

147 Citations

11 Claims

Specification

Solutions

Use Cases

Quick Links

Access manager session management strategy

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

147 Citations

11 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links