Restricting access for a single sign-on (SSO) session

US 10,693,859 B2
Filed: 07/30/2015
Issued: 06/23/2020
Est. Priority Date: 07/30/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, by a computer system from a client device operated by a first user, a request to access a first resource;

requesting, by the computer system, credential data from the first user to access the first resource;

in response to the request for the credential data, receiving, by the computer system from the client device operated by the first user, the credential data and scope information for establishing a session, wherein the scope information is provided by the first user and defines a first group of resources that are accessible by the client device during the session and/or a second group of resources that are restricted from access by the client device during the session, and wherein the first group of resources include the first resource that the first user is requesting to access;

determining, by the computer system, the credential data for the first user is valid;

in response to determining the credential data is valid, establishing, by the computer system, the session with the client device;

determining, by the computer system, a scope of authentication for the session based on the scope information provided by the first user;

configuring, by the computer system, the session for the client device based on the scope of authentication, wherein the session is configured to allow the client device to access the first group of resources during the session and/or restrict the client device from accessing the second group of resources during the session;

determining, by the computer system, the first user operating the client device is authorized to access the first resource based on the configuration of the session; and

in response to determining the first user operating the client device is authorized to access the first resource, sending, by the computer system, an authorization message to the client device to allow the first user to access the first resource.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are disclosed for restricting access to resources accessible in a SSO session. An access management system may provide access one or more resources by implementing an SSO system to provide a SSO session. An SSO session may provide an authenticated user with access to protected resources to which the user is entitled to access. In some instances, a user sharing a computer with other users may want to access a particular protected resource so as to restrict other users sharing the computer from accessing other protected resources accessible to the user in an SSO session. The access management system may enable the user to dynamically choose, such as during login, the protected resources which to restrict and/or permit. Upon successful authentication, a session may be established for only those protected resources that are permitted based on the user'"'"'s selection, while the other resources are restricted.

Citations

14 Claims

1. A method comprising:
- receiving, by a computer system from a client device operated by a first user, a request to access a first resource;
  
  requesting, by the computer system, credential data from the first user to access the first resource;
  
  in response to the request for the credential data, receiving, by the computer system from the client device operated by the first user, the credential data and scope information for establishing a session, wherein the scope information is provided by the first user and defines a first group of resources that are accessible by the client device during the session and/or a second group of resources that are restricted from access by the client device during the session, and wherein the first group of resources include the first resource that the first user is requesting to access;
  
  determining, by the computer system, the credential data for the first user is valid;
  
  in response to determining the credential data is valid, establishing, by the computer system, the session with the client device;
  
  determining, by the computer system, a scope of authentication for the session based on the scope information provided by the first user;
  
  configuring, by the computer system, the session for the client device based on the scope of authentication, wherein the session is configured to allow the client device to access the first group of resources during the session and/or restrict the client device from accessing the second group of resources during the session;
  
  determining, by the computer system, the first user operating the client device is authorized to access the first resource based on the configuration of the session; and
  
  in response to determining the first user operating the client device is authorized to access the first resource, sending, by the computer system, an authorization message to the client device to allow the first user to access the first resource.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, further comprising:
    - upon configuring the session for the client device, receiving, by the computer system from the client device operated by a second user, a request to access a second resource within the session, wherein the second user is a same or different user from the first user;
      
      determining, by the computer system, the second user operating the client device is not authorized to access the second resource based on the configuration of the session, wherein the second group of resources include the second resource that the second user is request to access; and
      
      in response to determining the second user operating the client device is not authorized to access the second resource, sending, by the computer system, an authorization message to the client device to deny the second user access to the second resource.
  - 3. The method of claim 2, wherein the first resource corresponds to a first application and the second resource corresponds to a second application.
  - 4. The method of claim 2, wherein at least one of the first resource or the second resource is identified by a uniform resource identifier (URI).
  - 5. The method of claim 1, wherein the session is single-sign-on (SSO) session.
  - 6. The method of claim 1, wherein the scope information is provided by the first user in an interface provided by the client device, and wherein the interface includes one or more interactive elements to enable the first user to define the first group of resources and the second group of resources.

7. A system comprising:
- a memory; and
  
  one or more processors coupled to the memory and configured to;
  
  receive, from a client device operated by a first user, a request to access a first resource;
  
  requesting credential data from the first user to access the first resource;
  
  in response to the request for the credential data, receive, from the client device operated by the first user, the credential data and scope information for establishing a session, wherein the scope information is provided by the first user and defines a first group of resources that are accessible by the client device during the session and/or a second group of resources that are restricted from access by the client device during the session, and wherein the first group of resources include the first resource that the first user is requesting to access;
  
  determine the credential data for the first user is valid;
  
  in response to determining the credential data is valid, establish the session with the client device;
  
  determine a scope of authentication for the session based on the scope information provided by the first user;
  
  configure the session for the client device based on the scope of authentication, wherein the session is configured to allow the client device to access the first group of resources during the session and/or restrict the client device from accessing the second group of resources during the session;
  
  determine the first user operating the client device is authorized to access the first resource based on the configuration of the session; and
  
  in response to determining the first user operating the client device is authorized to access the first resource, sending an authorization message to the client device to allow the first user to access the first resource.
- View Dependent Claims (8, 9, 10)
- - 8. The system of claim 7, wherein the one or more processors are further configured to:
    - upon configuring the session for the client device, receive from the client device operated by a second user, a request to access a second resource within the session, wherein the second user is a same or different user from the first user;
      
      determine the second user operating the client device is not authorized to access the second resource based on the configuration of the session, wherein the second group of resources include the second resource that the second user is request to access; and
      
      in response to determining the second user operating the client device is not authorized to access the second resource, send an authorization message to the client device to deny the second user access to the second resource.
  - 9. The system of claim 7, wherein the scope information is provided by the first user in an interface provided by the client device, and wherein the interface includes one or more interactive elements to enable the first user to define the first group of resources and the second group of resources.
  - 10. The system of claim 7, wherein the session is single-sign-on (SSO) session.

11. A non-transitory computer-readable medium storing a set of instructions that are executable by one or more processors to:
- receive, from a client device operated by a first user, a request to access a first resource;
  
  requesting credential data from the first user to access the first resource;
  
  in response to the request for the credential data, receive, from the client device operated by the first user, the credential data and scope information for establishing a session, wherein the scope information is provided by the first user and defines a first group of resources that are accessible by the client device during the session and/or a second group of resources that are restricted from access by the client device during the session, and wherein the first group of resources include the first resource that the first user is requesting to access;
  
  determine the credential data for the first user is valid;
  
  in response to determining the credential data is valid, establish the session with the client device;
  
  determine a scope of authentication for the session based on the scope information provided by the first user;
  
  configure the session for the client device based on the scope of authentication, wherein the session is configured to allow the client device to access the first group of resources during the session and/or restrict the client device from accessing the second group of resources during the session;
  
  determine the first user operating the client device is authorized to access the first resource based on the configuration of the session; and
  
  in response to determining the first user operating the client device is authorized to access the first resource, sending an authorization message to the client device to allow the first user to access the first resource.
- View Dependent Claims (12, 13, 14)
- - 12. The non-transitory computer-readable medium of claim 11, wherein the scope information is provided by the first user in an interface provided by the client device, and wherein the interface includes one or more interactive elements to enable the first user to define the first group of resources and the second group of resources.
  - 13. The non-transitory computer-readable medium of claim 11, wherein the session is single-sign-on (SSO) session.
  - 14. The non-transitory computer-readable medium of claim 11, wherein the set of instructions are further executable by the one or more processors to:
    - upon configuring the session for the client device, receive from the client device operated by a second user, a request to access a second resource within the session, wherein the second user is a same or different user from the first user;
      
      determine the second user operating the client device is not authorized to access the second resource based on the configuration of the session, wherein the second group of resources include the second resource that the second user is request to access; and
      
      in response to determining the second user operating the client device is not authorized to access the second resource, send an authorization message to the client device to deny the second user access to the second resource.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Kukehalli Subramanya, Ramya, Mathew, Stephen
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
Truvan, Leynna

Application Number

US14/814,209
Publication Number

US 20170034152A1
Time in Patent Office

1,790 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0815   providing single-sign-on or...

H04L 63/101   Access control lists [ACL]

H04L 63/102   Entity profiles

H04L 63/108   when the policy decisions a...

H04L 67/10   in which an application is ...

Restricting access for a single sign-on (SSO) session

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Restricting access for a single sign-on (SSO) session

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links