Restricting access for a single sign-on (SSO) session
First Claim
1. A method comprising:
receiving, by a computer system from a client device operated by a first user, a request to access a first resource;
requesting, by the computer system, credential data from the first user to access the first resource;
in response to the request for the credential data, receiving, by the computer system from the client device operated by the first user, the credential data and scope information for establishing a session, wherein the scope information is provided by the first user and defines a first group of resources that are accessible by the client device during the session and/or a second group of resources that are restricted from access by the client device during the session, and wherein the first group of resources include the first resource that the first user is requesting to access;
determining, by the computer system, the credential data for the first user is valid;
in response to determining the credential data is valid, establishing, by the computer system, the session with the client device;
determining, by the computer system, a scope of authentication for the session based on the scope information provided by the first user;
configuring, by the computer system, the session for the client device based on the scope of authentication, wherein the session is configured to allow the client device to access the first group of resources during the session and/or restrict the client device from accessing the second group of resources during the session;
determining, by the computer system, the first user operating the client device is authorized to access the first resource based on the configuration of the session; and
in response to determining the first user operating the client device is authorized to access the first resource, sending, by the computer system, an authorization message to the client device to allow the first user to access the first resource.
Abstract
Techniques are disclosed for restricting access to resources accessible in a single sign-on (SSO) session. An access management system may provide access to one or more resources by implementing an SSO system that provides an SSO session. An SSO session may give an authenticated user access to the protected resources the user is entitled to access. In some instances, a user sharing a computer with other users may want to access one particular protected resource while preventing the other users of that computer from reaching the remaining protected resources that would otherwise be accessible in the SSO session. The access management system may let the user dynamically choose, for example during login, which protected resources to restrict and/or permit. Upon successful authentication, a session is established only for the protected resources permitted by the user's selection, while the other resources are restricted.
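The following is an added example, not code from the patent or its assignee, that walks through the flow of the first claim and the abstract in Python: a user presents credentials together with a self-chosen allow list and/or deny list at login; the server validates the credentials, intersects the selection with the user's stored entitlements so that the selection can only narrow access (never widen it), requires that the resource the user is asking for sits inside the resulting scope, and then answers later authorization checks from the scope bound to the session. The user names, resources, credential store and salt are all constructed for the example.

```python
"""Added example: an SSO session whose reach the user narrows at login.

All names, resources and credentials below are constructed; the functions
are hypothetical and do not come from the patent or any real SSO product.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed entitlement table: everything each user may ever reach.
ENTITLEMENTS = {
    "alice": {"mail", "calendar", "payroll", "hr"},
}

# Constructed credential store: PBKDF2-SHA256 hashes, never plaintext.
_SALT = b"constructed-salt-for-example-only"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


CREDENTIALS = {"alice": _hash("correct horse")}


class ScopeError(ValueError):
    """The user-supplied scope leaves out the resource being requested."""


@dataclass(frozen=True)
class Session:
    token: str            # opaque handle handed to the client device
    user: str
    allowed: frozenset    # resources reachable during this session only


def establish_session(user, password, requested, allow=None, deny=None):
    """Authenticate, then configure a session from the user's own selection.

    `allow` is the first group of the claim (resources the session may reach),
    `deny` the second group (resources it may not). Either may be omitted.
    Returns None when the credential data is invalid, raises ScopeError when
    the scope excludes `requested`, otherwise returns the configured Session.
    """
    stored = CREDENTIALS.get(user)
    if stored is None or not hmac.compare_digest(stored, _hash(password)):
        return None  # invalid credential data: no session is established

    entitled = ENTITLEMENTS.get(user, set())
    # The selection is a request to narrow, not a grant: intersect with the
    # stored entitlements so a resource the user is not entitled to (e.g. a
    # made-up "admin") silently drops out instead of being granted.
    scope = set(entitled) if allow is None else set(allow) & entitled
    if deny:
        scope -= set(deny)
    if requested not in scope:
        raise ScopeError(f"scope excludes the requested resource {requested!r}")

    # The scope lives server-side, keyed by the token; the client only holds
    # the token and cannot widen the scope by editing what it stores.
    return Session(secrets.token_urlsafe(32), user, frozenset(scope))


def authorize(session, resource):
    """Decide a later access request from the session's configured scope."""
    return resource in session.allowed


if __name__ == "__main__":
    s = establish_session("alice", "correct horse", "mail",
                          allow={"mail", "calendar", "payroll"},
                          deny={"payroll"})
    print("mail:", authorize(s, "mail"), "payroll:", authorize(s, "payroll"))
```

Two points matter for anyone implementing this pattern. First, the scope the user types in at login is untrusted input and must only ever subtract from what the directory already says the user may reach; without the intersection, the login form becomes a way to ask for resources the account was never granted. Second, the configured scope belongs to the server-side session record, not to a cookie or token the client device can rewrite, otherwise the next person at the shared computer can restore the full entitlement set.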
14 Claims
1. A method comprising:
receiving, by a computer system from a client device operated by a first user, a request to access a first resource;
requesting, by the computer system, credential data from the first user to access the first resource;
in response to the request for the credential data, receiving, by the computer system from the client device operated by the first user, the credential data and scope information for establishing a session, wherein the scope information is provided by the first user and defines a first group of resources that are accessible by the client device during the session and/or a second group of resources that are restricted from access by the client device during the session, and wherein the first group of resources include the first resource that the first user is requesting to access;
determining, by the computer system, the credential data for the first user is valid;
in response to determining the credential data is valid, establishing, by the computer system, the session with the client device;
determining, by the computer system, a scope of authentication for the session based on the scope information provided by the first user;
configuring, by the computer system, the session for the client device based on the scope of authentication, wherein the session is configured to allow the client device to access the first group of resources during the session and/or restrict the client device from accessing the second group of resources during the session;
determining, by the computer system, the first user operating the client device is authorized to access the first resource based on the configuration of the session; and
in response to determining the first user operating the client device is authorized to access the first resource, sending, by the computer system, an authorization message to the client device to allow the first user to access the first resource.
View Dependent Claims (2, 3, 4, 5, 6)
7. A system comprising:
a memory; and
one or more processors coupled to the memory and configured to:
receive, from a client device operated by a first user, a request to access a first resource;
request credential data from the first user to access the first resource;
in response to the request for the credential data, receive, from the client device operated by the first user, the credential data and scope information for establishing a session, wherein the scope information is provided by the first user and defines a first group of resources that are accessible by the client device during the session and/or a second group of resources that are restricted from access by the client device during the session, and wherein the first group of resources include the first resource that the first user is requesting to access;
determine the credential data for the first user is valid;
in response to determining the credential data is valid, establish the session with the client device;
determine a scope of authentication for the session based on the scope information provided by the first user;
configure the session for the client device based on the scope of authentication, wherein the session is configured to allow the client device to access the first group of resources during the session and/or restrict the client device from accessing the second group of resources during the session;
determine the first user operating the client device is authorized to access the first resource based on the configuration of the session; and
in response to determining the first user operating the client device is authorized to access the first resource, send an authorization message to the client device to allow the first user to access the first resource.
View Dependent Claims (8, 9, 10)
11. A non-transitory computer-readable medium storing a set of instructions that are executable by one or more processors to:
receive, from a client device operated by a first user, a request to access a first resource;
request credential data from the first user to access the first resource;
in response to the request for the credential data, receive, from the client device operated by the first user, the credential data and scope information for establishing a session, wherein the scope information is provided by the first user and defines a first group of resources that are accessible by the client device during the session and/or a second group of resources that are restricted from access by the client device during the session, and wherein the first group of resources include the first resource that the first user is requesting to access;
determine the credential data for the first user is valid;
in response to determining the credential data is valid, establish the session with the client device;
determine a scope of authentication for the session based on the scope information provided by the first user;
configure the session for the client device based on the scope of authentication, wherein the session is configured to allow the client device to access the first group of resources during the session and/or restrict the client device from accessing the second group of resources during the session;
determine the first user operating the client device is authorized to access the first resource based on the configuration of the session; and
in response to determining the first user operating the client device is authorized to access the first resource, send an authorization message to the client device to allow the first user to access the first resource.
View Dependent Claims (12, 13, 14)