Proxy system

US 20020147813A1
Filed: 11/30/2001
Published: 10/10/2002
Est. Priority Date: 12/22/2000
Status: Active Grant

First Claim

Patent Images

1. A method for allowing proxies in an Identity System, comprising the steps of:

receiving a request for a first entity to be a proxy for a second entity;

associating said first entity with one or more credentials of said second entity without authenticating said first entity as said second entity; and

allowing said first entity to use said Identity System as said second entity based on said one or more credentials of said second entity.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention is directed to technology for using a proxy in an Identity System. When a first entity is on vacation, on a business trip or otherwise unavailable to perform certain actions on an Identity System, a second entity can act as a proxy for the first entity. The Identity System will provide the second entity, acting as a proxy, with the privileges, access and rights of the first entity. In one embodiment, Identity System is part of an integrated Identity and Access System, and the second entity is a proxy in the Identity System but not in the Access System.

111 Citations

View as Search Results

49 Claims

1. A method for allowing proxies in an Identity System, comprising the steps of:
- receiving a request for a first entity to be a proxy for a second entity;
  
  associating said first entity with one or more credentials of said second entity without authenticating said first entity as said second entity; and
  
  allowing said first entity to use said Identity System as said second entity based on said one or more credentials of said second entity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 25, 26, 27, 28, 29, 30, 31)
- - 2. A method according to claim 1, wherein said step of receiving a request includes the steps of:
    - providing a notification to said first entity of an ability to be said proxy for said second entity; and
      
      receiving a request from said first entity to be said proxy for said second entity.
  - 3. A method according to claim 2, wherein:
    - said notification includes an email.
  - 4. A method according to claim 2, wherein:
    - said notification includes a display page for said Identity System.
  - 5. A method according to claim 1, wherein said step of receiving a request includes the step of:
    - receiving an indication from said second entity that said first entity can be said proxy for a second entity.
  - 6. A method according to claim 1, wherein said step of receiving a request includes the steps of:
    - providing a list of potential proxy candidates;
      
      providing a search mechanism to add more candidates to said list of potential proxy candidates; and
      
      receiving a selection of one or more of said potential proxy candidates, including a selection of said first entity.
  - 7. A method according to claim 1, wherein:
    - said credentials includes a distinguished name for said second entity.
  - 8. A method according to claim 1, wherein:
    - said credentials includes identity profile attributes for said second entity.
  - 9. A method according to claim 1, wherein:
    - said step of associating includes storing an identification of said second entity in a data element used to identify said first entity.
  - 10. A method according to claim 1, wherein:
    - said step of associating includes storing an identification of said second entity in a cookie for said first entity.
  - 11. A method according to claim 1, wherein:
    - said step of associating includes using an identification of said second entity to identify said first entity.
  - 12. A method according to claim 1, wherein said step of associating includes the steps of:
    - accessing an Identity System cookie for said first entity, said Identity System cookie stores an identification of said first entity;
      
      storing said identification of said first entity from said step of accessing in a second cookie; and
      
      storing an identification of said second entity in said an Identity System cookie for said first entity.
  - 13. A method according to claim 12, further comprising the steps of:
    - receiving a request to terminate said first entity being a proxy for said second entity;
      
      accessing said identification of said first entity in said second cookie; and
      
      storing said identification of said first entity in said Identity System cookie for said first entity.
  - 14. A method according to claim 12, further comprising the steps of:
    - receiving a request from said first entity to access said Identity System;
      
      determining whether said Identity System cookie for said first entity exists;
      
      providing access to said Identity System for said first entity if said Identity System cookie for said first entity exists; and
      
      authenticating said first entity and creating said Identity System cookie if said Identity System cookie for said first entity does not exist prior to said step of determining, said step of creating includes adding said identification of said first entity to said Identity System cookie.
  - 15. A method according to claim 12, wherein said step of allowing includes the steps of:
    - receiving a request from said first entity to access a service in said Identity System;
      
      accessing said identification of said second entity in said Identity System cookie;
      
      accessing attributes for said second entity based on said identification of said second entity in said Identity System cookie; and
      
      providing access to said service in said Identity System based on said attributes for said second entity.
  - 16. A method according to claim 1, wherein:
    - said steps of receiving, associating and allowing are performed without said first entity providing a password for said second entity.
  - 17. A method according to claim 1, wherein:
    - said step of associating verifies that said second entity is a delegated administrator having a right to be proxied.
  - 18. A method according to claim 1, further comprising the step of:
    - delegating a right to be proxied to said second entity, said step of associating verifies that said second entity has said right to be proxied.
  - 19. A method according to claim 1, wherein:
    - said Identity System is part of an integrated Identity System and Access System.
  - 20. A method according to claim 1, wherein:
    - said Identity System is part of an integrated Identity System and Access System; and
      
      said an integrated Identity System and Access System uses said credentials of said second entity to authorize said second entity to access resources.
  - 21. A method according to claim 20, wherein:
    - said step of allowing does not include using said credentials of said second entity to authorize said first entity to access resources.
  - 22. A method according to claim 1, wherein:
    - said Identity System is part of an integrated Identity System and Access System; and
      
      said steps of associating and allowing provide for said first entity to be said proxy for said second entity in said Identity System but does not provide for said first entity to be said proxy for said second entity in said Access System.
  - 23. A method according to claim 1, wherein:
    - said Identity System is part of an integrated Identity System and Access System;
      
      said step of associating includes the steps of;
      
      accessing an Identity System cookie for said first entity, said Identity System cookie stores an identification of said first entity, and storing an identification of said second entity in said an Identity System cookie for said first entity;
      
      said Access System uses a Access System cookie for said first entity, said Identity System cookie is separate from said Access System cookie; and
      
      said Access System cookie for said first entity does not store an indication of said second entity.
  - 25. One or more processor readable storage devices according to claim 24, wherein:
    - said credentials includes identity profile attributes for said second entity.
  - 26. One or more processor readable storage devices according to claim 24, wherein:
    - said step of associating includes storing an identification of said second entity in a data element used to identify said first entity.
  - 27. One or more processor readable storage devices according to claim 24, wherein:
    - said step of associating includes the steps of;
      
      accessing an Identity System cookie for said first entity, said Identity System cookie stores an identification of said first entity, storing said identification of said first entity from said step of accessing in a second cookie, and storing an identification of said second entity in said an Identity System cookie for said first entity; and
      
      said method further comprises the steps of;
      
      receiving a request to terminate said first entity being a proxy for said second entity, accessing said identification of said first entity in said second cookie, and storing said identification of said first entity in said Identity System cookie for said first entity.
  - 28. One or more processor readable storage devices according to claim 27, wherein said step of allowing includes the steps of:
    - receiving a request from said first entity to access a service in said Identity System;
      
      accessing said identification of said second entity in said Identity System cookie;
      
      accessing attributes for said second entity based on said identification of said second entity in said Identity System cookie; and
      
      providing access to said service in said Identity System based on said attributes for said second entity.
  - 29. One or more processor readable storage devices according to claim 24, wherein:
    - said steps of receiving, associating and allowing are performed without said first entity providing a password for said second entity.
  - 30. One or more processor readable storage devices according to claim 24, wherein:
    - said Identity System is part of an integrated Identity System and Access System; and
      
      said steps of associating and allowing provide for said first entity to be said proxy for said second entity in said Identity System but does not provide for said first entity to be said proxy for said second entity in said Access System.
  - 31. One or more processor readable storage devices according to claim 24, wherein:
    - said Identity System is part of an integrated Identity System and Access System;
      
      said step of associating includes the steps of;
      
      accessing an Identity System cookie for said first entity, said Identity System cookie stores an identification of said first entity, and storing an identification of said second entity in said an Identity System cookie for said first entity;
      
      said Access System uses a Access System cookie for said first entity, said Identity System cookie is separate from said Access System cookie; and
      
      said Access System cookie for said first entity does not store an indication of said second entity.

24. One or more processor readable storage devices having processor readable code embodied on said processor readable storage devices, said processor readable code for programming one or more processors to perform a method comprising the steps of:
- receiving a request for a first entity to be a proxy for a second entity;
  
  associating said first entity with one or more credentials of said second entity without authenticating said first entity as said second entity; and
  
  allowing said first entity to use said Identity System as said second entity based on said one or more credentials of said second entity.

32. An apparatus that allows for proxies in an Identity System, comprising:
- one or more communication interfaces;
  
  one or more storage devices; and
  
  one or more processors in communication with said one or more storage devices and said one or more communication interfaces, said processor performs a method comprising the steps of;
  
  receiving a request for a first entity to be a proxy for a second entity, associating said first entity with one or more credentials of said second entity without authenticating said first entity as said second entity, and allowing said first entity to use said Identity System as said second entity based on said one or more credentials of said second entity.
- View Dependent Claims (33, 34, 35, 36, 37, 38, 39)
- - 33. An apparatus according to claim 32, wherein:
    - said credentials includes identity profile attributes for said second entity.
  - 34. An apparatus according to claim 32, wherein:
    - said step of associating includes storing an identification of said second entity in a data element used to identify said first entity.
  - 35. An apparatus according to claim 32, wherein:
    - said step of associating includes the steps of;
      
      accessing an Identity System cookie for said first entity, said Identity System cookie stores an identification of said first entity, storing said identification of said first entity from said step of accessing in a second cookie, and storing an identification of said second entity in said an Identity System cookie for said first entity; and
      
      said method further comprises the steps of;
      
      receiving a request to terminate said first entity being a proxy for said second entity;
      
      accessing said identification of said first entity in said second cookie, and storing said identification of said first entity in said Identity System cookie for said first entity.
  - 36. An apparatus according to claim 35, wherein said step of allowing includes the step of:
    - receiving a request from said first entity to access a service in said Identity System;
      
      accessing said identification of said second entity in said Identity System cookie;
      
      accessing attributes for said second entity based on said identification of said second entity in said Identity System cookie; and
      
      providing access to said service in said Identity System based on said attributes for said second entity.
  - 37. An apparatus according to claim 32, wherein:
    - said steps of receiving, associating and allowing are performed without said first entity providing a password for said second entity.
  - 38. An apparatus according to claim 32, wherein:
    - said Identity System is part of an integrated Identity System and Access System; and
      
      said steps of associating and allowing provide for said first entity to be said proxy for said second entity in said Identity System but does not provide for said first entity to be said proxy for said second entity in said Access System.
  - 39. An apparatus according to claim 32, wherein:
    - said Identity System is part of an integrated Identity System and Access System;
      
      said step of associating includes the steps of;
      
      accessing an Identity System cookie for said first entity, said Identity System cookie stores an identification of said first entity, and storing an identification of said second entity in said an Identity System cookie for said first entity;
      
      said Access System uses a Access System cookie for said first entity, said Identity System cookie is separate from said Access System cookie; and
      
      said Access System cookie for said first entity does not store an indication of said second entity.

40. A method for allowing proxies in a system, comprising the steps of:
- receiving an indication that a first entity can be a proxy for a second entity, said indication is from said second entity;
  
  receiving an indication from said first entity to become said proxy for said second entity;
  
  associating said first entity with one or more credentials of said second entity without authenticating said first entity as said second entity; and
  
  allowing said first entity to use said system as said second entity based on said one or more credentials of said second entity.
- View Dependent Claims (41, 42, 43, 44, 46, 47, 48, 49)
- - 41. A method according to claim 40, wherein:
    - said step of associating includes storing an identification of said second entity in a data element used to identify said first entity.
  - 42. A method according to claim 40, wherein:
    - said step of associating includes the steps of;
      
      accessing a first cookie for said first entity, said first cookie stores an identification of said first entity, storing said identification of said first entity in a second cookie, and storing an identification of said second entity in said an first cookie for said first entity; and
      
      said method further comprises the steps of;
      
      receiving a request to terminate said first entity being a proxy for said second entity, accessing said identification of said first entity in said second cookie, and storing said identification of said first entity in said first cookie for said first entity.
  - 43. A method according to claim 42, wherein said step of allowing includes the steps of:
    - receiving a request from said first entity to access a service;
      
      accessing said identification of said second entity in said first cookie;
      
      accessing attributes for said second entity based on said identification of said second entity in said first cookie; and
      
      providing access to said service based on said attributes for said second entity.
  - 44. A method according to claim 40, wherein:
    - said steps of receiving, associating and allowing are performed without said first entity providing a password for said second entity.
  - 46. One or more processor readable storage devices according to claim 45, wherein:
    - said step of associating includes storing an identification of said second entity in a data element used to identify said first entity.
  - 47. One or more processor readable storage devices according to claim 45, wherein:
    - said step of associating includes the steps of;
      
      accessing a first cookie for said first entity, said first cookie stores an identification of said first entity, storing said identification of said first entity in a second cookie, and storing an identification of said second entity in said an first cookie for said first entity; and
      
      said method further comprises the steps of;
      
      receiving a request to terminate said first entity being a proxy for said second entity, accessing said identification of said first entity in said second cookie, and storing said identification of said first entity in said first cookie for said first entity.
  - 48. One or more processor readable storage devices according to claim 47, wherein said step of allowing includes the steps of:
    - receiving a request from said first entity to access a service;
      
      accessing said identification of said second entity in said first cookie;
      
      accessing attributes for said second entity based on said identification of said second entity in said first cookie; and
      
      providing access to said service based on said attributes for said second entity.
  - 49. One or more processor readable storage devices according to claim 45, wherein:
    - said steps of receiving, associating and allowing are performed without said first entity providing a password for said second entity.

45. One or more processor readable storage devices having processor readable code embodied on said processor readable storage devices, said processor readable code for programming one or more processors to perform a method comprising the steps of:
- receiving an indication that a first entity can be a proxy for a second entity, said indication is from said second entity;
  
  receiving an indication from said first entity to become said proxy for said second entity;
  
  associating said first entity with one or more credentials of said second entity without authenticating said first entity as said second entity; and
  
  allowing said first entity to use said system as said second entity based on said one or more credentials of said second entity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Teng, Joan C., Lee, Chi-Cheng

Granted Patent

US 7,380,008 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/225
CPC Class Codes

G06F 21/41   where a single sign-on prov...

G06F 21/6218   to a system of files or obj...

G06F 2221/2119   Authenticating web pages, e...

G06Q 10/06   Resources, workflows, human...

G06Q 10/10   Office automation; Time man...

H04L 63/0281   Proxies

H04L 63/0815   providing single-sign-on or...

H04L 63/0823   using certificates cryptogr...

H04L 63/0884   by delegation of authentica...

H04L 67/02   based on web technology, e....

H04L 67/1001   for accessing one among a p...

H04L 67/306   User profiles

H04L 69/329   in the application layer [O...

Proxy system

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

111 Citations

49 Claims

Specification

Use Cases

Quick Links

Others

Proxy system

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

111 Citations

49 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others