Credential management
2 Assignments
0 Petitions
Abstract
Described herein is an implementation of a technology for managing credentials. With an implementation, a credential manager is domain-authentication aware, and concurrent authentications with multiple independent networks (e.g., domains) may be established and maintained. Moreover, a credential manager provides a credential-model retrofit for legacy applications that only understand the password model. The manager provides a mechanism where the application is only a “blind courier” of credentials between the trusted part of the OS and the network and/or network resource. The manager fully insulates the application from “read” access to the credentials. This abstract itself is not intended to limit the scope of this patent. The scope of the present invention is pointed out in the appended claims.
93 Citations
35 Claims
1. A method for accommodating a legacy application, the method comprising:
obtaining a request for a high-level credential from a legacy application;
marshalling the requested credential;
returning the marshaled credential to the application.
Dependent claims: 2, 3, 4, 5, 6, 7
8. In a computing environment where processes have a provision for low-level credentials but have no provision for high-level credentials, a method for accommodating such processes comprising:
obtaining a request for a credential from a process, wherein the requested credential is a high-level credential;
retrieving the requested credential from a database;
converting the requested high-level credential into a format approximating a low-level credential and representative of the requested high-level credential;
returning the converted credential to the process.
Dependent claims: 9, 10, 11, 12
13. A method for authenticating a user to a network, the method comprising:
obtaining a request for a credential to authenticate the user to access a resource within the network, wherein the resource requires an appropriate credential before the user may access the resource;
locating the appropriate credential;
returning the appropriate credential to the resource within the network, so that the resource allows the user to access such resource;
wherein the obtaining, locating, and returning are performed without user interaction so that the user need not be aware that such steps are being performed.
Dependent claims: 14, 15
16. A method for concurrently accessing a first resource on a first network and a second resource on a second network, the method comprising:
first obtaining a first request for a first credential to authenticate a user to access a first resource of the first network, wherein the first resource requires an appropriate first credential before the user may access the first resource;
first locating the appropriate first credential;
first returning the appropriate first credential to the first resource of the first network, so that the first resource allows the user to access the first resource;
wherein the first obtaining, locating, and returning are performed without user interaction so that the user need not be aware that such steps are being performed;
second obtaining a second request for a second credential to authenticate a user to access a second resource of the second network, wherein the second resource requires an appropriate second credential before the user may access the second resource;
second locating the appropriate second credential;
second returning the appropriate second credential to the second resource of the second network, so that the second resource allows the user to access the second resource;
wherein the second obtaining, locating, and returning are performed without user interaction so that the user need not be aware that such steps are being performed.
Dependent claims: 17
18. A credential management architecture, comprising:
a trusted computing base (TCB) that has full access to persisted credentials, the TCB being configured to interact with an untrusted computing layer (UTCL) that accesses the persisted credentials via the TCB;
the TCB comprising:
a credential management module configured to receive requests from the UTCL for a credential for a resource, the credential being associated with a user;
a credential database associated with the user, wherein credentials are persisted within the database;
the credential management module being configured to retrieve credentials from the database.
Dependent claims: 19, 20, 21, 22
23. An apparatus comprising:
a processor;
a marshaler executable on the processor to:
obtain a high-level credential;
convert the high-level credential to generate a representation of the high-level credential that is formatted as a low-level credential so that it appears to be a conventional username/password pair.
24. A low-level-credential-application accommodation system comprising:
a request obtainer configured to obtain a request for a high-level credential from a low-level-credential-application;
a credential retriever configured to retrieve the requested credential from a database of credentials;
a marshaller configured to marshal the requested credential and return the marshaled credential to the low-level-credential-application.
Dependent claims: 25, 26, 27, 28
29. A system for authenticating a user to a network, the system comprising:
a request obtainer configured to obtain a request for a credential to authenticate the user to access a resource within the network, wherein the resource requires an appropriate credential before the user may access the resource;
a credential retriever configured to retrieve the appropriate credential from a database of credentials;
a credential returner configured to return the appropriate credential to the resource within the network, so that the resource allows the user to access such resource;
wherein the obtainer, retriever, and returner are further configured to operate without user interaction.
Dependent claims: 30, 31
32. An application programming interface (API) method comprising:
receiving a CredUIPromptForCredentials call having a set of parameters comprising a TargetName, Context, AuthFlags, and Flags;
parsing the call to retrieve the parameters to determine a specified resource;
obtaining a credential;
associating the credential with the specified resource;
persisting the credential into a database while maintaining the credential's association with the specified resource.
Dependent claims: 33
34. An application programming interface (API) method comprising:
receiving a CredUIPromptForCredentials call having a set of parameters comprising a TargetName, UserName, Password, and Flags;
parsing the call to retrieve the parameters to determine a requesting application;
obtaining a low-level credential from a user, wherein such credential includes a username and a password;
returning the low-level credential to the requesting application.
Dependent claims: 35
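The "blind courier" marshaling described in the abstract and the credential-manager architecture of claims 1, 13, 16, 18, 23 and 32, modeled together as an added Python example. This is illustrative code written for this page, not code from the patent, from Windows, or from any credential manager; the "@@" tag, the random-handle marshaled form, the single-use handle, the "*.domain" wildcard lookup policy and every class and host name are assumptions made for the illustration.

```python
import secrets
from dataclasses import dataclass
from typing import Callable, Optional

# Assumption (not from the patent): marshaled pairs carry this tag so the trusted side can tell
# them apart from a conventional username.
MARSHAL_PREFIX = "@@"


@dataclass(frozen=True)
class HighLevelCredential:
    """A credential the password model cannot express, e.g. a certificate or a ticket."""
    kind: str
    subject: str
    secret: bytes  # private key or ticket material; must never be readable by the application


class TrustedCredentialManager:
    """The TCB of claim 18: owns the persisted credential database and the marshaler."""

    def __init__(self) -> None:
        self._db: dict[str, HighLevelCredential] = {}        # TargetName -> credential
        self._handles: dict[bytes, HighLevelCredential] = {}  # live marshaled handles

    def persist(self, target_name: str, credential: HighLevelCredential) -> None:
        """Claim 32: store the credential while keeping its association with the target."""
        self._db[target_name] = credential

    def locate(self, target_name: str) -> Optional[HighLevelCredential]:
        """Exact TargetName first, then the most specific '*.domain' entry (assumed policy)."""
        if target_name in self._db:
            return self._db[target_name]
        labels = target_name.split(".")
        for i in range(1, len(labels)):
            wildcard = "*." + ".".join(labels[i:])
            if wildcard in self._db:
                return self._db[wildcard]
        return None

    def marshal(self, credential: HighLevelCredential) -> tuple[str, str]:
        """Claim 23: return something shaped like a username/password pair. The 'username' is a
        random single-use handle to the credential held inside the TCB; the secret never leaves
        this object and the 'password' field is deliberately empty."""
        handle = secrets.token_bytes(16)
        self._handles[handle] = credential
        return MARSHAL_PREFIX + handle.hex(), ""

    def unmarshal(self, username: str, password: str) -> Optional[HighLevelCredential]:
        """Map a marshaled pair back to the real credential. None means 'treat as a conventional
        username/password'. The handle is consumed, so a captured pair cannot be replayed."""
        if not username.startswith(MARSHAL_PREFIX):
            return None
        try:
            handle = bytes.fromhex(username[len(MARSHAL_PREFIX):])
        except ValueError:
            return None
        return self._handles.pop(handle, None)

    def request_credential(
        self, target_name: str, prompt: Callable[[str], Optional[HighLevelCredential]]
    ) -> Optional[tuple[str, str]]:
        """Claims 13 and 16: obtain, locate and return with no user interaction whenever a
        persisted credential matches; prompt only when nothing is on file."""
        credential = self.locate(target_name)
        if credential is None:
            credential = prompt(target_name)
            if credential is None:
                return None
            self.persist(target_name, credential)
        return self.marshal(credential)


class NetworkResource:
    """Stand-in for the network side. In the real architecture the unmarshaling happens in the
    OS network stack before anything goes on the wire; here it is folded into logon()."""

    def __init__(self, manager: TrustedCredentialManager, name: str) -> None:
        self.manager = manager
        self.name = name

    def logon(self, username: str, password: str) -> str:
        credential = self.manager.unmarshal(username, password)
        if credential is None:
            return f"{self.name}: password logon as {username}"
        return f"{self.name}: {credential.kind} logon as {credential.subject}"


def legacy_app_connect(manager: TrustedCredentialManager, resource: NetworkResource) -> str:
    """Claim 1's legacy application: it asks for a credential and forwards whatever it gets,
    unchanged, to the resource. It never prompts and never inspects the pair."""
    pair = manager.request_credential(resource.name, prompt=lambda _target: None)
    if pair is None:
        return f"{resource.name}: no credential available"
    username, password = pair
    return resource.logon(username, password)


def demo() -> dict[str, str]:
    """Constructed scenario: two independent domains with different high-level credentials."""
    manager = TrustedCredentialManager()
    manager.persist("*.corp.example",
                    HighLevelCredential("certificate", "CN=alice", b"corp-private-key"))
    manager.persist("*.partner.example",
                    HighLevelCredential("ticket", "alice@PARTNER", b"partner-session-key"))
    return {host: legacy_app_connect(manager, NetworkResource(manager, host))
            for host in ("files.corp.example", "wiki.partner.example", "unknown.example")}


if __name__ == "__main__":
    for outcome in demo().values():
        print(outcome)
```

The point of the handle-based marshaled form is the insulation the abstract describes: an application that logs, caches or leaks the pair gives an attacker a random 16-byte handle that is worthless after one logon and never contains the private key or ticket. The cost, which a practitioner retrofitting a legacy application should expect, is that an application that stores the "password" and reconnects later must go back to the manager for a fresh pair rather than replaying the old one.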
Specification