Log-on service providing credential level change without loss of session continuity

US 20060070114A1
Filed: 09/12/2005
Published: 03/30/2006
Est. Priority Date: 08/05/1999
Status: Active Grant

First Claim

Patent Images

1. (canceled)

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security architecture has been developed in which a single sign-on is provided for multiple information resources. Rather than specifying a single authentication scheme for all information resources, the security architecture associates trust-level requirements with information resources. Authentication schemes (e.g., those based on passwords, certificates, biometric techniques, smart cards, etc.) are employed depending on the trust-level requirement(s) of an information resource (or information resources) to be accessed. Once credentials have been obtained for an entity and the entity has been authenticated to a given trust level, access is granted, without the need for further credentials and authentication, to information resources for which the authenticated trust level is sufficient.

169 Citations

21 Claims

1. (canceled)

2. A method for providing access to a plurality of secured information resources in a networked information environment, the method comprising:
- allocating a new session and an associated default credential if an access request either does not indicate a session token or indicates an invalid session token;
  
  authorizing the access request based, at least in part, on the allocated default credential, wherein the access request targets at least one of the secured information resources.
- View Dependent Claims (3, 4, 5, 6, 7, 8)
- - 3. The method of claim 2, wherein the default credential is allocated based, at least in part, on environment information and resource requested by the access request.
  - 4. The method of claim 3, wherein environment information comprises at least one of time of the access request, source of the access request, connection speed, and client application.
  - 5. The method of claim 2, wherein the session is allocated irrespective of authentication status or requestor identity.
  - 6. The method of claim 2, wherein the authorizing may refuse the access request, based, at least in part, on environment information and resource requested by the access request.
  - 7. The method of claim 2 further comprising maintaining the new session through a credential level change of the allocated default credential.
  - 8. The method of claim 2 embodied as a computer program product encoded in one or more machine-readable media.

9. A security framework for a set of one or more information resources, the security framework comprising:
- a gatekeeper operable to determine if an access request indicates an invalid session token or does not indicate a session token; and
  
  a session management component operable to allocate a session and a default credential for an access request that the gatekeeper determines as indicating an invalid session token or no session token.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The security framework of claim 9, wherein the gatekeeper is further operable to obtain one or more of environment information and source number for an access request.
  - 11. The security framework of claim 10, wherein the session management component is operable to allocate a session for an access request irrespective of authentication status or identity of a requestor of the access request.
  - 12. The security framework of claim 10, wherein the session management is operable to allocate a session and a default credential for an access request based, at least in part, on environment information obtained by the gatekeeper and a target of the access request.
  - 13. The security framework of claim 9 further comprising an authorization component operable to authorize an access request to the set of one or more information resources based, at least in part, on a credential indicated by the access request.
  - 14. The security framework of claim 9 further comprising an authentication component operable to authenticate a requestor.
  - 15. The security framework of claim 9, wherein the session management component is operable to allocate a session and a default credential for an access request irrespective of authentication status for the access request and identify of a corresponding requestor.
  - 16. The security framework of claim 9, wherein the session management component is further operable to omit binding of a session token to a session if a corresponding requestor has not yet been authenticated.

17. An apparatus comprising:
- a network interface operable to receive access requests; and
  
  means for allocating a session and a default credential for an access request that either indicates an invalid session token or does not indicate a session token, wherein the access requests target one or more information resources secured by the apparatus.
- View Dependent Claims (18, 19, 20, 21)
- - 18. The apparatus of claim 17 further comprising means for determining which of the one or more information resources is targeted by an access request and determining environment information, wherein a default credential is allocated for the access request by the allocating means based, at least in part, on the determining target information resource and environment information.
  - 19. The apparatus of claim 17 further comprising means for allowing a credential level change of an allocated default credential while maintaining a persistent session.
  - 20. The apparatus of claim 17 further comprising means to authorize an access request with a default credential therefor.
  - 21. The apparatus of claim 17 further comprising means for encoding a default credential in one of a cookie and a uniform resource locator.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Original Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Inventors
Wood, David L., Wilson, Yvonne, Ferris, Chris, Soley, William R., Norton, Derk, Weschler, Paul

Granted Patent

US 7,117,359 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/2
CPC Class Codes

G06F 21/31   User authentication

G06F 21/32   using biometric data, e.g. ...

G06F 21/34   involving the use of extern...

G06F 21/41   where a single sign-on prov...

G06F 21/6209   to a single file or object,...

G06F 2211/009   Trust

G06F 2221/2113   Multi-level security, e.g. ...

H04L 63/0815   providing single-sign-on or...

H04L 63/105   Multiple levels of security

Log-on service providing credential level change without loss of session continuity

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

169 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Log-on service providing credential level change without loss of session continuity

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

169 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links