Identity validation

US 20070283424A1
Filed: 06/01/2006
Published: 12/06/2007
Est. Priority Date: 06/01/2006
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving a sign-on token from a principal;

requesting first principal attributes from an identity service;

acquiring second principal attributes; and

validating the principal for access when the first principal attributes match the second principal attributes.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for validating identities are provided. A sign-on request is authenticated for a given principal. Attributes associated with that principal are acquired from an identity service and compared against local maintained attributes for that principal. If the identity-service acquired attributes match the local attributes, then the principal is validated for access. During principal access, selective events drive updates to the identity-service acquired attributes, and the comparison with the local attributes is performed again to determine whether the validated principal is to be invalidated or is to remain validated.

Citations

26 Claims

1. A method, comprising:
- receiving a sign-on token from a principal;
  
  requesting first principal attributes from an identity service;
  
  acquiring second principal attributes; and
  
  validating the principal for access when the first principal attributes match the second principal attributes.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein acquiring further includes obtaining the second principal attributes directly from the principal when the sign-on token represents a first access attempt by the principal.
  - 3. The method of claim 1, wherein acquiring further includes obtaining the second principal attributes from a repository when the principal has had a previous access.
  - 4. The method of claim 1, wherein requesting further includes requesting the first principal attributes in response to a policy.
  - 5. The method of claim 1 further comprising:
    - detecting an event defined by a policy during principal access;
      
      requesting an updated version of the first principal attributes from the identity service; and
      
      terminating the principal access when the updated version does not match the second principal attributes.
  - 6. The method of claim 5, wherein detecting further includes identifying the event as at least one of an attempt by the principal to access a sensitive resource and an attempt by the principal to acquire single sign-on status for purposes of accessing a different service.
  - 7. The method of claim 1 further comprising, denying accessing when the first principal attributes do not match the second principal attributes.

8. A method, comprising:
- detecting an event during a session with a principal;
  
  evaluating a policy in response to the event;
  
  acquiring first attributes from an identity service;
  
  comparing the first attributes against second attributes; and
  
  deciding to terminate the session when the policy prohibits or when the first attributes do not match the second attributes.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The method of claim 8, wherein detecting further includes recognizing the event as at least one of a single sign-on request by the principal to access another service, a federated identity request made by the principal, and an attempt by the principal to access a restricted resource.
  - 10. The method of claim 8, wherein evaluating further includes deciding whether the event warrants terminating the session of the principal or whether the event is acceptable.
  - 11. The method of claim 8, wherein evaluating further includes identifying the policy to evaluate in response to a type associated with the detected event.
  - 12. The method of claim 8, wherein comparing further includes acquiring the second attributes from at least one of an initial registration of the principal, memory, and storage.
  - 13. The method of claim 8 further comprising, ignoring the event and permitting the session to continue unabated when the policy permits and when the first attributes match the second attributes.

14. A method, comprising:
- identifying a principal that is requesting access;
  
  acquiring information on the principal from an identity service;
  
  locating local information on the principal; and
  
  validating the principal as legitimate when the information matches the local information.
- View Dependent Claims (15, 16, 17)
- - 15. The method of claim 14 further comprising:
    - detecting a federated identity request from the principal during access; and
      
      deciding whether to permit the federated identity request in response to a policy evaluation and in response to dynamically updating the information on the principal from the identity service.
  - 16. The method of claim 15, wherein detecting further includes recognizing the federated identity request as a single sign-on request that the principal makes to access another resource.
  - 17. The method of claim 14, wherein locating further includes at least one of interacting with the principal to acquire the local information directly from the principal and retrieving the local information from a local data store.

18. A system, comprising:
- an identity service; and
  
  a service provider, wherein the service provider is to interact with principals requesting access to local and external services of the service provider, and wherein the principals acquire credentials from the identity service to access the service provider, the service provider initially acquires attributes from the principals during first accesses and with each access the service provider consults the identity service for updated attributes of the principals, the updated attributes are compared against the initially acquired attributes to determine whether access is permissible to the local and external services.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26)
- - 19. The system of claim 18 further comprising, a local repository to house the initially acquired attributes.
  - 20. The system of claim 18 further comprising, a policy store to house policies for events detected during sessions with the principals, wherein a number of the policies identity specific ones of the events and instruct the service provider to terminate selective ones of the sessions.
  - 21. The system of claim 18, wherein the service provider is to determine which of the initially acquired attributes to request for which of the principals in response to policies associated with each principal.
  - 22. The system of claim 18, wherein the credentials are single sign-on tokens acquired by the principals during previous interactions with the identity service.
  - 23. The system of claim 18, wherein the service provider is to terminate access when the initially acquired attributes do not match the updated attributes.
  - 24. The system of claim 18, wherein the service provider consults a locally configured policy for each single sign-on request made by the principals to determine when such request is prohibited or permissible.
  - 25. The system of claim 18, wherein the service provider is a proxy for a service.
  - 26. The system of claim 25, wherein the proxy is a transparent proxy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Novell Incorporated (Open Text Corporation)
Inventors
Morris, Cameron Craig, Kinser, Stephen Hugh, Burch, Llyod Leon

Granted Patent

US 8,069,476 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/5
CPC Class Codes

G06F 21/31 User authentication

Identity validation

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Identity validation

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links