Multiple security access mechanisms for a single identifier

US 20080114987A1
Filed: 10/31/2006
Published: 05/15/2008
Est. Priority Date: 10/31/2006
Status: Abandoned Application

First Claim

Patent Images

1. A method, comprising:

receiving a first authentication secret associated with a principal;

validating the first authentication secret from a plurality of assigned authentication secrets associated with the principal;

acquiring one or more attributes in response to their association with the validated first authentication secret; and

transmitting an access credential along with the one or more attributes in response to the validated first authentication secret.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for using multiple security access mechanisms for a single identifier are presented. A single identifier is permitted to be associated with multiple authentication secrets. The single identifier resolves to a particular identity in response to the particular authentication secret presented with the single identifier. Moreover, in an embodiment, any resolved identity may have a variety of attributes automatically set for a particular communication session, such as role, access rights, etc.

44 Citations

View as Search Results

25 Claims

1. A method, comprising:
- receiving a first authentication secret associated with a principal;
  
  validating the first authentication secret from a plurality of assigned authentication secrets associated with the principal;
  
  acquiring one or more attributes in response to their association with the validated first authentication secret; and
  
  transmitting an access credential along with the one or more attributes in response to the validated first authentication secret.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein receiving further includes, receiving the first authentication secret from a browser session that was redirected when the principal attempted to access a target service via a browser that the principal interacts with.
  - 3. The method of claim 1, wherein receiving further includes receiving the first authentication secret from a directory service that the principal attempts to interact with.
  - 4. The method of claim 1, wherein receiving further includes identifying the first authentication secret as a password of the principal, and wherein the password is defined with other passwords associated with the principal in the assigned authentication secrets.
  - 5. The method of claim 1, wherein validating further includes:
    - identifying an authentication service in response to the first authentication secret;
      
      contacting the authentication service to validate the first authentication secret; and
      
      receiving a validated first authentication secret for the principal from the authentication service.
  - 6. The method of claim 4, wherein acquiring further includes receiving some or each of the one or more attributes from the authentication service.
  - 7. The method of claim 1, wherein acquiring further includes identifying at least one of the one or more attributes as a role for the principal to assume when interacting during a communication session or when accessing a target resource, and wherein the role is associated with access rights during the communication session or during access to the target resource.
  - 8. The method of claim 1, wherein transmitting further includes sending the access credential to the principal to access a target resource, and wherein the one or more attributes at least partially define access rights for the principal when accessing the target resource.
  - 9. The method of claim 1, wherein transmitting further includes sending the access credential and the one or more attributes to a directory service to authenticate and provide access rights to the principal that is attempting to access one or more resources of the directory service.

10. A method, comprising:
- receiving an identifier and a first password from a requestor;
  
  authenticating a first identity for a principal in response to the identifier and the first password, wherein the identifier is associated with multiple different identities associated with the principal and multiple different passwords, and the first password is used to select the first identity of the principal;
  
  acquiring a role attribute for the principal in response to the first identity; and
  
  providing an authentication credential for the principal and the role attribute to the requestor.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The method of claim 10 further comprising:
    - acquiring additional attributes for the principal in response to the first identity; and
      
      providing the additional attributes to the requester.
  - 12. The method of claim 10 further comprising:
    - receiving a second password with the first password and the identifier from the requestor;
      
      authenticating a second identity for the principal in response to the identifier and the second password;
      
      acquiring an additional role attribute for the principal in response to the second identity; and
      
      providing an additional authentication credential for the principal and the additional role attribute to the requestor.
  - 13. The method of claim 10, wherein receiving further includes identifying the requestor as one of the following, the principal, a service associated with the principal, a resource that the principal is attempting to access, a proxy the intercepts an access attempt made by the principal to gain access to the resource, or a directory service.
  - 14. The method of claim 10, wherein authenticating includes one or more of the following:
    - matching the first password and identifier combination in a trust data store to authenticate and establish the first identity;
      
      hashing the first password to acquire a value and matching the value in the trust data store to authenticate and establish the first identity;
      
      enlisting an external authentication service to perform the authentication and assist in establishing the first identity; and
      
      identifying the external authentication service to perform the authentication in response to a mapping associated with the first password and identifier in order to assist in establishing the first identity.
  - 15. The method of claim 14, wherein acquiring further includes one or more of the following:
    - acquiring the role attribute from the external authentication service;
      
      acquiring one or more additional attributes from the external authentication service; and
      
      acquiring some or each of the one or more additional attributes from a directory service.

16. A system, comprising:
- a trusted data store; and
  
  an identity service, wherein the identity service is to receive an identifier and a first password from a principal, and wherein the identity service is to use the first password and the identifier to search the trusted data store to determine how to authenticate the principal, and wherein the trusted data store includes multiple passwords for the principal that the identity service uses to find a match with the first password, and wherein the identity service is to resolve a first identity for the principal in response to the authentication and supplies the first identity via a credential to the principal for subsequent use.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The system of claim 16 further comprising, an authentication service that is identified with the match from the trusted data store and is to be consulted by the identity service to authenticate the principal and establish the first identity.
  - 18. The system of claim 17, wherein the authentication service is to provide one or more attributes to be associated with the credential and to be sent with the credential from the identity service to the principal.
  - 19. The system of claim 16, wherein the identity service is to concurrently receive a second password from the principal with the first password and the identifier, and wherein the identity service is to use the trusted data store to determine how to authenticate the principal to a second identity and the identity service supplies an additional credential for the second identity to the principal when validated.
  - 20. The system of claim 16, wherein the identity service is to use a policy to assist in determining how to authenticate the principal in response to the first password and the match of the first password within the trusted data store.

21. A system, comprising:
- a directory service; and
  
  an identity service, wherein the identity service manages multiple passwords for a single principal, each password corresponding to different role that the principal can assume for a particular communication session, and wherein the identity service uses the directory service to assist in resolving a particular role for the principal for a given password supplied on behalf of the principal.
- View Dependent Claims (22, 23, 24, 25)
- - 22. The system of claim 21, wherein the identity service is to use the directory service to acquire at least some attributes for the principal when the particular role is resolved.
  - 23. The system of claim 21, wherein the identity service communicates locally and securely with the directory service.
  - 24. The system of claim 21, wherein the identity service is to set the particular role, other attributes, and access rights for the principal during the particular communication session that the principal is engaged in.
  - 25. The system of claim 21, wherein the identity service is to receive the particular password for the principal from one of the following, the principal, the directory service acting on behalf of the principal, a proxy, and a browser interacting with the principal that is redirected to the identity service when the principal attempts to access a protected resource.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
EMC Corporation (Dell Technologies Inc.)
Original Assignee
Novell Incorporated (Open Text Corporation)
Inventors
Burch, Lloyd Leon, Earl, Douglas G., Morris, Cameron Craig

Application Number

US11/590,360
Publication Number

US 20080114987A1
Time in Patent Office

Days
Field of Search
US Class Current

713/183
CPC Class Codes

G06F 21/31   User authentication

G06F 21/606   by securing the transmissio...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/0815   providing single-sign-on or...

Multiple security access mechanisms for a single identifier

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

44 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Multiple security access mechanisms for a single identifier

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

44 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links