Cascading Authentication System

US 20080271117A1
Filed: 04/27/2007
Published: 10/30/2008
Est. Priority Date: 04/27/2007
Status: Active Grant

First Claim

Patent Images

1. A method for authenticating a user to a target server, the method comprising:

receiving a request from a user computer system to authenticate the user to the target server;

determining whether authenticating the user requires matching an authentication plan;

in response to determining that matching an authentication plan is required, accessing a stored authentication plan associated with the user, the stored authentication plan having one or more authentication records each having expected information relating to user access to a different, particular server at a previous layer of authentication than the target server;

receiving an indication of the user'"'"'s current authentication plan from an authentication store, the current authentication plan having one or more authentication records each having current information relating to user access to a particular, different server at a previous layer of authentication than the target server;

comparing the stored authentication plan with the received current authentication plan to determine whether they match; and

in response to a match between the stored authentication plan and the current authentication plan, authenticating the user.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Generally speaking, systems, methods and media for authenticating a user to a server based on previous authentications to other servers are disclosed. Embodiments of a method for authenticating a user to a server may include receiving a request to authenticate the user to the server and determining whether authenticating the user requires matching an authentication plan. If a plan is required, the method may also include accessing a stored authentication plan with authentication records each having expected information relating to user access to a different server. The method may also include receiving an indication of the user'"'"'s current authentication plan from an authentication store where the plan has authorization records each having current information relating to user access. Embodiments of the method may also include comparing the stored authentication plan with the received current authentication plan to determine whether they match and, in response to a match, authenticating the user.

56 Citations

View as Search Results

20 Claims

1. A method for authenticating a user to a target server, the method comprising:
- receiving a request from a user computer system to authenticate the user to the target server;
  
  determining whether authenticating the user requires matching an authentication plan;
  
  in response to determining that matching an authentication plan is required, accessing a stored authentication plan associated with the user, the stored authentication plan having one or more authentication records each having expected information relating to user access to a different, particular server at a previous layer of authentication than the target server;
  
  receiving an indication of the user'"'"'s current authentication plan from an authentication store, the current authentication plan having one or more authentication records each having current information relating to user access to a particular, different server at a previous layer of authentication than the target server;
  
  comparing the stored authentication plan with the received current authentication plan to determine whether they match; and
  
  in response to a match between the stored authentication plan and the current authentication plan, authenticating the user.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising in response to determining that matching an authentication plan is required, transmitting a request for a current authentication plan to the user computer system.
  - 3. The method of claim 1, further comprising in response to a mismatch between the stored authentication plan and the current authentication plan, resolving the authentication plan mismatch.
  - 4. The method of claim 3, wherein resolving the authentication plan mismatch comprises requiring additional authentication information.
  - 5. The method of claim 3, wherein resolving the authentication plan mismatch comprises invoking a method to modify or create an authentication plan.
  - 6. The method of claim 1, wherein each authentication record of the authentication plans comprises a server identifier and an authentication event fact.
  - 7. The method of claim 1, wherein comparing the stored authentication plan with the current authentication plan to determine whether they match comprises comparing authentication records of each authentication plan to determine whether at least a specified subset of authentication records match between the authentication plans.

8. A computer program product comprising a computer-useable medium having a computer readable program, wherein the computer readable program when executed on a computer causes the computer to:
- receiving a request from a user computer system to authenticate a user to a target server;
  
  determining whether authenticating the user requires matching an authentication plan;
  
  in response to determining that matching an authentication plan is required, accessing a stored authentication plan associated with the user, the stored authentication plan having one or more authentication records each having expected information relating to user access to a different, particular server at a previous layer of authentication than the target server;
  
  receiving an indication of the user'"'"'s current authentication plan from an authentication store, the current authentication plan having one or more authentication records each having current information relating to user access to a different, particular server at a previous layer of authentication than the target server;
  
  comparing the stored authentication plan with the received current authentication plan to determine whether they match; and
  
  in response to a match between the stored authentication plan and the current authentication plan, authenticating the user.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The computer program product of claim 8, further comprising in response to determining that matching an authentication plan is required, transmitting a request for a current authentication plan to the user computer system.
  - 10. The computer program product of claim 8, further comprising in response to a mismatch between the stored authentication plan and the current authentication plan, resolving the authentication plan mismatch.
  - 11. The computer program product of claim 10, wherein resolving the authentication plan mismatch comprises requiring additional authentication information.
  - 12. The computer program product of claim 8, wherein comparing the stored authentication plan with the current authentication plan to determine whether they match comprises comparing authentication records of each authentication plan to determine whether at least a specified subset of authentication records match between the authentication plans.

13. A cascading authentication system, the system comprising:
- a target server having an authentication plan manager to access a stored authentication plan associated with a user requesting access to the target server, the stored authentication plan comprising one or more authentication records each having expected information relating to access by a user to a different, particular server at a previous layer of authentication than the target server;
  
  an authentication store to store a current authentication plan associated with the user, the current authentication plan comprising one or more authentication records each having current information relating to access by a user to a different, particular server at a previous layer of authentication than the target server;
  
  an authentication store manager in communication with the target server and the authentication store to provide the current authentication plan associated with a particular user to the authentication plan manager of the target server; and
  
  wherein the authentication plan manager of the target server determines whether to authenticate a user based on a comparison between the stored authentication plan and the current authentication plan.
- View Dependent Claims (14, 15, 16)
- - 14. The system of claim 13, wherein the authentication store is an encrypted database.
  - 15. The system of claim 13, wherein the authentication store manager executes in non-volatile memory of a user computer system of the user requesting access to the target server.
  - 16. The system of claim 13, wherein the authentication store manager executes on a trusted third party computer system.

17. A method for authenticating a user to a target server, the method comprising:
- performing an authentication step for one or more servers at a previous layer of authentication to the target server;
  
  storing an authentication event record for each performed authentication step in an authentication store;
  
  attempting to authenticate to the target server, the target server requiring an authentication plan associated with the user; and
  
  receiving an indication of whether access to the target server was granted.
- View Dependent Claims (18, 19, 20)
- - 18. The method of claim 17, further comprising transmitting a current authentication plan to the target server, the current authentication plan having a stored authentication record for one or more performed authentication steps for servers at previous layers of authentication to the target server.
  - 19. The method of claim 17, further comprising receiving a request for a current authentication plan from the target server.
  - 20. The method of claim 17, further comprising in response to receiving an indication that access to the target server was not granted, resolving an authentication plan mismatch with the target server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kyndryl Incorporated
Original Assignee
International Business Machines Corporation
Inventors
O'Connell, Brian M., Hamilton, Rick A., Walker, Keith R., Pavesi, John R.

Granted Patent

US 8,726,347 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/3
CPC Class Codes

G06F 21/41   where a single sign-on prov...

H04L 63/08   for authentication of entit...

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

H04L 63/205   involving negotiation or de...

H04L 67/10   in which an application is ...

Cascading Authentication System

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

56 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Cascading Authentication System

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

56 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links