METHOD AND SYSTEM FOR PROVIDING A FEDERATED AUTHENTICATION SERVICE WITH GRADUAL EXPIRATION OF CREDENTIALS
First Claim
1. A method for providing a single sign-on service, comprising
receiving at an authentication server an authentication request from a user;
authenticating said user at said authentication server;
associating at least one initial trust level with said authentication;
receiving a validation request pertaining to said user and an application server, said application server enforcing a required minimum level of trust;
calculating an updated trust level to be associated with said authentication from at least a function of time;
granting said user access to said application server if said updated trust level exceeds said required minimum level.
Abstract
The present invention relates to the field of authentication of users of services over a computer network, more specifically within the paradigms of federated authentication or single sign-on. A known technique consists of associating different trust levels with different authentication mechanisms, wherein the respective trust levels give access to different information resources, notably to provide the possibility of protecting more sensitive resources with a stronger form of authentication. The present invention provides a mechanism that allows the trust level to decrease, without re-authenticating with the single sign-on system, down to the level at which it is no longer sufficient to obtain access to a desired resource. Only then does the user need to re-authenticate.
26 Claims
1. A method for providing a single sign-on service, comprising
receiving at an authentication server an authentication request from a user;
authenticating said user at said authentication server;
associating at least one initial trust level with said authentication;
receiving a validation request pertaining to said user and an application server, said application server enforcing a required minimum level of trust;
calculating an updated trust level to be associated with said authentication from at least a function of time;
granting said user access to said application server if said updated trust level exceeds said required minimum level.
Dependent claims: 2 to 15.
16. A system for providing a single sign-on service, comprising
a first receiving agent for receiving an authentication request from a user;
an authentication agent for authenticating said user;
an issuing agent for issuing an authentication ticket for said user, wherein at least one initial trust level is associated with said authentication ticket;
a second receiving agent for receiving a validation request pertaining to said user from an application server, said request containing a reference to said authentication ticket, and said application server enforcing a required minimum level of trust;
a processor for calculating an updated trust level to be associated with said authentication ticket from at least a function of time; and
a sending agent for sending a signal indicative of said calculating to said application server.
Dependent claims: 17 to 23.
24. A system for providing a single sign-on service, comprising
a receiving agent for receiving an authentication request from a user;
an authentication agent for authenticating said user; and
an issuing agent for issuing an authentication ticket for said user, wherein at least one initial trust level and at least one subsequent trust level are associated with said authentication ticket, said subsequent trust level having a validity period extending beyond the validity period of said initial trust level.
Dependent claims: 25.
26. A method for providing a single sign-on service, comprising
receiving an authentication request from a user;
authenticating said user; and
issuing an authentication ticket for said user, wherein at least one initial trust level and at least one subsequent trust level are associated with said authentication ticket, said subsequent trust level having a validity period extending beyond the validity period of said initial trust level.
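A minimal model of the mechanism described in the abstract and in claims 1, 16, 24 and 26, added here as an illustration and not code from the patent or its assignee: a ticket carries an initial trust level plus lower subsequent levels whose validity extends beyond it, the updated level is derived purely from the ticket's age, and an application server's validation request succeeds only while that level meets its enforced minimum. The trust scale, the authentication mechanisms and the durations are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed trust scale (assumption): 0 = expired / no trust, 3 = strongest.


@dataclass
class AuthTicket:
    user: str
    issued_at: float                      # seconds since epoch
    # (trust_level, valid_for_seconds) pairs: the initial level first, then
    # subsequent lower levels whose validity periods extend beyond it.
    levels: List[Tuple[int, float]] = field(default_factory=list)

    def trust_level_at(self, now: float) -> int:
        """Updated trust level as a function of time: the highest level whose
        validity window, measured from issuance, still covers `now`."""
        age = now - self.issued_at
        if age < 0:
            return 0  # clock skew / tampered timestamp: treat as untrusted
        still_valid = [lvl for lvl, ttl in self.levels if age <= ttl]
        return max(still_valid, default=0)


def issue_ticket(user: str, mechanism: str, now: float) -> AuthTicket:
    """Authentication-server side: map the mechanism used to an initial trust
    level and the schedule by which it decays (constructed values)."""
    schedules = {
        # strong mechanism: level 3 for 15 min, then 2 for 8 h, then 1 for 24 h
        "hardware_token": [(3, 15 * 60), (2, 8 * 3600), (1, 24 * 3600)],
        # password only: level 2 for 30 min, then 1 for 8 h
        "password": [(2, 30 * 60), (1, 8 * 3600)],
    }
    return AuthTicket(user=user, issued_at=now, levels=schedules[mechanism])


def validate(ticket: AuthTicket, required_min: int, now: float) -> Tuple[bool, int]:
    """Validation request from an application server enforcing `required_min`.
    Returns (granted, updated_level). Meeting the minimum is treated as
    sufficient (assumption). Only when `granted` is False must the user be
    sent back to the single sign-on service to re-authenticate."""
    level = ticket.trust_level_at(now)
    return level >= required_min, level
```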