STATE DRIVEN ORCHESTRATION OF AUTHENTICATION COMPONENTS IN AN ACCESS MANAGER

US 20140208401A1
Filed: 01/24/2013
Published: 07/24/2014
Est. Priority Date: 01/24/2013
Status: Active Grant

First Claim

Patent Images

1. A method for state driven orchestration of authentication components to access a resource protected by an access manager framework, comprising:

receiving a request to access a resource from a client;

determining required authentication components for the requested resource and a sequential order of the authentication components based at least in part upon the received access request;

requesting a first set of credential information required for a first authentication component to authenticate the client requesting access to the resource;

upon successful validation of the received first set of credential information, generating an authentication context including information indicating a second authentication component of the determined sequential order of the required authentication components, the authentication context stored at the client;

requesting a second set of credential information required for the second authentication component to authenticate the client requesting access to the resource;

receiving the second set of credential information along with the authentication context from the client;

determining which authentication component is to receive the second set of credential information based at least in part upon the authentication context received from the client; and

sending the second set of credential information to the second authentication component.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems are described for state driven orchestration of authentication components to access a resource protected by an access manager framework. In response to a client request for a protected resource, relevant authentication components and their respective order are determined. Upon successful authentication of the first authentication component, proper state information of the authentication process is stored by the client indicating the next authentication component. In response to a request for additional credential information for the authentication process from the next authentication component, the client provides the stored state information so that the authentication process continues with the second authentication component according to the determined order of the authentication components within an authentication process.

Citations

20 Claims

1. A method for state driven orchestration of authentication components to access a resource protected by an access manager framework, comprising:
- receiving a request to access a resource from a client;
  
  determining required authentication components for the requested resource and a sequential order of the authentication components based at least in part upon the received access request;
  
  requesting a first set of credential information required for a first authentication component to authenticate the client requesting access to the resource;
  
  upon successful validation of the received first set of credential information, generating an authentication context including information indicating a second authentication component of the determined sequential order of the required authentication components, the authentication context stored at the client;
  
  requesting a second set of credential information required for the second authentication component to authenticate the client requesting access to the resource;
  
  receiving the second set of credential information along with the authentication context from the client;
  
  determining which authentication component is to receive the second set of credential information based at least in part upon the authentication context received from the client; and
  
  sending the second set of credential information to the second authentication component.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method of claim 1, wherein the access manager framework is stateless and processes each received request independently from previous related requests.
  - 3. The method of claim 1, wherein the resource includes an application.
  - 4. The method of claim 1, wherein the authentication context is stored in an internet browser of the client.
  - 5. The method of claim 1, wherein the authorization context is persisted in an authentication cookie.
  - 6. The method of claim 1, wherein the authentication context is represented as a Java®
    - object.
  - 7. The method of claim 1, wherein at least one of the authentication components is an authentication plugin.
  - 8. The method of claim 6, wherein the authentication plugin includes LDAP, RSA, KERBEROS, or X509 authentication plugins.
  - 9. The method of claim 1, wherein at least one of the authentication components is developed by a third party developer.
  - 10. The method of claim 1, wherein the sets of credential information received from the client include a username, password, date of birth, social security number, or one-time password.
  - 11. The method of claim 1, further comprising:
    - upon successful authentication of the received second set of credential information, generating a session to allow access of the requested resource to the client.
  - 12. The method of claim 11, wherein the client is authorized to access other resources with substantially identical security requirements in the generated session.
  - 13. The method of claim 1, further comprising:
    - upon successful authentication of the received second set of credential information, generating additional information indicating successful authentication of the received second set of information.
  - 14. The method of claim 1, further comprising:
    - upon successful authentication of the received second set of credential information, requesting a third set of credential information required for authentication of a third authentication component within the determined sequential order.
  - 15. A computer system executing instructions in a computer program, the computer program instructions comprising program code for performing the operations of claim 1.
  - 16. A non-transitory machine-readable storage medium having instructions stored thereon, the instructions comprising program code for the operations of claim 1.
  - 17. The non-transitory computer-readable storage medium of claim 16, wherein, the authentication context is persisted in an authentication cookie and stored in an internet browser of the client.
  - 18. The non-transitory computer-readable storage medium of claim 16, wherein at least one of the authentication components is an authentication plugin from at least one of LDAP, RSA, KERBEROS, and X509 authentication plugins.

19. A method comprising:
- receiving a request to access a resource from a client, access to the resource requiring a first authentication and a second authentication;
  
  authenticating the user on a web browser client at a server using a first authentication plugin;
  
  sending an encrypted cookie to the client based on the first authentication;
  
  requesting the encrypted cookie from the web browser client;
  
  bypassing the first authentication based on the received encrypted cookie and then authenticating the user on the web browser client using a second authentication plugin; and
  
  allowing access to the resources that requires the first and second authentications based on the received encrypted cookie and the second authentication using the second authentication plugin.

20. A method comprising:
- authenticating a user on a web browser client at a server using a first authentication plugin;
  
  sending an encrypted cookie to the client based on the authentication;
  
  receiving a request to access a resource from the client, access to the resource requiring a first authentication and a second authentication;
  
  requesting the encrypted cookie from the web browser client;
  
  bypassing the first authentication based on the received encrypted cookie and then authenticating the user on the web browser client using a second authentication plugin; and
  
  allowing access to the resources that requires the first and second authentications based on the received encrypted cookie and authentication using the second authentication plugin.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Balakrishnan, Aarathi, Subramanya, Ramya Kukkehali, Ramakrishnan, Deepak

Granted Patent

US 9,100,387 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/5
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/102   Entity profiles

H04L 67/02   based on web technology, e....

STATE DRIVEN ORCHESTRATION OF AUTHENTICATION COMPONENTS IN AN ACCESS MANAGER

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

STATE DRIVEN ORCHESTRATION OF AUTHENTICATION COMPONENTS IN AN ACCESS MANAGER

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links