Log-on service providing credential level change without loss of session continuity
Abstract
A security architecture has been developed in which a single sign-on is provided for multiple information resources. Rather than specifying a single authentication scheme for all information resources, the security architecture associates trust-level requirements with information resources. Authentication schemes (e.g., those based on passwords, certificates, biometric techniques, smart cards, etc.) are employed depending on the trust-level requirement(s) of the information resource (or information resources) to be accessed. Once credentials have been obtained for an entity and the entity has been authenticated to a given trust level, access is granted, without the need for further credentials and authentication, to information resources for which the authenticated trust level is sufficient. The security architecture allows upgrade of credentials for a given session. This capability is particularly advantageous in the context of a single, enterprise-wide log-on. An entity (e.g., a user or an application) may initially log on with a credential suitable for one or more resources in an initial resource set, but then require access to a resource requiring authentication at a higher trust level. In such a case, the log-on service allows additional credentials to be provided to authenticate at the higher trust level. The log-on service allows upgrading and/or downgrading without loss of session continuity (i.e., without loss of identity mappings, authorizations, permissions, environmental variables, etc.).
Claims
1. A method of providing a persistent session in a networked information environment, the method comprising:
    associating a unique session identifier with a set of access requests originating from a client entity; and
    maintaining the unique session identifier across a credential level change.

2. A method as in claim 1, further comprising:
    issuing one or more cryptographically secured session tokens to the client entity, each of the one or more cryptographically secured session tokens encoding the unique session identifier; and
    supplying at least one of the one or more cryptographically secured session tokens with each of the access requests.
3. A method as in claim 1,
    wherein the client entity includes a browser; and
    wherein the unique session identifier is encoded as a cryptographically secured session token and supplied to the browser as a cookie.

4. A method as in claim 1, wherein the credential level change includes:
    obtaining a second credential from the client entity after a previously supplied first credential is determined to be insufficient for access to an information resource;
    authenticating the client entity by the obtained second credential; and
    updating session context identified by the unique session identifier.

5. A method as in claim 4,
    wherein the unique session identifier associating includes issuing the client entity a first session token encoding the unique session identifier; and
    wherein the credential level change further includes issuing the client entity a second session token encoding the unique session identifier.

6. A method as in claim 4,
    wherein the client entity includes a browser; and
    wherein the first and second session tokens are cryptographically secured and supplied to the browser as a cookie.

7. A method as in claim 4, embodied as a computer program product including functionally descriptive information for directing a processor to perform the credential obtaining, the authenticating, and the session context updating, the computer program product encoded by or transmitted in at least one computer readable medium selected from the set of a disk, tape or other magnetic, optical, or electronic storage medium and a network, wireline, wireless or other communications medium.
8. A method as recited in claim 1, further comprising:
    obtaining a first credential for the client entity and authenticating the client entity thereby;
    accessing a first of plural information resources;
    if the client entity is sufficiently authenticated for access to a second of the information resources, accessing the second information resource; and
    otherwise, obtaining a second credential for the client entity and authenticating the client entity thereby, the second credential sufficiently authenticating the client entity for access to the second information resource; and
    thereafter accessing the second information resource, wherein the accesses to first and second information resources are performed within a persistent session context and wherein the second credential obtaining and client entity authenticating are performed without loss of session continuity.

9. A method as in claim 8, further comprising:
    issuing the client entity at least one session token for identifying the persistent session context to the security architecture.

10. A method as in claim 8, further comprising:
    issuing to the client entity at least first and second session tokens, the first token after the first credential authenticating and the second token after the second credential authenticating, wherein the first and second session tokens both correspond to the persistent session context.

11. A method as in claim 10,
    wherein the client entity includes a browser operated by a principal; and
    wherein the session token is cryptographically secured and encoded in a cookie supplied to the browser.

12. A method as in claim 8, further comprising:
    prior to the first credential obtaining, receiving a request from the client entity to access the first information resource; and
    after the client entity authenticating by the first credential, issuing the client entity a session token for identifying the persistent session context to the security architecture.

13. A method as in claim 12,
    wherein the access request receiving and the first information resource accessing are performed by a proxy.

14. A method as in claim 8, further comprising:
    establishing the persistent session context prior to the first authenticating.

15. A method as in claim 8, further comprising:
    before the authenticating by the second credential, accessing a third of the information resources, the first credential sufficiently authenticating the client entity for access to the first and third information resources.

16. A method as in claim 8,
    wherein, after the authenticating by the second credential, the client entity is sufficiently authenticated to access both the first and second information resources.

17. A method as in claim 8, embodied as a computer program product encoded by or transmitted in at least one computer readable medium selected from the set of a disk, tape or other magnetic, optical, or electronic storage medium and a network, wireline, wireless or other communications medium.
18. In a networked information environment having plural information resources with potentially differing authentication requirements, a method as in claim 1, wherein the unique session identifier is embodied, at least in part, as a session token, the method providing a sign-on common to the information resources, and comprising:
    authenticating the client entity using a first credential;
    issuing a session token corresponding to a session of the client entity;
    allowing access using the session token to first and second, but not a third, of the information resources;
    upgrading the session token after authenticating with a second credential; and
    thereafter, without loss of session continuity, allowing access using the upgraded session token to the first, second and third information resources.

19. A method as in claim 18,
    wherein the session token and the upgraded session token both resolve to a same session object, the same session object maintaining a consistent session state spanning the upgrading.

20. A method as in claim 18,
    wherein the client entity includes a browser.

21. A method as in claim 18,
    wherein the first and the second credentials are selected from a set including username password pairs, digital certificates, encrypted credentials based on asymmetric, symmetric, public, private, or secret key technologies, one-time passwords, biometric credentials based on retinal scan, voice print, or finger print, and possession based credentials embodied in smart cards, Enigma cards or keys; the second credential corresponding to a higher trust level than the first.

22. A method as in claim 18, embodied as a computer program product encoded by or transmitted in at least one computer readable medium selected from the set of a disk, tape or other magnetic, optical, or electronic storage medium and a network, wireline, wireless or other communications medium.

23. In a networked information environment having plural authentication levels for access to one or more information resources, a method as recited in claim 1, the method providing a persistent session interface thereto, and comprising:
    authenticating an entity to a first authentication level and associating a unique session identifier with the entity;
    after association of the unique session identifier, authenticating the entity to a second authentication level and maintaining the association of the unique session identifier with the entity; and
    thereafter allowing access, using the unique session identifier, to the information resources at the second authentication level.

24. A method as in claim 23, wherein the unique session identifier is encoded in one or more session tokens issued to the entity.

25. A method as in claim 23, further comprising:
    after the authenticating to the first authentication level, accessing, using the unique session identifier, a first of the information resources at the first authentication level.

26. A method as in claim 25, further comprising:
    after the authenticating to the second authentication level, accessing, using the unique session identifier, the first information resource at the second authentication level.

27. A method as in claim 23, further comprising:
    after the authenticating to the second authentication level, accessing a second information resource at the second authentication level.

28. A method as in claim 23, embodied as a computer program product encoding instructions executable by a computer to perform the authenticating to first and second authentication levels and to perform the access allowing, the computer program product encoded by or transmitted in at least one computer readable medium selected from the set of a disk, tape or other magnetic, optical, or electronic storage medium and a network, wireline, wireless or other communications medium.
29. An apparatus comprising:
    means for associating a unique session identifier with a set of access requests originating from a client entity; and
    means for maintaining the unique session identifier across a credential level change.

30. The apparatus as recited in claim 29, further comprising:
    plural information resources hosted on one or more servers coupled via a communication network to the client entity, the plural information resources having individualized authentication requirements;
    wherein the associating and maintaining means are embodied, at least in part, as a log-on service common to the plural information resources, the common log-on service obtaining a first credential for the client entity, authenticating the client entity thereby, and establishing a session having a first authentication level commensurate with authentication requirements of at least one of the plural information resources, and wherein, in response to an access request requiring a second authentication level higher than the first, the common log-on service obtains a second credential for the client entity, authenticates the client entity thereby, and upgrades the session to the second authentication level without loss of session continuity.

31. The apparatus as recited in claim 29, embodied at least in part as an access management system providing a single sign-on for sessions that potentially include access to plural information resources having differing security requirements, the apparatus further comprising:
    a gatekeeper including an authorization interface for determining whether a first authenticated credential associated with the client entity and the session is consistent with a trust level requirement for a target information resource and, if so, proxying an access thereto; and
    means responsive to the gatekeeper for upgrading the session by obtaining and authenticating a second credential to allow access to the target information resource if the first authenticated credential is inconsistent with the trust level requirement, the session upgrade means maintaining session continuity across credential upgrades.

32. The apparatus as in claim 29, embodied at least in part as a computer program product encoded in computer readable media, and further comprising:
    log-on code executable on a first server as a log-on component to obtain one or more credentials for the client entity, the log-on component including an authentication interface for authenticating the client entity using the obtained one or more credentials; and
    gatekeeper code executable on one of the first server and a second server as a gatekeeper component to receive access requests from the client entity, the gatekeeper component including an authorization interface for determining whether an authentication level is consistent with a trust level requirement for a target information resource and, if so, proxying an access thereto, and, if not, redirecting the access to the log-on component for obtaining and authenticating at least one additional credential to allow access to the target information resource.

33. The computer program product of claim 32, further comprising:
    authentication code executable as an authentication component to perform the authenticating; and
    authorization code executable as an authorization component to determine consistency of authentication levels with trust level requirements.

34. The computer program product of claim 32, encoded by or transmitted in at least one computer readable medium selected from the set of a disk, tape or other magnetic, optical, or electronic storage medium and a network, wireline, wireless or other communications medium.
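As an added illustration of the abstract and of claims 4, 18 and 32 above (constructed example, not code from the patent), a minimal Python model of the log-on service and gatekeeper: session tokens are HMAC-protected encodings of the session identifier and trust level, the gatekeeper compares the token's level with the resource's requirement, and a step-up log-on re-issues a token for the same session so identity and environment are kept. The credential schemes, resources and their trust levels are hypothetical values.

```python
import base64, hashlib, hmac, json, secrets
from typing import Optional

# Constructed example, not the patent's own code: a minimal log-on service and
# gatekeeper that enforce per-resource trust levels and change a session's
# credential level in place, so the session identifier survives the change.
SERVER_KEY = secrets.token_bytes(32)  # hypothetical; a managed secret in practice
# Trust level each authentication scheme establishes (hypothetical values)
CREDENTIAL_LEVELS = {"password": 1, "certificate": 2}
# Trust level each information resource requires (hypothetical values)
RESOURCE_LEVELS = {"intranet": 1, "payroll": 2}
SESSIONS = {}  # session id -> session context (identity, level, environment)

def _sign(body: str) -> str:
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()

def issue_token(session_id: str, level: int) -> str:
    """Encode the session identifier and trust level in an HMAC-protected token."""
    body = base64.urlsafe_b64encode(
        json.dumps({"sid": session_id, "lvl": level}).encode()).decode()
    return f"{body}.{_sign(body)}"

def parse_token(token: str) -> Optional[tuple]:
    """Return (session_id, level), or None if the token is malformed or tampered."""
    body, _, mac = token.rpartition(".")
    if not body or not hmac.compare_digest(mac, _sign(body)):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    return claims["sid"], claims["lvl"]

def log_on(principal: str, scheme: str, session_id: Optional[str] = None) -> str:
    """Initial log-on creates a session; a later log-on that names an existing
    session changes that session's level (up or down) and keeps its context."""
    level = CREDENTIAL_LEVELS[scheme]
    if session_id is None:
        session_id = secrets.token_hex(16)
        SESSIONS[session_id] = {"principal": principal, "level": level, "env": {}}
    else:
        SESSIONS[session_id]["level"] = level  # same session object, new level
    return issue_token(session_id, level)

def gatekeeper(token: str, resource: str) -> tuple:
    """Allow the access when the session's level meets the resource's requirement;
    otherwise report the required level so the client is redirected to log-on."""
    parsed = parse_token(token)
    if parsed is None or parsed[0] not in SESSIONS:
        return ("reject", None)
    sid, level = parsed
    required = RESOURCE_LEVELS[resource]
    return ("allow", sid) if level >= required else ("step_up", required)
```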
Specification