Single sign-on framework with trust-level mapping to authentication requirements
Abstract
A security architecture has been developed in which a single sign-on is provided for multiple information resources. Rather than specifying a single authentication scheme for all information resources, the security architecture associates trust-level requirements with information resources. Authentication schemes (e.g., those based on passwords, certificates, biometric techniques, smart cards, etc.) are associated with trust levels and a log-on service obtains credentials for an entity commensurate with the trust-level requirement(s) of an information resource (or information resources) to be accessed. Once credentials have been obtained for an entity and the entity has been authenticated to a given trust level, access is granted, without the need for further credentials and authentication, to information resources for which the authenticated trust level is sufficient.
38 Claims
1. An information security system comprising:
plural information resources distributed amongst and executable on one or more servers coupled via a communication network to a client entity, the plural information resources having associated trust level requirements, wherein the information security system provides plural trust levels, each of the trust levels corresponding to a respective set of credential types;
a gatekeeper interposed between the client entity and the information resources; and
a credential gathering service common to the plural information resources, wherein upon receipt of a first request for access to a first of the plural information resources without prior authentication to a sufficient trust level, the gatekeeper redirects the first request to the common credential gathering service and the common credential gathering service obtains a login credential for the client entity in accordance with a mapping rule establishing a correspondence between the sufficient trust level and the respective set of credential types therefor.
(Dependent claims: 2, 3, 4, 5, 6)
7. A credential gathering service providing a single sign-on for sessions that potentially include access to plural information resources having differing security requirements, the credential gathering service comprising:
an input port configured to receive an access request identifying an initiating client entity;
means for associating a trust level requirement with the access request;
an encoding of correspondence between trust levels and credential types, wherein each of the trust levels corresponds to a respective set of the credential types;
selection logic for selecting in accordance with the encoding, a credential type corresponding to the trust level requirement; and
a credential obtaining interface for requesting and receiving a credential of the selected credential type for the initiating client entity.
(Dependent claims: 8 through 23)
24. A method of providing a single sign-on for plural information resources in an environment that provides plural trust levels, the method comprising:
associating credential types with respective ones of the trust levels;
specifying for each information resource, required ones of the trust levels for accesses thereto;
obtaining at least one credential corresponding to a client entity and authenticating the client entity thereby; and
permitting access to any of the information resources having a specified trust level requirement commensurate with the trust level associated with the authenticated at least one credential.
(Dependent claims: 25, 26, 27)
28. A method of providing sign-on in a networked information environment that provides plural trust levels, the method comprising:
directing a request for access to a first information resource from an insufficiently authenticated client entity to a credential gathering service;
associating a first trust level requirement with the access to the first information resource;
selecting from plural credential types, a credential type having an associated trust level commensurate with the first trust level requirement;
obtaining a credential of the selected credential type for the client entity; and
authenticating the obtained credential.
(Dependent claims: 29 through 35)
36. A method of providing a security interface common to plural information resources, the method comprising:
associating credential types with trust levels, wherein each of the trust levels correspond to a respective set of the credential types;
specifying for each information resource, a required one of the trust levels for accesses thereto;
with a login service common to the plural information resources, obtaining at least one credential corresponding to a client entity and authenticating an identity of the client entity thereby, wherein the obtained at least one credential is of one of the credential types associated with the required one of the trust levels;
granting or denying access to a first of the information resources based on correspondence between the required trust-level therefor and an authenticated trust level associated with the obtained at least one credential; and
granting or denying access to a second of the information resources based on correspondence between the required trust-level therefor and the authenticated trust level.
(Dependent claims: 37, 38)
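The architecture that the abstract and independent claims 1, 7, 24, 28 and 36 describe, written out as an added example; this is not the patent's own code nor any product implementing it. A gatekeeper sits in front of every resource, a single credential gathering service serves all of them, a mapping rule ties each trust level to the credential types that establish it, and a session authenticated to one level is admitted without further prompting to every resource whose requirement that level meets. The trust levels, credential types, resource paths, verification secrets and scripted client are all constructed assumptions for illustration.

```python
"""Trust-level mapped single sign-on (constructed example; not the patent's own code)."""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Callable, Dict, List, Optional, Tuple


class TrustLevel(IntEnum):
    """Ordered: a session authenticated to level N satisfies every requirement <= N."""
    NONE = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Mapping rule (claim 7's "encoding"): level -> credential types; assumed, not the patent's.
CREDENTIAL_TYPES_FOR_LEVEL: Dict[TrustLevel, Tuple[str, ...]] = {
    TrustLevel.LOW: ("password",),
    TrustLevel.MEDIUM: ("password+otp",),
    TrustLevel.HIGH: ("x509-certificate", "smartcard"),
}
LEVEL_FOR_CREDENTIAL_TYPE: Dict[str, TrustLevel] = {
    c: lvl for lvl, ctypes in CREDENTIAL_TYPES_FOR_LEVEL.items() for c in ctypes}
RESOURCE_REQUIREMENTS = {  # constructed sample resources and their required levels
    "/wiki": TrustLevel.LOW, "/payroll": TrustLevel.MEDIUM, "/hsm-admin": TrustLevel.HIGH}


@dataclass(frozen=True)
class Credential:
    ctype: str
    principal: str
    secret: str


@dataclass
class Session:
    principal: Optional[str] = None
    trust_level: TrustLevel = TrustLevel.NONE   # raised only after verification
    verified_types: List[str] = field(default_factory=list)


class CredentialGatheringService:
    def __init__(self, verifiers: Dict[str, Callable[[Credential], bool]],
                 present: Callable[[str], Optional[Credential]]):
        self.verifiers = verifiers   # credential type -> verification routine
        self.present = present       # asks the client for a credential of a given type

    def select_credential_type(self, required: TrustLevel) -> str:
        # Selection logic: the weakest type whose level still reaches the requirement.
        candidates = [c for c, lvl in LEVEL_FOR_CREDENTIAL_TYPE.items() if lvl >= required]
        return min(candidates, key=lambda c: LEVEL_FOR_CREDENTIAL_TYPE[c])  # ValueError if none

    def step_up(self, session: Session, required: TrustLevel) -> bool:
        ctype = self.select_credential_type(required)
        cred = self.present(ctype)
        # Other types are refused: the mapping rule, not the client, decides what satisfies the level.
        if cred is None or cred.ctype != ctype or not self.verifiers[ctype](cred):
            return False
        if session.principal not in (None, cred.principal):
            return False   # a step-up must not switch identities mid-session
        session.principal = cred.principal
        session.verified_types.append(ctype)
        # Level is the maximum over verified credentials, never a sum of weak ones.
        session.trust_level = max(session.trust_level, LEVEL_FOR_CREDENTIAL_TYPE[ctype])
        return True


class Gatekeeper:
    def __init__(self, cgs: CredentialGatheringService):
        self.cgs = cgs   # the one log-on service every resource redirects to

    def request(self, session: Session, resource: str) -> str:
        required = RESOURCE_REQUIREMENTS[resource]
        if session.trust_level >= required:
            return "granted"   # sufficient level already: no further credentials asked
        return "granted" if self.cgs.step_up(session, required) else "denied"


# Constructed fixtures: demo secrets and a scripted client, not real verifiers.
VERIFIERS = {"password": lambda c: c.secret == "hunter2",
             "password+otp": lambda c: c.secret == "hunter2:123456",
             "x509-certificate": lambda c: c.secret == "cert:alice",
             "smartcard": lambda c: c.secret == "piv:alice"}
ALICE = {"password": Credential("password", "alice", "hunter2"),   # holds no HIGH credential
         "password+otp": Credential("password+otp", "alice", "hunter2:123456")}


def run_session() -> Tuple[List[str], TrustLevel, List[str]]:
    """Step-up across resources with differing requirements, one session throughout."""
    gk, s = Gatekeeper(CredentialGatheringService(VERIFIERS, ALICE.get)), Session()
    results = [gk.request(s, r) for r in ("/wiki", "/wiki", "/payroll", "/wiki", "/hsm-admin")]
    return results, s.trust_level, s.verified_types


def run_downgrade_attempt() -> Tuple[str, TrustLevel]:
    """Client answers the MEDIUM challenge with its LOW credential: must be refused."""
    cgs = CredentialGatheringService(VERIFIERS, lambda _t: ALICE["password"])
    gk, s = Gatekeeper(cgs), Session()
    return gk.request(s, "/payroll"), s.trust_level
```

Two checks in the gathering service carry the security of the scheme. First, the session's trust level is the maximum over credentials the service itself verified, so two LOW credentials never add up to MEDIUM and nothing the client asserts about itself is consulted. Second, the service refuses any credential whose type differs from the one its mapping rule selected, which is what stops a client answering a MEDIUM challenge with a password and still having its level raised; `run_downgrade_attempt` exercises exactly that path. A principal change during step-up is also rejected, since a session that holds a LOW credential for one identity must not be promoted on the strength of a stronger credential belonging to another.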
Specification