Log-on service providing credential level change without loss of session continuity

US 6,944,761 B2
Filed: 08/19/2003
Issued: 09/13/2005
Est. Priority Date: 08/05/1999
Status: Expired due to Term

First Claim

Patent Images

1. A method for providing credential level change in a security architecture, the method comprising:

obtaining a first credential for a client entity and authenticating the client entity thereby;

accessing a first of plural information resources;

if the client entity is sufficiently authenticated for access to a second of the information resources, accessing the second information resource; and

otherwise, obtaining a second credential for the client entity and authenticating the client entity thereby, the second credential sufficiently authenticating the client entity for access to the second information resource; and

thereafter accessing the second information resource, wherein the accesses to first and second information resources are performed within a persistent session context and wherein the second credential obtaining and client entity authenticating are performed without loss of session continuity.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security architecture has been developed in which a single sign-on is provided for multiple information resources. Rather than specifying a single authentication scheme for all information resources, the security architecture associates trust-level requirements with information resources. Authentication schemes (e.g., those based on passwords, certificates, biometric techniques, smart cards, etc.) are employed depending on the trust-level requirement(s) of an information resource (or information resources) to be accessed. Once credentials have been obtained for an entity and the entity has been authenticated to a given trust level, access is granted, without the need for further credentials and authentication, to information resources for which the authenticated trust level is sufficient.

82 Citations

View as Search Results

26 Claims

1. A method for providing credential level change in a security architecture, the method comprising:
- obtaining a first credential for a client entity and authenticating the client entity thereby;
  
  accessing a first of plural information resources;
  
  if the client entity is sufficiently authenticated for access to a second of the information resources, accessing the second information resource; and
  
  otherwise, obtaining a second credential for the client entity and authenticating the client entity thereby, the second credential sufficiently authenticating the client entity for access to the second information resource; and
  
  thereafter accessing the second information resource, wherein the accesses to first and second information resources are performed within a persistent session context and wherein the second credential obtaining and client entity authenticating are performed without loss of session continuity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. A method as in claim 1, further comprising:
    - issuing the client entity at least one session token for identifying the persistent session context to the security architecture.
  - 3. A method as in claim 1, further comprising:
    - issuing to the client entity at least first and second session tokens, the first token after the first credential authenticating and the second token after the second credential authenticating, wherein the first and second session tokens both correspond to the persistent session context.
  - 4. A method as in claim 3,wherein the client entity includes a browser operated by a principal;
    - and wherein the session token is cryptographically secured and encoded in cookie supplied to the browser.
  - 5. A method as in claim 1, further comprising:
    - prior to the first credential obtaining, receiving a request from the client entity to access the first information resource; and
      
      after the client entity authenticating by the first credential, issuing the client entity a session token for identifying the persistent session context to the security architecture.
  - 6. A method as in claim 5,wherein the access request receiving and the first information resource accessing are performed by a proxy.
  - 7. A method as in claim 1, further comprising:
    - establishing the persistent session context prior to the first authenticating.
  - 8. A method as in claim 1, further comprising:
    - before the authenticating by the second credential, accessing a third of the information resources, the first credential sufficiently authenticating the client entity for access to the first and third information resources.
  - 9. A method as in claim 1,wherein, after the authenticating by the second credential, the client entity is sufficiently authenticated to access both the first and second information resources.
  - 10. A method as in claim 1, embodied as a computer program product encoded by or transmitted in at least one computer readable medium selected from the set of a disk, tape or other magnetic, optical, or electronic storage medium and a network, wireline, wireless or other communications medium.

11. In a networked information environment having plural information resources with potentially differing authentication requirements, a method of providing a sign-on common to the information resources, the method comprising:
- authenticating a client entity using a first credential;
  
  issuing a session token corresponding to a session of the client entity;
  
  allowing access using the session token to first and second, but not a third, of the information resources;
  
  upgrading the session token after authenticating with a second credential; and
  
  thereafter, without loss of session continuity, allowing access using the upgraded session token to the first, second and third information resources.
- View Dependent Claims (12, 13, 14, 15)
- - 12. A method as in claim 11,wherein the session token and the upgraded session token both resolve to a same session object, the same session object maintaining a consistent session state spanning the upgrading.
  - 13. A method as in claim 11,wherein the client entity includes a browser.
  - 14. A method as in claim 11,wherein the first and the second credentials are selected from a set including usemame password pairs, digital certificates, encrypted credentials based on asymmetric, symmetric, public, private, or secret key technologies, one-time passwords, biometric credentials based on retinal scan, voice print, or finger print, and possession based credentials embodied in smart cards, Enigma cards or keys;
    - the second credential corresponding to a higher trust level than the first.
  - 15. A method as in claim 11, embodied as a computer program product encoded by or transmitted in at least one computer readable medium selected from the set of a disk, tape or other magnetic, optical, or electronic storage medium and a network, wireline, wireless or other communications medium.

16. In a networked information environment having plural authentication levels for access to one or more information resources, a method for providing a persistent session interface thereto, the method comprising:
- authenticating an entity to a first authentication level and associating a unique session identifier with the entity;
  
  after association of the unique session identifier, authenticating the entity to a second authentication level and maintaining the association of the unique session identifier with the entity; and
  
  thereafter allowing access, using the unique session identifier, to the information resources at the second authentication level.
- View Dependent Claims (17, 18, 19, 20, 21)
- - 17. A method as in claim 16,wherein the unique session identifier is encoded in one or more session tokens issued to the entity.
  - 18. A method as in claim 16, further comprising:
    - after the authenticating to the first authentication level, accessing, using the unique session identifier, a first of the information resources at the first authentication level.
  - 19. A method as in claim 18, further comprising:
    - after the authenticating to the second authentication level, accessing, using the unique session identifier, the first information resource at the second authentication level.
  - 20. A method as in claim 16, further comprising:
    - after the authenticating to the second authentication level, accessing a second information resource at the second authentication level.
  - 21. A method as in claim 16, embodied as a computer program product encoding instructions executable by a computer to perform the authenticating to first and second authentication levels and to perform the access allowing, the computer program product encoded by or transmitted in at least one computer readable medium selected from the set of a disk, tape or other magnetic, optical, or electronic storage medium and a network, wireline, wireless or other communications medium.

22. A secure information system comprising:
- plural information resources hosted on one or more servers coupled via a communication network to a client entity, the plural information resources having individualized authentication requirements; and
  
  a log-on service common to the plural information resources, the common log-on service obtaining a first credential for the client entity, authenticating the client entity thereby, and establishing a session having a first authentication level commensurate with authentication requirements of at least one of the plural information resources, wherein, in response to an access request requiring a second authentication level higher than the first, the common log-on service obtains a second credential for the client entity, authenticates the client entity thereby, and upgrades the session to the second authentication level without loss of session continuity.

23. An access management system providing a single sign-on for sessions that potentially include access to plural information resources having differing security requirements, the access management system comprising:
- a gatekeeper including an authorization interface for determining whether a first authenticated credential associated with client entity and session is consistent with a trust level requirement for a target information resource and, if so, proxying an access thereto; and
  
  means responsive to the gatekeeper for upgrading the session by obtaining and authenticating a second credential to allow access to the target information resource if the first authenticated credential is inconsistent with the trust level requirement, the session upgrade means maintaining session continuity across credential upgrades.

24. A computer program product encoded in computer readable media, the computer program product comprising:
- log-on code executable on a first server as a log-on component to obtain one or more credentials for a client entity, the log-on component including an authentication interface for authenticating the client entity using the obtained one or more credentials; and
  
  gatekeeper code executable on one of the first server and a second server as a gatekeeper component to receive access requests from the client entity, the gatekeeper component including an authorization interface for determining whether an authentication level is consistent with a trust level requirement for a target information resource and, if so, proxying an access thereto, and, if not, redirecting the access to the log-on component for obtaining and authenticating at least one additional credential to allow access to the target information resource.
- View Dependent Claims (25, 26)
- - 25. The computer program product of claim 24, further comprising:
    - authentication code executable as an authentication component to perform the authenticating; and
      
      authorization code executable as an authorization component to determining consistency of authentication levels with trust level requirements.
  - 26. The computer program product of claim 24, encoded by or transmitted in at least one computer readable medium selected from the set of a disk, tape or other magnetic, optical, or electronic storage medium and a network, wireline, wireless or other communications medium.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Original Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Inventors
Wood, David L., Wilson, Yvonne, Ferris, Chris, Soley, William R., Norton, Derk, Weschler, Paul
Primary Examiner(s)
Peeso, Thomas R.

Application Number

US10/643,813
Publication Number

US 20040210771A1
Time in Patent Office

756 Days
Field of Search

713/155, 713/162, 713/169, 713/200, 713/201
US Class Current

713/155
CPC Class Codes

G06F 21/31   User authentication

G06F 21/32   using biometric data, e.g. ...

G06F 21/34   involving the use of extern...

G06F 21/41   where a single sign-on prov...

G06F 21/6209   to a single file or object,...

G06F 2211/009   Trust

G06F 2221/2113   Multi-level security, e.g. ...

H04L 63/0815   providing single-sign-on or...

H04L 63/105   Multiple levels of security

Log-on service providing credential level change without loss of session continuity

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

82 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Log-on service providing credential level change without loss of session continuity

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

82 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links