Credential management
Abstract
Described herein is an implementation of a technology for managing credentials. With such an implementation, a credential manager is domain-authentication aware, and concurrent authentications with multiple independent networks (e.g., domains) may be established and maintained. Moreover, the credential manager provides a credential model retrofit for legacy applications that only understand the password model. The manager provides a mechanism whereby the application is only a “blind courier” of credentials between the trusted part of the OS and the network and/or network resource. The manager fully insulates the application from “read” access to the credentials. This abstract itself is not intended to limit the scope of this patent. The scope of the present invention is pointed out in the appended claims.
Claims (32)

1. A method for accommodating a legacy application, the legacy application resident on a legacy system having provisions for a low-level credential authorization model which employs username-and-password based authorization, the method comprising:
- obtaining a request from a high-level credential authorization model for a high-level credential to be provided by the legacy application, wherein the high-level credential authorization model does not employ username-and-password based authorization;
- retrieving the requested high-level credential from a database of credentials; and
- marshaling the requested high-level credential, wherein the marshaling is characterized by converting a description of the high-level credential into a format recognizable as a low-level credential by the legacy application employing a low-level credential authorization model, and wherein the marshaling is a mechanism by which a description of the high-level credential is passed through a secured operating system layer using an interface designed to output low-level credentials.
Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. In a computing environment where legacy processes have a provision for low-level credentials but have no provision for high-level credentials, wherein a provision for low-level credentials employs username-and-password based authorization while a provision for high-level credentials does not employ username-and-password based authorization, a method for accommodating such processes comprising:
- obtaining a request for a credential from a legacy process, wherein the requested credential is a high-level credential, which is not username-and-password based;
- retrieving the requested credential from a database;
- converting the requested high-level credential into a format approximating a low-level credential and representative of the requested high-level credential; and
- passing a description of the high-level credential through a secured operating system layer using an interface designed to output low-level credentials.
Dependent claims: 10, 11, 12, 13.
14. A method for authenticating a user to a network, the method comprising:
- using an interface designed to output low-level credentials;
- obtaining a request for a high-level credential to authenticate the user to access a resource within the network, wherein the resource requires an appropriate high-level credential before the user may access the resource;
- locating the appropriate high-level credential;
- passing a description of the high-level credential through a secured operating system layer using said interface so that the high-level credential is formatted as a low-level credential; and
- returning the appropriate high-level credential to the resource within the network, so that the resource allows the user to access such resource;
wherein the obtaining, locating, passing, and returning are performed without user interaction so that the user need not be aware that such steps are being performed.
Dependent claims: 15, 16.
17. A credential management architecture, comprising:
- a trusted computing base (TCB) that has full access to persisted credentials, the TCB being configured to interact with an untrusted computing layer (UTCL) that accesses the persisted credentials via the TCB, the TCB comprising:
  - a credential management module configured to receive requests from the UTCL for a high-level credential for a resource, the high-level credential being associated with a user and not being username-and-password based authorization;
  - a credential database associated with the user, wherein credentials are persisted within the database, the credential management module being configured to retrieve credentials from the database; and
  - an interface that performs marshaling, wherein marshaling is characterized by converting a description of the high-level credential into a format recognizable as a low-level credential by the legacy application.
Dependent claims: 18, 19, 20.
21. An apparatus comprising:
- a processor; and
- a marshaller executable on the processor to:
  - obtain a high-level credential, wherein a high-level credential is employed in an authorization model which is not username-and-password based authorization;
  - convert the high-level credential to generate a representation of the high-level credential that is formatted as a low-level credential so that it appears to be a conventional username and password pair; and
  - pass a description of the high-level credential through a secured operating system layer using an interface designed to output low-level credentials.
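The following Python is an added illustration, not code from the patent, of the "blind courier" flow described in the abstract and in claims 17 and 21: the trusted side hands the legacy application a username/password-shaped pair that is really a one-time handle plus an integrity tag, and only the secured layer exchanges that pair for the real credential. The MARSHAL_PREFIX marker, the HMAC tag and the in-memory credential database are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Hypothetical marker telling the secured layer that a "username" is a marshaled
# handle rather than an account name (assumption of this example, not the patent's).
MARSHAL_PREFIX = "@@HLCRED:"


class TrustedCredentialManager:
    """Models the TCB side: the only component that ever reads a credential."""
    def __init__(self):
        self._db = {}       # target resource -> high-level credential (the secret)
        self._handles = {}  # one-time handle -> target resource
        self._mac_key = secrets.token_bytes(32)

    def persist(self, target, high_level_cred):
        self._db[target] = high_level_cred

    def marshal(self, target):
        """Return a (username, password)-shaped pair for the legacy app to carry:
        a fresh handle plus an HMAC tag, containing no part of the credential."""
        if target not in self._db:
            raise KeyError(f"no credential persisted for {target}")
        handle = secrets.token_hex(16)
        self._handles[handle] = target
        tag = hmac.new(self._mac_key, handle.encode(), hashlib.sha256).hexdigest()
        return MARSHAL_PREFIX + handle, tag

    def unmarshal(self, username, password):
        """Secured OS layer side: swap a handle back for the real credential.
        Returns None when the pair is an ordinary username/password logon."""
        if not username.startswith(MARSHAL_PREFIX):
            return None
        handle = username[len(MARSHAL_PREFIX):]
        expected = hmac.new(self._mac_key, handle.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, password):
            raise PermissionError("marshaled credential failed integrity check")
        target = self._handles.pop(handle, None)  # single use, so a replay is refused
        if target is None:
            raise PermissionError("unknown or already-consumed handle")
        return self._db[target]


def legacy_app_logon(manager, target):
    """Untrusted legacy app as blind courier: it requests a credential, forwards the
    pair unchanged and never sees the secret. Returns (pair carried, credential delivered)."""
    username, password = manager.marshal(target)       # looks like a password logon
    delivered = manager.unmarshal(username, password)  # happens below the app, in the OS layer
    return (username, password), delivered
```

The property a defender cares about is checkable on the pair itself: the credential bytes never appear in what the application carries, and an altered or replayed pair is refused at the secured layer.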
22. An accommodation system comprising:
- a request obtainer configured to obtain a request for a high-level credential from a low-level-credential application, wherein low-level credentials utilize username-and-password based authorization while high-level credentials do not employ username-and-password based authorization;
- a credential retriever configured to retrieve the requested credential from a database of credentials; and
- a marshaler configured to marshal the requested credential and return the marshaled credential to the low-level-credential application, wherein marshaling performed by the marshaler is characterized by converting a description of the high-level credential into a format recognizable as a low-level credential by the low-level-credential application employing a low-level credential authorization model and passing a description of the high-level credential through a secured operating system layer using an interface designed to output low-level credentials.
Dependent claims: 23, 24, 25.
26. A system for authenticating a user to a network, the system comprising:
- a request obtainer configured to obtain a request for a high-level credential to authenticate the user to access a resource within the network, wherein the resource requires an appropriate credential before the user may access the resource, and wherein a high-level credential does not utilize username-and-password based authorization;
- a credential retriever configured to retrieve the appropriate high-level credential from a database of credentials;
- a credential marshaler configured to generate a representation of the high-level credential formatted as a low-level credential so that it appears to be a conventional username and password pair to a low-level-credential application, wherein a low-level credential utilizes username-and-password based authorization, and to pass a description of the high-level credential through a secured operating system layer using an interface designed to output low-level credentials; and
- a credential returner configured to return the marshaled high-level credential to the resource within the network, so that the resource allows the user to access such resource;
wherein the obtainer, retriever, marshaler, and returner are further configured to operate without user interaction.
Dependent claims: 27, 28.
29. An application programming interface (API) method comprising:
- receiving a CredUI-promptfor-credentials call having a set of parameters comprising a TargetName, Context, AuthFlags, and Flags;
- retrieving the parameters from the call to determine a specified resource;
- obtaining a high-level credential;
- associating the high-level credential with the specified resource;
- persisting the high-level credential into a database while maintaining the credential's association with the specified resource; and
- passing a description of a high-level credential, in place of the low-level credential, through a secured operating system layer using an interface designed to output low-level credentials.
Dependent claims: 30.
31. An application programming interface (API) method comprising:
- receiving a CredUI-promptfor-credentials call having a set of parameters comprising a TargetName, UserName, Password, and Flags;
- retrieving the parameters from the call to determine a requesting application;
- obtaining a request from the application for a high-level credential; and
- passing a description of a high-level credential, in a format representing a low-level credential, through a secured operating system layer using an interface designed to output low-level credentials.
Dependent claims: 32.