Identity validation
Abstract
Techniques for validating identities are provided. A sign-on request is authenticated for a given principal. Attributes associated with that principal are acquired from an identity service and compared against locally maintained attributes for that principal. If the identity-service acquired attributes match the local attributes, then the principal is validated for access. During principal access, selective events drive updates to the identity-service acquired attributes, and the comparison with the local attributes is performed again to determine whether the validated principal is to be invalidated or is to remain validated.
8 Claims
1. A machine-implemented method to execute on a machine, comprising:
receiving, by the machine, a sign-on token from a principal;
requesting, by the machine, first principal attributes from an identity service, types for the attributes and the attributes are defined by a specific policy that is evaluated and the attributes include identifying information for the principal, the identity service manages and supplies authentication services over a network for the principal and the first principal attributes previously provided to the identity service by the principal when the principal authenticated to the identity service for single sign on service;
acquiring, by the machine, second principal attributes from the principal when the principal is making a first access attempt of the method and on subsequent accesses the second principal attributes are acquired from a repository on behalf of the principal without requiring interaction with the principal;
validating, by the machine, the principal for access when the first principal attributes selectively match the second principal attributes based on a policy that drives selective comparisons between the first principal attributes and the second principal attributes, an independent assessment of the principal is performed via the selective match even when the principal is authenticated for initial access pursuant to the sign-on token, the subsequent accesses requiring no interaction with the principal to perform the independent assessment;
detecting, by the machine, an event defined by a second policy during principal access;
requesting, by the machine, an updated version of the first principal attributes from the identity service based on an event type for the event; and
terminating, by the machine, the principal access when the updated version does not match the second principal attributes.
Dependent claims: 2, 3, 4
5. A machine-implemented method to execute on a machine, comprising:
detecting, by the machine, an event during a session with a principal the event detected based on evaluation of a policy and is detected as a federated identity request made by the principal;
evaluating, by the machine, a second policy in response to the event the second policy resolved based on an event type for the event;
acquiring, by the machine, first attributes from an identity service based on the second policy that defines types of attributes and the attributes defining identifying information for the principal, the first attributes previously supplied to the identity service, which provides authentication services, when the principal authenticated to the identity service for single sign-on;
selectively comparing based on the policy, by the machine, the first attributes against second attributes, the second attributes separately supplied by the principal during a first access to the method by the principal and the second attributes to further authenticate the principal during the session and the second attributes retained for subsequent access attempts to the method by the principal after the first access, the subsequent access requiring no interaction with the principal to perform an independent assessment of the first attributes against the second attributes; and
deciding, by the machine, to terminate the session when the policy prohibits or when the first attributes do not match to and are not the same as the second attributes, an independent assessment of the principal is performed via the match of the first attributes to the second attributes even when the principal is authenticated for initial access to the single sign-on.
Dependent claims: 6, 7, 8
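The flow the claims describe (initial validation under a sign-on token, a policy-driven selective comparison of identity-service attributes against principal-supplied attributes kept in a local repository, and event-driven re-validation that terminates access on mismatch), as an added Python illustration that is not the patent's own code. The IdentityValidator class, the token layout, the policy shapes and the sample principal data are all assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class Session:
    principal: str
    second_attrs: dict   # principal-supplied attributes retained in the repository
    active: bool = True

class IdentityValidator:
    """Hypothetical validator for the claimed flow (not the patent's own code)."""

    def __init__(self, identity_service, compare_policy, event_policy):
        self.identity_service = identity_service  # principal -> first attributes held by the IdP
        self.compare_policy = compare_policy      # attribute types the selective match covers
        self.event_policy = event_policy          # event types that force a refresh of first attrs
        self.repository = {}                      # principal -> second attributes (local copy)

    def selective_match(self, first, second):
        """Compare only the attribute types named by the policy, not every attribute."""
        return all(first.get(k) == second.get(k) for k in self.compare_policy)

    def sign_on(self, token, supplied_attrs=None):
        """Initial access. The token is assumed already verified by the SSO layer."""
        principal = token["sub"]
        if principal not in self.repository:
            if supplied_attrs is None:   # first access: the principal must supply them
                raise ValueError("first access requires principal-supplied attributes")
            self.repository[principal] = dict(supplied_attrs)
        second = self.repository[principal]   # later accesses: no principal interaction
        first = self.identity_service.get(principal, {})
        if not self.selective_match(first, second):
            return None   # independent assessment fails even though the token was valid
        return Session(principal, second)

    def on_event(self, session, event_type):
        """During access: policy-defined events refresh the first attributes and re-compare."""
        if session.active and event_type in self.event_policy:
            updated = self.identity_service.get(session.principal, {})
            if not self.selective_match(updated, session.second_attrs):
                session.active = False   # terminate access on mismatch
        return session.active

# Constructed sample data: one principal at a hypothetical identity service.
IDP = {"alice": {"email": "alice@example.org", "dept": "finance", "mfa": "yes"}}
validator = IdentityValidator(IDP, compare_policy=("email", "dept"),
                              event_policy={"federated_identity_request"})
```

Because the comparison is policy-driven, a change to an attribute outside the policy (here "mfa") does not end the session, while a change to a covered attribute does once a policy-defined event triggers the refresh.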