Identity validation

US 8,069,476 B2
Filed: 06/01/2006
Issued: 11/29/2011
Est. Priority Date: 06/01/2006
Status: Active Grant

First Claim

Patent Images

1. A machine-implemented method to execute on a machine, comprising:

receiving, by the machine, a sign-on token from a principal;

requesting, by the machine, first principal attributes from an identity service, types for the attributes and the attributes are defined by a specific policy that is evaluated and the attributes include identifying information for the principal, the identity service manages and supplies authentication services over a network for the principal and the first principal attributes previously provided to the identity service by the principal when the principal authenticated to the identity service for single sign on service;

acquiring, by the machine, second principal attributes from the principal when the principal is making a first access attempt of the method and on subsequent accesses the second principal attributes are acquired from a repository on behalf of the principal without requiring interaction with the principal;

validating, by the machine, the principal for access when the first principal attributes selectively match the second principal attributes based on a policy that drives selective comparisons between the first principal attributes and the second principal attributes, an independent assessment of the principal is performed via the selective match even when the principal is authenticated for initial access pursuant to the sign-on token, the subsequent accesses requiring no interaction with the principal to perform the independent assessment detecting, by the machine, an event defined by a second policy during principal access;

requesting, by the machine, an updated version of the first principal attributes from the identity service based on an event type for the event; and

terminating, by the machine, the principal access when the updated version does not match the second principal attributes.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for validating identities are provided. A sign-on request is authenticated for a given principal. Attributes associated with that principal are acquired from an identity service and compared against local maintained attributes for that principal. If the identity-service acquired attributes match the local attributes, then the principal is validated for access. During principal access, selective events drive updates to the identity-service acquired attributes, and the comparison with the local attributes is performed again to determine whether the validated principal is to be invalidated or is to remain validated.

Citations

8 Claims

1. A machine-implemented method to execute on a machine, comprising:
- receiving, by the machine, a sign-on token from a principal;
  
  requesting, by the machine, first principal attributes from an identity service, types for the attributes and the attributes are defined by a specific policy that is evaluated and the attributes include identifying information for the principal, the identity service manages and supplies authentication services over a network for the principal and the first principal attributes previously provided to the identity service by the principal when the principal authenticated to the identity service for single sign on service;
  
  acquiring, by the machine, second principal attributes from the principal when the principal is making a first access attempt of the method and on subsequent accesses the second principal attributes are acquired from a repository on behalf of the principal without requiring interaction with the principal;
  
  validating, by the machine, the principal for access when the first principal attributes selectively match the second principal attributes based on a policy that drives selective comparisons between the first principal attributes and the second principal attributes, an independent assessment of the principal is performed via the selective match even when the principal is authenticated for initial access pursuant to the sign-on token, the subsequent accesses requiring no interaction with the principal to perform the independent assessment detecting, by the machine, an event defined by a second policy during principal access;
  
  requesting, by the machine, an updated version of the first principal attributes from the identity service based on an event type for the event; and
  
  terminating, by the machine, the principal access when the updated version does not match the second principal attributes.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, wherein acquiring further includes obtaining the second principal attributes directly from the principal when the sign-on token represents a first access attempt by the principal.
  - 3. The method of claim 1, wherein requesting further includes requesting the first principal attributes in response to another policy.
  - 4. The method of claim 1, wherein detecting further includes identifying the event as at least one of an attempt by the principal to access a sensitive resource and an attempt by the principal to acquire single sign-on status for purposes of accessing a different service.

5. A machine-implemented method to execute on a machine, comprising:
- detecting, by the machine, an event during a session with a principal the event detected based on evaluation of a policy and is detected as a federated identity request made by the principal;
  
  evaluating, by the machine, a second policy in response to the event the second policy resolved based on an event type for the event;
  
  acquiring, by the machine, first attributes from an identity service based on the second policy that defines types of attributes and the attributes defining indentifying information for the principal, the first attributes previously supplied to the identity service, which provides authentication services, when the principal authenticated to the identity service for single sign-on;
  
  selectively comparing based on the policy, by the machine, the first attributes against second attributes, the second attributes separately supplied by the principal during a first access to the method by the principal and the second attributes to further authenticate the principal during the session and the second attributes retained for subsequent access attempts to the method by the principal after the first access, the subsequent access requiring no interaction with the principal to perform an independent assessment of the first attributes against the second attributes; and
  
  deciding, by the machine, to terminate the session when the policy prohibits or when the first attributes do not match to and are not the same as the second attributes, an independent assessment of the principal is performed via the match of the first attributes to the second attributes even when the principal is authenticated for initial access to the single sign-on.
- View Dependent Claims (6, 7, 8)
- - 6. The method of claim 5, wherein detecting further includes recognizing the event as at least one of a single sign-on request by the principal to access another service, and an attempt by the principal to access a restricted resource.
  - 7. The method of claim 5, wherein evaluating further includes deciding whether the event warrants terminating the session of the principal or whether the event is acceptable.
  - 8. The method of claim 5 further comprising, ignoring, by the machine, the event and permitting the session to continue unabated when the policy permits and when the first attributes match the second attributes.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Novell Incorporated (Open Text Corporation)
Inventors
Morris, Cameron Craig, Kinser, Stephen Hugh, Burch, Lloyd Leon
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
Durham; Imhotep

Application Number

US11/444,945
Publication Number

US 20070283424A1
Time in Patent Office

2,007 Days
Field of Search

726/5, 726/6, 726/8, 726/10, 726/12
US Class Current

726/8
CPC Class Codes

G06F 21/31 User authentication

Identity validation

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

8 Claims

Specification

Solutions

Use Cases

Quick Links

Identity validation

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

8 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links