Method and system for providing a federated authentication service with gradual expiration of credentials
First Claim
1. A method for providing a single sign-on service, comprising:
receiving at an authentication server an authentication request from a particular user;
performing an authentication of said particular user at said authentication server;
associating a time-dependent trust level with said authentication, said trust level having at least an initial value;
associating with at least one of a plurality of application servers a required minimum level of trust for a user to be granted access to said at least one application server;
receiving a validation request pertaining to said particular user and said application server;
calculating an updated instantaneous value for said time-dependent trust level associated with said authentication by adjusting the instantaneous value of said trust level based on at least a function of time;
granting said user access to said application server if said updated instantaneous value for said time-dependent trust level exceeds said required minimum level of trust associated with said application server.
Abstract
The present invention relates to the field of authentication of users of services over a computer network, more specifically within the paradigms of federated authentication or single sign-on. A known technique consists of associating different trust levels with different authentication mechanisms, wherein the respective trust levels give access to different information resources, notably to provide the possibility of protecting more sensitive resources with a stronger form of authentication. The present invention provides a mechanism that allows the trust level to decrease without re-authenticating with the single sign-on system, down to the level at which it is no longer sufficient to obtain access to a desired resource. Only then does the user need to re-authenticate.
31 Claims
1. A method for providing a single sign-on service, comprising:
receiving at an authentication server an authentication request from a particular user;
performing an authentication of said particular user at said authentication server;
associating a time-dependent trust level with said authentication, said trust level having at least an initial value;
associating with at least one of a plurality of application servers a required minimum level of trust for a user to be granted access to said at least one application server;
receiving a validation request pertaining to said particular user and said application server;
calculating an updated instantaneous value for said time-dependent trust level associated with said authentication by adjusting the instantaneous value of said trust level based on at least a function of time;
granting said user access to said application server if said updated instantaneous value for said time-dependent trust level exceeds said required minimum level of trust associated with said application server.
Dependent claims 2 to 15.
16. A system for providing a single sign-on service, comprising:
a first receiving agent for receiving an authentication request from a user;
an authentication agent for authenticating said user;
an issuing agent for issuing an authentication ticket for said user, wherein a time-dependent trust level is associated with said authentication ticket, said trust level having at least an initial value;
a second receiving agent for receiving a validation request pertaining to said user from an application server, said request containing a reference to said authentication ticket, and said application server enforcing a required minimum level of trust;
a processor for calculating an updated instantaneous value for said time-dependent trust level associated with said authentication ticket by adjusting the instantaneous value of said trust level based on at least a function of time; and
a sending agent for sending a signal indicative of said calculating to said application server, said application server granting said user access dependent on said updated instantaneous value for said time-dependent trust level exceeding said required minimum level of trust.
Dependent claims 17 to 23.
24. A system for providing a single sign-on service, comprising:
at least one server comprising:
a receiving agent for receiving an authentication request from a user;
an authentication agent for authenticating said user; and
an issuing agent for issuing an authentication ticket for said user, wherein at least one initial trust level and at least one subsequent trust level are associated with said authentication ticket, said subsequent trust level having a lower value than said initial trust level and said subsequent trust level having a validity period extending beyond the validity period of said initial trust level;
wherein each of said at least one server includes at least one of the receiving agent, the authentication agent, or the issuing agent.
Dependent claims 25 and 26.
27. A method for providing a single sign-on service, comprising:
receiving an authentication request from a user;
authenticating said user; and
issuing a layered authentication ticket for said user, wherein a particular trust level and expiry time are associated with each of two or more layers of said authentication ticket, and wherein the expiry time of any particular layer of said two or more layers is set to expire sooner than the expiry times of layers with a lower trust level than the trust level associated with said particular layer.
Dependent claim 28.
29. A method for providing a single sign-on service, comprising:
receiving at an authentication server an authentication request from a particular user;
performing an authentication of said particular user at said authentication server;
associating a time-dependent trust level with said authentication;
associating with at least one of a plurality of application servers a required minimum level of trust for a user to be granted access to said at least one application server;
receiving an access request pertaining to said particular user and said application server;
calculating an updated instantaneous value for said time-dependent trust level associated with said authentication by adjusting the instantaneous value of said trust level based on at least a function of time;
granting said user access to said application server if said updated instantaneous value for said time-dependent trust level exceeds said required minimum level of trust associated with said application server.
Dependent claims 30 and 31.
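The time-dependent trust check of claims 1 and 29 and the layered ticket of claims 24 and 27 fit together naturally: a layered ticket is one concrete realisation of a trust level that decays with time, where the instantaneous trust is the highest level among the layers that have not yet expired and the highest layer expires first. The example below is added here to illustrate that reading and is not code from the patent or from any product; the class names, the linear expiry schedule, the choice that meeting the required minimum is sufficient, and the clock-skew rule are all assumptions.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Layer:
    trust_level: int    # trust granted while this layer is valid
    expires_at: float   # absolute time (seconds) at which this layer expires


@dataclass(frozen=True)
class Ticket:
    user: str
    issued_at: float
    layers: List[Layer]


def issue_layered_ticket(user: str, issued_at: float, initial_trust: int,
                         step_seconds: float, min_trust: int = 1) -> Ticket:
    """Issue a ticket whose layers run from initial_trust down to min_trust.

    Assumed schedule: the highest-trust layer expires after one step, the next
    lower layer after two steps, and so on, so each lower layer outlives the
    layers above it (the ordering claim 27 requires).
    """
    layers = [Layer(level, issued_at + (i + 1) * step_seconds)
              for i, level in enumerate(range(initial_trust, min_trust - 1, -1))]
    return Ticket(user, issued_at, layers)


def layers_well_formed(ticket: Ticket) -> bool:
    """Check the claim 27 invariant: a higher trust layer always expires sooner."""
    return all(a.expires_at < b.expires_at
               for a in ticket.layers for b in ticket.layers
               if a.trust_level > b.trust_level)


def instantaneous_trust(ticket: Ticket, now: float) -> int:
    """Updated trust value as a function of time: the best still-valid layer.

    A ticket presented before its own issue time is treated as fully expired
    (assumed fail-closed handling of clock skew or a replayed ticket).
    """
    if now < ticket.issued_at:
        return 0
    live = [layer.trust_level for layer in ticket.layers if now < layer.expires_at]
    return max(live, default=0)


def validate(ticket: Ticket, required_trust: int, now: float) -> bool:
    """Grant access only if the current trust meets the server's minimum."""
    return instantaneous_trust(ticket, now) >= required_trust
```

An application server that requires trust 2 keeps accepting the ticket after the trust-3 layer has lapsed, while a server requiring trust 3 forces re-authentication at that point, which is the gradual expiration the abstract describes.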