System, method, and apparatus for managing access to resources across a network
First Claim
1. A system for managing access across a plurality of resources, comprising:
- a user store connector configured to connect to one or more user stores to retrieve attributes;
- an authentication connector configured to communicate with at least one authentication subsystem to authenticate a user to at least one of the plurality of resources through the use of a keychain module, the keychain module being adapted to construct an authentication configuration for the at least one of the plurality of resources by, discovering one or more form elements on the plurality of remote domains wherein discovering the use of at least one of a HTTP basic, HTTP Digest, NTLM, and SSL handler; enabling a single sign-on with a plurality of remote domains comprises, receiving a 401 “Unauthorized” code, turning off the use of the at least one of HTTP basic and HTTP Digest authentication handlers; and cycling through Spring registered authentication handlers and receiving an authentication configuration from at least one of the Spring registered authentication handlers;
- returning an authentication configuration from the plurality of remote domains;
- removing differences between at least one of the plurality of protocols and a plurality of APIs;
- communicating with the at least one of the plurality of resources to construct name/value pairs, and attempting a login on at least one of a plurality of remote domains, and at least one of, identifying in a response from the at least one of the plurality of resources what constitutes a failed login, and saving to the authentication configuration a successful log-in ceremony with the at least one of the plurality of remote domains;
- a policy engine configured to retrieve attributes from the user store connector corresponding to the user and use the attributes to evaluate access policies, which are defined for protection of resources, to determine whether or not the user should be granted access to the resources;
- an admin component that is configured to enable the access policies to be defined relative to attributes and the resources; and
- a policy store configured to store the access policies.
10 Assignments
0 Petitions
Abstract
A system, method and apparatus for managing access across a plurality of applications is disclosed. The system may include a user store connector configured to connect to one or more user stores to retrieve attributes; an authentication connector configured to communicate with at least one authentication subsystem to authenticate a user; a policy engine configured to retrieve attributes from the user store connector corresponding to a user and use the attributes to evaluate access policies, if any, which are defined for protection of resources, to determine whether or not the user should be granted access to the resources; an admin component that is configured to enable the access policies to be defined relative to attributes and the resources; and a policy store configured to store the access policies.
121 Citations
19 Claims
- 1. A system for managing access across a plurality of resources, comprising:
  a user store connector configured to connect to one or more user stores to retrieve attributes; an authentication connector configured to communicate with at least one authentication subsystem to authenticate a user to at least one of the plurality of resources through the use of a keychain module, the keychain module being adapted to construct an authentication configuration for the at least one of the plurality of resources by, discovering one or more form elements on the plurality of remote domains wherein discovering the use of at least one of a HTTP basic, HTTP Digest, NTLM, and SSL handler; enabling a single sign-on with a plurality of remote domains comprises, receiving a 401 “Unauthorized” code, turning off the use of the at least one of HTTP basic and HTTP Digest authentication handlers; and cycling through Spring registered authentication handlers and receiving an authentication configuration from at least one of the Spring registered authentication handlers; returning an authentication configuration from the plurality of remote domains; removing differences between at least one of the plurality of protocols and a plurality of APIs; communicating with the at least one of the plurality of resources to construct name/value pairs, and attempting a login on at least one of a plurality of remote domains, and at least one of, identifying in a response from the at least one of the plurality of resources what constitutes a failed login, and saving to the authentication configuration a successful log-in ceremony with the at least one of the plurality of remote domains; a policy engine configured to retrieve attributes from the user store connector corresponding to the user and use the attributes to evaluate access policies, which are defined for protection of resources, to determine whether or not the user should be granted access to the resources; an admin component that is configured to enable the access policies to be defined relative to attributes and the resources; and a policy store configured to store the access policies.
  - View Dependent Claims (2, 3, 4, 5, 6)
- 7. A method for managing access across a plurality of resources hosted on a plurality of remote domains, the plurality of domains comprising at least one of a plurality of protocols and a plurality of APIs, the method comprising:
  defining access policies for the plurality of resources relative to attributes and resources; receiving, the access policies for the plurality of resources by, connecting to one or more user stores to retrieve attributes, discovering one or more form elements on the plurality of remote domains through discovering the use of at least one of a HTTP basic, HTTP Digest, NTLM, and SSL handler, and returning at least a portion of an authentication configuration from the plurality of remote domains; communicating with a plurality of authentication subsystems to authenticate a user to the plurality of resources through the use of a keychain module, the keychain module being adapted to construct at least one authentication configuration for the plurality of resources by, communicating with the plurality of resources to construct name/value pairs, removing differences between the plurality of protocols and plurality of APIs, attempting a login on the plurality of remote domains, and at least one of, identifying in a response from the plurality of remote domains what constitutes a failed login, receiving a 401 “Unauthorized” code, turning off use of at least one of a HTTP basic and a HTTP Digest authentication handler, cycling through Spring registered authentication handlers and receiving an authentication configuration from at least one of the Spring registered authentication handlers, and saving to the authentication configuration a successful log-in ceremony with the plurality of remote domains; utilizing the attributes to evaluate the access policies to determine whether or not the user should be granted access to the resources; and enabling a single sign-on with the plurality of remote domains.
  - View Dependent Claims (10, 11)
- 8. The method of claim 7, including receiving a request to access one of the resources as a proxy address that differs from the actual address of the resource.
- 9. The method of claim 8, further comprising:
  dropping cookies for the at least one of the plurality of remote domains so that subsequent requests for the at least one of the plurality of remote domains are, comprised of a one-time validation token, and recognized as coming from the user, even if the user requests resources from different domains.
- 12. An apparatus for managing access to a plurality of resources, comprising:
  a request interceptor configured to receive requests from users to access the plurality of resources; an authentication connector configured to communicate with at least one authentication subsystem to authenticate a user to at least one of the plurality of resources through the use of a keychain module, the keychain module being adapted to construct an authentication configuration for the at least one of the plurality of resources by, discovering one or more form elements on the plurality of remote domains wherein discovering the use of at least one of a HTTP basic, HTTP Digest, NTLM, and SSL handler; enabling a single sign-on with a plurality of remote domains comprises, receiving a 401 “Unauthorized” code, turning off the use of the at least one of HTTP basic and HTTP Digest authentication handlers; and cycling through Spring registered authentication handlers and receiving an authentication configuration from at least one of the Spring registered authentication handlers; returning an authentication configuration from the plurality of remote domains; removing differences between at least one of the plurality of protocols and a plurality of APIs; communicating with the at least one of the plurality of resources to construct name/value pairs, and attempting a login on at least one of a plurality of remote domains, and at least one of, identifying in a response from the at least one of the plurality of resources what constitutes a failed login, and saving to the authentication configuration a successful log-in ceremony with the at least one of the plurality of remote domains; a session component configured to initiate an SSO session by triggering authentication with the authentication connector; a user store connector component configured to connect to one or more user stores so as to enable attributes for the user to be retrieved; a policy cache, the policy cache adapted to store a plurality of access policies; and
  a policy engine configured to retrieve attributes from the user store connector corresponding to the user and use the attributes to evaluate the access policies to determine whether or not the user should be granted access to the resources.
  - View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
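The abstract and claims 1, 8 and 12 above describe the same decision path from several angles: a user store connector merges a user's attributes from one or more stores, an admin component defines policies relative to attributes and resources, a policy store (or cache) holds them, and a policy engine evaluates them to decide whether a request (possibly arriving at a proxy address that differs from the resource's actual address) is granted. The following is an added illustration of that attribute-based flow; it is not code from the patent or from any product the patent covers. Every name in it (UserStoreConnector, PolicyStore, AdminComponent, PolicyEngine, RequestInterceptor), the callable policy format, the default-deny rule for unprotected resources and all sample users, attributes and URLs are assumptions constructed for the example.

```python
"""Attribute-based access decision of the kind the claims describe.

Added example, not the patent's or any vendor's code. All component names,
the policy representation and the sample data below are assumptions.
"""
import fnmatch
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Attributes = Dict[str, object]

# Constructed sample user stores: a directory and an HR database that each
# hold part of a user's attributes (stand-ins for LDAP / a SQL source).
SAMPLE_DIRECTORY = {
    "alice": {"department": "finance", "clearance": 3},
    "bob": {"department": "engineering", "clearance": 2},
}
SAMPLE_HR_DB = {"alice": {"mfa_enrolled": True}, "bob": {"mfa_enrolled": False}}


class UserStoreConnector:
    """Connects to one or more user stores and merges the attributes they return."""

    def __init__(self, stores: List[Dict[str, Attributes]]) -> None:
        self.stores = stores

    def attributes(self, user: str) -> Attributes:
        merged: Attributes = {}
        for store in self.stores:          # later stores override earlier ones
            merged.update(store.get(user, {}))
        return merged


@dataclass
class Policy:
    resource_pattern: str                  # glob over the resource's actual address
    description: str
    rule: Callable[[Attributes], bool]     # predicate over the user's attributes


class PolicyStore:
    """Stores access policies; the policy cache of claim 12 would wrap this."""

    def __init__(self) -> None:
        self._policies: List[Policy] = []

    def add(self, policy: Policy) -> None:
        self._policies.append(policy)

    def for_resource(self, resource: str) -> List[Policy]:
        return [p for p in self._policies if fnmatch.fnmatchcase(resource, p.resource_pattern)]


class AdminComponent:
    """Lets an administrator define policies relative to attributes and resources."""

    def __init__(self, store: PolicyStore) -> None:
        self.store = store

    def define(self, pattern: str, description: str, rule: Callable[[Attributes], bool]) -> None:
        self.store.add(Policy(pattern, description, rule))


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


class PolicyEngine:
    """Retrieves the user's attributes and evaluates every policy protecting the resource."""

    def __init__(self, users: UserStoreConnector, policies: PolicyStore) -> None:
        self.users, self.policies = users, policies

    def decide(self, user: str, resource: str) -> Decision:
        attrs = self.users.attributes(user)
        applicable = self.policies.for_resource(resource)
        if not applicable:                 # design choice: unprotected means denied
            return Decision(False, ["no policy protects this resource; default deny"])
        reasons: List[str] = []
        for policy in applicable:          # all applicable policies must pass
            try:
                ok = bool(policy.rule(attrs))
            except (KeyError, TypeError):  # a missing attribute never grants access
                ok = False
            reasons.append(f"{'pass' if ok else 'fail'}: {policy.description}")
            if not ok:
                return Decision(False, reasons)
        return Decision(True, reasons)


class RequestInterceptor:
    """Maps the proxy address a user requested to the resource's actual address
    (claim 8), then asks the engine for a decision on that actual address."""

    def __init__(self, engine: PolicyEngine, proxy_map: Dict[str, str]) -> None:
        self.engine, self.proxy_map = engine, proxy_map

    def resolve(self, requested: str) -> str:
        for proxy_prefix, actual_prefix in self.proxy_map.items():
            if requested.startswith(proxy_prefix):
                return actual_prefix + requested[len(proxy_prefix):]
        return requested                   # direct address: policies keyed on it anyway

    def handle(self, user: str, requested: str) -> Decision:
        return self.engine.decide(user, self.resolve(requested))


def build_demo() -> RequestInterceptor:
    """Wires the components with constructed policies and the sample stores."""
    store = PolicyStore()
    admin = AdminComponent(store)
    admin.define("https://erp.example.test/ledger/*", "finance staff with clearance >= 3",
                 lambda a: a["department"] == "finance" and a["clearance"] >= 3)
    admin.define("https://erp.example.test/*", "MFA enrolment required for ERP",
                 lambda a: a["mfa_enrolled"] is True)
    admin.define("https://wiki.example.test/eng/*", "engineering department only",
                 lambda a: a["department"] == "engineering")
    engine = PolicyEngine(UserStoreConnector([SAMPLE_DIRECTORY, SAMPLE_HR_DB]), store)
    return RequestInterceptor(engine, {"https://portal.example.test/erp/": "https://erp.example.test/"})


if __name__ == "__main__":
    gateway = build_demo()
    for user, url in [("alice", "https://portal.example.test/erp/ledger/2024"),
                      ("bob", "https://portal.example.test/erp/ledger/2024"),
                      ("bob", "https://wiki.example.test/eng/onboarding"),
                      ("bob", "https://unlisted.example.test/")]:
        d = gateway.handle(user, url)
        print(f"{user:6} {url:50} {'ALLOW' if d.allowed else 'DENY ':5} {d.reasons}")
```

Two choices in the example are worth noting for anyone building the real thing. Policies are evaluated against the resource's actual address after the proxy mapping, so a second proxy path to the same backend cannot bypass a rule written for the first. And a policy whose rule cannot be evaluated (an attribute the user stores did not return) fails closed rather than being skipped; the reasons list carries that outcome so the decision can be logged and reviewed.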
Specification