Credential collection in an authentication server employing diverse authentication schemes

US 8,806,589 B2
Filed: 06/19/2012
Issued: 08/12/2014
Est. Priority Date: 06/19/2012
Status: Active Grant

First Claim

Patent Images

1. An authentication server comprising:

an access manager to receive an authentication request for a user seeking access to a resource, and to identify that a first authentication scheme is to be used for authenticating said user before allowing access to said resource,wherein said first authentication scheme specifies that all of a first set of credentials, and a second set of credentials and a third set of credentials are to be collected and checked for processing said authentication request; and

a custom module to send to said access manager a first command indicating said first set of credentials to be collected, wherein said custom module implements said first authentication scheme,said access manager, in response to receiving of said first command collecting said first set of credentials from said user, and checking, in combination with said custom module, whether said first set of credentials authenticates said user,said custom module to send to said access manager a second command after said checking, said second command indicating said second set of credentials to be collected,said access manager, in response to receiving of said second command, collecting said second set of credentials from said user and checking, in combination with said custom module, whether said second set of credentials authenticates said user,wherein said access manager is designed to perform said collecting and said checking in response to receiving only of a specific set of commands, wherein commands that are not included in said specific set are unknown commands, said specific set of commands including said first command and said second command,said custom module to send to said access manager a third command,said access manager to determine that said third command received from said custom module is not included in said specific set of commands and is accordingly an unknown command, wherein said access manager forwards unknown commands including said third command to a credential collection module and receives said third set of credentials from said credential collection module in response to forwarding said third command,wherein said access manager sends said third set of credentials to said custom module,wherein said authentication server operates to support unknown commands, including said third command, without having to modify a program logic of said access manager,wherein, in response to said first authentication scheme specifying that said first set of credentials, said second set of credentials, and said third set of credentials are to be collected and checked for processing said authentication request, said custom module sends said first command, said second command, and said third command, andsaid access manager, in combination with said custom module, collects and checks all of said first set of credentials, said second set of credentials, and said third set of credentials to process said authentication request.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An aspect of the present invention facilitates flexible credential collection in an authentication server employing diverse authentication schemes. In an embodiment, an access manager in the authentication server determines that an authentication scheme is to be used for allowing access to a resource requested by a user. A custom module (implementing the authentication scheme) in the authentication server then sends to the access manager commands indicating corresponding sets of credentials to be collected. The access manager, in response to receiving each command, collects the corresponding credentials from the user and checks whether the collected credentials authenticates the user. The custom module sends each command after the checking of the previously collected credentials. Accordingly, a developer of the custom module is enabled to request for and to perform the authentication of the user based on different sets of credentials.

21 Citations

View as Search Results

17 Claims

1. An authentication server comprising:
- an access manager to receive an authentication request for a user seeking access to a resource, and to identify that a first authentication scheme is to be used for authenticating said user before allowing access to said resource,wherein said first authentication scheme specifies that all of a first set of credentials, and a second set of credentials and a third set of credentials are to be collected and checked for processing said authentication request; and
  
  a custom module to send to said access manager a first command indicating said first set of credentials to be collected, wherein said custom module implements said first authentication scheme,said access manager, in response to receiving of said first command collecting said first set of credentials from said user, and checking, in combination with said custom module, whether said first set of credentials authenticates said user,said custom module to send to said access manager a second command after said checking, said second command indicating said second set of credentials to be collected,said access manager, in response to receiving of said second command, collecting said second set of credentials from said user and checking, in combination with said custom module, whether said second set of credentials authenticates said user,wherein said access manager is designed to perform said collecting and said checking in response to receiving only of a specific set of commands, wherein commands that are not included in said specific set are unknown commands, said specific set of commands including said first command and said second command,said custom module to send to said access manager a third command,said access manager to determine that said third command received from said custom module is not included in said specific set of commands and is accordingly an unknown command, wherein said access manager forwards unknown commands including said third command to a credential collection module and receives said third set of credentials from said credential collection module in response to forwarding said third command,wherein said access manager sends said third set of credentials to said custom module,wherein said authentication server operates to support unknown commands, including said third command, without having to modify a program logic of said access manager,wherein, in response to said first authentication scheme specifying that said first set of credentials, said second set of credentials, and said third set of credentials are to be collected and checked for processing said authentication request, said custom module sends said first command, said second command, and said third command, andsaid access manager, in combination with said custom module, collects and checks all of said first set of credentials, said second set of credentials, and said third set of credentials to process said authentication request.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The authentication server of claim 1,wherein for said checking each set of said first set of credentials, said second set of credentials and said third set of credentials, said access manager sends the corresponding set of credentials to said custom module,wherein said custom module, in response to receiving the corresponding set of credentials from said access manager, determines whether the corresponding set of credentials authenticate said user, and sends a status of authentication to said access manager,wherein said status of authentication is said second command in response to receiving said first set of credentials, said third command in response to receiving said second set of credentials, and a result of authentication in response to receiving said third set of credentials and determining that said first set of credentials, said second set of credentials and said third set of credentials together authenticate said user.
  - 3. The authentication server of claim 1, further comprising:
    - a user interface module to provide a set of user interface elements for collecting said third set of credentials,wherein said credential collection module interfaces with said user interface module in response to receiving of said third command, and thereby collect said third set of credentials using said set of user interface elements.
  - 4. The authentication server of claim 3, wherein said custom module is implemented according to a plug-in architecture,wherein said credential collection module and said user interface module are implemented within said authentication server.
  - 5. The authentication server of claim 4, wherein said specific set of commands comprise a command for collecting a combination of user identifier and password, and a command for collecting an electronic file representing a digital certificatewherein said third command is for collecting a one time password (OTP).
  - 6. The authentication server of claim 3, wherein said credential collection module and said user interface module are provided in a client system from which said authentication request is received, said client system being implemented external to said authentication server.

7. A non-transitory machine readable medium storing one or more sequences of instructions for causing an authentication server to authenticate users, said one of more sequences of instructions comprising:
- a first set of instructions representing an access manager to receive an authentication request for a user seeking access to a resource, and to identify that a first authentication scheme is to be used for authenticating said user before allowing access to said resource,wherein said first authentication scheme specifies that all of a first set of credentials, a second set of credentials and a third set of credentials are to be collected and checked for processing said authentication request; and
  
  a second set of instructions representing a custom module implementing said first authentication scheme, said custom module to send to said access manager a first command and a second command, wherein said first command indicates that said first set of credentials is to be collected and said second command indicates that said second set of credentials is to be collected,said access manager, in response to receiving of said first command, to collect said first set of credentials from said user and to check, in combination with said custom module, whether said first set of credentials authenticates said user,said access manager, in response to receiving of said second command, to collect said second set of credentials from said user and to check, in combination with said custom module, whether said second set of credentials authenticates said user,wherein said custom module sends to said access manager said second command after said checking of said first set of credentials collected from said user,wherein said access manager is designed to perform said collecting and said checking in response to receiving only of a specific set of commands, wherein commands that are not included in said specific set are unknown commands, said specific set of commands including said first command and said second command,said custom module to send to said access manager a third command,said access manager to determine that said third command received from said custom module is not included in said specific set of commands and is accordingly an unknown command, wherein said access manager forwards unknown commands including said third command to a credential collection module and receives said third set of credentials from said credential collection module in response to forwarding said third command,wherein said access manager sends said third set of credentials to said custom module,wherein said authentication server operates to support unknown commands, including said third command, without having to modify a program logic of said access managerwherein, in response to said first authentication scheme specifying that said first set of credentials, said second set of credentials and said third set of credentials are to be collected and checked for processing said authentication request, said custom module sends said first command, said second command and said third command andsaid access manager collects and checks all of said first set of credentials, said second set of credentials and said third set of credentials to process said authentication request.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The non-transitory machine readable medium of claim 7, wherein for said checking each set of said first set of credentials, said second set of credentials and said third set of credentials, said access manager sends the corresponding set of credentials to said custom module,wherein said custom module, in response to receiving the corresponding set of credentials from said access manager, determines whether the corresponding set of credentials authenticate said user, and sends a status of authentication to said access manager,wherein said status of authentication is said second command in response to receiving said first set of credentials, said third command in response to receiving said second set of credentials, and a result of authentication in response to receiving said third set of credentials and determining that said first set of credentials, said second set of credentials and said third set of credentials together authenticate said user.
  - 9. The non-transitory machine readable medium of claim 8, said one or more sequences of instructions further comprising:
    - a third set of instructions representing a user interface module to provide a set of user interface elements for collecting said third set of credentials,wherein said credential collection module interfaces with said user interface module in response to receiving of said third command, and thereby collect said third set of credentials using said set of user interface elements.
  - 10. The non-transitory machine readable medium of claim 9, wherein said custom module is implemented according to a plug-in architecture,wherein said credential collection module and said user interface module are implemented within said authentication server.
  - 11. The non-transitory machine readable medium of claim 9, wherein said credential collection module and said user interface module are provided in a client system from which said authentication request is received, said client system being implemented external to said authentication server.

12. A method of authenticating users, said method being performed by an access manager in an authentication server, said method comprising:
- receiving an authentication request for a user seeking access to a resource;
  
  identifying a first authentication scheme to be used for authenticating said user before allowing access to said resource, wherein said first authentication scheme specifies that all of a first set of credentials, a second set of credentials and a third set of credentials are to be collected and checked for processing said authentication request;
  
  notifying a custom module implementing said first authentication scheme;
  
  receiving from said custom module, a first command indicating that said first set of credentials is to be collected;
  
  in response to said receiving of said first command, collecting said first set of credentials from said user and checking, in combination with said custom module, whether said first set of credentials authenticates said user;
  
  after said checking, receiving from said custom module, a second command indicating that said second set of credentials is to be collected;
  
  in response to said receiving of said second command, collecting said second set of credentials from said user and checking, in combination with said custom module, whether said second set of credentials authenticates said user,wherein said access manager is designed to perform said collecting and said checking in response to receiving only of a specific set of commands, wherein commands that are not included in said specific set are unknown commands, said specific set of commands including said first command and said second command;
  
  receiving from said custom module, a third command indicating that said third set of credentials is to be collected;
  
  determining that said third command is not contained in said specific set of commands and is accordingly an unknown command;
  
  forwarding unknown commands including said third command to a credential collection module, wherein said credential collection module is designed to collect said third set of credentials in response to said third command; and
  
  interfacing with said credential collection module for collecting said third set of credentials from said user and checking whether said third set of credentials authenticates said user by sending said third set of credentials to said custom module,wherein said authentication server operates to support unknown commands including said third command, without having to modify a program logic of said access manager,wherein, in response to said first authentication scheme specifying that said first set of credentials, said second set of credentials and said third set of credentials are to be collected and checked for processing said authentication request, said custom module sends said first command, said second command and said third command andsaid access manager collects and checks all of said first set of credentials, said second set of credentials and said third set of credentials to process said authentication request.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The method of claim 12, wherein said checking of each set of said first set of credentials, said second set of credentials and said third set of credentials is performed by said custom module, said access manager sending the corresponding set of credentials to said custom module,wherein said custom module, in response to receiving the corresponding set of credentials from said access manager, determines whether the corresponding set of credentials authenticate said user, and sends a status of authentication to said access manager,wherein said status of authentication is said second command in response to receiving said first set of credentials, said third command in response to receiving said second set of credentials, and a result of authentication in response to receiving said third set of credentials and determining that said first set of credentials, said second set of credentials and said third set of credentials together authenticate said user.
  - 14. The method of claim 13, wherein said forwarding further comprises forwarding said third command to an user interface module designed to provide a set of user interface elements for collecting said third set of credentials,wherein said interfacing further comprises interfacing with said user interface module to collect said third set of credentials using said set of user interface elements.
  - 15. The method of claim 14, wherein said credential collection module and said user interface module are provided in a client system from which said authentication request is received, said client system being implemented external to said authentication server.
  - 16. The method of claim 14, wherein said custom module is implemented according to a plug-in architecture,wherein said credential collection module and said user interface module are implemented within said authentication server.
  - 17. The method of claim 16, wherein said specific set of commands comprise a command for collecting a combination of user identifier and password, and a command for collecting an electronic file representing a digital certificatewherein said third command is for collecting a one time password (OTP).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Subramanya, Ramya, Balakrishnan, Aarathi, Chatoth, Vikas Pooven
Primary Examiner(s)
Powers, William
Assistant Examiner(s)
BAYOU, YONAS A

Application Number

US13/526,563
Publication Number

US 20130340054A1
Time in Patent Office

784 Days
Field of Search

726/5
US Class Current

726/5
CPC Class Codes

G06F 21/33 using certificates

Credential collection in an authentication server employing diverse authentication schemes

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

21 Citations

17 Claims

Specification

Use Cases

Quick Links

Others

Credential collection in an authentication server employing diverse authentication schemes

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

21 Citations

17 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others