Access management system using trusted partner tokens

US 8,856,517 B2
Filed: 11/27/2012
Issued: 10/07/2014
Est. Priority Date: 11/27/2012
Status: Active Grant

First Claim

Patent Images

1. A method of using an access manager to establish a communication session between a resource and a user device, the method comprising:

receiving, by the access manager, and from the client system, a registration transmission comprising a client system identifier, wherein;

the client system comprises a software module that is a part of an Enterprise Software System (ESS); and

the access manager server is a part of the same ESS;

registering the client system with the access manager as a trusted partner to indicate that future authentications by the trusted partner within the ESS do not require a trusted third party, wherein the registering comprises;

sending a first cryptographic key to the client system; and

storing, at the access manager;

a second cryptographic key that is assigned to client system;

a trusted partner authentication scheme for the client system; and

a trusted partner identifier that identifies the client system;

receiving, by the access manager, and from the user device, a request to access the resource, wherein access to the resource is controlled at least in part by the client system;

determining, by the access manager, that the client system is part of the ESS and registered with the access manager as a trusted partner;

determining the trusted partner identifier for the client system;

accessing the second cryptographic key using the trusted partner identifier;

encrypting, by the access manager, a first encrypted token using the second cryptographic key, wherein;

encrypting the first encrypted token using the second cryptographic key indicates to the client system that the access manager is a trusted partner; and

the first encrypted token comprises a resource identifier that identifies the resource; and

sending, to the client system, and from the access manager, the first encrypted token;

receiving, by the access manager, and from the client device, a second encrypted token comprising a user identifier, wherein;

the second encrypted token signifies that the client system requested, received, and authenticated user credentials directly from the user device and that access to the resource has been granted by the client system; and

the user credentials are requested, received, and authenticated by the client system transparently such that the user device is not aware that an entity other than the access manager requested, received, and authenticated the user credentials;

determining whether the second encrypted token is received from a trusted partner by attempting to decrypt the second encrypted token using the second cryptographic key; and

if it is determined that the second encrypted token is received from a trusted partner, establishing, by the access manager, the communication session between the user device and the resource by asserting the user identifier.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of using an access manager server to establish a communication session between a resource and a user device may include receiving a request from the user device to access the resource, determining that the client system is registered as a trusted partner, sending the client system a first encrypted token that includes a resource identifier where the client system has access to a first cryptographic key that decrypts the first encrypted token. The method may also include receiving a second encrypted token that signifies that access to the resource has been granted by the client system where the second token comprises a user identifier and the access manager server has access to a second cryptographic key that decrypts the second token. The method may additionally include decrypting the second token and establishing the communication session between the user device and the resource using the user identifier.

8 Citations

View as Search Results

14 Claims

1. A method of using an access manager to establish a communication session between a resource and a user device, the method comprising:
- receiving, by the access manager, and from the client system, a registration transmission comprising a client system identifier, wherein;
  
  the client system comprises a software module that is a part of an Enterprise Software System (ESS); and
  
  the access manager server is a part of the same ESS;
  
  registering the client system with the access manager as a trusted partner to indicate that future authentications by the trusted partner within the ESS do not require a trusted third party, wherein the registering comprises;
  
  sending a first cryptographic key to the client system; and
  
  storing, at the access manager;
  
  a second cryptographic key that is assigned to client system;
  
  a trusted partner authentication scheme for the client system; and
  
  a trusted partner identifier that identifies the client system;
  
  receiving, by the access manager, and from the user device, a request to access the resource, wherein access to the resource is controlled at least in part by the client system;
  
  determining, by the access manager, that the client system is part of the ESS and registered with the access manager as a trusted partner;
  
  determining the trusted partner identifier for the client system;
  
  accessing the second cryptographic key using the trusted partner identifier;
  
  encrypting, by the access manager, a first encrypted token using the second cryptographic key, wherein;
  
  encrypting the first encrypted token using the second cryptographic key indicates to the client system that the access manager is a trusted partner; and
  
  the first encrypted token comprises a resource identifier that identifies the resource; and
  
  sending, to the client system, and from the access manager, the first encrypted token;
  
  receiving, by the access manager, and from the client device, a second encrypted token comprising a user identifier, wherein;
  
  the second encrypted token signifies that the client system requested, received, and authenticated user credentials directly from the user device and that access to the resource has been granted by the client system; and
  
  the user credentials are requested, received, and authenticated by the client system transparently such that the user device is not aware that an entity other than the access manager requested, received, and authenticated the user credentials;
  
  determining whether the second encrypted token is received from a trusted partner by attempting to decrypt the second encrypted token using the second cryptographic key; and
  
  if it is determined that the second encrypted token is received from a trusted partner, establishing, by the access manager, the communication session between the user device and the resource by asserting the user identifier.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1 further comprising:
    - receiving a second request from the user device to access a second resource, wherein access to the second resource is controlled at least in part by a second client system;
      
      determining that the second client system is registered with the access manager as a trusted partner;
      
      sending the second client system a third encrypted token;
      
      receiving from the second client system a fourth encrypted token, wherein the fourth encrypted token signifies that access to the second resource has been granted by the second client system;
      
      decrypting a the fourth encrypted token; and
      
      establishing a communication session between the user device and the second resource.
  - 3. The method of claim 1 further comprising redirecting the user device to the resource after the communication session has been established.
  - 4. The method of claim 1 wherein the first cryptographic key and the second cryptographic key comprise a same symmetric cryptographic key.
  - 5. The method of claim 1 wherein the first cryptographic key and the second cryptographic keys are each part of a public/private key pair.
  - 6. The method of claim 1 wherein the first encrypted token further comprises an authentication level.
  - 7. The method of claim 1 wherein the first encrypted token further comprises a time associated with the request.
  - 8. The method of claim 1 wherein the second encrypted token further comprises an email address.
  - 9. The method of claim 1 wherein the access manager is communicatively coupled to a fraud detection server.
  - 10. The method of claim 1 wherein the access manager is communicatively coupled to an identity management server.
  - 11. The method of claim 1 wherein the client system comprises a social network.

12. A non-transitory computer-readable memory having stored thereon a sequence of instructions which, when executed by one or more processors, causes the one or more processors to use an access manager to establish a communication session between a resource and a user device by:
- receiving, by the access manager, and from the client system, a registration transmission comprising a client system identifier, wherein;
  
  the client system comprises a software module that is a part of an Enterprise Software System (ESS); and
  
  the access manager server is a part of the same ESS;
  
  registering the client system with the access manager as a trusted partner to indicate that future authentications by the trusted partner within the ESS do not require a trusted third party, wherein the registering comprises;
  
  sending a first cryptographic key to the client system; and
  
  storing, at the access manager;
  
  a second cryptographic key that is assigned to client system;
  
  a trusted partner authentication scheme for the client system; and
  
  a trusted partner identifier that identifies the client system;
  
  receiving, by the access manager, and from the user device, a request to access the resource, wherein access to the resource is controlled at least in part by the client system;
  
  determining, by the access manager, that the client system is part of the ESS and registered with the access manager as a trusted partner;
  
  determining the trusted partner identifier for the client system;
  
  accessing the second cryptographic key using the trusted partner identifier;
  
  encrypting, by the access manager, a first encrypted token using the second cryptographic key, wherein;
  
  encrypting the first encrypted token using the second cryptographic key indicates to the client system that the access manager is a trusted partner; and
  
  the first encrypted token comprises a resource identifier that identifies the resource; and
  
  sending, to the client system, and from the access manager, the first encrypted token;
  
  receiving, by the access manager, and from the client device, a second encrypted token comprising a user identifier, wherein;
  
  the second encrypted token signifies that the client system requested, received, and authenticated user credentials directly from the user device and that access to the resource has been granted by the client system; and
  
  the user credentials are requested, received, and authenticated by the client system transparently such that the user device is not aware that an entity other than the access manager requested, received, and authenticated the user credentials;
  
  determining whether the second encrypted token is received from a trusted partner by attempting to decrypt the second encrypted token using the second cryptographic key; and
  
  if it is determined that the second encrypted token is received from a trusted partner, establishing, by the access manager, the communication session between the user device and the resource by asserting the user identifier.
- View Dependent Claims (14)
- - 14. The non-transitory computer-readable memory according to claim 12, wherein the instructions further cause the one or more processors to use an access manager to establish a communication session between a resource and a user device by redirecting the user device to the resource after the communication session has been established.

13. A system comprising:
- one or more processors; and
  
  a memory communicatively coupled with and readable by the one or more processors and having stored therein a sequence of instructions which, when executed by the on or more processors, cause the one or more processors to use an access manager to establish a communication session between a resource and a user device by;
  
  receiving, by the access manager, and from the client system, a registration transmission comprising a client system identifier, wherein;
  
  the client system comprises a software module that is a part of an Enterprise Software System (ESS); and
  
  the access manager server is a part of the same ESS;
  
  registering the client system with the access manager as a trusted partner to indicate that future authentications by the trusted partner within the ESS do not require a trusted third party, wherein the registering comprises;
  
  sending a first cryptographic key to the client system; and
  
  storing, at the access manager;
  
  a second cryptographic key that is assigned to client system;
  
  a trusted partner authentication scheme for the client system; and
  
  a trusted partner identifier that identifies the client system;
  
  receiving, by the access manager, and from the user device, a request to access the resource, wherein access to the resource is controlled at least in part by the client system;
  
  determining, by the access manager, that the client system is part of the ESS and registered with the access manager as a trusted partner;
  
  determining the trusted partner identifier for the client system;
  
  accessing the second cryptographic key using the trusted partner identifier;
  
  encrypting, by the access manager, a first encrypted token using the second cryptographic key, wherein;
  
  encrypting the first encrypted token using the second cryptographic key indicates to the client system that the access manager is a trusted partner; and
  
  the first encrypted token comprises a resource identifier that identifies the resource; and
  
  sending, to the client system, and from the access manager, the first encrypted token;
  
  receiving, by the access manager, and from the client device, a second encrypted token comprising a user identifier, wherein;
  
  the second encrypted token signifies that the client system requested, received, and authenticated user credentials directly from the user device and that access to the resource has been granted by the client system; and
  
  the user credentials are requested, received, and authenticated by the client system transparently such that the user device is not aware that an entity other than the access manager requested, received, and authenticated the user credentials;
  
  determining whether the second encrypted token is received from a trusted partner by attempting to decrypt the second encrypted token using the second cryptographic key; and
  
  if it is determined that the second encrypted token is received from a trusted partner, establishing, by the access manager, the communication session between the user device and the resource by asserting the user identifier.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Balakrishnan, Aarathi, Martin, Madhu, Chathath, Vikas Pooven
Primary Examiner(s)
Pwu, Jeffrey
Assistant Examiner(s)
Nipa, Wasika

Application Number

US13/686,543
Publication Number

US 20140149741A1
Time in Patent Office

679 Days
Field of Search

None
US Class Current

713/159
CPC Class Codes

G06F 21/335   for accessing specific reso...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 9/3213   using tickets or tokens, e....

Access management system using trusted partner tokens

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

8 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Access management system using trusted partner tokens

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

8 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links