Access management architecture

US 8,955,037 B2
Filed: 05/04/2012
Issued: 02/10/2015
Est. Priority Date: 05/11/2011
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

one or more central processing units;

an access metadata repository of access metadata objects, wherein each access metadata object of a plurality of access metadata objects in the access metadata repository describes data associated with access services;

input/output logic configured to receive, from a first application, a first access request for a security token associated with a second application;

service management logic configured to determine a first request type associated with the first access request;

normalization logic configured to generate a first normalized access request; and

component management logic configured to select a first functional component to satisfy at least a portion of the first normalized access request based at least in part on the first normalized access request and an access metadata object associated with the first request type, said component management logic further configured to cause the first functional component to generate a first token that authorizes the first application to make changes associated with the second application on behalf of a user of the first application.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An access management system architecture is provided. In one embodiment, the architecture comprises modular and decoupled components, which allow composability of heterogeneous solutions.

28 Citations

View as Search Results

20 Claims

1. A system, comprising:
- one or more central processing units;
  
  an access metadata repository of access metadata objects, wherein each access metadata object of a plurality of access metadata objects in the access metadata repository describes data associated with access services;
  
  input/output logic configured to receive, from a first application, a first access request for a security token associated with a second application;
  
  service management logic configured to determine a first request type associated with the first access request;
  
  normalization logic configured to generate a first normalized access request; and
  
  component management logic configured to select a first functional component to satisfy at least a portion of the first normalized access request based at least in part on the first normalized access request and an access metadata object associated with the first request type, said component management logic further configured to cause the first functional component to generate a first token that authorizes the first application to make changes associated with the second application on behalf of a user of the first application.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, wherein:
    - the component management logic is further configured to provide at least a portion of the first normalized access request to the first functional component; and
      
      the component management logic is further configured to cause the first functional component to generate at least a portion of a first response that conforms with the first request type associated with the first access request; and
      
      the service management logic is further configured to provide at least the portion of the first response to the first application.
  - 3. The system of claim 2, wherein:
    - the first application is a trusted application.
  - 4. The system of claim 3, wherein:
    - the input/output logic is further configured to receive a second access request from a second requesting entity, wherein the second access request includes a request for a security token associated with an identity provider;
      
      the normalization logic is further configured to generate a second normalized access request;
      
      the component management logic is further configured to cause the first functional component to generate a second token that authorizes access to the third application;
      
      wherein the first functional component is configured to generate the first taken in response to receiving at least a portion of the first normalized request; and
      
      wherein the first functional component is configured to generate the second token in response to receiving at least a portion of the second normalized request.
  - 5. The system of claim 1, wherein the request includes composite state information that identities a state associated with a first functional component and a state associated with a second functional component.
  - 6. The system of claim 1, further comprising:
    - an access policy repository configured to store access policy metadata for determining whether a request for access should be granted;
      
      a second functional component configured to generate a response that includes information associated with the access policy metadata to the first application in response to determining that the first normalized access request does not meet the criteria specified by the access policy metadata.
  - 7. The system of claim 1, wherein:
    - the input/output logic is further configured to receive a second access request from a second requesting entity;
      
      the service management logic is further configured to determine a second request type associated with the second access request;
      
      the normalization logic is further configured to generate a second normalized access request;
      
      the component management logic is further configured to select the first functional component to satisfy at least a portion of the second normalized access request based at least in part on the second normalized access request and an access metadata object associated with the second request type;
      
      the normalization logic is further configured to provide at least a portion of the second normalized access request to the first functional component; and
      
      the component management logic is further configured to cause the first functional component to generate at least a portion of a second response that conforms with second request type associated with the second access request; and
      
      the service management logic is further configured to provide at least the portion of the first response to the first application.

8. A method, comprising:
- maintaining an access metadata repository of access metadata objects, wherein each access metadata object of a plurality of access metadata objects in the access metadata repository describes data associated with access services;
  
  receiving, from a first application, a first access request for a security token associated with a second application;
  
  determining a first request type associated with the first access request;
  
  generating a first normalized access request;
  
  based at least in part on the first normalized access request and an access metadata object associated with the first request type, selecting a first functional component to satisfy at least a portion of the first normalized access request; and
  
  causing the first functional component to generate a first token that authorizes the first application to make changes associated with the second application on behalf of a user of the first application;
  
  wherein the method is performed by one or more computing devices.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8, further comprising:
    - providing at least a portion of the first normalized access request to the first functional component;
      
      generating at least a portion of a first response using the first functional component, the first response conforming with the first request type associated with the first access request; and
      
      providing at least the portion of the first response to the first application.
  - 10. The method of claim 9, wherein:
    - the first application is a trusted application.
  - 11. The method of claim 10, further comprising:
    - receiving a second access request from a second requesting entity, wherein the second access request includes a request for a security token associated with an identity provider;
      
      generating a second normalized access request;
      
      generating a second token that authorizes access to the third application;
      
      wherein the first token is generated by a token generation engine in response to receiving at least a portion of the first normalized request at the token generation engine;
      
      wherein the second token is generated by the token generation engine in response to receiving at least a portion of the second normalized request at the token generation engine.
  - 12. The method of claim 8, wherein the request includes composite state information that identifies a state associated with a first functional component and a state associated with a second functional component.
  - 13. The method of claim 8, further comprising:
    - maintaining an access policy repository that stores access policy metadata for determining whether a request for access should be granted;
      
      in response to determining that the first normalized access request does not meet the criteria specified by the access policy metadata, generating a response to the first application that includes information associated with the access policy metadata.
  - 14. The method of claim 8, further comprising:
    - receiving a second access request from a second requesting entity;
      
      determining a second request type associated with the second access request;
      
      generating a second normalized access request;
      
      based at least in part on the second normalized access request and an access metadata object associated with the second request type, selecting the first functional component to satisfy at least a portion of the second normalized access request;
      
      providing at least a portion of the second normalized access request to the first functional component;
      
      generating at least a portion of a second response using the first functional component, the second response conforming with the second request type associated with the second access request; and
      
      providing at least the portion of the first response to the first application.

15. A computer-readable non-transitory storage medium storing a plurality of instructions executable by one or more processors, the plurality of instructions comprising:
- maintaining an access metadata repository of access metadata objects, wherein each access metadata object of a plurality of access metadata objects in the access metadata repository describes data associated with access services;
  
  receiving, from a first application, a first access request for a security token associated with a second application;
  
  determining a first request type associated with the first access request;
  
  generating a first normalized access request;
  
  based at least in part on the first normalized access request and an access metadata object associated with the first request type, selecting a first functional component to satisfy at least a portion of the first normalized access request; and
  
  causing the first functional component to generate a first token that authorizes the first application to make changes associated with the second application on behalf of a user of the first application;
  
  wherein the method is performed by one or more computing devices.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer-readable non-transitory storage medium of claim 15, wherein the instructions further include instructions that cause the one or more processors to perform:
    - providing at least a portion of the first normalized access request to the first functional component;
      
      generating at least a portion of a first response using the first functional component, the first response conforming with the first request type associated with the first access request; and
      
      providing at least portion of the first response to the first application.
  - 17. The computer-readable non-transitory storage medium of claim 16, wherein:
    - the first application is a trusted application.
  - 18. The computer-readable non-transitory storage medium of claim 17, wherein the instructions further include instructions that cause the one or more processors to perform:
    - receiving a second access request from a second requesting entity, wherein the second access request includes a request for a security token associated with an identity provider;
      
      generating a second normalized access request;
      
      generating a second token that authorizes access to the third application;
      
      wherein the first token is generated by a token generation engine in response to receiving at least a portion of the first normalized request at the token generation engine;
      
      wherein the second token is generated by the token generation engine in response to receiving at least a portion of the second normalized request at the token generation engine.
  - 19. The computer-readable non-transitory storage medium of claim 15, wherein the request includes composite state information that identifies a state associated with a first functional component and a state associated with a second functional component.
  - 20. The computer-readable non-transitory storage medium of claim 15, wherein the instructions further include instructions that cause the one or more processors to perform:
    - receiving a second access request from a second requesting entity;
      
      determining a second request type associated with the second access request;
      
      generating a second normalized access request;
      
      based at least in part on the second normalized access request and an access metadata object associated with the second request type, selecting the first functional component to satisfy at least a portion of the second normalized access request;
      
      providing at least a portion of the second normalized access request to the first functional component;
      
      generating at least a portion of a second response using the first functional component, the second response conforming with the second request type associated with the second access request; and
      
      providing at least the portion of the first response to the first application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Srinivasan, Uppili, Motukuru, Vamsi, Turlapati, Ramana Rao S.
Primary Examiner(s)
BROWN, ANTHONY D

Application Number

US13/464,906
Publication Number

US 20120291090A1
Time in Patent Office

1,012 Days
Field of Search

726/1
US Class Current

726/1
CPC Class Codes

G06F 21/604 Tools and structures for ma...

G06F 21/6236 between heterogeneous systems

Access management architecture

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

28 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Access management architecture

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

28 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links