Managing authentication using common authentication framework circuitry

US 9,356,968 B1
Filed: 06/30/2014
Issued: 05/31/2016
Est. Priority Date: 06/30/2014
Status: Active Grant

First Claim

Patent Images

1. A method of managing user authentication via common authentication framework circuitry, the method comprising:

receiving, by the common authentication framework circuitry, authentication requests from client devices of users belonging to multiple enterprises, the authentication requests including user identifiers identifying the users belonging to the multiple enterprises;

accessing, by the common authentication framework circuitry, entries of an authentication policy database to select authentication policies for the authentication requests, selection of the authentication policies being based at least in part on the user identifiers of the authentication requests;

invoking, by the common authentication framework circuitry, authentication services in accordance with the selected authentication policies to perform user authentication operations in response to the authentication requests from the client devices;

wherein the common authentication framework circuitry (i) includes an authentication request queue to temporarily store the authentication requests and (ii) imposes a predefined sensitivity threshold as a measure of sensitivity; and

wherein the method further comprises;

receiving another authentication request from another client device of another user, the other authentication request including another user identifier which identifies the other user;

when an authentication request queue limit for the authentication request queue is not met, processing at least a portion of the other authentication request at a normal authentication service regardless of a sensitivity level of the other authentication request;

when (i) the authentication request queue limit for the authentication request queue is met and (ii) the sensitivity level of the other authentication request is greater than or equal to the predefined sensitivity threshold, processing at least a portion of the other authentication request at the normal authentication service; and

when (i) the authentication request queue limit for the authentication request queue is met and (ii) the sensitivity level of the other authentication request is less than the predefined sensitivity threshold, processing at least the portion of the other authentication request at a reserve authentication service which is different from the normal authentication service.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A technique manages user authentication via common authentication framework circuitry. The technique involves receiving, by the common authentication framework circuitry, authentication requests from client devices of users belonging to multiple enterprises, the authentication requests including user identifiers identifying the users belonging to the multiple enterprises. The technique further involves accessing, by the common authentication framework circuitry, entries of an authentication policy database to select authentication policies for the authentication requests. Selection of the authentication policies is based at least in part on the user identifiers of the authentication requests. The technique further involves invoking, by the common authentication framework circuitry, authentication services in accordance with the selected authentication policies to perform user authentication operations in response to the authentication requests from the client devices.

24 Citations

View as Search Results

20 Claims

1. A method of managing user authentication via common authentication framework circuitry, the method comprising:
- receiving, by the common authentication framework circuitry, authentication requests from client devices of users belonging to multiple enterprises, the authentication requests including user identifiers identifying the users belonging to the multiple enterprises;
  
  accessing, by the common authentication framework circuitry, entries of an authentication policy database to select authentication policies for the authentication requests, selection of the authentication policies being based at least in part on the user identifiers of the authentication requests;
  
  invoking, by the common authentication framework circuitry, authentication services in accordance with the selected authentication policies to perform user authentication operations in response to the authentication requests from the client devices;
  
  wherein the common authentication framework circuitry (i) includes an authentication request queue to temporarily store the authentication requests and (ii) imposes a predefined sensitivity threshold as a measure of sensitivity; and
  
  wherein the method further comprises;
  
  receiving another authentication request from another client device of another user, the other authentication request including another user identifier which identifies the other user;
  
  when an authentication request queue limit for the authentication request queue is not met, processing at least a portion of the other authentication request at a normal authentication service regardless of a sensitivity level of the other authentication request;
  
  when (i) the authentication request queue limit for the authentication request queue is met and (ii) the sensitivity level of the other authentication request is greater than or equal to the predefined sensitivity threshold, processing at least a portion of the other authentication request at the normal authentication service; and
  
  when (i) the authentication request queue limit for the authentication request queue is met and (ii) the sensitivity level of the other authentication request is less than the predefined sensitivity threshold, processing at least the portion of the other authentication request at a reserve authentication service which is different from the normal authentication service.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 20)
- - 2. A method as in claim 1 wherein the authentication requests further include enterprise identifiers identifying the multiple enterprises;
    - and wherein accessing the entries of the authentication policy database to select the authentication policies for the authentication requests includes;
      
      selecting authentication policies for the authentication requests based on (i) the user identifiers of the authentication requests and (ii) the enterprise identifiers of the authentication requests.
  - 3. A method as in claim 2 wherein receiving the authentication requests includes:
    - receiving a first authentication request from a first client device of a first user belonging to a first enterprise, the first authentication request including a first user identifier which identifies the first user and a first enterprise identifier which identifies the first enterprise, andreceiving a second authentication request from a second client device of a second user belonging to a second enterprise, the second authentication request including a second user identifier which identifies the second user and a second enterprise identifier which identifies the second enterprise, the first enterprise and the second enterprise being separate organizational entities; and
      
      wherein selecting the authentication policies for the authentication requests includes;
      
      for the first authentication request, choosing a first authentication policy from a plurality of authentication policies in the authentication policy database based on the first user identifier and the first enterprise identifier, andfor the second authentication request, choosing a second authentication policy from the plurality of authentication policies based on the second user identifier and the second enterprise identifier.
  - 4. A method as in claim 3 wherein invoking the authentication services in accordance with the selected authentication policies to perform user authentication operations in response to the authentication requests from the client devices includes:
    - in response to the first authentication request, identifying a first set of authentication services based on the first authentication policy and invoking the first set of authentication services to authenticate a current user of the first client device, andin response to the second authentication request, identifying a second set of authentication services based on the second authentication policy and invoking the second set of authentication services to authenticate a current user of the second client device.
  - 5. A method as in claim 4 wherein the common authentication framework circuitry is constructed and arranged to operate as a common policy engine having different authentication factor modules which connect to different authentication service sources through different identity provider connectors;
    - wherein invoking the first set of authentication services includes directing a first set of the authentication factor modules of the common policy engine to provide a first set of authentication factors from the current user of the first client device to a first set of authentication service sources via a first set of identity provider connectors to authenticate the current user of the first client device; and
      
      wherein invoking the second set of authentication services includes directing a second set of the authentication factor modules of the common policy engine to provide a second set of authentication factors from the current user of the second client device to a second set of authentication service sources via a second set of identity provider connectors to authenticate the current user of the second client device.
  - 6. A method as in claim 5 wherein at least one of the first set of authentication service sources is (i) co-located with the common policy engine and (ii) remote from the first client device.
  - 7. A method as in claim 5 wherein at least one of the first set of authentication service sources is located at a third party service provider location which is (i) remote from the common policy engine and (ii) remote from the first client device.
  - 8. A method as in claim 5 wherein at least one of the first set of authentication service sources (i) resides within the first client device and (ii) is remote from the common policy engine.
  - 9. A method as in claim 5 wherein a first authentication service source of the first set of authentication service sources is (i) co-located with the common policy engine and (ii) remote from the first client device;
    - wherein a second authentication service source of the first set of authentication service sources is located at a third party service provider location which is (i) remote from the common policy engine and (ii) remote from the first client device; and
      
      wherein a third authentication service source of the first set of authentication service sources (i) resides within the first client device and (ii) is remote from the common policy engine.
  - 20. A method as in claim 1, further comprising:
    - during operation of the common authentication framework circuitry, modifying the authentication request queue limit to change processing capacity of at least a portion of the common authentication framework circuitry.

10. A common authentication framework apparatus, comprising:
- a communications interface;
  
  memory which holds an authentication policy database; and
  
  control circuitry coupled to the communications interface and the memory, the memory storing instructions which, when carried out by the control circuitry, cause the control circuitry to;
  
  receive authentication requests from client devices of users belonging to multiple enterprises through the communications interface, the authentication requests including user identifiers identifying the users belonging to the multiple enterprises,access entries of the authentication policy database to select authentication policies for the authentication requests, selection of the authentication policies being based at least in part on the user identifiers of the authentication requests, andinvoke authentication services in accordance with the selected authentication policies to perform user authentication operations in response to the authentication requests from the client devices;
  
  wherein the control circuitry (i) includes an authentication request queue to temporarily store the authentication requests and (ii) imposes a predefined sensitivity threshold as a measure of sensitivity; and
  
  wherein the control circuitry is further constructed and arranged to;
  
  receive another authentication request from another client device of another user, the other authentication request including another user identifier which identifies the other user,when an authentication request queue limit for the authentication request queue is not met, process at least a portion of the other authentication request at a normal authentication service regardless of a sensitivity level of the other authentication request,when (i) the authentication request queue limit for the authentication request queue is met and (ii) the sensitivity level of the other authentication request is greater than or equal to the predefined sensitivity threshold, process at least a portion of the other authentication request at the normal authentication service, andwhen (i) the authentication request queue limit for the authentication request queue is met and (ii) the sensitivity level of the other authentication request is less than the predefined sensitivity threshold, process at least the portion of the other authentication request at a reserve authentication service which is different from the normal authentication service.
- View Dependent Claims (11, 12, 13, 14)
- - 11. A common authentication framework apparatus as in claim 10 wherein the authentication requests further include enterprise identifiers identifying the multiple enterprises;
    - and wherein the control circuitry, when accessing the entries of the authentication policy database to select the authentication policies for the authentication requests, is constructed and arranged to;
      
      select authentication policies for the authentication requests based on (i) the user identifiers of the authentication requests and (ii) the enterprise identifiers of the authentication requests.
  - 12. A common authentication framework apparatus as in claim 11 wherein the control circuitry, when receiving the authentication requests, is constructed and arranged to:
    - receive a first authentication request from a first client device of a first user belonging to a first enterprise, the first authentication request including a first user identifier which identifies the first user and a first enterprise identifier which identifies the first enterprise, andreceive a second authentication request from a second client device of a second user belonging to a second enterprise, the second authentication request including a second user identifier which identifies the second user and a second enterprise identifier which identifies the second enterprise, the first enterprise and the second enterprise being separate organizational entities; and
      
      wherein the control circuitry, when selecting the authentication policies for the authentication requests, is constructed and arranged to;
      
      for the first authentication request, choose a first authentication policy from a plurality of authentication policies in the authentication policy database based on the first user identifier and the first enterprise identifier, andfor the second authentication request, choose a second authentication policy from the plurality of authentication policies based on the second user identifier and the second enterprise identifier.
  - 13. A common authentication framework apparatus as in claim 12 wherein the control circuitry, when invoking the authentication services in accordance with the selected authentication policies to perform user authentication operations in response to the authentication requests from the client devices, is constructed and arranged to:
    - in response to the first authentication request, identify a first set of authentication services based on the first authentication policy and invoke the first set of authentication services to authenticate a current user of the first client device, andin response to the second authentication request, identify a second set of authentication services based on the second authentication policy and invoke the second set of authentication services to authenticate a current user of the second client device.
  - 14. A common authentication framework apparatus as in claim 13 wherein the control circuitry is constructed and arranged to operate as a common policy engine having different authentication factor modules which connect to different authentication service sources through different identity provider connectors;
    - wherein the control circuitry, when invoking the first set of authentication services, is constructed and arranged to direct a first set of the authentication factor modules of the common policy engine to provide a first set of authentication factors from the current user of the first client device to a first set of authentication service sources via a first set of identity provider connectors to authenticate the current user of the first client device; and
      
      wherein the control circuitry, when invoking the second set of authentication services, is constructed and arranged to direct a second set of the authentication factor modules of the common policy engine to provide a second set of authentication factors from the current user of the second client device to a second set of authentication service sources via a second set of identity provider connectors to authenticate the current user of the second client device.

15. A computer program product having a non-transitory computer readable medium which stores a set of instructions to manage user authentication, the set of instructions, when carried out by computerized circuitry, causing the computerized circuitry to perform a method of:
- receiving authentication requests from client devices of users belonging to multiple enterprises, the authentication requests including user identifiers identifying the users belonging to the multiple enterprises;
  
  accessing entries of an authentication policy database to select authentication policies for the authentication requests, selection of the authentication policies being based at least in part on the user identifiers of the authentication requests; and
  
  invoking authentication services in accordance with the selected authentication policies to perform user authentication operations in response to the authentication requests from the client devices;
  
  wherein the computerized circuitry (i) includes an authentication request queue to temporarily store the authentication requests and (ii) imposes a predefined sensitivity threshold as a measure of sensitivity; and
  
  wherein the method further comprises;
  
  receiving another authentication request from another client device of another user, the other authentication request including another user identifier which identifies the other user;
  
  when an authentication request queue limit for the authentication request queue is not met, processing at least a portion of the other authentication request at a normal authentication service regardless of a sensitivity level of the other authentication request;
  
  when (i) the authentication request queue limit for the authentication request queue is met and (ii) the sensitivity level of the other authentication request is greater than or equal to the predefined sensitivity threshold, processing at least a portion of the other authentication request at the normal authentication service; and
  
  when (i) the authentication request queue limit for the authentication request queue is met and (ii) the sensitivity level of the other authentication request is less than the predefined sensitivity threshold, processing at least the portion of the other authentication request at a reserve authentication service which is different from the normal authentication service.
- View Dependent Claims (16, 17, 18, 19)
- - 16. A computer program product as in claim 15 wherein the authentication requests further include enterprise identifiers identifying the multiple enterprises;
    - and wherein accessing the entries of the authentication policy database to select the authentication policies for the authentication requests includes;
      
      selecting authentication policies for the authentication requests based on (i) the user identifiers of the authentication requests and (ii) the enterprise identifiers of the authentication requests.
  - 17. A computer program product as in claim 16 wherein receiving the authentication requests includes:
    - receiving a first authentication request from a first client device of a first user belonging to a first enterprise, the first authentication request including a first user identifier which identifies the first user and a first enterprise identifier which identifies the first enterprise, andreceiving a second authentication request from a second client device of a second user belonging to a second enterprise, the second authentication request including a second user identifier which identifies the second user and a second enterprise identifier which identifies the second enterprise, the first enterprise and the second enterprise being separate organizational entities; and
18. A computer program product as in claim 17 wherein invoking the authentication services in accordance with the selected authentication policies to perform user authentication operations in response to the authentication requests from the client devices includes:
- in response to the first authentication request, identifying a first set of authentication services based on the first authentication policy and invoking the first set of authentication services to authenticate a current user of the first client device, andin response to the second authentication request, identifying a second set of authentication services based on the second authentication policy and invoking the second set of authentication services to authenticate a current user of the second client device.
19. A computer program product as in claim 18 wherein the computerized circuitry is constructed and arranged to operate as a common policy engine having different authentication factor modules which connect to different authentication service sources through different identity provider connectors;
- wherein invoking the first set of authentication services includes directing a first set of the authentication factor modules of the common policy engine to provide a first set of authentication factors from the current user of the first client device to a first set of authentication service sources via a first set of identity provider connectors to authenticate the current user of the first client device; and
  
  wherein invoking the second set of authentication services includes directing a second set of the authentication factor modules of the common policy engine to provide a second set of authentication factors from the current user of the second client device to a second set of authentication service sources via a second set of identity provider connectors to authenticate the current user of the second client device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
EMC Corporation (Dell Technologies Inc.)
Inventors
Bruk, Vadim, Luke, Andrew, Dotan, Yedidya, Alikhani, Kayvan, Emami-Nouri, Mohsen, Friedman, Lawrence N.
Primary Examiner(s)
Abrishamkar, Kaveh
Assistant Examiner(s)
Alata, Ayoub

Application Number

US14/318,987
Time in Patent Office

701 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/10   Protecting distributed prog...

G06F 21/30   Authentication, i.e. establ...

G06F 21/31   User authentication

G06F 21/45   Structures or tools for the...

H04L 63/08   for authentication of entit...

H04L 63/083   using passwords cryptograph...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

H04L 9/10   with particular housing, ph...

H04L 9/32   including means for verifyi...

H04L 9/321   involving a third party or ...

H04L 9/3226   using a predetermined code,...

Managing authentication using common authentication framework circuitry

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

24 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Managing authentication using common authentication framework circuitry

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

24 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links