Managing authentication using common authentication framework circuitry
First Claim
1. A method of managing user authentication via common authentication framework circuitry, the method comprising:
receiving, by the common authentication framework circuitry, authentication requests from client devices of users belonging to multiple enterprises, the authentication requests including user identifiers identifying the users belonging to the multiple enterprises;
accessing, by the common authentication framework circuitry, entries of an authentication policy database to select authentication policies for the authentication requests, selection of the authentication policies being based at least in part on the user identifiers of the authentication requests;
invoking, by the common authentication framework circuitry, authentication services in accordance with the selected authentication policies to perform user authentication operations in response to the authentication requests from the client devices;
wherein the common authentication framework circuitry (i) includes an authentication request queue to temporarily store the authentication requests and (ii) imposes a predefined sensitivity threshold as a measure of sensitivity; and
wherein the method further comprises:
receiving another authentication request from another client device of another user, the other authentication request including another user identifier which identifies the other user;
when an authentication request queue limit for the authentication request queue is not met, processing at least a portion of the other authentication request at a normal authentication service regardless of a sensitivity level of the other authentication request;
when (i) the authentication request queue limit for the authentication request queue is met and (ii) the sensitivity level of the other authentication request is greater than or equal to the predefined sensitivity threshold, processing at least a portion of the other authentication request at the normal authentication service; and
when (i) the authentication request queue limit for the authentication request queue is met and (ii) the sensitivity level of the other authentication request is less than the predefined sensitivity threshold, processing at least the portion of the other authentication request at a reserve authentication service which is different from the normal authentication service.
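The policy selection and queue-overflow routing recited in claim 1, sketched as an added example that is not code from the patent. The class and field names, the policy entries, the numeric sensitivity scale, the per-enterprise default entry, and the fail-closed behaviour on a missing policy are all assumptions made for illustration.

```python
from collections import deque
from dataclasses import dataclass

# Constructed policy database: (enterprise_id, user_id) -> policy.
# A user_id of None is an assumed per-enterprise default entry.
POLICY_DB = {
    ("acme", None): {"factors": ["password"]},
    ("acme", "alice"): {"factors": ["password", "otp"]},
    ("globex", None): {"factors": ["password", "biometric"]},
}

@dataclass
class AuthRequest:
    enterprise_id: str
    user_id: str
    sensitivity: int  # assumed numeric scale, higher = more sensitive

class CommonAuthFramework:
    def __init__(self, queue_limit, sensitivity_threshold):
        self.queue = deque()  # authentication request queue
        self.queue_limit = queue_limit
        self.sensitivity_threshold = sensitivity_threshold

    def select_policy(self, req):
        # Most specific entry first; fail closed when no policy matches.
        for key in ((req.enterprise_id, req.user_id), (req.enterprise_id, None)):
            if key in POLICY_DB:
                return POLICY_DB[key]
        raise LookupError(f"no authentication policy for {req.enterprise_id}/{req.user_id}")

    def route(self, req):
        if len(self.queue) < self.queue_limit:
            return "normal"   # limit not met: sensitivity is ignored
        if req.sensitivity >= self.sensitivity_threshold:
            return "normal"   # limit met, but at or above the threshold
        return "reserve"      # limit met and below the threshold

    def submit(self, req):
        policy = self.select_policy(req)   # rejected before it can occupy a queue slot
        service = self.route(req)
        if service == "normal":
            self.queue.append(req)         # only normal-service work fills the queue
        return service, policy["factors"]
```

Because requests at or above the threshold are never diverted, the queue in this sketch can grow past the limit; a deployment would need its own bound or drain rate for that traffic.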
Abstract
A technique manages user authentication via common authentication framework circuitry. The technique involves receiving, by the common authentication framework circuitry, authentication requests from client devices of users belonging to multiple enterprises, the authentication requests including user identifiers identifying the users belonging to the multiple enterprises. The technique further involves accessing, by the common authentication framework circuitry, entries of an authentication policy database to select authentication policies for the authentication requests. Selection of the authentication policies is based at least in part on the user identifiers of the authentication requests. The technique further involves invoking, by the common authentication framework circuitry, authentication services in accordance with the selected authentication policies to perform user authentication operations in response to the authentication requests from the client devices.
20 Claims
10. A common authentication framework apparatus, comprising:
a communications interface;
memory which holds an authentication policy database; and
control circuitry coupled to the communications interface and the memory, the memory storing instructions which, when carried out by the control circuitry, cause the control circuitry to:
receive authentication requests from client devices of users belonging to multiple enterprises through the communications interface, the authentication requests including user identifiers identifying the users belonging to the multiple enterprises,
access entries of the authentication policy database to select authentication policies for the authentication requests, selection of the authentication policies being based at least in part on the user identifiers of the authentication requests, and
invoke authentication services in accordance with the selected authentication policies to perform user authentication operations in response to the authentication requests from the client devices;
wherein the control circuitry (i) includes an authentication request queue to temporarily store the authentication requests and (ii) imposes a predefined sensitivity threshold as a measure of sensitivity; and
wherein the control circuitry is further constructed and arranged to:
receive another authentication request from another client device of another user, the other authentication request including another user identifier which identifies the other user,
when an authentication request queue limit for the authentication request queue is not met, process at least a portion of the other authentication request at a normal authentication service regardless of a sensitivity level of the other authentication request,
when (i) the authentication request queue limit for the authentication request queue is met and (ii) the sensitivity level of the other authentication request is greater than or equal to the predefined sensitivity threshold, process at least a portion of the other authentication request at the normal authentication service, and
when (i) the authentication request queue limit for the authentication request queue is met and (ii) the sensitivity level of the other authentication request is less than the predefined sensitivity threshold, process at least the portion of the other authentication request at a reserve authentication service which is different from the normal authentication service.
15. A computer program product having a non-transitory computer readable medium which stores a set of instructions to manage user authentication, the set of instructions, when carried out by computerized circuitry, causing the computerized circuitry to perform a method of:
receiving authentication requests from client devices of users belonging to multiple enterprises, the authentication requests including user identifiers identifying the users belonging to the multiple enterprises;
accessing entries of an authentication policy database to select authentication policies for the authentication requests, selection of the authentication policies being based at least in part on the user identifiers of the authentication requests; and
invoking authentication services in accordance with the selected authentication policies to perform user authentication operations in response to the authentication requests from the client devices;
wherein the computerized circuitry (i) includes an authentication request queue to temporarily store the authentication requests and (ii) imposes a predefined sensitivity threshold as a measure of sensitivity; and
wherein the method further comprises:
receiving another authentication request from another client device of another user, the other authentication request including another user identifier which identifies the other user;
when an authentication request queue limit for the authentication request queue is not met, processing at least a portion of the other authentication request at a normal authentication service regardless of a sensitivity level of the other authentication request;
when (i) the authentication request queue limit for the authentication request queue is met and (ii) the sensitivity level of the other authentication request is greater than or equal to the predefined sensitivity threshold, processing at least a portion of the other authentication request at the normal authentication service; and
when (i) the authentication request queue limit for the authentication request queue is met and (ii) the sensitivity level of the other authentication request is less than the predefined sensitivity threshold, processing at least the portion of the other authentication request at a reserve authentication service which is different from the normal authentication service.
wherein selecting the authentication policies for the authentication requests includes; for the first authentication request, choosing a first authentication policy from a plurality of authentication policies in the authentication policy database based on the first user identifier and the first enterprise identifier, and for the second authentication request, choosing a second authentication policy from the plurality of authentication policies based on the second user identifier and the second enterprise identifier.
18. A computer program product as in claim 17 wherein invoking the authentication services in accordance with the selected authentication policies to perform user authentication operations in response to the authentication requests from the client devices includes:
in response to the first authentication request, identifying a first set of authentication services based on the first authentication policy and invoking the first set of authentication services to authenticate a current user of the first client device, and
in response to the second authentication request, identifying a second set of authentication services based on the second authentication policy and invoking the second set of authentication services to authenticate a current user of the second client device.
19. A computer program product as in claim 18 wherein the computerized circuitry is constructed and arranged to operate as a common policy engine having different authentication factor modules which connect to different authentication service sources through different identity provider connectors;
wherein invoking the first set of authentication services includes directing a first set of the authentication factor modules of the common policy engine to provide a first set of authentication factors from the current user of the first client device to a first set of authentication service sources via a first set of identity provider connectors to authenticate the current user of the first client device; and
wherein invoking the second set of authentication services includes directing a second set of the authentication factor modules of the common policy engine to provide a second set of authentication factors from the current user of the second client device to a second set of authentication service sources via a second set of identity provider connectors to authenticate the current user of the second client device.