Configurable adaptive access manager callouts

US 9,531,697 B2
Filed: 04/30/2014
Issued: 12/27/2016
Est. Priority Date: 09/29/2011
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

storing, at an authorization server computer, a mapping between an adaptive access manager and an identity domain of a plurality of identity domains;

receiving, at the authorization server computer, an authentication request for a user associated with the identity domain, wherein the authentication request includes one or more attributes, the one or more attributes identifying a source by which the authentication request was communicated;

in response to receiving the authentication request, determining, based on the mapping, that the adaptive access manager is associated with the identity domain with which the user is associated;

in response to determining that the adaptive access manager is associated with the identity domain with which the user is associated, applying an identity domain-specific policy of the identity domain to the authentication request based on the one or more attributes of the authentication request;

determining, based on applying the identity domain-specific policy to the authentication request, whether to call the adaptive access manager to determine a process for authenticating the user for the authentication request;

upon determining to call the adaptive access manager, sending, at the authorization server computer, a request to the adaptive access manager for information defining an authentication process for authenticating the user for the authentication request;

receiving, at the authorization server computer, from the adaptive access manager, a response including the information defining the authentication process;

determining, based on the information defining the authentication process, to perform a different authentication process, the different authentication process being distinct from a standard authentication process to authenticate the user for the authentication request; and

in response to determining to perform the different authentication process, the authorization server computer performing the different authentication process to authenticate the user for the authentication request.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A framework, which conforms to the OAuth standard, involves a generic OAuth authorization server that can be used by multiple resource servers in order to ensure that access to resources stored on those resource servers is limited to access to which the resource owner consents. Each resource server registers, with the OAuth authorization server, metadata for that resource server, indicating scopes that are recognized by the resource server. The OAuth authorization server refers to this metadata when requesting consent from a resource owner on behalf of a client application, so that the consent will be of an appropriate scope. The OAuth authorization server refers to this metadata when constructing an access token to provide to the client application for use in accessing the resources on the resource server. The OAuth authorization server uses this metadata to map issued access tokens to the scopes to which those access tokens grant access.

Citations

20 Claims

1. A computer-implemented method comprising:
- storing, at an authorization server computer, a mapping between an adaptive access manager and an identity domain of a plurality of identity domains;
  
  receiving, at the authorization server computer, an authentication request for a user associated with the identity domain, wherein the authentication request includes one or more attributes, the one or more attributes identifying a source by which the authentication request was communicated;
  
  in response to receiving the authentication request, determining, based on the mapping, that the adaptive access manager is associated with the identity domain with which the user is associated;
  
  in response to determining that the adaptive access manager is associated with the identity domain with which the user is associated, applying an identity domain-specific policy of the identity domain to the authentication request based on the one or more attributes of the authentication request;
  
  determining, based on applying the identity domain-specific policy to the authentication request, whether to call the adaptive access manager to determine a process for authenticating the user for the authentication request;
  
  upon determining to call the adaptive access manager, sending, at the authorization server computer, a request to the adaptive access manager for information defining an authentication process for authenticating the user for the authentication request;
  
  receiving, at the authorization server computer, from the adaptive access manager, a response including the information defining the authentication process;
  
  determining, based on the information defining the authentication process, to perform a different authentication process, the different authentication process being distinct from a standard authentication process to authenticate the user for the authentication request; and
  
  in response to determining to perform the different authentication process, the authorization server computer performing the different authentication process to authenticate the user for the authentication request.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The computer-implemented method of claim 1, wherein performing the different authentication process includes sending a request for the user to provide a response to one or more challenge questions that are not asked for authentication according to the standard authentication process.
  - 3. The computer-implemented method of claim 1, wherein performing the different authentication process includes sending a request for the user to supply a code that was sent prior to the request to a device associated with the user.
  - 4. The computer-implemented method of claim 1, wherein performing the different authentication process includes performing one or more types of authentication operations specified in the response.
  - 5. The computer-implemented method of claim 1, wherein applying the identity domain-specific policy to the one or more attributes includes determining that the source is a type of device that satisfies the identity domain-specific policy, and wherein the adaptive access manager is called based on determining that the source is the type of device that satisfies the identity domain-specific policy.
  - 6. The computer-implemented method of claim 1, wherein the sending the request to the adaptive access manager includes the one or more attributes, and wherein the adaptive access manager determines the authentication process based on the one or more attributes.
  - 7. The computer-implemented method of claim 1, wherein the authentication process is determined based on an access profile for the user, the access profile indicating access history based on one or more previous authentication requests.
  - 8. The computer-implemented method of claim 1, wherein the adaptive access manager is one of a plurality of adaptive access managers, wherein each of the plurality of adaptive access managers is associated with a different one of the plurality of identity domains;
    - andwherein the determining that the adaptive access manager is associated with the identity domain with which the user is associated includes;
      
      determining that the adaptive access manager is a first adaptive access manager in the plurality of adaptive access managers based on the identity domain of the user matching a first identity domain associated with the first adaptive access manager, wherein the first identity domain is one of the plurality of identity domains.
  - 9. The computer-implemented method of claim 1, wherein the authorization server computer and the adaptive access manager are included in a cloud computing system.

10. A computer-readable memory comprising instructions which, when executed by one or more processors, cause the one or more processors to perform:
- storing, at an authorization server computer, a mapping between an adaptive access manager and an identity domain of a plurality of identity domains;
  
  receiving, at the authorization server computer, an authentication request for a user associated with the identity domain, wherein the authentication request includes one or more attributes, the one or more attributes identifying a source by which the authentication request was communicated;
  
  in response to receiving the authentication request, determining, based on the mapping, that the adaptive access manager is associated with the identity domain with which the user is associated;
  
  in response to determining that the first adaptive access manager is associated with the identity domain with which the user is associated, applying an identity domain-specific policy of the identity domain to the authentication request based on the one or more attributes of the authentication request;
  
  determining, based on applying the identity domain-specific policy to the authentication request, whether to call the adaptive access manager to determine a process for authenticating the user for the authentication request;
  
  upon determining to call the adaptive access manager, sending, at the authorization server computer, a request to the adaptive access manager for information defining an authentication process for authenticating the user for the authentication request;
  
  receiving, at the authorization server computer, from the adaptive access manager, a response including the information defining the authentication process;
  
  determining, based on the information defining the authentication process, to perform a different authentication process, the different authentication process being distinct from a standard authentication process to authenticate the user for the authentication request; and
  
  in response to determining to perform the different authentication process, the authorization server computer performing the different authentication process to authenticate the user for the authentication request.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The computer-readable memory of claim 10, wherein performing the different authentication process includes sending a request for the user to provide a response to one or more challenge questions that are not asked for authentication according to the standard authentication process.
  - 12. The computer-readable memory of claim 10, wherein performing the different authentication process includes sending a request for the user to supply a code that was sent prior to the request to a device associated with the user.
  - 13. The computer-readable memory of claim 10, wherein performing the different authentication process includes performing one or more types of authentication operations specified in the response.
  - 14. The computer-readable memory of claim 10, wherein the one or more attributes further identify an identity of the user.
  - 15. The computer-readable memory of claim 10, wherein the authorization server computer and the adaptive access manager are included in an enterprise computing system.

16. A system comprising:
- a first machine that includes a first adaptive access manager; and
  
  a second machine that includes an authorization server that is configured to;
  
  store a first mapping between the first adaptive access manager and a first identity domain of a plurality of identity domains;
  
  receive a first authentication request from a first user associated with the first identity domain, wherein the first authentication request includes one or more attributes, the one or more attributes identifying a source by which the first authentication request was communicated;
  
  determine, in response to receiving the first authentication request, and based on the first mapping, that the first user is associated with the first identity domain;
  
  in response to determining that the first user is associated with the first identity domain, apply a first identity domain-specific policy of the first identity domain to the first authentication request based on the one or more attributes of the first authentication request;
  
  determine, based on applying the first identity domain-specific policy to the first authentication request, whether to call the first adaptive access manager to determine a process for authenticating the first user for the first authentication request;
  
  upon determining to call the first adaptive access manager, send a first request to the first adaptive access manager for information defining a first authentication process for authenticating the first user for the first authentication request;
  
  receive, from the first adaptive access manager, a first response including the information defining the first authentication process;
  
  determine, based on the information defining the first authentication process, to perform a different authentication process, the different authentication process being distinct from a standard authentication process to authenticate the first user for the first authentication request; and
  
  in response to determining to perform the different authentication process, perform the different authentication process to authenticate the first user for the first authentication request.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The system of claim 16, wherein performing the different authentication process includes sending a request for the first user to provide a response to one or more challenge questions that are not asked for authentication according to the standard authentication process.
  - 18. The system of claim 16, wherein performing the different authentication process includes sending a request for the first user to supply a code that was sent prior to the request to a device associated with the first user.
  - 19. The system of claim 16, wherein performing the different authentication process includes performing one or more types of authentication operations specified in the first response.
  - 20. The system of claim 16, further comprising:
    - a third machine that includes a second adaptive access manager, and wherein the authorization server is configured to;
      
      store a second mapping between the second adaptive access manager and a second identity domain of the plurality of identity domains;
      
      receive a second authentication request from a second user associated with the second identity domain, wherein the second authentication request includes an attribute;
      
      determine, in response to receiving the second authentication request, and based on the second mapping, that the second user is associated with the second identity domain;
      
      in response to determining that the second user is associated with the second identity domain, apply a second identity domain-specific policy of the second identity domain with which the second user is associated to the attribute of the second authorization authentication request;
      
      determine, based on applying the second identity domain-specific policy to the attribute, whether to call the second adaptive access manager to determine a second authentication process for authenticating the second user for the second authentication request;
      
      upon determining to call the second adaptive access manager, sending a second request to the second adaptive access manager for information defining the standard authentication process for authenticating the second user for the second authentication request;
      
      receive, from the second adaptive access manager, a second response that indicates the second authentication process including the information defining the standard authentication process; and
      
      in response to receiving the second response, perform the standard authentication process to authenticate the second user for the second authentication request;
      
      wherein the second adaptive access manager differs from the first adaptive access manager; and
      
      wherein the second identity domain is separate from the first identity domain.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Sondhi, Ajay, Bhat, Shivaram, Hingarajiya, Ravi
Primary Examiner(s)
King, John B

Application Number

US14/266,496
Publication Number

US 20150089570A1
Time in Patent Office

972 Days
Field of Search

726 3- 7, 726/10, 726/28, 713/168, 713/173, 713/175, 713/185
US Class Current

1/1
CPC Class Codes

G06F 2221/2103   Challenge-response

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/0853   using an additional device,...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

H04L 63/205   involving negotiation or de...

H04W 12/06   Authentication

Configurable adaptive access manager callouts

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Configurable adaptive access manager callouts

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links