Virtualized data storage and management of policy and credential data sources

US 9,722,990 B2
Filed: 09/22/2014
Issued: 08/01/2017
Est. Priority Date: 09/20/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

providing, by a computer system implemented as a data manager, to one or more single sign-on services, an interface for accessing a plurality of storage systems, wherein the plurality of storage systems includes a first storage system having a first type of storage system and a second storage system having a second type of storage system, and wherein the first type of storage system is different from the second type of storage system;

receiving a data request, at the computer system, for a credential from a single sign-on service of the one or more single sign-on services, wherein the credential is stored at one of the plurality of storage systems, and wherein the data request includes one or more criteria for obtaining the credential for the single sign-on service;

identifying, at the computer system, one or more credential criteria in the data request based on the one or more criteria, wherein the one or more credential criteria are generated for the credential;

identifying a storage system associated with the data request based on the one or more credential criteria identified in the data request based on the one or more criteria;

selecting, from a plurality of plug-ins, a plug-in corresponding to the identified storage system, wherein each of the plurality of plug-ins correspond to a different one of the plurality of storage systems, wherein the plurality of plug-ins includes a first plug-in and a second plug-in, wherein the first plug-in that corresponds to the first type of storage system is implemented to convert the data request according to the first type of storage system, and wherein the second plug-in that corresponds to the second type of storage system is implemented to convert the data request according to the second type of storage system;

retrieving data associated with the data request from the identified storage system using the selected plug-in corresponding to the identified storage system; and

sending, to the single sign-on service for which the data request is received, the data associated with the data request.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Web-based single sign-on can enable a user to log in to a single interface (such as through a web browser or thin client) and then provide SSO services to the user for one or more web applications. The web-based SSO system can be extended to support one or more different access control methods, such as form-fill, Federated (OIF), SSO Protected (OAM), and other policies. The web-based SSO system can include a user interface through which the user can access different web applications, systems, etc. and manage their credentials. Each SSO service can be associated with a web interface allowing the SSO services to be accessed over the web. The web interfaces can provide CRUD (create, read, update, delete) functionality for each SSO service. To support different access policy types, the web-based SSO system can include an extensible data manager that can manage data access to different types of repositories transparently.

Citations

20 Claims

1. A method comprising:
- providing, by a computer system implemented as a data manager, to one or more single sign-on services, an interface for accessing a plurality of storage systems, wherein the plurality of storage systems includes a first storage system having a first type of storage system and a second storage system having a second type of storage system, and wherein the first type of storage system is different from the second type of storage system;
  
  receiving a data request, at the computer system, for a credential from a single sign-on service of the one or more single sign-on services, wherein the credential is stored at one of the plurality of storage systems, and wherein the data request includes one or more criteria for obtaining the credential for the single sign-on service;
  
  identifying, at the computer system, one or more credential criteria in the data request based on the one or more criteria, wherein the one or more credential criteria are generated for the credential;
  
  identifying a storage system associated with the data request based on the one or more credential criteria identified in the data request based on the one or more criteria;
  
  selecting, from a plurality of plug-ins, a plug-in corresponding to the identified storage system, wherein each of the plurality of plug-ins correspond to a different one of the plurality of storage systems, wherein the plurality of plug-ins includes a first plug-in and a second plug-in, wherein the first plug-in that corresponds to the first type of storage system is implemented to convert the data request according to the first type of storage system, and wherein the second plug-in that corresponds to the second type of storage system is implemented to convert the data request according to the second type of storage system;
  
  retrieving data associated with the data request from the identified storage system using the selected plug-in corresponding to the identified storage system; and
  
  sending, to the single sign-on service for which the data request is received, the data associated with the data request.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the interface is a first interface, wherein the data request is received through the first interface, wherein the data request is converted by the selected plug-in corresponding to the identified storage system, and wherein the method further comprises:
    - sending the converted data request to the identified storage system through a second interface to retrieve the data associated with the data request, wherein the converted data request includes one or more operations that are specific to the identified storage system.
  - 3. The method of claim 2,wherein retrieving the data includes receiving a response from the identified storage system through the second interface, wherein the response includes the credential;
    - andwherein the method further includes;
      
      encrypting at least a portion of the credential; and
      
      reformatting the response based on the first interface and returning the response through the first interface.
  - 4. The method of claim 1, further comprising:
    - receiving a new plug-in associated with a new storage system from a client device of a user; and
      
      adding the new plug-in to a service provider interface.
  - 5. The method of claim 1, wherein the identified storage system is the first storage system, wherein the data request is a first data request, wherein the selected plug-in is a first plug-in, and wherein the method further comprises:
    - receiving a second data request, at the computer system, for a policy associated with an application;
      
      identifying the second storage system associated with the second data request;
      
      selecting, from the plurality of plug-ins, a second plug-in corresponding to the second identified storage system; and
      
      retrieving one or more policies associated with the application from the second identified storage system using the second selected plug-in corresponding to the second identified storage system.
  - 6. The method of claim 5, wherein the interface is a first interface, wherein the second data request is received through the first interface, wherein the second data request is converted by the second selected plug-in corresponding to the second identified storage system, and wherein the method further comprises:
    - sending the second converted data request to the second identified storage system through a second interface to retrieve at least one policy responsive to the second data request, wherein the second converted data request includes one or more operations that are specific to the second identified storage system.
  - 7. The method of claim 6, further comprising:
    - receiving a response from the second identified storage system through the second interface, wherein the response includes the policy; and
      
      reformatting the response based on the first interface and returning the response through the first interface.

8. A non-transitory computer-readable medium storing instructions executable by a processor of a computer system for performing a method, the method comprising:
- providing to one or more single sign-on services, an interface for accessing a plurality of storage systems, wherein the plurality of storage systems includes a first storage system having a first type of storage system and a second storage system having a second type of storage system, and wherein the first type of storage system is different from the second type of storage system;
  
  receiving a data request for a credential from a single sign-on service of the one or more single sign-on services, wherein the credential is stored at one of the plurality of storage systems, and wherein the data request includes one or more criteria for obtaining the credential for the single sign-on service;
  
  identifying, at the computer system, one or more credential criteria in the data request based on the one or more criteria, wherein the one or more credential criteria are generated for the credential;
  
  identifying a storage system associated with the data request based on the one or more credential criteria identified in the data request based on the one or more criteria;
  
  selecting, from a plurality of plug-ins, a plug-in corresponding to the identified storage system, wherein each of the plurality of plug-ins correspond to a different one of the plurality of storage systems, wherein the plurality of plug-ins includes a first plug-in and a second plug-in, wherein the first plug-in that corresponds to the first type of storage system is implemented to convert the data request according to the first type of storage system, and wherein the second plug-in that corresponds to the second type of storage system is implemented to convert the data request according to the second type of storage system;
  
  retrieving data associated with the data request from the identified storage system using the selected plug-in corresponding to the identified storage system; and
  
  sending, to the single sign-on service for which the data request is received, the data associated with the data request.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The non-transitory computer-readable medium of claim 8, wherein the interface is a first interface, wherein the data request is received through the first interface, wherein the data request is converted by the selected plug-in corresponding to the identified storage system, and wherein the method further comprises:
    - sending the converted data request to the identified storage system through a second interface to retrieve the data associated with the data request, wherein the converted data request includes one or more operations that are specific to the identified storage system.
  - 10. The non-transitory computer-readable medium of claim 9:
    - wherein retrieving the data includes receiving a response from the identified storage system through the second interface, wherein the response includes the credential; and
      
      wherein the method further includes;
      
      encrypting at least a portion of the credential; and
      
      reformatting the response based on the first interface and returning the response through the first interface.
  - 11. The non-transitory computer-readable medium of claim 8, wherein the method further comprises:
    - receiving a new plug-in associated with a new storage system from a client device of a user; and
      
      adding the new plug-in to a service provider interface.
  - 12. The non-transitory computer-readable medium of claim 8, wherein the identified storage system is a first storage system, wherein the data request is a first data request, wherein the selected plug-in is the first plug-in, and wherein the method further comprises:
    - receiving a second data request for a policy associated with an application;
      
      identifying the second storage system associated with the second data request;
      
      selecting, from the plurality of plug-ins, a second plug-in corresponding to the second identified storage system; and
      
      retrieving one or more policies associated with the application from the second identified storage system using the second selected plug-in corresponding to the second identified storage system.
  - 13. The non-transitory computer-readable medium of claim 12, wherein the interface is a first interface, wherein the second data request is received through the first interface, wherein the second data request is converted by the second selected plug-in corresponding to the second identified storage system, and wherein the method further comprises:
    - sending the second converted data request to the second identified storage system through a second interface to retrieve at least one policy responsive to the second data request, wherein the second converted data request includes one or more operations that are specific to the second identified storage system.
  - 14. The non-transitory computer-readable medium of claim 13, wherein the method further comprises:
    - receiving a response from the second identified storage system through the second interface, wherein the response includes the policy; and
      
      reformatting the response based on the first interface and returning the response through the first interface.

15. A system comprising:
- at least one processor; and
  
  a memory accessible to the at least one processor, the memory storing one or more instructions which, upon execution by the at least one processor, causes the at least one processor to perform operations for;
  
  providing, to one or more single sign-on services, an interface for accessing a plurality of storage systems, wherein the plurality of storage systems includes a first storage system having a first type of storage system and a second storage system having a second type of storage system, and wherein the first type of storage system is different from the second type of storage system;
  
  receiving a data request for a credential from a single sign-on service of the one or more single sign-on services, wherein the credential is stored at one of the plurality of storage systems, and wherein the data request includes one or more criteria for obtaining the credential for the single sign-on service;
  
  identifying one or more credential criteria in the data request based on the one or more criteria, wherein the one or more credential criteria are generated for the credential;
  
  identifying a storage system associated with the data request based on the one or more credential criteria identified in the data request based on the one or more criteria;
  
  selecting, from a plurality of plug-ins, a plug-in corresponding to the identified storage system, wherein each of the plurality of plug-ins correspond to a different one of the plurality of storage systems, wherein the plurality of plug-ins includes a first plug-in and a second plug-in, wherein the first plug-in that corresponds to the first type of storage system is implemented to convert the data request according to the first type of storage system, and wherein the second plug-in that corresponds to the second type of storage system is implemented to convert the data request according to the second type of storage system;
  
  retrieving data associated with the data request from the identified storage system using the selected plug-in corresponding to the identified storage system; and
  
  sending, to the single sign-on service for which the data request is received, the data associated with the data request.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, wherein the interface is a first interface, wherein the data request is received through the first interface, wherein the data request is converted by the selected plug-in corresponding to the identified storage system;
    - and wherein the at least one processor further executes compute code stored in the memory for;
      
      sending the converted data request to the identified storage system through a second interface to retrieve the data associated with the data request, wherein the converted data request includes one or more operations that are specific to the identified storage system.
  - 17. The system of claim 16:
    - wherein retrieving the data includes receiving a response from the identified storage system through the second interface, wherein the response includes the credential; and
      
      wherein the at least one processor further executes compute code stored in the memory for;
      
      encrypting at least a portion of the credential; and
      
      reformatting the response based on the first interface and returning the response through the first interface.
  - 18. The system of claim 15 wherein the at least one processor further executes compute code stored in the memory for:
    - receiving a new plug-in associated with a new storage system from a client device of a user; and
      
      adding the new plug-in to a service provider interface.
  - 19. The system of claim 15, wherein the identified storage system is the first storage system, wherein the data request is a first request, wherein the selected plug-in is a first plug-in, and wherein the at least one processor further executes compute code stored in the memory for:
    - receiving a second data request for a policy associated with an application;
      
      identifying the second storage system associated with the second data request;
      
      selecting, from the plurality of plug-ins, a second plug-in corresponding to the second identified storage system; and
      
      retrieving one or more policies associated with the application from the second identified storage system using the second selected plug-in corresponding to the second identified storage system.
  - 20. The system of claim 19, wherein the interface is a first interface, wherein the second data request is received through the first interface, wherein the second data request is converted by the second selected plug-in corresponding to the second identified storage system, and wherein the at least one processor further executes compute code stored in the memory for:
    - sending the second converted data request to the second identified storage system through a second interface to retrieve at least one policy responsive to the second data request, wherein the second converted data request includes one or more operations that are specific to the second identified storage system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Uchil, Mrudul, Jain, Swati
Primary Examiner(s)
Zecher, Dede
Assistant Examiner(s)
Savenkov, Vadim

Application Number

US14/493,236
Publication Number

US 20150089620A1
Time in Patent Office

1,044 Days
Field of Search

726 8
US Class Current
CPC Class Codes

G06F 21/41   where a single sign-on prov...

H04L 63/0815   providing single-sign-on or...

H04L 63/0838   using one-time-passwords

H04L 63/0884   by delegation of authentica...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

Virtualized data storage and management of policy and credential data sources

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Virtualized data storage and management of policy and credential data sources

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links