System and method for centralized configuration and authentication

US 9,887,978 B2
Filed: 06/23/2015
Issued: 02/06/2018
Est. Priority Date: 06/23/2015
Status: Active Grant

First Claim

Patent Images

1. A computing system comprising:

a plurality of devices including a first device comprising at least one of circuitry and program code; and

an identity and access manager (IAM);

wherein in response to the first device receiving a first request from a given user to login to the first device, the first device is configured to;

generate a virtual user to mimic an existence of the given user on the first device, prior to verifying the existence of the given user on the first device; and

send a second request corresponding to the given user to the IAM, wherein the second request comprises a request for verification of both the existence of the given user for the first device and an authorization of use by the given user for the first device;

wherein in response to receiving from the IAM an indication that the given user is an authorized user of the first device, the first device is configured to create a session for the given user with privileges determined by user role information received from the IAM, wherein creating the session for the given user comprises updating or replacing information associated with the virtual user in order to transform the virtual user into the given user.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for efficiently obtaining user configuration information for a given device. Multiple devices are deployed in an environment and may be storage appliances. A directory service and an authentication service may be used to determine whether a login session attempt on a deployed device is successful. An identity and access manager (IAM) is used to for this determination and to communicate with the directory service and the authentication service. A device of the one or more of the deployed devices does not store user configuration information. Responsive to an attempted login by a user, the device mimics the existence of the user and generates a request for directory lookup and authentication for the user which is conveyed to an external device. If a positive response is received in response to the request, the user is permitted to login to the device and a session is created for the user.

49 Citations

View as Search Results

15 Claims

1. A computing system comprising:
- a plurality of devices including a first device comprising at least one of circuitry and program code; and
  
  an identity and access manager (IAM);
  
  wherein in response to the first device receiving a first request from a given user to login to the first device, the first device is configured to;
  
  generate a virtual user to mimic an existence of the given user on the first device, prior to verifying the existence of the given user on the first device; and
  
  send a second request corresponding to the given user to the IAM, wherein the second request comprises a request for verification of both the existence of the given user for the first device and an authorization of use by the given user for the first device;
  
  wherein in response to receiving from the IAM an indication that the given user is an authorized user of the first device, the first device is configured to create a session for the given user with privileges determined by user role information received from the IAM, wherein creating the session for the given user comprises updating or replacing information associated with the virtual user in order to transform the virtual user into the given user.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The computing system as recited in claim 1, wherein the IAM comprises at least one of circuitry and program code, the system further comprising:
    - a user directory service configured to store user identification information for one or more users; and
      
      an authentication service configured to store user credential information for the one or more users;
      
      wherein in response to receiving the second request from the first device, the IAM is configured to;
      
      send a first query to the user directory service to verify an existence of the given user; and
      
      in response to receiving an indication from the user directory service indicating the existence of the given user, send a second query to the authentication service to verify whether the given user is an authorized user for the first device.
  - 3. The computing system as recited in claim 2, wherein in response to receiving an indication from the authentication service indicating the given user is an authorized user for the first device, the IAM is further configured to send a response to the first device, wherein the response comprises user role information and an indication that the given user is the authorized user for the first device.
  - 4. The computing system as recited in claim 1, wherein the first device of the plurality of devices is a storage appliance and the first device has not been configured for use by the given user.
  - 5. The computing system as recited in claim 1, wherein the first device is a storage appliance, and wherein the second request is conveyed to a second device that is a storage appliance, and in response to the second device receiving the second request from the first device, the second device is configured to forward the second request to a third device that includes the IAM.

6. A device comprising:
- a name switch service (NSS) module comprising at least one of circuitry and program code; and
  
  a pluggable authentication management (PAM) module comprising at least one of circuitry and program code;
  
  wherein in response to receiving a first request from a given user to login to the device, the NSS module is configured to generate a virtual user to mimic an existence of the given user on the device prior to verifying the existence of the given user for the device; and
  
  wherein in response to receiving an indication from the NSS indicating said existence, the PAM module is configured to convey a second request corresponding to the given user, wherein the second request comprises a request for verification of both the existence of the given user and an authorization of use by the given user for the device;
  
  wherein in response to receiving an indication indicating the given user is an authorized user of the first device, the device is configured to create a session for the given user by updating or replacing information associated with the virtual user in order to transform the virtual user into the given user.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The device as recited in claim 6, wherein to update the virtual user to be the given user on the device, the NSS module is further configured to update a data structure corresponding to the given user with received information comprising at least one of a user identifier (ID), a group ID, and a home directory for the given user.
  - 8. The device as recited in claim 6, wherein when the first request is received, the device has not been configured for use by the given user.
  - 9. The device as recited in claim 6, wherein the device is a storage appliance, and wherein the second request is conveyed to a second device that is a storage appliance.
  - 10. The device as recited in claim 6, wherein the device is configured to be used as part of a hierarchy of storage appliances.

11. A method for executing on a processor, the method comprising:
- receiving a first request at a first device from a given user to login to the first device;
  
  generating a virtual user to mimic an existence of the given user on the first device, prior to verifying the existence of the given user on the first device; and
  
  sending a second request corresponding to the given user to an identity and access manager (IAM), wherein the second request comprises a request for verification of both the existence of the given user for the first device and an authorization of use by the given user for the first device;
  
  wherein in response to receiving from the IAM an indication that the given user is an authorized user of the first device, the first device is configured to create a session for the given user with privileges determined by user role information received from the IAM, wherein creating the session for the given user comprises updating or replacing information associated with the virtual user in order to transform the virtual user into the given user.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The method as recited in claim 11, wherein in response to receiving the second request, the method further comprises:
    - sending a first query to a user directory service to verify an existence of the given user, wherein the user directory service stores at least user identification information for one or more users; and
      
      in response to receiving an indication from the user directory service indicating the existence of the given user, sending a second query to an authentication service to verify whether the given user is an authorized user for the first device.
  - 13. The method as recited in claim 12, wherein in response to receiving an indication from the authentication service indicating the given user is an authorized user for the first device, the method further comprises the IAM sending a response to the first device, wherein the response comprises user role information and an indication as to whether the given user is the authorized user for the first device.
  - 14. The method as recited in claim 11, wherein the first device of the plurality of devices is a storage appliance and the first device has not been configured for use by the given user.
  - 15. The method as recited in claim 11, wherein the first device is a storage appliance, and wherein the second request is conveyed to a second device that is a storage appliance, and in response to the second device receiving the second request from the first device, the second device is configured to forward the second request to a third device that includes the IAM.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Veritas Technologies, LLC (Whitehouse Group Ltd.)
Original Assignee
Veritas Technologies, LLC (Whitehouse Group Ltd.)
Inventors
Goel, Vikas
Primary Examiner(s)
Parsons, Theodore C.
Assistant Examiner(s)
DE JESUS LASSALA, CARLOS MANUEL

Application Number

US14/747,440
Publication Number

US 20160380988A1
Time in Patent Office

959 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

H04W 12/06   Authentication

System and method for centralized configuration and authentication

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

49 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for centralized configuration and authentication

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

49 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links