System and method for centralized configuration and authentication
First Claim
1. A computing system comprising:
a plurality of devices including a first device comprising at least one of circuitry and program code; and
an identity and access manager (IAM);
wherein in response to the first device receiving a first request from a given user to login to the first device, the first device is configured to:
generate a virtual user to mimic an existence of the given user on the first device, prior to verifying the existence of the given user on the first device; and
send a second request corresponding to the given user to the IAM, wherein the second request comprises a request for verification of both the existence of the given user for the first device and an authorization of use by the given user for the first device;
wherein in response to receiving from the IAM an indication that the given user is an authorized user of the first device, the first device is configured to create a session for the given user with privileges determined by user role information received from the IAM, wherein creating the session for the given user comprises updating or replacing information associated with the virtual user in order to transform the virtual user into the given user.
7 Assignments
0 Petitions
Abstract
A system and method for efficiently obtaining user configuration information for a given device. Multiple devices are deployed in an environment and may be storage appliances. A directory service and an authentication service may be used to determine whether a login session attempt on a deployed device is successful. An identity and access manager (IAM) is used for this determination and to communicate with the directory service and the authentication service. A given one of the deployed devices does not store user configuration information. Responsive to an attempted login by a user, the device mimics the existence of the user and generates a request for directory lookup and authentication for the user, which is conveyed to an external device. If a positive response is received in response to the request, the user is permitted to login to the device and a session is created for the user.
49 Citations
15 Claims
1. (Independent claim; text as given under First Claim above.) Dependent claims: 2, 3, 4, 5.

6. A device comprising:
a name switch service (NSS) module comprising at least one of circuitry and program code; and
a pluggable authentication management (PAM) module comprising at least one of circuitry and program code;
wherein in response to receiving a first request from a given user to login to the device, the NSS module is configured to generate a virtual user to mimic an existence of the given user on the device prior to verifying the existence of the given user for the device; and
wherein in response to receiving an indication from the NSS indicating said existence, the PAM module is configured to convey a second request corresponding to the given user, wherein the second request comprises a request for verification of both the existence of the given user and an authorization of use by the given user for the device;
wherein in response to receiving an indication indicating the given user is an authorized user of the first device, the device is configured to create a session for the given user by updating or replacing information associated with the virtual user in order to transform the virtual user into the given user.
Dependent claims: 7, 8, 9, 10.

11. A method for executing on a processor, the method comprising:
receiving a first request at a first device from a given user to login to the first device;
generating a virtual user to mimic an existence of the given user on the first device, prior to verifying the existence of the given user on the first device; and
sending a second request corresponding to the given user to an identity and access manager (IAM), wherein the second request comprises a request for verification of both the existence of the given user for the first device and an authorization of use by the given user for the first device;
wherein in response to receiving from the IAM an indication that the given user is an authorized user of the first device, the first device is configured to create a session for the given user with privileges determined by user role information received from the IAM, wherein creating the session for the given user comprises updating or replacing information associated with the virtual user in order to transform the virtual user into the given user.
Dependent claims: 12, 13, 14, 15.
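The login flow that the abstract and independent claims 1, 6 and 11 describe, as an added Python simulation that is not the patent's own code: an NSS-style lookup hands back a placeholder (virtual) user before anything is verified, a PAM-style step asks an external IAM to confirm both that the user exists for this device and that the user is authorized to use it, and only a positive answer turns the placeholder into a session whose uid, groups and shell are derived from the IAM's role information. The user names, roles, device names, password store and IAM reply format are constructed for the example. Two points a practitioner would check are built in: the placeholder carries no privilege until the IAM answers, and an unreachable IAM fails closed rather than falling back to local state the device is specified not to hold.

```python
"""Simulation of the centralized login flow: virtual user -> IAM check -> session.

Added example; names, roles, devices, the password store and the IAM reply
format are constructed here and are not taken from the patent.
"""
from dataclasses import dataclass, field
import hashlib
import hmac

# Constructed stand-in for the directory + authentication services the IAM consults.
_SALT = b"example-salt"  # constructed; a real store uses a random per-user salt


def _pwhash(password: str, salt: bytes = _SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


IAM_USERS = {  # user -> directory record (devices the user may use) + credential
    "alice": {"uid": 5001, "roles": ["storage-admin"], "devices": {"nas-01", "nas-02"},
              "pw": _pwhash("correct horse")},
    "bob":   {"uid": 5002, "roles": ["auditor"], "devices": {"nas-02"},
              "pw": _pwhash("hunter2")},
}

# Role -> privileges applied when the virtual user is transformed (constructed).
ROLE_PRIVILEGES = {
    "storage-admin": {"shell": "/bin/sh", "groups": ["wheel", "storage"]},
    "auditor":       {"shell": "/usr/bin/ro-shell", "groups": ["readonly"]},
}


@dataclass
class VirtualUser:
    """Placeholder the NSS module returns before anything is verified.

    It must carry no privilege: unprivileged uid, no groups, no login shell.
    """
    name: str
    uid: int = 65534                 # 'nobody'
    groups: list = field(default_factory=list)
    shell: str = "/sbin/nologin"
    verified: bool = False


def nss_lookup(name: str) -> VirtualUser:
    """NSS module: mimic the user's existence so the login path can continue."""
    return VirtualUser(name=name)


class IAMUnreachable(Exception):
    pass


def iam_verify(device: str, name: str, password: str, iam=IAM_USERS):
    """IAM: existence for this device, then authentication, then role information.

    Returns a dict with uid and roles on success, None on any negative answer.
    """
    if iam is None:
        raise IAMUnreachable("IAM not reachable")
    rec = iam.get(name)
    if rec is None or device not in rec["devices"]:
        return None                                  # unknown, or not authorized for this device
    if not hmac.compare_digest(rec["pw"], _pwhash(password)):
        return None                                  # wrong credential
    return {"uid": rec["uid"], "roles": list(rec["roles"])}


def login(device: str, name: str, password: str, iam=IAM_USERS):
    """Device-side flow from the claims; returns a session user or None."""
    vu = nss_lookup(name)                            # 1. virtual user, unverified
    try:
        info = iam_verify(device, name, password, iam)  # 2. existence + authorization via IAM
    except IAMUnreachable:
        info = None                                  # fail closed: device holds no local fallback
    if info is None:
        return None                                  # placeholder discarded, no session
    # 3. transform the placeholder into the real user with role-derived privileges
    vu.uid = info["uid"]
    for role in info["roles"]:
        priv = ROLE_PRIVILEGES.get(role, {})
        vu.groups.extend(priv.get("groups", []))
        vu.shell = priv.get("shell", vu.shell)
    vu.verified = True
    return vu


if __name__ == "__main__":
    print(login("nas-01", "alice", "correct horse"))
    print(login("nas-01", "bob", "hunter2"))       # None: bob is not authorized on nas-01
```

The page does not say how the device and the IAM talk; in a deployment the second request and the IAM's reply need an authenticated channel, since a forged positive reply would be enough to turn the placeholder into a privileged session.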
Specification