Method and system for providing a federated authentication service with gradual expiration of credentials

US 8,281,379 B2
Filed: 11/13/2008
Issued: 10/02/2012
Est. Priority Date: 11/13/2008
Status: Active Grant

First Claim

Patent Images

1. A method for providing a single sign-on service, comprisingreceiving at an authentication server an authentication request from a particular user;

performing an authentication of said particular user at said authentication server;

associating a time-dependent trust level with said authentication, said trust level having at least an initial value;

associating with at least one of a plurality of application servers a required minimum level of trust for a user to be granted access to said at least one application server;

receiving a validation request pertaining to said particular user and said application server;

calculating an updated instantaneous value for said time-dependent trust level associated with said authentication by adjusting the instantaneous value of said trust level based on at least a function of time;

granting said user access to said application server if said updated instantaneous value for said time-dependent trust level exceeds said required minimum level of trust associated with said application server.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention relates to the field of authentication of users of services over a computer network, more specifically within the paradigms of federated authentication or single sign-on. A known technique consists of associating different trust levels to different authentication mechanisms, wherein the respective trust levels give access to different information resources, notably to provide the possibility to protect more sensitive resources with a stronger form of authentication. The present invention provides a mechanism to allow the trust level to decrease without re-authenticating with the single sign on system, down to the level at which it is no longer sufficient to obtain access to a desired resource. Only then, the user needs to reauthenticate.

43 Citations

View as Search Results

31 Claims

1. A method for providing a single sign-on service, comprisingreceiving at an authentication server an authentication request from a particular user;
- performing an authentication of said particular user at said authentication server;
  
  associating a time-dependent trust level with said authentication, said trust level having at least an initial value;
  
  associating with at least one of a plurality of application servers a required minimum level of trust for a user to be granted access to said at least one application server;
  
  receiving a validation request pertaining to said particular user and said application server;
  
  calculating an updated instantaneous value for said time-dependent trust level associated with said authentication by adjusting the instantaneous value of said trust level based on at least a function of time;
  
  granting said user access to said application server if said updated instantaneous value for said time-dependent trust level exceeds said required minimum level of trust associated with said application server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, further comprising generating an authentication ticket for said particular user.
  - 3. The method of claim 2, wherein said validation request contains a reference to said authentication ticket.
  - 4. The method of claim 1, wherein said function of time is a function of the time elapsed since said authentication.
  - 5. The method of claim 1, wherein said calculating also uses said initial value of said trust level.
  - 6. The method of claim 1, wherein said calculating also uses said required minimum level of trust, and wherein said calculating results in a symbolic value indicating authentication failure if said required minimum level of trust is not granted.
  - 7. The method of claim 1, wherein said receiving of said validation request takes place at said application server.
  - 8. The method of claim 1, wherein said receiving of said validation request takes place at said authentication server.
  - 9. The method of claim 1, wherein said calculating comprises decreasing said instantaneous value for said time-dependent trust level linearly with time.
  - 10. The method of claim 1, wherein said calculating comprises decreasing said instantaneous value for said time-dependent trust level exponentially with time.
  - 11. The method of claim 1, wherein said calculating comprises decreasing said instantaneous value for said time-dependent trust level as a series of step functions in the time domain.
  - 12. The method of claim 1, wherein said calculating takes place at said application server.
  - 13. The method of claim 1, wherein said calculating takes place at said authentication server.
  - 14. The method of claim 1, wherein said required minimum level of trust may vary at different application servers.
  - 15. The method of claim 1, wherein said calculating comprises decreasing said instantaneous value for said time-dependent trust level with time.

16. A system for providing a single sign-on service, comprising:
- a first receiving agent for receiving an authentication request from a user;
  
  an authentication agent for authenticating said user;
  
  an issuing agent for issuing an authentication ticket for said user, wherein a time-dependent trust level is associated with said authentication ticket, said trust level having at least an initial value;
  
  a second receiving agent for receiving a validation request pertaining to said user from an applicationserver, said request containing a reference to said authentication ticket, and said application server enforcing a required minimum level of trust;
  
  a processor for calculating an updated instantaneous value for said time-dependent trust level associated with said authentication ticket by adjusting the instantaneous value of said trust level based on at least a function of time; and
  
  a sending agent for sending a signal indicative of said calculating to said application server, saidapplication server granting said user access dependent on said updated instantaneous value for said time-dependent trust level exceeding said required minimum level of trust.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23)
- - 17. The system of claim 16, wherein said function of time is a function of the time elapsed since said authenticating.
  - 18. The system of claim 16, wherein said calculating also uses said initial value of said trust level.
  - 19. The system of claim 16, wherein said calculating also uses said required minimum level of trust, and wherein said calculating results in a symbolic value indicating authentication failure if said required minimum level of trust is not granted.
  - 20. The system of claim 16, wherein said calculating comprises decreasing said instantaneous value for said time-dependent trust level linearly with time.
  - 21. The system of claim 16, wherein said calculating comprises decreasing said instantaneous value for said time-dependent trust level exponentially with time.
  - 22. The system of claim 16, wherein said calculating comprises decreasing said instantaneous value for said time-dependent trust level as a series of step functions in the time domain.
  - 23. The method of claim 16, wherein said calculating comprises decreasing said instantaneous value for said time-dependent trust level with time.

24. A system for providing a single sign-on service, comprising:
- at least one server comprising;
  
  a receiving agent for receiving an authentication request from a user;
  
  an authentication agent for authenticating said user; and
  
  ,an issuing agent for issuing an authentication ticket for said user, wherein at least one initial trust leveland at least one subsequent trust level are associated with said authentication ticket, said subsequenttrust level having a lower value than said initial trust level and said subsequent trust level having a validity period extending beyond the validity period of said initial trust level;
  
  wherein each of said at least one server includes at least one of the receiving agent, the authentication agent, or the issuing agent.
- View Dependent Claims (25, 26)
- - 25. A system as recited in claim 24, wherein the at least one server comprises a first server and a second server and whereineach said server including a trust agent, each trust agent establishing a minimum level of trust, wherein said first server trust agent establishes a minimum level of trust which is independent of a minimum level of trust established by said second server trust agent.
  - 26. The system of claim 24 further comprising an access granting agent for granting said user access to an application wherein a minimum required trust level is associated with said application and wherein said granting agent grants said user access to said application if said initial trust level exceeds said minimum required trust level and the validity period of said initial trust level has not yet been exceeded or if said subsequent trust level exceeds said minimum required trust level and the validity period of said subsequent trust level has not yet been exceeded.

27. A method for providing a single sign-on service, comprisingreceiving an authentication request from a user;
- authenticating said user; and
  
  ,issuing layered authentication ticket for said user, wherein a particular trust level and expiry time are associated with each of two or more layers of said authentication ticket and wherein the expiry time of any particular layer of said two or more layers is set to expire sooner than the expiry times of layers with a lower trust level than the trust level associated with said particular layer.
- View Dependent Claims (28)
- - 28. The method of claim 27 further comprising granting said user access to a particular application server wherein said granting access depends on whether for at least one layer of said authentication ticket the associated expiry time has not yet expired and the associated trust level exceeds a minimum required trust level associated with said application server.

29. A method for providing a single sign-on service, comprisingreceiving at an authentication server an authentication request from a particular user;
- performing an authentication of said particular user at said authentication server;
  
  associating a time-dependent trust level with said authentication;
  
  associating with at least one of a plurality or application servers a required minimum level of trust for auser to be granted access to said at least one application server;
  
  receiving an access request pertaining to said particular user and said application server;
  
  calculating an updated instantaneous value for said time-dependent trust level associated with said authentication by adjusting the instantaneous value of said trust level based on at least a function of time;
  
  granting said user access to said application server if said updated instantaneous value for said time-dependent trust level exceeds said required minimum level of trust associated with said application server.
- View Dependent Claims (30, 31)
- - 30. The method of claim 29 wherein said calculating comprises decreasing said instantaneous value for said time-dependent trust level with time.
  - 31. The method of claim 30 wherein the pace of said decreasing with time is a function of user activity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Onespan North America Incorporated (OneSpan, Inc.)
Original Assignee
Vasco Data Security Incorporated (OneSpan, Inc.)
Inventors
Noë, Frederik
Primary Examiner(s)
REVAK, CHRISTOPHER A

Application Number

US12/270,486
Publication Number

US 20100122333A1
Time in Patent Office

1,419 Days
Field of Search

None
US Class Current

726/8
CPC Class Codes

G06F 21/41   where a single sign-on prov...

H04L 63/0815   providing single-sign-on or...

H04L 63/105   Multiple levels of security

H04L 9/3213   using tickets or tokens, e....

Method and system for providing a federated authentication service with gradual expiration of credentials

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

43 Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for providing a federated authentication service with gradual expiration of credentials

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

43 Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links