Privacy-preserving user attribute release and session management

US 8,850,546 B1
Filed: 09/30/2012
Issued: 09/30/2014
Est. Priority Date: 09/30/2012
Status: Active Grant

First Claim

Patent Images

1. A method comprising the steps of:

validating an externally-generated security token issued to a user;

extracting one or more claims from the validated externally-generated security token;

creating a session object to hold the extracted one or more claims;

issuing a plurality of internally-generated security tokens based on the session object to identify the user to respective protected resources in one or more local domains of an entity;

validating a given one of the internally-generated security tokens in conjunction with a request from the user for access to a given protected resource in a given one of the local domains using an access control module associated with the given local domain;

selectively releasing, by an internal issuing authority to the access control module associated with the given local domain, information associated with at least one extracted claim responsive to validation of the internally-generated security token; and

granting or denying access of the user to the given protected resource based on the selectively-released information;

wherein the externally-generated and internally-generated security tokens are respectively generated externally and internally relative to the entity;

wherein selectively releasing information associated with at least one extracted claim comprises releasing different sets of one or more user attributes in conjunction with different access requests directed to different ones of the protected resources; and

wherein said steps are performed by at least one processing device comprising a processor coupled to a memory.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An information processing system comprises one or more processing devices of at least one processing platform. In one embodiment, the system comprises cloud infrastructure that is configured to validate an externally-generated security token issued to a user, to extract one or more claims from the validated externally-generated security token, and to create a session object to hold the extracted claim or claims. The cloud infrastructure issues an internally-generated security token based on the session object that allows the user to be identified to a protected resource. The internally-generated security token is validated in conjunction with a request from the user for access to the protected resource, and information associated with at least one extracted claim is selectively released responsive to validation of the internally-generated security token. Access of the user to the protected resource is granted or denied based on the selectively-released information.

369 Citations

28 Claims

1. A method comprising the steps of:
- validating an externally-generated security token issued to a user;
  
  extracting one or more claims from the validated externally-generated security token;
  
  creating a session object to hold the extracted one or more claims;
  
  issuing a plurality of internally-generated security tokens based on the session object to identify the user to respective protected resources in one or more local domains of an entity;
  
  validating a given one of the internally-generated security tokens in conjunction with a request from the user for access to a given protected resource in a given one of the local domains using an access control module associated with the given local domain;
  
  selectively releasing, by an internal issuing authority to the access control module associated with the given local domain, information associated with at least one extracted claim responsive to validation of the internally-generated security token; and
  
  granting or denying access of the user to the given protected resource based on the selectively-released information;
  
  wherein the externally-generated and internally-generated security tokens are respectively generated externally and internally relative to the entity;
  
  wherein selectively releasing information associated with at least one extracted claim comprises releasing different sets of one or more user attributes in conjunction with different access requests directed to different ones of the protected resources; and
  
  wherein said steps are performed by at least one processing device comprising a processor coupled to a memory.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 2. The method of claim 1 wherein said at least one processing device is implemented in cloud infrastructure comprising said entity.
  - 3. The method of claim 1 wherein the plurality of internally-generated security tokens include a first internally-generated security token to represent that a valid login session has been established for the user and additional internally-generated security tokens comprising respective service-specific security tokens configured to permit the user to prove its identity to respective services provided in one or more local domains of the entity.
  - 4. The method of claim 1 wherein the externally-generated security token is received in the entity in conjunction with an access request from the user.
  - 5. The method of claim 1 wherein the externally-generated security token is generated by an identity provider external to the entity upon successful authentication of the user by the identity provider.
  - 6. The method of claim 5 further including the steps of:
    - responsive to receiving a request for access to the given protected resource from a user that has not established a login session with the entity, directing the user to a local domain single sign-on service to obtain an internally-generated security token for the given protected resource, wherein directing the user to the local domain single sign-on service comprises redirecting the access request from the access control module associated with the given local domain to the local domain single sign-on service; and
      
      responsive to determining that the externally-generated security token has not been received in the entity, directing the user to the external identity provider to obtain the externally-generated security token, wherein directing the user to the external identity provider comprises redirecting the access request from the local domain single sign-on service to the external identity provider.
  - 7. The method of claim 5 further including the step of directing the user to the external identity provider if the externally-generated security token is not received in the entity in conjunction with an initial access request from the user within a corresponding login session.
  - 8. The method of claim 7 wherein directing the user to the external identity provider comprises redirecting the initial access request to the external identity provider.
  - 9. The method of claim 8 wherein granting or denying access of the user to the given protected resource comprises granting or denying said access without requiring any further contact between the entity and the external identity provider other than that associated with redirection of the initial access request to the external identity provider.
  - 10. The method of claim 3 wherein the first internally-generated security token is generated for a corresponding login session of the user.
  - 11. The method of claim 1 wherein the externally-generated security token is configured for offline validation that does not require access to its corresponding external issuing authority and at least one of the internally-generated security tokens is configured for online validation that does require access to its corresponding internal issuing authority.
  - 12. The method of claim 11 wherein the internal issuing authority controls the step of selectively releasing information such that the given protected resource is unaware of at least a portion of said one or more extracted claims.
  - 13. The method of claim 1 wherein the user is associated with an enterprise that has established a trust relationship with the entity via exchange of certificates.
  - 14. The method of claim 10 wherein upon termination of the login session the extracted claims including the selectively-released information are deleted so as to preserve privacy in associated user attributes.
  - 15. The method of claim 14 wherein the user attributes are stored in memory of the entity only for the duration of the login session and are not written to persistent storage of the entity.
  - 16. The method of claim 1 wherein said one or more claims extracted from the externally-generated security token comprise at least one claim expressed in a security assertion mark-up language.
  - 17. The method of claim 1 wherein the one or more user attributes include at least an authenticated identifier of the user.
  - 18. The method of claim 1 wherein selectively releasing information associated with at least one extracted claim further comprises:
    - transforming the claim using one or more metadata mappings; and
      
      releasing information associated with the transformed claim.
  - 19. The method of claim 1 wherein selectively releasing information associated with at least one extracted claim further comprises releasing information in accordance with one or more specified policies.
  - 20. The method of claim 1 wherein the given protected resource is unaware of all the user attributes contained in said at least one extracted claim, so as to preserve privacy in certain ones of the user attributes relative to certain ones of the protected resources.
  - 21. The method of claim 1 further comprising providing session state information to the user so as to facilitate processing of additional access requests from the user within a given login session.
  - 22. A computer program product comprising a non-transitory processor-readable storage medium having encoded therein executable code of one or more software programs, wherein the one or more software programs when executed by at least one processing platform cause the processing platform to perform the steps of the method of claim 1.
  - 23. The method of claim 1 wherein the internal issuing authority comprises a local domain single sign-on service.

24. An apparatus comprising:
- information technology infrastructure comprising one or more processing devices, each of such processing devices comprising a processor coupled to a memory;
  
  said one or more processing devices being configured to perform the steps of;
  
  validating an externally-generated security token issued to a user;
  
  extracting one or more claims from the validated externally-generated security token;
  
  creating a session object to hold the extracted one or more claims;
  
  issuing a plurality of internally-generated security tokens based on the session object to identify the user to protected resources in respective ones of one or more local domains of an entity;
  
  validating a given one of the internally-generated security tokens in conjunction with a request from the user for access to a given protected resource in a given one of the local domains using an access control module associated with the given local domain;
  
  selectively releasing, by an internal issuing authority to the access control module associated with the given local domain, information associated with at least one extracted claim responsive to validation of the internally-generated security token; and
  
  granting or denying access of the user to the given protected resource based on the selectively-released information;
  
  wherein the externally-generated and internally-generated security tokens are respectively generated externally and internally relative to the entity that controls access to the protected resources; and
  
  wherein selectively releasing information associated with at least one extracted claim comprises releasing different sets of one or more user attributes in conjunction with different access requests directed to different one of the protected resources.
- View Dependent Claims (25, 26)
- - 25. The apparatus of claim 24 wherein the entity comprises cloud infrastructure of the information technology infrastructure.
  - 26. An information processing system comprising at least one processing platform which incorporates the apparatus of claim 24.

27. An apparatus comprising:
- a claims extractor configured to extract one or more claims from a validated security token of a first type;
  
  a token generator configured to issue a plurality of security tokens of a second type responsive to the validation of the security token of the first type, the plurality of security tokens of the second type identifying a user to protected resources in respective ones of one or more local domains; and
  
  access control modules associated with respective ones of the protected resources;
  
  wherein a given one of the security tokens of the second type is validated in conjunction with a request from the user for access to a given protected resource by its associated access control module, and information associated with at least one extracted claim is selectively released by an internal issuing authority to the access control module associated with the given protected resource responsive to validation of the security token of the second type; and
  
  wherein the access control module associated with the given protected resource grants or denies access of the user to the given protected resource based on the selectively-released information; and
  
  wherein the issuing authority is configured to selectively release information comprising different sets of one or more user attributes in conjunction with different access requests to different ones of the protected resources.
- View Dependent Claims (28)
- - 28. The apparatus of claim 27 wherein the claims extractor, token generator and access control module are implemented by cloud infrastructure, and further wherein the security tokens of the first and second types comprise respective externally-generated and internally-generated security tokens relative to the cloud infrastructure.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
EMC Corporation (Dell Technologies Inc.)
Inventors
Field, John P., Bharadwaj, Vijayanand, Ohsie, David A.
Primary Examiner(s)
Khoshnoodi, Nadia
Assistant Examiner(s)
Stocia, Adrian

Application Number

US13/632,014
Time in Patent Office

730 Days
Field of Search

None
US Class Current

726/8
CPC Class Codes

G06F 21/335   for accessing specific reso...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

Privacy-preserving user attribute release and session management

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

369 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Privacy-preserving user attribute release and session management

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

369 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links