Flexible authentication framework

US 9,177,124 B2
Filed: 02/28/2007
Issued: 11/03/2015
Est. Priority Date: 03/01/2006
Status: Active Grant

First Claim

Patent Images

1. A method for authenticating users in a secure search system, comprising:

receiving, using one or more processors, user identification information from a user in a secure enterprise system;

authenticating, using the one or more processors, the user to a plurality of secure data sources by providing the user identification information to a plurality of application program interfaces (APIs), with each API interfacing with a respective identity management computer system, and with each identity management computer system of a plurality of identity management computer systems managing identities for one or more secure data sources in the secure enterprise system, where each secure data source provides access to data by authenticated and authorized users, where a number or types of objects representing the user identification information required by a first identity management computer system is different from a number or types of objects representing the user identification information required by a second identity management computer system;

crawling, using the one or more processors, a secure data source associated with the at least one identity management computer system and building an index of documents based on the crawling;

receiving, using the one or more processors, a query from the user;

calling, using the one or more processors, back into the at least one identity management computer system to obtain a security attribute value for the user in response to the query;

appending, using the one or more processors, the security attribute value for the user to the query and using the appended query to query the index; and

based on the appended query and security attributes of documents in the secure data source, determining, using the one or more processors, one or more documents from the index of documents, that are accessible to the user.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A flexible and extensible architecture allows for secure searching across an enterprise. Such an architecture can provide a simple Internet-like search experience to users searching secure content inside (and outside) the enterprise. The architecture allows for the crawling and searching of a variety of sources across an enterprise, regardless of whether any of these sources conform to a conventional user role model. The architecture further allows for security attributes to be submitted at query time, for example, in order to provide real-time secure access to enterprise resources. The user query also can be transformed to provide for dynamic querying that provides for a more current result list than can be obtained for static queries.

227 Citations

18 Claims

1. A method for authenticating users in a secure search system, comprising:
- receiving, using one or more processors, user identification information from a user in a secure enterprise system;
  
  authenticating, using the one or more processors, the user to a plurality of secure data sources by providing the user identification information to a plurality of application program interfaces (APIs), with each API interfacing with a respective identity management computer system, and with each identity management computer system of a plurality of identity management computer systems managing identities for one or more secure data sources in the secure enterprise system, where each secure data source provides access to data by authenticated and authorized users, where a number or types of objects representing the user identification information required by a first identity management computer system is different from a number or types of objects representing the user identification information required by a second identity management computer system;
  
  crawling, using the one or more processors, a secure data source associated with the at least one identity management computer system and building an index of documents based on the crawling;
  
  receiving, using the one or more processors, a query from the user;
  
  calling, using the one or more processors, back into the at least one identity management computer system to obtain a security attribute value for the user in response to the query;
  
  appending, using the one or more processors, the security attribute value for the user to the query and using the appended query to query the index; and
  
  based on the appended query and security attributes of documents in the secure data source, determining, using the one or more processors, one or more documents from the index of documents, that are accessible to the user.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method according to claim 1, wherein calling back into the at least one identity management computer system includes obtaining access information selected from a group consisting of role information, group information, and project information.
  - 3. The method according to claim 1, further comprising:
    - if the user cannot be validated, denying the user access to the secure data source.
  - 4. The method according to claim 1, further comprising:
    - refreshing access information for the user.
  - 5. The method according to claim 1, further comprising:
    - providing an additional API to allow the user identification information to be passed to an additional secure data source.
  - 6. The method according to claim 1, wherein:
    - calling back into the identity management computer system includes obtaining project information associated with the user.

7. A non-transitory computer readable storage medium storing instructions, which when executed by one or more processors cause the one or more processors to authenticate users in a secure search system, the instructions comprising:
- instructions for receiving user identification information from a user in a secure enterprise system;
  
  instructions for authenticating the user to a plurality of secure data sources by providing the user identification information to a plurality of application program interfaces (APIs), with each API interfacing with a respective identity management computer system, and with each identity management computer system of a plurality of identity management computer systems managing identities for one or more secure data sources in the secure enterprise system, where each secure data source provides access to data by authenticated and authorized users, where a number or types of objects representing the user identification information required by a first identity management computer system is different from a number or types of objects representing the user identification information required by a second identity management computer system;
  
  instructions for crawling a secure data source associated with the at least one identity management computer system and building an index of documents based on the crawling;
  
  instructions for receiving a query from the user;
  
  instructions for calling back into the at least one identity management computer system to obtain a security attribute value for the user in response to the query;
  
  instructions for appending the security attribute value for the user to the query and using the appended query to query the index; and
  
  instructions for determining, based on the appended query and security attributes of documents in the secure data source, one or more documents from the index of documents, that are accessible to the user.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The non-transitory computer-readable storage medium according to claim 7, whereininstructions for calling back into the at least one identity management computer system includes instructions for obtaining access information selected from a group consisting of role information, group information, and project information.
  - 9. The non-transitory computer-readable storage medium according to claim 7, further comprising:
    - instructions for denying the user access to the secure data source when the user cannot be validated.
  - 10. The non-transitory computer-readable storage medium according to claim 7, further comprising:
    - instructions for refreshing access information for the user.
  - 11. The non-transitory computer-readable storage medium according to claim 7, further comprising:
    - instructions for providing an additional API to allow the user identification information to be passed to an additional secure data source.
  - 12. The non-transitory computer-readable storage medium according to claim 7, wherein:
    - calling back into the identity management computer system includes obtaining project information associated with the user.

13. A secure search system comprising:
- one or more hardware processors; and
  
  one or more memory devices comprising instructions that, when executed by the one or more processors, cause the one or more processors to perform operations comprising;
  
  receiving user identification information from a user in a secure enterprise system;
  
  authenticating the user to a plurality of secure data sources by providing the user identification information to a plurality of application program interfaces (APIs), with each API interfacing with a respective identity management computer system, and with each identity management computer system of a plurality of identity management computer systems managing identities for one or more secure data sources in the secure enterprise system, where each secure data source provides access to data by authenticated and authorized users, where a number or types of objects representing the user identification information required by a first identity management computer system is different from a number or types of objects representing the user identification information required by a second identity management computer system;
  
  crawling a secure data source associated with the at least one identity management computer system and building an index of documents based on the crawling;
  
  receiving a query from the user;
  
  calling back into the at least one identity management computer system to obtain a security attribute value for the user in response to the query;
  
  appending the security attribute value for the user to the query and using the appended query to query the index; and
  
  based on the appended query and security attributes of documents in the secure data source, determining one or more documents from the index of documents, that are accessible to the user.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The secure search system of claim 13, wherein calling back into the at least one identity management computer system includes obtaining access information selected from a group consisting of role information, group information, and project information.
  - 15. The secure search system of claim 13, wherein the one or more memory devices further comprise instructions that, when executed by the one or more processors, cause the one or more processors to perform further operations comprising:
    - denying the user access to the secure data source when the user cannot be validated.
  - 16. The secure search system of claim 13, wherein the one or more memory devices further comprise instructions that, when executed by the one or more processors, cause the one or more processors to perform further operations comprising:
    - refreshing access information for the user.
  - 17. The secure search system of claim 13, wherein the one or more memory devices further comprise instructions that, when executed by the one or more processors, cause the one or more processors to perform further operations comprising:
    - providing an additional API to allow the user identification information to be passed to an additional secure data source.
  - 18. The secure search system of claim 13, wherein calling back into the at least one identity management computer system includes obtaining project information associated with the user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Krishnaprasad, Muralidhar, Davis, Mark, Ture, Mark, Hsin, Cindy, Bhavsar, Meeten, Koide, Hiroshi, Delgado, Joaquin, Yang, Chi-Ming, Nimani, Visar, Ouyang, Hui, Bhatkar, Sachin, Chang, Thomas
Primary Examiner(s)
HOLDER, BRADLEY W

Application Number

US11/680,530
Publication Number

US 20070208744A1
Time in Patent Office

3,170 Days
Field of Search

726/2, 726/3, 726/28
US Class Current

1/1
CPC Class Codes

G06F 16/2228   Indexing structures

G06F 16/2455   Query execution

G06F 16/248   Presentation of query results

G06F 16/93   Document management systems

G06F 16/951   Indexing; Web crawling tech...

G06F 16/9535   Search customisation based ...

G06F 16/9538   Presentation of query results

G06F 21/31   User authentication

G06F 21/6227   where protection concerns t...

H04L 63/08   for authentication of entit...

H04L 63/0815   providing single-sign-on or...

H04L 63/083   using passwords cryptograph...

H04L 63/102   Entity profiles

Flexible authentication framework

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

227 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Flexible authentication framework

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

227 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links