Secure trust-scored distributed multimedia collaboration session
US-9560076-B2 · Jan 31, 2017 · US
Techniques for authentication level step-down
US10257205B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10257205-B2 |
| Application number | US-201615294381-A |
| Country | US |
| Kind code | B2 |
| Filing date | Oct 14, 2016 |
| Priority date | Oct 22, 2015 |
| Publication date | Apr 9, 2019 |
| Grant date | Apr 9, 2019 |
How to read this patent
A practical reading order for non-experts. Skip the full description unless you need deep technical detail.
- Title
What the patent document calls the invention.
- Abstract
A short plain-language summary of the technical disclosure.
- Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
- Key dates
Filing, priority, publication, and grant dates set the timeline.
- First independent claim
The legal scope of protection — read this for what is actually claimed.
- CPC / IPC classifications
Technology tags used to group this patent with similar filings.
- Citations and related patents
Prior art links and similar publications in this corpus.
Abstract
Official abstract text for this publication.
Techniques are disclosed to modify the authentication level of a session providing access to resources. In some embodiments, an access management system is configurable to enable voluntary (e.g., request by a user) or involuntary (e.g., by the access management system) reduce, or “step-down” the authentication level for a session if a lower authentication level exists. For example, an access management system may be configured to enable a user to request a step-down of the authentication level of a session to prevent access to resources at a higher authentication level. By reducing the authentication level to a lower authentication level, a user may be prompted to provide credentials for authentication according to the authentication schemes defined for higher authentication levels. These techniques can reduce, if not prevent, unauthorized access to protected resources by challenging a user for credentials to authenticate to higher authentication levels.
First claim
Opening claim text (preview).
What is claimed is: 1. A method comprising: receiving, at an access agent of a single-sign-on gateway, a first request to access a first resource from a computing device by a user, wherein the first resource is provided by a resource computer system; communicating, by the access agent, with an authorization engine of an access management system to identify a first authentication level at which access to the first resource is permitted; in response to identifying the first authentication level, determining, by a session engine of the access management system, authentication of the user at the first authentication level; based on determining that the user is authenticated at the first authentication level, establishing, by the session engine, a single-sign-on session at an authentication level for the computing device, wherein the authentication level of the session is the first authentication level that enables the user at the computing device to access the first resource provided by the resource computer system; receiving, at the access agent, a second request to access a second resource from the computing device by the user; communicating, by the access agent, with the authorization engine of the access management system to identify a second authentication level at which access to the second resource is permitted, wherein the first authentication level is different from the second authentication level at which the first resource is not accessible; determining, by the session engine, that the received second request is an event for reducing the authentication level for the computing device; modifying, by the session engine, the authentication level of the single sign-on session for the computing device from the first authentication level to the second authentication level based on the determination of the event, wherein the access to the first resource by the user at the computing device is prevented by modifying the authentication level of the single-sing-on session to the second authentication level; and sending, by the session engine, information concerning the modification of the authentication level to the access agent to indicate to the access agent that the authentication level of the single sign-on session for the computing device has changed from the first authentication level to the second authentication level. 2. The method of claim 1 , further comprising enabling, by the session engine, the computing device to access the second resource based on determining that the single sign-on session is active and that the authentication level of the single sign-on session is at the first authentication level. 3. The method of claim 1 , further comprising: sending, to the computing device, a request for credential information of the user to access the first resource at the first authentication level; receiving, from the computing device, the credential information; and determining the authentication of the user at the first authentication level based on verifying the credential information. 4. A system comprising: one or more processors; and a memory accessible to the one or more processors, the memory storing one or more instructions that, upon execution by the one or more processors, causes the one or more processors to: receive a first request to access a first resource from a computing device by a user, wherein the first resource is provided by a resource computer system; identify a first authentication level at which access to the first resource is permitted; in response to identifying the first authentication level, determine authentication of the user at the first authentication level; based on determining that the user is authenticated at the first authentication level, establish a single sign-on session at an authentication level for the computing device, wherein the authentication level of the session is the first authentication level that enables the user at the computing device to access the first resource provided by the resource computer system; after the single sign-on session is established at the first authentication level, receive a second request to access a second resource from the computing device by the user; identify a second authentication level at which access to the second resource is permitted, wherein the first authentication level is different from the second authentication level at which the first resource is not accessible; determine that the received second request is an event for reducing the authentication level for the computing device, modify the authentication level of the single sign-on session for the computing device from the first authentication level to the second authentication level based on the determination of the event, wherein the access to the first resource by the user at the computing device is prevented by modifying the authentication level of the single sign-on session to the second authentication level; and sending information concerning the modification of the authentication level to an access agent to indicate to the access agent that the authentication level of the single sign-on session for the computing device has changed from the first authentication level to the second authentication level. 5. The system of claim 4 , wherein the system is included in an access management system. 6. The system of claim 4 , wherein the one or more instructions that, upon execution by the one or more processors, further causes the one or more processors to enable the computing device to access the second resource based on determining that the single sign-on session is active and that the authentication level of the single sign-on session is at the first authentication level. 7. A non-transitory computer-readable medium storing one or more instructions that, upon execution by one or more processors, causes the one or more processors to: receive, at a computer system of an access management system a first request to access a first resource from a computing device by a user, wherein the first resource is provided by a resource computer system; identify, by the computer system, a first authentication level at which access to the first resource is permitted; in response to identifying the first authentication level, determine, by the computer system, authentication of the user at the first authentication level; based on determining that the user is authenticated at the first authentication level, establish, by the computer system, a single sign-on session at an authentication level for the computing device, wherein the authentication level of the session is the first authentication level that enables the user at the computing device to access the first resource provided by the resource computer system; after the single sign-on session is established at the first authentication level, receive, at the computer system, a second request to access a second resource from the computing device by the user; identify, at the computer system, a second authentication level at which access to the second resource is permitted, wherein the first authentication level is different from the second authentication level at which the first resource is not accessible; determine, by the computer system, that the received second request is an event for reducing the authentication level for the computing device; modify, by the computer system, the authentication level of the single sign-on session for the computing device from the first authentication level to the second authentication level based on the determination of the event, wherein the access to the first resource by the user at the computing device is prevented by modifying the authentication level of the single sign-on session to the second authentication level; and send, by th
Assignees
Inventors
Classifications
using passwords (cryptographic mechanisms or cryptographic arrangements for entity authentication using a predetermined code H04L9/3226) · CPC title
Entity profiles · CPC title
User authentication · CPC title
to a system of files or objects, e.g. local or distributed file system or database · CPC title
- H04L63/105Primary
Multiple levels of security · CPC title
Patent family
Related publications grouped by family.
External sources
Frequently asked questions
Answers are generated from the same data shown on this page.
- What does patent US10257205B2 cover?
- Techniques are disclosed to modify the authentication level of a session providing access to resources. In some embodiments, an access management system is configurable to enable voluntary (e.g., request by a user) or involuntary (e.g., by the access management system) reduce, or “step-down” the authentication level for a session if a lower authentication level exists. For example, an access ma…
- Who is the assignee on this patent?
- Oracle Int Corp
- What technology area does this patent fall under?
- Primary CPC classification H04L63/105. Mapped technology areas include Electricity.
- When was this patent published?
- Publication date Tue Apr 09 2019 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.
- What related patents are in patentsdb?
- We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).