Restricting access for a single sign-on (SSO) session

US10693859B2 · US · B2

Patent metadata

Field                Value
Publication number   US-10693859-B2
Application number   US-201514814209-A
Country              US
Kind code            B2
Filing date          Jul 30, 2015
Priority date        Jul 30, 2015
Publication date     Jun 23, 2020
Grant date           Jun 23, 2020

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Techniques are disclosed for restricting access to resources accessible in an SSO session. An access management system may provide access to one or more resources by implementing an SSO system to provide an SSO session. An SSO session may provide an authenticated user with access to the protected resources to which the user is entitled. In some instances, a user sharing a computer with other users may want to access a particular protected resource while restricting the other users of that computer from accessing the other protected resources that would be reachable to the user in an SSO session. The access management system may enable the user to dynamically choose, such as during login, which protected resources to restrict and/or permit. Upon successful authentication, a session may be established for only those protected resources that are permitted based on the user's selection, while the other resources are restricted.

First claim

Opening claim text (preview).

What is claimed is:

1. A method comprising: receiving, by a computer system from a client device operated by a first user, a request to access a first resource; requesting, by the computer system, credential data from the first user to access the first resource; in response to the request for the credential data, receiving, by the computer system from the client device operated by the first user, the credential data and scope information for establishing a session, wherein the scope information is provided by the first user and defines a first group of resources that are accessible by the client device during the session and/or a second group of resources that are restricted from access by the client device during the session, and wherein the first group of resources includes the first resource that the first user is requesting to access; determining, by the computer system, that the credential data for the first user is valid; in response to determining the credential data is valid, establishing, by the computer system, the session with the client device; determining, by the computer system, a scope of authentication for the session based on the scope information provided by the first user; configuring, by the computer system, the session for the client device based on the scope of authentication, wherein the session is configured to allow the client device to access the first group of resources during the session and/or restrict the client device from accessing the second group of resources during the session; determining, by the computer system, that the first user operating the client device is authorized to access the first resource based on the configuration of the session; and in response to determining the first user operating the client device is authorized to access the first resource, sending, by the computer system, an authorization message to the client device to allow the first user to access the first resource.

2. The method of claim 1, further comprising: upon configuring the session for the client device, receiving, by the computer system from the client device operated by a second user, a request to access a second resource within the session, wherein the second user is the same as or different from the first user; determining, by the computer system, that the second user operating the client device is not authorized to access the second resource based on the configuration of the session, wherein the second group of resources includes the second resource that the second user is requesting to access; and in response to determining the second user operating the client device is not authorized to access the second resource, sending, by the computer system, an authorization message to the client device to deny the second user access to the second resource.

3. The method of claim 2, wherein the first resource corresponds to a first application and the second resource corresponds to a second application.

4. The method of claim 2, wherein at least one of the first resource or the second resource is identified by a uniform resource identifier (URI).

5. The method of claim 1, wherein the session is a single-sign-on (SSO) session.

6. The method of claim 1, wherein the scope information is provided by the first user in an interface provided by the client device, and wherein the interface includes one or more interactive elements to enable the first user to define the first group of resources and the second group of resources.

7. A system comprising: a memory; and one or more processors coupled to the memory and configured to: receive, from a client device operated by a first user, a request to access a first resource; request credential data from the first user to access the first resource; in response to the request for the credential data, receive, from the client device operated by the first user, the credential data and scope information for establishing a session, wherein the scope information is provided by the first user and defines a first group of resources that are accessible by the client device during the session and/or a second group of resources that are restricted from access by the client device during the session, and wherein the first group of resources includes the first resource that the first user is requesting to access; determine that the credential data for the first user is valid; in response to determining the credential data is valid, establish the session with the client device; determine a scope of authentication for the session based on the scope information provided by the first user; configure the session for the client device based on the scope of authentication, wherein the session is configured to allow the client device to access the first group of resources during the session and/or restrict the client device from accessing the second group of resources during the session; determine that the first user operating the client device is authorized to access the first resource based on the configuration of the session; and in response to determining the first user operating the client device is authorized to access the first resource, send an authorization message to the client device to allow the first user to access the first resource.

8. The system of claim 7, wherein the one or more processors are further configured to: upon configuring the session for the client device, receive, from the client device operated by a second user, a request to access a second resource within the session, wherein the second user is the same as or different from the first user; determine that the second user operating the client device is not authorized to access the second resource based on the configuration of the session, wherein the second group of resources includes the second resource that the second user is requesting to access; and in response to determining the second user operating the client device is not authorized to access the second resource, send an authorization message to the client device to deny the second user access to the second resource.

9. The system of claim 7, wherein the scope information is provided by the first user in an interface provided by the client device, and wherein the interface includes one or more interactive elements to enable the first user to define the first group of resources and the second group of resources.

10. The system of claim 7, wherein the session is a single-sign-on (SSO) session.

11. A non-transitory computer-readable medium storing a set of instructions that are executable by one or more processors to: receive, from a client device operated by a first user, a request to access a first resource; request credential data from the first user to access the first resource; in response to the request for the credential data, receive, from the client device operated by the first user, the credential data and scope information for establishing a session, wherein the scope information is provided by the first user and defines a first group of resources that are accessible by the client device during the session and/or a second group of resources that are restricted from access by the client device during the session, and wherein the first group of resources includes the first resource that the first user is requesting to access; determine that the credential data for the first user is valid; in response to determining the credential data is valid, establish the session with the client device; determine a scope of authentication for the session based on the scope information provided by the first user; configure the session for the client device based on the scope of authentication, wherein the session is configured to allow the
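The abstract and claims 1 and 2 describe one mechanism: at login the user sends credentials plus scope information (an allow list and/or a deny list of resources), the server validates the credentials, establishes the session, fixes the session's scope of authentication from that information, and then decides every later request against the session's scope rather than the user's full entitlements, so that a second person at the same shared computer is denied the restricted resources even though the logged-in user would normally be entitled to them. The following Python sketch is an added illustration of that flow; it is not code from the patent or from the assignee. The user record, the password store, the resource URIs and the prefix-matching rule for URIs ending in "/" are all constructed assumptions, and it goes slightly beyond the claim text by enforcing that a user-supplied scope can only narrow, never widen, what the user is entitled to, and by expiring the session (the page's "valid for a limited amount of time" classification).

```python
"""Scoped SSO session: the user narrows the session's reach at login.

Added illustration, not code from the patent or its assignee. Users,
passwords, resource URIs and the matching rule are constructed sample data.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample data: one user, a salted password hash, and the protected
# resources (URIs) that her entitlements normally cover.
_SALT = b"constructed-demo-salt"
USERS = {
    "alice": {
        "pw_hash": _hash_password("correct horse battery", _SALT),
        "entitled": frozenset({
            "https://mail.example/",        # trailing "/" covers everything beneath
            "https://wiki.example/",
            "https://hr.example/payroll",   # no trailing "/": exact match only
        }),
    }
}


@dataclass(frozen=True)
class Session:
    user: str
    allowed: frozenset      # the scope of authentication fixed at login
    restricted: frozenset   # resources explicitly denied for this session
    expires_at: float


SESSIONS: dict = {}  # token -> Session; an in-memory session store for the demo


class AuthError(Exception):
    pass


def _matches(resource: str, pattern: str) -> bool:
    """Assumed URI rule: a pattern ending in '/' is a prefix, otherwise exact."""
    return resource == pattern or (pattern.endswith("/") and resource.startswith(pattern))


def login(user, password, allowed=(), restricted=(), ttl=900, now=time.time):
    """Validate credentials plus the user-supplied scope; return a session token.

    The scope may only narrow the user's entitlements: an allow list naming an
    unentitled resource, or a resource present in both lists, is rejected.
    """
    rec = USERS.get(user)
    # Compare against a dummy hash for unknown users so timing stays uniform.
    expected = rec["pw_hash"] if rec else _hash_password("", _SALT)
    if not hmac.compare_digest(_hash_password(password, _SALT), expected) or rec is None:
        raise AuthError("invalid credentials")
    allowed, restricted = frozenset(allowed), frozenset(restricted)
    if not allowed <= rec["entitled"]:
        raise AuthError("scope names a resource the user is not entitled to")
    if allowed & restricted:
        raise AuthError("a resource cannot be both allowed and restricted")
    if not allowed:  # only a deny list was given: the rest of the entitlements stay reachable
        allowed = rec["entitled"] - restricted
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = Session(user, allowed, restricted, now() + ttl)
    return token


def authorize(token, resource, now=time.time) -> str:
    """Per-request decision: expired/unknown -> deny, restricted -> deny,
    allowed -> allow, anything else -> deny.

    Only the session's scope is consulted, never the user's full entitlement
    set, so whoever is at the keyboard gets exactly what was scoped at login.
    """
    session = SESSIONS.get(token)
    if session is None or now() > session.expires_at:
        return "deny"
    if any(_matches(resource, p) for p in session.restricted):
        return "deny"
    if any(_matches(resource, p) for p in session.allowed):
        return "allow"
    return "deny"
```

A deny list alone leaves every other entitled resource reachable (the "and/or" in claim 1); an allow list alone implicitly restricts everything not named. Widening a session after login is deliberately impossible here: to reach a restricted resource the user re-authenticates with a new scope, which is the point of the shared-computer scenario in the abstract.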

Assignees

Oracle Int Corp

Classifications

  • H04L63/0815 · providing single-sign-on or federations · CPC title

  • Entity profiles · CPC title

  • when the policy decisions are valid for a limited amount of time · CPC title

  • H04L63/101 (marked primary in the classification list) · Access control lists [ACL] · CPC title

  • in which an application is distributed across nodes in the network (software deployment G06F8/60; multiprogramming arrangements G06F9/46) · CPC title


Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US10693859B2 cover?
Techniques are disclosed for restricting access to resources accessible in a SSO session. An access management system may provide access one or more resources by implementing an SSO system to provide a SSO session. An SSO session may provide an authenticated user with access to protected resources to which the user is entitled to access. In some instances, a user sharing a computer with other u…
Who is the assignee on this patent?
Oracle Int Corp
What technology area does this patent fall under?
Primary CPC classification H04L63/0815. Mapped technology areas include Electricity.
When was this patent published?
Publication date Jun 23, 2020 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).