Systems and method for authenticating users of a data processing platform from multiple identity providers

US11303644B2 · US · B2

Patent metadata

Publication number: US-11303644-B2
Application number: US-201916662466-A
Country: US
Kind code: B2
Filing date: Oct 24, 2019
Priority date: Oct 10, 2019
Publication date: Apr 12, 2022
Grant date: Apr 12, 2022

Abstract

A system and method for authenticating users of a data processing platform stores a mapping of a unique user platform identifier to multiple user identity provider identifiers associated with multiple realms for a same user. In some examples, the method includes receiving a request from a client device to establish an access session to perform one or more actions on data of the data processing platform and receiving, from at least one of the first external identity provider of the first realm or the second external identity provider of the second realm, a user identity provider identifier associated with the request. In certain examples, the method includes granting permission to perform the one or more actions on the data of the data processing platform based at least in part on the received user identity provider identifier.

First claim

What is claimed is:

1. A method for authenticating users of a data processing platform comprising: storing a mapping of a unique user platform identifier to at least both of a first user identity provider identifier associated with a first external identity provider of a first realm and a second user identity provider identifier associated with a second external identity provider of a second realm for a same user using a multi-realm single user database, the multi-realm single user database comprising a data mapping structure, the data mapping structure comprising the unique user platform identifier, the first user identity provider identifier, and the second user identity provider identifier, the first user identity provider identifier being associated with first permission data, the second user identity provider identifier being associated with second permission data different from the first permission data; receiving a request from a client device to establish an access session to perform one or more actions on data of the data processing platform; receiving, from at least one of the first external identity provider of the first realm or the second external identity provider of the second realm, a user identity provider identifier associated with the request; generating merged permission data using the first permission data and the second permission data; granting permission to perform the one or more actions on the data of the data processing platform using the received user identity provider identifier and the merged permission data; wherein the method is carried out by one or more processors.

2. The method of claim 1 wherein the granting permission to perform the one or more actions on the data of the data processing platform comprises: determining if the received user identity provider identifier associated with the request matches either of the first user identity provider identifier or the second user identity provider identifier mapped to the unique user platform identifier and if so, using the unique user platform identifier for granting permissions to resources of the data processing platform during the access session.

3. The method of claim 2 wherein the storing a mapping of a unique user platform identifier comprises creating the unique user platform identifier as mapped to both the at least first user identity provider identifier associated with the first external identity provider of the first realm and the at least second user identity provider identifier associated with the second external identity provider of the second realm.

4. The method of claim 1 wherein the storing a mapping of a unique user platform identifier comprises: assigning a first user platform identifier to the first user identity provider identifier associated with the first external identity provider of the first realm and assigning a second user platform identifier to the second user identity provider identifier associated with the second external identity provider; linking the first user platform identifier to the second user platform identifier to link the first permission data with the second permission data; and using at least one of either of the linked first user platform identifier or the second user platform identifier to grant permission to perform the one or more actions on the data.

5. The method of claim 1 wherein the generating merged permission data based at least in part upon the first permission data and the second permission data comprises: evaluating the first permission data associated with the first user identity provider identifier and the second permission data associated with the second user identity provider identifier; and resolving a conflict among the first permission data and the second permission data for the request to generate the merged permission data.

6. The method of claim 1 further comprising assigning a timeout period to at least one selected from a group consisting of the first permission data associated with the first user identity provider identifier and the second permission data associated with the second user identity provider identifier.

7. A system for authenticating users of a data processing platform comprising: one or more processors; and memory comprising stored executable instructions that when executed by the one or more processors causes the one or more processors to: store a mapping of a unique user platform identifier to at least both of a first user identity provider identifier associated with a first external identity provider of a first realm and a second user identity provider identifier associated with a second external identity provider of a second realm for a same user using a multi-realm single user database, the multi-realm single user database comprising a data mapping structure, the data mapping structure comprising the unique user platform identifier, the first user identity provider identifier, and the second user identity provider identifier, the first user identity provider identifier being associated with first permission data, the second user identity provider identifier being associated with second permission data different from the first permission data; receive a request from a client device to establish an access session to perform one or more actions on data of the data processing platform; receive, from at least one of the first external identity provider of the first realm or the second external identity provider of the second realm, a user identity provider identifier associated with the request; generate merged permission data using the first permission data and the second permission data; and grant permission to perform the one or more actions on the data of the data processing platform using the received user identity provider identifier and the merged permission data.

8. The system of claim 7 wherein the memory comprises stored executable instructions that when executed by the one or more processors causes the one or more processors to: grant permission to perform the one or more actions on the data of the data processing platform by at least determining if the received user identity provider identifier associated with the request matches either of the first user identity provider identifier or the second user identity provider identifier mapped to the unique user platform identifier and if so, using the unique user platform identifier for granting permissions to resources of the data processing platform during the access session.

9. The system of claim 8 wherein the memory comprises stored executable instructions that when executed by the one or more processors causes the one or more processors to: store a mapping of a unique user platform identifier by creating the unique user platform identifier as mapped to both the at least first user identity provider identifier associated with the first external identity provider of the first realm and the at least second user identity provider identifier associated with the second external identity provider of the second realm.

10. The system of claim 7 wherein the memory comprises stored executable instructions that when executed by the one or more processors causes the one or more processors to: store a mapping of a unique user platform identifier by: assigning a first user platform identifier to the first user identity provider identifier associated with the first external identity provider of the first realm and assigning a second user platform identifier to the second user identity provider identifier associated with the second external identity provider; linking the first user platform identifier to the second user platform identifier to a the first permission data with th
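As an added illustration, not code from the patent or from the assignee, the following Python sketch models the multi-realm single user database the claims describe: one platform identifier mapped to identity-provider identifiers from two realms, each carrying its own permission data and an optional timeout (claims 1, 2 and 6), with merged permission data computed from both (claim 5). The claims do not fix a conflict-resolution rule; the deny-overrides rule used here, and the names RealmGrant, MultiRealmUserDB and authorize, are assumptions.

```python
import time
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class RealmGrant:
    """Permission data carried by one external IdP identifier for a user."""
    realm: str
    idp_user_id: str
    allow: dict = field(default_factory=dict)   # resource -> set of actions
    deny: dict = field(default_factory=dict)    # resource -> set of actions
    expires_at: Optional[float] = None          # timeout period, epoch seconds

class MultiRealmUserDB:
    """One platform user id mapped to identifiers from several realms (assumed design)."""
    def __init__(self):
        self.grants = {}   # platform_id -> list of RealmGrant
        self.index = {}    # (realm, idp_user_id) -> platform_id

    def link(self, platform_id, grant):
        key = (grant.realm, grant.idp_user_id)
        # An IdP identity may belong to exactly one platform user; refuse re-linking.
        if self.index.get(key, platform_id) != platform_id:
            raise ValueError(f"{key} is already linked to another platform user")
        self.index[key] = platform_id
        self.grants.setdefault(platform_id, []).append(grant)

    def resolve(self, realm, idp_user_id):
        """Does the identifier returned by an IdP match a mapped platform id?"""
        return self.index.get((realm, idp_user_id))

    def merged_permissions(self, platform_id, now=None):
        """Merge every realm's grant; a deny in any realm overrides an allow (assumed rule)."""
        now = time.time() if now is None else now
        allow, deny = {}, {}
        for g in self.grants.get(platform_id, []):
            if g.expires_at is not None and g.expires_at <= now:
                continue  # expired realm grant contributes nothing to the merge
            for res, acts in g.allow.items():
                allow.setdefault(res, set()).update(acts)
            for res, acts in g.deny.items():
                deny.setdefault(res, set()).update(acts)
        return {res: acts - deny.get(res, set()) for res, acts in allow.items()}

def authorize(db, realm, idp_user_id, resource, action, now=None):
    """Grant decision for a session request authenticated through one realm."""
    platform_id = db.resolve(realm, idp_user_id)
    if platform_id is None:
        return False  # unknown identity: no platform user, nothing granted
    return action in db.merged_permissions(platform_id, now).get(resource, set())
```

The sample identifiers used in any test of this sketch are constructed; the point to check is that a grant expiring in one realm changes the merged result without touching the mapping itself.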

Assignees

Palantir Technologies Inc

Classifications

Primary CPC classification: H04L63/102

  • providing single-sign-on or federations

  • Authentication, i.e. establishing the identity or authorisation of security principals

  • applying multi-factor authentication

  • Authentication

  • involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved (negotiation of communication capabilities H04L69/24)

Frequently asked questions

What does patent US11303644B2 cover?
A system and method for authenticating users of a data processing platform stores a mapping of a unique user platform identifier to multiple user identity provider identifiers associated with multiple realms for a same user. In some examples, the method includes receiving a request from a client device to establish an access session to perform one or more actions on data of the data processing …
Who is the assignee on this patent?
Palantir Technologies Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/102. Mapped technology areas include Electricity.
When was this patent published?
Publication date: Apr 12, 2022 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 5 related publications on this page (citations in our corpus or others sharing the same primary CPC).