Authorization and access control system for access rights using relationship graphs
US-2024414161-A1 · Dec 12, 2024 · US
US2024333717A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2024333717-A1 |
| Application number | US-202418438095-A |
| Country | US |
| Kind code | A1 |
| Filing date | Feb 9, 2024 |
| Priority date | Oct 10, 2019 |
| Publication date | Oct 3, 2024 |
| Grant date | — |
Official abstract text for this publication.
A system and method for authenticating users of a data processing platform stores a mapping of a unique user platform identifier to multiple user identity provider identifiers associated with multiple realms for a same user. In some examples, the method includes receiving a request from a client device to establish an access session to perform one or more actions on data of the data processing platform and receiving, from at least one of the first external identity provider of the first realm or the second external identity provider of the second realm, a user identity provider identifier associated with the request. In certain examples, the method includes granting permission to perform the one or more actions on the data of the data processing platform based at least in part on the received user identity provider identifier.
Opening claim text (preview).
1.-20. (canceled)

21. A method for authenticating users of a data processing platform comprising: receiving a request from a user to establish an access session to perform one or more actions on data of the data processing platform; receiving, from at least one of a first identity provider of a first realm or a second identity provider of a second realm, a user identity provider identifier corresponding to the request; based on the received user identity provider identifier, determining a user platform identifier by matching the received user identity provider identifier to at least one of a first user identity provider identifier assigned by the first identity provider of the first realm for the user or a second user identity provider identifier assigned by the second identity provider of the second realm for the user, wherein the user platform identifier is mapped to both the first user identity provider identifier and the second user identity provider identifier; evaluating first permission data associated with the first user identity provider identifier and second permission data associated with the second user identity provider identifier to resolve a conflict, wherein the first identity provider is associated with a first priority and the second identity provider is associated with a second priority different from the first priority; generating merged permission data for the unique user platform identifier based on the evaluation; and granting permission to perform the one or more actions on the data of the data processing platform using the received user identity provider identifier and the merged permission data; wherein the method is performed by one or more processors.

22. The method of claim 21, wherein each of the first realm and the second realm is a source of users or groups of users provided by the first identity provider and the second identity provider, respectively.

23. The method of claim 21, wherein the request includes the user identity provider identifier and a data resource identifier of a data resource associated with the data processing platform.

24. The method of claim 21, further comprising: generating a mapping of the user platform identifier to both of the first user identity provider identifier and the second user identity provider identifier for the user using a data mapping structure, wherein the data mapping structure comprises the unique user platform identifier, the first user identity provider identifier, and the second user identity provider identifier.

25. The method of claim 24, wherein the generating a mapping of the user platform identifier comprises creating the unique user platform identifier as mapped to both of the first user identity provider identifier associated with the first identity provider of the first realm and the second user identity provider identifier associated with the second identity provider of the second realm.

26. The method of claim 24, wherein the generating a mapping of the user platform identifier comprises: assigning a first user platform identifier to the first user identity provider identifier associated with the first identity provider of the first realm and assigning a second user platform identifier to the second user identity provider identifier associated with the second identity provider; linking the first user platform identifier to the second user platform identifier to link the first permission data with the second permission data; and using at least one of either of the linked first user platform identifier or the second user platform identifier to grant permission to perform the one or more actions on the data.

27. The method of claim 21, wherein the generating merged permission data for the unique user platform identifier based on the evaluation includes if the first priority is higher than the second priority, generating the merged permission data using the first permission data.

28. The method of claim 21, further comprising: assigning a timeout period to at least one selected from a group consisting of the first permission data associated with the first user identity provider identifier and the second permission data associated with the second user identity provider identifier.

29. A system for authenticating users of a data processing platform comprising: one or more processors; and a memory comprising stored executable instructions that when executed by the one or more processors cause the one or more processors to perform operations comprising: receiving a request from a user to establish an access session to perform one or more actions on data of the data processing platform; receiving, from at least one of a first identity provider of a first realm or a second identity provider of a second realm, a user identity provider identifier corresponding to the request; based on the received user identity provider identifier, determining a user platform identifier by matching the received user identity provider identifier to at least one of a first user identity provider identifier assigned by the first identity provider of the first realm for the user or a second user identity provider identifier assigned by the second identity provider of the second realm for the user, wherein the user platform identifier is mapped to both the first user identity provider identifier and the second user identity provider identifier; evaluating first permission data associated with the first user identity provider identifier and second permission data associated with the second user identity provider identifier to resolve a conflict, wherein the first identity provider is associated with a first priority and the second identity provider is associated with a second priority different from the first priority; generating merged permission data for the unique user platform identifier based on the evaluation; and granting permission to perform the one or more actions on the data of the data processing platform using the received user identity provider identifier and the merged permission data.

30. The system of claim 29, wherein each of the first realm and the second realm is a source of users or groups of users provided by the first identity provider and the second identity provider, respectively.

31. The system of claim 29, wherein the request includes the user identity provider identifier and a data resource identifier of a data resource associated with the data processing platform.

32. The system of claim 29, wherein the operations further comprise: generating a mapping of the user platform identifier to both of the first user identity provider identifier and the second user identity provider identifier for the user using a data mapping structure, wherein the data mapping structure comprises the unique user platform identifier, the first user identity provider identifier, and the second user identity provider identifier.

33. The system of claim 32, wherein the generating a mapping of the user platform identifier comprises creating the unique user platform identifier as mapped to both of the first user identity provider identifier associated with the first identity provider of the first realm and the second user identity provider identifier associated with the second identity provider of the second realm.

34. The system of claim 32, wherein the generating a mapping of the user platform identifier comprises: assigning a first user platform identifier to the first user identity provider identifier associated with the first identity provider of the first realm and assigning a second user platform i
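The mechanism the claims describe (one unique user platform identifier mapped to several IdP identifiers from different realms, permission data merged by realm priority when the realms disagree, and an optional timeout on a realm's permission data) can be modelled compactly. The following is an added illustration written for this page; it is not code from the patent, its applicant, or any product. The class and function names (`IdentityMap`, `PermissionData`, `merge_permissions`, `authorize`), the per-(resource, action) allow/deny representation, the default-deny rule for actions no realm decides, and the sample realms and users in `build_demo` are all assumptions constructed here.

```python
"""Model of multi-realm identity mapping with priority-based permission merging.

Added example for this page; names, data shapes and sample data are assumptions,
not the patent's own implementation.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

Key = Tuple[str, str]  # (resource identifier, action)


@dataclass(frozen=True)
class IdpIdentity:
    """A user identity provider identifier, qualified by the realm that issued it."""
    realm: str
    idp_user_id: str


@dataclass
class PermissionData:
    """Permission data one realm holds for a user (assumed shape).

    priority: higher value wins when two realms decide the same (resource, action).
    decisions: explicit "allow"/"deny" per (resource, action).
    expires_at: optional timeout for this realm's permission data; None = no timeout.
    """
    priority: int
    decisions: Dict[Key, str]
    expires_at: Optional[float] = None


class IdentityMap:
    """Data mapping structure: unique platform identifier <-> many IdP identifiers."""

    def __init__(self) -> None:
        self._platform_of: Dict[IdpIdentity, str] = {}
        self._identities_of: Dict[str, set] = {}

    def link(self, platform_id: str, identity: IdpIdentity) -> None:
        # An IdP identifier must map to exactly one platform identifier; refusing to
        # re-link prevents one realm's identifier from silently inheriting another
        # platform user's permissions.
        existing = self._platform_of.get(identity)
        if existing is not None and existing != platform_id:
            raise ValueError(f"{identity} already mapped to {existing}")
        self._platform_of[identity] = platform_id
        self._identities_of.setdefault(platform_id, set()).add(identity)

    def resolve(self, identity: IdpIdentity) -> Optional[str]:
        return self._platform_of.get(identity)

    def identities_of(self, platform_id: str) -> FrozenSet[IdpIdentity]:
        return frozenset(self._identities_of.get(platform_id, ()))


def merge_permissions(perms: List[PermissionData], now: float) -> Dict[Key, str]:
    """Per (resource, action), the highest-priority unexpired realm with a decision wins."""
    live = [p for p in perms if p.expires_at is None or p.expires_at > now]
    merged: Dict[Key, str] = {}
    for p in sorted(live, key=lambda p: p.priority, reverse=True):
        for key, decision in p.decisions.items():
            merged.setdefault(key, decision)  # first writer = highest priority
    return merged


def authorize(identity_map: IdentityMap, store: Dict[IdpIdentity, PermissionData],
              identity: IdpIdentity, resource: str, action: str, now: float) -> bool:
    """Grant or refuse one action using the merged permission data of the platform user."""
    platform_id = identity_map.resolve(identity)
    if platform_id is None:
        return False  # IdP identifier unknown to the platform: no session
    perms = [store[i] for i in identity_map.identities_of(platform_id) if i in store]
    merged = merge_permissions(perms, now)
    return merged.get((resource, action)) == "allow"  # undecided actions are denied


def build_demo() -> Tuple[IdentityMap, Dict[IdpIdentity, PermissionData]]:
    """Constructed sample: one user known to a 'corp' realm and a 'partner' realm."""
    corp = IdpIdentity("corp", "bob")
    partner = IdpIdentity("partner", "bob@partner.example")
    identity_map = IdentityMap()
    identity_map.link("plat-0001", corp)
    identity_map.link("plat-0001", partner)
    store = {
        # corp realm has the higher priority and explicitly denies writes
        corp: PermissionData(priority=10, decisions={
            ("dataset/sales", "read"): "allow",
            ("dataset/sales", "write"): "deny",
        }),
        # partner realm would allow writes, and its hr access times out at t=200
        partner: PermissionData(priority=5, decisions={
            ("dataset/sales", "read"): "allow",
            ("dataset/sales", "write"): "allow",
            ("dataset/hr", "read"): "allow",
        }, expires_at=200.0),
    }
    return identity_map, store


if __name__ == "__main__":
    m, s = build_demo()
    partner = IdpIdentity("partner", "bob@partner.example")
    print("write sales via partner login:", authorize(m, s, partner, "dataset/sales", "write", 100.0))
    print("read hr at t=100:", authorize(m, s, partner, "dataset/hr", "read", 100.0))
    print("read hr at t=300:", authorize(m, s, partner, "dataset/hr", "read", 300.0))
```

The point the model makes explicit: once two IdP identifiers are linked to one platform identifier, the realm the user happened to sign in through does not change the answer, because authorization is evaluated against the merged permission data of the platform identity. The higher-priority realm's deny therefore overrides the lower-priority realm's allow even when the session was established via the lower-priority realm, and permission data past its timeout simply drops out of the merge.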
CPC classification titles:

- when the policy decisions are valid for a limited amount of time
- by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
- based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
- providing single-sign-on or federations
- using different networks or channels, e.g. using out of band channels (cryptographic mechanisms or cryptographic arrangements for key distribution involving distinctive intermediate devices or communication paths H04L9/0827; cryptographic mechanisms or cryptographic arrangements for authentication using a plurality of channels H04L9/3215)