Dynamic flow control for access managers

摘要

A master flow controller can branch to a dynamic flow controller for a specific event in an authentication process. The master flow controller saves the state of the plug-in execution before branching the control into the dynamic flow controller. All the attributes stored in the authentication context by the authentication plug-in is saved and synchronized before the control is branched to the child flow controller. After the dynamic flow controller finishes execution, the state information is synchronized between flow controllers.

主权项

1. A method for managing authentication flows within an access manager that protects access a resource, the method comprising:
receiving, at one or more computer systems, information indicative of an occurrence of a predetermined event in an authentication flow that generates a valid session when an entity has access to the resource; determining, with one or more processors associated with the one or more computer systems, which authentication plugin to a master authentication flow controller of the access manager is to handle the predetermined event in the authentication flow; generating, with one or more processors associated with the one or more computer systems, an authentication context at the master flow controller in response to an instruction from the determined authentication plugin, the authentication context of the master flow controller having first authentication information that forms part of the valid session; initiating, with the one or more processors associated with the one or more computer systems, a branch an authentication context at the master flow controller in response to an instruction from the determined authentication plugin, the authentication context of the master flow controller having first authentication information that forms part of the valid session; generating, with the one or more processors associated with the one or more computer systems, an authentication context at the determined authentication plugin, the authentication context having second authentication information that forms part of the valid session; merging, with the one or more processors associated with the one or more computer systems, the second authentication information into the authentication context at the master authentication flow controller; and resuming, with the one or more processors associated with the one or more computer systems, the authentication flow using the second authentication information merged into the authentication context at the master authentication flow controller with the first authentication information.