Title: Access management system using trusted partner tokens
Abstract: A method of using an access manager server to establish a communication session between a resource and a user device may include receiving a request from the user device to access the resource, determining that a client system that controls access to the resource is registered as a trusted partner, and sending the client system a first encrypted token that includes a resource identifier, where the client system has access to a first cryptographic key that decrypts the first encrypted token. The method may also include receiving a second encrypted token that signifies that access to the resource has been granted by the client system, where the second token comprises a user identifier and the access manager server has access to a second cryptographic key that decrypts the second token. The method may additionally include decrypting the second token and establishing the communication session between the user device and the resource using the user identifier.
Publication number: US8856517 (B2)    Publication date: 2014.10.07
Application number: US201213686543    Filing date: 2012.11.27
Applicant: Oracle International Corporation    Inventors: Balakrishnan Aarathi; Chathath Vikas Pooven; Martin Madhu
Classification: H04L9/32    Main classification: H04L9/32
Agent: Kilpatrick Townsend & Stockton LLP    Attorney: Kilpatrick Townsend & Stockton LLP
Independent claim 1. A method of using an access manager to establish a communication session between a resource and a user device, the method comprising:
  receiving, by the access manager, and from the client system, a registration transmission comprising a client system identifier, wherein:
    the client system comprises a software module that is a part of an Enterprise Software System (ESS); and
    the access manager server is a part of the same ESS;
  registering the client system with the access manager as a trusted partner to indicate that future authentications by the trusted partner within the ESS do not require a trusted third party, wherein the registering comprises:
    sending a first cryptographic key to the client system; and
    storing, at the access manager:
      a second cryptographic key that is assigned to the client system;
      a trusted partner authentication scheme for the client system; and
      a trusted partner identifier that identifies the client system;
  receiving, by the access manager, and from the user device, a request to access the resource, wherein access to the resource is controlled at least in part by the client system;
  determining, by the access manager, that the client system is part of the ESS and registered with the access manager as a trusted partner;
  determining the trusted partner identifier for the client system;
  accessing the second cryptographic key using the trusted partner identifier;
  encrypting, by the access manager, a first encrypted token using the second cryptographic key, wherein:
    encrypting the first encrypted token using the second cryptographic key indicates to the client system that the access manager is a trusted partner; and
    the first encrypted token comprises a resource identifier that identifies the resource; and
  sending, to the client system, and from the access manager, the first encrypted token;
  receiving, by the access manager, and from the client device, a second encrypted token comprising a user identifier, wherein:
    the second encrypted token signifies that the client system requested, received, and authenticated user credentials directly from the user device and that access to the resource has been granted by the client system; and
    the user credentials are requested, received, and authenticated by the client system transparently such that the user device is not aware that an entity other than the access manager requested, received, and authenticated the user credentials;
  determining whether the second encrypted token is received from a trusted partner by attempting to decrypt the second encrypted token using the second cryptographic key; and
  if it is determined that the second encrypted token is received from a trusted partner, establishing, by the access manager, the communication session between the user device and the resource by asserting the user identifier.
Address: Redwood Shores, CA, US
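The abstract and claim 1 above describe a two-token exchange: the access manager issues a first token (resource identifier) to a registered trusted partner, the partner authenticates the user itself and returns a second token (user identifier), and the access manager decides the second token came from a trusted partner by "attempting to decrypt" it. The following is an added worked example of that exchange; it is not Oracle's code and not the implementation the patent describes. It makes assumptions the patent does not state: each partner gets two symmetric keys at registration, one per direction (the "first" key decrypts the token sent to the partner, the "second" key decrypts the token coming back); tokens use an encrypt-then-MAC construction built from HMAC-SHA256 as a stdlib-only stand-in for an AEAD such as AES-GCM, because with an unauthenticated cipher decryption always "succeeds" and the claim's trust decision would be meaningless; and the second token must echo a fresh nonce from the first token and carry an expiry, so a captured second token cannot be replayed to mint further sessions. The partner name hr-portal, the user alice, the resource /hr/payslips and the clock value are constructed for the example.

```python
import hashlib
import hmac
import json
import os
import secrets
from typing import Optional

TOKEN_TTL = 300  # seconds a first token stays redeemable (assumed value, not from the patent)


def _derive(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys from one registration key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 as a PRF in counter mode: stdlib stand-in for a real AEAD (e.g. AES-GCM).
    blocks, ctr = [], 0
    while 32 * len(blocks) < n:
        blocks.append(hmac.new(enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest())
        ctr += 1
    return b"".join(blocks)[:n]


def seal(key: bytes, claims: dict) -> bytes:
    """Encrypt-then-MAC a JSON claim set; layout is nonce(16) || ciphertext || tag(32)."""
    nonce = os.urandom(16)
    pt = json.dumps(claims, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(_derive(key, b"enc"), nonce, len(pt))))
    tag = hmac.new(_derive(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_token(key: bytes, token: bytes) -> Optional[dict]:
    """Return the claims, or None if the token was not sealed under `key` or was altered."""
    if len(token) < 48:
        return None
    nonce, ct, tag = token[:16], token[16:-32], token[-32:]
    expected = hmac.new(_derive(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # this is the detectable "decryption failure" the trust decision needs
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(_derive(key, b"enc"), nonce, len(ct))))
    try:
        claims = json.loads(pt)
    except ValueError:
        return None
    return claims if isinstance(claims, dict) else None


class AccessManager:
    def __init__(self):
        self.partners = {}  # trusted partner id -> keys and authentication scheme
        self.pending = {}   # nonce -> (partner id, resource id, expiry) for issued first tokens
        self.sessions = {}  # session id -> asserted user and resource

    def register_trusted_partner(self, client_id: str):
        # Registration: the first key is sent to the client system, the second is assigned to it
        # and stored here. Assumption: both keys are delivered to the partner at registration.
        key_to_partner, key_from_partner = secrets.token_bytes(32), secrets.token_bytes(32)
        self.partners[client_id] = {"to": key_to_partner, "from": key_from_partner, "scheme": "TrustedPartner"}
        return key_to_partner, key_from_partner

    def request_access(self, client_id: str, resource_id: str, now: int) -> bytes:
        # User device asks for the resource; only a registered trusted partner receives a first token.
        partner = self.partners.get(client_id)
        if partner is None:
            raise PermissionError("client system is not a registered trusted partner")
        nonce = secrets.token_hex(16)
        self.pending[nonce] = (client_id, resource_id, now + TOKEN_TTL)
        return seal(partner["to"], {"resource": resource_id, "nonce": nonce, "exp": now + TOKEN_TTL})

    def establish_session(self, client_id: str, second_token: bytes, now: int) -> Optional[str]:
        partner = self.partners.get(client_id)
        claims = open_token(partner["from"], second_token) if partner else None
        if claims is None:
            return None  # did not verify under the partner's key: not from a trusted partner
        nonce = claims.get("nonce")
        pending = self.pending.pop(nonce, None) if isinstance(nonce, str) else None
        if pending is None:
            return None  # unknown nonce, or one already redeemed (replay of the second token)
        pend_client, resource_id, exp = pending
        if (pend_client != client_id or now > exp or claims.get("resource") != resource_id
                or claims.get("granted") is not True or not isinstance(claims.get("user"), str)):
            return None
        session_id = secrets.token_hex(8)
        self.sessions[session_id] = {"user": claims["user"], "resource": resource_id}  # assert identity
        return session_id


class TrustedPartner:
    """Client system inside the ESS that authenticates the user itself and grants access."""

    def __init__(self, client_id: str, key_to_partner: bytes, key_from_partner: bytes, users: dict):
        self.client_id, self.k_in, self.k_out = client_id, key_to_partner, key_from_partner
        self.users = {u: hashlib.sha256(p.encode()).digest() for u, p in users.items()}  # constructed store

    def grant(self, first_token: bytes, user: str, password: str, now: int) -> Optional[bytes]:
        req = open_token(self.k_in, first_token)
        if req is None or not isinstance(req.get("exp"), int) or now > req["exp"] \
                or "resource" not in req or "nonce" not in req:
            return None  # first token not from the access manager, malformed, or stale
        stored = self.users.get(user)
        if stored is None or not hmac.compare_digest(stored, hashlib.sha256(password.encode()).digest()):
            return None  # credentials rejected: no second token is issued
        return seal(self.k_out, {"user": user, "resource": req["resource"], "nonce": req["nonce"], "granted": True})


def demo() -> dict:
    now = 1_700_000_000  # constructed clock value
    am = AccessManager()
    k1, k2 = am.register_trusted_partner("hr-portal")
    hr = TrustedPartner("hr-portal", k1, k2, {"alice": "correct-horse"})
    t1 = am.request_access("hr-portal", "/hr/payslips", now)   # first token: resource identifier
    t2 = hr.grant(t1, "alice", "correct-horse", now)            # second token: user identifier
    sid = am.establish_session("hr-portal", t2, now)
    results = {"session": am.sessions.get(sid)}
    results["replay"] = am.establish_session("hr-portal", t2, now)  # same second token presented twice
    results["bad_password"] = hr.grant(am.request_access("hr-portal", "/hr/payslips", now), "alice", "nope", now)
    forged = seal(secrets.token_bytes(32), {"user": "alice", "resource": "/hr/payslips", "nonce": "x", "granted": True})
    results["forged"] = am.establish_session("hr-portal", forged, now)  # wrong key: rejected as untrusted
    try:
        am.request_access("rogue-app", "/hr/payslips", now)
        results["unregistered_rejected"] = False
    except PermissionError:
        results["unregistered_rejected"] = True
    return results
```

The replay and forged-token cases are the checks a reviewer would ask for beyond the claim's wording: the claim only ties trust to a successful decryption, so the construction must authenticate the token (otherwise any byte string "decrypts"), and the second token must be bound to a one-time nonce from the first token so that a token captured on the wire cannot be redeemed again.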