US11196733B2 - System and method for group of groups single sign-on demarcation based on first user login - Google Patents

System and method for group of groups single sign-on demarcation based on first user login Download PDF

Info

Publication number
US11196733B2
Authority
US
United States
Prior art keywords
group
management controller
token
user
single sign
Prior art date
Legal status
Active, expires
Application number
US15/891,815
Other versions
US20190245843A1 (en)
Inventor
Yee Ja
Marshal F. Savage
Cyril Jose
Srihari Srirangam
Anto DolphinJose Jesurajan Marystella
Farhan Mohammed Syed
Current Assignee
Dell Products LP
Original Assignee
Dell Products LP
Priority date
Filing date
Publication date
Application filed by Dell Products LP
Publication of US20190245843A1
Publication of US11196733B2
Application granted

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815: Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30: Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31: User authentication
    • G06F21/41: User authentication where a single sign-on provides access to a plurality of computers
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/104: Grouping of entities
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/107: Network architectures or network communication protocols for network security for controlling access to devices or network resources wherein the security policies are location-dependent, e.g. entities' privileges depend on current location or allowing specific operations only from locally connected terminals

Definitions

  • This disclosure relates generally to information handling systems and more particularly to systems and methods for single sign-on demarcation based on first user login.
  • An information handling system generally processes, compiles, stores, and/or communicates information or data for business, personal, or other purposes, thereby allowing users to take advantage of the value of the information.
  • Information handling systems may also vary regarding what information is handled, how the information is handled, how much information is processed, stored, or communicated, and how quickly and efficiently the information may be processed, stored, or communicated.
  • The variations in information handling systems allow for information handling systems to be general or configured for a specific user or specific use such as financial transaction processing, airline reservations, enterprise data storage, or global communications.
  • Information handling systems may include a variety of hardware and software components that may be configured to process, store, and communicate information and may include one or more computer systems, data storage systems, and networking systems.
  • A management controller may be a device, system, or apparatus for remote monitoring or management of an information handling system.
  • A management controller may be enabled to use a so-called ‘out-of-band’ network interface that is physically isolated from an ‘in-band’ network interface used generally for non-management communications.
  • The management controller may include, or be an integral part of, a baseboard management controller (BMC), a Dell Remote Access Controller (DRAC), or an Integrated Dell Remote Access Controller (iDRAC).
  • The management controller may be a secondary information handling system embedded in the information handling system.
  • A secondary information handling system, which may be in the form of a management controller, may communicate with other management controllers to form a local distributed computing node group.
  • The local distributed computing node group may be formed by exchanging public keys and Internet Protocol (IP) address information.
  • One or more management controllers may form another distributed computing node group, which may not be previously communicatively coupled to the management controllers in the local distributed computing node group.
  • Although the management controllers in the other distributed computing node group may perform functions related to those in the local distributed computing node group, the management controllers in the local distributed computing node group may not be able to communicate with the management controllers in the other distributed computing node group.
  • A user may log in to a plurality of management controllers in the local distributed computing node group and across the distributed computing group hierarchy.
  • Management controllers that are not in the local distributed computing node group may have privileges that are different than those in the local distributed computing node group.
  • A user account and the associated privilege levels may vary from one management controller to another. For example, a user account at a management controller that may not be in the local distributed computing node group may have privileges that are different than those in a local distributed computing node group.
  • The productivity of the user may be reduced by a need to enter the same user account credentials repeatedly to gain access to the management controllers.
  • A disclosed method for access in a management controller group hierarchy includes receiving a request for a user at an information handling system, determining whether a link of trust is established, and validating the single sign-on request.
  • The request may be to authenticate the user for access and may use a single sign-on token. Determining whether a link of trust is established may be based on an initial login location stored in the single sign-on token. Validating the single sign-on request may be based on a determination that the link of trust is established.
  • The method may include determining whether the initial login location corresponds to an initial information handling system in the same local group of the management controller group hierarchy as the information handling system that received the request, and granting the user full access based on a determination that the initial login location corresponds to an initial information handling system in the same local group of the management controller group hierarchy as the information handling system that received the request.
  • The method may include determining whether the initial login location is recognized and, based on a determination that the initial login location is not recognized, granting the user access to view information about an aggregate group in the management controller group hierarchy and denying the user access to the local group included in the aggregate group.
  • The aggregate group may include at least one local group of information handling systems.
  • The method may include receiving a request to elevate privileges of the user to enable access to a local group in the management controller group hierarchy, redirecting the request to a controlling member of the local group, and receiving a re-authenticated single sign-on token back from the controlling member of the local group.
  • The information handling system may not be in the local group.
  • The method may include determining whether the initial login location corresponds to an initial information handling system that manages an aggregate group in the management controller group hierarchy, and granting the user full access based on a determination that the initial login location corresponds to the initial information handling system that manages the aggregate group in the management controller group hierarchy.
  • The aggregate group may include the information handling system that received the request.
  • The information handling system that received the request may be in a local group that is part of the aggregate group.
  • Another disclosed aspect includes an information handling system, comprising a processor subsystem having access to a first memory, and a management controller comprising a secondary processor having access to a second memory, the second memory including an embedded storage partition and the second memory storing instructions executable by the secondary processor.
  • A further disclosed aspect includes a management controller for an information handling system having a primary processor and a primary memory, the management controller comprising a secondary processor having access to a second memory, the second memory including an embedded storage partition and the second memory storing instructions executable by the secondary processor.
  • An additional disclosed aspect includes an article of manufacture comprising a non-transitory computer-readable medium storing instructions executable by a secondary processor, while an information handling system comprises a processor subsystem and the secondary processor.
  • FIG. 1 is a block diagram of selected elements of an information handling system for single sign-on, in accordance with some embodiments of the present disclosure.
  • FIG. 2 is a block diagram of selected elements of a distributed computing node group for single sign-on, in accordance with some embodiments of the present disclosure.
  • FIG. 3 is a block diagram of selected elements of a distributed computing group hierarchy, in accordance with some embodiments of the present disclosure.
  • FIG. 4 is a block diagram of selected elements of a group of groups distributed computing group hierarchy, in accordance with some embodiments of the present disclosure.
  • FIG. 5A is a block diagram of selected elements of a single sign-on token, in accordance with some embodiments of the present disclosure.
  • FIG. 5B is a block diagram of selected elements of an encrypted payload, in accordance with some embodiments of the present disclosure.
  • FIG. 6 is a flow chart depicting selected elements of a method for configuring a group of groups distributed computing group hierarchy, in accordance with some embodiments of the present disclosure.
  • FIG. 7 is a flow chart depicting selected elements of a method for group of groups single sign-on demarcation based on first user login, in accordance with some embodiments of the present disclosure.
  • FIG. 8 is a flow chart depicting selected elements of a method for elevated privileges of single sign-on in a group of groups, in accordance with some embodiments of the present disclosure.
  • An information handling system may include an instrumentality or aggregate of instrumentalities operable to compute, classify, process, transmit, receive, retrieve, originate, switch, store, display, manifest, detect, record, reproduce, handle, or utilize various forms of information, intelligence, or data for business, scientific, control, entertainment, or other purposes.
  • An information handling system may be a personal computer, a PDA, a consumer electronic device, a network storage device, or another suitable device and may vary in size, shape, performance, functionality, and price.
  • The information handling system may include memory, one or more processing resources such as a central processing unit (CPU), or hardware or software control logic.
  • Additional components of the information handling system may include one or more storage devices, one or more communications ports for communicating with external devices, as well as various input and output (I/O) devices, such as a keyboard, a mouse, and a video display.
  • The information handling system may also include one or more buses operable to transmit communication between the various hardware components.
  • The information handling system may include firmware for controlling and/or communicating with, for example, hard drives, network circuitry, memory devices, I/O devices, and other peripheral devices.
  • Firmware includes software embedded in an information handling system component used to perform predefined tasks.
  • Firmware is commonly stored in non-volatile memory, or memory that does not lose stored data upon the loss of power.
  • Firmware associated with an information handling system component is stored in non-volatile memory that is accessible to one or more information handling system components.
  • Firmware associated with an information handling system component is stored in non-volatile memory that is dedicated to and comprises part of that component.
  • Computer-readable media may include an instrumentality or aggregation of instrumentalities that may retain data and/or instructions for a period of time.
  • Computer-readable media may include, without limitation, storage media such as a direct access storage device (e.g., a hard disk drive or floppy disk), a sequential access storage device (e.g., a tape disk drive), compact disk, CD-ROM, DVD, random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), and/or flash memory (SSD); as well as communications media such as wires, optical fibers, microwaves, radio waves, and other electromagnetic and/or optical carriers; and/or any combination of the foregoing.
  • FIGS. 1-3, wherein like numbers are used to indicate like and corresponding parts.
  • FIG. 1 illustrates a block diagram depicting selected elements of an embodiment of information handling system 100 for single sign-on access. Also shown with information handling system 100 are external or remote elements, namely, network 155 and network storage resource 170 .
  • Components of information handling system 100 may include, but are not limited to, processor subsystem 120 , which may comprise one or more processors, and system bus 121 that communicatively couples various system components to processor subsystem 120 including, for example, memory 130 , I/O subsystem 140 , local storage resource 150 , and network interface 160 .
  • System bus 121 may represent a variety of suitable types of bus structures, e.g., a memory bus, a peripheral bus, or a local bus using various bus architectures in selected embodiments.
  • Such architectures may include, but are not limited to, Micro Channel Architecture (MCA) bus, Industry Standard Architecture (ISA) bus, Enhanced ISA (EISA) bus, Peripheral Component Interconnect (PCI) bus, PCI-Express bus, HyperTransport (HT) bus, and Video Electronics Standards Association (VESA) local bus.
  • Network interface 160 may be a suitable system, apparatus, or device operable to serve as an interface between information handling system 100 and a network 155 .
  • Network interface 160 may enable information handling system 100 to communicate over network 155 using a suitable transmission protocol and/or standard, including, but not limited to, transmission protocols and/or standards enumerated below with respect to the discussion of network 155 .
  • Network interface 160 may be communicatively coupled via network 155 to network storage resource 170 .
  • Network 155 may be implemented as, or may be a part of, a storage area network (SAN), personal area network (PAN), local area network (LAN), a metropolitan area network (MAN), a wide area network (WAN), a wireless local area network (WLAN), a virtual private network (VPN), an intranet, the Internet or another appropriate architecture or system that facilitates the communication of signals, data and/or messages (generally referred to as data).
  • Network 155 may transmit data using a desired storage and/or communication protocol, including, but not limited to, Fibre Channel, Frame Relay, Asynchronous Transfer Mode (ATM), Internet protocol (IP), other packet-based protocol, small computer system interface (SCSI), Internet SCSI (iSCSI), Serial Attached SCSI (SAS) or another transport that operates with the SCSI protocol, advanced technology attachment (ATA), serial ATA (SATA), advanced technology attachment packet interface (ATAPI), serial storage architecture (SSA), integrated drive electronics (IDE), and/or any combination thereof.
  • Network 155 and its various components may be implemented using hardware, software, or any combination thereof.
  • Information handling system 100 and network 155 may be included in a rack domain.
  • Processor subsystem 120 may comprise a system, device, or apparatus operable to interpret and/or execute program instructions and/or process data, and may include a microprocessor, microcontroller, digital signal processor (DSP), application specific integrated circuit (ASIC), or another digital or analog circuitry configured to interpret and/or execute program instructions and/or process data.
  • Processor subsystem 120 may interpret and/or execute program instructions and/or process data stored locally (e.g., in memory 130 and/or another component of physical hardware in processor subsystem 120 ).
  • Processor subsystem 120 may interpret and/or execute program instructions and/or process data stored remotely (e.g., in network storage resource 170 ).
  • Memory 130 may comprise a system, device, or apparatus operable to retain and/or retrieve program instructions and/or data for a period of time (e.g., computer-readable media).
  • Memory 130 stores operating system 132 , which may represent instructions executable by processor subsystem 120 to operate information handling system 100 after booting.
  • Operating system 132 may be stored at network storage resource 170 and may be accessed by processor subsystem 120 via network 155 .
  • Memory 130 may comprise random access memory (RAM), electrically erasable programmable read-only memory (EEPROM), a PCMCIA card, flash memory, magnetic storage, opto-magnetic storage, and/or a suitable selection and/or array of volatile or non-volatile memory that retains data after power to its associated information handling system, such as information handling system 100 , is powered down.
  • Local storage resource 150 may comprise computer-readable media (e.g., hard disk drive, floppy disk drive, CD-ROM, and/or other type of rotating storage media, flash memory, EEPROM, and/or another type of solid state storage media) and may be generally operable to store instructions and/or data.
  • Local storage resource 150 may store executable code in the form of program files that may be loaded into memory 130 for execution, such as operating system 132 .
  • I/O subsystem 140 may comprise a system, device, or apparatus generally operable to receive and/or transmit data to/from/within information handling system 100 .
  • I/O subsystem 140 may represent, for example, a variety of communication interfaces, graphics interfaces, video interfaces, user input interfaces, and/or peripheral interfaces.
  • I/O subsystem 140 may include a Peripheral Component Interconnect Express (PCI-E) interface that is supported by processor subsystem 120 .
  • I/O subsystem 140 may comprise a touch panel and/or a display adapter.
  • The touch panel (not shown) may include circuitry for enabling touch functionality in conjunction with a display (not shown) that is driven by display adapter (not shown).
  • Management controller (MC) 180 may include MC processor 182 as a second processor included with information handling system 100 for certain management tasks.
  • MC 180 may interface with processor subsystem 120 using any suitable communication link 181 including, but not limited to, a direct interface with a platform controller hub, a system bus, and a network interface.
  • The system bus may be system bus 121 , which may represent a variety of suitable types of bus structures, e.g., a memory bus, a peripheral bus, or a local bus using various bus architectures in selected embodiments.
  • Such architectures may include, but are not limited to, Micro Channel Architecture (MCA) bus, Industry Standard Architecture (ISA) bus, Enhanced ISA (EISA) bus, Peripheral Component Interconnect (PCI) bus, PCI-Express bus, HyperTransport (HT) bus, and Video Electronics Standards Association (VESA) local bus.
  • The network interface may be network interface 160 and/or network interface 190 .
  • The platform controller hub may provide additional functionality for the processor subsystem 120 .
  • The platform controller hub may be internal or external to a processor in processor subsystem 120 .
  • The direct interface may be any suitable interface to enable communications, including but not limited to Direct Media Interface (DMI) or PCI-Express.
  • MC processor 182 may have access to MC memory 184 , which may store MC firmware 186 , representing instructions executable by MC processor 182 . Also shown stored in MC memory 184 is MC storage partition 188 , which may represent an embedded storage partition for management controller 180 . MC firmware 186 may represent pre-boot instructions executable by MC processor 182 , for example, for preparing information handling system 100 to boot by activating various hardware components in preparation of launching operating system 132 for execution (also referred to as a basic input/output system (BIOS)). In certain embodiments, MC firmware 186 includes a Unified Extensible Firmware Interface (UEFI) according to a specification promulgated by the UEFI Forum (uefi.org).
  • Management controller 180 may be a secondary network interface to network interface 160 .
  • MC network interface 190 may provide “out-of-band” network access to management controller 180 , for example, even when network interface 160 is unavailable.
  • Management controller 180 may execute MC firmware 186 on MC processor 182 and use MC network interface 190 even when other components in information handling system 100 are inoperable.
  • Management controller 180 may represent an instance of iDRAC while MC firmware 186 may include a lifecycle controller, which may assist in a variety of functions including, but not limited to, monitoring, updating, maintaining, testing, and deploying one or more components for an information handling system.
  • Management controller 180 may communicate with other management controllers using MC network interface 190 .
  • A set of management controllers in communication may form a group, in which each management controller may be a node.
  • One of the management controllers in the group may operate as a group manager or a master.
  • The master may facilitate and manage secure communication between the management controllers in the group.
  • A set of groups in communication may form an aggregate group, in which each group may be a local group. Additional levels in the management controller hierarchy may be formed including, but not limited to, a bigger aggregate group including a set of aggregate groups.
  • A distributed computing node group may be part of a distributed computing group hierarchy with two or more levels of groups.
  • The distributed computing node group may be in the bottom level in the hierarchy and may be referred to as a local group.
  • One or more local groups may be registered to form an aggregate group.
  • The hierarchy may use a single sign-on token to enable a user to access multiple management controllers across the hierarchy without the need to repeatedly enter user access credentials.
  • The single sign-on token may include an initial login location corresponding to the management controller where the user first logged in. The initial login location may be used to determine whether a subsequent request for authentication by the user corresponds to a traversal up or down the hierarchy.
  • The initial login location may further be used to determine whether a subsequent request for authentication by the user corresponds to the same local group or the same aggregate group.
  • Trust links may be formed between local groups and their corresponding aggregate group. For example, a trust link may be formed between “Local Group 1” and “Local Group 2” via “Aggregate Group 1.” The trust link may enable members of “Local Group 1” to view aggregate information about “Local Group 2” or to gain full access to “Local Group 2” based on a request to elevate the privileges of the user.
  • The user may gain full access to all local groups, such as “Local Group 1” and “Local Group 2,” down in the distributed computing group hierarchy from the aggregate group.
  • A set of information handling systems 200 may be grouped together to form a distributed computing node group 202.
  • Group 202 may include a plurality of members 208 connected together with messaging channel 210.
  • Although group 202 is shown with seven members, group 202 may include any number of members suitable to form a distributed computing node group.
  • Each member 208 may include a management controller 180 to manage group communications.
  • Members 208 and/or management controllers 180 may use messaging channel 210 to send messages to and receive messages from each other.
  • The messages may be unencrypted, encrypted, signed, or unsigned.
  • Messaging channel 210 may include any suitable interface between management controllers, including but not limited to a network interface, such as Ethernet, and an I/O interface, such as PCI-E.
  • Group 202 may use secure messaging to improve the security of communications between members 208.
  • Group 202 may also include a member 208 that is a master, such as a primary master 204 and/or a secondary master 206.
  • The master may control and/or manage group 202.
  • Control of group 202 may include the addition and/or removal of members from group 202, and/or authenticating members of group 202 when a member transitions from an offline state to an online state.
  • The master may perform any operation sufficient to control or manage distributed computing node group 202.
  • The primary master may be selected at random.
  • The primary master may be selected using the timestamp of entry into the group, in which either the most recent member to join the group or the least recent member to join the group is elected the primary master.
  • The secondary master 206 may serve as the master when the primary master is offline or unavailable. The election or selection of the secondary master 206 may be performed in a similar manner as the primary master.
  • The distributed computing group hierarchy 300 may include one or more routers 302, which form part of a network.
  • The network may be a public and/or private network.
  • Router 302-2 may route data between different distributed groups and/or within a distributed group.
  • The distributed group 300 may also include one or more switches 304. Downstream of the routers, switches 304-1 and 304-2 may interface exclusively with other switches (304-3, 304-4, 304-5, 304-6, and 304-7).
  • The switches 304 and routers 302 may collectively operate to facilitate the transmission of messages between the nodes in the distributed group.
  • The nodes may be grouped together to perform a particular type of function.
  • Group 306-1 may include two information handling systems 308-1 and 308-2, which may be used for a SharePoint application.
  • Group 306-2 may include three information handling systems 308-3, 308-4, and 308-5, which may be used for file and print operations.
  • Group 306-3 may include five information handling systems 308-6, 308-7, 308-8, 308-9, and 308-10, which may be used for running various other applications.
  • Each group may be uniquely identified through one or more attributes including, but not limited to, group name, universally unique identifier (UUID), or group passcode.
  • Groups 306-1, 306-2, and 306-3 may be subsystems within the same information handling system, such as a virtualized environment operating on the information handling system.
  • Distributed computing group hierarchy 400 may include two or more levels of distributed computing node groups.
  • Larger aggregate group 1 (415), which may operate as an enterprise datacenter server, may include aggregate group 1 (410-1), aggregate group 2 (410-2), and aggregate group 3 (410-3).
  • Aggregate group 1 (410-1), which may operate as an employee access server, may include local group Q (406-3), local group R (406-4), and local group S (406-5).
  • Each local group may include many management controllers.
  • Local group Q (406-3) may include over one hundred management controllers.
  • Aggregate group 2 (410-2), which may operate as a business data analytics server, may include local group 1 (406-1) and local group 2 (406-2).
  • Aggregate group 3 (410-3) may operate as a web portal server and may include local group A (406-6).
  • A user that logs in to a local group may have full access to management controllers in the group. For example, the user may be able to read and write information and configuration files to each management controller in the local group.
  • The user may have read-only access to other local groups (406) in distributed computing group hierarchy 400.
  • A user that logs in to local group 1 (406-1) may be able to read aggregate information about local group Q (406-3).
  • Aggregate information may include, for example, the health status of local group Q (406-3). However, the aggregate information may not include information specific to a particular management controller or information handling system.
  • The user may also have read-only access to aggregate information of other aggregate groups (410) or larger aggregate groups (415).
  • The user may gain full access to each management controller in each local group 406 below the aggregate group 410 in the distributed computing group hierarchy 400.
  • The user may gain full access, including the ability to read and write information and configuration files, to each management controller in local group Q (406-3), local group R (406-4), and local group S (406-5).
  • Distributed computing group hierarchy 400 may include two or more levels that are suitable for distributed computing.
  • Management controllers in distributed computing group hierarchy 400 may enable the user to sign on to a local group (406) and use the same user account credentials without requiring the user to repeatedly enter the information.
  • Management controllers modify a single sign-on token, such as a JSON web token, to include a login location tag, which may represent the server or group identifier corresponding to the location where the user first logged in.
  • The single sign-on token containing the login location tag may be used to authenticate the user account credentials for access to other management controllers.
  • The login location tag may contain the universally unique identifier (UUID) of the management controller or a suitable identifier for the local group, such as one or more portions of the Internet Protocol address for the local group.
  • Other management controllers may receive the single sign-on token and evaluate the login location tag in the token to determine whether a trust link is established with the group associated with the initial login location. If a trust link is established, management controllers in the same local group may provide full access privileges, and management controllers in the same aggregate group may provide read-only access privileges to aggregate information.
  • Single sign-on token 500 may include encrypted header 505, encrypted payload 510, and signature 515.
  • Encrypted header 505 may provide information about the type of structure used by the single sign-on token and the type of algorithm used for signature 515.
  • The type of structure may be a JSON web token or a modified JSON web token with a login location tag, and the type of algorithm may be SHA256.
  • Encrypted payload 510 may provide information about the single sign-on, including the fields described for FIG. 5B.
  • Signature 515 may be a signature of encrypted header 505 and encrypted payload 510.
  • The signature may be a JSON web signature using the SHA256 algorithm with an RSA key length of 4096 bits.
  • Encrypted payload 510 may include a plurality of fields, including login location tag 525, issuer group manager unit ID 530, audience group manager unit ID 535, expiration time of token 540, issuance time of token 545, and member ID 550.
  • Login location tag 525 may indicate the server, or identify a group or the universally unique identifier (UUID) of a master of a group, corresponding to the management controller where the user first logged in.
  • Login location tag 525 may indicate the server using a server service tag.
  • Issuer group manager unit ID 530 may indicate the UUID of the group manager, the UUID of the group manager of the aggregate group, the master of a local group, or a member of a local group that issues the single sign-on token.
  • The issuer group manager unit ID 530 may correspond to a different management controller than login location tag 525.
  • The issuer group manager unit ID 530 may correspond to the same management controller as login location tag 525.
  • Audience group manager unit ID 535 may indicate the UUID of the management controller that is the group manager of the aggregate group, the master of a local group, or a member of the local group that is the intended audience for the single sign-on token. Specifying the UUID of the master of the local group, for example, may indicate that the local group is the audience for the single sign-on token.
  • Specifying the UUID of the management controller that is the group manager of the aggregate group may indicate that the aggregate group is the audience for the single sign-on token, which may provide the user with full access to the management controllers in the local groups that are part of the aggregate group.
  • Expiration time of token 540 may indicate when the single sign-on token is set to expire. The expiration time may be defined in any suitable increment, such as 30 seconds. The time may be measured relative to the time at the issuer group manager as specified by issuance time of token 545, which may be defined in the same increment as expiration time of token 540. The user may need to prove user account credentials again after the single sign-on token expires.
  • Member ID 550 may indicate the member UUID of the management controller that most recently used single sign-on token 500. Although encrypted payload 510 is shown with six fields, any number of fields suitable for single sign-on in a distributed computing group hierarchy may be used.
  • Method 600 may be implemented by any of the elements shown in FIGS. 1-5.
  • Method 600 may be initiated by any suitable criteria and may initiate operation at any suitable point.
  • Method 600 may initiate operation at 605.
  • Method 600 may include greater or fewer steps than those illustrated.
  • Method 600 may execute its steps in an order that is different than the order illustrated below.
  • Method 600 may terminate at any suitable step.
  • Method 600 may repeat operation at any suitable step. Portions of method 600 may be performed in parallel and repeat with respect to other portions of method 600.
  • A management controller may receive a request to authenticate a user for access.
  • The request may include user access credentials or a single sign-on token.
  • The management controller may authenticate the user by verifying the user access credentials or the single sign-on token.
  • If the request included user access credentials, the management controller may create a single sign-on token for the user with an initial login location corresponding to the management controller.
  • The initial login location may be any suitable identifier for the management controller, such as the UUID of the management controller or the Internet Protocol address of the management controller in the distributed computing group hierarchy.
  • The management controller may be used to create a group of groups by registering the local group with an aggregate group. Registration may include adding a certificate for the local group to the aggregate group and adding a certificate for the aggregate group to the local group.
  • The certificate may include the Internet Protocol address of a group member, a group UUID, and a group shared public key.
  • The certificates may be imported and exported using a group manager or by manual handling of certificates. Manual handling of the certificates may include the group manager displaying a base64-encoded certificate as a quick response (QR) code for a user to scan using a mobile information handling system.
  • The group manager of the local group may export the certificate of the local group.
  • The group manager of the aggregate group may import the certificate of the local group and export the certificate of the aggregate group.
  • The group manager of the local group may then import the certificate of the aggregate group.
  • The group managers of the local group and aggregate group may display QR codes representing their certificates. In this case, the user may scan the QR codes using a mobile information handling system, and import the local group certificate into the aggregate group and the aggregate group certificate into the local group.
  • The management controller may be used to register other local groups with the aggregate group. For example, “Local Group 2,” “Local Group 3,” and “Local Group 4” may join “Aggregate Group 1.”
  • The management controller may be used to create a larger aggregate group. For example, “Larger Aggregate Group 1” may be created to include “Aggregate Group 1.”
  • Other aggregate groups may be registered with the larger aggregate group. For example, “Aggregate Group 2” and “Aggregate Group 3” may be registered with “Larger Aggregate Group 1.”
  • Method 700 may be implemented by any of the elements shown in FIGS. 1-6.
  • Method 700 may be initiated by any suitable criteria and may initiate operation at any suitable point.
  • Method 700 may initiate operation at 705.
  • Method 700 may include greater or fewer steps than those illustrated.
  • Method 700 may execute its steps in an order that is different than the order illustrated below.
  • Method 700 may terminate at any suitable step.
  • Method 700 may repeat operation at any suitable step. Portions of method 700 may be performed in parallel and repeat with respect to other portions of method 700.
  • A management controller may receive a request to authenticate the user for access to a target management controller.
  • It may be determined whether the request corresponds to traversing up the distributed computing group hierarchy. If the request corresponds to traversing upward, method 700 may proceed to 715. Otherwise, method 700 may proceed to 720.
  • It may be determined whether a trust link is established to the aggregate group.
  • A trust link may be established between groups at any two levels in the distributed computing group hierarchy. For example, a trust link may be established between a local group and an aggregate group. As another example, a trust link may be established between an aggregate group and a larger aggregate group. The aggregate group may be the group in which the target management controller resides.
  • If a trust link is established, method 700 may proceed to 740. Otherwise, method 700 may proceed to 755.
  • It may be determined whether a trust link is established from the aggregate group.
  • The target management controller may be a member of the aggregate group. If a trust link is established, method 700 may proceed to 730. Otherwise, method 700 may proceed to 755.
  • Read-only access may be allowed for the user. The user may be able to read aggregate information about the target management controller based on the initial login location of the user and the location of the target management controller.
  • It may be determined whether the initial login location is in the same local group as the target management controller.
  • The initial login location in the single sign-on token may be used to determine the local group for which the user has access. If the local groups are the same, method 700 may proceed to 750. Otherwise, method 700 may proceed to 755.
  • Full access to the local group of the target management controller may be allowed using the single sign-on token. For example, the information and configuration files of each management controller in the local group may be read, written, and/or modified.
  • User access may be denied.
  • Method 800 may be implemented by any of the elements shown in FIGS. 1-7.
  • Method 800 may be initiated by any suitable criteria and may initiate operation at any suitable point.
  • Method 800 may initiate operation at 805.
  • Method 800 may include greater or fewer steps than those illustrated.
  • Method 800 may execute its steps in an order that is different than the order illustrated below.
  • Method 800 may terminate at any suitable step.
  • Method 800 may repeat operation at any suitable step. Portions of method 800 may be performed in parallel and repeat with respect to other portions of method 800.
  • A management controller may receive a request from a user to elevate the privileges of the user so that the user may gain access to another local group.
  • The management controller may operate as the group manager for the local group.
  • The user may have previously provided user account credentials to log in to the local group.
  • A single sign-on token with the initial login location may have been created when the user first logged in using user account credentials.
  • The management controller may determine which other local group the request is directed to by using any suitable identifier for the other local group, such as the UUID or Internet Protocol address of the group manager or master for the other local group. If the other local group is already registered with the aggregate group, the group manager of the aggregate group may hold a certificate corresponding to the other local group.
  • The certificate may include one or more identifiers corresponding to the other local group including, but not limited to, the Internet Protocol address of a group member, a group UUID, and a group shared public key. If the other local group is registered with the aggregate group, method 800 may proceed to 815.
  • Otherwise, method 800 may proceed to 825.
  • The management controller that received the request may redirect the request to a controlling member.
  • The controlling member may be the controlling member of the other local group or the controlling member of the aggregate group that includes both the local group at which the request was received and the other local group.
  • The controlling member of the aggregate group, such as the group manager or master of the aggregate group or larger aggregate group, may have all the required information to authenticate the user using a single sign-on token.
  • The management controller that received the request may include a single sign-on token for the user in the redirection. For example, the management controller may redirect the request to the group manager or master of the other local group.
  • The redirection may result in the user being prompted by a member of the other local group for user account credentials to elevate the access privileges for the user.
  • The user may be shown a new webpage or window in which the user may enter user account credentials for authentication, such as biometric authentication, smartcard authentication, and/or authentication using a username and password. Other suitable forms of authentication that may verify the identity and credentials of the user may be used.
  • The controlling member may update the single sign-on token after the user is authenticated.
  • The single sign-on token may be updated with the initial login location such that the user has full access to at least two local groups.
  • The controlling member may create a new single sign-on token or a portion of a new single sign-on token, such as the initial login location, and send the information back to the management controller that redirected the request.
  • The management controller that received the request may wait for the controlling member of the other local group to authenticate the user using the single sign-on token.
  • The management controller may receive a single sign-on token from the controlling member of the other local group.
  • The management controller may register the other local group with the aggregate group corresponding to the initial login location. Registration may be performed by group managers and/or a user, as described in more detail for 620 and 625 of FIG. 6 above. For example, if the initial login location was a management controller in “Local Group 1,” which is part of “Aggregate Group 1,” the other local group (“Local Group 2”) may be registered with “Aggregate Group 1.”
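The token layout of FIGS. 5A and 5B and the method 700 demarcation above, as an added Python illustration that is not the patent's or Dell's code. It assumes an HS256 HMAC signature from the standard library in place of the RSA-4096/SHA256 JSON web signature the description names, a constructed sample hierarchy with constructed controller and group identifiers, and a trust link modelled as a (local group, aggregate group) registration pair; the `aud` check for the aggregate group manager and the read-only outcome for another local group inside a trusted aggregate group follow the FIG. 5B and trust-link bullets rather than only the 730 branch.

```python
"""Login-location-tagged single sign-on token and method 700 access demarcation.
Added illustration, not the patent's code. Assumptions: HS256 (stdlib HMAC)
instead of RSA-4096/SHA256, constructed identifiers, and a trust link modelled
as a (local group, aggregate group) registration pair."""
import base64
import hashlib
import hmac
import json

FULL, READ_ONLY, DENY = "full", "read-only", "deny"

# Constructed sample hierarchy in the style of FIG. 4: two aggregate groups,
# three local groups, and trust links registered only inside aggregate group 2.
HIERARCHY = {
    "local_group_of": {"mc-1a": "local-1", "mc-1b": "local-1",
                       "mc-2a": "local-2", "mc-q1": "local-Q"},
    "aggregate_of": {"local-1": "agg-2", "local-2": "agg-2", "local-Q": "agg-1"},
    "aggregate_manager": {"agg-1": "mc-agg1", "agg-2": "mc-agg2"},
    "trust_links": {("local-1", "agg-2"), ("local-2", "agg-2")},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, login_location: str, issuer: str, audience: str,
                member: str, now: int, ttl: int = 30) -> str:
    """Build the FIG. 5B payload: login location tag 525, issuer 530,
    audience 535, expiration 540, issuance time 545 and member ID 550."""
    header = {"typ": "JWT", "alg": "HS256"}
    payload = {"login_location": login_location, "iss": issuer,
               "aud": audience, "exp": now + ttl, "iat": now,
               "member_id": member}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":"), sort_keys=True).encode())
        for part in (header, payload))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(key: bytes, token: str, now: int) -> dict:
    """Check signature and expiry; return the payload or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head, body, sig = parts
    expected = hmac.new(key, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(body))
    if now >= payload["exp"]:
        raise ValueError("token expired")
    return payload


def decide_access(hier: dict, payload: dict, target: str) -> str:
    """Method 700 demarcation driven by the login location tag."""
    origin_group = hier["local_group_of"].get(payload["login_location"])
    if origin_group is None:
        return DENY  # initial login location not recognized
    managers = hier["aggregate_manager"]
    if target in managers.values():
        # Traversing up (710 -> 715): the target manages an aggregate group.
        # A trust link to that aggregate group yields read-only access (740).
        agg = next(a for a, m in managers.items() if m == target)
        return READ_ONLY if (origin_group, agg) in hier["trust_links"] else DENY
    target_group = hier["local_group_of"].get(target)
    if target_group is None:
        return DENY
    agg = hier["aggregate_of"][target_group]
    if (origin_group, agg) not in hier["trust_links"]:
        return DENY  # 720 -> 755: no trust link with the target's aggregate group
    if origin_group == target_group:
        return FULL  # 730 -> 750: first login was in the target's local group
    if payload["aud"] == managers[agg]:
        return FULL  # audience is the aggregate group manager (FIG. 5B)
    return READ_ONLY  # same aggregate group: aggregate information only


def authorize(key: bytes, token: str, target: str, now: int,
              hier: dict = HIERARCHY) -> str:
    """Verify the token, then apply the demarcation; invalid tokens are denied."""
    try:
        payload = verify_token(key, token, now)
    except ValueError:
        return DENY
    return decide_access(hier, payload, target)


if __name__ == "__main__":
    key = b"constructed-shared-secret"  # constructed; not a real key
    tok = issue_token(key, "mc-1a", "mc-1a", "mc-1a", "mc-1a", now=1_000_000)
    for tgt in ("mc-1b", "mc-2a", "mc-q1", "mc-agg2", "mc-agg1"):
        print(tgt, authorize(key, tok, tgt, 1_000_010))
```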

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

Methods and systems for access in a management controller group hierarchy may involve receiving a request for a user at an information handling system, determining whether a link of trust is established, and validating the single sign-on request. The request may be to authenticate the user for access using a single sign-on token. Determination of whether the link of trust is established may be based on an initial login location stored in the single sign-on token. Validation of the single sign-on token may be based on a determination that the link of trust is established.

Description

BACKGROUND
Field of the Disclosure
This disclosure relates generally to information handling systems and more particularly to systems and methods for single sign-on demarcation based on first user login.
Description of the Related Art
As the value and use of information continues to increase, individuals and businesses seek additional ways to process and store information. One option available to users is information handling systems. An information handling system generally processes, compiles, stores, and/or communicates information or data for business, personal, or other purposes thereby allowing users to take advantage of the value of the information. Because technology and information handling needs and requirements vary between different users or applications, information handling systems may also vary regarding what information is handled, how the information is handled, how much information is processed, stored, or communicated, and how quickly and efficiently the information may be processed, stored, or communicated. The variations in information handling systems allow for information handling systems to be general or configured for a specific user or specific use such as financial transaction processing, airline reservations, enterprise data storage, or global communications. In addition, information handling systems may include a variety of hardware and software components that may be configured to process, store, and communicate information and may include one or more computer systems, data storage systems, and networking systems.
The use of management controllers in information handling systems has increased in recent years. Broadly speaking, a management controller may be a device, system, or apparatus for remote monitoring or management of an information handling system. A management controller may be enabled to use a so-called ‘out-of-band’ network interface that is physically isolated from an ‘in-band’ network interface used generally for non-management communications. The management controller may include, or be an integral part of, a baseboard management controller (BMC), a Dell Remote Access Controller (DRAC), or an Integrated Dell Remote Access Controller (iDRAC). The management controller may be a secondary information handling system embedded in the information handling system.
SUMMARY
A secondary information handling system, which may be in the form of a management controller, may communicate with other management controllers to form a local distributed computing node group. The local distributed computing node group may be formed by exchanging public keys and Internet Protocol (IP) address information. In addition, one or more management controllers may form another distributed computing node group, which may not be previously communicatively coupled to the management controllers in the local distributed computing node group. Although the management controllers in the other distributed computing node group may perform related functions to those in the local distributed computing node group, management controllers in the local distributed computing node group may not be able to communicate with the management controllers in the other distributed computing node group. Thus, it may be desirable for the local distributed computing node group to communicate with other management controllers, such as those in another distributed computing node group, arranged in a distributed computing group hierarchy having two or more levels of distributed computing node groups.
A user, such as an administrator, may log in to a plurality of management controllers in the local distributed computing node group and across the distributed computing group hierarchy. Management controllers that are not in the local distributed computing node group may have privileges that are different than those in the local distributed computing node group. A user account and the associated privilege levels may vary from one management controller to another. For example, a user account at a management controller that may not be in the local distributed computing node group may have privileges that are different than those in a local distributed computing node group. However, the productivity of the user may be reduced by a need to enter the same user account credentials repeatedly to gain access to the management controllers. Thus, it may be desirable to enable the user to gain access to a plurality of management controllers without the user entering the same user account credentials repeatedly as the user navigates through the management controllers arranged in a distributed computing group hierarchy.
In one aspect, a disclosed method for access in a management controller group hierarchy includes receiving a request for a user at an information handling system, determining whether a link of trust is established, and validating the single sign-on request. The request may be to authenticate the user for access and may use a single sign-on token. Determining whether a link of trust is established may be based on an initial login location stored in the single sign-on token. Validating the single sign-on request may be based on a determination that the link of trust is established.
In certain embodiments the method may include determining whether the initial login location corresponds to an initial information handling system in the same local group of the management controller group hierarchy as the information handling system that received the request and granting the user full access based on a determination that the initial login location corresponds to an initial information handling system in the same local group of the management controller group hierarchy as the information handling system that received the request. The method may include determining whether the initial login location is recognized and based on a determination that the initial login location is not recognized, granting the user access to view information about an aggregate group in the management controller group hierarchy and denying the user access to the local group included in the aggregate group. The aggregate group may include at least one local group of information handling systems. The method may include receiving a request to elevate privileges of the user to enable access to a local group in the management controller group hierarchy, redirecting the request to a controlling member of the local group, and receiving a re-authenticated single sign-on token back from the controlling member of the local group. The information handling system may not be in the local group. The method may include determining whether the initial login location corresponds to an initial information handling system that manages an aggregate group in the management controller group hierarchy and granting the user full access based on a determination that the initial login location corresponds to the initial information handling system that manages the aggregate group in the management controller group hierarchy. The aggregate group may include the information handling system that received the request. 
The information handling system that received the request may be in a local group that is part of the aggregate group.
Another disclosed aspect includes an information handling system, comprising a processor subsystem having access to a first memory, and a management controller comprising a secondary processor having access to a second memory, the second memory including an embedded storage partition and the second memory storing instructions executable by the secondary processor.
A further disclosed aspect includes a management controller for an information handling system having a primary processor and a primary memory, the management controller comprising a secondary processor having access to a second memory, the second memory including an embedded storage partition and the second memory storing instructions executable by the secondary processor.
An additional disclosed aspect includes an article of manufacture comprising a non-transitory computer-readable medium storing instructions executable by a secondary processor, while an information handling system comprises a processor subsystem and the second processor.
BRIEF DESCRIPTION OF THE DRAWINGS
For a more complete understanding of the present invention and its features and advantages, reference is now made to the following description, taken in conjunction with the accompanying drawings, in which:
FIG. 1 is a block diagram of selected elements of an information handling system for single sign-on, in accordance with some embodiments of the present disclosure;
FIG. 2 is a block diagram of selected elements of a distributed computing node group for single sign-on, in accordance with some embodiments of the present disclosure;
FIG. 3 is a block diagram of selected elements of a distributed computing group hierarchy, in accordance with some embodiments of the present disclosure;
FIG. 4 is a block diagram of selected elements of a group of groups distributed computing group hierarchy, in accordance with some embodiments of the present disclosure;
FIG. 5A is a block diagram of selected elements of a single sign-on token, in accordance with some embodiments of the present disclosure;
FIG. 5B is a block diagram of selected elements of an encrypted payload, in accordance with some embodiments of the present disclosure;
FIG. 6 is a flow chart depicting selected elements of a method for configuring a group of groups distributed computing group hierarchy, in accordance with some embodiments of the present disclosure;
FIG. 7 is a flow chart depicting selected elements of a method for group of groups single sign-on demarcation based on first user login, in accordance with some embodiments of the present disclosure; and
FIG. 8 is a flow chart depicting selected elements of a method for elevated privileges of single sign-on in a group of groups, in accordance with some embodiments of the present disclosure.
DESCRIPTION OF PARTICULAR EMBODIMENT(S)
In the following description, details are set forth by way of example to facilitate discussion of the disclosed subject matter. It should be apparent to a person of ordinary skill in the field, however, that the disclosed embodiments are exemplary and not exhaustive of all possible embodiments.
For the purposes of this disclosure, an information handling system may include an instrumentality or aggregate of instrumentalities operable to compute, classify, process, transmit, receive, retrieve, originate, switch, store, display, manifest, detect, record, reproduce, handle, or utilize various forms of information, intelligence, or data for business, scientific, control, entertainment, or other purposes. For example, an information handling system may be a personal computer, a PDA, a consumer electronic device, a network storage device, or another suitable device and may vary in size, shape, performance, functionality, and price. The information handling system may include memory, one or more processing resources such as a central processing unit (CPU) or hardware or software control logic. Additional components of the information handling system may include one or more storage devices, one or more communications ports for communicating with external devices as well as various input and output (I/O) devices, such as a keyboard, a mouse, and a video display. The information handling system may also include one or more buses operable to transmit communication between the various hardware components.
Additionally, the information handling system may include firmware for controlling and/or communicating with, for example, hard drives, network circuitry, memory devices, I/O devices, and other peripheral devices. As used in this disclosure, firmware includes software embedded in an information handling system component used to perform predefined tasks. Firmware is commonly stored in non-volatile memory, or memory that does not lose stored data upon the loss of power. In certain embodiments, firmware associated with an information handling system component is stored in non-volatile memory that is accessible to one or more information handling system components. In the same or alternative embodiments, firmware associated with an information handling system component is stored in non-volatile memory that is dedicated to and comprises part of that component.
For the purposes of this disclosure, computer-readable media may include an instrumentality or aggregation of instrumentalities that may retain data and/or instructions for a period of time. Computer-readable media may include, without limitation, storage media such as a direct access storage device (e.g., a hard disk drive or floppy disk), a sequential access storage device (e.g., a tape disk drive), compact disk, CD-ROM, DVD, random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), and/or flash memory (SSD); as well as communications media such as wires, optical fibers, microwaves, radio waves, and other electromagnetic and/or optical carriers; and/or any combination of the foregoing.
Particular embodiments are best understood by reference to FIGS. 1-3 wherein like numbers are used to indicate like and corresponding parts.
Turning now to the drawings, FIG. 1 illustrates a block diagram depicting selected elements of an embodiment of information handling system 100 for single sign-on access. Also shown with information handling system 100 are external or remote elements, namely, network 155 and network storage resource 170.
As shown in FIG. 1, components of information handling system 100 may include, but are not limited to, processor subsystem 120, which may comprise one or more processors, and system bus 121 that communicatively couples various system components to processor subsystem 120 including, for example, memory 130, I/O subsystem 140, local storage resource 150, and network interface 160. System bus 121 may represent a variety of suitable types of bus structures, e.g., a memory bus, a peripheral bus, or a local bus using various bus architectures in selected embodiments. For example, such architectures may include, but are not limited to, Micro Channel Architecture (MCA) bus, Industry Standard Architecture (ISA) bus, Enhanced ISA (EISA) bus, Peripheral Component Interconnect (PCI) bus, PCI-Express bus, HyperTransport (HT) bus, and Video Electronics Standards Association (VESA) local bus.
In FIG. 1, network interface 160 may be a suitable system, apparatus, or device operable to serve as an interface between information handling system 100 and a network 155. Network interface 160 may enable information handling system 100 to communicate over network 155 using a suitable transmission protocol and/or standard, including, but not limited to, transmission protocols and/or standards enumerated below with respect to the discussion of network 155. In some embodiments, network interface 160 may be communicatively coupled via network 155 to network storage resource 170. Network 155 may be implemented as, or may be a part of, a storage area network (SAN), personal area network (PAN), local area network (LAN), a metropolitan area network (MAN), a wide area network (WAN), a wireless local area network (WLAN), a virtual private network (VPN), an intranet, the Internet or another appropriate architecture or system that facilitates the communication of signals, data and/or messages (generally referred to as data). Network 155 may transmit data using a desired storage and/or communication protocol, including, but not limited to, Fibre Channel, Frame Relay, Asynchronous Transfer Mode (ATM), Internet protocol (IP), other packet-based protocol, small computer system interface (SCSI), Internet SCSI (iSCSI), Serial Attached SCSI (SAS) or another transport that operates with the SCSI protocol, advanced technology attachment (ATA), serial ATA (SATA), advanced technology attachment packet interface (ATAPI), serial storage architecture (SSA), integrated drive electronics (IDE), and/or any combination thereof. Network 155 and its various components may be implemented using hardware, software, or any combination thereof. In certain embodiments, information handling system 100 and network 155 may be included in a rack domain.
As depicted in FIG. 1, processor subsystem 120 may comprise a system, device, or apparatus operable to interpret and/or execute program instructions and/or process data, and may include a microprocessor, microcontroller, digital signal processor (DSP), application specific integrated circuit (ASIC), or another digital or analog circuitry configured to interpret and/or execute program instructions and/or process data. In some embodiments, processor subsystem 120 may interpret and/or execute program instructions and/or process data stored locally (e.g., in memory 130 and/or another component of physical hardware in processor subsystem 120). In the same or alternative embodiments, processor subsystem 120 may interpret and/or execute program instructions and/or process data stored remotely (e.g., in network storage resource 170).
Also in FIG. 1, memory 130 may comprise a system, device, or apparatus operable to retain and/or retrieve program instructions and/or data for a period of time (e.g., computer-readable media). As shown in the example embodiment of FIG. 1, memory 130 stores operating system 132, which may represent instructions executable by processor subsystem 120 to operate information handling system 100 after booting. It is noted that in different embodiments, operating system 132 may be stored at network storage resource 170 and may be accessed by processor subsystem 120 via network 155. Memory 130 may comprise random access memory (RAM), electrically erasable programmable read-only memory (EEPROM), a PCMCIA card, flash memory, magnetic storage, opto-magnetic storage, and/or a suitable selection and/or array of volatile or non-volatile memory that retains data after power to its associated information handling system, such as information handling system 100, is powered down.
Local storage resource 150 may comprise computer-readable media (e.g., hard disk drive, floppy disk drive, CD-ROM, and/or other type of rotating storage media, flash memory, EEPROM, and/or another type of solid state storage media) and may be generally operable to store instructions and/or data. For example, local storage resource 150 may store executable code in the form of program files that may be loaded into memory 130 for execution, such as operating system 132. In information handling system 100, I/O subsystem 140 may comprise a system, device, or apparatus generally operable to receive and/or transmit data to/from/within information handling system 100. I/O subsystem 140 may represent, for example, a variety of communication interfaces, graphics interfaces, video interfaces, user input interfaces, and/or peripheral interfaces. For example, I/O subsystem 140 may include a Peripheral Component Interconnect Express (PCI-E) interface that is supported by processor subsystem 120. In certain embodiments, I/O subsystem 140 may comprise a touch panel and/or a display adapter. The touch panel (not shown) may include circuitry for enabling touch functionality in conjunction with a display (not shown) that is driven by display adapter (not shown).
Also shown in FIG. 1 is management controller (MC) 180, which may include MC processor 182 as a second processor included with information handling system 100 for certain management tasks. MC 180 may interface with processor subsystem 120 using any suitable communication link 181 including, but not limited to, a direct interface with a platform controller hub, a system bus, and a network interface. The system bus may be system bus 121, which may represent a variety of suitable types of bus structures, e.g., a memory bus, a peripheral bus, or a local bus using various bus architectures in selected embodiments. For example, such architectures may include, but are not limited to, Micro Channel Architecture (MCA) bus, Industry Standard Architecture (ISA) bus, Enhanced ISA (EISA) bus, Peripheral Component Interconnect (PCI) bus, PCI-Express bus, HyperTransport (HT) bus, and Video Electronics Standards Association (VESA) local bus. The network interface may be network interface 160 and/or network interface 190. The platform controller hub may provide additional functionality for the processor subsystem 120. The platform controller hub may be internal or external to a processor in processor subsystem 120. The direct interface may be any suitable interface to enable communications, including but not limited to Direct Media Interface (DMI) or PCI-Express.
MC processor 182 may have access to MC memory 184, which may store MC firmware 186, representing instructions executable by MC processor 182. Also shown stored in MC memory 184 is MC storage partition 188, which may represent an embedded storage partition for management controller 180. MC firmware 186 may represent pre-boot instructions executable by MC processor 182 (also referred to as a basic input/output system (BIOS)), for example, for preparing information handling system 100 to boot by activating various hardware components in preparation for launching operating system 132 for execution. In certain embodiments, MC firmware 186 includes a Unified Extensible Firmware Interface (UEFI) according to a specification promulgated by the UEFI Forum (uefi.org). Also included with management controller 180 is MC network interface 190, which may be a secondary network interface to network interface 160. MC network interface 190 may provide “out-of-band” network access to management controller 180, for example, even when network interface 160 is unavailable. Thus, management controller 180 may execute MC firmware 186 on MC processor 182 and use MC network interface 190 even when other components in information handling system 100 are inoperable. It is noted that, in certain embodiments, management controller 180 may represent an instance of iDRAC while MC firmware 186 may include a lifecycle controller, which may assist in a variety of functions including, but not limited to, monitoring, updating, maintaining, testing, and deploying one or more components for an information handling system.
Management controller 180 may communicate with other management controllers using MC network interface 190. A set of management controllers in communication may form a group, in which each management controller may be a node. One of the management controllers in the group may operate as a group manager or a master. The master may facilitate and manage secure communication between the management controllers in the group. A set of groups in communication may form an aggregate group, in which each group may be a local group. Additional levels in the management controller hierarchy may be formed including, but not limited to, a bigger aggregate group including a set of aggregate groups.
A distributed computing node group may be part of a distributed computing group hierarchy with two or more levels of groups. For example, the distributed computing node group may be in the bottom level in the hierarchy and may be referred to as a local group. One or more local groups may be registered to form an aggregate group. The hierarchy may use a single sign-on token to enable a user to access multiple management controllers across the hierarchy without the need to repeatedly enter user access credentials. The single sign-on token may include an initial login location corresponding to the management controller where the user first logged in. The initial login location may be used to determine whether a subsequent request for authentication by the user corresponds to a traversal up or down the hierarchy. The initial login location may further be used to determine whether a subsequent request for authentication by the user corresponds to the same local group or same aggregate group. Trust links may be formed between local groups and their corresponding aggregate group. For example, a trust link may be formed between “Local Group 1” and “Local Group 2” via “Aggregate Group 1.” The trust link may enable members of “Local Group 1” to view aggregate information about “Local Group 2” or to gain full access to “Local Group 2” based on a request to elevate the privileges of the user. If the initial login location corresponds to the group manager of an aggregate group, such as “Aggregate Group 1,” the user may gain full access to all local groups, such as “Local Group 1” and “Local Group 2,” down in the distributed computing group hierarchy from the aggregate group.
Referring now to FIG. 2, a block diagram of selected elements of a distributed computing node group for single sign-on is shown in accordance with some embodiments of the present disclosure. A set of information handling systems 200 may be grouped together to form a distributed computing node group 202. Group 202 may include a plurality of members 208 connected together with messaging channel 210. Although group 202 is shown with seven members, group 202 may include any number of members suitable to form a distributed computing node group.
Each member 208 may include a management controller 180 to manage group communications. Members 208 and/or management controllers 180 may use messaging channel 210 to send and receive messages to each other. The messages may be unencrypted, encrypted, signed, or unsigned. Messaging channel 210 may include any suitable interface between management controllers, including but not limited to a network interface, such as Ethernet, and an I/O interface, such as PCI-E. Group 202 may use secure messaging to improve the security of communications between members 208.
Group 202 may also include a member 208 that is a master, such as a primary master 204 and/or a secondary master 206. The master may control and/or manage group 202. Control of group 202 may include the addition and/or removal of members from group 202, and/or authenticating members of group 202 when the member transitions to an online state from an offline state. The master may perform any operation sufficient to control or manage distributed computing node group 202. For example, the primary master may be selected at random. As another example, the primary master may be selected using the timestamp of entry into the group, in which the most recent member to join the group or the least recent member to join the group is elected the primary master. The secondary master 206 may serve as the master when the primary master is offline or unavailable. The election or selection of the secondary master 206 may be performed in a similar manner as the primary master.
Referring now to FIG. 3, a block diagram of selected elements of a distributed computing group hierarchy is shown in accordance with some embodiments of the present disclosure. The distributed computing group hierarchy 300 may include one or more routers 302, which form part of a network. The network may be a public and/or private network. Router 302-2 may route data between different distributed groups and/or within a distributed group. Distributed computing group hierarchy 300 may also include one or more switches 304. Downstream of the routers, switches 304-1 and 304-2 may interface exclusively with other switches (304-3, 304-4, 304-5, 304-6 and 304-7). The switches 304 and routers 302 may collectively operate to facilitate the transmission of messages between the nodes in the distributed group.
The nodes may be grouped together to perform a particular type of function. For example, group 306-1 may include two information handling systems 308-1 and 308-2, which may be used for a SharePoint application. Group 306-2 may include three information handling systems 308-3, 308-4, and 308-5, which may be used for file and print operations. Group 306-3 may include five information handling systems 308-6, 308-7, 308-8, 308-9, and 308-10, which may be used for running various other applications. Each group may be uniquely identified through one or more attributes including, but not limited to, group name, universally unique identifier (UUID), or group passcode. Although a particular number of information handling systems are shown, one or more information handling systems may be configured to form one or more portions of a group or one or more groups. For example, groups 306-1, 306-2, and 306-3 may be subsystems within the same information handling system, such as a virtualized environment operating on the information handling system.
Referring now to FIG. 4, a block diagram of selected elements of a group of groups distributed computing group hierarchy is shown in accordance with some embodiments of the present disclosure. Distributed computing group hierarchy 400 may include two or more levels of distributed computing node groups. For example, larger aggregate group 1 (415), which may operate as an enterprise datacenter server, may include aggregate group 1 (410-1), aggregate group 2 (410-2), and aggregate group 3 (410-3). Aggregate group 1 (410-1), which may operate as an employee access server, may include local group Q (406-3), local group R (406-4), and local group S (406-5). Each local group may include many management controllers. For example, local group Q (406-3) may include over one hundred management controllers. Aggregate group 2 (410-2), which may operate as a business data analytics server, may include local group 1 (406-1) and local group 2 (406-2). Aggregate group 3 (410-3) may operate as a web portal server and may include local group A (406-6).
A user that logs in to a local group may have full access to management controllers in the group. For example, the user may be able to read and write information and configuration files to each management controller in the local group. The user may have read only access to other local groups (406) in distributed computing group hierarchy 400. For example, a user that logs in to local group 1 (406-1) may be able to read aggregate information about local group Q (406-3). Aggregate information may include, for example, the health status of local group Q (406-3). However, the aggregate information may not include information specific to a particular management controller or information handling system. The user may also have read only access to aggregate information of other aggregate groups (410) or larger aggregate groups (415). If the user initially logs into the group manager of an aggregate group 410, the user may gain full access to each management controller in each local group 406 below the aggregate group 410 in the distributed computing group hierarchy 400. For example, if the user initially logs into the group manager of aggregate group 1 (410-1), the user may gain full access, including the ability to read and write information and configuration files, to each management controller in local group Q (406-3), local group R (406-4), and local group S (406-5).
Although three levels are shown in the distributed computing group hierarchy 400, distributed computing group hierarchy 400 may include two or more levels that are suitable for distributing computing.
Management controllers in distributed computing group hierarchy 400 may enable the user to sign on to a local group (406) and use the same user account credentials without requiring the user to repeatedly enter the information. Management controllers modify a single sign-on token, such as a JSON web token, to include a login location tag, which may represent the server or group identifier corresponding to the location where the user first logged in. The single sign-on token containing the login location tag may be used to authenticate the user account credentials for access to other management controllers. For example, if the user first logged in to a management controller in local group S (406-5), the login location tag may contain the universally unique identifier (UUID) of the management controller or a suitable identifier for the local group, such as one or more portions of the Internet Protocol address for the local group. Other management controllers may receive the single sign-on token and evaluate the login location tag in the token to determine whether a trust link is established with the group associated with the initial login location. If a trust link is established, management controllers in the same local group may provide for full access privileges and management controllers in the same aggregate group may provide for read only access privileges to aggregate information.
Referring now to FIG. 5A, a block diagram of selected elements of a single sign-on token is shown in accordance with some embodiments of the present disclosure. Single sign-on token 500 may include encrypted header 505, encrypted payload 510, and signature 515. Encrypted header 505 may provide information about the type of structure used by the single sign-on token and the type of algorithm used for signature 515. For example, the type of structure may be a JSON web token or a modified JSON web token with a login location tag and the type of algorithm may be SHA256. Encrypted payload 510 may provide information about the single sign-on, including the fields described for FIG. 5B. Signature 515 may be a signature of encrypted header 505 and encrypted payload 510. For example, the signature may be a JSON web signature using the SHA256 algorithm with an RSA key length of 4096 bits.
Referring now to FIG. 5B, a block diagram of selected elements of an encrypted payload is shown in accordance with some embodiments of the present disclosure. Encrypted payload 510 may include a plurality of fields, including login location tag 525, issuer group manager unit ID 530, audience group manager unit ID 535, expiration time of token 540, issuance time of token 545, and member ID 550. Login location tag 525 may indicate the server or identify a group or universally unique identifier (UUID) of a master of a group corresponding to the management controller where the user first logged in. For example, login location tag 525 may indicate the server using a server service tag. If the server service tag corresponds to a management controller in the local group, the user may gain full access privileges. If the server service tag does not correspond to a management controller in the local group, the user may have read only access to aggregate group or larger aggregate group information. Issuer group manager unit ID 530 may indicate the UUID of the group manager, the UUID of the group manager of the aggregate group, the master of a local group, or a member of a local group that issues the single sign-on token. The issuer group manager unit ID 530 may correspond to a different management controller than login location tag 525. If the user has traversed through the distributed computing group hierarchy back to the management controller at which the user initially logged in, the issuer group manager unit ID 530 may correspond to the same management controller as login location tag 525. Audience group manager unit ID 535 may indicate the UUID of the management controller that is the group manager of the aggregate group, the master of a local group, or a member of the local group that is the intended audience for the single sign-on token. 
Specifying the UUID of the master of the local group, for example, may indicate that the local group is the audience for the single sign-on token. As another example, specifying the UUID of the management controller that is the group manager of the aggregate group may indicate that the aggregate group is the audience for the single sign-on token, which may provide the user with full access to the management controllers in the local groups that are part of the aggregate group. Expiration time of token 540 may indicate when the single sign-on token is set to expire. The expiration time may be defined in any suitable increment, such as 30 seconds. The time may be measured relative to the time at the issuer group manager as specified by issuance time of token 545, which may be defined in the same increment as expiration time of token 540. The user may need to prove user account credentials again after the single sign-on token expires. Member ID 550 may indicate the member UUID of the management controller that most recently used single sign-on token 500. Although encrypted payload 510 is shown with six fields, any number of fields suitable for single sign-on in a distributed computing group hierarchy may be used.
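The token layout of FIGS. 5A and 5B, as an added example written for this page (not code from the patent or from Dell): it issues a JSON web token whose payload carries the six fields of encrypted payload 510, verifies signature, audience and lifetime on receipt, and shows how a controller that accepted the token re-issues it for the next hop. The claim names, the sample controller identifiers, the shared secret and the use of HMAC-SHA256 are assumptions; the disclosure describes an RSA-4096 JSON web signature with SHA256, and HMAC is used here only so the block runs with the standard library alone. The point it demonstrates is that the login location tag is fixed at first login and copied unchanged on every re-issue, while issuer, audience, member ID and the two timestamps change per hop.

```python
"""Constructed example: a JSON web token carrying the login location tag of FIG. 5B.

Assumptions (not from the patent): the claim names, the sample identifiers and the
HMAC-SHA256 stand-in for the RS256 signature the disclosure describes.
"""
import base64
import hashlib
import hmac
import json
import time

TOKEN_TTL_SECONDS = 30   # the 30-second expiration increment named in the text


class TokenError(ValueError):
    """Raised when a single sign-on token fails verification."""


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode(obj) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


def _signature(secret: bytes, signing_input: str) -> str:
    return _b64url(hmac.new(secret, signing_input.encode(), hashlib.sha256).digest())


def issue_token(secret, login_location_tag, issuer_id, audience_id, member_id,
                now=None, ttl=TOKEN_TTL_SECONDS):
    """Build a token. login_location_tag names the controller where the user first
    logged in; it is set once here and never rewritten afterwards."""
    now = int(time.time()) if now is None else int(now)
    header = {"alg": "HS256", "typ": "JWT"}          # FIG. 5A header: structure and algorithm
    payload = {
        "login_location_tag": login_location_tag,        # 525
        "issuer_group_manager_unit_id": issuer_id,       # 530
        "audience_group_manager_unit_id": audience_id,   # 535
        "exp": now + ttl,                                # 540, relative to the issuer's clock
        "iat": now,                                      # 545
        "member_id": member_id,                          # 550, last controller that used the token
    }
    signing_input = f"{_encode(header)}.{_encode(payload)}"
    return f"{signing_input}.{_signature(secret, signing_input)}"


def verify_token(secret, token, expected_audience, now=None):
    """Check signature first, then algorithm, audience and lifetime; return the payload."""
    now = int(time.time()) if now is None else int(now)
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise TokenError("malformed token")
    signing_input = f"{header_b64}.{payload_b64}"
    if not hmac.compare_digest(_signature(secret, signing_input), sig_b64):
        raise TokenError("bad signature")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise TokenError("unexpected algorithm")
    payload = json.loads(_b64url_decode(payload_b64))
    if payload["audience_group_manager_unit_id"] != expected_audience:
        raise TokenError("token not addressed to this controller")
    if now >= payload["exp"] or now < payload["iat"]:
        raise TokenError("token expired or not yet valid")
    return payload


def forward_token(secret, token, this_controller, next_audience, now=None):
    """A controller that accepted the token re-issues it for the next hop: the login
    location tag is copied unchanged, issuer and member ID become this controller,
    the audience becomes the next target and the timestamps are refreshed."""
    payload = verify_token(secret, token, this_controller, now)
    return issue_token(secret, payload["login_location_tag"], this_controller,
                       next_audience, this_controller, now)


def check_token(secret, token, expected_audience, now=None) -> str:
    """Convenience wrapper: 'ok' or the reason verification failed."""
    try:
        verify_token(secret, token, expected_audience, now)
        return "ok"
    except TokenError as err:
        return str(err)


def relabel_without_signing(token, new_login_location):
    """Rewrite the login location tag without re-signing; verify_token must reject
    the result because the signature no longer covers the payload."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(_b64url_decode(payload_b64))
    payload["login_location_tag"] = new_login_location
    return f"{header_b64}.{_encode(payload)}.{sig_b64}"
```

The signature is checked before any field is parsed, so an altered payload is rejected as "bad signature" rather than being partially trusted; the audience check is what binds a token to one controller, which is why forwarding has to re-issue rather than pass the same token along.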
Referring now to FIG. 6, a flow chart depicting selected elements of a method for configuring a group of groups distributed computing group hierarchy is shown in accordance with some embodiments of the present disclosure. Method 600 may be implemented by any of the elements shown in FIGS. 1-5. Method 600 may be initiated by any suitable criteria and may initiate operation at any suitable point. In one embodiment, method 600 may initiate operation at 605. Method 600 may include greater or fewer steps than those illustrated. Moreover, method 600 may execute its steps in an order that is different than those illustrated below. Method 600 may terminate at any suitable step. Moreover, method 600 may repeat operation at any suitable step. Portions of method 600 may be performed in parallel and repeat with respect to other portions of method 600.
At 605, a management controller may receive a request to authenticate a user for access. The request may include user access credentials or a single sign-on token. At 610, the management controller may authenticate the user by verifying the user access credentials or the single sign-on token. At 615, the management controller may create a single sign-on token for the user with an initial login location corresponding to the management controller if the request included user access credentials. The initial login location may be any suitable identifier for the management controller, such as the UUID of the management controller or the Internet Protocol address of the management controller in the distributed computing group hierarchy.
At 620, the management controller may be used to create a group of groups by registering the local group with an aggregate group. Registration may include adding a certificate for the local group for the aggregate group and adding a certificate for the aggregate group with the local group. The certificate may include the Internet Protocol address of a group member, a group UUID, and a group shared public key. The certificates may be imported and exported using a group manager or by manual handling of certificates. Manual handling of the certificates may include the group manager displaying a base64 encoded certificate as a quick response (QR) code for a user to scan using a mobile information handling system. For example, the group manager of the local group may export the certificate of the local group, the group manager of the aggregate group may import the certificate of the local group and export the certificate of the aggregate group, and the group manager of the local group may then import the certificate of the aggregate group. As another example, the group managers of the local group and aggregate group may display QR codes representing their certificates. In this case, the user may scan the QR codes using a mobile information handling system, and import the local group certificate into the aggregate group and the aggregate group certificate into the local group.
At 625, the management controller may be used to register other local groups with the aggregate group. For example, “Local Group 2,” “Local Group 3,” and “Local Group 4” may join “Aggregate Group 1.” At 630, the management controller may be used to create a larger aggregate group. For example, “Larger Aggregate Group 1” may be created to include “Aggregate Group 1.” At 635, other aggregate groups may be registered with the larger aggregate group. For example, “Aggregate Group 2” and “Aggregate Group 3” may be registered with the “Larger Aggregate Group 1.”
Referring now to FIG. 7, a flow chart depicting selected elements of a method for group of groups single sign-on demarcation based on first user login is shown in accordance with some embodiments of the present disclosure. Method 700 may be implemented by any of the elements shown in FIGS. 1-6. Method 700 may be initiated by any suitable criteria and may initiate operation at any suitable point. In one embodiment, method 700 may initiate operation at 705. Method 700 may include greater or fewer steps than those illustrated. Moreover, method 700 may execute its steps in an order that is different than those illustrated below. Method 700 may terminate at any suitable step. Moreover, method 700 may repeat operation at any suitable step. Portions of method 700 may be performed in parallel and repeat with respect to other portions of method 700.
At 705, a management controller may receive a request to authenticate the user for access to a target management controller. At 710, it may be determined whether the request corresponds to traversing up the distributed computing group hierarchy. If the request corresponds to traversing upward, method 700 may proceed to 715. Otherwise, method 700 may proceed to 720. At 715, it may be determined whether a trust link is established to the aggregate group. A trust link may be established between groups at any two levels in the distributed computing group hierarchy. For example, a trust link may be established between a local group and an aggregate group. As another example, a trust link may be established between an aggregate group and a larger aggregate group. The aggregate group may be the group in which the target management controller resides. If a trust link is established, method 700 may proceed to 740. Otherwise, method 700 may proceed to 755. At 720, it may be determined whether the request corresponds to traversing down the distributed computing group hierarchy. If the request corresponds to traversing downward, method 700 may proceed to 725. Otherwise, method 700 may proceed to 745.
At 725, it may be determined whether a trust link is established from the aggregate group. The target management controller may be a member of the aggregate group. If a trust link is established, method 700 may proceed to 730. Otherwise, method 700 may proceed to 755. At 730, it may be determined whether the initial login location is in the same aggregate group as the aggregate group of the target management controller. If the aggregate groups are the same, method 700 may proceed to 735. Otherwise, method 700 may proceed to 755. At 735, it may be determined whether the initial login location is the group manager of the same aggregate group as the aggregate group of the target management controller. If the initial login location is the group manager of the same aggregate group, method 700 may proceed to 750. Otherwise, method 700 may proceed to 740. At 740, read only access may be allowed for the user. The user may be able to read aggregate information about the target management controller based on the initial login location of the user and the location of the target management controller.
At 745, it may be determined whether the initial login location is in the same local group as the target management controller. The initial login location in the single sign-on token may be used to determine the local group for which the user has access. If the local groups are the same, method 700 may proceed to 750. Otherwise, method 700 may proceed to 755. At 750, full access to the local group of the target management controller may be allowed using the single sign-on token. For example, the information and configuration files of each management controller in the local group may be read, written, and/or modified. At 755, user access may be denied.
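The registration steps 620-635 of method 600 and the decision steps 705-755 of method 700, as one added example that is not part of the patent: a small model of the hierarchy of FIG. 4 in which registering a group with the group one level up records a trust link (standing in for the two-way certificate exchange), and decide_access walks the flowchart of FIG. 7 for a token's initial login location and a target management controller. The group names, controller identifiers, level names and the extra secondary master placed in aggregate group 1 are constructed; "the aggregate group" at 725-735 is read, as the flowchart states it, as the group directly above the target's group.

```python
"""Constructed example (not from the patent): the group of groups hierarchy of
FIG. 4, the registration of method 600 and the access decision of method 700.
Group names, controller ids and level names are made up for this example."""
from dataclasses import dataclass, field
from typing import Optional

LEVELS = {"local": 0, "aggregate": 1, "larger": 2}   # bottom to top of the hierarchy
FULL, READ_ONLY, DENIED = "full", "read_only", "denied"


@dataclass
class Group:
    name: str
    level: str
    manager: str                                   # controller acting as group manager or master
    members: set = field(default_factory=set)      # controllers that belong directly to this group
    parent: Optional[str] = None                   # group this group is registered with


class Hierarchy:
    def __init__(self):
        self.groups = {}
        self.trust_links = set()                   # (child group, parent group) after certificate exchange

    def add_group(self, group):
        group.members.add(group.manager)            # the manager is itself a member of its group
        self.groups[group.name] = group

    def register(self, child, parent):
        """Method 600, 620-635: register a group with the group one level up.
        The certificate exchange in both directions is modelled as a trust link."""
        c, p = self.groups[child], self.groups[parent]
        if LEVELS[p.level] != LEVELS[c.level] + 1:
            raise ValueError(f"{child} cannot register with {parent}: wrong level")
        c.parent = parent
        self.trust_links.add((child, parent))

    def group_of(self, mc_id):
        """The group a controller belongs to (its local group, or the group it manages)."""
        for g in self.groups.values():
            if mc_id in g.members:
                return g
        raise KeyError(f"unknown management controller {mc_id}")

    def trusted(self, lower, upper):
        """True when a chain of trust links leads from group `lower` up to `upper`."""
        cur = lower
        while cur != upper:
            nxt = self.groups[cur].parent
            if nxt is None or (cur, nxt) not in self.trust_links:
                return False
            cur = nxt
        return True


def decide_access(h, token_payload, target_mc):
    """Method 700: what the holder of the token may do on target_mc."""
    login_mc = token_payload["login_location_tag"]
    login_group, target_group = h.group_of(login_mc), h.group_of(target_mc)
    login_lvl, target_lvl = LEVELS[login_group.level], LEVELS[target_group.level]

    if target_lvl > login_lvl:                               # 710: traversing up
        # 715: trust link up to the group in which the target resides -> 740 or 755
        return READ_ONLY if h.trusted(login_group.name, target_group.name) else DENIED

    if target_lvl < login_lvl:                               # 720: traversing down
        aggregate = target_group.parent                      # group directly above the target's group
        if aggregate is None or (target_group.name, aggregate) not in h.trust_links:
            return DENIED                                    # 725: no trust link from the aggregate group
        if aggregate != login_group.name:
            return DENIED                                    # 730: login location in another aggregate group
        if login_mc == h.groups[aggregate].manager:
            return FULL                                      # 735 -> 750: logged in at the group manager
        return READ_ONLY                                     # 735 -> 740: aggregate group member, not manager

    # same level: 745, same local group -> 750, otherwise 755
    return FULL if login_group.name == target_group.name else DENIED


def build_sample_hierarchy():
    """Constructed hierarchy loosely following FIG. 4; local group S stays unregistered."""
    h = Hierarchy()
    h.add_group(Group("larger aggregate group 1", "larger", "mc-lag1"))
    h.add_group(Group("aggregate group 1", "aggregate", "mc-ag1", {"mc-ag1-secondary"}))
    h.add_group(Group("aggregate group 2", "aggregate", "mc-ag2"))
    h.add_group(Group("local group Q", "local", "mc-q1", {"mc-q2", "mc-q3"}))
    h.add_group(Group("local group R", "local", "mc-r1", {"mc-r2"}))
    h.add_group(Group("local group 1", "local", "mc-l1", {"mc-l2"}))
    h.add_group(Group("local group S", "local", "mc-s1", {"mc-s2"}))
    for child, parent in [("local group Q", "aggregate group 1"),
                          ("local group R", "aggregate group 1"),
                          ("local group 1", "aggregate group 2"),
                          ("aggregate group 1", "larger aggregate group 1"),
                          ("aggregate group 2", "larger aggregate group 1")]:
        h.register(child, parent)
    return h


if __name__ == "__main__":
    h = build_sample_hierarchy()
    for login, target in [("mc-q2", "mc-q3"), ("mc-q2", "mc-ag1"), ("mc-ag1", "mc-q3"),
                          ("mc-ag1-secondary", "mc-q3"), ("mc-ag1", "mc-l2"), ("mc-s1", "mc-ag1")]:
        print(f"login at {login}, target {target}: {decide_access(h, {'login_location_tag': login}, target)}")
```

Read literally, the flowchart denies a sideways request between two different local groups at 755; the read only view of another local group's aggregate information described for FIG. 4 is reached by traversing up to the aggregate group manager (715 to 740), and full access to another local group requires the elevation of method 800 or an initial login at the aggregate group manager (735 to 750). Registration is also what makes the trust chain, so a local group that was never registered is denied even for read only access.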
Referring now to FIG. 8, a flow chart depicting selected elements of a method for elevated privileges of single sign-on in a group of groups is shown in accordance with some embodiments of the present disclosure. Method 800 may be implemented by any of the elements shown in FIGS. 1-7. Method 800 may be initiated by any suitable criteria and may initiate operation at any suitable point. In one embodiment, method 800 may initiate operation at 805. Method 800 may include greater or fewer steps than those illustrated. Moreover, method 800 may execute its steps in an order that is different than those illustrated below. Method 800 may terminate at any suitable step. Moreover, method 800 may repeat operation at any suitable step. Portions of method 800 may be performed in parallel and repeat with respect to other portions of method 800.
At 805, a management controller may receive a request from a user to elevate the privileges of the user for the user to gain access to another local group. The management controller may operate as the group manager for the local group. The user may have previously provided user account credentials to log in to the local group. A single sign-on token with the initial login location may have been created when the user first logged in using user account credentials.
At 810, it may be determined whether the other local group is registered with the aggregate group associated with the management controller that received the request. The management controller may determine which other local group the request is directed to by using any suitable identifier for the other local group, such as the UUID or Internet Protocol address of the group manager or master for the other local group. If the other local group is already registered with the aggregate group, the group manager of the aggregate group may hold a certificate corresponding to the other local group. The certificate may include one or more identifiers corresponding to the other local group including, but not limited to, the Internet Protocol address of a group member, a group UUID, and a group shared public key. If the other local group is registered with the aggregate group, method 800 may proceed to 815. Otherwise, method 800 may proceed to 825. At 815, the management controller that received the request may redirect the request to a controlling member. The controlling member may be the controlling member of the other local group or the controlling member of the aggregate group that includes the local group at which the request was received and the other local group. The controlling member of the aggregate group, such as the group manager or master of the aggregate group or larger aggregate group, may have all the required information to authenticate the user using a single sign-on token. The management controller that received the request may include a single sign-on token for the user in the redirection. For example, the management controller may redirect the request to the group manager or master of the other local group. The redirection may result in the user being prompted by a member of the other local group for user account credentials to elevate the access privileges for the user. 
For example, the user may be shown a new webpage or window in which the user may enter user account credentials for authentication, such as biometric authentication, smartcard authentication, and/or authentication using a username and password. Other suitable forms of authentication that may verify the identity and credentials of the user may be used. Once the user is authenticated, the controlling member may, for example, update the single sign-on token. The single sign-on token may be updated with the initial login location such that the user has full access to at least two local groups. As another example, the controlling member may create a new single sign-on token or a portion of a new single sign-on token, such as the initial login location, and send the information back to the management controller that redirected the request.
At 820, the management controller that received the request may wait for the controlling member of the other local group to authenticate the user using the single sign-on token. The management controller may receive a single sign-on token from the controlling member of the other local group. At 825, the management controller may register the other local group with the aggregate group corresponding to the initial login location. Registration may be performed by group managers and/or a user, as described in more detail for 620 and 625 of FIG. 6 above. For example, if the initial login location was a management controller in “Local Group 1,” which is part of “Aggregate Group 1,” the other local group (“Local Group 2”) may be registered with “Aggregate Group 1.”
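The access decision of method 700 (steps 725-755) and the privilege elevation of method 800 (steps 805-825), as an added Python example that is not code from the patent or from Dell. Everything concrete in it is constructed: the group layout, the service tags, the user names and the group keys. An HMAC over the token under a group shared key stands in for the certificate and group shared public key the description mentions, the trust link at 725 is taken to mean that the token verifies under a key the target's aggregate group holds, and, consistent with claim 1, the read-only view of aggregate information allowed at 740 is kept when local-group access is denied at 755. After registration at 825 the example returns without retrying the request, since the description does not say what follows registration.

```python
"""Added illustration of methods 700 (725-755) and 800 (805-825); layout, tags and keys are constructed."""
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum

class Access(Enum):
    DENY = 0       # 755: no trust link, or initial login outside the aggregate group
    READ_ONLY = 1  # 740: aggregate information viewable, local group denied
    FULL = 2       # 750: full access to the target's local group

@dataclass
class LocalGroup:
    name: str
    manager: str        # service tag of the group manager (controlling member)
    members: frozenset  # service tags of every controller in the group
    key: bytes          # group shared key; an HMAC key stands in for the certificate

@dataclass
class AggregateGroup:
    name: str
    manager: str      # controller managing the aggregate group
    registered: dict  # local group name -> LocalGroup (certificates held by the manager)

@dataclass
class SsoToken:
    user: str
    login_locations: list  # initial login location first, elevated locations after
    signed_by: str         # controller whose group key signed the token
    mac: bytes = b""

    def payload(self) -> bytes:
        return f"{self.user}|{','.join(self.login_locations)}|{self.signed_by}".encode()

    def sign(self, key: bytes) -> "SsoToken":
        self.mac = hmac.new(key, self.payload(), hashlib.sha256).digest()
        return self

@dataclass
class Hierarchy:
    aggregates: list

    def locate(self, tag):  # (aggregate, local group) holding `tag`, else (None, None)
        for agg in self.aggregates:
            for lg in agg.registered.values():
                if tag in lg.members:
                    return agg, lg
        return None, None

    def trust_link(self, token, target_agg) -> bool:
        # 725: the MAC verifies under a group key that the target's aggregate holds
        _, issuer = self.locate(token.signed_by)
        if issuer is None or issuer.name not in target_agg.registered:
            return False
        expected = hmac.new(issuer.key, token.payload(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, token.mac)

    def decide_access(self, token, target_tag) -> Access:
        target_agg, target_local = self.locate(target_tag)
        if target_agg is None or not self.trust_link(token, target_agg):
            return Access.DENY                                    # 725 -> 755
        best = Access.DENY
        for loc in token.login_locations:
            if loc == target_agg.manager:
                return Access.FULL                                # 735 -> 750
            login_agg, login_local = self.locate(loc)
            if login_agg is target_agg and login_local is target_local:
                return Access.FULL                                # 745 -> 750
            if login_agg is target_agg:
                best = Access.READ_ONLY                           # 740 (else 730 -> 755)
        return best

    def elevate(self, token, receiving_tag, other, reauthenticate) -> str:
        # 805-825; reauthenticate(user) stands in for the credential prompt at the other group
        agg, _ = self.locate(receiving_tag)
        if agg is not None and other.name not in agg.registered:  # 810 -> 825
            agg.registered[other.name] = other
            return "registered"
        if agg is None or not reauthenticate(token.user):         # 815: redirected prompt failed
            return "rejected"
        token.login_locations.append(other.manager)               # 820: re-authenticated token
        token.signed_by = other.manager
        token.sign(other.key)
        return "elevated"

def demo():
    lg1 = LocalGroup("Local Group 1", "TAG-A1", frozenset({"TAG-A1", "TAG-A2"}), b"k1")
    lg2 = LocalGroup("Local Group 2", "TAG-B1", frozenset({"TAG-B1", "TAG-B2"}), b"k2")
    lg3 = LocalGroup("Local Group 3", "TAG-C1", frozenset({"TAG-C1"}), b"k3")
    h = Hierarchy([AggregateGroup("Aggregate Group 1", "TAG-A1", {lg1.name: lg1, lg2.name: lg2}),
                   AggregateGroup("Aggregate Group 2", "TAG-C1", {lg3.name: lg3})])
    tok = SsoToken("alice", ["TAG-A2"], "TAG-A1").sign(lg1.key)  # first login at TAG-A2
    out = {"own_group": h.decide_access(tok, "TAG-A1"),
           "sibling_group": h.decide_access(tok, "TAG-B2"),
           "other_aggregate": h.decide_access(tok, "TAG-C1"),
           "aggregate_manager": h.decide_access(SsoToken("bob", ["TAG-A1"], "TAG-A1").sign(lg1.key), "TAG-B2"),
           "forged": h.decide_access(SsoToken("eve", ["TAG-A1"], "TAG-A1").sign(b"guess"), "TAG-B2"),
           "elevate": h.elevate(tok, "TAG-A2", lg2, lambda user: user == "alice")}
    out["sibling_after"] = h.decide_access(tok, "TAG-B2")
    return out
```

In `demo()`, the user who first logged in at a member of Local Group 1 gets full access within that group, read-only aggregate information for the sibling Local Group 2, and nothing in Aggregate Group 2, while a token whose MAC does not verify is refused at 725 even though it names the aggregate manager as its login location. After `elevate()` the same token carries a second login location signed by Local Group 2's controlling member, so the sibling group becomes fully accessible without the first group losing anything.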
The above disclosed subject matter is to be considered illustrative, and not restrictive, and the appended claims are intended to cover all such modifications, enhancements, and other embodiments which fall within the true spirit and scope of the present disclosure. Thus, to the maximum extent allowed by law, the scope of the present disclosure is to be determined by the broadest permissible interpretation of the following claims and their equivalents, and shall not be restricted or limited by the foregoing detailed description.

Claims (17)

What is claimed is:
1. A method for access in a management controller group hierarchy, comprising:
receiving a request for a user at a first management controller of a first information handling system in a management controller group hierarchy, the request to authenticate the user for access using a single sign-on token and the management controller group hierarchy formed with two or more levels, each level formed with one or more groups corresponding to one or more management controllers of one or more information handling systems;
determining whether a link of trust is established based on an initial login location stored in the single sign-on token;
validating the request to authenticate the user for access using the single sign-on token based on a determination that the link of trust is established;
determining whether the initial login location is recognized;
based on a determination that the initial login location is not recognized:
granting the user access to view information about an aggregate group in the management controller group hierarchy, the aggregate group including a first local group in the management controller group hierarchy; and
denying the user access to the first local group of the aggregate group.
2. The method of claim 1, further comprising:
receiving a re-authenticated single sign-on token from a controlling member of a second local group in the management controller group hierarchy, the re-authenticated single sign-on token received after a request to elevate privileges is received and the second local group not including the first management controller; and
granting the user full access to the second local group of the aggregate group based on receiving the re-authenticated single sign-on token from the controlling member of the second local group.
3. The method of claim 1, further comprising:
receiving a request to elevate privileges of the user to enable access to a second local group in the management controller group hierarchy, the second local group in the management controller group hierarchy not including the first management controller of the first information handling system;
redirecting the request to elevate privileges to a controlling member of the second local group; and
receiving a re-authenticated single sign-on token back from the controlling member of the second local group.
4. The method of claim 3, further comprising:
determining whether a login location stored in the re-authenticated single sign-on token corresponds to a second management controller that manages the aggregate group in the management controller group hierarchy, the aggregate group including the first management controller of the first information handling system that received the request to authenticate the user for access; and
granting the user full access to the first local group and second local group based on a determination that the login location stored in the re-authenticated single sign-on token corresponds to the second management controller that manages the aggregate group in the management controller group hierarchy.
5. The method of claim 1, wherein determining whether the link of trust is established based on the initial login location is based on a determination whether the management controller of the first information handling system and a second management controller of a second information handling system are part of the same local group in the management controller group hierarchy.
6. An information handling system, comprising:
a processor subsystem comprising a primary processor having access to a first memory;
a management controller comprising a secondary processor having access to a second memory, the second memory including an embedded storage partition and the second memory storing instructions executable by the secondary processor to:
receive a request for a user at the management controller of the information handling system in a management controller group hierarchy, the request to authenticate the user for access using a single sign-on token and the management controller group hierarchy formed with two or more levels, each level formed with one or more groups corresponding to one or more management controllers of one or more information handling systems;
determine whether a link of trust is established based on an initial login location stored in the single sign-on token;
validate the request to authenticate the user for access using the single sign-on token based on a determination that the link of trust is established;
determine whether the initial login location is recognized;
based on a determination that the initial login location is not recognized:
grant the user access to view information about an aggregate group in the management controller group hierarchy, the aggregate group including a first local group in the management controller group hierarchy; and
deny the user access to the first local group of the aggregate group.
7. The information handling system of claim 6, further comprising instructions executable by the secondary processor to:
receive a re-authenticated single sign-on token from a controlling member of a second local group in the management controller group hierarchy, the re-authenticated single sign-on token received after a request to elevate privileges is received and the second local group not including the management controller; and
grant the user full access to the second local group of the aggregate group based on receipt of the re-authenticated single sign-on token from the controlling member of the second local group.
8. The information handling system of claim 6, further comprising instructions executable by the secondary processor to:
receive a request to elevate privileges of the user to enable access to a second local group in the management controller group hierarchy, the second local group in the management controller group hierarchy not including the management controller of the information handling system;
redirect the request to elevate privileges to a controlling member of the second local group; and
receive a re-authenticated single sign-on token back from the controlling member of the second local group.
9. The information handling system of claim 8, further comprising instructions executable by the secondary processor to:
determine whether a login location stored in the re-authenticated single sign-on token corresponds to another management controller that manages the aggregate group in the management controller group hierarchy, the aggregate group including the management controller of the information handling system that received the request to authenticate the user for access; and
grant the user full access to the first local group and the second local group based on a determination that the login location stored in the re-authenticated single sign-on token corresponds to the management controller that manages the aggregate group in the management controller group hierarchy.
10. The information handling system of claim 6, wherein a determination of whether the link of trust is established based on the initial login location is based on a determination whether the management controller of the information handling system and a target management controller of another information handling system are part of the same local group in the management controller group hierarchy.
11. The information handling system of claim 6, wherein the initial login location stored in the single sign-on token indicates a service tag that corresponds to an initial management controller of an initial information handling system that corresponds to the initial login location.
12. A management controller for an information handling system having a primary processor and a primary memory, the management controller comprising a secondary processor having access to a secondary memory, the secondary memory including an embedded storage partition and the secondary memory storing instructions executable by the secondary processor to:
receive a request for a user at the management controller of the information handling system in a management controller group hierarchy, the request to authenticate the user for access using a single sign-on token and the management controller group hierarchy formed with two or more levels, each level formed with one or more groups corresponding to one or more management controllers of one or more information handling systems;
determine whether a link of trust is established based on an initial login location stored in the single sign-on token;
validate the request to authenticate the user for access using the single sign-on token based on a determination that the link of trust is established;
determine whether the initial login location is recognized;
based on a determination that the initial login location is not recognized:
grant the user access to view information about an aggregate group in the management controller group hierarchy, the aggregate group including a first local group in the management controller group hierarchy; and
deny the user access to the first local group included in the aggregate group.
13. The management controller of claim 12, further comprising instructions executable by the secondary processor to:
receive a re-authenticated single sign-on token from a controlling member of a second local group in the management controller group hierarchy, the re-authenticated single sign-on token received after a request to elevate privileges is received and the second local group not including the management controller; and
grant the user full access to the second local group of the aggregate group based on receipt of the re-authenticated single sign-on token from the controlling member of the second local group.
14. The management controller of claim 12, further comprising instructions executable by the secondary processor to:
receive a request to elevate privileges of the user to enable access to a second local group in the management controller group hierarchy, the second local group in the management controller group hierarchy not including the management controller of the information handling system;
redirect the request to elevate privileges to a controlling member of the second local group; and
receive a re-authenticated single sign-on token back from the controlling member of the second local group.
15. The management controller of claim 14, further comprising instructions executable by the secondary processor to:
determine whether a login location stored in the re-authenticated single sign-on token corresponds to another management controller that manages the aggregate group in the management controller group hierarchy, the aggregate group including the management controller of the information handling system that received the request to authenticate the user for access; and
grant the user full access to the first local group and the second local group based on a determination that the login location stored in the re-authenticated single sign-on token corresponds to the management controller that manages the aggregate group in the management controller group hierarchy.
16. The management controller of claim 12, wherein a determination of whether the link of trust is established based on the initial login location is based on a determination whether the management controller of the information handling system and a target management controller of another information handling system are part of the same local group in the management controller group hierarchy.
17. The management controller of claim 12, wherein the initial login location stored in the single sign-on token indicates a service tag that corresponds to an initial management controller of an initial information handling system that corresponds to the initial login location.

Priority Applications (1)

Application Number Priority Date Filing Date Title
US15/891,815 US11196733B2 (en) 2018-02-08 2018-02-08 System and method for group of groups single sign-on demarcation based on first user login

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US15/891,815 US11196733B2 (en) 2018-02-08 2018-02-08 System and method for group of groups single sign-on demarcation based on first user login

Publications (2)

Publication Number Publication Date
US20190245843A1 US20190245843A1 (en) 2019-08-08
US11196733B2 true US11196733B2 (en) 2021-12-07

Family

ID=67475853

Family Applications (1)

Application Number Title Priority Date Filing Date
US15/891,815 Active 2040-02-13 US11196733B2 (en) 2018-02-08 2018-02-08 System and method for group of groups single sign-on demarcation based on first user login

Country Status (1)

Country Link
US (1) US11196733B2 (en)

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR102187546B1 (en) * 2019-01-30 2020-12-07 문재호 Group Communication Service Providing Method, System and Computer-readable Medium
US11526928B2 (en) 2020-02-03 2022-12-13 Dell Products L.P. System and method for dynamically orchestrating application program interface trust
WO2021232347A1 (en) * 2020-05-21 2021-11-25 Citrix Systems, Inc. Cross device single sign-on
US20220103543A1 (en) * 2020-09-25 2022-03-31 Dell Products, Lp Secure authentication method for performing a host operation using a delegated authorization mechanism
US20220292178A1 (en) * 2021-03-15 2022-09-15 Dell Products, L.P. Systems and methods for scaled user authentication in modern workspaces
US12277495B1 (en) 2021-03-31 2025-04-15 Amazon Technologies, Inc. Hyper-rectangle network for gradient exchange
US20230036002A1 (en) * 2021-07-26 2023-02-02 Dell Products L.P. Delegated authorization via single access token
US12169537B2 (en) * 2021-10-01 2024-12-17 Dell Products, L.P. Scope-based access control system and method
US12294586B2 (en) * 2022-01-24 2025-05-06 Dell Products, L.P. Systems and methods for instance-based permissions for data center management tasks

Citations (103)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20010000358A1 (en) * 1998-06-12 2001-04-19 Kousei Isomichi Gateway system and recording medium
US6295361B1 (en) 1998-06-30 2001-09-25 Sun Microsystems, Inc. Method and apparatus for multicast indication of group key change
US6339423B1 (en) * 1999-08-23 2002-01-15 Entrust, Inc. Multi-domain access control
US20020073320A1 (en) * 2000-12-07 2002-06-13 International Business Machines Corporation Aggregated authenticated identity apparatus for and method therefor
US20030051026A1 (en) * 2001-01-19 2003-03-13 Carter Ernst B. Network surveillance and security system
US20030120948A1 (en) * 2001-12-21 2003-06-26 Schmidt Donald E. Authentication and authorization across autonomous network systems
US20030145204A1 (en) * 2002-01-29 2003-07-31 Mehrdad Nadooshan Method and apparatus for simultaneously establishing user identity and group membership
US20030154403A1 (en) * 2001-08-14 2003-08-14 Keinsley Brian E. Web-based security with controlled access to data and resources
US20030163733A1 (en) * 2002-02-28 2003-08-28 Ericsson Telefon Ab L M System, method and apparatus for federated single sign-on services
US20040070604A1 (en) * 2002-10-10 2004-04-15 Shivaram Bhat Plugin architecture for extending polices
US20040098615A1 (en) * 2002-11-16 2004-05-20 Mowers David R. Mapping from a single sign-in service to a directory service
US20040111645A1 (en) * 2002-12-05 2004-06-10 International Business Machines Corporation Method for providing access control to single sign-on computer networks
US20040128393A1 (en) * 2002-12-31 2004-07-01 International Business Machines Corporation Method and system for consolidated sign-off in a heterogeneous federated environment
US20040260952A1 (en) * 2003-05-28 2004-12-23 Newman Gary H. Secure user access subsystem for use in a computer information database system
US20050005094A1 (en) * 2003-06-18 2005-01-06 Microsoft Corporation System and method for unified sign-on
US20050021978A1 (en) * 2003-06-26 2005-01-27 Sun Microsystems, Inc. Remote interface for policy decisions governing access control
US20050081055A1 (en) * 2003-10-10 2005-04-14 Bea Systems, Inc. Dynamically configurable distributed security system
US20050097353A1 (en) * 2003-10-10 2005-05-05 Bea Systems, Inc. Policy analysis tool
US20050097166A1 (en) * 2003-10-10 2005-05-05 Bea Systems, Inc. Policy inheritance through nested groups
US20050097352A1 (en) * 2003-10-10 2005-05-05 Bea Systems, Inc. Embeddable security service module
US20050204041A1 (en) * 2004-03-10 2005-09-15 Microsoft Corporation Cross-domain authentication
US20050251852A1 (en) * 2003-10-10 2005-11-10 Bea Systems, Inc. Distributed enterprise security system
US20050251851A1 (en) * 2003-10-10 2005-11-10 Bea Systems, Inc. Configuration of a distributed security system
US20050257245A1 (en) * 2003-10-10 2005-11-17 Bea Systems, Inc. Distributed security system with dynamic roles
US20050262362A1 (en) * 2003-10-10 2005-11-24 Bea Systems, Inc. Distributed security system policies
KR20050117275A (en) * 2004-06-10 2005-12-14 세종대학교산학협력단 Method for single-sign-on based on markup language, and system for the same
US20050283443A1 (en) * 2004-06-16 2005-12-22 Hardt Dick C Auditable privacy policies in a distributed hierarchical identity management system
US20060123472A1 (en) * 2004-12-07 2006-06-08 Microsoft Corporation Providing tokens to access federated resources
US7137006B1 (en) * 1999-09-24 2006-11-14 Citicorp Development Center, Inc. Method and system for single sign-on user access to multiple web servers
US20060259614A1 (en) * 2005-05-11 2006-11-16 Bea Systems, Inc. System and method for distributed data redaction
US20060259954A1 (en) * 2005-05-11 2006-11-16 Bea Systems, Inc. System and method for dynamic data redaction
US20060259977A1 (en) * 2005-05-11 2006-11-16 Bea Systems, Inc. System and method for data redaction client
US20080021997A1 (en) * 2006-07-21 2008-01-24 Hinton Heather M Method and system for identity provider migration using federated single-sign-on operation
US20080072300A1 (en) * 2006-08-15 2008-03-20 Zachary Adam Garbow Methods and Apparatus for Improving Security of a Network System
US20080072301A1 (en) * 2004-07-09 2008-03-20 Matsushita Electric Industrial Co., Ltd. System And Method For Managing User Authentication And Service Authorization To Achieve Single-Sign-On To Access Multiple Network Interfaces
US20080077809A1 (en) * 2006-09-22 2008-03-27 Bea Systems, Inc. Credential Vault Encryption
US20080134286A1 (en) * 2000-04-19 2008-06-05 Amdur Eugene Computer system security service
US20080235361A1 (en) * 2007-03-21 2008-09-25 David Crosbie Management layer method and apparatus for dynamic assignment of users to computer resources
US7480934B2 (en) * 2003-06-17 2009-01-20 International Business Machines Corporation Multiple identity management in an electronic commerce site
US7512965B1 (en) * 2000-04-19 2009-03-31 Hewlett-Packard Development Company, L.P. Computer system security service
US20090249440A1 (en) * 2008-03-30 2009-10-01 Platt Darren C System, method, and apparatus for managing access to resources across a network
US7685206B1 (en) * 2004-02-12 2010-03-23 Microsoft Corporation Authorization and access control service for distributed network resources
US20100306830A1 (en) * 2002-06-06 2010-12-02 Hardt Dick C Distributed Hierarchical Identity Management
US20100325427A1 (en) * 2009-06-22 2010-12-23 Nokia Corporation Method and apparatus for authenticating a mobile device
US20120054741A1 (en) * 2010-08-31 2012-03-01 Hewlett-Packard Development Company, L.P. User authentication virtual machine
US8255984B1 (en) * 2009-07-01 2012-08-28 Quest Software, Inc. Single sign-on system for shared resource environments
US20130086656A1 (en) * 2011-10-04 2013-04-04 Qualcomm Incorporated Method and Apparatus for Protecting a Single Sign-on Domain from Credential Leakage
US20130086669A1 (en) * 2011-09-29 2013-04-04 Oracle International Corporation Mobile application, single sign-on management
US8418232B2 (en) * 2008-03-07 2013-04-09 Aspect Software, Inc. Extensible permissions for administrative and target permissions
US20130212665A1 (en) * 2012-02-15 2013-08-15 Oracle International Corporation Signing off from multiple domains accessible using single sign-on
US20130232557A1 (en) * 2012-03-01 2013-09-05 Fujitsu Limited Service usage management method, recording medium, and information processing device
US8544069B1 (en) * 2011-04-29 2013-09-24 Intuit Inc. Methods systems and articles of manufacture for implementing user access to remote resources
US20130332606A1 (en) * 2012-06-12 2013-12-12 Microsoft Corporation Gate Keeper Cookie
US8677451B1 (en) * 2010-06-22 2014-03-18 Cellco Partnership Enabling seamless access to a domain of an enterprise
US20140093082A1 (en) 2011-07-11 2014-04-03 Lg Electronics Inc. Traffic encryption key management for machine to machine multicast group
US20140123233A1 (en) * 2012-11-01 2014-05-01 Miiicasa Taiwan Inc. Verification of network device position
US20140208119A1 (en) * 2013-01-21 2014-07-24 International Business Machines Corporation Controlling Exposure of Sensitive Data and Operation Using Process Bound Security Tokens in Cloud Computing Environment
US20140230027A1 (en) * 2011-01-07 2014-08-14 Interdigital Patent Holdings, Inc. Client and server group sso with local openid
US20140269327A1 (en) * 2007-04-18 2014-09-18 John C. Fulknier Mobile network operating method
US20140295821A1 (en) * 2013-03-29 2014-10-02 Citrix Systems, Inc. Providing mobile device management functionalities
US20150180858A1 (en) * 2013-12-23 2015-06-25 Cellco Partnership D/B/A Verizon Wireless Single sign on (sso) authorization and authentication for mobile communication devices
US20150244706A1 (en) * 2014-02-26 2015-08-27 Secureauth Corporation Security object creation, validation, and assertion for single sign on authentication
US20150365399A1 (en) * 2014-06-16 2015-12-17 Adobe Systems Incorporated Method and apparatus for sharing server resources using a local group
US20160088023A1 (en) * 2014-09-24 2016-03-24 Oracle International Corporation Services within reverse proxy servers
US20160117176A1 (en) * 2014-10-24 2016-04-28 Dell Products L.P. Pre-boot diagnostic display
US20160182499A1 (en) * 2014-12-22 2016-06-23 Mcafee, Inc. Trust establishment between a trusted execution environment and peripheral devices
US20160218866A1 (en) 2015-01-27 2016-07-28 Qualcomm Incorporated Group key announcement and distribution for a data link group
GB2536044A (en) 2015-03-05 2016-09-07 Bell Identification Bv Method and apparatus for authenticating and processing secure transactions using a mobile device
US9501273B1 (en) * 2015-09-25 2016-11-22 International Business Machines Corporation Data sharing
US20160344582A1 (en) 2014-01-10 2016-11-24 Hewlett Packard Enterprise Development Lp Call home cluster
US20160365975A1 (en) 2015-06-09 2016-12-15 Intel Corporation System, apparatus and method for group key distribution for a network
US20170026144A1 (en) 2015-07-22 2017-01-26 Robert Bosch Gmbh Method and device for validating a timestamp of a data transmission
US20170126404A1 (en) * 2015-05-08 2017-05-04 Panasonic Intellectual Property Management Co., Ltd. Authentication method, authentication system, and controller
US20170149770A1 (en) * 2015-11-24 2017-05-25 International Business Machines Corporation Using an out-of-band password to provide enhanced sso functionality
US20170149767A1 (en) * 2015-11-24 2017-05-25 International Business Machines Corporation Using a service-provider password to simulate f-sso functionality
US20170171950A1 (en) 2014-08-11 2017-06-15 RAB Lighting Inc. Wireless lighting control systems and methods
US20170170963A1 (en) * 2014-10-31 2017-06-15 Vmware, Inc. Step-up authentication for single sign-on
US9705871B2 (en) * 2013-12-13 2017-07-11 T-Mobile U.S.A., Inc Identity and access management
US20170244716A1 (en) * 2016-02-18 2017-08-24 Motorola Mobility Llc Apparatus and Method for Accessing a Network
US20170250812A1 (en) * 2016-02-25 2017-08-31 International Business Machines Corporation Align session security for connected systems
US20170359440A1 (en) * 2016-06-14 2017-12-14 Dell Products L.P. Resource management system
US20180020007A1 (en) * 2016-07-15 2018-01-18 Dell Products L.P. System and method for speed dialing information handling system configuration changes
US20180019869A1 (en) * 2016-07-15 2018-01-18 Dell Products L.P. System and method for secure messaging between distributed computing nodes
US9887836B1 (en) 2014-09-26 2018-02-06 Amazon Technologies, Inc. Unified management of cryptographic keys using virtual keys and referrals
US20180052772A1 (en) * 2015-05-14 2018-02-22 Hitachi, Ltd. Storage system and storage control method
US20180083953A1 (en) * 2016-09-21 2018-03-22 Kyocera Document Solutions Inc. Authentication system and authentication method capable of realizing single-sign-on function used for application program on image forming apparatus
US20180088928A1 (en) * 2016-09-28 2018-03-29 Mcafee, Inc. Device-driven auto-recovery using multiple recovery sources
US20180103062A1 (en) * 2016-10-06 2018-04-12 Dell Products L.P. Systems and methods for integration of directory service with management controllers
US9992186B1 (en) * 2015-06-30 2018-06-05 EMC IP Holding Company LLC SAML representation for multi-tenancy environments
US20180219863A1 (en) * 2017-01-31 2018-08-02 Pivotal Software, Inc. Invocation path security in distributed systems
US10057246B1 (en) * 2015-08-31 2018-08-21 EMC IP Holding Company LLC Method and system for performing backup operations using access tokens via command line interface (CLI)
US20190028461A1 (en) * 2017-07-21 2019-01-24 International Business Machines Corporation Privacy-aware id gateway
US20190103968A1 (en) * 2017-09-29 2019-04-04 Oracle International Corporation Trusted token relay infrastructure
US20190102534A1 (en) * 2017-10-02 2019-04-04 Red Hat, Inc. Single sign-on management for multiple independent identity providers
US20190158498A1 (en) * 2017-11-21 2019-05-23 Vmware, Inc. Adaptive device enrollment
US20190158506A1 (en) * 2017-11-21 2019-05-23 Vmware, Inc. Adaptive device enrollment
US20190163896A1 (en) * 2017-11-28 2019-05-30 American Express Travel Related Services Company, Inc. Single Sign-On Solution Using Blockchain
US10320796B2 (en) * 2010-11-18 2019-06-11 Microsoft Technology Licensing, Llc Securing partner-enabled web service
US10382426B2 (en) * 2015-07-02 2019-08-13 Adobe Inc. Authentication context transfer for accessing computing resources via single sign-on with single use access tokens
US20200073656A1 (en) * 2018-06-13 2020-03-05 Dell Products, Lp Method and Apparatus for Drift Management in Clustered Environments
US10623395B2 (en) * 2017-01-04 2020-04-14 Dell Products, L.P. System and method for directory service authentication on a service processor
US10637846B2 (en) * 2017-08-30 2020-04-28 Capital One Services, Llc System and method for cloud-based analytics
US10715458B1 (en) * 2017-12-08 2020-07-14 Amazon Technologies, Inc. Organization level identity management

Patent Citations (107)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20010000358A1 (en) * 1998-06-12 2001-04-19 Kousei Isomichi Gateway system and recording medium
US6295361B1 (en) 1998-06-30 2001-09-25 Sun Microsystems, Inc. Method and apparatus for multicast indication of group key change
US6339423B1 (en) * 1999-08-23 2002-01-15 Entrust, Inc. Multi-domain access control
US7137006B1 (en) * 1999-09-24 2006-11-14 Citicorp Development Center, Inc. Method and system for single sign-on user access to multiple web servers
US7512965B1 (en) * 2000-04-19 2009-03-31 Hewlett-Packard Development Company, L.P. Computer system security service
US20080134286A1 (en) * 2000-04-19 2008-06-05 Amdur Eugene Computer system security service
US20020073320A1 (en) * 2000-12-07 2002-06-13 International Business Machines Corporation Aggregated authenticated identity apparatus for and method therefor
US20030051026A1 (en) * 2001-01-19 2003-03-13 Carter Ernst B. Network surveillance and security system
US20030154403A1 (en) * 2001-08-14 2003-08-14 Keinsley Brian E. Web-based security with controlled access to data and resources
US20030120948A1 (en) * 2001-12-21 2003-06-26 Schmidt Donald E. Authentication and authorization across autonomous network systems
US20030145204A1 (en) * 2002-01-29 2003-07-31 Mehrdad Nadooshan Method and apparatus for simultaneously establishing user identity and group membership
US20030163733A1 (en) * 2002-02-28 2003-08-28 Ericsson Telefon Ab L M System, method and apparatus for federated single sign-on services
US20100306830A1 (en) * 2002-06-06 2010-12-02 Hardt Dick C Distributed Hierarchical Identity Management
US20040070604A1 (en) * 2002-10-10 2004-04-15 Shivaram Bhat Plugin architecture for extending polices
US20040098615A1 (en) * 2002-11-16 2004-05-20 Mowers David R. Mapping from a single sign-in service to a directory service
US20040111645A1 (en) * 2002-12-05 2004-06-10 International Business Machines Corporation Method for providing access control to single sign-on computer networks
US20040128393A1 (en) * 2002-12-31 2004-07-01 International Business Machines Corporation Method and system for consolidated sign-off in a heterogeneous federated environment
US20040260952A1 (en) * 2003-05-28 2004-12-23 Newman Gary H. Secure user access subsystem for use in a computer information database system
US7480934B2 (en) * 2003-06-17 2009-01-20 International Business Machines Corporation Multiple identity management in an electronic commerce site
US20050005094A1 (en) * 2003-06-18 2005-01-06 Microsoft Corporation System and method for unified sign-on
US20050021978A1 (en) * 2003-06-26 2005-01-27 Sun Microsystems, Inc. Remote interface for policy decisions governing access control
US20050262362A1 (en) * 2003-10-10 2005-11-24 Bea Systems, Inc. Distributed security system policies
US20050081055A1 (en) * 2003-10-10 2005-04-14 Bea Systems, Inc. Dynamically configurable distributed security system
US20050257245A1 (en) * 2003-10-10 2005-11-17 Bea Systems, Inc. Distributed security system with dynamic roles
US20050251852A1 (en) * 2003-10-10 2005-11-10 Bea Systems, Inc. Distributed enterprise security system
US20050097166A1 (en) * 2003-10-10 2005-05-05 Bea Systems, Inc. Policy inheritance through nested groups
US20050097353A1 (en) * 2003-10-10 2005-05-05 Bea Systems, Inc. Policy analysis tool
US20050097352A1 (en) * 2003-10-10 2005-05-05 Bea Systems, Inc. Embeddable security service module
US20050251851A1 (en) * 2003-10-10 2005-11-10 Bea Systems, Inc. Configuration of a distributed security system
US7685206B1 (en) * 2004-02-12 2010-03-23 Microsoft Corporation Authorization and access control service for distributed network resources
US20050204041A1 (en) * 2004-03-10 2005-09-15 Microsoft Corporation Cross-domain authentication
KR20050117275A (en) * 2004-06-10 2005-12-14 세종대학교산학협력단 Method for single-sign-on based on markup language, and system for the same
US20050283443A1 (en) * 2004-06-16 2005-12-22 Hardt Dick C Auditable privacy policies in a distributed hierarchical identity management system
US20080072301A1 (en) * 2004-07-09 2008-03-20 Matsushita Electric Industrial Co., Ltd. System And Method For Managing User Authentication And Service Authorization To Achieve Single-Sign-On To Access Multiple Network Interfaces
US20060123472A1 (en) * 2004-12-07 2006-06-08 Microsoft Corporation Providing tokens to access federated resources
US20060259614A1 (en) * 2005-05-11 2006-11-16 Bea Systems, Inc. System and method for distributed data redaction
US20060259977A1 (en) * 2005-05-11 2006-11-16 Bea Systems, Inc. System and method for data redaction client
US20060259954A1 (en) * 2005-05-11 2006-11-16 Bea Systems, Inc. System and method for dynamic data redaction
US20080021997A1 (en) * 2006-07-21 2008-01-24 Hinton Heather M Method and system for identity provider migration using federated single-sign-on operation
US20080072300A1 (en) * 2006-08-15 2008-03-20 Zachary Adam Garbow Methods and Apparatus for Improving Security of a Network System
US20080077809A1 (en) * 2006-09-22 2008-03-27 Bea Systems, Inc. Credential Vault Encryption
US20080235361A1 (en) * 2007-03-21 2008-09-25 David Crosbie Management layer method and apparatus for dynamic assignment of users to computer resources
US20140269327A1 (en) * 2007-04-18 2014-09-18 John C. Fulknier Mobile network operating method
US8418232B2 (en) * 2008-03-07 2013-04-09 Aspect Software, Inc. Extensible permissions for administrative and target permissions
US20090249440A1 (en) * 2008-03-30 2009-10-01 Platt Darren C System, method, and apparatus for managing access to resources across a network
US20100325427A1 (en) * 2009-06-22 2010-12-23 Nokia Corporation Method and apparatus for authenticating a mobile device
US8255984B1 (en) * 2009-07-01 2012-08-28 Quest Software, Inc. Single sign-on system for shared resource environments
US8677451B1 (en) * 2010-06-22 2014-03-18 Cellco Partnership Enabling seamless access to a domain of an enterprise
US20120054741A1 (en) * 2010-08-31 2012-03-01 Hewlett-Packard Development Company, L.P. User authentication virtual machine
US10320796B2 (en) * 2010-11-18 2019-06-11 Microsoft Technology Licensing, Llc Securing partner-enabled web service
US20140230027A1 (en) * 2011-01-07 2014-08-14 Interdigital Patent Holdings, Inc. Client and server group sso with local openid
US8544069B1 (en) * 2011-04-29 2013-09-24 Intuit Inc. Methods systems and articles of manufacture for implementing user access to remote resources
US20140093082A1 (en) 2011-07-11 2014-04-03 Lg Electronics Inc. Traffic encryption key management for machine to machine multicast group
US20130086669A1 (en) * 2011-09-29 2013-04-04 Oracle International Corporation Mobile application, single sign-on management
US20130086656A1 (en) * 2011-10-04 2013-04-04 Qualcomm Incorporated Method and Apparatus for Protecting a Single Sign-on Domain from Credential Leakage
US20130212665A1 (en) * 2012-02-15 2013-08-15 Oracle International Corporation Signing off from multiple domains accessible using single sign-on
US20130232557A1 (en) * 2012-03-01 2013-09-05 Fujitsu Limited Service usage management method, recording medium, and information processing device
US20130332606A1 (en) * 2012-06-12 2013-12-12 Microsoft Corporation Gate Keeper Cookie
US20140123233A1 (en) * 2012-11-01 2014-05-01 Miiicasa Taiwan Inc. Verification of network device position
US20140208119A1 (en) * 2013-01-21 2014-07-24 International Business Machines Corporation Controlling Exposure of Sensitive Data and Operation Using Process Bound Security Tokens in Cloud Computing Environment
US20140295821A1 (en) * 2013-03-29 2014-10-02 Citrix Systems, Inc. Providing mobile device management functionalities
US9705871B2 (en) * 2013-12-13 2017-07-11 T-Mobile U.S.A., Inc Identity and access management
US20150180858A1 (en) * 2013-12-23 2015-06-25 Cellco Partnership D/B/A Verizon Wireless Single sign on (sso) authorization and authentication for mobile communication devices
US20160344582A1 (en) 2014-01-10 2016-11-24 Hewlett Packard Enterprise Development Lp Call home cluster
US20150244706A1 (en) * 2014-02-26 2015-08-27 Secureauth Corporation Security object creation, validation, and assertion for single sign on authentication
US10404678B2 (en) * 2014-02-26 2019-09-03 Secureauth Corporation Security object creation, validation, and assertion for single sign on authentication
US20150365399A1 (en) * 2014-06-16 2015-12-17 Adobe Systems Incorporated Method and apparatus for sharing server resources using a local group
US9419962B2 (en) * 2014-06-16 2016-08-16 Adobe Systems Incorporated Method and apparatus for sharing server resources using a local group
US20170171950A1 (en) 2014-08-11 2017-06-15 RAB Lighting Inc. Wireless lighting control systems and methods
US20160088023A1 (en) * 2014-09-24 2016-03-24 Oracle International Corporation Services within reverse proxy servers
US9887836B1 (en) 2014-09-26 2018-02-06 Amazon Technologies, Inc. Unified management of cryptographic keys using virtual keys and referrals
US20160117176A1 (en) * 2014-10-24 2016-04-28 Dell Products L.P. Pre-boot diagnostic display
US20170170963A1 (en) * 2014-10-31 2017-06-15 Vmware, Inc. Step-up authentication for single sign-on
US20160182499A1 (en) * 2014-12-22 2016-06-23 Mcafee, Inc. Trust establishment between a trusted execution environment and peripheral devices
US20160218866A1 (en) 2015-01-27 2016-07-28 Qualcomm Incorporated Group key announcement and distribution for a data link group
GB2536044A (en) 2015-03-05 2016-09-07 Bell Identification Bv Method and apparatus for authenticating and processing secure transactions using a mobile device
US20170126404A1 (en) * 2015-05-08 2017-05-04 Panasonic Intellectual Property Management Co., Ltd. Authentication method, authentication system, and controller
US20180052772A1 (en) * 2015-05-14 2018-02-22 Hitachi, Ltd. Storage system and storage control method
US20160365975A1 (en) 2015-06-09 2016-12-15 Intel Corporation System, apparatus and method for group key distribution for a network
US9992186B1 (en) * 2015-06-30 2018-06-05 EMC IP Holding Company LLC SAML representation for multi-tenancy environments
US10382426B2 (en) * 2015-07-02 2019-08-13 Adobe Inc. Authentication context transfer for accessing computing resources via single sign-on with single use access tokens
US20170026144A1 (en) 2015-07-22 2017-01-26 Robert Bosch Gmbh Method and device for validating a timestamp of a data transmission
US10057246B1 (en) * 2015-08-31 2018-08-21 EMC IP Holding Company LLC Method and system for performing backup operations using access tokens via command line interface (CLI)
US9501273B1 (en) * 2015-09-25 2016-11-22 International Business Machines Corporation Data sharing
US20170149770A1 (en) * 2015-11-24 2017-05-25 International Business Machines Corporation Using an out-of-band password to provide enhanced sso functionality
US20170149767A1 (en) * 2015-11-24 2017-05-25 International Business Machines Corporation Using a service-provider password to simulate f-sso functionality
US20170244716A1 (en) * 2016-02-18 2017-08-24 Motorola Mobility Llc Apparatus and Method for Accessing a Network
US20170250812A1 (en) * 2016-02-25 2017-08-31 International Business Machines Corporation Align session security for connected systems
US20170359440A1 (en) * 2016-06-14 2017-12-14 Dell Products L.P. Resource management system
US20180020007A1 (en) * 2016-07-15 2018-01-18 Dell Products L.P. System and method for speed dialing information handling system configuration changes
US20180019869A1 (en) * 2016-07-15 2018-01-18 Dell Products L.P. System and method for secure messaging between distributed computing nodes
US20180083953A1 (en) * 2016-09-21 2018-03-22 Kyocera Document Solutions Inc. Authentication system and authentication method capable of realizing single-sign-on function used for application program on image forming apparatus
US20180088928A1 (en) * 2016-09-28 2018-03-29 Mcafee, Inc. Device-driven auto-recovery using multiple recovery sources
US20180103062A1 (en) * 2016-10-06 2018-04-12 Dell Products L.P. Systems and methods for integration of directory service with management controllers
US10397241B2 (en) * 2016-10-06 2019-08-27 Dell Products L.P. Systems and methods for integration of directory service with management controllers
US10623395B2 (en) * 2017-01-04 2020-04-14 Dell Products, L.P. System and method for directory service authentication on a service processor
US20180219863A1 (en) * 2017-01-31 2018-08-02 Pivotal Software, Inc. Invocation path security in distributed systems
US20210021995A1 (en) * 2017-01-31 2021-01-21 Pivotal Software, Inc. Invocation path security in distributed systems
US20190028461A1 (en) * 2017-07-21 2019-01-24 International Business Machines Corporation Privacy-aware id gateway
US10637846B2 (en) * 2017-08-30 2020-04-28 Capital One Services, Llc System and method for cloud-based analytics
US20190103968A1 (en) * 2017-09-29 2019-04-04 Oracle International Corporation Trusted token relay infrastructure
US20190102534A1 (en) * 2017-10-02 2019-04-04 Red Hat, Inc. Single sign-on management for multiple independent identity providers
US20190158506A1 (en) * 2017-11-21 2019-05-23 Vmware, Inc. Adaptive device enrollment
US20190158498A1 (en) * 2017-11-21 2019-05-23 Vmware, Inc. Adaptive device enrollment
US20190163896A1 (en) * 2017-11-28 2019-05-30 American Express Travel Related Services Company, Inc. Single Sign-On Solution Using Blockchain
US10715458B1 (en) * 2017-12-08 2020-07-14 Amazon Technologies, Inc. Organization level identity management
US20200073656A1 (en) * 2018-06-13 2020-03-05 Dell Products, Lp Method and Apparatus for Drift Management in Clustered Environments

Non-Patent Citations (8)

* Cited by examiner, † Cited by third party
Title
"Multi-SSO (SAML 2.0) errors and fixes", 2014, obtained online from <https://docs.servicenow.com/bundle/paris-platform-administration/page/integrate/saml/reference/saml-errors.html>, retrieved on Aug. 9, 2021 (Year: 2014). *
Alaattin Burak Bekmezci, et al., A multi-layered approach to securing enterprise applications by using TLS, two-factor authentication and single sign-on, May 2-5, 2018, 2018 26th Signal Processing and Communications Applications Conference (SIU), pp. 1-4. *
M. Jones et al., "JSON Web Token (JWT)", May 2015, Internet Engineering Task Force (IETF) Request for Comments: 7519 (Year: 2015). *
UEFI, "Unified Extensible Firmware Interface (UEFI) Specification", Retrieved from <http://uefi.org> May 2017; 2899 pages.
Wikipedia contributors. (Jan. 27, 2019). Vector clock. In Wikipedia, The Free Encyclopedia. Retrieved 21:52, Feb. 5, 2019, from https://en.wikipedia.org/w/index.php?title=Vector_clock&oldid=880371107; 3 pages.
Wikipedia contributors. (Jun. 12, 2018). Lamport timestamps. In Wikipedia, The Free Encyclopedia. Retrieved 21:50, Feb. 5, 2019, from https://en.wikipedia.org/w/index.php?title=Lamport_timestamps&oldid=845598900; 4 pages.
Wikipedia contributors. (May 16, 2018). Matrix clock. In Wikipedia, The Free Encyclopedia. Retrieved 21:52, Feb. 5, 2019, from https://en.wikipedia.org/w/index.php?title=Matrix_clock&oldid=841539991; 1 page.
Wikipedia contributors. (Oct. 8, 2018). Replay attack. In Wikipedia, The Free Encyclopedia. Retrieved 21:49, Feb. 5, 2019, from https://en.wikipedia.org/w/index.php?title=Replay_attack&oldid=863032627; 6 pages.

Also Published As

Publication number Publication date
US20190245843A1 (en) 2019-08-08

Similar Documents

Publication Publication Date Title
US11196733B2 (en) System and method for group of groups single sign-on demarcation based on first user login
US10853511B2 (en) Securely accessing and processing data in a multi-tenant data store
EP3582470B1 (en) Step-up authentication for single sign-on
US9053305B2 (en) System and method for generating one-time password for information handling resource
EP3606000B1 (en) Component commissioning to iot hub using permissioned blockchain
US11968303B2 (en) Keyless authentication scheme of computing services
US20190379656A1 (en) Authentication and authorization of users in an information handling system between baseboard management controller and host operating system users
US10841318B2 (en) Systems and methods for providing multi-user level authorization enabled BIOS access control
US10713363B2 (en) System and method of configuring information handling systems
US10594671B2 (en) System and method for preventing well behaving clients from causing account lockouts in a group
US11757859B2 (en) Run-time attestation of a user workspace
EP4193568B1 (en) Tenant aware mutual tls authentication
JP7513584B2 (en) Method, computer program product, and system for managing shared authentication credentials
US11068598B2 (en) Chassis internal device security
CN116368774A (en) Determine session duration for device authentication
US20250007898A1 (en) Location Aware Trusted Cloud Resource Provisioning
US20250004639A1 (en) Memory Pool Management Using a Cloud Platform
US12061688B2 (en) Device provisioning using secure credentials for a first deployment
US10805302B2 (en) Systems and methods to secure platform application services between platform client applications and platform services
US11405379B1 (en) Multi-factor message-based authentication for network resources
US10372939B2 (en) System and method to remotely provision out-of-band system
US20240232314A1 (en) Authenticator to authorize persistent operations
US20250047489A1 (en) Techniques for binding tokens to a device and collecting device posture signals
US20230239302A1 (en) Role-based access control for cloud features
US20250005128A1 (en) Trusted Cloud Device Lifecycle Management

Legal Events

Date Code Title Description
AS Assignment

Owner name: DELL PRODUCTS L.P., TEXAS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:JA, YEE;SAVAGE, MARSHAL F.;JOSE, CYRIL;AND OTHERS;SIGNING DATES FROM 20180130 TO 20180207;REEL/FRAME:045290/0313

FEPP Fee payment procedure

Free format text: ENTITY STATUS SET TO UNDISCOUNTED (ORIGINAL EVENT CODE: BIG.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

AS Assignment

Owner name: CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH, AS COLLAT

Free format text: PATENT SECURITY AGREEMENT (CREDIT);ASSIGNORS:DELL PRODUCTS L.P.;EMC CORPORATION;EMC IP HOLDING COMPANY LLC;REEL/FRAME:046286/0653

Effective date: 20180529

Owner name: THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., A

Free format text: PATENT SECURITY AGREEMENT (NOTES);ASSIGNORS:DELL PRODUCTS L.P.;EMC CORPORATION;EMC IP HOLDING COMPANY LLC;REEL/FRAME:046366/0014

Effective date: 20180529

Owner name: CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH, AS COLLATERAL AGENT, NORTH CAROLINA

Free format text: PATENT SECURITY AGREEMENT (CREDIT);ASSIGNORS:DELL PRODUCTS L.P.;EMC CORPORATION;EMC IP HOLDING COMPANY LLC;REEL/FRAME:046286/0653

Effective date: 20180529

Owner name: THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS COLLATERAL AGENT, TEXAS

Free format text: PATENT SECURITY AGREEMENT (NOTES);ASSIGNORS:DELL PRODUCTS L.P.;EMC CORPORATION;EMC IP HOLDING COMPANY LLC;REEL/FRAME:046366/0014

Effective date: 20180529

AS Assignment

Owner name: THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., T

Free format text: SECURITY AGREEMENT;ASSIGNORS:CREDANT TECHNOLOGIES, INC.;DELL INTERNATIONAL L.L.C.;DELL MARKETING L.P.;AND OTHERS;REEL/FRAME:049452/0223

Effective date: 20190320

Owner name: THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., TEXAS

Free format text: SECURITY AGREEMENT;ASSIGNORS:CREDANT TECHNOLOGIES, INC.;DELL INTERNATIONAL L.L.C.;DELL MARKETING L.P.;AND OTHERS;REEL/FRAME:049452/0223

Effective date: 20190320

AS Assignment

Owner name: THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., TEXAS

Free format text: SECURITY AGREEMENT;ASSIGNORS:CREDANT TECHNOLOGIES INC.;DELL INTERNATIONAL L.L.C.;DELL MARKETING L.P.;AND OTHERS;REEL/FRAME:053546/0001

Effective date: 20200409

STPP Information on status: patent application and granting procedure in general

Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER

STPP Information on status: patent application and granting procedure in general

Free format text: FINAL REJECTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: RESPONSE AFTER FINAL ACTION FORWARDED TO EXAMINER

STPP Information on status: patent application and granting procedure in general

Free format text: ADVISORY ACTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION

STPP Information on status: patent application and granting procedure in general

Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS

AS Assignment

Owner name: EMC IP HOLDING COMPANY LLC, TEXAS

Free format text: RELEASE OF SECURITY INTEREST AT REEL 046286 FRAME 0653;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:058298/0093

Effective date: 20211101

Owner name: EMC CORPORATION, MASSACHUSETTS

Free format text: RELEASE OF SECURITY INTEREST AT REEL 046286 FRAME 0653;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:058298/0093

Effective date: 20211101

Owner name: DELL PRODUCTS L.P., TEXAS

Free format text: RELEASE OF SECURITY INTEREST AT REEL 046286 FRAME 0653;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:058298/0093

Effective date: 20211101

STPP Information on status: patent application and granting procedure in general

Free format text: PUBLICATIONS -- ISSUE FEE PAYMENT VERIFIED

STCF Information on status: patent grant

Free format text: PATENTED CASE

AS Assignment

Owner name: EMC IP HOLDING COMPANY LLC, TEXAS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (046366/0014);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS NOTES COLLATERAL AGENT;REEL/FRAME:060450/0306

Effective date: 20220329

Owner name: EMC CORPORATION, MASSACHUSETTS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (046366/0014);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS NOTES COLLATERAL AGENT;REEL/FRAME:060450/0306

Effective date: 20220329

Owner name: DELL PRODUCTS L.P., TEXAS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (046366/0014);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS NOTES COLLATERAL AGENT;REEL/FRAME:060450/0306

Effective date: 20220329

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 4
