CPC H04L 63/0815 (2013.01) [H04L 63/0884 (2013.01); H04L 63/102 (2013.01); H04L 63/107 (2013.01)] | 20 Claims |
1. A method for identity and access management (IAM) with extended trust, the method comprising:
receiving, by an IAM extended trust server (ETS) operating in an enterprise computing network, a request from a user device of a user to access a first resource in the enterprise computing network;
verifying, by the IAM ETS with a cloud-based IAM platform, whether the user is authorized to access the first resource, wherein, once authorized, the cloud-based IAM platform generates an authentication token, starts a global session, and communicates the authentication token to the IAM ETS;
parsing, by the IAM ETS, the authentication token generated by the cloud-based IAM platform;
determining, by the IAM ETS from the authentication token, a home zone for the user where the user is provisioned in the cloud-based IAM platform so that the user's identity is known to the cloud-based IAM platform;
fetching, by the IAM ETS from the cloud-based IAM platform, user-specific session information;
authorizing, by the IAM ETS, access by the user to the first resource in the home zone in the enterprise computing network;
directing, by the IAM ETS, a browser on the user device to the first resource in the enterprise computing network;
providing, by the IAM ETS, the user-specific session information to the first resource in the enterprise computing network such that the user is able to access the first resource in the global session;
receiving, by the IAM ETS, a second request from the user device to access a second resource;
determining, by the IAM ETS, that the second resource resides in a geographical zone that is different from the home zone;
checking, by the IAM ETS communicating with the cloud-based IAM platform, whether the user is authorized to access the second resource in the geographical zone; and
responsive to an indication from the cloud-based IAM platform that the user is authorized to access the second resource in the geographical zone, redirecting the browser on the user device to the second resource in the geographical zone during the global session and without initiating a new session for the user.
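The flow the claim describes (first-resource authorization in the home zone, token parsing by the ETS, then a cross-zone redirect that reuses the global session) can be simulated end to end. The following is an added example written for this page; it is not code from the patent or from any product it covers. The token format (a base64url JSON payload with an HMAC-SHA256 tag over a secret shared between the cloud platform and the ETS), the "zone:name" resource naming, the user directory, the hostnames and the in-memory session store are all constructed assumptions, since the claim does not specify any of them.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed shared secret: this example assumes the ETS checks the platform's token tag with it.
SHARED_KEY = b"constructed-demo-key"


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class CloudIamPlatform:
    """Mock of the cloud-based IAM platform: holds the user directory, issues the
    authentication token, and owns the global session."""

    def __init__(self, key: bytes):
        self._key = key
        # Constructed directory. Resources are named "<zone>:<name>" (an assumption of this example).
        self._users = {"alice": {"home_zone": "eu", "allowed": {"eu:payroll", "us:crm"}}}
        self.sessions = {}  # global session id -> user

    def is_authorized(self, user: str, resource: str) -> bool:
        entry = self._users.get(user)
        return entry is not None and resource in entry["allowed"]

    def authenticate(self, user: str, resource: str) -> Optional[str]:
        """Authorize the first request; on success start a global session and return a token."""
        if not self.is_authorized(user, resource):
            return None
        sid = secrets.token_hex(8)
        self.sessions[sid] = user
        payload = {"sub": user, "home_zone": self._users[user]["home_zone"], "sid": sid}
        body = _b64u(json.dumps(payload, sort_keys=True).encode())
        tag = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{tag}"

    def session_info(self, sid: str) -> Optional[dict]:
        """User-specific session information for an existing global session, or None."""
        user = self.sessions.get(sid)
        if user is None:
            return None
        return {"sid": sid, "user": user, "home_zone": self._users[user]["home_zone"]}


class ExtendedTrustServer:
    """The IAM ETS in the enterprise network: parses the token, picks the zone, redirects the browser."""

    def __init__(self, platform: CloudIamPlatform, key: bytes):
        self._platform = platform
        self._key = key

    def parse_token(self, token: str) -> dict:
        body, tag = token.split(".")
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            raise ValueError("authentication token failed integrity check")
        return json.loads(_b64u_decode(body))

    def handle_request(self, user: str, resource: str, session_id: Optional[str] = None) -> dict:
        if session_id is None:
            # First request: authenticate with the platform, parse the token, read the home zone,
            # then fetch the session information to hand to the resource.
            token = self._platform.authenticate(user, resource)
            if token is None:
                return {"status": "denied", "reason": "platform refused first resource"}
            claims = self.parse_token(token)
            info = self._platform.session_info(claims["sid"])
            return self._redirect(resource, info, new_session=True)
        # Later request in the same global session: re-check authorization with the platform
        # (the resource may sit in another geographical zone) but never start a new session.
        info = self._platform.session_info(session_id)
        if info is None or info["user"] != user:
            return {"status": "denied", "reason": "no such global session"}
        if not self._platform.is_authorized(user, resource):
            return {"status": "denied", "reason": "not authorized for " + resource}
        return self._redirect(resource, info, new_session=False)

    @staticmethod
    def _redirect(resource: str, info: dict, new_session: bool) -> dict:
        zone, name = resource.split(":", 1)
        return {
            "status": "redirect",
            "location": f"https://{zone}.intranet.example/{name}",  # constructed hostname
            "zone": zone,
            "cross_zone": zone != info["home_zone"],
            "session_id": info["sid"],
            "session_info": info,
            "new_session": new_session,
        }


def demo() -> list:
    """Home-zone access, then a cross-zone redirect in the same session, then a denied resource."""
    platform = CloudIamPlatform(SHARED_KEY)
    ets = ExtendedTrustServer(platform, SHARED_KEY)
    first = ets.handle_request("alice", "eu:payroll")
    second = ets.handle_request("alice", "us:crm", session_id=first["session_id"])
    third = ets.handle_request("alice", "us:ledger", session_id=first["session_id"])
    return [first, second, third]
```

The point to notice is in the second branch of handle_request: the ETS asks the platform again whether the user may reach the resource in the other zone, but it carries the existing session id through to the redirect instead of calling authenticate a second time, which is what keeps the global session single. The integrity check in parse_token is this example's stand-in for whatever token validation the real platform and ETS agree on.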