User Authentication

US 20020112155A1
Filed: 02/26/2001
Published: 08/15/2002
Est. Priority Date: 07/10/2000
Status: Active Grant

First Claim

Patent Images

1. A method for authenticating a user for a plurality of domains in a network-based system, comprising the steps of:

receiving a request for a protected resource, said resource is in a first domain;

redirecting said request to a second domain; and

authenticating said user for said first domain at said second domain.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention authenticates a user for multiple resources distributed across multiple domains through the performance of a single authentication. User access requests for a protected resource in a first domain are received and redirected to a second domain. User authentication is performed at the second domain. In one embodiment, the system transmits an authentication cookie for the second domain to the user after authentication at the second domain. In another embodiment, the system further redirects subsequent resource requests for resources in the first domain or a third domain to the second domain. The second domain confirms the user'"'"'s authentication for applicable portions of the first, second, and third domains using the cookie.

Citations

46 Claims

1. A method for authenticating a user for a plurality of domains in a network-based system, comprising the steps of:
- receiving a request for a protected resource, said resource is in a first domain;
  
  redirecting said request to a second domain; and
  
  authenticating said user for said first domain at said second domain.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 28, 29, 30, 31, 32, 33, 34, 35, 36, 38, 39, 40, 41, 42, 43, 44, 45, 46)
- - 2. The method of claim 1, further comprising the step of:
    - determining whether said first and second domains reside on a single Web Server.
  - 3. The method of claim 1, further comprising the step of:
    - transmitting an authentication cookie for said second domain to said user after said step of authentication.
  - 4. The method of claim 3, further comprising the step of:
    - authorizing said user for said resource.
  - 5. The method of claim 3, further comprising the steps of:
    - redirecting a subsequent resource request for a resource in a third domain to said second domain;
      
      transmitting said cookie t o said second domain; and
      
      confirming authentication of said user for said third domain using said cookie.
  - 6. The method of claim 5, wherein:
    - said first and third domains are one domain.
  - 7. The method of claim 1, wherein:
    - said first and second domains reside on a single Web Server.
  - 8. The method of claim 6, wherein:
    - said first, second, and third domains reside on a single Web Server.
  - 9. The method of claim 1, wherein:
    - said step of authenticating is performed according to an authentication rule of said second domain.
  - 10. The method of claim 9, wherein:
    - said authentication rule is a default rule for verifying user identities to authenticate users for resources in said second policy domain.
  - 11. The method of claim 9, wherein:
    - said authentication rule is a policy rule for verifying user identities to authenticate users for resources matched to a policy of said second policy domain.
  - 12. The method of claim 1, wherein:
    - said second domain is a preferred host.
  - 13. The method of claim 1, wherein:
    - said step of redirecting is transparent to said user.
  - 14. The method of claim 6, wherein:
    - said second step of redirecting is transparent to said user.
  - 15. The method of claim 3, wherein:
    - said cookie is encrypted.
  - 16. The method of claim 3, wherein:
    - said cookie is encrypted using RC4 encryption, said cookie comprising;
      
      an authentication level, a user id, a user ip address, a session start time, an idle start time, and a secured hash.
  - 17. The method of claim 1, wherein:
    - said system is a Access Management System.
  - 18. The method of claim 1, wherein:
    - said system is an Access System.
  - 19. The method of claim 1, wherein:
    - said step of authenticating comprises the steps of;
      
      receiving entered user data;
      
      accessing user identity profile information from a Directory Server; and
      
      comparing said entered user data with said user identity profile information.
  - 20. The method of claim 1, wherein:
    - said network is the Internet.
  - 21. The method of claim 1, wherein:
    - said resource is a web page.
  - 22. The method of claim 1, wherein:
    - said resource is an application.
  - 23. The method of claim 1, wherein:
    - said step of redirecting is performed by a Web Server plug-in.
  - 24. The method of claim 23, wherein:
    - said plug-in is an NSAPI Web Server plug-in.
  - 25. The method of claim 23, wherein:
    - said plug-in is an ISAPI Web Server plug-in.
  - 28. One or more processor readable storage devices according to claim 27, wherein said method further comprises the step of:
    - determining whether said first and second domains reside on a single Web Server.
  - 29. One or more processor readable storage devices according to claim 27, wherein said method further comprises the step of:
    - transmitting an authentication cookie for said second domain to said user after said step of authentication.
  - 30. One or more processor readable storage devices according to claim 29, wherein said method further comprises the step of:
    - authorizing said user for said resource.
  - 31. One or more processor readable storage devices according to claim 29, wherein said method further comprises the steps of:
    - redirecting a subsequent resource request for a resource in a third domain to said second domain;
      
      transmitting said cookie to said second domain; and
      
      authenticating said user at said second domain using said cookie.
  - 32. One or more processor readable storage devices according to claim 27, wherein:
    - said second domain is a preferred host.
  - 33. One or more processor readable storage devices according to claim 29, wherein:
    - said cookie is encrypted.
  - 34. One or more processor readable storage devices according to claim 27, wherein:
    - said system is a Access Management System.
  - 35. One or more processor readable storage devices according to claim 27, wherein:
    - said system is an Access System.
  - 36. One or more processor readable storage devices according to claim 27, wherein:
    - said step of authenticating comprises the steps of;
      
      receiving entered user data;
      
      accessing user identity profile information from a Directory Server; and
      
      comparing said entered user data with said user identity profile information.
  - 38. An apparatus according to claim 37, wherein said method further includes the step of:
    - determining whether said first and second domains reside on a single Web Server.
  - 39. An apparatus according to claim 37, wherein said method further includes the step of:
    - transmitting an authentication cookie for said second domain to said user after said step of authentication.
  - 40. An apparatus according to claim 39, wherein said method further includes the step of:
    - authorizing said user for said resource.
  - 41. An apparatus according to claim 39, wherein said method further includes the steps of:
    - redirecting a subsequent resource request for a resource in a third domain to said second domain;
      
      transmitting said cookie to said second domain; and
      
      authenticating said user at said second domain using said cookie.
  - 42. An apparatus according to claim 37, wherein:
    - said second domain is a preferred host.
  - 43. An apparatus according to claim 39, wherein:
    - said cookie is encrypted.
  - 44. An apparatus according to claim 37, wherein:
    - said system is a Access Management System.
  - 45. An apparatus according to claim 37, wherein:
    - said system is an Access System.
  - 46. An apparatus according to claim 37, wherein:
    - said step of authenticating comprises the steps of;
      
      receiving entered user data;
      
      accessing user identity profile information from a Directory Server; and
      
      comparing said entered user data with said user identity profile information.

26. A method for authenticating a user for a plurality of domains in an Access System, comprising the steps of:
- receiving a request for a protected resource, said resource is in a first domain;
  
  determining whether said first and second domains reside on a single Web Server;
  
  redirecting said request to a second domain, said second domain is a preferred host;
  
  authenticating said user for said first domain at said second domain according to an authentication rule associated with said second domain, said step of authenticating comprising the steps of;
  
  receiving entered user data, accessing user identity profile information from a Directory Server, and comparing said entered user data with said user identity profile information;
  
  transmitting an encrypted authentication cookie for said second domain to said user;
  
  authorizing said user for said resource;
  
  redirecting a subsequent resource request for a resource in a third domain to said second domain, said first and second steps of redirecting being transparent to said user, said first, second, and third domains residing on a single Web Server;
  
  transmitting said cookie to said second domain; and
  
  confirming authentication of said user for said third domain using said cookie.

27. One or more processor readable storage devices having processor readable code embodied on said processor readable storage devices, said processor readable code for programming one or more processors to perform a method comprising the steps of:
- receiving a user request for a protected resource, said resource is in a first domain;
  
  redirecting said request to a second domain; and
  
  authenticating said user at said second domain.

37. An apparatus, comprising:
- a communication interface;
  
  one or more storage devices; and
  
  one or more processors in communication with said one or more storage devices and said communication interface, said one or more processors programmed to preform a method comprising the steps of;
  
  receiving a user request for a protected resource, said resource is in a first domain, redirecting said request to a second domain, and authenticating said user at said second domain.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Martherus, Robin E., Ramamurthy, Srinivasagopalan

Granted Patent

US 7,194,764 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/155
CPC Class Codes

G06F 21/41   where a single sign-on prov...

H04L 63/0815   providing single-sign-on or...

H04L 63/083   using passwords cryptograph...

User Authentication

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

46 Claims

Specification

Solutions

Use Cases

Quick Links

User Authentication

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

46 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links