Methods and systems for controlling the scope of delegation of authentication credentials
Abstract
Methods and systems are provided for controlling the scope of delegation of authentication credentials within a network environment. A server is configured to provide a trusted third-party with a ticket authenticating the server, information about a target service that a server seeks to access on behalf of the client, and a service ticket associated with the client. This service ticket may be provided by the client or may be a previously granted service ticket granted to the server for itself in the name of the client. The trusted third-party grants a new service ticket to access the target service to the server, in the client's name, if such delegation is permitted according to delegation constraints associated with the client.
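The delegation check the abstract describes, modelled in Python as an added example that is not part of the patent or of any Kerberos implementation: the trusted third-party receives the server's own credential, the name of the target service and a service ticket in the client's name, and issues a new ticket for the target only when the client's delegation constraints allow it. The Ticket layout, the CONSTRAINTS table and the principal names are constructed for this illustration; the encryption and KDC signatures that protect real tickets are left out.

```python
"""Toy model of the delegation-constraint check from the abstract.

Constructed example: tickets are plain records, not encrypted blobs, and a
server's own credential is represented as a ticket addressed to "krbtgt".
"""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Ticket:
    client: str   # principal the ticket speaks for
    service: str  # principal the ticket is addressed to

# Delegation constraints associated with each client (constructed data):
# which server may act for the client, and towards which target services.
CONSTRAINTS = {
    "alice": {"web.example": {"sql.example", "files.example"}},
    "bob": {},  # bob permits no delegation at all
}

def s4u_self(server_cred: Ticket, client: str) -> Ticket:
    """Claims 40 to 58: the server obtains a ticket to itself in the client's
    name, usable later as the 'service credential' of a delegation request."""
    return Ticket(client=client, service=server_cred.client)

def request_delegation(server_cred: Ticket, target: str,
                       svc_ticket: Ticket) -> Optional[Ticket]:
    """Trusted third-party side of claims 1 and 26: decide whether to issue a
    ticket for `target` in the client's name. Returns None when refused."""
    server = server_cred.client
    # 1. The presented credential must actually authenticate the server.
    if server_cred.service != "krbtgt":
        return None
    # 2. The client's ticket must have been issued for this very server; a
    #    ticket addressed to some other service cannot be redirected here.
    if svc_ticket.service != server:
        return None
    # 3. Delegation is scoped by constraints attached to the client: this
    #    server may only obtain tickets for the listed targets.
    allowed = CONSTRAINTS.get(svc_ticket.client, {}).get(server, set())
    if target not in allowed:
        return None
    # The server never needed the client's ticket-granting ticket (claim 38).
    return Ticket(client=svc_ticket.client, service=target)
```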
64 Claims

1. A method comprising:
identifying a target service to which access is sought on behalf of a client;
causing a server operatively coupled to the client to request access to the target service on behalf of the client, from a trusted third-party, wherein the server provides the trusted third-party with a credential authenticating the server, information about the target service, and a service credential previously provided by the client to the server.
(Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 14, 15, 17, 18, 19, 20, 21, 22, 23, 24, 25, 27, 28, 29, 30)

12. A method comprising:
identifying a target service to which access is sought on behalf of a client; and
causing a server operatively coupled to the client to request access to the target service on behalf of the client, from a trusted third party, wherein the server provides the trusted third party with a service credential authenticating the server, information about the target service, and a service credential previously provided by the client for the service, and wherein the client ticket includes implementation-specific identity information.

16. A computer-readable medium having computer-executable instructions for performing tasks comprising:
in a server, determining a target service to which access is sought on behalf of a client coupled to the server;
requesting a new service credential from a trusted third-party by providing the trusted third-party with a credential authenticating the server, information about the target service, and a service credential associated with the client and the requesting server.

26. A system comprising:
a credential granting mechanism configured to receive a request for a new service credential from a server and in response generate the new service credential if delegation is allowable, and wherein the request includes:
a credential authenticating the requesting server, identifying information about a target service to which access is sought on behalf of a client coupled to the server, and a service credential that was previously granted to the client for use with the server.

31. A system comprising:
a server configured to generate a request for a new service credential from a trusted third-party, the new service credential being associated with a client and a target service, the request comprising:
a credential authenticating the server, information about the target service, and a service credential associated with the client and the server.
(Dependent claims: 32, 33, 34, 35, 37, 39)

36. A computer-readable medium having stored thereon a data structure, comprising:
a credential authenticating a first server, information identifying a second server, and a service credential associated with a client and the first server.

38. A method comprising:
separately authenticating a server and a client;
providing the server with a server ticket granting ticket;
providing the client with a client ticket granting ticket and a service ticket for use with the server;
providing the server with a new service ticket for use by the server for use with a new service without requiring the server to have access to the client ticket granting ticket.

40. A method comprising:
identifying a target service to which access is sought on behalf of a client that has been authenticated using a first authentication method;
causing a server that is operatively coupled to the target service and the client to request a service credential to itself from a second authentication method trusted third-party by identifying the client and the first authentication protocol; and
causing the server to request a new service credential, for use by the server and the target service, from the second authentication method trusted third-party, wherein the server provides the trusted third-party with a credential authenticating the server, information about the target service, and the service credential to itself.
(Dependent claims: 41, 42, 43, 44, 45, 46, 47, 48, 50, 51, 52, 53, 54, 55, 56, 57, 59, 60, 61, 62, 63, 64)

49. A computer-readable medium having computer-executable instructions for performing tasks comprising:
identifying a target service to which access is sought on behalf of a client that has been authenticated using a first authentication method;
causing a server that is operatively coupled to the target service and the client to request a service ticket to itself from a second authentication method trusted third-party by identifying the client and the first authentication protocol; and
causing the server to request a new service ticket, for use by the server and the identified service, from the second authentication method trusted third-party, wherein the server provides the trusted third-party with a ticket authenticating the server, information about the target service, and the service ticket to itself.

58. A system comprising:
a server configurable to:
identify a target service to which access is sought on behalf of a client that has been authenticated using a first authentication method, request a service credential to itself from a second authentication method trusted third-party by identifying the client and the first authentication method, and subsequently request a new service credential, for use by the server and the target service, from the second authentication method trusted third-party, wherein the server provides the second authentication method trusted third-party with a credential authenticating the server, information about the target service, and the service credential to itself.