Method and system for a single-sign-on mechanism within application service provider (ASP) aggregation

US 20030061512A1
Filed: 09/27/2001
Published: 03/27/2003
Est. Priority Date: 09/27/2001
Status: Active Grant

First Claim

Patent Images

1. A method for access management in a distributed data processing system, the method comprising:

receiving from a client a request to access a resource protected by an application service provider (ASP) aggregator service, wherein the ASP aggregator service provides single-sign-on functionality for a plurality of net-sourced applications, wherein at least one of the net-sourced applications is hosted by an ASP;

in response to a determination that the client or a user of the client has not been properly authenticated by the ASP aggregator service for a current client session, requiring the client or the user of the client to successfully complete an authentication process; and

sending to the client a response to the request received from the client, wherein the response is accompanied by an aggregator token, wherein the aggregator token comprises a logon resource identifier.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A methodology for providing a single-sign-on mechanism within an ASP aggregator service is presented. An aggregator token is generated by an ASP aggregator service and sent to a client device after its user has been successfully authenticated during a single-sign-on operation that is provided by the ASP aggregator service. The aggregator token then accompanies any request from the client to aggregated applications within the ASP aggregator service'"'"'s infrastructure. The aggregator token comprises an indication of an address or resource identifier within the ASP aggregator service to which a client/user can be redirected when the client/user needs to be authenticated by the ASP aggregator service. In other words, the address/identifier is associated with a logon resource; when a request from a client is sent to this address, the ASP aggregator service responds with an authentication challenge to force the user to complete a single-sign-on operation.

185 Citations

38 Claims

1. A method for access management in a distributed data processing system, the method comprising:
- receiving from a client a request to access a resource protected by an application service provider (ASP) aggregator service, wherein the ASP aggregator service provides single-sign-on functionality for a plurality of net-sourced applications, wherein at least one of the net-sourced applications is hosted by an ASP;
  
  in response to a determination that the client or a user of the client has not been properly authenticated by the ASP aggregator service for a current client session, requiring the client or the user of the client to successfully complete an authentication process; and
  
  sending to the client a response to the request received from the client, wherein the response is accompanied by an aggregator token, wherein the aggregator token comprises a logon resource identifier.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1 wherein a logon resource identified by the logon resource identifier prompts the client or a user of the client to complete an authentication operation.
  - 3. The method of claim 1 wherein the logon resource identifier is a Uniform Resource Identifier (URI).
  - 4. The method of claim 3 wherein the logon resource identifier is a Uniform Resource Locator, and the logon resource is a logon Web page.
  - 5. The method of claim 1 further comprising:
    - receiving from the client a request to access a net-sourced application hosted by an ASP;
      
      extracting a logon resource identifier from an aggregator token that accompanies the request, wherein the aggregator token originated from the ASP aggregator service, wherein the ASP aggregator service provides single-sign-on functionality for a plurality of net-sourced applications, wherein at least one of the net-sourced applications is the net-sourced application hosted by the ASP; and
      
      sending to the client a response indicating the logon resource identifier as a redirectable destination.

6. A method for access management in a distributed data processing system, the method comprising:
- receiving from a client a request to access a net-sourced application hosted by an application service provider (ASP);
  
  extracting a logon resource identifier from an aggregator token that accompanies the request, wherein the aggregator token originated from an ASP aggregator service, wherein the ASP aggregator service provides single-sign-on functionality for a plurality of net-sourced applications, wherein at least one of the net-sourced applications is the net-sourced application hosted by the ASP; and
  
  sending to the client a response indicating the logon resource identifier as a redirectable destination.
- View Dependent Claims (7, 8, 9, 10, 11, 12)
- - 7. The method of claim 6 further comprising:
    - determining that the client or a user of the client has not been properly authenticated prior to sending the response to the client.
  - 8. The method of claim 7 further comprising:
    - determining that the request was not accompanied with a valid application authentication token.
  - 9. The method of claim 6 where in access for the client to the net-sourced application is controlled by the ASP on a subscription basis.
  - 10. The method of claim 6 wherein a logon resource identified by the logon resource identifier prompts the client or a user of the client to complete an authentication operation.
  - 11. The method of claim 6 wherein the logon resource identifier is a Uniform Resource Identifier (URI).
  - 12. The method of claim 11 wherein the logon resource identifier is a Uniform Resource Locator, and the logon resource is a logon Web page.

13. A method for access management in a distributed data processing system, the method comprising:
- receiving from a client a request to access a logon resource identified by a logon resource identifier that has been extracted from an aggregator token, wherein access to the logon resource is protected by an application service provider (ASP) aggregator service, wherein the ASP aggregator service provides single-sign-on functionality for a plurality of net-sourced applications;
  
  requiring the client or the user of the client to successfully complete an authentication process associated with the logon resource;
  
  extracting an origination identifier from the request, wherein the origination identifier identifies a net-sourced application that is one of the plurality of net-sourced applications; and
  
  sending a response to the client, wherein the response indicates the origination identifier as a redirectable destination.
- View Dependent Claims (14, 15)
- - 14. The method of claim 13 wherein the logon resource identifier is a Uniform Resource Identifier (URI).
  - 15. The method of claim 14 wherein the logon resource identifier is a Uniform Resource Locator, and the logon resource is a logon Web page.

16. An apparatus for access management in a distributed data processing system, the apparatus comprising:
- means for receiving from a client a request to access a resource protected by an application service provider (ASP) aggregator service, wherein the ASP aggregator service provides single-sign-on functionality for a plurality of net-sourced applications, wherein at least one of the net-sourced applications is hosted by an ASP;
  
  means for requiring the client or the user of the client to successfully complete an authentication process in response to a determination that the client or a user of the client has not been properly authenticated by the ASP aggregator service for a current client session; and
  
  means for sending to the client a response to the request received from the client, wherein the response is accompanied by an aggregator token, wherein the aggregator token comprises a logon resource identifier.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The apparatus of claim 16 wherein a logon resource identified by the logon resource identifier prompts the client or a user of the client to complete an authentication operation.
  - 18. The apparatus of claim 16 wherein the logon resource identifier is a Uniform Resource Identifier (URI).
  - 19. The apparatus of claim 18 wherein the logon resource identifier is a Uniform Resource Locator, and the logon resource is a logon Web page.
  - 20. The apparatus of claim 16 further comprising:
    - means for receiving from the client a request to access a net-sourced application hosted by an ASP;
      
      means for extracting a logon resource identifier from an aggregator token that accompanies the request, wherein the aggregator token originated from the ASP aggregator service, wherein the ASP aggregator service provides single-sign-on functionality for a plurality of net-sourced applications, wherein at least one of the net-sourced applications is the net-sourced application hosted by the ASP; and
      
      means for sending to the client a response indicating the logon resource identifier as a redirectable destination.

21. An apparatus for access management in a distributed data processing system, the apparatus comprising:
- means for receiving from a client a request to access a net-sourced application hosted by an application service provider (ASP);
  
  means for extracting a logon resource identifier from an aggregator token that accompanies the request, wherein the aggregator token originated from an ASP aggregator service, wherein the ASP aggregator service provides single-sign-on functionality for a plurality of net-sourced applications, wherein at least one of the net-sourced applications is the net-sourced application hosted by the ASP; and
  
  means for sending to the client a response indicating the logon resource identifier as a redirectable destination.
- View Dependent Claims (22, 23, 24, 25, 26, 27)
- - 22. The apparatus of claim 21 further comprising:
    - means for determining that the client or a user of the client has not been properly authenticated prior to sending the response to the client.
  - 23. The apparatus of claim 22 further comprising:
    - means for determining that the request was not accompanied with a valid application authentication token.
  - 24. The apparatus of claim 21 wherein access for the client to the net-sourced application is controlled by the ASP on a subscription basis.
  - 25. The apparatus of claim 21 wherein a logon resource identified by the logon resource identifier prompts the client or a user of the client to complete an authentication operation.
  - 26. The apparatus of claim 21 wherein the logon resource identifier is a Uniform Resource Identifier (URI).
  - 27. The apparatus of claim 26 wherein the logon resource identifier is a Uniform Resource Locator, and the logon resource is a logon Web page.

28. An apparatus for access management in a distributed data processing system, the apparatus comprising:
- means for receiving from a client a request to access a logon resource identified by a logon resource identifier that has been extracted from an aggregator token, wherein access to the logon resource is protected by an application service provider (ASP) aggregator service, wherein the ASP aggregator service provides single-sign-on functionality for a plurality of net-sourced applications;
  
  means for requiring the client or the user of the client to successfully complete an authentication process associated with the logon resource;
  
  means for extracting an origination identifier from the request, wherein the origination identifier identifies a net-sourced application that is one of the plurality of net-sourced applications; and
  
  means for sending a response to the client, wherein the response indicates the origination identifier as a redirectable destination.
- View Dependent Claims (29, 30)
- - 29. The apparatus of claim 28 wherein the logon resource identifier is a Uniform Resource Identifier (URI).
  - 30. The apparatus of claim 29 wherein the logon resource identifier is a Uniform Resource Locator, and the logon resource is a logon Web page.

31. A computer program product in a computer readable medium for use in a distributed data processing system for managing access to resources, the computer program product comprising:
- instructions for receiving from a client a request to access a resource protected by an application service provider (ASP) aggregator service, wherein the ASP aggregator service provides single-sign-on functionality for a plurality of net-sourced applications, wherein at least one of the net-sourced applications is hosted by an ASP;
  
  instructions for requiring the client or the user of the client to successfully complete an authentication process in response to a determination that the client or a user of the client has not been properly authenticated by the ASP aggregator service for a current client session; and
  
  instructions for sending to the client a response to the request received from the client, wherein the response is accompanied by an aggregator token, wherein the aggregator token comprises a logon resource identifier.
- View Dependent Claims (32, 33, 34)
- - 32. The computer program product of claim 31 wherein a logon resource identified by the logon resource identifier prompts the client or a user of the client to complete an authentication operation.
  - 33. The computer program product of claim 31 wherein the logon resource identifier is a Uniform Resource Locator, and the logon resource is a logon Web page.
  - 34. The computer program product of claim 31 further comprising:
    - instructions for receiving from a client a request to access a net-sourced application hosted by an ASP;
      
      instructions for extracting a logon resource identifier from an aggregator token that accompanies the request, wherein the aggregator token originated from an ASP aggregator service, wherein the ASP aggregator service provides single-sign-on functionality for a plurality of net-sourced applications, wherein at least one of the net-sourced applications is the net-sourced application hosted by the ASP; and
      
      instructions for sending to the client a response indicating the logon resource identifier as a redirectable destination.

35. A computer program product in a computer readable medium for use in a distributed data processing system for managing access to resources, the computer program product comprising:
- instructions for receiving from a client a request to access a net-sourced application hosted by an application service provider (ASP);
  
  instructions for extracting a logon resource identifier from an aggregator token that accompanies the request, wherein the aggregator token originated from an ASP aggregator service, wherein the ASP aggregator service provides single-sign-on functionality for a plurality of net-sourced applications, wherein at least one of the net-sourced applications is the net-sourced application hosted by the ASP; and
  
  instructions for sending to the client a response indicating the logon resource identifier as a redirectable destination.
- View Dependent Claims (36, 37)
- - 36. The computer program product of claim 35 further comprising:
    - instructions for determining that the client or a user of the client has not been properly authenticated prior to sending the response to the client.
  - 37. The computer program product of claim 36 further comprising:
    - instructions for determining that the request was not accompanied with a valid application authentication token.

38. A computer program product in a computer readable medium for use in a distributed data processing system for managing access to resources, the computer program product comprising:
- instructions for receiving from a client a request to access a logon resource identified by a logon resource identifier that has been extracted from an aggregator token, wherein access to the logon resource is protected by an application service provider (ASP) aggregator service, wherein the ASP aggregator service provides single-sign-on functionality for a plurality of net-sourced applications;
  
  instructions for requiring the client or the user of the client to successfully complete an authentication process associated with the logon resource;
  
  instructions for extracting an origination identifier from the request, wherein the origination identifier identifies a net-sourced application that is one of the plurality of net-sourced applications; and
  
  instructions for sending a response to the client, wherein the response indicates the origination identifier as a redirectable destination.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AirBNB Incorporated
Original Assignee
International Business Machines Corporation
Inventors
Flurry, Gregory Alan, Nickolas, Stewart Earle, Lawton, Bill

Granted Patent

US 7,530,099 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

H04L 63/0815 providing single-sign-on or...

Method and system for a single-sign-on mechanism within application service provider (ASP) aggregation

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

185 Citations

38 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for a single-sign-on mechanism within application service provider (ASP) aggregation

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

185 Citations

38 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links