Single sign on for kerberos authentication
Abstract
A single-sign-on process and mechanism for a client who wishes to access multiple servers in an environment where the servers employ the Kerberos authentication process. During an initial log-in to a first server by the client, the first server performs a Kerberos authentication of the client and stores the ticket-granting ticket (TGT) for that client in server memory. The first server then provides the client with a token corresponding to that stored TGT, but does not transmit the TGT itself to the client. When the client requests service from a subsequent server, the client provides the token with the request. The subsequent server then requests the client's TGT from the first server using the client-supplied token. The first server retrieves the TGT from memory and transmits it to the subsequent server. The subsequent server then may use the TGT to determine if the client is authorized to access the service or resource requested.
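The flow in the abstract, modelled as a small simulation. This is an added illustration, not code from the patent or its assignee: the KDC stand-in, the server and user names, the token layout and the "trusted peers" check on the first server are all assumptions made here (the patent text does not say how the first server decides which second servers may fetch a stored TGT).

```python
"""Toy model of the token-for-TGT single-sign-on flow.

Constructed example: names, the KDC stand-in and the trusted-peer check
are assumptions, not part of the patent text.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Stand-in for the Kerberos authentication service (KDC). Constructed
# sample user database; a real KDC would never hold a plaintext password.
USERS: Dict[str, str] = {"alice": "correct horse battery staple"}


def kdc_authenticate(user: str, password: str) -> Optional[bytes]:
    """Return an opaque ticket-granting ticket (TGT), or None on failure."""
    if USERS.get(user) != password:
        return None
    # Opaque to everyone but the KDC in real Kerberos; here just labelled bytes.
    return b"TGT:" + user.encode() + b":" + secrets.token_bytes(8)


@dataclass(frozen=True)
class SSOToken:
    token_id: str        # unique token number (claim: "unique token number")
    origin_server: str   # originating server indication


@dataclass
class FirstServer:
    name: str
    # token_id -> TGT. The TGT stays in server memory; the client only
    # ever receives the SSOToken that references it.
    tgt_store: Dict[str, bytes] = field(default_factory=dict)
    # Assumption (not in the patent): only these servers may request credentials.
    trusted_peers: Set[str] = field(default_factory=set)

    def login(self, user: str, password: str) -> Optional[SSOToken]:
        """Step 1-4: authenticate via the KDC, keep the TGT, hand back a token."""
        tgt = kdc_authenticate(user, password)
        if tgt is None:
            return None
        token = SSOToken(token_id=secrets.token_urlsafe(16), origin_server=self.name)
        self.tgt_store[token.token_id] = tgt
        return token

    def credentials_request(self, requester: str, token: SSOToken) -> Optional[bytes]:
        """Step 5: release the stored TGT to a second server presenting the token."""
        if requester not in self.trusted_peers:       # assumed check
            return None
        if token.origin_server != self.name:           # token was not issued here
            return None
        return self.tgt_store.get(token.token_id)      # None for unknown/forged ids


@dataclass
class SecondServer:
    name: str
    # origin server name -> FirstServer object; stands in for service discovery.
    directory: Dict[str, FirstServer]

    def serve(self, token: SSOToken) -> str:
        """Receive the client's token, fetch the TGT from the origin server."""
        origin = self.directory.get(token.origin_server)
        if origin is None:
            return "unknown origin server"
        tgt = origin.credentials_request(self.name, token)
        if tgt is None:
            return "credentials denied"
        # A real server would now use the TGT to obtain a service ticket.
        return "served " + tgt.split(b":")[1].decode()


def run_flow() -> Dict[str, object]:
    """Exercise the happy path and the failure modes a defender cares about."""
    app1 = FirstServer("app1", trusted_peers={"app2"})
    app2 = SecondServer("app2", directory={"app1": app1})
    untrusted = SecondServer("other", directory={"app1": app1})

    token = app1.login("alice", "correct horse battery staple")
    bad_login = app1.login("alice", "wrong password")
    forged = SSOToken(token_id="not-a-real-id", origin_server="app1")

    return {
        "login_ok": token is not None,
        "bad_login_rejected": bad_login is None,
        "client_holds_no_tgt": token is not None and not hasattr(token, "tgt"),
        "second_server": app2.serve(token),
        "untrusted_requester": untrusted.serve(token),
        "forged_token": app2.serve(forged),
    }


if __name__ == "__main__":
    for k, v in run_flow().items():
        print(f"{k}: {v}")
```

The point of the model is the trust relationship the abstract implies: the SSOToken is a bearer reference, so whoever presents it to a trusted second server gets the client's TGT released on their behalf. The first server is therefore the control point, which is why the example makes it refuse requests from servers it does not trust and tokens it did not issue, and why the TGT store should be treated with the same care as the TGT itself.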
15 Claims
1. A method for providing client single-sign-on (SSO) to a plurality of servers comprising the steps of:
transmitting a set of login parameters from a client to a first server;
performing by said first server an authentication on said set of login parameters using an authentication service, and receiving an authentication approval ticket from said authentication service;
creating a SSOToken by said first server in response to receipt of said authentication approval ticket, said SSOToken being associated with said authentication approval ticket, said SSOToken having a unique token number and an originating server indication;
providing said SSOToken to said client; and
providing said associated authentication approval ticket to a second server upon receipt of a credentials request from said second server, said credentials request containing said SSOToken.
Dependent claims: 2, 3, 4, 5.
6. A computer-readable medium encoded with software for providing client single-sign-on (SSO) to a plurality of servers, said software causing one or more computers to perform the steps of:
transmitting a set of login parameters from a client to a first server;
performing by said first server an authentication on said set of login parameters using an authentication service, and receiving an authentication approval ticket from said authentication service;
creating a SSOToken by said first server in response to receipt of said authentication approval ticket, said SSOToken being associated with said authentication approval ticket, said SSOToken having a unique token number and an originating server indication;
providing said SSOToken to said client; and
providing said associated authentication approval ticket to a second server upon receipt of a credentials request from said second server, said credentials request containing said SSOToken.
Dependent claims: 7, 8, 9, 10.
11. A client single-sign-on (SSO) system for allowing a client to perform one authenticated sign-on to a plurality of servers, said system comprising:
an authenticated credential set associated with said client;
a SSO Token containing a unique token identifier and a reference to a first server which received said authenticated credential set;
a SSO Token to credential set storage accessible by said first server and in which said authenticated credential set and SSO Token are stored and associated;
a means for providing said SSO Token to said client; and
a first server means for providing said authenticated credential set associated with said SSO Token to a second server in response to a request for credentials from said second server, said request for credentials containing said SSO Token for said client, thereby providing proxied authentication to said second server from said first server.
Dependent claims: 12, 13, 14, 15.