Single sign on for kerberos authentication

US 20030188193A1
Filed: 03/28/2002
Published: 10/02/2003
Est. Priority Date: 03/28/2002
Status: Abandoned Application

First Claim

Patent Images

1. A method for providing client single-sign-on (SSO) to a plurality of servers comprising the steps of:

transmitting a set of login parameters from a client to a first server;

performing by said first server an authentication on said set of login parameters using an authentication service, and receiving an authentication approval ticket from said authentication service;

creating a SSOToken responsive by said first server in response to receipt of said authentication approval ticket, said SSOToken with being associated with said authentication approval ticket, said SSOToken having a unique token number and originating server indication;

providing said SSOToken to said client; and

providing said associated authentication approval ticket to a second server upon receipt of a credentials request from said second server, said credentials request containing said SSOToken.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A single-sign-on process and mechanism for a client who wishes to access multiple servers in an environment, where the servers employ the Kerberos authentification process. During an initial log in process to a first server by the client, the first server performs a Kerberos authentification on the client and stores the ticket-granting ticket (TGT) for that client in server memory. The first server then provides the client with a token corresponding to that stored TGT, but does not transmit the TGT itself to the client. When the client requests service from subsequent server, the client provides the token with the request. The subsequent server then requests the client'"'"'s TGT from the first server using the client-supplied token. The first server retrieves the TGT from memory, and transmits it to the subsequent server. The subsequent server then may use the TGT to determine if the client is authorized to access the service or resource requested.

Citations

15 Claims

1. A method for providing client single-sign-on (SSO) to a plurality of servers comprising the steps of:
- transmitting a set of login parameters from a client to a first server;
  
  performing by said first server an authentication on said set of login parameters using an authentication service, and receiving an authentication approval ticket from said authentication service;
  
  creating a SSOToken responsive by said first server in response to receipt of said authentication approval ticket, said SSOToken with being associated with said authentication approval ticket, said SSOToken having a unique token number and originating server indication;
  
  providing said SSOToken to said client; and
  
  providing said associated authentication approval ticket to a second server upon receipt of a credentials request from said second server, said credentials request containing said SSOToken.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method as set forth in claim 1 wherein said step of performing an authentication comprises performing a Kerberos authentication, wherein said step of receiving an authentication approval ticket comprises receiving a Kerberos ticket-granting ticket, and where said step of providing said associated authentication approval ticket to a second server comprises providing said Kerberos ticket-granting ticket.
  - 3. The method as set forth in claim 1 wherein said step of providing said SSOToken to said client further comprises providing a secure communications link between said first server and said client through which said SSOToken is exchanged.
  - 4. The method as set forth in claim 1 wherein said step of providing said associated authentication approval ticket to a second server further comprises providing a secure communications link between said first server and said second server through which said SSOToken and ticket-granting ticket are exchanged.
  - 5. The method as set forth in claim 1 further comprising the step of checking a local data store of associated SSOTokens and ticket-granting tickets to determine if a ticket-granting ticket has been previously stored for the requesting client, thereby eliminating the need to either perform an authentication with an authentication server or to request credentials from an originating server.

6. A computer-readable medium encoded with software for providing client single-sign-on (SSO) to a plurality of servers, said software causing one or more computers to perform the steps of:
- transmitting a set of login parameters from a client to a first server;
  
  performing by said first server an authentication on said set of login parameters using an authentication service, receiving an authentication approval ticket from said authentication service;
  
  creating a SSOToken responsive by said first server in response to receipt of said authentication approval ticket, said SSOToken with being associated with said authentication approval ticket, said SSOToken having a unique token number and originating server indication;
  
  providing said SSOToken to said client; and
  
  providing said associated authentication approval ticket to a second server upon receipt of a credentials request from said second server, said credentials request containing said SSOToken.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The computer readable medium as set forth in claim 6 wherein said software for performing an authentication comprises software for performing a Kerberos authentication, wherein said software for receiving an authentication approval ticket comprises software for receiving a Kerberos ticket-granting ticket, and where said software for providing said associated authentication approval ticket to a second server comprises software for providing said Kerberos ticket-granting ticket.
  - 8. The computer readable medium as set forth in claim 6 wherein said software for providing said SSOToken to said client further comprises software for providing a secure communications link between said first server and said client through which said SSOToken is exchanged.
  - 9. The computer readable medium as set forth in claim 6 wherein said software for providing said associated authentication approval ticket to a second server further comprises software for providing a secure communications link between said first server and said second server through which said SSOToken and ticket-granting ticket are exchanged.
  - 10. The computer readable medium as set forth in claim 6 further comprising software for checking a local data store of associated SSOTokens and ticket-granting tickets to determine if a ticket-granting ticket has been previously stored for the requesting client, thereby eliminating the need to either perform an authentication with an authentication server or to request credentials from an originating server.

11. A client single-sign-on (SSO) system for allowing a client to perform one authenticated sign on to a plurality of severs, said system comprising:
- an authenticated credential set associated with said client;
  
  a SSO Token containing a unique token identifier and a reference to a first server which received said authenticated credential set;
  
  a SSO Token to credential set storage accessible by said first server and in which said authenticated credential set and SSO Token are stored and associated;
  
  a means for providing said SSO Token to said client; and
  
  a first server means for providing said authenticated credential set associated with said SSO Token to a second server in response to a request for credentials from said second server, said request for credentials containing said SSO Token for said client, thereby providing proxied authentication to said second server from said first server.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The system as set forth in claim 11 wherein said authenticated credential set comprises a Kerberos ticket-granting ticket.
  - 13. The system as set forth in claim 11 wherein said means for providing said SSO Token to said client comprises a secure sockets layer communications link.
  - 14. The system as set forth in claim 11 wherein said first server means for providing said authenticated credential set associated with said SSO Token to a second server comprises a secure sockets layer communication link.
  - 15. The system as set forth in claim 11 further comprising a second server storage for caching said SSO Token which is provided by said first server such that said second server may avoid requesting credentials upon subsequent service requests from said client.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Venkataramappa, Vishwanath

Application Number

US10/112,499
Publication Number

US 20030188193A1
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

H04L 63/0807 using tickets, e.g. Kerbero...

H04L 63/0815 providing single-sign-on or...

Single sign on for kerberos authentication

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Single sign on for kerberos authentication

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links