Method and system for user-determined authentication in a federated environment

US 20040002878A1
Filed: 06/28/2002
Published: 01/01/2004
Est. Priority Date: 06/28/2002
Status: Abandoned Application

First Claim

Patent Images

1. A method for authenticating a user within a data processing system, the method comprising:

receiving at an e-commerce service provider a request from a client for access to a controlled resource; and

allowing a specification of one of a plurality of authentication service providers to be used by the e-commerce service provider in determining access to the controlled resource for the client.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, system, or computer program product is presented for cross-domain, single-sign-on, authentication functionality. A user may contract with one or more authentication service providers (ANSPs). E-commerce service providers (ECSPs), such as online banks or online merchants, also maintain a relationship with an ANSP such that the ECSP can trust the authenticated identity of a user that is vouched-for by the ANSP on behalf of the user. The user can visit any e-commerce service provider in a federated environment without having to establish an a priori relationship with that particular ECSP. As long as the ECSP'"'"'s domain has a relationship with at least one of the user'"'"'s authentication service providers, then the user will be able to have a single-sign-on experience at that ECSP.

208 Citations

52 Claims

1. A method for authenticating a user within a data processing system, the method comprising:
- receiving at an e-commerce service provider a request from a client for access to a controlled resource; and
  
  allowing a specification of one of a plurality of authentication service providers to be used by the e-commerce service provider in determining access to the controlled resource for the client.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 further comprising:
    - receiving a specification of an authentication service provider along with the request for access to the controlled resource.
  - 3. The method of claim 2 further comprising:
    - retrieving the specification of an authentication service provider from a cookie.
  - 4. The method of claim 1 further comprising:
    - providing a user selection of one of the plurality of authentication service providers if an authentication service provider was not received along with the request for access to the controlled resource.
  - 5. The method of claim 4 further comprising:
    - providing a user selection to persistently associate with the user the user selection of one of the plurality of authentication service providers.
  - 6. The method of claim 1 further comprising:
    - sending an authentication request from the e-commerce service provider to the specified authentication service provider; and
      
      determining at the e-commerce service provider whether to provide access to the controlled resource based on an authentication response from the specified authentication service provider.
  - 7. The method of claim 1 further comprising:
    - in response to receiving the request from the client for access to the controlled resource, determining if the e-commerce service provider has a valid authentication credential for the client; and
      
      in response to a determination that the e-commerce service provider has a valid authentication credential for the client, performing an access control decision for the request from the client for access to the controlled resource without sending an authentication request to one of the plurality of authentication service providers.

8. A method for authenticating a user within a data processing system, the method comprising:
- receiving at a first server a request from a client for access to a controlled resource;
  
  in response to a determination that the first server has an identity of a second server that supports an authentication service that was previously associated with the client, sending an authentication request to the second server from the first server;
  
  in response to a determination that the first server does not have an identity of a second server that supports an authentication service that was previously associated with the client;
  
  allowing a user to choose an identity for the second server; and
  
  sending an authentication request to the second server from the first server.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 9. The method of claim 8 further comprising:
    - receiving an authentication response from the second server; and
      
      determining whether to provide access to the controlled resource based on an indicated status in the authentication response.
  - 10. The method of claim 8 further comprising:
    - in response to receiving the request from the client for access to the controlled resource, determining if the first server has a valid authentication credential for the client at the first server; and
      
      in response to a determination that the first server has a valid authentication credential for the client at the first server, performing an access control decision for the request from the client for access to the controlled resource without sending an authentication request to the second server from the first server.
  - 11. The method of claim 8 further comprising:
    - determining at the second server whether the second server has a valid authentication credential for the client; and
      
      in response to a determination that the second server has a valid authentication credential for the client, returning a valid authentication status in response to the authentication request.
  - 12. The method of claim 8 further comprising:
    - associating with the client the user'"'"'s choice of the identity of the second server.
  - 13. The method of claim 12 further comprising:
    - storing the user'"'"'s choice of the identity of the second server in a persistent cookie at the client.
  - 14. The method of claim 12 further comprising:
    - allowing a user to choose whether to store the user'"'"'s choice of the identity of the second server in a cookie at the client.
  - 15. The method of claim 12 further comprising:
    - allowing a user to choose whether to persistently associate the user'"'"'s choice of the identity of the second server with the user.
  - 16. The method of claim 12 further comprising:
    - allowing a user to choose whether to establish a relationship with the authentication service at the second server.
  - 17. The method of claim 8 further comprising:
    - using HTTP redirection via the client to send the authentication request to the second server.

18. An,apparatus for authenticating a user within a data processing system, the apparatus comprising:
- means for receiving at an e-commerce service provider a request from a client for access to a controlled resource; and
  
  means for allowing a specification of one of a plurality of authentication service providers to be used by the e-commerce service provider in determining access to the controlled resource for the client.
- View Dependent Claims (19, 20, 21, 22, 23, 24)
- - 19. The apparatus of claim 18 further comprising:
    - means for receiving a specification of an authentication service provider along with the request for access to the controlled resource.
  - 20. The apparatus of claim 19 further comprising:
    - means for retrieving the specification of an authentication service provider from a cookie.
  - 21. The,apparatus of claim 18 further comprising:
    - means for providing a user selection of one of the plurality of authentication service providers if an authentication service provider was not received along with the request for access to the controlled resource.
  - 22. The apparatus of claim 21 further comprising:
    - means for providing a user selection to persistently associate with the user the user selection of one of the plurality of authentication service providers.
  - 23. The apparatus of claim 18 further comprising:
    - means for sending an authentication request from the e-commerce service provider to the specified authentication service provider; and
      
      means for determining at the e-commerce service provider whether to provide access to the controlled resource based on an authentication response from the specified authentication service provider.
  - 24. The apparatus of claim 18 further comprising:
    - means for determining if the e-commerce service provider has a valid authentication credential for the client in response to receiving the request from the client for access to the controlled resource; and
      
      means for performing an access control decision for the request from the client for access to the controlled resource without sending an authentication request to one of the plurality of authentication service providers in response to a determination that the e-commerce service provider has a valid authentication credential for the client.

25. An apparatus for authenticating a user within a data processing system, the apparatus comprising:
- means for receiving at a first server a request from a client for access to a controlled resource;
  
  means for sending an authentication request to the second server from the first server in response to a determination that the first server has an identity of a second server that supports an authentication service that was previously associated with the client;
  
  means for allowing a user to choose an identity for the second server in response to a determination that the first server does not have an identity of a second server that supports an authentication service that was previously associated with the client; and
  
  means for sending an authentication request to the second server from the first server in response to a determination that the first server does not have an identity of a second server that supports an authentication service that was previously associated with the client.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34)
- - 26. The apparatus of claim 25 further comprising:
    - means for receiving an authentication response from the second server; and
      
      means for determining whether to provide access to the controlled resource based on an indicated status in the authentication response.
  - 27. The apparatus of claim 25 further comprising:
    - mean for determining if the first server has a valid authentication credential for the client at the first server in response to receiving the request from the client for access to the controlled resource; and
      
      means for performing an access control decision for the request from the client for access to the controlled resource without sending an authentication request to the second server from the first server in response to a determination that the first server has a valid authentication credential for the client at the first server.
  - 28. The apparatus of claim 25 further comprising:
    - means for determining at the second server whether the second server has a valid authentication credential for the client; and
      
      means for returning a valid authentication status in response to the authentication request in response to a determination that the second server has a valid authentication credential for the client.
  - 29. The apparatus of claim 25 further comprising:
    - means for associating with the client the user'"'"'s choice of the identity of the second server.
  - 30. The apparatus of claim 29 further comprising:
    - means for storing the user'"'"'s choice of the identity of the second server in a persistent cookie at the client.
  - 31. The apparatus of claim 29 further comprising:
    - means for allowing a user to choose whether to store the user'"'"'s choice of the identity of the second server in a cookie at the client.
  - 32. The apparatus of claim 29 further comprising:
    - means for allowing a user to choose whether to persistently associate the user'"'"'s choice of the identity of the second server with the user.
  - 33. The apparatus of claim 29 further comprising:
    - means for allowing a user to choose whether to establish a relationship with the authentication service at the second server.
  - 34. The apparatus of claim 25 further comprising:
    - means for using HTTP redirection via the client to send the authentication request to the second server.

35. A computer program product in a computer readable medium for use in authenticating a user within a data processing system, the computer program product comprising:
- means for receiving at an e-commerce service provider a request from a client for access to a controlled resource; and
  
  means for allowing a specification of one of a plurality of authentication service providers to be used by the e-commerce service provider in determining access to the controlled resource for the client.
- View Dependent Claims (36, 37, 38, 39, 40, 41)
- - 36. The computer program product of claim 35 further comprising:
    - means for receiving a specification of an authentication service provider along with the request for access to the controlled resource.
  - 37. The computer program product of claim 36 further comprising:
    - means for retrieving the specification of an authentication service provider from a cookie.
  - 38. The computer program product of claim 35 further comprising:
    - means for providing a user selection of one of the plurality of authentication service providers if an authentication service provider was not received along with the request for access to the controlled resource.
  - 39. The computer program product of claim 38 further comprising:
    - means for providing a user selection to persistently associate with the user the user selection of one of the plurality of authentication service providers.
  - 40. The computer program product of claim 35 further comprising:
    - means for sending an authentication request from the e-commerce service provider to the specified authentication service provider; and
      
      means for determining at the e-commerce service provider whether to provide access to the controlled resource based on an authentication response from the specified authentication service provider.
  - 41. The computer program product of claim 35 further comprising:
    - means for determining if the e-commerce service provider has a valid authentication credential for the client in response to receiving the request from the client for access to the controlled resource; and
      
      means for performing an access control decision for the request from the client for access to the controlled resource without sending an authentication request to one of the plurality of authentication service providers in response to a determination that the e-commerce service provider has a valid authentication credential for the client.

42. A computer program product in a computer readable medium for use in authenticating a user within a data processing system, the computer program product comprising:
- means for receiving at a first server a request from a client for access to a controlled resource;
  
  means for sending an authentication request to the second server from the first server in response to a determination that the first server has an identity of a second server that supports an authentication service that was previously associated with the client;
  
  means for allowing a user to choose an identity for the second server in response to a determination that the first server does not have an identity of a second server that supports an authentication service that was previously associated with the client; and
  
  means for sending an authentication request to the second server from the first server in response to a determination that the first server does not have an identity of a second server that supports an authentication service that was previously associated with the client.
- View Dependent Claims (43, 44, 45, 46, 47, 48, 49, 50, 51)
- - 43. The computer program product of claim 42 further comprising:
    - means for receiving an authentication response from the second server; and
      
      means for determining whether to provide access to the controlled resource based on an indicated status in the authentication response.
  - 44. The computer program product of claim 42 further comprising:
    - mean for determining if the first server has a valid authentication credential for the client at the first server in response to receiving the request from the client for access to the controlled resource; and
      
      means for performing an access control decision for the request from the client for access to the controlled resource without sending an authentication request to the second server from the first server in response to a determination that the first server has a valid authentication credential for the client at the first server.
  - 45. The computer program product of claim 42 further comprising:
    - means for determining at the second server whether the second server has a valid authentication credential for the client; and
      
      means for returning a valid authentication status in response to the authentication request in response to a determination that the second server has a valid authentication credential for the client.
  - 46. The computer program product of claim 42 further comprising:
    - means for associating with the client the user'"'"'s choice of the identity of the second server.
  - 47. The computer program product of claim 46 further comprising:
    - means for storing the user'"'"'s choice of the identity of the second server in a persistent cookie at the client.
  - 48. The computer program product of claim 46 further comprising:
    - means for allowing a user to choose whether to store the user'"'"'s choice of the identity of the second server in a cookie at the client.
  - 49. The computer program product of claim 46 further comprising:
    - means for allowing a user to choose whether to persistently associate the user'"'"'s choice of the identity of the second server with the user.
  - 50. The computer program product of claim 46 further comprising:
    - means for allowing a user to choose whether to establish a relationship with the authentication service at the second server.
  - 51. The computer program product of claim 42 further comprising:
    - means for using HTTP redirection via the client to send the authentication request to the second server.

52. A network data message comprising:
- a transport protocol header;
  
  a Uniform Resource Identifier (URI) associated with a controlled resource; and
  
  an authentication service provider token that indicates a domain identity of an authentication service provider, wherein the authentication service provider is one of a plurality of authentication service providers in a federated environment that may be used in responding to a request to access the controlled resource.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Maria Hinton, Heather

Application Number

US10/184,664
Publication Number

US 20040002878A1
Time in Patent Office

Days
Field of Search
US Class Current

705/7
CPC Class Codes

G06Q 20/3821   Electronic credentials

G06Q 30/06   Buying, selling or leasing ...

H04L 63/0815   providing single-sign-on or...

Method and system for user-determined authentication in a federated environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

208 Citations

52 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for user-determined authentication in a federated environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

208 Citations

52 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links