Cross platform network authentication and authorization model

US 20040093515A1
Filed: 11/12/2002
Published: 05/13/2004
Est. Priority Date: 11/12/2002
Status: Active Grant

First Claim

Patent Images

1. In a computing environment, a method comprising:

receiving a request for a ticket, the request comprising data in a format that is independent of any particular platform;

deserializing the request data into a data structure that provides access to credentials within the request data;

accessing the credentials to authenticate the credentials and determine role information based on the credentials;

constructing a ticket including the role information;

preparing the ticket for transmission;

inserting the prepared ticket into a response message that is formatted in a format that is independent of any particular platform; and

returning the ticket in response to the request.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A model for authentication and authorization of users and applications that use network services. A client requests a ticket by providing credentials (user ID and password), e.g., over HTTP/SOAP/XML in the UDDI framework. An authentication adapter in a receiving server deserializes the request into a data structure that provides access to the security ID and password attributes, and passes these attributes to an ID management system to perform authentication. The credentials also determine the user'"'"'s or application'"'"'s privileges. The authentication adapter constructs a ticket object for the client incorporating the privileges and other information, e.g., the security ID and a date/time stamp. The ticket object is serialized, encrypted, encoded for transmission and inserted into an appropriately-formatted XML message and returned to the requesting client. The client attaches the authentication ticket to subsequent service requests that require authentication. To validate the ticket, the ticket object is reconstructed from the request data.

139 Citations

40 Claims

1. In a computing environment, a method comprising:
- receiving a request for a ticket, the request comprising data in a format that is independent of any particular platform;
  
  deserializing the request data into a data structure that provides access to credentials within the request data;
  
  accessing the credentials to authenticate the credentials and determine role information based on the credentials;
  
  constructing a ticket including the role information;
  
  preparing the ticket for transmission;
  
  inserting the prepared ticket into a response message that is formatted in a format that is independent of any particular platform; and
  
  returning the ticket in response to the request.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 2. The method of claim 1 wherein preparing the ticket for transmission comprises serializing the ticket into a data stream.
  - 3. The method of claim 2 wherein the data stream comprises binary data, and wherein preparing the ticket for transmission further comprises converting the binary data to ASCII data.
  - 4. The method of claim 2 wherein preparing the ticket for transmission further comprises encrypting the data stream into encrypted binary data.
  - 5. The method of claim 4 wherein preparing the ticket for transmission further comprises converting the data stream from the encrypted binary data to ASCII data.
  - 6. The method of claim 1 wherein inserting the prepared ticket comprises placing the prepared ticket into an XML message.
  - 7. The method of claim 1 wherein inserting the prepared ticket comprises placing the prepared ticket into a SOAP message.
  - 8. The method of claim 1 wherein inserting the prepared ticket comprises placing the prepared ticket into a UDDI authToken tag in a SOAP message.
  - 9. The method of claim 1 wherein accessing the credentials to authenticate the credentials comprises, providing a security ID and password data to an ID management system.
  - 10. The method of claim 1 wherein accessing the credentials to authenticate the credentials and determine role information based on the credentials comprises, providing the credentials to a Windows®
    - -based security interface.
  - 11. The method of claim 10 wherein providing the credentials to a Windows®
    - -based security interface comprises passing a security ID and password data to a called function.
  - 12. The method of claim 10 wherein providing the credentials to a Windows®
    - -based security interface comprises passing a user ID and a password data to a LogonUser application programming interface.
  - 13. The method of claim 1 wherein constructing the ticket further comprises including the security ID in the ticket.
  - 14. The method of claim 1 wherein constructing the ticket further comprises including date information in the ticket.
  - 15. The method of claim 1 further comprising, receiving the ticket from the client in association with a service request, and in response, authorizing the client to receive a service.
  - 16. The method of claim 1 further comprising, receiving the ticket from the client in association with service request data, and deserializing the service request data.
  - 17. The method of claim 1 further comprising, receiving the ticket from the client in association with service request data, and extracting from the service request data a data structure that provides access to information within the ticket.
  - 18. The method of claim 17 wherein extracting from the service request data a data structure comprises deserializing the service request data.
  - 19. The method of claim 18 wherein extracting from the service request data a data structure comprises converting ASCII data including the ticket information into binary data including the ticket information.
  - 20. The method of claim 19 further comprising, decrypting the binary data into unencrypted data.
  - 21. The method of claim 20 further comprising, deserializing the unencrypted data into a data structure that provides access to the ticket information including the role information.
  - 22. The method of claim 21 further comprising, authorizing the client to receive a service based at least in part on an evaluation of the role information.
  - 23. A computer-readable medium having computer-executable instructions for performing the method of claim 1.

24. In a computer network having a client, a system comprising:
- a server connected to the client to receive requests from the client, including a client request to receive a ticket, the request comprising data in a format that is independent of any particular platform;
  
  an authentication adapter associated with the server, the authentication adapter invoked by the server to handle the ticket request received from the client, the authentication adapter configured to;
  
  1) deserialize the request data into a data structure that provides access to credentials within the request data;
  
  2) access the credentials to authenticate the credentials;
  
  3) determine role information based on the credentials;
  
  4) construct a ticket including the role information;
  
  5) prepare the ticket for transmission;
  
  6) insert the prepared ticket into a response message that is formatted in a format that is independent of any particular platform; and
  
  7) provide the response message to the server; and
  
  the server returning the ticket to the client in response to the request.
- View Dependent Claims (25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 39)
- - 25. The system of claim 24 wherein the authentication adapter prepares the ticket for transmission by serializing the ticket into a data stream, encrypting the data stream into encrypted binary data, and converting the encrypted binary data to ASCII data
  - 26. The system of claim 24 wherein the authentication adapter serializes the response message.
  - 27. The system of claim 24 wherein the response message comprises an XML message.
  - 28. The system of claim 24 wherein the response message comprises a SOAP message.
  - 29. The system of claim 24 wherein the authentication adapter inserts the prepared ticket by placing the prepared ticket into a UDDI authToken tag in a SOAP message.
  - 30. The system of claim 24 wherein the authentication adapter accesses the ticket to authenticate the credentials by providing the credentials to an ID management system.
  - 31. The system of claim 30 wherein the ID management system includes a Windows®
    - -based security interface.
  - 32. The system of claim 31 wherein the Windows®
    - -based security interface comprises a LogonUser application programming interface.
  - 33. The system of claim 24 wherein the ticket constructed by the authentication adapter further includes a security ID.
  - 34. The system of claim 24 wherein the ticket constructed by the authentication adapter further includes date information.
  - 35. The system of claim 24 further comprising, another server that receives the ticket from the client in association with a service request, and in response, extracts the ticket from the client, authorizes the client based on the ticket, and provides a service to the client in response to the service request.
  - 36. The system of claim 35 wherein the other server extracts the ticket by deserializing at least part of the service request data corresponding to the ticket into a data stream, decoding the data stream into encrypted binary data representing the ticket, decrypting the encrypted binary data into a decrypted data stream, and deserializing the decrypted data stream into a data structure that provides access to information within the ticket.
  - 39. The system of claim 24 further comprising, receiving the ticket from the client in association with a service request, extracting the ticket from the client, determining whether the ticket authorizes the client to receive a requested service, and if so, providing the requested service to the client in response to the service request.

37. In a computing environment, a method comprising:
- receiving a request for a ticket, the request comprising data in a UDDI get_authToken request and including credentials;
  
  deserializing the request data into an object that provides access to the credentials;
  
  providing the credentials to an ID management system that authenticates the credentials and determines role information based on the credentials;
  
  constructing a ticket including a security identifier, the role information and date information;
  
  preparing the ticket for transmission, including encrypting the ticket and inserting the ticket into a UDDI authToken ticket response message; and
  
  returning the ticket in response to the request.
- View Dependent Claims (38, 40)
- - 38. The method of claim 37 wherein preparing the ticket for transmission further comprises converting binary data to ASCII data.
  - 40. A computer-readable medium having computer-executable instructions for performing the method of claim 37.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Reeves, Charles R. Jr.

Granted Patent

US 7,178,163 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/10
CPC Class Codes

H04L 63/0807 using tickets, e.g. Kerbero...

H04L 63/10 for controlling access to d...

Cross platform network authentication and authorization model

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

139 Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

Cross platform network authentication and authorization model

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

139 Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links