Integrating legacy application/data access with single sign-on in a distributed computing environment

US 20040098595A1
Filed: 11/14/2002
Published: 05/20/2004
Est. Priority Date: 11/14/2002
Status: Active Grant

First Claim

Patent Images

1. A method of integrating legacy access with single sign-on in a distributed computing environment, comprising steps of:

establishing a first secure session from a client on a user'"'"'s workstation to a server, wherein the secure session establishment authenticates the user'"'"'s identity from identifying information passed from the client;

storing the identifying information in a security token accessible to the server; and

using the identifying information stored in the security token to authenticate the user for access to a legacy host application or system, whereby the authentication occurs programmatically and does not require the user to re-enter his identifying information.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention provides methods, systems, computer program products, and methods of doing business whereby legacy host application/system access is integrated with single sign-on in a modem distributed computing environment. A security token used for signing on to the modem computing environment is leveraged, and is mapped to user credentials for the legacy host environment. These user credentials are programmatically inserted into a legacy host data stream, thereby giving the end user the look and feel of seamless access to all applications/systems, including not only modem computing applications/systems but also those residing on (or accessible through) legacy hosts. In addition to providing users with the advantages of single sign-on, the disclosed techniques enable limiting the number of user identifiers and passwords an enterprise has to manage.

201 Citations

19 Claims

1. A method of integrating legacy access with single sign-on in a distributed computing environment, comprising steps of:
- establishing a first secure session from a client on a user'"'"'s workstation to a server, wherein the secure session establishment authenticates the user'"'"'s identity from identifying information passed from the client;
  
  storing the identifying information in a security token accessible to the server; and
  
  using the identifying information stored in the security token to authenticate the user for access to a legacy host application or system, whereby the authentication occurs programmatically and does not require the user to re-enter his identifying information.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method as claimed in claim 1, wherein the step of using the identifying information further comprises the steps of:
    - requesting a legacy host access agent to generate a password substitute, based on the user'"'"'s identifying information from the security token and an identifier of the legacy host application or system;
      
      passing the password substitute and a legacy host identifier of the user to the client on the user workstation;
      
      establishing a second secure session between an emulator client operating on the user'"'"'s workstation and an emulator server on a host where the legacy host application or system will be accessible;
      
      receiving a sign-on data stream from the legacy host application or system at the emulator client over the second secure session;
      
      programmatically inserting the password substitute and the legacy host identifier into the sign-on data stream, creating a modified data stream;
      
      returning the modified data stream from the emulator client to the emulator server, over the second secure session; and
      
      sending, by the legacy host application or system, the password substitute and the legacy host identifier to the legacy host access agent for transparently authenticating the user.
  - 3. The method as claimed in claim 2, wherein the emulator client is downloaded dynamically to the user workstation, responsive to determining that the user wishes to execute legacy host applications and/or systems.
  - 4. The method as claimed in claim 1, wherein the step of using the identifying information further comprises the steps of:
    - retrieving the user'"'"'s password from secure storage over a trusted secure connection, based on the user'"'"'s identifying information from the security token and an identifier of the legacy host application or system;
      
      passing the password and a legacy host identifier of the user to the client on the user workstation;
      
      establishing a second secure session between an emulator client operating on the user'"'"'s workstation and an emulator server on a host where the legacy host application or system will be accessible;
      
      receiving sign-on data stream from the legacy host application or system at the emulator client over the second secure session;
      
      programmatically inserting the password and the legacy host identifier into the sign-on data stream, creating a modified data stream;
      
      returning the modified data stream from the emulator client to the emulator server, over the second secure session; and
      
      sending, by the legacy host application or system, the password and the legacy host identifier to the legacy host access agent for transparently authenticating the user.
  - 5. The method as claimed in claim 1, wherein the step of using the identifying information further comprises the steps of:
    - requesting a legacy host access agent to generate a password substitute, based on the user'"'"'s identifying information from the security token and an identifier of the legacy host application or system;
      
      passing the password substitute and a legacy host identifier of the user to an emulator client at the server, where this emulator client operates as a proxy for the client on the user'"'"'s workstation;
      
      establishing a second secure session between the emulator client and an emulator server on a host where the legacy host application or system will be accessible;
      
      receiving a sign-on data stream from the legacy host application or system at the emulator client over the second secure session;
      
      programmatically inserting the password substitute and the legacy host identifier into the sign-on data stream, creating a modified data stream;
      
      returning the modified data stream from the emulator client to the emulator server, over the second secure session; and
      
      sending, by the legacy host application or system, the password substitute and the legacy host identifier to the legacy host access agent for transparently authenticating the user.
  - 6. The method as claimed in claim 1, wherein the step of using the identifying information further comprises the steps of:
    - retrieving the user'"'"'s password from secure storage over a trusted secure connection, based on the user'"'"'s identifying information from the security token and an identifier of the legacy host application or system;
      
      passing the password and a legacy host identifier of the user to an emulator client at the server, where this emulator client operates as a proxy for the client on the user'"'"'s workstation;
      
      establishing a second secure session between the emulator client and an emulator server on a host where the legacy host application or system will be accessible;
      
      receiving a sign-on data stream from the legacy host application or system at the emulator client over the second secure session;
      
      programmatically inserting the password and the legacy host identifier into the sign-on data stream, creating a modified data stream;
      
      returning the modified data stream from the emulator client to the emulator server, over the second secure session; and
      
      sending, by the legacy host application or system, the password and the legacy host identifier to the legacy host access agent for transparently authenticating the user.

7. A system for integrating legacy access with single sign-on in a distributed computing environment, comprising:
- means for establishing a first secure session from a client on a user'"'"'s workstation to a server, wherein the secure session establishment authenticates the user'"'"'s identity from identifying information passed from the client;
  
  means for storing the identifying information in a security token accessible to the server; and
  
  means for using the identifying information stored in the security token to authenticate the user for access to a legacy host application or system, whereby the authentication occurs programmatically and does not require the user to re-enter his identifying information.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The system as claimed in claim 7, wherein the means for using the identifying information further comprises:
    - means for requesting a legacy host access agent to generate a password substitute, based on the user'"'"'s identifying information from the security token and an identifier of the legacy host application or system;
      
      means for passing the password substitute and a legacy host identifier of the user to the client on the user workstation;
      
      means for establishing a second secure session between an emulator client operating on the user'"'"'s workstation and an emulator server on a host where the legacy host application or system will be accessible;
      
      means for receiving a sign-on data stream from the legacy host application or system at the emulator client over the second secure session;
      
      means for programmatically inserting the password substitute and the legacy host identifier into the sign-on data stream, creating a modified data stream;
      
      means for returning the modified data stream from the emulator client to the emulator server, over the second secure session; and
      
      means for sending, by the legacy host application or system, the password substitute and the legacy host identifier to the legacy host access agent for transparently authenticating the user.
  - 9. The system as claimed in claim 8, wherein the emulator client is downloaded dynamically to the user workstation, responsive to determining that the user wishes to execute legacy host applications and/or systems.
  - 10. The system as claimed in claim 7, wherein the means for using the identifying information further comprises:
    - means for retrieving the user'"'"'s password from secure storage over a trusted secure connection, based on the user'"'"'s identifying information from the security token and an identifier of the legacy host application or system;
      
      means for passing the password and a legacy host identifier of the user to the client on the user workstation;
      
      means for establishing a second secure session between an emulator client operating on the user'"'"'s workstation and an emulator server on a host where the legacy host application or system will be accessible;
      
      means for receiving a sign-on data stream from the legacy host application or system at the emulator client over the second secure session;
      
      means for programmatically inserting the password and the legacy host identifier into the sign-on data stream, creating a modified data stream;
      
      means for returning the modified data stream from the emulator client to the emulator server, over the second secure session; and
      
      means for sending, by the legacy host application or system, the password and the legacy host identifier to the legacy host access agent for transparently authenticating the user.
  - 11. The system as claimed in claim 7, wherein the means for using the identifying information further comprises:
    - means for requesting a legacy host access agent to generate a password substitute, based on the user'"'"'s identifying information from the security token and an identifier of the legacy host application or system;
      
      means for passing the password substitute and a legacy host identifier of the user to an emulator client at the server, where this emulator client operates as a proxy for the client on the user'"'"'s workstation;
      
      means for establishing a second secure session between the emulator client and an emulator server on a host where the legacy host application or system will be accessible;
      
      means for receiving a sign-on data stream from the legacy host application or system at the emulator client over the second secure session;
      
      means for programmatically inserting the password substitute and the legacy host identifier into the sign-on data stream, creating a modified data stream;
      
      means for returning the modified data stream from the emulator client to the emulator server, over the second secure session; and
      
      means for sending, by the legacy host application or system, the password substitute and the legacy host identifier to the legacy host access agent for transparently authenticating the user.
  - 12. The system as claimed in claim 7, wherein the means for using the identifying information further comprises:
    - means for retrieving the user'"'"'s password from secure storage over a trusted secure connection, based on the user'"'"'s identifying information from the security token and an identifier of the legacy host application or system;
      
      means for passing the password and a legacy host identifier of the user to an emulator client at the server, where this emulator client operates as a proxy for the client on the user'"'"'s workstation;
      
      means for establishing a second secure session between the emulator client and an emulator server on a host where the legacy host application or system will be accessible;
      
      means for receiving a sign-on data stream from the legacy host application or system at the emulator client over the second secure session;
      
      means for programmatically inserting the password and the legacy host identifier into the sign-on data stream, creating a modified data stream;
      
      means for returning the modified data stream from the emulator client to the emulator server, over the second secure session; and
      
      means for sending, by the legacy host application or system, the password and the legacy host identifier to the legacy host access agent for transparently authenticating the user.

13. A computer program product for integrating legacy access with single sign-on in a distributed computing environment, the computer program product embodied on one or more computer-readable media and comprising:
- computer-readable program code means for establishing a first secure session from a client on a user'"'"'s workstation to a server, wherein the secure session establishment authenticates the user'"'"'s identity from identifying information passed from the client;
  
  computer-readable program code means for storing the identifying information in a security token accessible to the server; and
  
  computer-readable program code means for using the identifying information stored in the security token to authenticate the user for access to a legacy host application or system, whereby the authentication occurs programmatically and does not require the user to re-enter his identifying information.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The computer program product as claimed in claim 13, wherein the computer-readable program code means for using the identifying information further comprises:
    - computer-readable program code means for requesting a legacy host access agent to generate a password substitute, based on the user'"'"'s identifying information from the security token and an identifier of the legacy host application or system;
      
      computer-readable program code means for passing the password substitute and a legacy host identifier of the user to the client on the user workstation;
      
      computer-readable program code means for establishing a second secure session between an emulator client operating on the user'"'"'s workstation and an emulator server on a host where the legacy host application or system will be accessible;
      
      computer-readable program code means for receiving a sign-on data stream from the legacy host application or system at the emulator client over the second secure session;
      
      computer-readable program code means for programmatically inserting the password substitute and the legacy host identifier into the sign-on data stream, creating a modified data stream;
      
      computer-readable program code means for returning the modified data stream from the emulator client to the emulator server, over the second secure session; and
      
      computer-readable program code means for sending, by the legacy host application or system, the password substitute and the legacy host identifier to the legacy host access agent for transparently authenticating the user.
  - 15. The computer program product as claimed in claim 14, wherein the emulator client is downloaded dynamically to the user workstation, responsive to determining that the user wishes to execute legacy host applications and/or systems.
  - 16. The computer program product as claimed in claim 13, wherein the computer-readable problem code means for using the identifying information further comprises:
    - computer-readable program code means for retrieving the user'"'"'s password from secure storage over a trusted secure connection, based on the user'"'"'s identifying information from the security token and an identifier of the legacy host application or system;
      
      computer-readable program code means for passing the password and a legacy host identifier of the user to the client on the user workstation;
      
      computer-readable program code means for establishing a second secure session between an emulator client operating on the user'"'"'s workstation and an emulator server on a host where the legacy host application or system will be accessible;
      
      computer-readable program code means for receiving a sign-on data stream from the legacy host application or system at the emulator client over the second secure session;
      
      computer-readable program code means for programmatically inserting the password and the legacy host identifier into the sign-on data stream, creating a modified data stream;
      
      computer-readable program code means for returning the modified data stream from the emulator client to the emulator server, over the second secure session; and
      
      computer-readable program code means for sending, by the legacy host application or system, the password and the legacy host identifier to the legacy host access agent for transparently authenticating the user.
  - 17. The computer program product as claimed in claim 13, wherein the computer-readable program code means for using the identifying information further comprises:
    - computer-readable program code means for requesting a legacy host access agent to generate a password substitute, based on the user'"'"'s identifying information from the security token and an identifier of the legacy host application or system;
      
      computer-readable program code means for passing the password substitute and a legacy host identifier of the user to an emulator client at the server, where this emulator client operates as a proxy for the client on the user'"'"'s workstation;
      
      computer-readable program code means for establishing a second secure session between the emulator client and an emulator server on a host where the legacy host application or system will be accessible;
      
      computer-readable program code means for receiving a sign-on data stream from the legacy host application or system at the emulator client over the second secure session;
      
      computer-readable program code means for programmatically inserting the password substitute and the legacy host identifier into the sign-on data stream, creating a modified data stream;
      
      computer-readable program code means for returning the modified data stream from the emulator client to the emulator server, over the second secure session; and
      
      computer-readable program code means for sending, by the legacy host application or system, the password substitute and the legacy host identifier to the legacy host access agent for transparently authenticating the user.
  - 18. The computer program product as claimed in claim 13, wherein the computer-readable program code means for using the identifying information further comprises:
    - computer-readable program code means for retrieving the user'"'"'s password from secure storage over a trusted secure connection, based on the user'"'"'s identifying information from the security token and an identifier of the legacy host application or system;
      
      computer-readable program code means for passing the password and a legacy host identifier of the user to an emulator client at the server, where this emulator client operates as a proxy for the client on the user'"'"'s workstation;
      
      computer-readable program code means for establishing a second secure session between the emulator client and an emulator server on a host where the legacy host application or system will be accessible;
      
      computer-readable program code means for receiving a sign-on data stream from the legacy host application or system at the emulator client over the second secure session;
      
      computer-readable program code means for programmatically inserting the password and the legacy host identifier into the sign-on data stream, creating a modified data stream;
      
      computer-readable program code means for returning the modified data stream from the emulator client to the emulator server, over the second secure session; and
      
      computer-readable program code means for sending, by the legacy host application or system, the password and the legacy host identifier to the legacy host access agent for transparently authenticating the user.

19. A method of doing business by seamlessly integrating legacy access with single sign-on in a distributed computing environment, comprising steps of:
- providing function for establishing a first secure session from a client on a user'"'"'s workstation to a server, wherein the secure session establishment authenticates the user'"'"'s identity from identifying information passed from the client;
  
  providing function for storing the identifying information in a security token accessible to the server; and
  
  providing function for using the identifying information stored in the security token to authenticate the user for access to a legacy host application or system, whereby the authentication occurs programmatically and does not require the user to re-enter his identifying information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hulu LLC (The Walt Disney Company)
Original Assignee
International Business Machines Corporation
Inventors
Muppidi, Sridhar R., Aupperle, Bryan E., King, Julie H.

Granted Patent

US 7,426,642 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/185
CPC Class Codes

H04L 63/0815 providing single-sign-on or...

H04L 63/083 using passwords cryptograph...

Integrating legacy application/data access with single sign-on in a distributed computing environment

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

201 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Integrating legacy application/data access with single sign-on in a distributed computing environment

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

201 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links