Passive client single sign-on for Web applications

US 20040230831A1
Filed: 05/12/2003
Published: 11/18/2004
Est. Priority Date: 05/12/2003
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving a resource challenge from a resource server of a resource realm through a Web-based client of an account realm, the resource challenge being generated responsive to a request for access to a Web application provided by the resource server, the resource realm and the account realm sharing a trust policy in a federation;

sending a security token service challenge to an account security token service module of the account realm through the Web-based client, responsive to receiving the resource challenge;

verifying an account security token received from the account security token service module through the Web-based client, responsive to the sending of the security token service challenge, the account security token being formatted in accordance with the trust policy in the federation; and

sending a resource security token generated by the resource security token service module through the Web-based client to the resource server to authenticate the user for access to the Web application, responsive to verifying the account security token.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system provides single sign-on capabilities for accessing a Web application through a passive client across multiple realms within a federation. A federation refers to different organizations or realms that have employed agreements, standards, and/or cooperative technologies to make user identity and entitlements portable between the organizations. Communications are redirected through a client in one realm to obtain a security token that can allow the resource server in the other realm to authenticate the user for access to the Web application.

222 Citations

58 Claims

1. A method comprising:
- receiving a resource challenge from a resource server of a resource realm through a Web-based client of an account realm, the resource challenge being generated responsive to a request for access to a Web application provided by the resource server, the resource realm and the account realm sharing a trust policy in a federation;
  
  sending a security token service challenge to an account security token service module of the account realm through the Web-based client, responsive to receiving the resource challenge;
  
  verifying an account security token received from the account security token service module through the Web-based client, responsive to the sending of the security token service challenge, the account security token being formatted in accordance with the trust policy in the federation; and
  
  sending a resource security token generated by the resource security token service module through the Web-based client to the resource server to authenticate the user for access to the Web application, responsive to verifying the account security token.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1 wherein the account security token has a format that is dependent upon the trust policy in the federation.
  - 3. The method of claim 1 wherein the security token service challenge has a format that is dependent upon the trust policy in the federation.
  - 4. The method of claim 1 wherein content of the account security token is dependent upon the trust policy in the federation.
  - 5. The method of claim 1 wherein content of the security token service challenge is dependent upon the trust policy in the federation.
  - 6. The method of claim 1 wherein the resource challenge has a format that is dependent upon a trust policy in the resource realm.
  - 7. The method of claim 1 wherein the resource security token has a format that is dependent upon a trust policy in the resource realm.
  - 8. The method of claim 1 wherein the account security token is generated responsive to authentication of the user by the account security token service module in the account realm.
  - 9. The method of claim 1 further comprising:
    - determining a realm in which the user is a member, the realm representing the account realm.
  - 10. The method of claim 1 further comprising:
    - receiving the resource challenge from the resource server by a redirection through a passive client in the account realm.
  - 11. The method of claim 1 further comprising:
    - redirecting the security token service challenge to the account security token service module of the account realm through a passive client in the account realm.
  - 12. The method of claim 1 further comprising:
    - receiving the account security token from the account security token service module by a redirection through a passive client in the account realm.

13. A method comprising:
- receiving a resource security token generated by a resource security token service module of a resource realm, responsive to verification by the resource security token service module of an account security token received from an account realm, wherein the resource realm and the account realm share a trust policy in a federation; and
  
  authenticating a user of the account realm for access to a Web application provided by a resource server of the resource realm, based on the resource security token.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21)
- - 14. The method of claim 13 wherein the account security token has a format that is dependent upon the trust policy in the federation.
  - 15. The method of claim 13 wherein content of the account security token is dependent upon the trust policy in the federation.
  - 16. The method of claim 13 further comprising:
    - sending a resource challenge to the resource security token service module in the resource realm, responsive to a request from the user for access to a Web application.
  - 17. The method of claim 13 further comprising:
    - sending a resource challenge to the resource security token service module in the resource realm, responsive to a request from the user for access to a Web application, wherein the resource challenge has a format that is dependent upon a trust policy in the resource realm.
  - 18. The method of claim 13 wherein the resource security token has a format that is dependent upon a trust policy in the resource realm.
  - 19. The method of claim 13 wherein the resource security token is generated responsive to authentication of the user by the resource security token service module in the resource realm.
  - 20. The method of claim 13 further comprising:
    - receiving the resource security token from the resource security token service by a redirection through a passive client in the account realm.
  - 21. The method of claim 13 further comprising:
    - redirecting a resource challenge to the resource security token service module of the account realm through a passive client in the account realm.

22. A method comprising:
- receiving a security token service challenge of an account realm from a security token service module of a resource realm through a Web-based client of an account realm, the security token service challenge being generated responsive to a request by a user for access to a Web application provided by a resource server of the resource realm, the resource realm and the account realm sharing a trust policy in a federation; and
  
  sending an account security token to the resource security token service module of the resource realm through the Web-based client, responsive to receiving the security token service challenge, to authenticate the user for access to the Web application.
- View Dependent Claims (23, 24, 25, 26, 27)
- - 23. The method of claim 22 wherein the account security token has a format that is dependent upon the trust policy in the federation.
  - 24. The method of claim 22 wherein content of the account security token is dependent upon the trust policy in the federation.
  - 25. The method of claim 22 wherein the account security token is generated responsive to authentication of the user by the account security token service module in the account realm.
  - 26. The method of claim 22 further comprising:
    - receiving the resource challenge from the resource security token service by a redirection through a passive client in the account realm.
  - 27. The method of claim 22 further comprising:
    - redirecting an account security token to the resource security token service module of the resource realm through a passive client in the account realm.

28. A computer program product encoding a computer program for executing on a computer system a computer process, the computer process comprising:
- receiving a resource challenge from a resource server of a resource realm through a Web-based client of an account realm, the resource challenge being generated responsive to a request for access to a Web application provided by the resource server, the resource realm and the account realm sharing a trust policy in a federation;
  
  sending a security token service challenge to an account security token service module of the account realm through the Web-based client, responsive to receiving the resource challenge;
  
  verifying an account security token received from the account security token service module through the Web-based client, responsive to the sending of the security token service challenge, the account security token being formatted in accordance with the trust policy in the federation; and
  
  sending a resource security token generated by the resource security token service module through the Web-based client to the resource server to authenticate the user for access to the Web application, responsive to verifying the account security token.
- View Dependent Claims (29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39)
- - 29. The computer program product of claim 28 wherein the account security token has a format that is dependent upon the trust policy in the federation.
  - 30. The computer program product of claim 28 wherein the security token service challenge has a format that is dependent upon the trust policy in the federation.
  - 31. The computer program product of claim 28 wherein content of the account security token is dependent upon the trust policy in the federation.
  - 32. The computer program product of claim 28 wherein content of the security token service challenge is dependent upon the trust policy in the federation.
  - 33. The computer program product of claim 28 wherein the resource challenge has a format that is dependent upon a trust policy in the resource realm.
  - 34. The computer program product of claim 28 wherein the resource security token has a format that is dependent upon a trust policy in the resource realm.
  - 35. The computer program product of claim 28 wherein the account security token is generated responsive to authentication of the user by the account security token service module in the account realm.
  - 36. The computer program product of claim 28 wherein the computer process further comprises:
    - determining a realm in which the user is a member, the realm representing the account realm.
  - 37. The computer program product of claim 28 wherein the computer process further comprises:
    - receiving the resource challenge from the resource server by a redirection through a passive client in the account realm.
  - 38. The computer program product of claim 28 wherein the computer process further comprises:
    - redirecting the security token service challenge to the account security token service module of the account realm through a passive client in the account realm.
  - 39. The computer program product of claim 28 wherein the computer process further comprises:
    - receiving the account security token from the account security token service module by a redirection through a passive client in the account realm.

40. A computer program product encoding a computer program for executing on a computer system a computer process, the computer process comprising:
- receiving a resource security token generated by a resource security token service module of a resource realm, responsive to verification by the resource security token service module of an account security token received from an account realm, wherein the resource realm and the account realm share a trust policy in a federation; and
  
  authenticating a user of the account realm for access to a Web application provided by a resource server of the resource realm, based on the resource security token.
- View Dependent Claims (41, 42, 43, 44, 45, 46, 47, 48)
- - 41. The computer program product of claim 40 wherein the account security token has a format that is dependent upon the trust policy in the federation.
  - 42. The computer program product of claim 40 wherein content of the account security token is dependent upon the trust policy in the federation.
  - 43. The computer program product of claim 40 wherein the computer process further comprises:
    - sending a resource challenge to the resource security token service module in the resource realm, responsive to a request from the user for access to a Web application.
  - 44. The computer program product of claim 40 wherein the computer process further comprises:
    - sending a resource challenge to the resource security token service module in the resource realm, responsive to a request from the user for access to a Web application, wherein the resource challenge has a format that is dependent upon a trust policy in the resource realm.
  - 45. The computer program product of claim 40 wherein the resource security token has a format that is dependent upon a trust policy in the resource realm.
  - 46. The computer program product of claim 40 wherein the resource security token is generated responsive to authentication of the user by the resource security token service module in the resource realm.
  - 47. The computer program product of claim 40 wherein the computer process further comprises:
    - receiving the resource security token from the resource security token service by a redirection through a passive client in the account realm.
  - 48. The computer program product of claim 40 wherein the computer process further comprises:
    - redirecting a resource challenge to the resource security token service module of the account realm through a passive client in the account realm.

49. A computer program product encoding a computer program for executing on a computer system a computer process, the computer process comprising:
- receiving a security token service challenge of an account realm from a security token service module of a resource realm through a Web-based client of an account realm, the security token service challenge being generated responsive to a request by a user for access to a Web application provided by a resource server of the resource realm, the resource realm and the account realm sharing a trust policy in a federation; and
  
  sending an account security token to the resource security token service module of the resource realm through the Web-based client, responsive to receiving the security token service challenge, to authenticate the user for access to the Web application.
- View Dependent Claims (50, 51, 52, 53, 54)
- - 50. The computer program product of claim 49 wherein the account security token has a format that is dependent upon the trust policy in the federation.
  - 51. The computer program product of claim 49 wherein content of the account security token is dependent upon the trust policy in the federation.
  - 52. The computer program product of claim 49 wherein the account security token is generated responsive to authentication of the user by the account security token service module in the account realm.
  - 53. The computer program product of claim 49 wherein the computer process further comprises:
    - receiving the resource challenge from the resource security token service by a redirection through a passive client in the account realm.
  - 54. The computer program product of claim 49 wherein the computer process further comprises:
    - redirecting an account security token to the resource security token service module of the resource realm through a passive client in the account realm.

55. A system comprising:
- a Web-based client in an account realm to generate a request for access to a Web application provided by a resource server of a resource realm, wherein the account realm and the resource realm share a trust policy in a federation;
  
  the resource server to send a resource challenge through the Web-based client to a resource security token service module of the resource realm, the resource challenge being generated by the resource server responsive to the request, the request being received through the Web-based client from a user of the account realm;
  
  the resource security token service module to generate a security token service challenge, responsive to receipt of the resource challenge;
  
  an account security token service module of the account realm to receive the security token service challenge from the resource security token service through the Web-based client and to generate an account security token in accordance with the trust policy in the federation;
  
  the resource security token service module to verify the account security token received from the account security token service of the account realm through the Web-based client and to generate a resource security token;
  
  the resource server to verify the resource security token generated by the resource security token service module to authenticate the user for access to the Web application.

56. A system comprising:
- a resource security token service module of a resource realm to receive a resource challenge from a resource server through a Web-based client, wherein the resource challenge is generated responsive to a request by a user for access to a Web application provided by the resource server of the resource realm and the resource realm and the account realm share a trust policy in a federation; and
  
  the resource security token server module to send a resource security token to an account security token service module of the account realm through the Web-based client, responsive to receiving the resource challenge, in order to authenticate the user for access to the Web application.

57. A system comprising:
- a resource server to receive a resource security token generated by a resource security token service module of a resource realm, responsive to verification by the resource security token service module of an account security token received from an account realm, wherein the resource realm and the account realm share a trust policy in a federation; and
  
  the resource server to authenticate a user of the account realm for access to a Web application provided by a resource server of the resource realm, based on the resource security token.

58. A system comprising:
- an account security token service module of an account realm to receive a security token service challenge of an account realm from a security token service module of a resource realm through a Web-based client, wherein the security token service challenge is generated responsive to a request by a user for access to a Web application provided by a resource server of the resource realm and the resource realm and the account realm share a trust policy in a federation; and
  
  the account security token service module to send an account security token to the resource security token service module of the resource realm through the Web-based client, responsive to receiving the security token service challenge, to authenticate the user for access to the Web application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Johnson, Ryan D., Dusche, Michael S., Tevosyan, John Kahren, Rouskov, Yordan, Gray, Josh Thomas, Hur, Matthew, Spelman, Jeffrey F., Dixon, Brendan W.

Granted Patent

US 8,108,920 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

G06F 21/33   using certificates

H04L 63/0428   wherein the data content is...

H04L 63/0815   providing single-sign-on or...

H04L 63/083   using passwords cryptograph...

Passive client single sign-on for Web applications

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

222 Citations

58 Claims

Specification

Solutions

Use Cases

Quick Links

Passive client single sign-on for Web applications

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

222 Citations

58 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links