System and method of providing credentials in a network

US 20050198501A1
Filed: 03/02/2004
Published: 09/08/2005
Est. Priority Date: 03/02/2004
Status: Active Grant

First Claim

Patent Images

1. A method for authentication in a network, the method comprising:

creating a credential string which is derived from a session ID;

sending a UserID associated with the session ID and the credential string to a software application;

receiving a confirmation request which includes the credential string; and

sending a response in reply to the confirmation request to validate the credential string to authenticate the UserID.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system is provided to provide single sign on (SSO) functionality in a network that avoids storing a user'"'"'s credentials in persistent storage. A session may be initiated with a portal which sends a session ID derivative as a credential string instead of a user'"'"'s password to a target application. When the target application attempts to authenticate the user, by sending a request to a LDAP directory, the request is intercepted by a LDAP proxy that instead validates the UserID with the LDAP directory and the password is validated by a credential validator component which verifies with the portal that the credential string presented as the user password has been produced from the active session ID. In an embodiment, the credential string validator validates each short-living credential only once and upon detecting a second validation request for the same string, initiates a security breech process. A target application proxy may also be employed to terminate all sessions with the UserID when duplicate session requests occur.

Citations

22 Claims

1. A method for authentication in a network, the method comprising:
- creating a credential string which is derived from a session ID;
  
  sending a UserID associated with the session ID and the credential string to a software application;
  
  receiving a confirmation request which includes the credential string; and
  
  sending a response in reply to the confirmation request to validate the credential string to authenticate the UserID.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising the step of maintaining a password at a portal and not sending the password to authenticate the UserID.
  - 3. The method of claim 2, wherein the credential string is an encrypted hash of the session ID.
  - 4. The method of claim 1, further comprising the steps of:
    - performing a lightweight directory access protocol (LDAP) lookup using the UserID; and
      
      if the LDAP lookup confirms the UserID and the response validates the credential string, returning a successful authentication reply to the software application for establishing a session associated with the session ID, otherwise sending an unsuccessful authentication reply to the software application.
  - 5. The method of claim 1, wherein the sending of a UserID and the credential string avoids at least one of sending a user'"'"'s password outside of a portal server and storing the password in persistent memory.
  - 6. The method of claim 1, further comprising the steps of:
    - sending the UserID associated with the session ID and the credential string to a software application proxy;
      
      checking whether the session ID and credential string has been previously received within a predetermined time period; and
      
      if affirmative, initiating a security breach procedure.
  - 7. The method of claim 6, wherein the security breach procedure causes the termination of any session associated with the UserID.
  - 8. The method of claim 1, wherein the receiving step and sending a response step is performed by an authentication proxy.

9. A method for authenticating a user request for a software application, the method comprising:
- receiving a UserID and credential string at an authentication proxy server;
  
  sending a confirmation request from the authentication proxy to a portal, the confirmation request includes the credential string;
  
  receiving a response at the authentication proxy for the confirmation request; and
  
  validating the UserID using a light weight directory access protocol (LDAP) lookup request and the response.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The method of claim 9, further comprising providing a confirmation to the software application if the response is affirmative and the UserID is authenticated by the LDAP lookup.
  - 11. The method of claim 9, further comprising creating the credential string from a session ID at the portal.
  - 12. The method of claim 11, further comprising encrypting the credential string.
  - 13. The method of claim 12, further comprising validating the confirmation request by assuring that the credential string has been received only once for confirmation at the portal, otherwise, if presented more than once, performing at least one of initiating a security breach procedure and notifying a software application proxy.
  - 14. The method of claim 9, further comprising receiving the UserID and a password during a logon to the portal, wherein the UserID is validated in the validating step and the password is maintained at the portal and used to process the confirmation request.

15. A system for authenticating a session, comprising:
- an authentication proxy which receives requests to authenticate a UserID and credential string; and
  
  a credential string validation component which receives requests to validate the credential string, wherein the credential string validation component checks whether the credential string has been previously received for validation within a predetermined time period.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The system of claim 15, wherein the authentication proxy performs lightweight directory access protocol (LDAP) lookups using the UserID and sends the credential string to the credential string validation component and receives a validation reply.
  - 17. The system of claim 16, wherein the authentication proxy sends an affirmative authentication reply to a software application when both the LDAP lookup is successful and the validation reply indicates a valid credential string.
  - 18. The system of claim 17, wherein the authentication proxy receives the UserID and credential string from a software application.
  - 19. The system of claim 15, further comprising a software application proxy which receives the UserID and credential string and detects whether the UserID and credential string has been previously received within a predetermined time period.
  - 20. The system of claim 19, further comprising a portal to create and encrypt the credential string by hashing a session ID, the portal sends the credential string and the UserID to the software application proxy, and does not send a password associated with the UserID.
  - 21. The system of claim 15, further comprising:
    - a portal for accepting a logon by a user and for creating the credential string from an associated session ID;
      
      a lightweight directory access protocol (LDAP) directory for authenticating UserIDs and which is accessible by the authentication proxy; and
      
      a software application proxy for intercepting the UserID and credential string sent by the portal for monitoring duplicate occurrences of the UserID and credential string.

22. A computer program product comprising a computer usable medium having readable program code embodied in the medium, the computer program product including at least one program code to:
- create a credential string which is derived from a session ID;
  
  send a UserID associated with the session ID and the credential string to a software application;
  
  receive a confirmation request which includes the credential string; and
  
  send a response in reply to the confirmation request to validate the credential string to authenticate the UserID.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Vishnevsky, Boris, Andreev, Dmitry, Vilshansky, Gregory

Granted Patent

US 8,364,957 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/168
CPC Class Codes

H04L 61/4523   using lightweight directory...

H04L 63/0815   providing single-sign-on or...

H04L 63/0846   using time-dependent-passwo...

System and method of providing credentials in a network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

System and method of providing credentials in a network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links