FEDERATED AUTHENTICATION SERVICE
First Claim
1. A system for authenticating a subject residing in a subject domain on a network to a server application residing in a server domain on the network, wherein an authentication mechanism residing in an authentication domain on the network affects the service provided by the server application, the system comprising:
- a client for communicating with other components of the system and for authenticating the subject to other components of the system by providing client credentials on behalf of the subject, wherein said client also resides in the subject domain, wherein the subject is selected from humans, client applications and applets; and
a protocol proxy for communicating between said client and the authentication mechanism and for authenticating said client based on said client credentials, for obtaining from the authentication mechanism temporary credentials for said client to access the server application, and for creating from said temporary credentials an authentication name assertion allowing said client to access the server application.
3 Assignments
0 Petitions
Accused Products
Abstract
A federated authentication service technology (10) for authenticating a subject (20) residing in a subject domain (12) on a network to a server application (38) residing in a server domain (18), wherein an authentication mechanism (32) residing in an authentication domain (16) affects the service provided by the server application (38). A client (22), which may be integrated non-human instances of the subject (20), authenticates the subject (20) and a protocol proxy (34) mediates with the authentication mechanism (32) to obtain a name assertion which the client can use to access the server application (38). When multiple authentication mechanisms (32) are available, an optional agent (24), mechanism resolution process (26) and mechanism repository (28), all residing in an agent domain (14), may be used to resolve to one suitable authentication mechanism (32).
62 Citations
18 Claims
-
1. A system for authenticating a subject residing in a subject domain on a network to a server application residing in a server domain on the network, wherein an authentication mechanism residing in an authentication domain on the network affects the service provided by the server application, the system comprising:
-
a client for communicating with other components of the system and for authenticating the subject to other components of the system by providing client credentials on behalf of the subject, wherein said client also resides in the subject domain, wherein the subject is selected from humans, client applications and applets; and
a protocol proxy for communicating between said client and the authentication mechanism and for authenticating said client based on said client credentials, for obtaining from the authentication mechanism temporary credentials for said client to access the server application, and for creating from said temporary credentials an authentication name assertion allowing said client to access the server application. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
-
-
10. A method for authenticating a subject residing in a subject domain on a network to a server application residing in a server domain on the network, wherein an authentication mechanism residing in an authentication domain on the network affects the service provided by the server application, the method comprising the steps:
-
(a) authenticating the subject to a protocol proxy with a client by providing subject credentials on behalf of the subject, wherein the subject is selected from humans, client applications and applets;
(b) obtaining a name assertion from said protocol proxy via the authentication mechanism which will allow said client to access the server application, thereby mediating between said protocol proxy and the authentication mechanism to permit the subject to access the server application via said client;
(c) creating an authentication name assertion with said protocol proxy based on said subject credentials which will allow said client to access the server application;
(d) communicating said authentication name assertion to said client; and
(e) communicating said authentication name assertion to the server application. - View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
-
Specification