FEDERATED AUTHENTICATION SERVICE

US 20060075473A1
Filed: 10/24/2005
Published: 04/06/2006
Est. Priority Date: 04/07/2001
Status: Active Grant

First Claim

Patent Images

1. A system for authenticating a subject residing in a subject domain on a network to a server application residing in a server domain on the network, wherein an authentication mechanism residing in an authentication domain on the network affects the service provided by the server application, the system comprising:

a client for communicating with other components of the system and for authenticating the subject to other components of the system by providing client credentials on behalf of the subject, wherein said client also resides in the subject domain, wherein the subject is selected from humans, client applications and applets; and

a protocol proxy for communicating between said client and the authentication mechanism and for authenticating said client based on said client credentials, for obtaining from the authentication mechanism temporary credentials for said client to access the server application, and for creating from said temporary credentials an authentication name assertion allowing said client to access the server application.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A federated authentication service technology (10) for authenticating a subject (20) residing in a subject domain (12) on a network to a server application (38) residing in a server domain (18), wherein an authentication mechanism (32) residing in an authentication domain (16) affects the service provided by the server application (38). A client (22), which may be integrated non-human instances of the subject (20), authenticates the subject (20) and a protocol proxy (34) mediates with the authentication mechanism (32) to obtain a name assertion which the client can use to access the server application (38). When multiple authentication mechanisms (32) are available, an optional agent (24), mechanism resolution process (26) and mechanism repository (28), all residing in an agent domain (14), may be used to resolve to one suitable authentication mechanism (32).

62 Citations

View as Search Results

18 Claims

1. A system for authenticating a subject residing in a subject domain on a network to a server application residing in a server domain on the network, wherein an authentication mechanism residing in an authentication domain on the network affects the service provided by the server application, the system comprising:
- a client for communicating with other components of the system and for authenticating the subject to other components of the system by providing client credentials on behalf of the subject, wherein said client also resides in the subject domain, wherein the subject is selected from humans, client applications and applets; and
  
  a protocol proxy for communicating between said client and the authentication mechanism and for authenticating said client based on said client credentials, for obtaining from the authentication mechanism temporary credentials for said client to access the server application, and for creating from said temporary credentials an authentication name assertion allowing said client to access the server application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1, wherein said protocol proxy resides in the authentication domain on the network.
  - 3. The system of claim 1, wherein said protocol proxy uses a standard security protocol to communicate with said client and a mechanism-specific protocol to communicate with the authentication mechanism.
  - 4. The system of claim 1, wherein at least one of said client and said protocol proxy authenticates using SRP protocol.
  - 5. The system of claim 1, wherein said protocol proxy produces a signed name assertion.
  - 6. The system of claim 5, wherein said signed name assertion is contained in a S2ML document.
  - 7. The system of claim 5, wherein said protocol proxy further produces a signed name entitlement.
  - 8. The system of claim 1, wherein said protocol proxy uses a proxy name assertion to authenticate itself to the client.
  - 9. The system of claim 1, further comprising an adapter for receiving said authentication name assertion, recreating said credentials, and permitting said client to access the server application based on said credentials.

10. A method for authenticating a subject residing in a subject domain on a network to a server application residing in a server domain on the network, wherein an authentication mechanism residing in an authentication domain on the network affects the service provided by the server application, the method comprising the steps:
- (a) authenticating the subject to a protocol proxy with a client by providing subject credentials on behalf of the subject, wherein the subject is selected from humans, client applications and applets;
  
  (b) obtaining a name assertion from said protocol proxy via the authentication mechanism which will allow said client to access the server application, thereby mediating between said protocol proxy and the authentication mechanism to permit the subject to access the server application via said client;
  
  (c) creating an authentication name assertion with said protocol proxy based on said subject credentials which will allow said client to access the server application;
  
  (d) communicating said authentication name assertion to said client; and
  
  (e) communicating said authentication name assertion to the server application.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The method of claim 10, wherein said protocol proxy resides in the authentication domain on the network.
  - 12. The method of claim 10, wherein said protocol proxy uses a standard security protocol to communicate with said client and a mechanism-specific protocol to communicate with the authentication mechanism.
  - 13. The method of claim 10, wherein at least one of said client and said protocol proxy authenticates using SRP protocol.
  - 14. The method of claim 10, wherein said protocol proxy produces a signed name assertion.
  - 15. The method of claim 14, wherein said signed name assertion is contained in a S2ML document.
  - 16. The method of claim 14, wherein said protocol proxy further produces a signed name entitlement.
  - 17. The method of claim 10, wherein said protocol proxy uses a proxy name assertion to authenticate itself to the client.
  - 18. The method of claim 10, further comprising an adapter, and the method further comprising:
    - receiving said authentication name assertion with said adapter;
      
      recreating said credentials with said adapter; and
      
      permitting said client to access the server application based on said credentials.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Proofpoint Incorporated
Original Assignee
Secure Data In Motion, Inc. (Proofpoint Incorporated)
Inventors
Olkin, Terry M., Moreh, Jahanshah, Bruns, Logan O'Sullivan, Perrin, Trevor S.

Granted Patent

US 7,194,547 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/5
CPC Class Codes

H04L 63/0281   Proxies

H04L 63/0815   providing single-sign-on or...

H04L 63/0884   by delegation of authentica...

H04L 63/205   involving negotiation or de...

FEDERATED AUTHENTICATION SERVICE

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

62 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

FEDERATED AUTHENTICATION SERVICE

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

62 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links