Trusted third party authentication for web services
Abstract
The present invention extends to trusted third party authentication for Web services. Web services trust and delegate user authentication responsibility to a trusted third party that acts as an identity provider for the trusting Web services. The trusted third party authenticates users through common authentication mechanisms, such as, for example, username/password and X.509 certificates and uses initial user authentication to bootstrap subsequent secure sessions with Web services. Web services construct user identity context using a service session token issued by the trusted third party and reconstruct security states without having to use a service-side distributed cache.
20 Claims
1. At a computer system, a method of authenticating a Web services component, the method comprising:
an act of sending an authentication request to an authentication service;
an act of receiving an authentication response from the authentication service, the authentication response including two instances of a first symmetric session key for securing communication between the Web services component and an access granting service, the first instance of the first symmetric session key secured for delivery to the Web services client and included in a first proof token, the second instance of the first symmetric session key encrypted with a secret symmetric key of the security token service and included in a token granting token;
an act of sending an access request for access to a Web service to the access granting service, the access request including the token granting token; and
an act of receiving an access granting response from the access granting service, the access granting response including two instances of a second symmetric session key for securing communication between the Web services component and the Web service, the first instance of the second symmetric session key being encrypted with the first symmetric session key and included in a second proof token, the second instance of the second symmetric session key being encrypted with a public key from a public/private key pair corresponding to the Web service and included in a service token.
Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. At a computer system including a security token service, a method of authenticating a Web services component, the method comprising:
an act of receiving an authentication request from a Web services component;
an act of validating authentication data contained in the authentication request;
an act of sending an authentication response to the Web services client, the authentication response including two instances of a symmetric session key for securing communication between the Web services component and an access granting service, the first instance of the symmetric session key secured for delivery to the Web services component and included in a first proof token, the second instance of the symmetric session key encrypted with a secret symmetric key of the security token service and included in a token granting token; and
an act of receiving an access request for access to a Web service from the Web services component, the access request including the token granting token;
an act of verifying that the Web service component has an authenticated session to the security token service based on the contents of the token granting token; and
an act of sending an access granting response to the Web service component, the access granting response including two instances of a second symmetric session key for securing communication between the Web services component and the Web service, the first instance of the second symmetric session key being encrypted with the first symmetric session key and included in a second proof token, the second instance of the second symmetric session key being encrypted with a public key from a public/private key pair corresponding to the Web service and included in a service token.
Dependent claims: 10, 11, 12, 13.
14. At a computer system including a Web service, a method of granting access to the Web service, the method comprising:
an act of receiving a security token request from a Web service component, the request including a service token that was issued from a security token service, the service token including identity information for the Web service component and an encrypted symmetric session key for securing communication between the Web services client and the Web service, the encrypted symmetric session key being encrypted using the public key from a public/private key pair corresponding to the Web service;
an act of decrypting the encrypted symmetric session key with the private key from the public/private key pair;
an act of authorizing the Web service component to access the Web service based on the contents of the service token;
an act of generating a master symmetric session key for securing communication between the Web services client and the Web service;
an act of encrypting the master symmetric session key using the symmetric session key to generate an encrypted master symmetric session key;
an act of including the encrypted master symmetric session key along with a security context token in a security token response; and
an act of sending the security token response to the Web services component such that communication between the Web services component and the Web service can be secured using derived symmetric session keys derived from the master symmetric session key.
Dependent claims: 15, 16, 17, 18, 19, 20.
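The three claims above describe one Kerberos-style exchange: the security token service hands out K1 twice (plain for the client, sealed under its own secret in the token granting token), the access granting service hands out K2 twice (under K1 for the client, under the Web service's public key in the service token), and the Web service finally returns a master key under K2 from which both ends derive working keys. The Go program below is an added example written for this page; it is not code from the patent or from any product. Everything concrete in it is an assumption the claims do not make: AES-256-GCM for every symmetric "encrypted" value, RSA-OAEP for the public-key step, HMAC-SHA256 for the derived keys, the client identity being carried inside the token granting token so the access granting service can bind the session to a user, and the constructed identity `component-42@example.invalid`. It shows the property a reviewer of such a design wants to see: the Web service never learns K1 or the STS secret, each service proves a prior step only by opening a token with a key it alone holds, and an altered token fails rather than decrypting to garbage.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// randBytes returns n cryptographically random bytes (session keys, nonces).
func randBytes(n int) []byte {
	b := make([]byte, n)
	rand.Read(b) // crypto/rand.Read never returns an error in current Go releases
	return b
}

// gcmFor builds AES-256-GCM for a 32-byte key. The claims only say "encrypted"; an AEAD is assumed so a modified token is rejected rather than decrypted.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

// seal encrypts plaintext under key, prefixing the random nonce.
func seal(key, plaintext []byte) []byte {
	g := gcmFor(key)
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; it fails on a wrong key or a tampered token.
func open(key, sealed []byte) ([]byte, error) {
	g := gcmFor(key)
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("token too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], nil)
}

// derive makes a per-purpose key from the master session key (claim 14's "derived symmetric session keys"); HMAC-SHA256 over a label is an assumption.
func derive(master []byte, label string) []byte {
	m := hmac.New(sha256.New, master)
	m.Write([]byte(label))
	return m.Sum(nil)
}

// Exchange walks the Web services component ("client"), the security token service (authentication + access granting) and the Web service through claims 1, 9 and 14,
// returning the request key each end derives from the master key; the two must match.
func Exchange() (clientKey, serviceKey []byte, err error) {
	stsSecret := randBytes(32)                         // secret symmetric key of the STS
	svcPriv, err := rsa.GenerateKey(rand.Reader, 2048) // the Web service's key pair
	if err != nil {
		return nil, nil, err
	}
	clientID := []byte("component-42@example.invalid") // constructed identity
	// Claim 9: credentials validated, the STS mints K1 twice: as-is for the client (first proof token) and sealed under its own secret together with the identity (TGT).
	k1 := randBytes(32)
	tgt := seal(stsSecret, append(append([]byte{}, clientID...), k1...))
	// Access request: the access granting service recovers identity and K1 from the TGT, then mints K2 under K1 (second proof token) and under the service's public key.
	tgtPlain, err := open(stsSecret, tgt)
	if err != nil {
		return nil, nil, errors.New("token granting token rejected: " + err.Error())
	}
	if len(tgtPlain) != len(clientID)+32 || !bytes.Equal(tgtPlain[:len(clientID)], clientID) {
		return nil, nil, errors.New("no authenticated session for this component")
	}
	k2 := randBytes(32)
	proofToken2 := seal(tgtPlain[len(clientID):], k2)
	encK2, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &svcPriv.PublicKey, k2, nil)
	if err != nil {
		return nil, nil, err
	}
	serviceToken := struct{ Identity, EncKey []byte }{clientID, encK2}
	// Claim 14: the Web service decrypts K2 with its private key, authorizes the identity in the service token, mints a master key and returns it under K2 beside a context token.
	k2AtService, err := rsa.DecryptOAEP(sha256.New(), nil, svcPriv, serviceToken.EncKey, nil)
	if err != nil {
		return nil, nil, err
	}
	if !bytes.Equal(serviceToken.Identity, clientID) { // stands in for the service's own authorization policy
		return nil, nil, errors.New("component not authorized for this Web service")
	}
	master := randBytes(32)
	resp := struct{ ContextToken, EncMaster []byte }{randBytes(16), seal(k2AtService, master)}
	k2AtClient, err := open(k1, proofToken2) // client side: K1 opens the second proof token
	if err != nil {
		return nil, nil, err
	}
	masterAtClient, err := open(k2AtClient, resp.EncMaster) // and K2 opens the master key
	if err != nil {
		return nil, nil, err
	}
	return derive(masterAtClient, "request"), derive(master, "request"), nil
}
```

The abstract's point about reconstructing security state "without having to use a service-side distributed cache" rests on the same mechanism: every key the next party needs travels inside a token sealed under a key that party already holds, so nothing about the session has to be looked up in shared storage. The checks worth carrying into a real deployment are the ones that fail closed here: the access granting service must refuse a token granting token it cannot open with its own secret, and the Web service must both decrypt the service token and apply its own authorization policy to the identity it carries before issuing a master key.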
Specification