Method and apparatus for end-to-end identity propagation

US 20070199056A1
Filed: 04/24/2007
Published: 08/23/2007
Est. Priority Date: 08/05/2003
Status: Active Grant

First Claim

Patent Images

1. A method for end-to-end identity propagation to a backend-tier application that is not single sign-on enabled, comprising:

receiving a request from a user at a middle-tier application to access private data from the backend-tier application;

redirecting the user to a single sign-on server;

receiving a token from the single sign-on server, wherein the token is used to verify the user'"'"'s identity;

presenting the token to the backend-tier application to prove that the middle-tier is authorized to act on behalf of the user;

accessing the private data from the backend-tier application; and

providing the private data to the user.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One embodiment of the present invention provides a system that facilitates end-to-end identity propagation to a backend-tier application that is not single sign-on enabled. During operation, the system receives request from a user at a middle-tier application to access private data from the backend-tier application. Upon receiving this request, the system redirects the user to a single sign-on server that verifies authentication credentials of the user. The middle-tier application then receives a token from the single sign-on server authorizing access to a backend-tier application. Next, the middle-tier application uses the token to access the private data from the backend-tier application, and then provides the private data to the user.

24 Citations

View as Search Results

24 Claims

1. A method for end-to-end identity propagation to a backend-tier application that is not single sign-on enabled, comprising:
- receiving a request from a user at a middle-tier application to access private data from the backend-tier application;
  
  redirecting the user to a single sign-on server;
  
  receiving a token from the single sign-on server, wherein the token is used to verify the user'"'"'s identity;
  
  presenting the token to the backend-tier application to prove that the middle-tier is authorized to act on behalf of the user;
  
  accessing the private data from the backend-tier application; and
  
  providing the private data to the user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the token includes the authentication credential of the user, and wherein the token is recognized as valid by a backend-tier application.
  - 3. The method of claim 2, wherein the backend-tier application can use the token to access applications in an additional tier of applications.
  - 4. The method of claim 1, wherein the token includes a security certificate, and wherein the security certificate is recognized as valid by a single sign-on enabled database application.
  - 5. The method of claim 4, wherein the single sign-on enabled database application can use the token to access applications in an additional tier of applications.
  - 6. The method of claim 1, wherein the token includes a user-name and a password that can be used by the middle-tier application to access a third-party service.
  - 7. The method of claim 6, wherein the token includes a standards based extensible markup language (XML) formatted token recognized by the third party service which complies with web standards.
  - 8. The method of claim 7, wherein the third-party service includes a web-based application.

9. A storage device storing instructions that when executed by a computer cause the computer to perform a method for end-to-end identity propagation to a backend-tier application that is not single sign-on enabled, wherein the storage device does not include computer instruction signals embodied in a transmission medium, the method comprising:
- receiving a request from a user at a middle-tier application to access private data from the backend-tier application;
  
  redirecting the user to a single sign-on server;
  
  receiving a token from the single sign-on server, wherein the token is used to verify the user'"'"'s identity;
  
  presenting the token to the backend-tier application to prove that the middle-tier is authorized to act on behalf of the user;
  
  accessing the private data from the backend-tier application; and
  
  providing the private data to the user.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The storage device of claim 9, wherein the token includes the authentication credential of the user, and wherein the token is recognized as valid by a backend-tier application.
  - 11. The storage device of claim 10, wherein the backend-tier application can use the token to access applications in an additional tier of applications.
  - 12. The storage device of claim 9, wherein the token includes a security certificate, and wherein the security certificate is recognized as valid by a single sign-on enabled database application.
  - 13. The storage device of claim 12, wherein the single sign-on enabled database application can use the token to access applications in an additional tier of applications.
  - 14. The storage device of claim 9, wherein the token includes a user-name and a password that can be used by the middle-tier application to access a third-party service.
  - 15. The storage computer readable storage device of claim 14, wherein the token includes a standards based extensible markup language (XML) formatted token recognized by the third party service which complies with web standards.
  - 16. The storage device of claim 15, wherein the third-party service includes a web-based application.

17. An apparatus for end-to-end identity propagation to a backend-tier application that is not single sign-on enabled, comprising:
- a receiving mechanism configured to receive a request from a user at a middle-tier application to access private data from the backend-tier application;
  
  a redirecting mechanism configured to redirect the user to a single sign-on server;
  
  wherein the receiving mechanism is further configured to receive a token from the single sign-on server, wherein the token is used to verify the user'"'"'s identity;
  
  an access mechanism configured to present the token to the backend-tier application to prove that the middle-tier is authorized to act on behalf of the user and to access the private data from the backend-tier application; and
  
  a providing mechanism configured to provide the private data to the user.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The apparatus of claim 17, wherein the token includes the authentication credential of the user, and wherein the token is recognized as valid by a backend-tier application.
  - 19. The apparatus of claim 18, wherein the backend-tier application can use the token to access applications in an additional tier of applications.
  - 20. The apparatus of claim 17, wherein the token includes a security certificate, and wherein the security certificate is recognized as valid by a single sign-on enabled database application.
  - 21. The apparatus of claim 20, wherein the single sign-on enabled database application can use the token to access applications in an additional tier of applications.
  - 22. The apparatus of claim 17, wherein the token includes a user-name and a password that can be used by the middle-tier application to access a third-party service.
  - 23. The apparatus of claim 22, wherein the token includes a standards based extensible markup language (XML) formatted token recognized by the third party service which complies with web standards.
  - 24. The apparatus of claim 23, wherein the third-party service includes a web-based application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Arun Swaminathan, Gaurav Bhatia
Original Assignee
Arun Swaminathan, Gaurav Bhatia
Inventors
Bhatia, Gaurav, Swaminathan, Arun

Granted Patent

US 7,913,298 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/8
CPC Class Codes

G06F 21/33   using certificates

G06F 21/335   for accessing specific reso...

G06F 21/41   where a single sign-on prov...

H04L 63/0815   providing single-sign-on or...

Method and apparatus for end-to-end identity propagation

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

24 Citations

24 Claims

Specification

Use Cases

Quick Links

Others

Method and apparatus for end-to-end identity propagation

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

24 Citations

24 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others