System, method and program for user authentication, and recording medium on which the program is recorded

US 20070199059A1
Filed: 02/14/2005
Published: 08/23/2007
Est. Priority Date: 03/30/2004
Status: Active Grant

First Claim

Patent Images

1-24. -24. (canceled)

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Method and system for user authentication in a federated computing environment. The method includes a first method for recording server authentication information, including: establishing a trusting relationship between a first and second server, obtaining an authentication policy of the second server, and registering the authentication policy of the second server within the first server. The method includes a second method for registering new user authentication information of a new user, including: verifying that the new user authentication information conforms to an authentication policy of the first server, and registering the new user authentication information in the first server. The method includes a third method for authenticating a user, including: receiving an access request from the user to access the federated computing environment, receiving notification based on input authentication information that the user has been authorized for the requested access, and permitting the user to access the federated computing environment.

57 Citations

View as Search Results

49 Claims

1-24. -24. (canceled)

25. A method for recording server authentication information, comprising:
- establishing, by a first server of a plurality of servers in a federated computing environment, a trusting relationship between the first server and a second server of the plurality of servers;
  
  after said establishing the trusting relationship, obtaining by the first server an authentication policy of the second server, wherein an authentication policy for each server of the plurality of servers is defined as at least one rule of each server for authenticating users of the federated computing environment; and
  
  after said obtaining the authentication policy of the second server, registering by the first server the authentication policy of the second server within the first server.
- View Dependent Claims (26, 27, 28, 29, 30, 31)
- - 26. The method of claim 25, wherein said establishing the trusting relationship comprises exchanging, by the first server, an electronic certificate of the first server with an electronic certificate of the second server in accordance with a Public Key Infrastructure (PKI) method.
  - 27. The method of claim 25, wherein said obtaining the authentication policy of the second server comprises accessing the authentication policy of the second server from a profile table prepared by an administrator of the second server.
  - 28. The method of claim 25, wherein the at least one rule includes a number of alphabetic characters of a user identification (ID), a number of numeric characters of the user ID, a data size for fingerprint authentication, a data size for voice print authentication, and combinations thereof.
  - 29. The method of claim 25, wherein said registering the authentication policy of the second server comprises registering the authentication policy of the second server in an authentication policy table of the first server, wherein the authentication policy table of the first server comprises an authentication policy of each server of the plurality of servers registered therein.
  - 30. The method of claim 29, wherein the authentication policy table of the first server further comprises:
    - a server address of each server registered therein; and
      
      a relative priority of each server of a group of servers having a same authentication policy in the authentication policy table=
  - 31. The method of claim 29, wherein the authentication policy of the second server is identical to an authentication policy of the first server, wherein a first common identifier (ID) exists in an authentication information Lightweight Directory Access Protocol (LDAP) of the first server and in an authentication information LDAP of the second server, wherein the first common user ID is used by a first user in the first server and by a second user in the second server such that the second user differs from the first user, and wherein the method further comprises:
    - after said registering the authentication policy of the second server, registering by the first server the first common user ID in a exceptional ID table of the first server, wherein the exceptional ID table of the first server stores common user IDs and an indication of one or more servers associated with each common user ID stored in the exceptional ID table of the first server.

34. A method for registering new user authentication information of a new user, comprising:
- accepting, by a first server of a plurality of servers in a federated computing environment, the new user authentication information, wherein the new user authentication information does not exist in an authentication information Lightweight Directory Access Protocol (LDAP) of the first server for the new user;
  
  after said accepting, verifying by the first server that the new user authentication information conforms to an authentication policy of the first server, wherein an authentication policy for each server of the plurality of servers is defined as at least one rule of each server for authenticating users of the federated computing environment; and
  
  after said verifying, registering by the first server the new user authentication information in the authentication information LDAP of the first server.
- View Dependent Claims (35, 36, 37, 38, 39, 40, 41)
- - 35. The method of claim 34, wherein said verifying comprises using a profile table prepared by an administrator of the first server, wherein the profile table describes the authentication policy of the first server.
  - 36. The method of claim 34, wherein after said verifying and before said registering the new user authentication information, the method further comprises:
    - identifying, by the first server, a second server of the plurality of servers such that an authentication policy of the second server is identical with the authentication policy of the first server, wherein a first common identifier (ID) exists in an authentication information Lightweight Directory Access Protocol (LDAP) of the first server and in an authentication information LDAP of the second server, and wherein the first common user ID is used by a first user in the first server and by a second user in the second server such that the second user differs from the first user; and
      
      after said identifying the second server, registering by the first server the first common user ID in a exceptional ID table of the first server, wherein the exceptional ID table of the first server stores common user IDs and an indication of one or more servers associated with each common user ID stored in the exceptional ID table of the first server.
  - 37. The method of claim 36, wherein said identifying comprises using an authentication policy table of the first server to identify the second server, wherein the authentication policy table of the first server comprises an authentication policy of each server of the plurality of servers registered therein.
  - 38. The method of claim 37, wherein the authentication policy table of the first server further comprises a server address of each server registered therein.
  - 39. The method of claim 37, wherein the authentication policy table of the first server further comprises a relative priority of each server of a group of servers having a same authentication policy in the authentication policy table.
  - 40. A system comprising a computing system adapted to perform the method of claim 34 via execution of a computer program on a processor of the first server, wherein the computer program is stored on a computer readable storage medium of the first server, and wherein the computing system comprises the federated computing environment.
  - 41. A computer readable storage medium comprising a computer program adapted to perform the method of claim 34 by being executed on a processor of the first server.

42. A method for authenticating a user, comprising:
- receiving, by a first server of a plurality of servers in a federated computing environment, an access request from the user to access the federated computing environment, wherein the first server comprises an authentication policy table, wherein the authentication policy table of the first server comprises an authentication policy of each server of the plurality of servers registered therein, and wherein an authentication policy for each server of the plurality of servers is defined as at least one rule of each server for authenticating users of the federated computing environment;
  
  after said receiving the access request, receiving by the first server input authentication information from the user;
  
  obtaining, by the first server, a server address of a second server having an authentication policy that matches an authentication policy of the first server;
  
  transmitting, by the first server to the second server via the server address of a second server, the input authentication information;
  
  after said transmitting the input authentication information to the second server, receiving by the first server from the second server a notification that the second server has successfully authorized the user; and
  
  after said receiving the notification that the second server has successfully authorized the user, permitting the user to access the federated computing environment, wherein said permitting is performed by the first server.
- View Dependent Claims (43, 44, 45, 46, 47, 48, 49)
- - 43. The method of claim 42, wherein at least one additional server has an authentication policy that matches an authentication policy of the first server, wherein said obtaining the server address of the second server comprises selecting the second server rather than selecting any server of the at least one additional server because a relative priority of the second server in the authentication policy table of the first server is a higher relative priority than is a relative priority of each server of at least one additional server in the authentication policy table of the first server.
  - 44. The method of claim 42, wherein before said transmitting the input authentication information to the second server, the method further comprises:
    - determining, by the first server, that a user identification (ID) of the user is not in an exceptional ID table of the first server, wherein the exceptional ID table of the first server stores common user IDs and an indication of one or more servers associated with each common user ID stored in the exceptional ID table of the first server.
  - 45. The method of claim 42, wherein after said transmitting the input authentication information to the second server and before said permitting the user to access the federated computing environment, the method further comprises:
    - receiving by the first server from the second server a token that may be used by the user to access the federated computing environment; and
      
      sending, by the first server, the token to the user.
  - 46. The method of claim 45, wherein the token is a credential and a cookie.
  - 47. The method of claim 45, wherein the token is a Security Assertion Markup Language (SAML) token.
  - 48. A system comprising a computing system adapted to perform the method of claim 42 via execution of a computer program on a processor of the first server, wherein the computer program is stored on a computer readable storage medium of the first server, and wherein the computing system comprises the federated computing environment.
  - 49. A computer readable storage medium comprising a computer program adapted to perform the method of claim 42 by being executed on a processor of the first server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AirBNB Incorporated
Original Assignee
International Business Machines Corporation
Inventors
Takehi, Masahiro

Granted Patent

US 7,712,129 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/10
CPC Class Codes

G06F 21/31   User authentication

H04L 63/08   for authentication of entit...

H04L 63/0815   providing single-sign-on or...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

H04L 63/205   involving negotiation or de...

System, method and program for user authentication, and recording medium on which the program is recorded

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

57 Citations

49 Claims

Specification

Solutions

Use Cases

Quick Links

System, method and program for user authentication, and recording medium on which the program is recorded

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

57 Citations

49 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links