AUTHENTICATED AND COMMUNICATING VERIFIABLE AUTHORIZATION BETWEEN DISPARATE NETWORK DOMAINS

US 20070289004A1
Filed: 08/17/2007
Published: 12/13/2007
Est. Priority Date: 08/28/2002
Status: Active Grant

First Claim

Patent Images

1. A method for a user to access a secure Internet site, the method utilizing user credential data and other user data, the method comprising the steps of:

a first, authentication server checking user credential data according to a first predetermined plan;

said authentication server authorizing said user to access a secure Internet site to transmit a specified transaction thereat if said user credentials permit;

said authentication server creating a digitally signed request comprising said other user data for said authorized user according to said predetermined plan;

transmitting said digitally signed request from the authentication server to a second, vendor server at said secure Internet site and maintaining in a database, an ID for a vendor and specific requirements of the vendor;

the authentication server creating a web page for the vendor using said specific requirements, and sending said web page to the user;

said user adding user information to said web page and sending said web page, with said user information, to the vendor server;

verifying the validity of said digitally signed request including the step of passing said request from the vendor server at the secure Internet site to a third, verification server, separate from the vendor server; and

said verification server determining whether said digitally signed request is valid and thereby determining whether said specified transaction is authorized.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Verifiable authentication credentials are provided to foreign systems without passing an id and password to the protected resource. A user wishing to access a secure remote site is prompted for credentials, the credentials are authenticated locally and a digitally signed token is created. The token is redirected to the secure remote site by the user'"'"'s browser using HTTP redirection. The digitally signature is verified by the secure remote site preferably by a digital signature web service. The remote site establishes communications with the user if the digital signature is valid.

Citations

30 Claims

1. A method for a user to access a secure Internet site, the method utilizing user credential data and other user data, the method comprising the steps of:
- a first, authentication server checking user credential data according to a first predetermined plan;
  
  said authentication server authorizing said user to access a secure Internet site to transmit a specified transaction thereat if said user credentials permit;
  
  said authentication server creating a digitally signed request comprising said other user data for said authorized user according to said predetermined plan;
  
  transmitting said digitally signed request from the authentication server to a second, vendor server at said secure Internet site and maintaining in a database, an ID for a vendor and specific requirements of the vendor;
  
  the authentication server creating a web page for the vendor using said specific requirements, and sending said web page to the user;
  
  said user adding user information to said web page and sending said web page, with said user information, to the vendor server;
  
  verifying the validity of said digitally signed request including the step of passing said request from the vendor server at the secure Internet site to a third, verification server, separate from the vendor server; and
  
  said verification server determining whether said digitally signed request is valid and thereby determining whether said specified transaction is authorized.
- View Dependent Claims (2, 6, 7, 8, 9, 10)
- - 2. The method according to claim 1 wherein said Internet site comprises world wide web pages.
  - 6. A method according to claim 1, wherein said user credential data is user credential data of a first user;
    - and further comprising the step of;
      
      said vendor server establishing a communication session with said first user if said digitally signed request is valid.
  - 7. The method according to claim 6 wherein a given digital signature is used to create said digitally signed request, and said verifying step comprises the further steps of:
    - sending said digital signature to a digital signature verification service at a verification Internet site; and
      
      receiving an indication of the validity of said digital signature from said verification Internet site.
  - 8. The method according to claim 1 wherein said checking user credentials step further comprises the steps of:
    - checking said user credentials against data in a common directory;
      
      creating token message;
      
      creating a redirect URL to the secure Internet site; and
      
      communicating the redirect URL to a user browser.
  - 9. The method according to claim 8 wherein said token message comprises any one of XML data, an expiration field or unique user information.
  - 10. The method according to claim 8 wherein said redirect URL is digitally signed.

3. (canceled)

4. (canceled)

5. (canceled)

11. A system for a user to access a secure Internet site, the system utilizing user credential data and other user data, the system, comprising:
- a first, authorization server checking user credential data according to a first predetermined plan; and
  
  authorizing said user to access a secure Internet site to transact a specified transaction thereat if said user credentials permit;
  
  said authorization server creating a digitally signed request comprising said other user data for said authorized user according to a second predetermined plan; and
  
  a transmitting said digitally signed request to a second vendor server at said secure Internet site;
  
  a database holding an ID for a vendor and specific requirements of the vendor;
  
  said authentication server creating a web page for the vendor using said specific requirements, and sending said web page to the user;
  
  said user adding user information to said web page and sending said web page, with said user information, to the vendor server; and
  
  a third, digital signature verifier server, separate from the vendor server, receiving the digitally signed request from the vendor server at the secure Internet site to determine whether said digitally signed request is valid and thereby to determine whether said specified transaction is authorized.
- View Dependent Claims (12, 16, 17, 18, 19, 20)
- - 12. The system according to claim 11 wherein said Internet site comprises world wide web pages.
  - 16. The system according to claim 11 further comprising:
    - a receiver receiving said digitally signed request at said secure Internet site; and
      
      a session establisher establishing a communication session with said first user if said digitally signed request is valid.
  - 17. The system according to claim 16 wherein said digital signature verifier further comprises:
    - signature sender sending said digital signature to a digital signature verification service at a verification Internet site; and
      
      a signature validity receiver receiving an indication of the validity of said digital signature from said verification Internet site.
  - 18. The system according to claim 11 wherein said checker further comprises:
    - a user checker checking said user credential against data in a common directory;
      
      a token generator creating token message;
      
      a redirection creator creating a redirect URL to the secure Internet site; and
      
      a redirect communicator communicating the redirect URL to a user browser.
  - 19. The system according to claim 18 wherein said token message comprises any one of XML data, an expiration field or unique user information.
  - 20. The system according to claim 18 wherein said redirect URL is digitally signed.

13. (canceled)

14. (canceled)

15. (canceled)

21. A computer program product for a user to access a secure Internet site, the computer program product utilizing user credential data and other user data, the computer program product comprising a computer readable medium having computer readable program code therein, the computer program product comprising:
- computer readable program code for using a first, authentication server for checking user credential data according to a first predetermined plan;
  
  computer readable program code for using the authentication server for authorizing said user to access a secure Internet site to transact a specified transaction thereat if said user credentials permit;
  
  computer readable program code for using the authentication server for creating a digitally authorized user according to a second predetermined plan; and
  
  computer readable program code for transmitting said digitally signed request from the authentication server to a second, vendor server at said secure Internet site;
  
  computer readable program code for using the authentication server for creating a web page for a given vendor using specific requirements of said given vendor, and sending said web page to the user;
  
  computer readable program code for enabling said user to add user information to said web page to send said web page, with said user information, to the vendor server; and
  
  computer readable program code for passing said request from the vendor server at the secure Internet site to a third, verification server, separate from the vendor server, to determine whether said digitally signed request is valid and thereby to determine whether said specified transaction is authorized.
- View Dependent Claims (22, 26, 27, 28, 30)
- - 22. The computer program product according to claim 21 wherein said Internet site comprises world wide web pages.
  - 26. A computer program product according to claim 21 further comprising:
    - computer readable program code for receiving said digitally signed request at said secure Internet site; and
      
      computer readable program code for establishing a communication session with said first user if said digitally signed request is valid.
  - 27. The computer program product according to claim 26 wherein said verification server further comprises:
    - computer readable program code for sending said digital signature to a digital signature verification service at a verification Internet site; and
      
      computer readable program code for receiving an indication of the validity of said digital signature from said verification Internet site.
  - 28. The computer program product according to claim 21 wherein said authorization server further comprises:
    - computer reader program code for checking said user credentials against data in a common directory;
      
      computer readable program code for creating token message;
      
      a redirection creator creating a redirect URL to the secure Internet site; and
      
      computer readable program code for communicating the redirect URL to a user browser.
  - 30. The computer program product according to claim 28 wherein said redirect URL is digitally signed.

23. (canceled)

24. (canceled)

25. (canceled)

29. (canceled)

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Chao, Li-Lung, Kebinger, James, Goodman, Brian

Granted Patent

US 8,499,339 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/9
CPC Class Codes

H04L 2209/68   Special signature format, e...

H04L 63/08   for authentication of entit...

H04L 63/12   Applying verification of th...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3247   involving digital signatures

AUTHENTICATED AND COMMUNICATING VERIFIABLE AUTHORIZATION BETWEEN DISPARATE NETWORK DOMAINS

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

AUTHENTICATED AND COMMUNICATING VERIFIABLE AUTHORIZATION BETWEEN DISPARATE NETWORK DOMAINS

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links