Single sign on with proxy services

US 20070294752A1
Filed: 06/01/2006
Published: 12/20/2007
Est. Priority Date: 06/01/2006
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving an authentication request from a principal;

authenticating the principal; and

supplying an authentication message for use by an identity service on behalf of the principal, wherein the authentication message serves as a new authentication request and as a new authentication response for single sign-on access of the principal to the identity service.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for proxing services with a single sign on are provided. A principal authenticates to a first identity service. The first identity service is in a trusted relationship with a second identity service. An authentication request is sent to the second identity service and the request includes an authentication response supplied by the first identity service in response to successful authentication of the principal to the first identity service. In response to the authentication request and the accompanying response, the principal is authenticated for access to the second identity service. Furthermore, targeted services accessible to the second identity service are proxied from and to the principal during interactions between the principal and an external service of that principal.

46 Citations

View as Search Results

25 Claims

1. A method, comprising:
- receiving an authentication request from a principal;
  
  authenticating the principal; and
  
  supplying an authentication message for use by an identity service on behalf of the principal, wherein the authentication message serves as a new authentication request and as a new authentication response for single sign-on access of the principal to the identity service.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 further comprising, making a target service available to interactions between the principal and an external service, wherein the target service is directly accessible from an environment of the identity service.
  - 3. The method of claim 1, wherein supplying further includes redirecting the principal to the identity service and including with the redirection the new authentication request and the new authentication response represented by the authentication message, and wherein the identity service authenticates the principal automatically in response to the new authentication response included with the authentication message.
  - 4. The method of claim 3, wherein supplying further includes representing the new authentication response as a first authentication token that informs the identity service that the principal is currently already properly authenticated to the processing associated with the method.
  - 5. The method of claim 4, wherein supplying further includes adding a second authentication to a second redirection of the principal, wherein the second authentication represents authentication of the principal to the identity service and wherein the second redirection directs the principal to request a target service that is to be proxied on behalf of the principal from the identity service.
  - 6. The method of claim 1, wherein supplying further includes representing the new authentication response as an instruction to the identity service to enforce its own independent authentication with the principal before considering the principal authenticated to the identity service.
  - 7. The method of claim 1 further comprising, interacting with the principal via a World-Wide Web (WWW) browser over the Internet using at least one of a Security Assertion Markup Language (SAML), a Liberty Alliance markup language, and Web Services (WS) Foundation markup language.

8. A method, comprising:
- receiving an authentication request and an authentication response as a single sign-on transaction from a principal;
  
  detecting, from an identity service, an instruction, which is represented in the authentication response; and
  
  taking an action in response to the instruction to authenticate the principal for access to targeted services.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The method of claim 8, wherein detecting further includes identifying the instruction as an assertion from the identity service that the principal is currently already authenticated to the identity service.
  - 10. The method of claim 9, wherein taking further includes authenticating the principal, in response to the assertion, and supplying an authentication token to the principal indicating that the principal is authenticated for access to the targeted services.
  - 11. The method of claim 8, wherein detecting further includes identifying the instruction as an identity service request from the identity service to independently authenticate the principal.
  - 12. The method of claim 11, wherein taking further includes interactively authenticating the principal via a challenge and response dialogue in response to the identity service request and supplying an authentication token to the principal that indicates the principal is authenticated for access to the targeted services, if authentication is successful.
  - 13. The method of claim 8 further comprising:
    - receiving an authentication service token from the identity service or an external service associated with the principal, wherein the authentication service token indicates the principal has been authenticated for access to the targeted services, and wherein the targeted services are external to the identity service; and
      
      using the authentication service token to proxy the targeted services to the identity service or the external service associated with the principal.

14. A method, comprising:
- receiving a request for access from a principal or an external service associated with the principal, wherein the request includes a first authentication token, the first authentication token indicating the principal is currently already authenticated to a first identity service and a second authentication token indicating the principal is also currently authenticated to a second identity service;
  
  acquiring a service token for a targeted service that can be made accessible to the first identity service or external service; and
  
  supplying the first identity service or external service with the service token for accessing the targeted service, wherein the first identity service passes the service token to the external service thereby making the targeted service accessible from and to the principal via the external service or the first identity service via the service token.
- View Dependent Claims (15, 16, 17)
- - 15. The method of claim 14, wherein receiving further includes receiving the request as a browser redirection forced by the first identity service during interactions with the principal, and wherein the first authentication token is automatically supplied in the request during the redirection.
  - 16. The method of claim 14, wherein acquiring further includes evaluating policy to ensure the targeted service is a type of service, which is permissibly accessible to the principal or external service associated with the principal.
  - 17. The method of claim 14, wherein acquiring further includes determining that the targeted service is authorized for access by the first identity service in response to an identifier associated with the first identity service.

18. A system, comprising:
- a first identity service; and
  
  a second identity service, wherein the first identity service is to authenticate a principal for access to the first identity service and is to facilitate authentication of the principal to the second identity service by formulating a second identity service authentication request on behalf of the principal, wherein the second identity authentication request also includes an authentication response that is to be included with the second identity authentication request, and wherein the authentication response is relied upon by the second identity service to determine authentication of the principal to the second identity service.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25)
- - 19. The system of claim 18 further comprising, an external service that is accessible via the first identity service and that is adapted to supply an authentication service token to the first identity service or the second identity service, wherein the second identity service is adapted to supply proxied access to a targeted service of the second identity service in response to the authentication service token to the first identity service or the external service so that the targeted service can be accessed from an environment of the external service.
  - 20. The system of claim 19, wherein the targeted service is registered at the first identity service and accessible to the principal via the first identity service and wherein the authorization service token permits the principal or the external service to also access the targeted service from the environment of the first identity service acting as a proxy for the external service or principal.
  - 21. The system of claim 18, wherein the principal is to interact with the first identity service and the second identity service via World-Wide Web (WWW) browser interactions over the Internet.
  - 22. The system of claim 18, wherein the first identity service is to inform the second identity service to independently interact with the principal to determine authentication to the second identity service, wherein the second identity service is informed to independently authenticate the principal via the authentication response.
  - 23. The system of claim 18, wherein the first identity service is to inform the second identity service to rely on authentication of the principal in response to the first identity service asserting, in the authentication response, that the first identity service has already authenticated the principal for access to the first identity service.
  - 24. The system of claim 18, wherein a targeted service associated with the second identity service is proxied through the first identity service to the an external service associated with the principal in response to a request for access from the principal interacting with the external service.
  - 25. The system of claim 18, wherein a common access context from a perspective of the principal is achieved when the principal is authenticated to the first identity service to permit the principal to access services available in an environment of the first identity service and other services available in another environment associated with the second identity service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
RPX Corporation
Original Assignee
Novell Incorporated (Open Text Corporation)
Inventors
Burch, Lloyd Leon, Morris, Cameron Craig, Kinser, Stephen Hugh

Granted Patent

US 8,327,426 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/8
CPC Class Codes

G06F 21/33   using certificates

G06F 21/41   where a single sign-on prov...

H04L 63/0815   providing single-sign-on or...

Single sign on with proxy services

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

46 Citations

25 Claims

Specification

Use Cases

Quick Links

Others

Single sign on with proxy services

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

46 Citations

25 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others