EXTERNAL USER LIFECYCLE MANAGEMENT FOR FEDERATED ENVIRONMENTS
Abstract
The present invention provides a generic technique that externalizes the management of a user session, particularly in the context of a federated environment. The invention obviates any requirement to design and implement special software (or to modify a previously installed plug-in) to enable third-party SSOp-aware applications to manage the lifecycle of a user session. In an illustrative embodiment, the user session lifecycle is managed externally through an external authentication interface (EAI) that has been extended to enable any point of contact (POC) or SSOp-aware application to interface to a federated identity provider component using a simple HTTP transport mechanism. In this approach, HTTP request and response headers carry the information that the POC uses to initiate and later destroy a user session, and that information is provided by a federated entity without requiring use of a special authentication API.
26 Claims
1. A method, operative within a federated environment in which a point of contact serves as an intermediary between a client browser and an authentication service, comprising:
providing an external authentication interface through which the authentication service authenticates a user associated with the client browser using information communicated in a first HTTP request-response exchange; and
extending the external authentication interface to enable the point of contact to terminate the user session using information passed in a second HTTP request-response exchange.
(Dependent claims: 2-14.)
15. A method, operative in a federated environment comprising at least one identity provider and one service provider, wherein a point of contact serves as an intermediary between a client browser and the identity provider, comprising:
providing an external authentication interface through which the identity provider authenticates a user associated with the client browser using information communicated between the point of contact and the identity provider in a first request-response exchange; and
extending the external authentication interface to enable the point of contact to terminate the user session using information passed in a second request-response exchange.
(Dependent claim: 16.)
17. A method, operative within a federated environment comprising at least one identity provider and one service provider, and wherein a point of contact serves as an intermediary between a client browser and the identity provider, comprising:
issuing a first request to the identity provider using a first HTTP request-response exchange, wherein a response header associated with the first HTTP request-response exchange includes a session identifier;
using the session identifier to create a user session;
issuing a second request to the identity provider using a second HTTP request-response exchange, wherein a response header associated with the second HTTP request-response exchange includes the session identifier; and
based on the session identifier, destroying the user session.
(Dependent claims: 18-21.)
22. Apparatus, comprising:
a component that serves as an intermediary between a client browser and one or more back end applications; and
a computer readable medium having program code executable by a processor to perform the following method steps:
issuing a first request to the identity provider using a first HTTP request-response exchange, wherein a response header associated with the first HTTP request-response exchange includes a session identifier;
using the session identifier to create a user session;
issuing a second request to the identity provider using a second HTTP request-response exchange, wherein a response header associated with the second HTTP request-response exchange includes the session identifier;
based on the session identifier, destroying the user session; and
(Dependent claims: 23-26.)
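The two header-driven exchanges recited in claims 17 and 22 (create a session from the session identifier in the first response header, destroy it on the matching identifier in the second), modelled as an added Python example. This is illustrative code, not code from the patent or its assignee: the header names, the /eai/login and /eai/logout paths, the credential headers and the in-memory identity provider are all assumptions, since the claims specify only that "a response header" carries the identifier.

```python
"""Point-of-contact (POC) session lifecycle driven by IdP response headers.

Assumed for illustration: header names, paths, and an in-process stand-in
for the federated identity provider.  Nothing here is named in the patent.
"""
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Assumed header names; the claims say only "a response header".
SESSION_HDR = "X-EAI-Session-Id"
ACTION_HDR = "X-EAI-Action"          # "create" or "terminate"

Headers = Dict[str, str]
Response = Tuple[int, Headers]       # (status, response headers)


class IdentityProvider:
    """Minimal stand-in for the identity provider behind the EAI."""

    def __init__(self, users: Dict[str, str]) -> None:
        self._users = users                      # constructed credential table
        self._sessions: Dict[str, str] = {}      # session id -> user

    def handle(self, method: str, path: str, headers: Headers) -> Response:
        if method == "POST" and path == "/eai/login":
            user = headers.get("X-User", "")
            if self._users.get(user) != headers.get("X-Password"):
                return 401, {}
            sid = secrets.token_urlsafe(32)
            self._sessions[sid] = user
            # First exchange: the response header carries the new session id.
            return 200, {SESSION_HDR: sid, ACTION_HDR: "create"}
        if method == "POST" and path == "/eai/logout":
            sid = headers.get(SESSION_HDR, "")
            if sid not in self._sessions:
                return 404, {}
            del self._sessions[sid]
            # Second exchange: the same id comes back, now tagged terminate.
            return 200, {SESSION_HDR: sid, ACTION_HDR: "terminate"}
        return 404, {}


class PointOfContact:
    """Reverse proxy that owns the browser-facing user session."""

    def __init__(self, idp: IdentityProvider) -> None:
        self._idp = idp
        self.sessions: Dict[str, str] = {}       # session id -> user

    def _exchange(self, path: str, headers: Headers) -> Response:
        # Only headers in the IdP's *response* are trusted; anything the
        # browser sent under SESSION_HDR/ACTION_HDR is stripped by callers.
        return self._idp.handle("POST", path, headers)

    def login(self, browser_headers: Headers) -> Optional[str]:
        forwarded = {k: v for k, v in browser_headers.items()
                     if k not in (SESSION_HDR, ACTION_HDR)}
        status, resp = self._exchange("/eai/login", forwarded)
        sid = resp.get(SESSION_HDR)
        if status != 200 or not sid or resp.get(ACTION_HDR) != "create":
            return None
        self.sessions[sid] = forwarded.get("X-User", "")   # create session
        return sid

    def logout(self, sid: str) -> str:
        if sid not in self.sessions:
            return "unknown-session"
        status, resp = self._exchange("/eai/logout", {SESSION_HDR: sid})
        if status != 200 or resp.get(ACTION_HDR) != "terminate":
            return "idp-refused"
        echoed = resp.get(SESSION_HDR, "")
        if not hmac.compare_digest(echoed, sid):
            # Destroying any session other than the one we asked about would
            # let a confused IdP (or a spoofed response) log out a bystander.
            return "id-mismatch"
        del self.sessions[sid]                               # destroy session
        return "terminated"


def demo() -> Tuple[str, str, str]:
    """Run both exchanges against a constructed user table."""
    idp = IdentityProvider({"alice": "correct horse"})       # constructed
    poc = PointOfContact(idp)
    sid = poc.login({"X-User": "alice", "X-Password": "correct horse"})
    assert sid is not None and sid in poc.sessions
    first = poc.logout(sid)                                  # "terminated"
    second = poc.logout(sid)                                 # "unknown-session"
    bad = poc.login({"X-User": "alice", "X-Password": "wrong"})
    return first, second, "rejected" if bad is None else "accepted"
```

Two checks a practitioner would want, neither spelled out in the claims, are built in: the POC never lets a session identifier supplied by the browser reach the identity provider, and it refuses to destroy a session unless the identifier echoed in the second response header is byte-for-byte the one it sent. Whether a logout that the identity provider does not confirm should still clear the local session is a deployment decision; this model fails closed and reports the condition instead.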