EXTERNAL USER LIFECYCLE MANAGEMENT FOR FEDERATED ENVIRONMENTS

US 20080271121A1
Filed: 04/27/2007
Published: 10/30/2008
Est. Priority Date: 04/27/2007
Status: Abandoned Application

First Claim

Patent Images

1. A method, operative within a federated environment in which a point of contact serves as an intermediary between a client browser and an authentication service, comprising:

providing an external authentication interface through which the authentication service authenticates a user associated with the client browser using information communicated in a first HTTP request-response exchange; and

extending the external authentication interface to enable the point of contact to terminate the user session using information passed in a second HTTP request-response exchange.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention provides a generic technique that externalizes the management of a user session, particularly in the context of a federated environment. The invention obviates any requirement to design and implement special software (or any requirement to modify a previously installed plug-in) to enable third party SSOp-aware applications to manage the lifecycle of a user session. In an illustrative embodiment, the user session lifecycle is managed externally through an external authentication interface (EAI) that has been extended to enable any POC (or SSOp-aware application) to interface to a federated identity provider component using a simple HTTP transport mechanism. In the inventive approach, HTTP request and response headers carry the information that is used by the POC to initiate and later destroy a user session, and such information is provided by a federated entity without requiring use of a special authentication API.

35 Citations

View as Search Results

26 Claims

1. A method, operative within a federated environment in which a point of contact serves as an intermediary between a client browser and an authentication service, comprising:
- providing an external authentication interface through which the authentication service authenticates a user associated with the client browser using information communicated in a first HTTP request-response exchange; and
  
  extending the external authentication interface to enable the point of contact to terminate the user session using information passed in a second HTTP request-response exchange.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method as described in claim 1 wherein the authentication service is an authentication service that is independent from the point of contact.
  - 3. The method as described in claim 2 wherein the authentication service is an identity provider that provides identity management in the federated environment.
  - 4. The method as described in claim 1 wherein the first HTTP request-response exchange comprises a request having a header, the header including a name, and at least one value.
  - 5. The method as described in claim 4 wherein the name is associated with a first user session lifecycle operation.
  - 6. The method as described in claim 5 wherein the first user session lifecycle operation is a log in or a sign on.
  - 7. The method as described in claim 6 wherein the sign on is a federated single sign on.
  - 8. The method as described in claim 1 wherein the second HTTP request-response exchange comprises a request having a header, the header including a name, and at least one value.
  - 9. The method as described in claim 8 wherein the name is associated with a second user session lifecycle operation.
  - 10. The method as described in claim 9 wherein the second user session lifecycle operation is a log out or single sign out.
  - 11. The method as described in claim 10 wherein the sign out is a federated single sign out.
  - 12. The method as described in claim 1 wherein the point of contact is one of:
    - a proxy, and a web server plug-in.
  - 13. A computer-readable medium having computer-executable instructions for performing the method steps of claim 1.
  - 14. Apparatus comprising a processor, and a computer-readable medium, the computer-readable medium having processor-executable instructions for performing the method steps of claim 1.

15. A method, operative in a federated environment comprising at least one identity provider, and one service provider, wherein a point of contact serves as an intermediary between a client browser and the identity provider, comprising:
- providing an external authentication interface through which the identity provider authenticates a user associated with the client browser using information communicated between the point of contact and the identity provider in a first request-response exchange; and
  
  extending the external authentication interface to enable the point of contact to terminate the user session using information passed in a second request-response exchange.
- View Dependent Claims (16)
- - 16. The method as described in claim 15 wherein at least the first or the second request-response exchange is an HTTP request-response exchange.

17. A method, operative within a federated environment comprising at least one identity provider, and one service provider, and wherein a point of contact serves as an intermediary between a client browser and the identity provider, comprising:
- issuing a first request to the identity provider using a first HTTP request-response exchange, wherein a response header associated with the first HTTP request-response exchange includes a session identifier;
  
  using the session identifier to create a user session;
  
  issuing a second request to the identity provider using a second HTTP request-response exchange, wherein a response header associated with the second HTTP request-response exchange includes the session identifier;
  
  based on the session identifier, destroying the user session.
- View Dependent Claims (18, 19, 20, 21)
- - 18. The method as described in claim 17 wherein the first request is one of:
    - a log in or sign in.
  - 19. The method as described in claim 17 wherein the second request is one of:
    - a log out or sign out.
  - 20. The method as described in claim 17 wherein the user session is created by populating a point of contact session cache with an entry associated with the session identifier.
  - 21. The method as described in claim 20 wherein the step of destroying the user session includes deleting the entry in the point of contact session cache.

22. Apparatus, comprising:
- a component that serves as an intermediary between a client browser and one or more back end applications; and
  
  a computer readable medium having program code executable by a processor to perform the following method steps;
  
  issuing a first request to the identity provider using a first HTTP request-response exchange, wherein a response header associated with the first HTTP request-response exchange includes a session identifier;
  
  using the session identifier to create a user session;
  
  issuing a second request to the identity provider using a second HTTP request-response exchange, wherein a response header associated with the second HTTP request-response exchange includes the session identifier;
  
  based on the session identifier, destroying the user session; and
- View Dependent Claims (23, 24, 25, 26)
- - 23. The apparatus as described in claim 22 wherein the component performs an authentication function.
  - 24. The apparatus as described in claim 22 wherein the component performs an authorization function.
  - 25. The apparatus as described in claim 22 wherein the program code executes in a reverse proxy.
  - 26. The apparatus as described in claim 22 wherein the program code executes in a server plug-in.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Wardrop, Patrick Ryan, Hinton, Heather Maria, Moran, Anthony Scott

Application Number

US11/740,956
Publication Number

US 20080271121A1
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

H04L 63/0815 providing single-sign-on or...

EXTERNAL USER LIFECYCLE MANAGEMENT FOR FEDERATED ENVIRONMENTS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

35 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

EXTERNAL USER LIFECYCLE MANAGEMENT FOR FEDERATED ENVIRONMENTS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

35 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links