SYSTEM AND METHOD FOR SINGLE SIGN-ON TO RESOURCES ACROSS A NETWORK

US 20090249439A1
Filed: 03/25/2009
Published: 10/01/2009
Est. Priority Date: 03/30/2008
Status: Active Grant

First Claim

Patent Images

1. A system for providing single sign on across a plurality of resources, comprising:

an authentication connector configured to communicate with at least one authentication subsystem to authenticate a user;

at least one adaptor, each adaptor is configured to receive a credential set from a credential data store and, utilizing information from the credential set, communicate with the resource corresponding to the received credential set to authenticate the user to the resource; and

an SSO engine configured, responsive to a request from a user, to access a resource and detect whether the user was previously authenticated within a time window, and if not, authenticate the users with the authentication connector, and if the users was previously authenticated, the SSO engine is configured to retrieve the credential set corresponding to the resource requested by the user and provide the credential set to the adaptor to enable the adaptor authenticate the user to the resource without requiring the user to perform additional authentication for that resource.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods and apparatus for providing single sign on across a plurality of resources is disclosed. An exemplary method includes receiving a request from a user to access a particular one of the plurality of resources; establishing an SSO session for the user if an SSO session has not been established; determining if the user has been authenticated to the particular resource, and if not, retrieving credentials for the user that are specific to the resource; presenting the credentials to the resource so as to create a session with the resource; and presenting a user interface for a customer to configure which of the plurality of resources can be accessed by users.

171 Citations

20 Claims

1. A system for providing single sign on across a plurality of resources, comprising:
- an authentication connector configured to communicate with at least one authentication subsystem to authenticate a user;
  
  at least one adaptor, each adaptor is configured to receive a credential set from a credential data store and, utilizing information from the credential set, communicate with the resource corresponding to the received credential set to authenticate the user to the resource; and
  
  an SSO engine configured, responsive to a request from a user, to access a resource and detect whether the user was previously authenticated within a time window, and if not, authenticate the users with the authentication connector, and if the users was previously authenticated, the SSO engine is configured to retrieve the credential set corresponding to the resource requested by the user and provide the credential set to the adaptor to enable the adaptor authenticate the user to the resource without requiring the user to perform additional authentication for that resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1, including an admin server remotely located from an administrator and configured to present an interface, via the Internet to the administrator, so as to enable the administrator to configure which of the plurality of resources can be accessed by the user.
  - 3. The system of claim 2, wherein the authentication connector, the at least one adaptor, and the SSO engine are remotely located, and communicate via the Internet, with the plurality of resources, and the authentication connector, the at least one adaptor, and the SSO engine are remotely located, and communicate via the Internet, with a plurality of users.
  - 4. The system of claim 1, including a request interceptor configured to receive the request from the user as a proxy address that differs from the actual address of the resource.
  - 5. The system of claim 4, including a discovery portion configured to enable the at least one adaptor to communicate with the resource.
  - 6. The system of claim 1, including a second credential data store that is remote from the credential store.
  - 7. The system of claim 1, wherein the credential data store is encrypted so a to limit access to the credential store data.
  - 8. The system of claim 1, wherein the at least one authentication subsystem includes an LDAP directory.
  - 9. The system of claim 1, wherein the at least one authentication subsystem is a Windows Domain Controller and the authentication connector engages the user'"'"'s web browser in a Windows Authentication NTLM Challenge, which after a series of challenges and responses, may validate the user.

10. A method for providing single sign on across a plurality of resources, comprising:
- receiving a request from a user to access a particular one of the plurality of resources;
  
  establishing an SSO session for the user if an SSO session has not been established;
  
  determining if the user has been authenticated to the particular resource, and if not, retrieving credentials for the user that are specific to the particular resource;
  
  presenting the credentials to the particular resource so as to create a session with the particular resource; and
  
  presenting a user interface for a customer to configure which of the plurality of resources can be accessed by users.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 11. The method of claim 10, including presenting another user interface to allow the user to set credentials relative to at least one of the plurality of resources.
  - 12. The method of claim 10, including programmatically setting credentials relative to at least one of the plurality of resources.
  - 13. The method of claim 10, including receiving the request from the user as a proxy address that differs from the actual address of the particular resource.
  - 14. The method of claim 13, including automatically discovering how to communicate with the particular resource.
  - 15. The method of claim 13, including creating the session with the particular resource utilizing the SAML protocol.
  - 16. The method of claim 15, including:
    - defining access policies relative to attributes and resources;
      
      receiving, from a remote location, the access policies;
      
      communicating with at least one authentication subsystem to authenticate the user;
      
      connecting to one or more user stores to retrieve attributes relating to the user; and
      
      utilizing the attributes to evaluate the access policies to determine whether or not the user should be granted access to the resources.
  - 17. The method of claim 10, including name-space-mapping to map the user'"'"'s identity across user stores.
  - 18. The method of claim 10, including dropping cookies for multiple domains so that subsequent requests from the user are recognized as coming from the user, even if the user requests resources from different domains, so as to allow the session to span multiple domains.
  - 19. The method of claim 18, defining access policies relative to attributes and resources;
    - receiving, from a remote location, the access policies;
      
      communicating with at least one authentication subsystem to authenticate the user;
      
      connecting to one or more user stores to retrieve attributes relating to the user;
      
      utilizing the attributes to evaluate the access policies to determine whether or not the user should be granted access to the resources;
      
      receiving the request from the user as a proxy address that differs from the actual address of the particular resource; and
      
      presenting another user interface to allow the user to set credentials relative to at least one of the plurality of resources.

20. A system for providing single sign on across a plurality of resources, comprising:
- an authentication connector configured to communicate with at least one authentication subsystem to authenticate a user;
  
  at least one adaptor, each adaptor is configured to receive a credential set from a credential data store and, utilizing information from the credential set, communicate with the resource corresponding to the received credential set to authenticate the user to the resource; and
  
  an SSO engine configured to receive a request from a user to access resources and detect whether the user was previously authenticated within a time window, and if not, authenticate the user with the authentication connector, and if the user was previously authenticated, the SSO engine is configured to retrieve the credential set corresponding to the resource requested by the user and provide the credential set to the adaptor to enable the adaptor authenticate the user to the resource without requiring the user to perform additional authentication for that resource;
  
  an admin server remotely located from an administrator and configured to present an interface, via the Internet to the administrator, so as to enable the administrator to configure which of the plurality of resources can be accessed by the user.an update handler that is configured to install software updates while the system conyinues to manage access to a plurality of resources.a user store connector configured to connect to one or more user stores to retrieve attributes;
  
  a policy engine configured to retrieve attributes corresponding to the user and use the attributes to evaluate access policies which are defined for protection of resources, to determine whether or not the user should be granted access to the resource;
  
  a request interceptor configured to receive the request from the user as a proxy address that differs from the actual address of the resource;

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
EMC Corporation (Dell Technologies Inc.)
Inventors
Royer, Coby, Olden, Eric, Wallingford, Joseph H. III, Berg, Keshava, Platt, Darren C.

Granted Patent

US 8,990,911 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

H04L 63/0815   providing single-sign-on or...

H04L 63/101   Access control lists [ACL]

H04L 63/20   for managing network securi...

SYSTEM AND METHOD FOR SINGLE SIGN-ON TO RESOURCES ACROSS A NETWORK

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

171 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR SINGLE SIGN-ON TO RESOURCES ACROSS A NETWORK

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

171 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links