SYSTEM, METHOD AND PROGRAM PRODUCT FOR CONSOLIDATED AUTHENTICATION

US 20090282239A1
Filed: 05/07/2008
Published: 11/12/2009
Est. Priority Date: 05/07/2008
Status: Active Grant

First Claim

Patent Images

1. A method for authentication of a user at a first computer to an application at a second computer, said method comprising the steps of:

said first computer sending a request to said second computer to access said application, and in response, said second computer determining that said user has not yet been authenticated to said application, and in response, said second computer redirecting said request to a third computer, and in response, said third computer determining that said user has been authenticated to said third computer, and in response, said third computer authenticating said user to said application and in response, said second computer returning a session key to said third computer for a session between said application and said user, said session have a scope of said second computer or said application but not a scope of a domain; and

in response to said authentication of said user to said second application and receipt by said third computer of said session key from said second computer for a session between said user and said second computer or said application, said third computer generating another session key with a scope of the domain and sending the domain-scope session key to said first computer; and

said first computer sending another request to said application with said domain-scope session key, and in response, said application recognizing a valid session between said user and said application based on said domain-scope session key and responding to said first computer in compliance with said other request; and

whereinsaid domain is a group of applications including said application in said second computer, or a group of computers including said second computer, which are owned or operated by a same entity or have a same domain name URL component.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A first computer sends a request to the second computer to access the application. In response, the second computer determines that the user has not yet been authenticated to the application. In response, the second computer redirects the request to a third computer. In response, the third computer determines that the user has been authenticated to the third computer. In response, the third computer authenticates the user to the application. In response, the second computer returns a session key to the third computer for a session between the application and the user. The session has a scope of the second computer or the application but not a scope of a domain. In response to the authentication of the user to the second application and receipt by the third computer of the session key from the second computer for a session between the user and the second computer or the application, the third computer generates another session key with a scope of the domain and sends the domain-scope session key to the first computer. The first computer sends another request to the application with the domain-scope session key.

46 Citations

View as Search Results

13 Claims

1. A method for authentication of a user at a first computer to an application at a second computer, said method comprising the steps of:
- said first computer sending a request to said second computer to access said application, and in response, said second computer determining that said user has not yet been authenticated to said application, and in response, said second computer redirecting said request to a third computer, and in response, said third computer determining that said user has been authenticated to said third computer, and in response, said third computer authenticating said user to said application and in response, said second computer returning a session key to said third computer for a session between said application and said user, said session have a scope of said second computer or said application but not a scope of a domain; and
  
  in response to said authentication of said user to said second application and receipt by said third computer of said session key from said second computer for a session between said user and said second computer or said application, said third computer generating another session key with a scope of the domain and sending the domain-scope session key to said first computer; and
  
  said first computer sending another request to said application with said domain-scope session key, and in response, said application recognizing a valid session between said user and said application based on said domain-scope session key and responding to said first computer in compliance with said other request; and
  
  whereinsaid domain is a group of applications including said application in said second computer, or a group of computers including said second computer, which are owned or operated by a same entity or have a same domain name URL component.
- View Dependent Claims (2, 3)
- - 2. A method as set forth in claim 1 further comprising the step of said user registering with said third computer by supplying a valid combination of userID and password.
  - 3. A method as set forth in claim 1 further comprising the subsequent steps of:
    - said first computer sending a third request to a fourth computer in said domain to access a second application in said fourth computer, and in response, said fourth computer determining that said user has not yet been authenticated to said second application, and in response, said fourth computer redirecting said third request to said third computer, and in response, said third computer determining that said user has been authenticated to said third computer, and in response, said third computer authenticating said user to said second application and in response, said fourth computer returning a session key to said third computer for a session between said second application and said user, said session have a scope of said fourth computer or said second application but not a scope of said domain; and
      
      in response to said authentication of said user to said second application and receipt by said third computer of said session key from said fourth computer for a session between said user and said fourth computer or said application, said third computer generating another session key with said domain-scope and sending the domain-scope session key to said first computer; and
      
      said first computer sending another request to said second application with said domain-scope session key, and in response, said second application recognizing a valid session between said user and said second application based on said domain-scope session key and responding to said first computer in compliance with said other request sent to said second application.

4. A computer program product for authenticating a user at a first computer to an application at a second computer, said computer program product comprising:
- a computer readable media;
  
  first program instructions for execution in said second computer, responsive to a request from said first computer to access said application, to determine whether said user has been authenticated to said application, and if not, redirect said request to a third computer;
  
  second program instructions, for execution in said third computer, responsive to said redirected request from said third computer, to determine if said user has been authenticated to said third computer, and if so, authenticate said user to said application;
  
  third program instructions, for execution in said second computer, responsive to said authentication of said user by said third computer, to initiate return of a session key to said third computer for a session between said application and said user, said session have a scope of said second computer or said application but not a scope of a domain; and
  
  fourth program instructions, for execution in said third computer, responsive to said authentication of said user to said second application and receipt by said third computer of said session key from said second computer for a session between said user and said second computer or said application, to generate another session key with a scope of said domain and initiate sending of the domain-scope session key to said first computer; and
  
  fifth program instructions, for execution in said second computer, responsive to another request from said first computer to access said application, said other request including said domain-scope session key, to recognize a valid session between said user and said application based on said domain-scope session key and initiate a response by said application to said first computer in compliance with said other request; and
  
  whereinsaid domain is a group of applications including said application in said second computer and/or a group of computers including said second computer, which are owned or operated by a same entity or have a same domain name URL component; and
  
  said first, second, third, fourth and fifth program instructions are stored on said computer readable storage media.
- View Dependent Claims (5, 6, 7, 8)
- - 5. A computer program product as set forth in claim 4 further comprising seventh program instructions, for execution in said third computer, to enable said user to register with said third computer by supplying a valid combination of userID and password;
    - and wherein said seventh program instructions are stored on said computer readable storage media.
  - 6. A computer program product as set forth in claim 4 further comprising:
    - seventh program instructions, for execution in a fourth computer in said domain, to receive a third request from said first computer to access a second application in said fourth computer, and in response, determine if said user has been authenticated to said second application, and if not, redirect said third request to said third computer;
      
      whereinsaid second program instructions, responsive to the redirected third request, determines whether said user has been authenticated to said third computer, and if so, authenticate said user to said second application;
      
      further comprisingeighth program instructions, for execution in said fourth computer, responsive to said authentication of said user by said third computer, to initiate return or a session key to said third computer for a session between said second application and said user having a scope of said fourth computer or said second application but not a scope of said domain; and
      
      whereinsaid fourth program instructions, responsive to said authentication of said user to said second application and receipt by said third computer of said session key from said fourth computer for a session between said user and said fourth computer or said application, generates another session key with said domain-scope and initiate sending of the domain-scope session key to said first computer;
      
      said seventh program instructions, responsive to another request by said first computer to access said second application with said domain-scope session key, recognizes a valid session between said user and said second application based on said domain-scope session key and responds to said first computer in compliance with said other request sent to said second application; and
      
      said seventh and eighth program instructions are stored on said computer readable storage media.
  - 7. A computer program product as set forth in claim 6 wherein said seventh and eighth program instructions are part of said second application.
  - 8. A computer program product as set forth in claim 4 wherein said first, third and fifth program instructions are part of said application.

9. A computer system for authenticating a user at a first computer to an application at a second computer, said computer system comprising:
- said second computer with a first central processing unit;
  
  a third computer with a second central processing unit;
  
  first program instructions, stored in said second computer for execution by said first central processing unit, responsive to a request from said first computer to access said application, to determine whether said user has been authenticated to said application, and if not, redirect said request to a third computer;
  
  second program instructions, stored in said third computer for execution by said second central processing unit, responsive to said redirected request from said third computer, to determine if said user has been authenticated to said third computer, and if so, authenticate said user to said application;
  
  third program instructions, stored in said second computer for execution by said first central processing unit, responsive to said authentication of said user by said third computer, to initiate return of a session key to said third computer for a session between said application and said user, said session have a scope of said second computer or said application but not a scope of a domain; and
  
  fourth program instructions, stored in said third computer for execution by said second central processing unit, responsive to said authentication of said user to said second application and receipt by said third computer of said session key from said second computer for a session between said user and said second computer or said application, to generate another session key with a scope of said domain and initiate sending of the domain-scope session key to said first computer; and
  
  fifth program instructions, stored in said second computer for execution by said first central processing unit, responsive to another request from said first computer to access said application, said other request including said domain-scope session key, to recognize a valid session between said user and said application based on said domain-scope session key and initiate a response by said application to said first computer in compliance with said other request; and
  
  whereinsaid domain is a group of applications including said application in said second computer and/or a group of computers including said second computer, which are owned or operated by a same entity or have a same domain name URL component.
- View Dependent Claims (10, 11, 12, 13)
- - 10. A computer system as set forth in claim 9 further comprising seventh program instructions, stored in said third computer for execution by said second processing unit, to enable said user to register with said third computer by supplying a valid combination of userID and password.
  - 11. A computer system as set forth in claim 9 further comprising:
    - a fourth computer with a third central processing unit, said fourth computer in said domain;
      
      seventh program instructions, stored in said fourth computer for execution by said third central processing unit, to receive a third request from said first computer to access a second application in said fourth computer, and in response, determine if said user has been authenticated to said second application, and if not, redirect said third request to said third computer;
      
      whereinsaid second program instructions, responsive to the redirected third request, determines whether said user has been authenticated to said third computer, and if so, authenticate said user to said second application;
      
      further comprisingeighth program instructions, stored in said fourth computer for execution by said third central processing unit, responsive to said authentication of said user by said third computer, to initiate return or a session key to said third computer for a session between said second application and said user having a scope of said fourth computer or said second application but not a scope of said domain; and
      
      whereinsaid fourth program instructions, responsive to said authentication of said user to said second application and receipt by said third computer of said session key from said fourth computer for a session between said user and said fourth computer or said application, generates another session key with said domain-scope and initiate sending of the domain-scope session key to said first computer; and
      
      said seventh program instructions, responsive to another request by said first computer to access said second application with said domain-scope session key, recognizes a valid session between said user and said second application based on said domain-scope session key and responds to said first computer in compliance with said other request sent to said second application.
  - 12. A computer system as set forth in claim 11 wherein said seventh and eighth program instructions are part of said second application.
  - 13. A computer system as set forth in claim 9 wherein said first, third and fifth program instructions are part of said application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Doleh, Yaser K.

Granted Patent

US 8,219,802 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/155
CPC Class Codes

G06F 21/1012   to domains

G06F 21/335   for accessing specific reso...

G06F 21/41   where a single sign-on prov...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2115   Third party

G06F 2221/2119   Authenticating web pages, e...

H04L 63/0815   providing single-sign-on or...

H04L 63/083   using passwords cryptograph...

SYSTEM, METHOD AND PROGRAM PRODUCT FOR CONSOLIDATED AUTHENTICATION

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

46 Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM, METHOD AND PROGRAM PRODUCT FOR CONSOLIDATED AUTHENTICATION

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

46 Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links