SYSTEM, METHOD AND PROGRAM FOR USER AUTHENTICATION, AND RECORDING MEDIUM ON WHICH THE PROGRAM IS RECORDED

US 20100212000A1
Filed: 04/27/2010
Published: 08/19/2010
Est. Priority Date: 03/30/2004
Status: Active Grant

First Claim

Patent Images

1. A method for authenticating a user, comprising:

a first server of a plurality of servers receiving an access request from the user to access a federated computing environment that comprises the plurality of servers, wherein the first server comprises an authentication policy table, wherein the authentication policy table of the first server comprises an authentication policy of each server of the plurality of servers registered therein, and wherein an authentication policy for each server of the plurality of servers is defined as at least one rule of each server for authenticating users of the federated computing environment;

after said receiving the access request, said first server receiving input authentication information from the user;

said first server obtaining a server address of a second server having an authentication policy that matches an authentication policy of the first server;

said first server transmitting the input authentication information to a second server via the server address of the second server;

after said transmitting the input authentication information to the second server, said first server receiving from the second server a notification that the second server has successfully authorized the user; and

after said receiving the notification that the second server has successfully authorized the user, said first server permitting the user to access the federated computing environment.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, and system, and computer program product for authenticating a user. A first server of a plurality of servers receives an access request from the user to access a federated computing environment that comprises multiple servers. After receiving the access request, the first server: receives input authentication information from the user, obtains a server address of a second server having an authentication policy that matches an authentication policy of the first server, transmits the input authentication information to the second server via the server address of the second server, receives from the second server a notification that the second server has successfully authorized the user, and permits the user to access the federated computing environment.

Citations

18 Claims

1. A method for authenticating a user, comprising:
- a first server of a plurality of servers receiving an access request from the user to access a federated computing environment that comprises the plurality of servers, wherein the first server comprises an authentication policy table, wherein the authentication policy table of the first server comprises an authentication policy of each server of the plurality of servers registered therein, and wherein an authentication policy for each server of the plurality of servers is defined as at least one rule of each server for authenticating users of the federated computing environment;
  
  after said receiving the access request, said first server receiving input authentication information from the user;
  
  said first server obtaining a server address of a second server having an authentication policy that matches an authentication policy of the first server;
  
  said first server transmitting the input authentication information to a second server via the server address of the second server;
  
  after said transmitting the input authentication information to the second server, said first server receiving from the second server a notification that the second server has successfully authorized the user; and
  
  after said receiving the notification that the second server has successfully authorized the user, said first server permitting the user to access the federated computing environment.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein at least one additional server has an authentication policy that matches an authentication policy of the first server, wherein said obtaining the server address of the second server comprises selecting the second server rather than selecting any server of the at least one additional server because a relative priority of the second server in the authentication policy table of the first server is a higher relative priority than is a relative priority of each server of at least one additional server in the authentication policy table of the first server.
  - 3. The method of claim 1, wherein before said transmitting the input authentication information to the second server, the method further comprises:
    - said first server determining that a user identification (ID) of the user is not in an exceptional ID table of the first server, wherein the exceptional ID table of the first server stores common user IDs and an indication of one or more servers associated with each common user ID stored in the exceptional ID table of the first server.
  - 4. The method of claim 1, wherein after said transmitting the input authentication information to the second server and before said permitting the user to access the federated computing environment, the method further comprises:
    - said first server receiving from the second server a token that may be used by the user to access the federated computing environment; and
      
      said first server sending the token to the user.
  - 5. The method of claim 4, wherein the token is a credential and a cookie.
  - 6. The method of claim 4, wherein the token is a Security Assertion Markup Language (SAML) token.

7. A computer system comprising a processor and a non-transitory computer readable memory unit coupled to the processor, said memory unit containing program code configured to be executed by the processor to implement a method for authenticating a user, said method comprising:
- a first server of a plurality of servers receiving an access request from the user to access a federated computing environment that comprises the plurality of servers, wherein the first server comprises an authentication policy table, wherein the authentication policy table of the first server comprises an authentication policy of each server of the plurality of servers registered therein, and wherein an authentication policy for each server of the plurality of servers is defined as at least one rule of each server for authenticating users of the federated computing environment;
  
  after said receiving the access request, said first server receiving input authentication information from the user;
  
  said first server obtaining a server address of a second server having an authentication policy that matches an authentication policy of the first server;
  
  said first server transmitting the input authentication information to a second server via the server address of the second server;
  
  after said transmitting the input authentication information to the second server, said first server receiving from the second server a notification that the second server has successfully authorized the user; and
  
  after said receiving the notification that the second server has successfully authorized the user, said first server permitting the user to access the federated computing environment.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The computer system of claim 7, wherein at least one additional server has an authentication policy that matches an authentication policy of the first server, wherein said obtaining the server address of the second server comprises selecting the second server rather than selecting any server of the at least one additional server because a relative priority of the second server in the authentication policy table of the first server is a higher relative priority than is a relative priority of each server of at least one additional server in the authentication policy table of the first server.
  - 9. The computer system of claim 7, wherein before said transmitting the input authentication information to the second server, the method further comprises:
    - said first server determining that a user identification (ID) of the user is not in an exceptional ID table of the first server, wherein the exceptional ID table of the first server stores common user IDs and an indication of one or more servers associated with each common user ID stored in the exceptional ID table of the first server.
  - 10. The computer system of claim 7, wherein after said transmitting the input authentication information to the second server and before said permitting the user to access the federated computing environment, the method further comprises:
    - said first server receiving from the second server a token that may be used by the user to access the federated computing environment; and
      
      said first server sending the token to the user.
  - 11. The computer system of claim 10, wherein the token is a credential and a cookie.
  - 12. The computer system of claim 10, wherein the token is a Security Assertion Markup Language (SAML) token.

13. A computer program product, comprising a non-transitory computer readable storage medium having program code stored therein, said program code configured to be executed by a computer processor to perform a method for authenticating a user, said method comprising:
- a first server of a plurality of servers receiving an access request from the user to access a federated computing environment that comprises the plurality of servers, wherein the first server comprises an authentication policy table, wherein the authentication policy table of the first server comprises an authentication policy of each server of the plurality of servers registered therein, and wherein an authentication policy for each server of the plurality of servers is defined as at least one rule of each server for authenticating users of the federated computing environment;
  
  after said receiving the access request, said first server receiving input authentication information from the user;
  
  said first server obtaining a server address of a second server having an authentication policy that matches an authentication policy of the first server;
  
  said first server transmitting the input authentication information to a second server via the server address of the second server;
  
  after said transmitting the input authentication information to the second server, said first server receiving from the second server a notification that the second server has successfully authorized the user; and
  
  after said receiving the notification that the second server has successfully authorized the user, said first server permitting the user to access the federated computing environment.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The computer program product of claim 13, wherein at least one additional server has an authentication policy that matches an authentication policy of the first server, wherein said obtaining the server address of the second server comprises selecting the second server rather than selecting any server of the at least one additional server because a relative priority of the second server in the authentication policy table of the first server is a higher relative priority than is a relative priority of each server of at least one additional server in the authentication policy table of the first server.
  - 15. The computer program product of claim 13, wherein before said transmitting the input authentication information to the second server, the method further comprises:
    - said first server determining that a user identification (ID) of the user is not in an exceptional ID table of the first server, wherein the exceptional ID table of the first server stores common user IDs and an indication of one or more servers associated with each common user ID stored in the exceptional ID table of the first server.
  - 16. The computer program product of claim 13, wherein after said transmitting the input authentication information to the second server and before said permitting the user to access the federated computing environment, the method further comprises:
    - said first server receiving from the second server a token that may be used by the user to access the federated computing environment; and
      
      said first server sending the token to the user.
  - 17. The computer program product of claim 16, wherein the token is a credential and a cookie.
  - 18. The computer program product of claim 16, wherein the token is a Security Assertion Markup Language (SAML) token.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AirBNB Incorporated
Original Assignee
International Business Machines Corporation
Inventors
Takehi, Masahiro

Granted Patent

US 8,689,302 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/6
CPC Class Codes

G06F 21/31   User authentication

H04L 63/08   for authentication of entit...

H04L 63/0815   providing single-sign-on or...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

H04L 63/205   involving negotiation or de...

SYSTEM, METHOD AND PROGRAM FOR USER AUTHENTICATION, AND RECORDING MEDIUM ON WHICH THE PROGRAM IS RECORDED

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM, METHOD AND PROGRAM FOR USER AUTHENTICATION, AND RECORDING MEDIUM ON WHICH THE PROGRAM IS RECORDED

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links