METHOD AND APPARATUS FOR INTERWORKING WITH SINGLE SIGN-ON AUTHENTICATION ARCHITECTURE
First Claim
1. A method for use in interworking a single sign-on authentication architecture and a further authentication architecture in a split terminal scenario where authentication under the single sign-on authentication architecture is required of a browsing agent being used to access a relying party and in response, due to the interworking in the split terminal scenario, an associated authentication under the further authentication architecture is performed in relation to a separate authentication agent, the method comprising, at a controlling agent:
- sending a token to the authentication agent;
- sending a request to the browsing agent to return a token;
- receiving the token from the browsing agent, the authentication agent or a user of the authentication agent having communicated the received token to the browsing agent via a secure and/or trusted channel and the browsing agent, in response to the earlier received request, having forwarded the token to the controlling agent;
- comparing the received token with the token sent to the authentication agent to determine whether the authentication agent is authorised to perform authentication on behalf of the browsing agent and/or whether the browsing agent is authorised to act as a representative for the authentication agent; and
- authenticating the browsing agent to the relying party based on the associated authentication performed in relation to the authentication agent if it is determined in the comparing step that the authentication agent and/or browsing agent is so authorised.
1 Assignment
0 Petitions
Abstract
A method is provided for use in interworking a single sign-on authentication architecture and a further authentication architecture in a split terminal scenario. The split terminal scenario is one in which authentication under the single sign-on authentication architecture is required of a browsing agent (8) being used to access a relying party and in response, due to the interworking in the split terminal scenario, an associated authentication under the further authentication architecture is performed in relation to a separate authentication agent (7). A controlling agent (4) sends (C3) a token to the authentication agent (7). The controlling agent (4) sends (C4) a request to the browsing agent (8) to return a token for comparing with the token sent to the authentication agent (7). The controlling agent (4) waits (C6) for the authentication agent (7) or a user of the authentication agent (7) to communicate (A2) the received token to the browsing agent (8) via a secure and/or trusted channel and for the browsing agent (8), in response to the earlier received request, to forward (B4) the token to the controlling agent (4). The controlling agent (4) receives (C7) the token from the browsing agent (8). The controlling agent (4) compares (C10) the received token with the token sent to the authentication agent (7) to determine whether the authentication agent (7) is authorised to perform authentication on behalf of the browsing agent (8) and/or whether the browsing agent (8) is authorised to act as a representative for the authentication agent (7). The controlling agent (4) authenticates (C11) the browsing agent (8) to the relying party based on the associated authentication performed in relation to the authentication agent (7) if it is determined in the comparing step (C10) that the authentication agent (7) and/or browsing agent (8) is so authorised.
75 Citations
51 Claims
1. A method for use in interworking a single sign-on authentication architecture and a further authentication architecture in a split terminal scenario where authentication under the single sign-on authentication architecture is required of a browsing agent being used to access a relying party and in response, due to the interworking in the split terminal scenario, an associated authentication under the further authentication architecture is performed in relation to a separate authentication agent, the method comprising, at a controlling agent:
- sending a token to the authentication agent;
- sending a request to the browsing agent to return a token;
- receiving the token from the browsing agent, the authentication agent or a user of the authentication agent having communicated the received token to the browsing agent via a secure and/or trusted channel and the browsing agent, in response to the earlier received request, having forwarded the token to the controlling agent;
- comparing the received token with the token sent to the authentication agent to determine whether the authentication agent is authorised to perform authentication on behalf of the browsing agent and/or whether the browsing agent is authorised to act as a representative for the authentication agent; and
- authenticating the browsing agent to the relying party based on the associated authentication performed in relation to the authentication agent if it is determined in the comparing step that the authentication agent and/or browsing agent is so authorised.
View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 48, 49)

17. An apparatus for use by a controlling agent in interworking a single sign-on authentication architecture and a further authentication architecture in a split terminal scenario where authentication under the single sign-on authentication architecture is required of a browsing agent being used to access a relying party and in response, due to the interworking in the split terminal scenario, an associated authentication under the further authentication architecture is performed in relation to a separate authentication agent, the apparatus comprising:
- means for sending a token to the authentication agent;
- means for sending a request to the browsing agent to return a token;
- means for receiving the requested token from the browsing agent, the authentication agent or a user of the authentication agent having communicated the received token to the browsing agent via a secure and/or trusted channel and the browsing agent, in response to the earlier received request, having forwarded the token to the controlling agent;
- means for comparing the received token with the token sent to the authentication agent to determine whether the authentication agent is authorised to perform authentication on behalf of the browsing agent and/or whether the browsing agent is authorised to act as a representative for the authentication agent; and
- means for authenticating the browsing agent to the relying party based on the associated authentication performed in relation to the authentication agent if it is determined by the comparing means that the authentication agent and/or browsing agent is so authorised.
View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)

29. A cryptographic method for enabling a second device of first, second and third devices to determine whether a user consents for the third device to represent the first device as the user's proxy, and the method comprising:
- passing a cryptographic secret or token from the second device to the first device;
- passing a piece of the internal state of the second device to the third device;
- receiving the piece of internal state and the token from the third device, the token having been passed from the first device to the third device as the user's consent for the third device to represent the first device as the user's proxy, and the piece of internal state and the token having subsequently been passed from the third device to the second device;
- reconstructing the internal state of the second device using the piece of internal state received from the third device; and
- comparing the token received from the third device with the token previously sent to the first device to determine whether the user has consented to the third device representing the first device as the user's proxy.
View Dependent Claims (30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 50, 51)

41. An apparatus for enabling a second device of first, second and third devices to determine whether a user consents for the third device to represent the first device as the user's proxy, and the apparatus comprising:
- means for passing a cryptographic secret or token from the second device to the first device;
- means for passing a piece of the internal state of the second device to the third device;
- means for receiving the piece of internal state and the token from the third device, the token having been passed from the first device to the third device as the user's consent for the third device to represent the first device as the user's proxy, and the piece of internal state and the token having subsequently been passed from the third device to the second device;
- means for reconstructing the internal state of the second device using the piece of internal state received from the third device; and
- means for comparing the token received from the third device with the token previously sent to the first device to determine whether the user has consented to the third device representing the first device as the user's proxy.
View Dependent Claims (42, 43, 44, 45, 46, 47)

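The following is an added example, not code from the patent, that simulates the exchange set out in claims 1 and 29 above: the controlling agent (claim 29's "second device") hands a one-time token to the authentication agent (the "first device") and a piece of its own internal state to the browsing agent (the "third device"); the user relays the token from the one to the other; the browsing agent returns state and token; the controlling agent reconstructs its state and compares the tokens. The choice to export the state as an HMAC-sealed blob holding a hash of the token and an expiry, the message formats, and all names (`ControllingAgent`, `run_flow`, `user_relays`, the demo key) are assumptions made for the example.

```python
"""Simulation of the token-based consent check in claims 1 and 29.

Added example, not code from the patent.  Three parties:
  - controlling agent     (claim 29's "second device", the SSO-side controller)
  - authentication agent  (the "first device", e.g. the user's phone)
  - browsing agent        (the "third device", e.g. a browser on a shared PC)
Message formats, the HMAC-sealed state blob and all names are assumptions.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time


class ControllingAgent:
    """The 'second device': issues the token, seals its state, checks consent."""

    def __init__(self, state_key: bytes, now=time.time):
        self._key = state_key      # key for sealing the exported state (assumed)
        self._now = now            # injectable clock so expiry can be tested

    def start_session(self, ttl_seconds: int = 120):
        """C3/C4: return (token for the authentication agent,
        sealed state blob for the browsing agent)."""
        token = secrets.token_urlsafe(16)
        state = {
            "token_hash": hashlib.sha256(token.encode()).hexdigest(),
            "exp": int(self._now()) + ttl_seconds,
            "sid": secrets.token_hex(8),
        }
        return token, self._seal(state)

    def _seal(self, state: dict) -> str:
        """Export a piece of internal state as base64url(JSON).hex(HMAC)."""
        body = base64.urlsafe_b64encode(
            json.dumps(state, sort_keys=True).encode()).decode()
        tag = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{tag}"

    def _reconstruct(self, blob: str):
        """Rebuild internal state from the blob the browsing agent returns;
        None if the MAC does not verify (blob forged, altered or foreign)."""
        body, _, tag = blob.rpartition(".")
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return None
        return json.loads(base64.urlsafe_b64decode(body))

    def verify_consent(self, blob: str, token_from_browser: str):
        """C7..C11: reconstruct state, check expiry, compare tokens in
        constant time.  Returns (authorised, reason)."""
        state = self._reconstruct(blob)
        if state is None:
            return False, "state blob tampered or not ours"
        if self._now() > state["exp"]:
            return False, "token expired"
        presented = hashlib.sha256(token_from_browser.encode()).hexdigest()
        if not hmac.compare_digest(presented, state["token_hash"]):
            return False, "token mismatch"
        return True, "browsing agent authorised for session " + state["sid"]


def run_flow(user_relays=lambda token: token, key: bytes = b"constructed-demo-key"):
    """One end-to-end run.  `user_relays` models step A2, the user carrying the
    token from the authentication agent to the browsing agent (identity = the
    honest case; pass a function that alters it to model a mistyped token)."""
    controller = ControllingAgent(key)
    token, blob = controller.start_session()        # C3 -> auth agent, C4 -> browser
    token_at_browser = user_relays(token)            # A2: user copies token across
    return controller.verify_consent(blob, token_at_browser)   # B4 -> C7 -> C10


if __name__ == "__main__":
    print(run_flow())                                # honest user: (True, ...)
    print(run_flow(user_relays=lambda t: "guess"))   # wrong token: (False, 'token mismatch')
```

Sealing the token's hash together with a session id and expiry into the exported state is what lets the controlling agent stay stateless between steps C4 and C7 while still binding the user's consent to one session: a token relayed into the wrong browser session, an altered blob, or a blob presented after the time window all fail the check, and the comparison itself uses `hmac.compare_digest` so timing does not leak how much of the token matched.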
Specification