IDENTITY PROVIDER SERVER CONFIGURED TO VALIDATE AUTHENTICATION REQUESTS FROM IDENTITY BROKER

US 20110314532A1
Filed: 06/17/2010
Published: 12/22/2011
Est. Priority Date: 06/17/2010
Status: Abandoned Application

First Claim

Patent Images

1. A computer-implemented method for facilitating a user request for access to a computing resource, the method comprising:

generating, in response to authenticating an identity of the user, a token value;

passing the token value to a client application, wherein the client application is configured to pass the token value, as a password, to the computing resource, and wherein the computing resource is configured to pass the token value to an identity broker server in a message formatted according to a user authentication protocol understood by the computing resource;

receiving, from the identity broker server, a request to authenticate a copy of the token value; and

upon determining a match between the generated token value and the copy of the token value received from the identity broker server, passing a validation message to the identity broker server indicating that the token has been authenticated.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are disclosed for an identity broker to authenticate users to a network device, system, or hosted application that uses certain legacy protocols for user authentication. For example, the identity broker may be configured to respond to a user authentication request from a network device formatted as a RADIUS or LDAP message. The identity broker may operate in conjunction with an identity provider to authenticate a user requesting access to a computing resource (e.g., to the network device, system, or hosted application).

Citations

29 Claims

1. A computer-implemented method for facilitating a user request for access to a computing resource, the method comprising:
- generating, in response to authenticating an identity of the user, a token value;
  
  passing the token value to a client application, wherein the client application is configured to pass the token value, as a password, to the computing resource, and wherein the computing resource is configured to pass the token value to an identity broker server in a message formatted according to a user authentication protocol understood by the computing resource;
  
  receiving, from the identity broker server, a request to authenticate a copy of the token value; and
  
  upon determining a match between the generated token value and the copy of the token value received from the identity broker server, passing a validation message to the identity broker server indicating that the token has been authenticated.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein the validation message passed to the identity broker server further indicates a username and one or more attributes associated with the user requesting access to the computing resource.
  - 3. The method of claim 1, wherein the request to authenticate the copy of the token value includes a recipient ID identifying the computing resource.
  - 4. The method of claim 1, further comprising, upon determining the match between the generated token value and the copy of the token value, invalidating the token value.
  - 5. The method of claim 1, wherein the identity broker is further configured to, in response to authenticating the copy of the token value, generate a response passed to the computing resource, wherein the response is formatted according to the user authentication protocol, and wherein the response indicates the copy of the token value valid as the password for the user.
  - 6. The method of claim 1, wherein the user authentication protocol comprises the Remote Authentication Dial In User Service (RADIUS) protocol.
  - 7. The method of claim 1, wherein the user authentication protocol comprises the lightweight directory access protocol (LDAP).
  - 8. The method of claim 1, wherein authenticating an identity of the user comprises:
    - receiving a user authentication request;
      
      prompting for authentication credentials; and
      
      validating the authentication credentials.
  - 9. The method of claim 8, wherein the authentication credentials include a message cryptographically signed using a private key associated with the user identified in a public key certificate.
  - 10. The method of claim 8, wherein the authentication credentials include a biometric identifier associated with the user.
  - 11. The method of claim 8, wherein the authentication credentials include a username and password combination.
  - 12. The method of claim 1, wherein the token comprises a random number generated by the identity provider server.
  - 13. The method of claim 1, further comprising, generating, in response to authenticating the identity of the user, a single sign-on session associated with the user.

14. A computer-readable storage medium containing a program which, when executed by a processor, performs an operation for facilitating a user request for access to a computing resource, the operation comprising:
- generating, in response to authenticating an identity of the user, a token value;
  
  passing the token value to a client application, wherein the client application is configured to pass the token value, as a password, to the computing resource, and wherein the computing resource is configured to pass the token value to an identity broker server in a message formatted according to a user authentication protocol understood by the computing resource;
  
  receiving, from the identity broker server, a request to authenticate a copy of the token value; and
  
  upon determining a match between the generated token value and the copy of the token value received from the identity broker server, passing a validation message to the identity broker server indicating that the token has been authenticated.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21)
- - 15. The computer-readable storage medium of claim 14, wherein the validation message passed to the identity broker server further indicates a username and one or more attributes associated with the user requesting access to the computing resource.
  - 16. The computer-readable storage medium of claim 14, wherein the request to authenticate the copy of the token value includes a recipient ID identifying the computing resource.
  - 17. The computer-readable storage medium of claim 14, wherein the operation further comprises, upon determining the match between the generated token value and the copy of the token value, invalidating the token value.
  - 18. The computer-readable storage medium of claim 14, wherein the identity broker is further configured to, in response to authenticating the copy of the token value, generate a response passed to the computing resource, wherein the response is formatted according to the user authentication protocol, and wherein the response indicates the copy of the token value valid as the password for the user.
  - 19. The computer-readable storage medium of claim 14, wherein the user authentication protocol comprises one of the Remote Authentication Dial In User Service (RADIUS) protocol and the lightweight directory access protocol (LDAP).
  - 20. The computer-readable storage medium of claim 14, wherein authenticating an identity of the user comprises:
    - receiving a user authentication request;
      
      prompting for authentication credentials; and
      
      validating the authentication credentials.
  - 21. The computer-readable storage medium of claim 20, wherein the authentication credentials comprise one of a message cryptographically signed using a private key associated with the user identified in a public key certificate, a biometric identifier associated with the user.

22. A system, comprising:
- one or more computer processors; and
  
  a memory containing a program, which when executed by the one or more computer processors performs an operation for facilitating a user request for access to a computing resource, the operation comprising;
  
  generating, in response to authenticating an identity of the user, a token value,passing the token value to a client application, wherein the client application is configured to pass the token value, as a password, to the computing resource, and wherein the computing resource is configured to pass the token value to an identity broker server in a message formatted according to a user authentication protocol understood by the computing resource,receiving, from the identity broker server, a request to authenticate a copy of the token value, andupon determining a match between the generated token value and the copy of the token value received from the identity broker server, passing a validation message to the identity broker server indicating that the token has been authenticated.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29)
- - 23. The system of claim 22, wherein the validation message passed to the identity broker server further indicates a username and one or more attributes associated with the user requesting access to the computing resource.
  - 24. The system of claim 22, wherein the request to authenticate the copy of the token value includes a recipient ID identifying the computing resource.
  - 25. The system of claim 22, wherein the operation further comprises, upon determining the match between the generated token value and the copy of the token value, invalidating the token value.
  - 26. The system of claim 22, wherein the identity broker is further configured to, in response to authenticating the copy of the token value, generate a response passed to the computing resource, wherein the response is formatted according to the user authentication protocol, and wherein the response indicates the copy of the token value valid as the password for the user.
  - 27. The system of claim 22, wherein the user authentication protocol comprises one of the Remote Authentication Dial In User Service (RADIUS) protocol and the lightweight directory access protocol (LDAP).
  - 28. The system of claim 22, wherein authenticating an identity of the user comprises:
    - receiving a user authentication request;
      
      prompting for authentication credentials; and
      
      validating the authentication credentials.
  - 29. The system of claim 28, wherein the authentication credentials comprise one of a message cryptographically signed using a private key associated with the user identified in a public key certificate, a biometric identifier associated with the user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
VMware, Inc. (Broadcom, Inc.)
Original Assignee
VMware, Inc. (Broadcom, Inc.)
Inventors
Schoppert, Brett Jason, AUSTIN, KYLE DEAN, Almond, Michael

Application Number

US12/817,985
Publication Number

US 20110314532A1
Time in Patent Office

Days
Field of Search
US Class Current

726/8
CPC Class Codes

H04L 63/0823   using certificates cryptogr...

H04L 63/083   using passwords cryptograph...

H04L 63/0853   using an additional device,...

H04L 63/0892   by using authentication-aut...

H04L 9/3213   using tickets or tokens, e....

IDENTITY PROVIDER SERVER CONFIGURED TO VALIDATE AUTHENTICATION REQUESTS FROM IDENTITY BROKER

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

IDENTITY PROVIDER SERVER CONFIGURED TO VALIDATE AUTHENTICATION REQUESTS FROM IDENTITY BROKER

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links