IDENTITY BROKER CONFIGURED TO AUTHENTICATE USERS TO HOST SERVICES

US 20110314533A1
Filed: 06/17/2010
Published: 12/22/2011
Est. Priority Date: 06/17/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for authenticating a user requesting access to a computing resource, the method comprising:

receiving, from the computing resource, a request to authenticate the user, wherein the request includes a token and a username, and wherein the request is formatted according to a user authentication protocol understood by the computing resource;

invoking, on an identity provider server, a token validation process, wherein the token is passed as a parameter to the token validation process;

receiving, from the identity provider server, an authentication message; and

generating, in response to the request received from the computing resource, a validation response formatted according to the user authentication protocol, wherein the response indicates whether the authentication message indicates the token was successfully validated by the identity provider server.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are disclosed for an identity broker to authenticate users to a network device, system, or hosted application that uses certain legacy protocols for user authentication. For example, the identity broker may be configured to respond to a user authentication request from a network device formatted as a RADIUS or LDAP message. The identity broker may operate in conjunction with an identity provider to authenticate a user requesting access to a computing resource (e.g., to the network device, system, or hosted application).

78 Citations

View as Search Results

25 Claims

1. A computer-implemented method for authenticating a user requesting access to a computing resource, the method comprising:
- receiving, from the computing resource, a request to authenticate the user, wherein the request includes a token and a username, and wherein the request is formatted according to a user authentication protocol understood by the computing resource;
  
  invoking, on an identity provider server, a token validation process, wherein the token is passed as a parameter to the token validation process;
  
  receiving, from the identity provider server, an authentication message; and
  
  generating, in response to the request received from the computing resource, a validation response formatted according to the user authentication protocol, wherein the response indicates whether the authentication message indicates the token was successfully validated by the identity provider server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the authentication message further comprises an indication of one or more attributes associated with the user requesting access to the computing resources stored on the identity provider server.
  - 3. The method of claim 2, wherein the user authentication protocol comprises the Remote Authentication Dial In User Service (RADIUS) protocol.
  - 4. The method of claim 2, wherein the user authentication protocol comprises the lightweight directory access protocol (LDAP).
  - 5. The method of claim 4, further comprising:
    - receiving an LDAP message requesting a list of groups to which the user is a member; and
      
      generating a response formatted according to the LDAP protocol which includes at least the one or more attributes, wherein the one or more attributes comprise the groups which the user is a member.
  - 6. The method of claim 1, wherein a recipient ID identifying the computing resource is also passed as a parameter to the token validation process.
  - 7. The method of claim 1, wherein the token comprises a random alpha-numeric string generated by the identity provider server.
  - 8. The method of claim 1, wherein the identity provider server is configured to authenticate the user and to provide the token to a client, and wherein the client is configured to pass the token to the computing resource.
  - 9. The method of claim 8, wherein the identity provider server is further configured to generate a single sign-on session associated with the user once the user is authenticated by the identity provider.
  - 10. The method of claim 1, wherein the computing resource is one of a network device, system, and hosted application.

11. A computer-readable storage medium containing a program which, when executed by a processor, performs an operation for authenticating a user requesting access to a computing resource, the operation comprising:
- receiving, from the computing resource, a request to authenticate the user, wherein the request includes a token and a username, and wherein the request is formatted according to a user authentication protocol understood by the computing resource;
  
  invoking, on an identity provider server, a token validation process, wherein the token is passed as a parameter to the token validation process;
  
  receiving, from the identity provider server, an authentication message; and
  
  generating, in response to the request received from the computing resource, a validation response formatted according to the user authentication protocol, wherein the response indicates whether the authentication message indicates the token was successfully validated by the identity provider server.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The computer-readable storage medium of claim 11, wherein the authentication message further comprises an indication of one or more attributes associated with the user requesting access to the computing resources stored on the identity provider server.
  - 13. The computer-readable storage medium of claim 12, wherein the user authentication protocol comprises the Remote Authentication Dial In User Service (RADIUS) protocol.
  - 14. The computer-readable storage medium of claim 12, wherein the user authentication protocol comprises the lightweight directory access protocol (LDAP).
  - 15. The computer-readable storage medium of claim 14, wherein the operation further comprises:
    - receiving an LDAP message requesting a list of groups to which the user is a member; and
      
      generating a response formatted according to the LDAP protocol which includes at least the one or more attributes, wherein the one or more attributes comprise the groups which the user is a member.
  - 16. The computer-readable storage medium of claim 11, wherein a recipient ID identifying the computing resource is also passed as a parameter to the token validation process.
  - 17. The computer-readable storage medium of claim 11, wherein the token comprises a random alpha-numeric string generated by the identity provider server.
  - 18. The computer-readable storage medium of claim 11, wherein the identity provider server is configured to authenticate the user and to provide the token to a client, and wherein the client is configured to pass the token to the computing resource.
  - 19. The computer-readable storage medium of claim 18, wherein the identity provider server is further configured to generate a single sign-on session associated with the user once the user is authenticated by the identity provider.

20. A system, comprising:
- one or more computer processors; and
  
  a memory containing a program, which when executed by the one or more computer processors is configured to perform an operation for authenticating a user requesting access to a computing resource, the operation comprising;
  
  receiving, from the computing resource, a request to authenticate the user, wherein the request includes a token and a username, and wherein the request is formatted according to a user authentication protocol understood by the computing resource,invoking, on an identity provider server, a token validation process, wherein the token is passed as a parameter to the token validation process,receiving, from the identity provider server, an authentication message, andgenerating, in response to the request received from the computing resource, a validation response formatted according to the user authentication protocol, wherein the response indicates whether the authentication message indicates the token was successfully validated by the identity provider server.
- View Dependent Claims (21, 22, 23, 24, 25)
- - 21. The system of claim 20, wherein the authentication message further comprises an indication of one or more attributes associated with the user requesting access to the computing resources stored on the identity provider server.
  - 22. The system of claim 21, wherein the user authentication protocol comprises one of the Remote Authentication Dial In User Service (RADIUS) protocol and the lightweight directory access protocol (LDAP).
  - 23. The system of claim 20, wherein a recipient ID identifying the computing resource is also passed as a parameter to the token validation process and wherein the token comprises a random alpha-numeric string generated by the identity provider server.
  - 24. The system of claim 20, wherein the identity provider server is configured to authenticate the user and to provide the token to a client, and wherein the client is configured to pass the token to the computing resource.
  - 25. The system of claim 20, wherein the identity provider server is further configured to generate a single sign-on session associated with the user once the user is authenticated by the identity provider.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Vmware LLC (Broadcom, Inc.)
Original Assignee
VMware, Inc. (Broadcom, Inc.)
Inventors
AUSTIN, KYLE DEAN, Schoppert, Brett Jason, Almond, Michael

Granted Patent

US 8,402,527 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/9
CPC Class Codes

H04L 63/08 for authentication of entit...

H04L 63/0815 providing single-sign-on or...

IDENTITY BROKER CONFIGURED TO AUTHENTICATE USERS TO HOST SERVICES

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

78 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

IDENTITY BROKER CONFIGURED TO AUTHENTICATE USERS TO HOST SERVICES

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

78 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links