SINGLE SIGN-ON BETWEEN APPLICATIONS
First Claim
1. A method of authenticating a user accredited in an application (app A) to another application (app B), the method comprising:
   receiving at an SSO service a request from app A to create an SSO request, the request including a user identifier and an application identifier;
   generating a request identifier at the SSO service;
   providing the request identifier to app A for use by app A in contacting app B;
   receiving, at the SSO service, from app B the request identifier provided to app A;
   verifying at the SSO service that a mapping exists for app B;
   providing a mapping token to app B, the mapping token corresponding to a previous registration of the user by app B with the SSO service;
   extracting login information from the mapping token at app B; and
   accepting the login information when the login information meets a local security policy at app B.
Abstract
A single sign-on (SSO) system uses simple one-to-one trust relationships between individual applications and an SSO service to extend log in services from one application to another. Each application retains its own login policies and can separately make a decision whether to trust the SSO request or challenge the user for login credentials. By structuring the SSO system to use simple identity mapping, there is no requirement for consolidating user identity records from multiple applications into a single database with its attendant overhead and dependency risks.
202 Citations
Claims (20 in total; the independent claims are 1, 9 and 14. Claim 1 is reproduced above under First Claim; claims 2 to 8 depend from it.)
9. A system of one or more computers coupled by a network comprising:
   i) an SSO service embodied as a web service on a computer server, the computer server comprising:
      a hardware communication service coupled to a physical network that supports communication between the computer server and at least one other physical computer; and
      a secure storage facility that holds authentication-related data from a plurality of applications external to the computer server;
      a request identifier module that provides a request identifier responsive to a message from a first application, the message requesting access to a second application;
      a mapping module that stores mapping tokens with information related to a relationship between user identities in the first application and the second application and provides the mapping token responsive to a second message received from the second application, the second message including the request identifier previously sent to the first application and forwarded to the second application by the first application;
   ii) the first application running on a computing device coupled to the network supporting the first application, the first application comprising:
      an interface module that accepts a request to access the second application; and
      a communications module that generates a communication session with the SSO service that forwards the request to the SSO service and that receives the request identifier from the SSO service responsive to the request;
   iii) the second application running on the computing device or another computing device, the second application comprising:
      a second interface module that receives the request identifier from the first application; and
      a security module that sends the request identifier in the second message via the second interface module to the SSO service over the network, that, when the mapping token is present at the SSO service, receives the mapping token from the SSO service, the mapping token including login information previously stored by the second application corresponding to a previous login at the second application via the first application, wherein the security module applies information in the mapping token to a login process, and when the information in the mapping token satisfies a login requirement, provides the user access to the second application.
Dependent claims: 10, 11, 12, 13.
14. A computer-readable storage media having computer executable instructions for executing on a processor of a computer a method of performing authentication of a user logged in to a first application requesting access to a second application, the method comprising:
   challenging the user for authentication credentials when a mapping token that stores login information associated with the first application and that was previously received from the second application is not available from a single sign-on service;
   logging the user into the second application when the authentication credentials are satisfactory; and
   sending user information and application information to the single sign-on service for use in generating the mapping token for subsequent sign-on access by the user of the first application when accessing the second application.
Dependent claims: 15, 16, 17, 18, 19, 20.
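The flow that claims 1, 9 and 14 describe, written out as an added example in Python; this is not code from the patent or its assignee. It simulates the three parties in memory: app A asks the SSO service for a request identifier and hands it to app B, app B redeems it with the SSO service, and app B either accepts the returned mapping token under its own local policy or challenges the user and then registers a mapping for next time (claim 14). The class names, the local policy (a maximum token age), the sample credentials, and the decision to make request identifiers single-use, bound to the target application and time-limited are assumptions of this example; the claims themselves say nothing about identifier lifetime.

```python
"""Added example, not code from the patent: an in-memory simulation of the
claimed single sign-on flow. Class names, the local security policy (maximum
token age), the sample credentials and the request-id lifetime rules are
assumptions of this example."""
import secrets
import time
from dataclasses import dataclass


@dataclass
class MappingToken:
    """Stored by the SSO service after app B has itself authenticated the user
    (claim 14) and returned to app B on later requests (claim 1)."""
    user_id: str          # the user as identified by app A
    local_user: str       # the same user as identified by app B
    registered_at: float  # when app B last verified credentials locally


class SsoService:
    """Holds request identifiers and identity mappings; no consolidated user database."""

    def __init__(self, request_ttl=60.0):
        self._requests = {}   # request_id -> (user_id, app_a, app_b, issued_at)
        self._mappings = {}   # (user_id, app_a, app_b) -> MappingToken
        self._ttl = request_ttl

    def create_request(self, user_id, source_app, target_app):
        # Claim 1: app A supplies a user identifier and an application identifier;
        # the service answers with an unguessable request identifier.
        rid = secrets.token_urlsafe(16)
        self._requests[rid] = (user_id, source_app, target_app, time.time())
        return rid

    def redeem(self, rid, presenting_app):
        # Assumption of this example: the identifier is consumed on first use, must be
        # presented by the app it was issued for, and expires after request_ttl seconds.
        rec = self._requests.pop(rid, None)
        if rec is None:
            return None
        user_id, source_app, target_app, issued_at = rec
        if presenting_app != target_app or time.time() - issued_at > self._ttl:
            return None
        token = self._mappings.get((user_id, source_app, target_app))
        return user_id, source_app, token   # token is None when no mapping exists yet

    def register_mapping(self, source_app, target_app, token):
        self._mappings[(token.user_id, source_app, target_app)] = token


class AppB:
    """Keeps its own credential store and its own login policy."""
    name = "app_b"

    def __init__(self, sso, credentials, max_token_age=3600.0):
        self._sso = sso
        self._credentials = credentials   # local_user -> password (constructed sample)
        self._max_token_age = max_token_age

    def _policy_accepts(self, token):
        # Local security policy: trust a mapping only while it is fresh.
        return time.time() - token.registered_at <= self._max_token_age

    def access(self, rid, credential_prompt):
        """Return ('sso', user) when the mapping token is accepted,
        ('local', user) after a successful challenge, or ('denied', None)."""
        result = self._sso.redeem(rid, self.name)
        if result is None:
            return ("denied", None)
        user_id, source_app, token = result
        if token is not None and self._policy_accepts(token):
            return ("sso", token.local_user)
        # No usable mapping: challenge the user for app B's own credentials.
        local_user, password = credential_prompt()
        if self._credentials.get(local_user) != password:
            return ("denied", None)
        # Claim 14: after a local login, send user and application information
        # to the SSO service so a mapping token exists for the next sign-on.
        self._sso.register_mapping(source_app, self.name,
                                   MappingToken(user_id, local_user, time.time()))
        return ("local", local_user)


def demo():
    sso = SsoService()
    app_b = AppB(sso, credentials={"alice.b": "correct horse"})   # constructed sample

    def prompt():
        return ("alice.b", "correct horse")

    # App A creates an SSO request for its user "alice" and forwards the id to app B.
    first = app_b.access(sso.create_request("alice", "app_a", "app_b"), prompt)
    second = app_b.access(sso.create_request("alice", "app_a", "app_b"), prompt)
    rid = sso.create_request("alice", "app_a", "app_b")
    app_b.access(rid, prompt)
    replay = app_b.access(rid, prompt)   # same identifier presented twice
    return first, second, replay


if __name__ == "__main__":
    print(demo())
```

The first access ends in a local challenge and creates the mapping; the second is accepted purely on the mapping token; presenting an already-consumed identifier is refused. Because the service stores only the (user, app A, app B) mapping and app B still decides under its own policy whether to accept it, no application's user records have to be merged into the service, which is the point the abstract makes.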
Specification