MULTI-DOMAIN APPLICATIONS WITH AUTHORIZATION AND AUTHENTICATION IN CLOUD ENVIRONMENT
First Claim
1. A computer implemented method comprising:
- receiving a request from a user via a Web browser to access a multi-domain application, wherein the request is a single sign-on (SSO) request or a single logout (SLO) request;
redirecting the Web browser to request a multi-domain service (MDS) endpoint with one or more parameters signed by a service provider, wherein the service provider issues an MDS cookie that includes a multi-domain application URL;
redirecting the Web browser to request an identity provider, wherein the SSO request includes a login assertion parameter and the SLO request includes a logout assertion parameter, and wherein the identity provider request includes a name of an original URL cookie (OUC) comprising the multi-domain application URL;
receiving an assertion response from the identity provider; and
redirecting the Web browser to request the multi-domain application with the received assertion response.
2 Assignments
0 Petitions
Accused Products
Abstract
A multi-domain application requiring SSO and SLO operations in cloud environment is presented. The computing system of the multi-domain application includes a multi-domain service (MDS) to redirect the calls for the multi-domain application to an identity provider to authenticate the user or to invoke the single logout services (SLOs) on the domains of the multi-domain application and to invalidate the user sessions on the domains. A cookie that includes the multi-domain application URL is generated to reach the assertion consumer service (ASC) and the single logout service (SLO) that receive an identity assertion response from the identity provider. Domain specific SLOs are provided. A trust between these domain specific SLOs and the SLO is provided based on service provider keys. The SAML mechanism for a logout scenario is reused for communication between the SLO and the domain specific SLOs, where the SLO plays a role of a local IDP.
39 Citations
20 Claims
-
1. A computer implemented method comprising:
-
receiving a request from a user via a Web browser to access a multi-domain application, wherein the request is a single sign-on (SSO) request or a single logout (SLO) request; redirecting the Web browser to request a multi-domain service (MDS) endpoint with one or more parameters signed by a service provider, wherein the service provider issues an MDS cookie that includes a multi-domain application URL; redirecting the Web browser to request an identity provider, wherein the SSO request includes a login assertion parameter and the SLO request includes a logout assertion parameter, and wherein the identity provider request includes a name of an original URL cookie (OUC) comprising the multi-domain application URL; receiving an assertion response from the identity provider; and redirecting the Web browser to request the multi-domain application with the received assertion response. - View Dependent Claims (2, 3, 4, 5, 6, 7)
-
-
8. A computer system providing bundle-to-bundle authentication in modular systems, comprising:
-
a processor; a memory in communication with the processor, the memory storing instructions related to; a service provider to receive a request from a user via a Web browser to access a multi-domain application, wherein the request is a single sign-on (SSO) request or a single logout (SLO) request; a multi-domain service (MDS) to verify the request by one or more request parameters signed by the service provider, to generate an original URL cookie (OUC) comprising the multi-domain application URL, and to create a login assertion parameter for the SSO request and a logout assertion parameter for the SLO request; an assertion consumer service (ACS) to receive an assertion response that the user is authenticated with an identity provider; and a single logout service (SLO) to receive an assertion response from the identity provider, to send a logout request from the SLO to a domain specific SLO of a domain from the multi-domain application where the user is logged in, and to receive a logout response from the domain specific SLO that the user is logged out of the domain by invalidating the user session for the domain. - View Dependent Claims (9, 10, 11, 12, 13)
-
-
14. A non-transitory computer-readable medium storing instructions, which when executed cause a computer system to:
-
receive a request from a user via a Web browser to access a multi-domain application, wherein the request is a single sign-on (SSO) request or a single logout (SLO) request; redirect the Web browser to request a multi-domain service (MDS) endpoint with one or more parameters signed by a service provider, wherein the service provider issues an MDS cookie that includes a multi-domain application URL; redirect the Web browser to request an identity provider, wherein the SSO request includes a login assertion parameter and the SLO request includes a logout assertion parameter, and wherein the identity provider request includes an original URL cookie (OUC) comprising the multi-domain application URL; receive an assertion response from the identity provider; and redirect the Web browser to request the multi-domain application with the received assertion response. - View Dependent Claims (15, 16, 17, 18, 19, 20)
-
Specification