HTTP distributed remote user authentication system

US 6,092,196 A
Filed: 11/25/1997
Issued: 07/18/2000
Est. Priority Date: 11/25/1997
Status: Expired due to Term

First Claim

Patent Images

1. An authentication server for use in a data network that includes a plurality of nodes connected to one another by data transmission pathways, comprising:

a database for holding user identification data on a plurality of users that may potentially seek access to a resource at a first node accessible through the data network;

said authentication server being operable for issuing a message in the data network for prompting a user residing at a second node of the data network to enter at the second node a user identification data element;

said authentication server being operable to process the user identification data element entered by the user at the second node to determine if an access right should be granted to the user;

said authentication server being operable to direct to the first node a communication containing data permitting the first node to generate and transmit to the second node an access grant mark, the access grant mark being retained by the second node and subsequently recognizable by the first node as indication of past occurrence of access grant by said authentication server.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention relates to the field of data and computer network security. Data and computer network security is of the utmost importance to most organizations that possess such networks. One of the difficulties that users and managers of these networks face is that the users have to provide a user ID and password every time they wish to access one of the organization'"'"'s secured HTTP servers or URLs. This creates a problem for users and managers since lists of numerous user IDs and passwords need to be maintained and therefore can easily be lost or their confidentiality compromised. This invention addresses these problems by providing a transparent, scalable, single point of authentication for remote users across any number of HTTP servers anywhere on a data network, such as an Intranet, using any user ID and password scheme implemented by a main authentication HTTP server.

889 Citations

30 Claims

1. An authentication server for use in a data network that includes a plurality of nodes connected to one another by data transmission pathways, comprising:
- a database for holding user identification data on a plurality of users that may potentially seek access to a resource at a first node accessible through the data network;
  
  said authentication server being operable for issuing a message in the data network for prompting a user residing at a second node of the data network to enter at the second node a user identification data element;
  
  said authentication server being operable to process the user identification data element entered by the user at the second node to determine if an access right should be granted to the user;
  
  said authentication server being operable to direct to the first node a communication containing data permitting the first node to generate and transmit to the second node an access grant mark, the access grant mark being retained by the second node and subsequently recognizable by the first node as indication of past occurrence of access grant by said authentication server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. An authentication server as defined in claim 1, wherein said authentication server includes a database holding a list of individual user identification data elements, each of said user identification data elements characterizing a user that may potentially seek an access right.
  - 3. An authentication server as defined in claim 2, wherein said authentication server is also operable in response to a query from the first node to grant a resource access right to a particular user in dependence of the user identification data elements in said database characterizing the particular user.
  - 4. An authentication server as defined in claim 3, wherein each individual user identification data element includes a user ID portion.
  - 5. An authentication server as defined in claim 4, wherein each individual user identification data element includes a password portion.
  - 6. An authentication server as defined in claim 5, wherein the access grant mark is a cookie.
  - 7. An authentication server as defined in claim 6, wherein the communication directed from said authentication server to the first node includes a status code indicative of whether said verification unit has granted an access right to the user.
  - 8. An authentication server as defined in claim 5, wherein said authentication server is responsive to a communication received from the second node including a URL string, a portion of the URL string containing transaction ID data, to issue a message in the data network for prompting the user residing at the second node of the data network to enter at the second node the user identification data element.
  - 9. An authentication server as defined in claim 8, wherein said server is responsive to the communication including the URL string to create a record of data indicative of the transaction ID data.
  - 10. An authentication server as defined in claim 9, wherein said verification unit is responsive to an access grant inquiry message containing data corresponding to said record to direct to the first node the communication containing data permitting the first node to generate and transmit to the second node an access grant mark.
  - 11. An authentication server as defined in claim 10, wherein said authentication server is responsive to an access grant inquiry message containing data corresponding to said record to delete said record.

12. A data network, comprising:
- a plurality of nodes connected to one another by data transmission pathways;
  
  an authentication server residing at one of said nodes;
  
  a customer server residing at another one of said nodes, said customer server supporting a certain resource;
  
  said customer server being responsive to a first message from a user at a certain node of said network requesting access to the certain resource to issue a response message to the certain node, said response message causing the certain node to initiate an access grant control transaction with said authentication server, said access grant control transaction characterised by requesting the user to provide a user identification data element;
  
  said authentication server capable to direct to the customer server a communication containing data permitting the customer server to generate and transmit to the certain node an access grant mark, the access grant mark being retained by the certain node and recognizable by the customer server as indication of past occurrence of access grant by said authentication server.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. A data network as defined in claim 12, wherein said user identification data element includes a user ID.
  - 14. A data network as defined in claim 13, wherein said user identification data element includes a password.
  - 15. A data network as defined in claim 14, wherein said authentication server is responsive to said identification data element provided by the user during said access grant control transaction to verify a right of the user to access said customer server.
  - 16. A data network as defined in claim 15, wherein said authentication server includes a database holding a list of individual user identification data elements, each of said user identification data elements characterizing a user that may potentially seek access to said customer server.
  - 17. A data network as defined in claim 16, wherein said authentication server is operable to create a transaction ID record indicative of said access grant control transaction.
  - 18. A data network as defined in claim 17, wherein the access grant mark is a cookie.
  - 19. A data network as defined in claim 18, wherein said customer server is responsive to said first message to create a transaction ID record and issue a redirect command toward said certain node for causing the certain node to establish said access grant control transaction with said authentication server.
  - 20. A data network as defined in claim 19, wherein said customer server appends to said redirect command data indicative of said transaction ID record.

21. A customer server for use in a network including an authentication server, said customer server capable to support a certain resource potentially sought by a user from a certain node of the network, said customer server:
- being responsive to a first message issued from the certain node requesting access to the certain resource to issue a response message to the certain node, the response message causing the certain node to initiate an access grant control transaction with said authentication server; and
  
  being responsive at least in part to a second message issued from the authentication server containing data permitting the customer server to generate and transmit to the certain node an access grant mark, the access grant mark being retained by thecertain node and recognizable by the customer server as indication of pastoccurrences of access grant by said authentication server.
- View Dependent Claims (22)
- - 22. A customer server as defined in claim 21, wherein said second message is a cookie.

23. A method for access control in a data network, said data network including:
- a plurality of nodes connected to one another by data transmission pathways;
  
  an authentication server residing at one of said nodes;
  
  a customer server residing at another one of said nodes, said customer server supporting a certain resource, said method comprising the steps of;
  
  a) receiving at said customer server a request for access by a user residing at a certain node of the data network to the certain resource;
  
  b) issuing a control message toward the certain node to cause initiation of an access grant control transaction with said authentication server, said access grant control transaction characterised by requesting the user to provide a user identification data element;
  
  c) forwarding from said authentication server to the customer server data permitting the customer server to generate and transmit to the certain node an access grant mark, the access grant mark being retained by the certain node and recognizable by the customer server as indication of past occurrence of access grant by said authentication server.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30)
- - 24. A method as defined in claim 23, comprising the step of generating a transaction ID record at said customer server and including data in said control message toward the certain node indicative of the transaction ID record.
  - 25. A method as defined in claim 24, comprising said authentication server issuing a message toward the certain node during said access grant control transaction to request entry by the user of a user identification data element.
  - 26. A method as defined in claim 25, wherein said user identification data element is selected from the group consisting of user ID and password.
  - 27. A method as defined in claim 26, including the step of receiving the user identification data element at said authentication server and searching a database holding a list of individual user identification data elements, each of said user identification data elements characterizing a user that may potentially seek an access grant, to determine if the user at the certain node is permitted to access said customer server.
  - 28. A method as defined in claim 27, comprising the step of transmitting from the certain node to said authentication server during said access grant control transaction the data indicative of the transaction ID record.
  - 29. A method as defined in claim 28, comprising the step of issuing from said authentication server toward the certain node a redirect message causing the certain node to request access to the certain resource and including in the redirect message the data indicative of the transaction ID.
  - 30. A method as defined in claim 29, comprising the step of comparing the transaction ID data received at said customer server in the response to the request to access the certain resource by the certain node with the transaction ID record at said customer server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
RPX Clearinghouse LLC (RPX Corporation)
Original Assignee
Nortel Networks Limited (Nortel Networks Corporation)
Inventors
Reiche, Albert
Primary Examiner(s)
Beausoliel, Jr., Robert W.
Assistant Examiner(s)
REVAK, CHRISTOPHER A

Application Number

US08/977,811
Time in Patent Office

966 Days
Field of Search

713/202, 713/201, 713/200, 713/155, 713/156, 713/159, 709/218, 709/225, 709/229, 709/227, 709/228, 705/52, 705/53, 705/64, 705/65
US Class Current

726/6
CPC Class Codes

G06F 21/41 where a single sign-on prov...

HTTP distributed remote user authentication system

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

889 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

HTTP distributed remote user authentication system

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

889 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links