Single sign-on (SSO) mechanism personal key manager

US 6,243,816 B1
Filed: 04/30/1998
Issued: 06/05/2001
Est. Priority Date: 04/30/1998
Status: Expired due to Term

First Claim

Patent Images

1. A method of managing passwords of users desiring access to multiple target resources in a computer enterprise environment, comprising the steps of:

for each given user, associating each of a set of id/password pairs to each of a set of one or more respective targets, wherein each id/password pair is required to access a respective target resource;

storing the targets of each given user in a globally-accessible database; and

in response to a given event, accessing the globally-accessible database to retrieve the targets of a given user;

wherein the retrieved targets are used in conjunction with locally-accessible logon information to access the respective target resources.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of managing passwords of users desiring access to multiple target resources in a computer enterprise environment. For each given user, each of a set of id/password pairs is associated to each of a set of one or more respective targets. Each id/password pair is normally required to access a respective target resource. The targets of each given user are stored in a globally-accessible database. In response to entry by a given user at a client machine of a single-sign on (SSO) id/password, the globally-accessible database is accessed from a personal key manager (PKM) server to retrieve the targets of the given user. The targets are returned to the PKM server, which then uses data therein to access the respective target resources on behalf of the given user at the client machine.

481 Citations

31 Claims

1. A method of managing passwords of users desiring access to multiple target resources in a computer enterprise environment, comprising the steps of:
- for each given user, associating each of a set of id/password pairs to each of a set of one or more respective targets, wherein each id/password pair is required to access a respective target resource;
  
  storing the targets of each given user in a globally-accessible database; and
  
  in response to a given event, accessing the globally-accessible database to retrieve the targets of a given user;
  
  wherein the retrieved targets are used in conjunction with locally-accessible logon information to access the respective target resources.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of managing passwords as described in claim 1 wherein the given event is entry of a single sign-on id/password of the given user.
  - 3. The method of managing passwords as described in claim 2 further including using data in the targets to access the respective target resources.
  - 4. The method of managing passwords as described in claim 1 wherein each target includes a target name, a set of target attributes, and key information.
  - 5. The method of managing passwords as described in claim 4 wherein the set of target attributes includes attributes selected from the set of attributes consisting essentially of target type, domain name, host name, application name and target user name.
  - 6. The method of managing passwords as described in claim 4 wherein the key information includes the password of the user for the target resource.
  - 7. The method of managing passwords as described in claim 4 wherein each target further includes a user configuration identifying the user'"'"'s target resource configuration logon/logoff preference.
  - 8. The method of managing passwords as described in claim 4 wherein each target further includes a target class defining additional security restrictions, if any, associated with the target resource.
  - 9. The method of managing passwords as described in claim 1 wherein the globally-accessible database is a DCE registry.
  - 10. The method of managing passwords as described in claim 1 wherein the globally-accessible database is accessed from a client machine using a remote procedure call mechanism.

11. A method of managing passwords of users desiring access to multiple target resources in a computer enterprise environment, comprising the steps of:
- for each given user, associating each of a set of id/password pairs to each of a set of one or more respective targets, wherein each id/password pair is required to access a respective target resource;
  
  storing the targets of each given user in a globally-accessible database; and
  
  in response to entry by a given user at a client machine of a single-sign on id/password, accessing the globally-accessible database to retrieve the targets of the given user;
  
  wherein the retrieved targets are used in conjunction with locally-accessible logon information to access the respective target resources.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The method of managing passwords as described in claim 11 wherein the globally-accessible database is accessed from a server using a remote procedure call.
  - 13. The method of managing passwords as described in claim 12 further including the steps of:
14. The method of managing passwords as described in claim 11 wherein each target includes a target name, a set of target attributes, and key information.
15. The method of managing passwords as described in claim 14 wherein the set of target attributes includes attributes selected from the set of attributes consisting essentially of target type, domain name, host name, application name and target user name.
16. The method of managing passwords as described in claim 14 wherein the key information includes the password of the user for the target resource.
17. The method of managing passwords as described in claim 14 wherein each target further includes a user configuration identifying the user'"'"'s target resource configuration logon/logoff preference.
18. The method of managing passwords as described in claim 14 wherein each target further includes a target class defining additional security restrictions, if any, associated with the target resource.
19. The method of managing passwords as described in claim 12 wherein the step of accessing the globally-accessible database includes accessing a protected server to obtain information necessary to generate a passticket associated with the target.
20. The method of managing passwords as described in claim 19 wherein the information is a secret key shared by the server and the protected server.

21. A method of managing passwords of users desiring access to multiple target resources in a computer enterprise environment, comprising the steps of:
- for each given user, associating each of a set of id/password pairs to each of a set of one or more respective targets, wherein each id/password pair is required to access a respective target resource;
  
  storing the targets of each given user in a globally-accessible database;
  
  in response to entry by a given user at a client machine of a single-sign on id/password, accessing the globally-accessible database from a server to retrieve the targets of the given user; and
  
  returning the targets to the server from the globally-accessible database;
  
  wherein the retrieved targets are used in conjunction with locally-accessible logon information to access the respective target resources.
- View Dependent Claims (22, 23, 24)
- - 22. The method of managing passwords as described in claim 21 further including the step of:
23. The method of managing passwords as described in claim 21 wherein the step of accessing the globally-accessible database includes accessing a protected server to obtain information necessary to generate a passticket associated with the target.
24. The method of managing passwords as described in claim 23 wherein the information is a secret key shared by the server and the protected server.

25. Personal key manager framework for managing passwords of users desiring access to multiple target resources in a computer enterprise environment, comprising:
- a globally-accessible database for storing, for each given user, a set of targets, each target having associated therewith an id/password pair required to access a respective target resource;
  
  a first program executed on a client machine in response to entry of a single sign-on (SSO) id/password by a given user for issuing a request to obtain access to the target resources identified in the given user'"'"'s set of targets; and
  
  a second program executed on a server machine and responsive to the request for retrieving the targets from the globally-accessible database and using data in the retrieved targets to access the respective target resources on behalf of the given user at the client machine;
  
  wherein the retrieved targets are used in conjunction with locally-accessible logon information to access the respective target resources.
- View Dependent Claims (26, 27, 28)
- - 26. The personal key manager framework as described in claim 25 further including a protected server for storing necessary to generate a passticket associated with a given target.
  - 27. The personal key manager framework as described in claim 26 wherein the information is a secret key shared by the server and the protected server.
  - 28. The personal key manager framework as described in claim 25 wherein the request is issued to the second program using a remote procedure call service.

29. A computer program product in a computer-readable media for use in a server that manages passwords of users desiring access to multiple target resources in a computer enterprise environment, wherein, for each given user, a set of targets is stored in a globally-accessible database, each target having associated therewith an id/password pair required to access a respective target resource, the computer program product comprising:
- means responsive to a given request for retrieving targets of a given user from the globally-accessible database; and
  
  means responsive to the retrieving means for using data in the retrieved targets to access the respective target resources on behalf of the given user;
  
  wherein the retrieved targets are used in conjunction with locally-accessible logon information to access the respective target resources.
- View Dependent Claims (30, 31)
- - 30. The computer oprogram product fast described in claim 29 wherein the given request is received from a client machine via a remote procedure call service.
  - 31. The computer program product as described in claim 29 wherein the given request is an operation selected from a set of operations consisting essentially of create, update, delete and query.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cloud Software Group Switzerland GmbH
Original Assignee
International Business Machines Corporation
Inventors
Fang, Yi, Milman, Ivan Matthew, Kao, I-Lung, Wilson, George Conerly
Primary Examiner(s)
Beausoleil, Robert
Assistant Examiner(s)
Baderman, Scott T.

Application Number

US09/070,512
Time in Patent Office

1,132 Days
Field of Search

713/201, 713/153, 713/155, 713/183, 713/202, 709/229, 707/9
US Class Current

726/5
CPC Class Codes

G06F 21/41   where a single sign-on prov...

H04L 63/0815   providing single-sign-on or...

Y10S 707/99939   Privileged access

Single sign-on (SSO) mechanism personal key manager

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

481 Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

Single sign-on (SSO) mechanism personal key manager

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

481 Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links