Method and system for single sign-on user access to multiple web servers

US 7,137,006 B1
Filed: 09/22/2000
Issued: 11/14/2006
Est. Priority Date: 09/24/1999
Status: Expired due to Term

First Claim

Patent Images

1. A computer-implemented method of single sign-on user access to multiple web servers, comprising:

authenticating a user by a first web server, the first web server also providing a first type of service session functionality for the user in addition to and different from authenticating the user, creating an encrypted authentication token, and redirecting a web browser of the user to transmit the encrypted authentication token, which first type of service session functionality is also different from a second type of service session functionality provided for the user by a second web server that is not provided by the first web server, which second type of service session functionality is also in addition to and different from authenticating the user, creating an encrypted authentication token and redirecting a web browser of the user to transmit the encrypted authentication token, each of said web servers containing information identifying the type of service session functionality provided by the other of said web servers and an address for the other of said web servers;

detecting a client request for the second type of service session functionality for the user at said first web server that is not provided by the first web server, said first web server, for determining the second web server providing the second type of service session functionality for the user and in response thereto creating an encrypted authentication token related to the user and redirecting a web browser of the user to the second web server;

transmitting the encrypted token from the first web server to the second web server via the user'"'"'s web browser, wherein the authentication token comprises an expiration time and is digitally signed by the first web server;

authenticating the authentication token by the second web server; and

providing the second type of service session functionality for the user to conduct a session by the second web server.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for single sign-on user access to multiple web servers are provided. A user is authenticated at a first web server (e.g., by user name and password). The first web server provides a web page to the user having a service selector (e.g., a hyperlink comprising the URL of a second web server offering the service indicated by the selector). When the user activates the service selector, the first web server constructs and transmits an encrypted authentication token (e.g., a cookie) from the first web server to a second web server via the user client. The first and second web servers share a sub-domain. The authentication token comprises an expiration time and is digitally signed by the first web server and is authenticated at the second web server. Upon authentication, the second web server allows the user to conduct a session at the second web server.

304 Citations

38 Claims

1. A computer-implemented method of single sign-on user access to multiple web servers, comprising:
- authenticating a user by a first web server, the first web server also providing a first type of service session functionality for the user in addition to and different from authenticating the user, creating an encrypted authentication token, and redirecting a web browser of the user to transmit the encrypted authentication token, which first type of service session functionality is also different from a second type of service session functionality provided for the user by a second web server that is not provided by the first web server, which second type of service session functionality is also in addition to and different from authenticating the user, creating an encrypted authentication token and redirecting a web browser of the user to transmit the encrypted authentication token, each of said web servers containing information identifying the type of service session functionality provided by the other of said web servers and an address for the other of said web servers;
  
  detecting a client request for the second type of service session functionality for the user at said first web server that is not provided by the first web server, said first web server, for determining the second web server providing the second type of service session functionality for the user and in response thereto creating an encrypted authentication token related to the user and redirecting a web browser of the user to the second web server;
  
  transmitting the encrypted token from the first web server to the second web server via the user'"'"'s web browser, wherein the authentication token comprises an expiration time and is digitally signed by the first web server;
  
  authenticating the authentication token by the second web server; and
  
  providing the second type of service session functionality for the user to conduct a session by the second web server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The method of claim 1 wherein the first web server and the second web server share a sub-domain.
  - 3. The method of claim 2 further comprising examining the expiration time of the authentication token at the second web server and allowing the user to conduct a session at the second web server only if the expiration time has not passed.
  - 4. The method of claim 3 wherein the authentication token comprises a cookie.
  - 5. The method of claim 4 wherein transmitting the encrypted authentication token from the first web server to the second web server comprises transmitting the encrypted authentication token from the first web server to the user, and then from the user to the second web server.
  - 6. The method of claim 5 wherein authenticating the user at the first web server comprises receiving a user name and password.
  - 7. The method of claim 6 wherein transmitting the encrypted authentication token from the first web server to a second web server comprises transmitting the authentication token from the first web server to a computer of the user;
    - and transmitting the authentication token from the computer of the user to the second web server.
  - 8. The method of claim 7 wherein the first web server and the second web server comprise a federation of web servers.
  - 9. The method of claim 8 wherein authenticating the authentication token at the second web server comprises examining the cookie.
  - 10. The method of claim 9 further comprising URL encoding the authentication token.
  - 11. The method of claim 10 further comprising URL decoding the authentication token at the second web server.
  - 12. The method of claim 11 further comprising providing a web page to the user having a service selector.
  - 13. The method of claim 12 wherein the service selector comprises a hyperlink.
  - 14. The method of claim 13 wherein the hyperlink comprises a URL for the second web server.
  - 15. The method of claim 7, further comprising:
    - sending the digitally signed authentication token to the web browser of the computing device by the first web server; and
      
      sending the authentication token to the second web server by the web browser.
  - 16. The method of claim 15 further comprising allowing the user to conduct a session with the first web server.
  - 17. The method of claim 16 wherein the second web server shares a sub-domain with the first web server.
  - 18. The method of claim 17 further comprising digitally signing the authentication token using public key encryption.
  - 19. The method of claim 18 further comprising confirming a match with the digital signature.

20. A system for single sign-on user access to multiple web servers, comprising:
- a means for authenticating a user by a first web server, the first web server also providing a first type of service session functionality for the user in addition to and different from authenticating the user, creating an encrypted authentication token, and redirecting a web browser of the user to transmit the encrypted authentication token, which first type of service session functionality is also different from a second type of service session functionality provided for the user by a second web server that is not provided by the first web server, which second type of service session functionality is also in addition to and different from authenticating the user, creating an encrypted authentication token and redirecting a web browser of the user to transmit the encrypted authentication token, each of said web servers containing information identifying the type of service session functionality provided by the other of said web servers and an address for the other of said web servers;
  
  means for detecting a client request for the second type of service session functionality for the user at said first web server, said first web server that is not provided by the first web server, said first web server, for determining the second web server providing the second type of service session functionality for the user and in response thereto creating an encrypted authentication token related to the user and redirecting a web browser of the user to the second web server;
  
  a means for transmitting the encrypted token from the first web server to the second web server via the user'"'"'s web browser, wherein the authentication token comprises an expiration time and is digitally signed by the first web server;
  
  a means for authenticating the authentication token at the second web server; and
  
  a means for providing the second type of service session functionality for the user to conduct a session by the second web server.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38)
- - 21. The system of claim 20 wherein the first web server and the second web server share a sub-domain.
  - 22. The system of claim 21 further comprising a means for examining the expiration time of the authentication token at the second web server.
  - 23. The system of claim 22 wherein the authentication token comprises a cookie.
  - 24. The system of claim 23 wherein the means for transmitting the encrypted authentication token from the first web server to the second web server comprises means for transmitting the encrypted authentication token from the first web server to the user, and then from the user to the second web server.
  - 25. The system of claim 24 wherein the means for authenticating the user at the first web server comprises means for receiving a user name and password.
  - 26. The system of claim 25 wherein the means for transmitting the encrypted authentication token from the first web server to a second web server comprises means for transmitting the authentication token from the first web server to a computer of the user and means for transmitting the authentication token from the computer of the user to the second web server.
  - 27. The system of claim 26 wherein the first web server and the second web server comprise a federation of web servers.
  - 28. The system of claim 27 wherein the means for authenticating the authentication token at the second web server comprises means for examining the cookie.
  - 29. The system of claim 28 further comprising a means for URL encoding the authentication token.
  - 30. The system of claim 29 further comprising a means for URL decoding the authentication token at the second web server.
  - 31. The system of claim 30 further comprising a means for providing a web page to the user having a service selector.
  - 32. The system of claim 31 wherein the service selector comprises a hyperlink.
  - 33. The system of claim 32 wherein the hyperlink comprises a URL for the second web server.
  - 34. The system of claim 20, further comprising:
    - a means for sending the digitally signed authentication token to the web browser of the computing device by the first web server; and
      
      a means for sending the authentication token to the second web server by the web browser.
  - 35. The system of claim 34 further comprising a means for allowing the user to conduct a session with the first web server.
  - 36. The system of claim 35 wherein the second web server shares a sub-domain with the first web server.
  - 37. The system of claim 36 further comprising means for digitally signing the authentication token using public key encryption.
  - 38. The system of claim 37 further comprising a means for confirming a match with the digital signature.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citicorp Credit Services Incorporated (Citigroup Incorporated)
Original Assignee
Citicorp Development Center Incorporated (Citigroup Incorporated)
Inventors
Williams, Michael, Pan, Jack, Law, France, Merschen, Toni, Jang, Yeona, Doshi, Ashwin, Grandcolas, Michael L.
Primary Examiner(s)
Sheikh, Ayaz
Assistant Examiner(s)
Parthasarathy, Pramila

Application Number

US09/668,112
Time in Patent Office

2,244 Days
Field of Search

713/202
US Class Current

713/180
CPC Class Codes

G06F 21/41   where a single sign-on prov...

G06F 2221/2137   Time limited access, e.g. t...

G06F 2221/2149   Restricted operating enviro...

H04L 63/0815   providing single-sign-on or...

Method and system for single sign-on user access to multiple web servers

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

304 Citations

38 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for single sign-on user access to multiple web servers

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

304 Citations

38 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links