System and method for unified sign-on

US 7,275,259 B2
Filed: 06/18/2003
Issued: 09/25/2007
Est. Priority Date: 06/18/2003
Status: Expired due to Fees

First Claim

Patent Images

1. A method of permitting a first domain to access a second domain comprising:

receiving, at the second domain, a request from the first domain, the request indicating an action to be performed in the second domain and further indicating a first user in the first domain on whose behalf the action is to be performed;

looking up a second user in the second domain who corresponds to the first user;

issuing an access token for the second user; and

using the access token to perform the action under a persona of the second user,wherein the request is received at an adapter that operates in the second domain, the adapter requesting the access token and using the access token to perform said action, and wherein the adapter runs as a third user different from the first user and the second user, wherein the adapter uses the access token to perform said action by impersonating the second user.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system that allows a user of a first domain to access a second domain. A request originates in the first domain to perform an action in the second domain. The request indicates a user of the first domain on whose behalf the request was originated. The access request is received by an adapter in the second domain. The adapter requests an access token for a user of the second domain who corresponds to the user of the first domain. A mapping table is used to identify which user in the second domain corresponds to the user in the first domain. Once the correct user of the second domain is identified, an access token for that user is returned to the adapter. The adapter then carries out the requested action by using the access token to impersonate the user of the second domain.

74 Citations

View as Search Results

25 Claims

1. A method of permitting a first domain to access a second domain comprising:
- receiving, at the second domain, a request from the first domain, the request indicating an action to be performed in the second domain and further indicating a first user in the first domain on whose behalf the action is to be performed;
  
  looking up a second user in the second domain who corresponds to the first user;
  
  issuing an access token for the second user; and
  
  using the access token to perform the action under a persona of the second user,wherein the request is received at an adapter that operates in the second domain, the adapter requesting the access token and using the access token to perform said action, and wherein the adapter runs as a third user different from the first user and the second user, wherein the adapter uses the access token to perform said action by impersonating the second user.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the adapter requests the access token from a service, the service looking up the second user and issuing the access token to the adapter.
  - 3. The method of claim 2, wherein the service operates in the second domain.
  - 4. The method of claim 1, further comprising:
    - determining that said third user is a member of an affiliate admin group corresponding to the first domain, members of said affiliate admin group being permitted to obtain access tokens to perform actions on behalf of users in said first domain.
  - 5. The method of claim 1, wherein the act of looking up the second user comprising consulting a database that correlates the first user with the second user.
  - 6. The method of claim 5, wherein the database stores a table that correlates users in the first domain with users in the second domain, there being a row of the table that specifies the first user in a first column and the second user in a second column.
  - 7. The method of claim 1, wherein said third user is reserved for running a set of one or more adapters that includes said adapter.

8. A method of using a first domain to access a second domain comprising:
- generating, in the first domain, a request for a resource or service that is located in the second domain, the request being generated by a process that runs as a first user in the first domain;
  
  sending the request to the second domain, whereupon the request is carried out in the second domain, by an adapter, on behalf of a second user in the second domain who corresponds to the first user, wherein the adapter runs as a third user different from the first user and the second user, wherein the adapter uses an access token to perform said action by impersonating the second user; and
  
  receiving a result of the access request from the second domain.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15)
- - 9. The method of claim 8, further comprising:
    - establishing a correspondence between the first user and the second user.
  - 10. The method of claim 9, wherein the first user and the second user represent personas in the first domain and second domain, respectively, for the same person.
  - 11. The method of claim 8, wherein the request is made to an adapter that operates in the second domain, and wherein the adapter carries out the request.
  - 12. The method of claim 8, wherein the request is generated by a process that operates in the first domain and passes from the process to the second domain through one or more components of the second domain.
  - 13. The method of claim 8, wherein the second domain comprises a database manager, and wherein the request for a resource or service in the second domain comprises a request to lookup information in the database.
  - 14. The method of claim 8, wherein the second domain stores a password for the second user, and wherein the second domain does not reveal the password to the first domain.
  - 15. The method of claim 8, wherein said third user is reserved for running a set of one or more adapters that includes said adapter.

16. A system that performs actions on behalf of a first domain, the system comprising:
- a service that receives, from a component, a first request for an access token, the first request identifying a first user in the first domain, the service further looking up a second user who corresponds to the first user and issuing to the component the access token, the access token permitting the component to impersonate the second user while carrying out an action,wherein the service and the component operate in a second domain different from the first domain, and wherein the second user is a user of the second domain,wherein the component comprises an adapter that receives a second request to perform the action, the second request being received by the adapter from the first domain, and wherein the adapter runs in the second domain as a third user, the third user being different from the first user and from the second user.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The system of claim 16, wherein the first user and the second user are personas, in the first domain and second domain respectively, for the same person.
  - 18. The system of claim 16, further comprising:
    - a database that stores information that correlates the first user with the second user.
  - 19. The system of claim 18, wherein the database stores a table that comprises a plurality of rows, each of the rows comprising:
    - a first column that identifies a user in the first domain; and
      
      a second column that identifies a user in the second domain;
20. The system of claim 16, wherein said third user is reserved for running a set of one or more adapters that includes said adapter.

21. A computer-readable storage medium having encoded thereon computer-executable instructions to perform acts comprising:
- receiving a first request from a component for an access token;
  
  looking up, based on a first user of a first domain, a second user of a second domain who corresponds to the first user; and
  
  issuing the access token to the component, wherein the access token permits the component to carry out an action by impersonating the second user,wherein the component comprises an adapter that runs in the second domain as a third user, the third user being different from the first user and the second user.
- View Dependent Claims (22, 23, 24, 25)
- - 22. The computer-readable storage medium of claim 21, wherein the act of lookup of a second user comprises:
    - consulting a database that correlates the first user with the second user.
  - 23. The computer-readable storage medium of claim 22, wherein the database comprises a plurality of rows, each of the rows comprising:
    - a first column that identifies a user of the first domain; and
      
      a second column that identifies a user of the second domain;
24. The computer-readable storage medium of claim 21, wherein the component receives a second request to perform the action, and wherein the component carries out the action under the persona of the second user by using the access token to impersonate the second user.
25. The computer-readable storage medium of claim 21, wherein said third user is reserved for running a set of one or more adapters that includes said adapter.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Jamieson, Steve, Torres, Rex George, Sharp, Joseph W., Balakrishnan, Anil, Carrell, Douglas R., Houser, Christopher Robert, Larsen, Guy Paul
Primary Examiner(s)
REVAK, CHRISTOPHER A

Application Number

US10/463,911
Publication Number

US 20040260942A1
Time in Patent Office

1,560 Days
Field of Search

None
US Class Current

726/8
CPC Class Codes

G06F 21/41 where a single sign-on prov...

System and method for unified sign-on

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

74 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for unified sign-on

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

74 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links