System and method for single session sign-on with cryptography
First Claim
1. In a computer system including a server system, a session authority and a plurality of content servers, a single sign-on method for enabling a client to access the plurality of content servers by single sign-on during a session, comprising:
(a) receiving a request for content contained within one of a plurality of content servers from a browser, acting on behalf of a client;
(b) determining by the content server whether the request comprises a valid session credential; and
(c) transmitting the content to the browser if the request comprises a valid session credential, wherein if the request does not comprise a valid session credential, the method further comprises:
(d) transmitting by the content server to the browser a challenge, the challenge comprising the name of a session authority that is used by the content server and the type of authentication required by the content server;
(e) receiving by the session authority a request for the session credential from the browser, the request comprising a certificate request identification; and
(f) checking by the session authority for a valid session certificate from an authenticating authority in the request for the session credential;
wherein if the request received by the session authority for the session credential comprises a valid session certificate from the authenticating authority, the session authority creates and transmits to the browser for storage in non-persistent memory a session credential, wherein further if the request received by the session authority for the session credential does not comprise a valid session certificate from the authenticating authority, the method further comprises:
(g) generating a second random piece of data by the session authority;
(h) transmitting to the browser the second random piece of data generated by the session authority, a challenge for a session certificate and the name of the authentication authority;
(i) receiving by the session authority from the browser a session certificate generated by the authentication authority, a third random piece of data generated by the browser, a signature created using a private session key that was generated by the browser as part of a public/private session key pair and applied to the second random piece of data and the third random piece of data and a request for a session credential, where the session certificate comprises the public session key, wherein further the public session key was transmitted to the authentication authority by the browser along with a request for the session certificate;
(j) verifying by the session authority that the signature received from the browser is valid by using the public session key included in the session certificate;
(k) extracting the identity of the user of the browser from the session certificate and creating a session credential comprising the user identity and a message authenticity code;
(l) transmitting the session credential from the session authority to the browser;
(m) receiving by the content server from the browser a request for the requested resource;
(n) determining by the content server whether the request comprises a session credential; and
(o) transmitting the content to the browser if the request comprises the session credential, wherein the session credential and session certificate are valid for a predetermined length of time.
Abstract
A method and system for single session sign-on across multiple content servers using public/private key cryptography. Session certificates are issued by an authentication authority and stored or held in volatile memory by a browser. Session certificates are used by browsers to obtain session credentials from a session authority and stored or held in volatile memory by the browser. Use of public and private keys supports authentication and non-repudiation, and eliminates some of the disadvantages of permanent certificates and PKI.
18 Claims
Claim 1 is set out in full under First Claim above; dependent claims 2 to 9 are not reproduced here.
10. A computer system configured to permit a client to access a plurality of content servers through a single sign-on during a session, comprising:
a server system in communication with a plurality of content servers;
a plurality of content servers in communication with one or more session authorities; and
one or more session authorities,
wherein the server system is configured to receive a request for content contained within one of a plurality of content servers from a browser acting on behalf of a client and to transmit the request to the content server from which the content is requested,
wherein each content server is configured to determine whether the request for content comprises a valid session credential and transmit the content to the browser if the request comprises a valid session credential,
wherein if the request does not comprise a valid session credential, each content server is configured to transmit a challenge to the browser, the challenge comprising the name of a session authority that is in communication with the content server and the type of authentication required by the content server;
wherein each session authority is configured to receive a request for a session credential from the browser, the request comprising a certificate request identification, and check for a valid session certificate from an authenticating authority in the request for the session credential;
wherein if the request received by the session authority for the session credential comprises a valid session certificate from the authenticating authority, the session authority is configured to create and transmit to the browser for storage in non-persistent memory a session credential that can be transmitted to the content server in a request for access to the content contained in the content server,
wherein further if the request received by the session authority for the session credential does not comprise a valid session certificate from the authenticating authority, the session authority is configured to:
generate a second random piece of data;
transmit to the browser the second random piece of data, a challenge for a session certificate and the name of the authentication authority;
receive from the browser a session certificate generated by the authentication authority, a third random piece of data generated by the browser, a signature created using a private session key that was generated by the browser as part of a public/private session key pair and applied to the second random piece of data and the third random piece of data and a request for a session credential, where the session certificate comprises the public session key, wherein further the public session key was transmitted to the authentication authority by the browser along with a request for the session certificate;
verify that the signature received from the browser is valid by using the public session key included in the session certificate;
extract the identity of the user of the browser from the session certificate and create a session credential comprising the user identity and a message authenticity code; and
transmit the session credential to the browser, wherein the session credential can be transmitted to a content server in a request for access to the content contained in the content server.
Dependent claims 11 to 18 are not reproduced here.
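The exchange described in steps (g) to (o) of claim 1, and restated as the session-authority and content-server configuration of claim 10, as a worked example in Go. This is added here for illustration and is not the patent's own code nor any implementation by its assignee. The claims fix no algorithms or encodings, so everything concrete below is an assumption made for the example: Ed25519 for the browser's session key pair and for the authentication authority's signature, HMAC-SHA256 as the "message authenticity code", the byte layouts of the session certificate and session credential noted in the comments, and a MAC key shared between the session authority and the content servers. The nonces, the user name "alice", the timestamps and the lifetimes are constructed inputs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// SessionCert is what the authentication authority returns for the browser's freshly generated
// public session key (record layout assumed; Expiry is unix seconds; Sig covers certBody).
type SessionCert struct {
	User   string
	PubKey ed25519.PublicKey
	Expiry int64
	Sig    []byte
}

// The key is a fixed 32 bytes, so user||key||expiry has unambiguous boundaries.
func certBody(c SessionCert) []byte {
	return binary.BigEndian.AppendUint64(append([]byte(c.User), c.PubKey...), uint64(c.Expiry))
}

// The authentication authority's step; how it authenticated the user beforehand is out of scope.
func issueSessionCert(authPriv ed25519.PrivateKey, user string, pub ed25519.PublicKey, exp int64) SessionCert {
	c := SessionCert{User: user, PubKey: pub, Expiry: exp}
	c.Sig = ed25519.Sign(authPriv, certBody(c))
	return c
}

// CredRequest is the browser's reply to the challenge: its session certificate, its own nonce
// (the "third random piece of data") and a signature by the private session key over saNonce||BrNonce.
type CredRequest struct {
	Cert         SessionCert
	BrNonce, Sig []byte
}

// The session authority's step. saNonce is the "second random piece of data" it generated for this
// request; macKey is assumed to be shared with the content servers.
func issueCredential(authPub ed25519.PublicKey, macKey, saNonce []byte, r CredRequest, now, ttl int64) ([]byte, error) {
	if !ed25519.Verify(authPub, certBody(r.Cert), r.Cert.Sig) {
		return nil, errors.New("session certificate not signed by the authentication authority")
	}
	if now >= r.Cert.Expiry {
		return nil, errors.New("session certificate expired")
	}
	if !ed25519.Verify(r.Cert.PubKey, append(append([]byte{}, saNonce...), r.BrNonce...), r.Sig) {
		return nil, errors.New("browser did not prove possession of the private session key")
	}
	// Session credential (layout assumed): user || 8-byte expiry || 32-byte HMAC-SHA256 tag.
	body := binary.BigEndian.AppendUint64([]byte(r.Cert.User), uint64(now+ttl))
	m := hmac.New(sha256.New, macKey)
	m.Write(body)
	return m.Sum(body), nil
}

// The content server's check; it returns the user the credential names.
func verifyCredential(macKey, cred []byte, now int64) (string, error) {
	if len(cred) < 8+32 {
		return "", errors.New("malformed credential")
	}
	body, tag := cred[:len(cred)-32], cred[len(cred)-32:]
	m := hmac.New(sha256.New, macKey)
	m.Write(body)
	if !hmac.Equal(tag, m.Sum(nil)) {
		return "", errors.New("bad credential MAC")
	}
	if now >= int64(binary.BigEndian.Uint64(body[len(body)-8:])) {
		return "", errors.New("credential expired")
	}
	return string(body[:len(body)-8]), nil
}

// runSSO plays the whole exchange for user "alice" at unix time now and returns the MAC key
// held by the content servers together with the credential the session authority issued.
func runSSO(now int64) (macKey, cred []byte) {
	authPub, authPriv, _ := ed25519.GenerateKey(rand.Reader)
	macKey = make([]byte, 32)
	rand.Read(macKey)
	brPub, brPriv, _ := ed25519.GenerateKey(rand.Reader) // browser's volatile session key pair
	cert := issueSessionCert(authPriv, "alice", brPub, now+3600)
	saNonce, brNonce := make([]byte, 16), make([]byte, 16) // session authority's and browser's nonces
	rand.Read(saNonce)
	rand.Read(brNonce)
	sig := ed25519.Sign(brPriv, append(append([]byte{}, saNonce...), brNonce...))
	cred, err := issueCredential(authPub, macKey, saNonce, CredRequest{cert, brNonce, sig}, now, 600)
	if err != nil {
		panic(err)
	}
	return macKey, cred
}

func main() {
	macKey, cred := runSSO(1700000000)
	fmt.Println(verifyCredential(macKey, cred, 1700000000))
}
```

Three checks carry the security of the exchange: the authentication authority's signature over the session certificate, which binds the user identity to the public session key; the proof of possession of the private session key over the session authority's nonce, which is what stops a stolen certificate from being presented by someone else; and the expiry carried by both the certificate and the credential, which is the "predetermined length of time" of the claims. The browser's own nonce ensures the browser never signs a message chosen entirely by the other side. What the example leaves to the caller, and a real session authority must do, is bind saNonce to one pending request and discard it once answered, so that a captured reply cannot be replayed while the certificate is still valid; the content server, for its part, must verify the MAC before reading any field of the credential, as verifyCredential does.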