Single sign-on system and method

US 7,496,954 B1
Filed: 11/22/2004
Issued: 02/24/2009
Est. Priority Date: 11/22/2004
Status: Active Grant

First Claim

Patent Images

1. A system for single sign-on for enterprise applications, comprising:

a plurality of enterprise applications;

a policy server that receives a user'"'"'s single sign-on information regarding access to a first enterprise application and promotes communication of authentication and authorization information for the first enterprise application to determine the user'"'"'s access to the first enterprise application, the policy server, regarding the user accessing a second enterprise application, authenticates the user based on the user'"'"'s single sign-on information and uses the single sign-on information to obtain authorization information for the second enterprise application to determine the user'"'"'s access to the second enterprise application;

an authentication data store maintaining the authentication information used by the policy server related to user authentication for at least some of the plurality of enterprise applications;

a first internal authorization data store maintaining internal authorization information related to internal user;

a second external authorization data store maintaining external authorization information related to external user;

a consolidated data store maintaining consolidated authorization information including both the internal and external user authorization information used by the policy server related to user authorization for at least some of the plurality of enterprise applications; and

a synchronization component that synchronizes the internal and external authorization information from the first internal and second external authorization data stores, respectively, to the consolidated data store.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for single sign-on to a plurality of computing applications is provided. The system includes a plurality of enterprise applications, a policy server, and an authentication data store maintaining authentication information for the enterprise applications. The system also includes internal and external user authorization data stores that maintain user authorization information for the enterprise applications. A synchronization component synchronizes to a consolidated data store information from the internal and external authorization data stores and eliminates duplicate user information. To access a first enterprise application, the user'"'"'s information is authenticated against the authentication data store and authorized against the consolidated authorization data store. To access a second enterprise application, the user is not required to sign on again since the previously entered user information is used to authenticate the user, and the consolidated data store is automatically checked to determine the user'"'"'s authorization level for the second enterprise application.

138 Citations

22 Claims

1. A system for single sign-on for enterprise applications, comprising:
- a plurality of enterprise applications;
  
  a policy server that receives a user'"'"'s single sign-on information regarding access to a first enterprise application and promotes communication of authentication and authorization information for the first enterprise application to determine the user'"'"'s access to the first enterprise application, the policy server, regarding the user accessing a second enterprise application, authenticates the user based on the user'"'"'s single sign-on information and uses the single sign-on information to obtain authorization information for the second enterprise application to determine the user'"'"'s access to the second enterprise application;
  
  an authentication data store maintaining the authentication information used by the policy server related to user authentication for at least some of the plurality of enterprise applications;
  
  a first internal authorization data store maintaining internal authorization information related to internal user;
  
  a second external authorization data store maintaining external authorization information related to external user;
  
  a consolidated data store maintaining consolidated authorization information including both the internal and external user authorization information used by the policy server related to user authorization for at least some of the plurality of enterprise applications; and
  
  a synchronization component that synchronizes the internal and external authorization information from the first internal and second external authorization data stores, respectively, to the consolidated data store.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The system of claim 1, wherein the authentication data store includes a first data store of maintaining internal user authentication information and a second data store maintaining external user authentication information.
  - 3. The system of claim 1, wherein internal user authorization information includes employee information and the external user authorization information includes contractor information.
  - 4. The system of claim 3, wherein the synchronization component synchronizes the internal and external user authorization information to the consolidated data store such that user information duplicated in both the first internal and second external authorization data stores is consolidated in the consolidated data store.
  - 5. The system of claim 4, wherein the authentication information includes a user name and password.
  - 6. The system of claim 4, wherein the internal and external user authorization information includes role information.
  - 7. The system of claim 6, wherein the role information is used by the enterprise applications to determine access levels within the enterprise applications.
  - 8. The system of claim 1, wherein the first internal authorization data store is further defined as a Microsoft Metadirectory Services LDAP, wherein the second external authorization data store is further defined as an Oracle database, and wherein the consolidated data store is further defined as Siemens DirX LDAP.
  - 9. The system of claim 8, wherein the synchronization component includes a Java Naming and Directory Interface application programming interface to promote communication between the Microsoft Metadirectory Services LDAP and the Siemens, and wherein a Java Database Connectivity connection is established between the Oracle database and the Siemens DirX LDAP and communication of data is accomplished via Structured Query Language.
  - 10. The system of claim 1, wherein the first internal and second external authorization data stores are periodically updated from a human resource system.
  - 11. The system of claim 1, further comprising a security agent on a user system that communicates with the plurality of enterprise applications and provides authentication information to the enterprise applications.
  - 12. The system of claim 11, wherein the security agent stores at least some authentication information locally on the user system, such that upon selection by the user of the second enterprise application, the security agent determines, via the locally stored at least some authentication information, whether the user has been authenticated.
  - 13. The system of claim 12, wherein the authentication information is stored in a cookie on the user system.
  - 14. The system of claim 12, above wherein the policy server uses the authentication information stored locally on the user system and communicates with the consolidated data store to obtain internal and external authorization information related to the user, the second enterprise application using at least one of the internal and external authorization information obtained by the policy server to determine the user'"'"'s authorization of the second enterprise application.
  - 15. The system of claim 1, wherein the policy server is further defined as a Siteminder policy server.
  - 16. The system of claim 1, wherein the plurality of enterprise applications are further defined as web-based applications.

17. A method for providing a single sign-on capability for a plurality of computing applications comprising:
- providing a first data store containing information on a first user of a first computing application;
  
  providing a second data store containing information on a second user of a second computing application;
  
  extracting information from the first and second data stores;
  
  translating the information from a format of the first data store and a format of the second data store into a format of a third data store;
  
  when a duplication exists between an identifying attribute for a record from the first data store and an identifying attribute for a record from the second data store, assigning a new identifying attribute to the record from the first data store;
  
  loading the translated information into the third data store;
  
  a user providing identifying information when the user attempts to gain access to the first computing application;
  
  comparing the identifying information provided by the user with authorization information in the third data store and authentication information in a fourth data store regarding the user'"'"'s authority to access the first computing application;
  
  authorizing the user for access to the first computing application;
  
  when a user attempts to gain access to the second computing application, retrieving, without further action from the user, the identifying information provided by the user and comparing the identifying information provided by the user with authorization information in the third data store regarding the user'"'"'s authority to access the second computing application; and
  
  authorizing the user for access to the second computing application.
- View Dependent Claims (18, 19, 20)
- - 18. The method of claim 17, wherein a policy server promoted retrieval of the authorization information in the third data store and authentication information in a fourth data store.
  - 19. The method of claim 18, wherein the policy server is further defined as a Siteminder policy server.
  - 20. The method of claim 17, wherein the first and second computing applications are further defined as web-based enterprise applications.

21. A system for allowing access to a plurality of web applications through a single sign-on comprising:
- a first data store that contains authorization information on a first user of at least one computing application;
  
  a second data store that contains authorization information on a second user of the at least one computing application;
  
  a third data store that contains authorization information on the first and second users;
  
  a fourth data store that maintains authentication information related to access to the computing applications;
  
  a synchronization component that translates information from a format of the first data store and a format of the second data store into a format of a third data store, and, when a duplication exists between an identifying attribute for a record from the first data store and an identifying attribute for a record from the second data store, the synchronization component assigns a single identifying attribute to the record and promotes loading the translated information into the third data store; and
  
  a policy server component using identifying information provided by a user signing on to a first computing application to compare to authorization information in the third data store and to compare to authentication information in the fourth data store to determine the user'"'"'s access to the first computing application, and, when the user attempts to gain access to a second computing application, the policy server compares the identifying information to authorization information in the third data store without further action from the user to determine the user'"'"'s access to the second computing application.
- View Dependent Claims (22)
- - 22. The system of claim 21, further comprising a security agent provided on a user computer to communicate with the computing applications and the policy server, the security agent stores a token based on the prior authentication information and accesses the token to authenticate the user for the second computing application instead of the authentication information stored maintained in the fourth data store.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
T-Mobile Innovations LLC (Deutsche Telekom AG)
Original Assignee
Sprint Communications Company LP (Deutsche Telekom AG)
Inventors
Kuruvalli, Bharath N., Himawan, Rudi
Primary Examiner(s)
Moise; Emmanuel L.
Assistant Examiner(s)
Abyaneh; Ali S

Application Number

US10/994,997
Time in Patent Office

1,555 Days
Field of Search

726/2, 726/8
US Class Current

726/8
CPC Class Codes

G06F 21/41 where a single sign-on prov...

H04L 63/0815 providing single-sign-on or...

Single sign-on system and method

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

138 Citations

22 Claims

Specification

Use Cases

Quick Links

Others

Single sign-on system and method

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

138 Citations

22 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others