Implementing single sign-on across a heterogeneous collection of client/server and web-based applications

US 7,500,262 B1
Filed: 04/29/2003
Issued: 03/03/2009
Est. Priority Date: 04/29/2002
Status: Active Grant

First Claim

Patent Images

1. A method of leveraging an established authenticated session in obtaining authentication to a client application, the method comprising:

receiving, at a client system, a first access request from a user to access a first client application selected from among a plurality of client applications;

in response to the first access request, presenting a graphical user interface to the user to solicit entry by the user of authentication credentials for the first client application;

receiving authentication credentials for the first client application entered by the user;

creating a first authentication request for access to the first client application based on the authentication credentials for the first client application entered by the user;

sending the first authentication request for access to the first client application to an intermediary system;

receiving, at the client system from the intermediary system, a master token and a first application token in response to the first authentication request for access to the first client application;

communicating the first application token from the client system to the first client application for authentication by the first client application;

storing, in electronic storage accessible by the client system, the master token received from the intermediary system;

receiving, at the client system, a second access request from the user to access a second client application selected from among the plurality of client applications, the second client application being different from the first client application;

in response to the second access request, accessing, from the electronic storage accessible by the client system, the master token;

creating a second authentication request for access to the second client application based on the accessed master token;

sending the second authentication request for access to the second client application to the intermediary system;

receiving, at the client system from the intermediary system, a second application token in response to the second authentication request for access to the second client application; and

communicating the second application token from the client system to the second client application for authentication by the second client application,wherein the first application token is different from the second application token;

wherein sending the first authentication request for access to the first client application to the intermediary system includes sending, over a network, the first authentication request for access to the first client application to a remote intermediary system that is remote from the client system;

wherein receiving, at the client system from the intermediary system, the master token and the first application token in response to the first authentication request for access to the first client application includes receiving, at the client system from the remote intermediary system over the network, the master token and the first application token in response to the first authentication request for access to the first client application;

wherein communicating the first application token from the client system to the first client application for authentication by the first client application includes communicating, over the network, the first application token from the client system to a first remote client application being run by a first remote system that is remote from the client system and different than the remote intermediary system;

wherein sending the second authentication request for access to the second client application to the intermediary system includes sending, over the network, the second authentication request for access to the second client application to the remote intermediary system;

wherein receiving, at the client system from the intermediary system, the second application token in response to the second authentication request for access to the second client application includes receiving, at the client system from the remote intermediary system over the network, the second application token in response to the second authentication request for access to the second client application; and

wherein communicating the second application token from the client system to the second client application for authentication by the second client application includes communicating, over the network, the second application token from the client system to a second remote client application being run by a second remote system that is remote from the client system and different than the remote intermediary system and the first remote system.

View all claims

15 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Leveraging an established authenticated session in obtaining authentication to a client application includes receiving a request for access to a client application requiring authentication of a requestor and determining whether there exist characteristics of leverageable authentications corresponding to established sessions having an authenticated state at a time of the determination. When the determination reveals characteristics of at least one leverageable authentication corresponding to an established session, and attempt is made to obtain access for the requester to the client application based on the at least one leverageable authentication, and the requestor is provided with a notification related to the attempt to obtain access for the requester to the client application.

Citations

43 Claims

1. A method of leveraging an established authenticated session in obtaining authentication to a client application, the method comprising:
- receiving, at a client system, a first access request from a user to access a first client application selected from among a plurality of client applications;
  
  in response to the first access request, presenting a graphical user interface to the user to solicit entry by the user of authentication credentials for the first client application;
  
  receiving authentication credentials for the first client application entered by the user;
  
  creating a first authentication request for access to the first client application based on the authentication credentials for the first client application entered by the user;
  
  sending the first authentication request for access to the first client application to an intermediary system;
  
  receiving, at the client system from the intermediary system, a master token and a first application token in response to the first authentication request for access to the first client application;
  
  communicating the first application token from the client system to the first client application for authentication by the first client application;
  
  storing, in electronic storage accessible by the client system, the master token received from the intermediary system;
  
  receiving, at the client system, a second access request from the user to access a second client application selected from among the plurality of client applications, the second client application being different from the first client application;
  
  in response to the second access request, accessing, from the electronic storage accessible by the client system, the master token;
  
  creating a second authentication request for access to the second client application based on the accessed master token;
  
  sending the second authentication request for access to the second client application to the intermediary system;
  
  receiving, at the client system from the intermediary system, a second application token in response to the second authentication request for access to the second client application; and
  
  communicating the second application token from the client system to the second client application for authentication by the second client application,wherein the first application token is different from the second application token;
  
  wherein sending the first authentication request for access to the first client application to the intermediary system includes sending, over a network, the first authentication request for access to the first client application to a remote intermediary system that is remote from the client system;
  
  wherein receiving, at the client system from the intermediary system, the master token and the first application token in response to the first authentication request for access to the first client application includes receiving, at the client system from the remote intermediary system over the network, the master token and the first application token in response to the first authentication request for access to the first client application;
  
  wherein communicating the first application token from the client system to the first client application for authentication by the first client application includes communicating, over the network, the first application token from the client system to a first remote client application being run by a first remote system that is remote from the client system and different than the remote intermediary system;
  
  wherein sending the second authentication request for access to the second client application to the intermediary system includes sending, over the network, the second authentication request for access to the second client application to the remote intermediary system;
  
  wherein receiving, at the client system from the intermediary system, the second application token in response to the second authentication request for access to the second client application includes receiving, at the client system from the remote intermediary system over the network, the second application token in response to the second authentication request for access to the second client application; and
  
  wherein communicating the second application token from the client system to the second client application for authentication by the second client application includes communicating, over the network, the second application token from the client system to a second remote client application being run by a second remote system that is remote from the client system and different than the remote intermediary system and the first remote system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. The method of claim 1 further comprising:
    - establishing, between the client system and the first remote system running the first remote client application, a first authenticated communication session based on the first remote client application authenticating the first application token received from the client system; and
      
      establishing, between the client system and the second remote system running the second remote client application, a second authenticated communication session based on the second remote client application authenticating the second application token received from the client system.
  - 3. The method of claim 1 wherein:
    - communicating, over the network, the first application token from the client system to the first remote client application being run by the first remote system that is remote from the client system and different than the remote intermediary system includes communicating, over the network, the first application token from the client system to a remote non-browser client application being run by a first remote server; and
      
      communicating, over the network, the second application token from the client system to the second remote client application being run by the second remote system that is remote from the client system and different than the remote intermediary system the first remote system includes communicating, over the network, the second application token from the client system to a remote browser client application being run by a second remote server.
  - 4. The method of claim 3 wherein:
    - communicating, over the network, the first application token from the client system to the remote non-browser client application being ran by the first remote server includes communicating, over the network, the first application token from the client system to an instant messaging application being run by an instant messaging server; and
      
      communicating, over the network, the second application token from the client system to the remote browser client application being run by the second remote server includes communicating, over the network, the second application token from the client system to a web site application being run by a remote web server.
  - 5. The method of claim 1 wherein creating the second authentication request for access to the second client application based on the accessed master token includes creating a second authentication request that includes the accessed master token.
  - 6. The method of claim 5 wherein creating the second authentication request that includes the accessed master token includes creating a second authentication request that includes the accessed master token and an application identifier for the second client application.
  - 7. The method of claim 1 wherein creating the first authentication request for access to the first client application based on the authentication credentials for the first client application entered by the user includes creating a first authentication request that includes the authentication credentials for the first client application entered by the user.
  - 8. The method of claim 7 wherein creating the first authentication request that includes the authentication credentials for the first client application entered by the user includes creating a first authentication request that includes the authentication credentials for the first client application entered by the user and an application identifier for the first client application.
  - 9. The method of claim 1 further comprising:
    - in response to the first access request, determining that an authenticated session between the client system and another application included in the plurality of client applications does not currently exist.
  - 10. The method of claim 9 further comprising:
    - in response to the second access request, determining that an authenticated session between the client system and another application included in the plurality of client applications currently exists.
  - 11. The method of claim 10 wherein:
    - determining that an authenticated session between the client system and another application included in the plurality of client applications does not currently exist includes determining that a common local authentication client is not running on the client system; and
      
      determining that an authenticated session between the client system and another application included in the plurality of client applications currently exists includes determining that the common local authentication client is running on the client system.
  - 12. The method of claim 1 wherein accessing, from the electronic storage accessible by the client system, the master token and creating the second authentication request for access to the second client application based on the accessed master token are transparent to the user.
  - 13. The method of claim 1 wherein accessing, from the electronic storage accessible by the client system, the master token and creating the second authentication request for access to the second client application based on the accessed master token are initiated without user input.
  - 14. The method of claim 1 wherein receiving, at the client system, the first access request from the user to access the first client application selected from among the plurality of client applications includes receiving a selection by the user of an item that represents the first client application, the item including at least one of text, an image, or an animation.
  - 15. The method of claim 1 wherein the first client application and the second client application are configured to perform functions other than those related to authentication.
  - 16. The method of claim 15 wherein the functions other than those related to authentication include functions associated with at least one of email, instant messaging, word processing, games, or the Internet.
  - 17. The method of claim 1 wherein the second client application receives no indication of the first authentication request associated with the first client application and the first client application receives no indication of the second authentication request associated with the second client application.
  - 18. The method of claim 1 wherein electronic communications related to the first authentication request associated with the first client application are not exchanged with the second client application and electronic communications related to the second authentication request associated with the second client application are not exchanged with the first client application.
  - 19. The method of claim 1 wherein each of the first remote client application and the second remote client application leverage an independent process to authenticate submitted application tokens.
  - 20. The method of claim 1 wherein the first application token is associated with only the first remote client application and the second application token is associated with only the second remote client application.
  - 21. The method of claim 1 wherein each of the first remote client application and the second remote client application are configured to authenticate application tokens without communicating, after receipt of the applications tokens, with the remote intermediary system from which the client system received the applications tokens.

22. A system including one or more devices that are controlled by but distinguished from software, the system comprising:
- a client device;
  
  an intermediary system that is remote from the client device;
  
  a first remote server that is configured to run a first remote client application; and
  
  a second remote server that is configured to run a second remote client application, wherein;
  
  the client device receives a first access request from a user to access a first client application selected from among a plurality of client applications;
  
  in response to the first access request, the client device presents a graphical user interface to the user to solicit entry by the user of authentication credentials for the first client application;
  
  the client device receives authentication credentials for the first client application entered by the user;
  
  the client device creates a first authentication request for access to the first client application based on the authentication credentials for the first client application entered by the user;
  
  the client device sends the first authentication request for access to the first client application to the intermediary system;
  
  the client device receives receiving, at the client system from the intermediary system, a master token and a first application token in response to the first authentication request for access to the first client application;
  
  the client device communicates the first application token to the first client application for authentication by the first client application;
  
  the client device stores, in electronic storage accessible by the client device, the master token received from the intermediary system;
  
  the client device receives a second access request from the user to access a second client application selected from among the plurality of client applications, the second client application being different from the first client application;
  
  in response to the second access request, the client device accesses, from the electronic storage accessible by the client device, the master token;
  
  the client device creates a second authentication request for access to the second client application based on the accessed master token;
  
  the client device sends the second authentication request for access to the second client application to the intermediary system;
  
  the client device receives, from the intermediary system, a second application token in response to the second authentication request for access to the second client application; and
  
  the client device communicates the second application token to the second client application for authentication by the second client application,wherein the first application token is different from the second application token;
  
  wherein the client device sends the first authentication request for access to the first client application to the intermediary system by sending, over a network, the first authentication request for access to the first client application to a remote intermediary system that is remote from the client device;
  
  wherein the client device receives, from the intermediary system, the master token and the first application token in response to the first authentication request for access to the first client application receiving, at the client device from the remote intermediary system over the network, the master token and the first application token in response to the first authentication request for access to the first client application;
  
  wherein the client device communicates the first application token to the first client application for authentication by the first client application by communicating, over the network, the first application token from the client device to the first remote client application being run by the first remote system that is remote from the client device and different than the remote intermediary system;
  
  wherein the client device sends the second authentication request for access to the second client application to the intermediary system by sending, over the network, the second authentication request for access to the second client application to the remote intermediary system;
  
  wherein the client device receives, from the intermediary system, the second application token in response to the second authentication request for access to the second client application by receiving, at the client device from the remote intermediary system over the network, the second application token in response to the second authentication request for access to the second client application; and
  
  wherein the client device communicates the second application token to the second client application for authentication by the second client application by communicating, over the network, the second application token from the client device to the second remote client application being run by the second remote system that is remote from the client device and different than the remote intermediary system and the first remote system.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42)
- - 23. The system of claim 22, wherein:
    - the client device establishes, between the client device and the first remote system running the first remote client application, a first authenticated communication session based on the first remote client application authenticating the first application token received from the client device; and
      
      the client device establishes, between the client device and the second remote system running the second remote client application, a second authenticated communication session based on the second remote client application authenticating the second application token received from the client device.
  - 24. The system of claim 22 wherein:
    - the client device communicates, over the network, the first application token from the client device to the first remote client application being run by the first remote system that is remote from the client device and different than the remote intermediary system by communicating, over the network, the first application token from the client device to a remote non-browser client application being run by a first remote server; and
      
      the client device communicates, over the network, the second application token from the client device to the second remote client application being run by the second remote system that is remote from the client device and different than the remote intermediary system and the first remote system by communicating, over the network, the second application token from the client device to a remote browser client application being run by a second remote server.
  - 25. The system of claim 24 wherein:
    - the client device communicates, over the network, the first application token from the client device to the remote non-browser client application being run by the first remote server by communicating, over the network, the first application token from the client device to an instant messaging application being run by an instant messaging server; and
      
      the client device communicates, over the network, the second application token from the client device to the remote browser client application being run by the second remote server by communicating, over the network, the second application token from the client device to a web site application being run by a remote web server.
  - 26. The system of claim 22 wherein the client device creates the second authentication request for access to the second client application based on the accessed master token by creating a second authentication request that includes the accessed master token.
  - 27. The system of claim 26 wherein the client device creates the second authentication request that includes the accessed master token by creating a second authentication request that includes the accessed master token and an application identifier for the second client application.
  - 28. The system of claim 22 wherein the client device creates the first authentication request for access to the first client application based on the authentication credentials for the first client application entered by the user by creating a first authentication request that includes the authentication credentials for the first client application entered by the user.
  - 29. The system of claim 28 wherein the client device creates the first authentication request that includes the authentication credentials for the first client application entered by the user by creating a first authentication request that includes the authentication credentials for the first client application entered by the user and an application identifier for the first client application.
  - 30. The system of claim 22, wherein:
    - in response to the first access request, the client device determines that an authenticated session between the client device and another application included in the plurality of client applications does not currently exist.
  - 31. The system of claim 30, wherein:
    - in response to the second access request, the client device determines that an authenticated session between the client device and another application included in the plurality of client applications currently exists.
  - 32. The system of claim 31 wherein:
    - the client device determines that an authenticated session between the client device and another application included in the plurality of client applications does not currently exist by determining that a common local authentication client is not running on the client device; and
      
      the client device determines that an authenticated session between the client device and another application included in the plurality of client applications currently exists by determining that the common local authentication client is running on the client device.
  - 33. The system of claim 22 wherein accessing, from the electronic storage accessible by the client device, the master token and creating the second authentication request for access to the second client application based on the accessed master token are transparent to the user.
  - 34. The system of claim 22 wherein accessing, from the electronic storage accessible by the client device, the master token and creating the second authentication request for access to the second client application based on the accessed master token are initiated without user input.
  - 35. The system of claim 22 wherein the client device receives the first access request from the user to access the first client application selected from among the plurality of client applications by receiving a selection by the user of an item that represents the first client application, the item including at least one of text, an image, or an animation.
  - 36. The system of claim 22 wherein the first client application and the second client application are configured to perform functions other than those related to authentication.
  - 37. The system of claim 36 wherein the functions other than those related to authentication include functions associated with at least one of email, instant messaging, word processing, games, or the Internet.
  - 38. The system of claim 22 wherein the second client application receives no indication of the first authentication request associated with the first client application and the first client application receives no indication of the second authentication request associated with the second client application.
  - 39. The system of claim 22 wherein electronic communications related to the first authentication request associated with the first client application are not exchanged with the second client application and electronic communications related to the second authentication request associated with the second client application are not exchanged with the first client application.
  - 40. The system of claim 22 wherein each of the first remote client application and the second remote client application leverage an independent process to authenticate submitted application tokens.
  - 41. The system of claim 22 wherein the first application token is associated with only the first remote client application and the second application token is associated with only the second remote client application.
  - 42. The system of claim 22 wherein each of the first remote client application and the second remote client application are configured to authenticate application tokens without communicating, after receipt of the applications tokens, with the remote intermediary system from which the client device received the applications tokens.

43. A system comprising:
- a client device configured to run a common local authentication client, a non-browser client, and a browser client;
  
  a common authorization web server that is remote from the client device;
  
  a non-browser remote server that is configured to interact with the non-browser client and that is remote from the client device and the common authorization web server; and
  
  a web remote server that is configured to interact with the browser client and that is remote from the client device, the common authorization web server, and the non-browser remote server, wherein;
  
  the client device is configured to receive, from a user, a first command to launch the non-browser client and, in response to the first command, launch the non-browser client;
  
  the common local authentication client is configured to, based on the first command to launch the non-browser client, determine that an active authentication session is not available and send, to the non-browser client, a message indicating that an active authentication session is not available;
  
  the non-browser client is configured to;
  
  receive, from the common local authentication client, the message indicating that an active authentication session is not available,in response to the message indicating that an active authentication session is not available, present a login form to the user,receive login credentials entered by the user using the login form, andsubmit, to the common local authentication client, the login credentials and a non-browser client application identifier, the non-browser client application identifier being an application identifier associated with the non-browser client;
  
  the common local authentication client is further configured to receive, from the non-browser client, the login credentials and the non-browser client application identifier and send, to the common authorization web server, the login credentials and the non-browser client application identifier;
  
  the common authorization web server is configured to;
  
  receive, from the common local authentication client, the login credentials and the non-browser client application identifier,validate the login credentials and the non-browser client application identifier,generate a common local authentication client master token and a non-browser application token, andsend, to the common local authentication client, the common local authentication client master token and the non-browser application token;
  
  the common local authentication client is further configured to;
  
  receive, from the common authorization web server, the common local authentication client master token and the non-browser application token,store, in electronic storage accessible by the common local authentication client, the common local authentication client master token, andsend, to the non-browser client, the non-browser application token;
  
  the non-browser client is further configured to receive, from the common local authentication client, the non-browser application token and send, to the non-browser remote server, the non-browser application token;
  
  the non-browser remote server is configured to;
  
  receive, from the non-browser client, the non-browser application token,validate the non-browser client based on the non-browser application token, andestablish, with the non-browser client, a non-browser client authenticated session;
  
  the client device is further configured to receive, from the user, a second command to launch the browser client and, in response to the second command, launch the browser client;
  
  the common local authentication client is further configured to, based on the second command to launch the browser client, determine that an active authentication session is available and send, to the browser client, a message indicating that an active authentication session is available;
  
  the browser client is configured to receive, from the common local authentication client, the message indicating that an active authentication session is available and, in response to the message indicating that an active authentication session is available, submit, to the common local authentication client, a browser client application identifier, the browser client application identifier being an application identifier associated with the browser client;
  
  the common local authentication client is further configured to;
  
  receive, from the browser client, the browser client application identifier,access, from the electronic storage accessible by the common local authentication client, the common local authentication client master token, andsend, to the common authorization web server, the common local authentication client master token and the browser client application identifier;
  
  the common authorization web server is further configured to;
  
  receive, from the common local authentication client, the common local authentication client master token and the browser client application identifier,verify the common local authentication client master token and the browser client application identifier,generate a browser application token, andsend, to the common local authentication client, the browser application token;
  
  the common local authentication client is further configured to receive, from the common authorization web server, the browser application token, and send, to the browser client, the browser application token;
  
  the browser client is further configured to receive, from the common local authentication client, the browser application token and send, to the web remote server, the browser application token; and
  
  the web remote server is configured to;
  
  receive, from the browser client, the browser application token,validate the browser client based on the browser application token, andestablish, with the browser client, a browser client authenticated session.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
AOL LLC (Apollo Global Management, Inc.)
Inventors
Richards, Russell, Eaves, Donald, Watkins, Robert, Toomey, Christopher, Zhang, Xiaopeng, Keister, Alan, Sanin, Aleksey, Wick, Andrew L.
Primary Examiner(s)
Moise; Emmanuel L.
Assistant Examiner(s)
GERGISO, TECHANE

Application Number

US10/424,995
Time in Patent Office

2,135 Days
Field of Search

726/2, 726/26, 726/16, 726/8, 705/67, 709/227
US Class Current

726/2
CPC Class Codes

G06F 21/41   where a single sign-on prov...

G06Q 20/3674   involving authentication

H04L 63/08   for authentication of entit...

H04L 63/0815   providing single-sign-on or...

H04L 9/3234   involving additional secure...

H04L 9/3271   using challenge-response

H04W 12/06   Authentication

Implementing single sign-on across a heterogeneous collection of client/server and web-based applications

First Claim

15 Assignments

0 Petitions

Accused Products

Abstract

Citations

43 Claims

Specification

Solutions

Use Cases

Quick Links

Implementing single sign-on across a heterogeneous collection of client/server and web-based applications

First Claim

15 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

43 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links