Implementing single sign-on across a heterogeneous collection of client/server and web-based applications
Abstract
Leveraging an established authenticated session in obtaining authentication to a client application includes receiving a request for access to a client application requiring authentication of a requestor and determining whether there exist characteristics of leverageable authentications corresponding to established sessions having an authenticated state at the time of the determination. When the determination reveals characteristics of at least one leverageable authentication corresponding to an established session, an attempt is made to obtain access for the requestor to the client application based on the at least one leverageable authentication, and the requestor is provided with a notification related to the attempt to obtain access for the requestor to the client application.
43 Claims
1. A method of leveraging an established authenticated session in obtaining authentication to a client application, the method comprising:
receiving, at a client system, a first access request from a user to access a first client application selected from among a plurality of client applications;
in response to the first access request, presenting a graphical user interface to the user to solicit entry by the user of authentication credentials for the first client application;
receiving authentication credentials for the first client application entered by the user;
creating a first authentication request for access to the first client application based on the authentication credentials for the first client application entered by the user;
sending the first authentication request for access to the first client application to an intermediary system;
receiving, at the client system from the intermediary system, a master token and a first application token in response to the first authentication request for access to the first client application;
communicating the first application token from the client system to the first client application for authentication by the first client application;
storing, in electronic storage accessible by the client system, the master token received from the intermediary system;
receiving, at the client system, a second access request from the user to access a second client application selected from among the plurality of client applications, the second client application being different from the first client application;
in response to the second access request, accessing, from the electronic storage accessible by the client system, the master token;
creating a second authentication request for access to the second client application based on the accessed master token;
sending the second authentication request for access to the second client application to the intermediary system;
receiving, at the client system from the intermediary system, a second application token in response to the second authentication request for access to the second client application; and
communicating the second application token from the client system to the second client application for authentication by the second client application, wherein the first application token is different from the second application token;
wherein sending the first authentication request for access to the first client application to the intermediary system includes sending, over a network, the first authentication request for access to the first client application to a remote intermediary system that is remote from the client system;
wherein receiving, at the client system from the intermediary system, the master token and the first application token in response to the first authentication request for access to the first client application includes receiving, at the client system from the remote intermediary system over the network, the master token and the first application token in response to the first authentication request for access to the first client application;
wherein communicating the first application token from the client system to the first client application for authentication by the first client application includes communicating, over the network, the first application token from the client system to a first remote client application being run by a first remote system that is remote from the client system and different than the remote intermediary system;
wherein sending the second authentication request for access to the second client application to the intermediary system includes sending, over the network, the second authentication request for access to the second client application to the remote intermediary system;
wherein receiving, at the client system from the intermediary system, the second application token in response to the second authentication request for access to the second client application includes receiving, at the client system from the remote intermediary system over the network, the second application token in response to the second authentication request for access to the second client application; and
wherein communicating the second application token from the client system to the second client application for authentication by the second client application includes communicating, over the network, the second application token from the client system to a second remote client application being run by a second remote system that is remote from the client system and different than the remote intermediary system and the first remote system.
View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
22. A system including one or more devices that are controlled by but distinguished from software, the system comprising:
a client device;
an intermediary system that is remote from the client device;
a first remote server that is configured to run a first remote client application; and
a second remote server that is configured to run a second remote client application, wherein:
the client device receives a first access request from a user to access a first client application selected from among a plurality of client applications;
in response to the first access request, the client device presents a graphical user interface to the user to solicit entry by the user of authentication credentials for the first client application;
the client device receives authentication credentials for the first client application entered by the user;
the client device creates a first authentication request for access to the first client application based on the authentication credentials for the first client application entered by the user;
the client device sends the first authentication request for access to the first client application to the intermediary system;
the client device receives, from the intermediary system, a master token and a first application token in response to the first authentication request for access to the first client application;
the client device communicates the first application token to the first client application for authentication by the first client application;
the client device stores, in electronic storage accessible by the client device, the master token received from the intermediary system;
the client device receives a second access request from the user to access a second client application selected from among the plurality of client applications, the second client application being different from the first client application;
in response to the second access request, the client device accesses, from the electronic storage accessible by the client device, the master token;
the client device creates a second authentication request for access to the second client application based on the accessed master token;
the client device sends the second authentication request for access to the second client application to the intermediary system;
the client device receives, from the intermediary system, a second application token in response to the second authentication request for access to the second client application; and
the client device communicates the second application token to the second client application for authentication by the second client application, wherein the first application token is different from the second application token;
wherein the client device sends the first authentication request for access to the first client application to the intermediary system by sending, over a network, the first authentication request for access to the first client application to a remote intermediary system that is remote from the client device;
wherein the client device receives, from the intermediary system, the master token and the first application token in response to the first authentication request for access to the first client application by receiving, at the client device from the remote intermediary system over the network, the master token and the first application token in response to the first authentication request for access to the first client application;
wherein the client device communicates the first application token to the first client application for authentication by the first client application by communicating, over the network, the first application token from the client device to the first remote client application being run by the first remote system that is remote from the client device and different than the remote intermediary system;
wherein the client device sends the second authentication request for access to the second client application to the intermediary system by sending, over the network, the second authentication request for access to the second client application to the remote intermediary system;
wherein the client device receives, from the intermediary system, the second application token in response to the second authentication request for access to the second client application by receiving, at the client device from the remote intermediary system over the network, the second application token in response to the second authentication request for access to the second client application; and
wherein the client device communicates the second application token to the second client application for authentication by the second client application by communicating, over the network, the second application token from the client device to the second remote client application being run by the second remote system that is remote from the client device and different than the remote intermediary system and the first remote system.
View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42)
43. A system comprising:
a client device configured to run a common local authentication client, a non-browser client, and a browser client;
a common authorization web server that is remote from the client device;
a non-browser remote server that is configured to interact with the non-browser client and that is remote from the client device and the common authorization web server; and
a web remote server that is configured to interact with the browser client and that is remote from the client device, the common authorization web server, and the non-browser remote server, wherein:
the client device is configured to receive, from a user, a first command to launch the non-browser client and, in response to the first command, launch the non-browser client;
the common local authentication client is configured to, based on the first command to launch the non-browser client, determine that an active authentication session is not available and send, to the non-browser client, a message indicating that an active authentication session is not available;
the non-browser client is configured to: receive, from the common local authentication client, the message indicating that an active authentication session is not available; in response to the message indicating that an active authentication session is not available, present a login form to the user; receive login credentials entered by the user using the login form; and submit, to the common local authentication client, the login credentials and a non-browser client application identifier, the non-browser client application identifier being an application identifier associated with the non-browser client;
the common local authentication client is further configured to receive, from the non-browser client, the login credentials and the non-browser client application identifier and send, to the common authorization web server, the login credentials and the non-browser client application identifier;
the common authorization web server is configured to: receive, from the common local authentication client, the login credentials and the non-browser client application identifier; validate the login credentials and the non-browser client application identifier; generate a common local authentication client master token and a non-browser application token; and send, to the common local authentication client, the common local authentication client master token and the non-browser application token;
the common local authentication client is further configured to: receive, from the common authorization web server, the common local authentication client master token and the non-browser application token; store, in electronic storage accessible by the common local authentication client, the common local authentication client master token; and send, to the non-browser client, the non-browser application token;
the non-browser client is further configured to receive, from the common local authentication client, the non-browser application token and send, to the non-browser remote server, the non-browser application token;
the non-browser remote server is configured to: receive, from the non-browser client, the non-browser application token; validate the non-browser client based on the non-browser application token; and establish, with the non-browser client, a non-browser client authenticated session;
the client device is further configured to receive, from the user, a second command to launch the browser client and, in response to the second command, launch the browser client;
the common local authentication client is further configured to, based on the second command to launch the browser client, determine that an active authentication session is available and send, to the browser client, a message indicating that an active authentication session is available;
the browser client is configured to receive, from the common local authentication client, the message indicating that an active authentication session is available and, in response to the message indicating that an active authentication session is available, submit, to the common local authentication client, a browser client application identifier, the browser client application identifier being an application identifier associated with the browser client;
the common local authentication client is further configured to: receive, from the browser client, the browser client application identifier; access, from the electronic storage accessible by the common local authentication client, the common local authentication client master token; and send, to the common authorization web server, the common local authentication client master token and the browser client application identifier;
the common authorization web server is further configured to: receive, from the common local authentication client, the common local authentication client master token and the browser client application identifier; verify the common local authentication client master token and the browser client application identifier; generate a browser application token; and send, to the common local authentication client, the browser application token;
the common local authentication client is further configured to receive, from the common authorization web server, the browser application token, and send, to the browser client, the browser application token;
the browser client is further configured to receive, from the common local authentication client, the browser application token and send, to the web remote server, the browser application token; and
the web remote server is configured to: receive, from the browser client, the browser application token; validate the browser client based on the browser application token; and establish, with the browser client, a browser client authenticated session.
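The token exchange that claims 1, 22 and 43 describe, as an added example that is not the patent's or its assignee's code: a Python simulation in which the common local authentication client sends the user's credentials plus an application identifier to the authorization server, receives a master token and an application token, hands only the application token to the application, and on the second launch exchanges the stored master token for a second, different application token without prompting the user. The token format (HMAC-SHA256 over JSON claims), the per-application keys, the lifetimes, the application identifiers mail-desktop and portal-web and the sample user are assumptions for illustration. The example also adds two checks the claims leave to the implementer: each application token is bound to one audience and is rejected by any other application server, and the master token is never accepted by an application server at all.

```python
# Added example, not the patent's code: a master-token / application-token SSO exchange between a
# local authentication client, a common authorization server and per-application servers.
# The token format, HMAC keys, lifetimes, application identifiers and sample user are assumptions.
import base64, hashlib, hmac, json, secrets, time

def _sign(key: bytes, claims: dict) -> str:
    """Token = base64url(JSON claims) + '.' + base64url(HMAC-SHA256 tag over those claims)."""
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return ".".join(base64.urlsafe_b64encode(p).rstrip(b"=").decode() for p in (body, tag))

def _verify(key: bytes, token: str):
    """Return the claims if the tag is valid under `key` and the token is unexpired, else None."""
    try:
        body_b64, tag_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64 + "=" * (-len(body_b64) % 4))
        tag = base64.urlsafe_b64decode(tag_b64 + "=" * (-len(tag_b64) % 4))
    except ValueError:
        return None
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        return None
    claims = json.loads(body)
    return claims if claims.get("exp", 0) > time.time() else None

class AuthorizationServer:
    """Common authorization web server: sole holder of the master key; one shared key per application."""
    MASTER_TTL, APP_TTL = 8 * 3600, 300

    def __init__(self, users: dict, app_keys: dict):
        self._users = users          # constructed sample; a real server would store password hashes
        self._app_keys = app_keys    # app id -> key shared only with that application's server
        self._master_key = secrets.token_bytes(32)

    def login(self, username: str, password: str, app_id: str):
        expected = self._users.get(username)
        if expected is None or not hmac.compare_digest(expected, password) or app_id not in self._app_keys:
            return None
        now = int(time.time())
        master = _sign(self._master_key, {"typ": "master", "sub": username, "exp": now + self.MASTER_TTL})
        return master, self._issue_app_token(username, app_id, now)

    def exchange(self, master_token: str, app_id: str):
        claims = _verify(self._master_key, master_token)
        if claims is None or claims.get("typ") != "master" or app_id not in self._app_keys:
            return None
        return self._issue_app_token(claims["sub"], app_id, int(time.time()))

    def _issue_app_token(self, username: str, app_id: str, now: int) -> str:
        # Audience-bound and short-lived: verifiable only by the application server holding this key.
        return _sign(self._app_keys[app_id], {"typ": "app", "sub": username, "aud": app_id, "exp": now + self.APP_TTL})

class AppServer:
    """Remote application server: accepts only 'app' tokens addressed to it, under its own key."""
    def __init__(self, app_id: str, key: bytes):
        self.app_id, self._key = app_id, key

    def authenticate(self, token: str):
        claims = _verify(self._key, token)
        if claims is None or claims.get("typ") != "app" or claims.get("aud") != self.app_id:
            return None
        return claims["sub"]

class LocalAuthClient:
    """Common local authentication client: the only component that ever holds the master token."""
    def __init__(self, server: AuthorizationServer):
        self._server, self._master = server, None

    def obtain_app_token(self, app_id: str, credentials=None):
        """Exchange the stored master token if there is one; otherwise log in with `credentials`."""
        if self._master is not None:
            token = self._server.exchange(self._master, app_id)
            if token is not None:
                return token
            self._master = None          # master expired or rejected: fall back to a fresh login
        if credentials is None:
            return None                  # no session: the application must present its login form
        result = self._server.login(*credentials, app_id)
        if result is None:
            return None
        self._master, token = result
        return token

def demo() -> dict:
    """Run the two-application scenario from the claims and return the checks worth asserting."""
    app_keys = {"mail-desktop": secrets.token_bytes(32), "portal-web": secrets.token_bytes(32)}
    auth = AuthorizationServer({"alice": "correct horse battery"}, app_keys)
    mail, portal = AppServer("mail-desktop", app_keys["mail-desktop"]), AppServer("portal-web", app_keys["portal-web"])
    client = LocalAuthClient(auth)
    silent_first = client.obtain_app_token("mail-desktop")                       # None: no session yet
    t1 = client.obtain_app_token("mail-desktop", ("alice", "correct horse battery"))
    t2 = client.obtain_app_token("portal-web")                                    # silent: master token exchanged
    return {
        "login_form_needed_first": silent_first is None,
        "mail_user": mail.authenticate(t1),
        "portal_user": portal.authenticate(t2),
        "tokens_differ": t1 != t2,
        "cross_app_rejected": portal.authenticate(t1) is None and mail.authenticate(t2) is None,
        "master_rejected_by_app": mail.authenticate(client._master) is None,
    }
```

Two design points worth noting, neither of which the claims fix: the master token is the high-value credential, since whatever can read the client's electronic storage can mint application tokens for every registered application until it expires, so a deployment needs OS-protected storage on the client and server-side revocation; and application tokens are verifiable only by the server whose key signed them, which is what makes the first and second tokens different in more than just bytes.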
Specification