Methods for more flexible SAML session
Abstract
In accordance with one embodiment of the present invention, there is provided a mechanism for navigating seamlessly between sites in a computing environment in order to access resources without requiring users or user agents to re-authenticate. In one embodiment, there is provided the ability to determine different attribute sets for use with different resources on a target site, for a user or user agent that has authenticated with a first site and seeks to access one or more resources of a second site without re-authenticating. In one embodiment, there is provided the ability to map accounts on the first site to accounts on the second site using a set of attributes selected from among the attributes provided by an application on the first site. With this mechanism, applications or other resources can share information about a user or user agent across disparate web sites seamlessly.
9 Claims
1. A method, comprising:
- receiving by a second server at a second site a first request from a first server at a first site to access a resource on the second site, wherein a first user has authenticated with the first site;
- receiving from the first site a first assertion comprising an identifier indicating the first site as a source of the first assertion, an indication that the first user is authorized to access the resource on the second site, and a first set of attributes associated with a first account on the first site;
- determining, based upon the first assertion and a mapping, a subset of the first set of attributes to be used for mapping accounts on the first site to accounts on the second site, wherein the subset of the first set of attributes does not include an account identifier for the first account on the first site;
- mapping the first account on the first site to a particular account on the second site based upon the subset of the first set of attributes;
- receiving at the second site a second request from the first site to access the resource on the second site, wherein a second user has authenticated with the first site, the second user differing from the first user;
- receiving from the first site a second assertion comprising an identifier indicating the first site as a source of the second assertion, an indication that the second user is authorized to access the resource on the second site, and a second set of attributes associated with a second account on the first site;
- determining, based upon the second assertion and a mapping, a subset of the second set of attributes to be used for mapping accounts on the first site to accounts on the second site, wherein the subset of the second set of attributes does not include an account identifier for the second account on the first site, and wherein the subset of the second set of attributes includes at least one attribute in common with the subset of the first set of attributes; and
- mapping the second account on the first site to the same particular account on the second site based upon the subset of the second set of attributes, thereby mapping a plurality of accounts on the first site to the same particular account on the second site.

View Dependent Claims (2, 3, 4)

5. A machine readable storage medium, carrying one or more sequences of instructions for mapping accounts within a single sign-on computing environment, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of:
- receiving at a second site a first request from a first site to access a resource on the second site, wherein a first user has authenticated with the first site;
- receiving from the first site a first assertion comprising an identifier indicating the first site as a source of the first assertion, an indication that the first user is authorized to access the resource on the second site, and a first set of attributes associated with a first account on the first site;
- determining, based upon the first assertion and a mapping, a subset of the first set of attributes to be used for mapping accounts on the first site to accounts on the second site, wherein the subset of the first set of attributes does not include an account identifier for the first account on the first site;
- mapping the first account on the first site to a particular account on the second site based upon the subset of the first set of attributes;
- receiving at the second site a second request from the first site to access the resource on the second site, wherein a second user has authenticated with the first site, the second user differing from the first user;
- receiving from the first site a second assertion comprising an identifier indicating the first site as a source of the second assertion, an indication that the second user is authorized to access the resource on the second site, and a second set of attributes associated with a second account on the first site;
- determining, based upon the second assertion and a mapping, a subset of the second set of attributes to be used for mapping accounts on the first site to accounts on the second site, wherein the subset of the second set of attributes does not include an account identifier for the second account on the first site, and wherein the subset of the second set of attributes includes at least one attribute in common with the subset of the first set of attributes; and
- mapping the second account on the first site to the same particular account on the second site based upon the subset of the second set of attributes, thereby mapping a plurality of accounts on the first site to the same particular account on the second site.

View Dependent Claims (6, 7, 8)

9. An apparatus, comprising one or more processors configured to implement:
- a mechanism for receiving by a second server at a second site a first request from a first server at a first site to access a resource on the second site, wherein a first user has authenticated with the first site;
- a mechanism for receiving from the first site a first assertion comprising an identifier indicating the first site as a source of the first assertion, an indication that the first user is authorized to access the resource on the second site, and a first set of attributes associated with a first account on the first site;
- a mechanism for determining, based upon the first assertion and a mapping, a subset of the first set of attributes to be used for mapping accounts on the first site to accounts on the second site, wherein the subset of the first set of attributes does not include an account identifier for the first account on the first site;
- a mechanism for mapping the first account on the first site to a particular account on the second site based upon the subset of the first set of attributes;
- a mechanism for receiving at the second site a second request from the first site to access the resource on the second site, wherein a second user has authenticated with the first site, the second user differing from the first user;
- a mechanism for receiving from the first site a second assertion comprising an identifier indicating the first site as a source of the second assertion, an indication that the second user is authorized to access the resource on the second site, and a second set of attributes associated with a second account on the first site;
- a mechanism for determining, based upon the second assertion and a mapping, a subset of the second set of attributes to be used for mapping accounts on the first site to accounts on the second site, wherein the subset of the second set of attributes does not include an account identifier for the second account on the first site, and wherein the subset of the second set of attributes includes at least one attribute in common with the subset of the first set of attributes; and
- a mechanism for mapping the second account on the first site to the same particular account on the second site based upon the subset of the second set of attributes, thereby mapping a plurality of accounts on the first site to the same particular account on the second site.
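The abstract and the claims above describe the second site (the SAML service provider) choosing, per resource, a subset of the asserted attributes that excludes the first site's account identifier, and mapping the asserting account to a local account on that subset, so that several distinct first-site users can land on one shared second-site account. The following Python is an added illustration written for this page; it is not code from the patent or from any product. All names (the `TRUSTED_ISSUERS` set, the `RESOURCE_MAPPING_ATTRS` table, the `LOCAL_ACCOUNTS` table, the issuer and attribute values) are hypothetical, the two assertions are constructed here, and it assumes XML signature verification and audience/time-condition checks have already been performed on the assertion before it reaches this mapping step.

```python
"""Attribute-based account mapping at a SAML 2.0 service provider.

Added example (not the patent's own code). Shows the technique in the
claims: per resource, pick a subset of asserted attributes that never
includes the IdP-side account identifier (Subject/NameID or the 'uid'
attribute), and key the local account on that subset. Two different IdP
users with the same subset then map to one shared local account.

Assumes the assertion's XML signature, audience and validity window were
verified upstream; this code only handles issuer check and mapping.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical identity provider (the "first site") we accept assertions from.
TRUSTED_ISSUERS = {"https://idp.example.org"}

# Attribute names that identify the account on the first site and therefore
# must never be part of the mapping subset (per the claims).
IDP_ACCOUNT_ID_ATTRS = {"uid", "NameID"}

# Hypothetical per-resource mapping rules: which asserted attributes identify
# the local account for that resource (the abstract's "different attribute
# sets for different resources").
RESOURCE_MAPPING_ATTRS = {
    "/reports": ("department", "role"),
    "/wiki": ("department", "role", "team"),
}

# Hypothetical local accounts on the second site, keyed by resource plus the
# tuple of mapping-attribute values.
LOCAL_ACCOUNTS = {
    ("/reports", ("finance", "analyst")): "shared-finance-analyst",
    ("/wiki", ("finance", "analyst", "tax")): "wiki-finance-tax",
    ("/wiki", ("finance", "analyst", "audit")): "wiki-finance-audit",
}


def parse_assertion(xml_text: str) -> dict:
    """Extract issuer, subject NameID and attributes from a SAML 2.0 Assertion."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    attributes = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attributes[attr.get("Name")] = values
    return {"issuer": issuer, "name_id": name_id, "attributes": attributes}


def map_account(assertion: dict, resource: str) -> str:
    """Map the asserting first-site account to a local account for `resource`.

    Raises PermissionError when the issuer is untrusted, no mapping rule
    exists for the resource, a required attribute is missing or multi-valued,
    or no local account matches the selected attribute subset.
    """
    if assertion["issuer"] not in TRUSTED_ISSUERS:
        raise PermissionError(f"untrusted issuer {assertion['issuer']!r}")
    attr_names = RESOURCE_MAPPING_ATTRS.get(resource)
    if attr_names is None:
        raise PermissionError(f"no mapping configured for {resource!r}")
    # Defensive guard: the configured subset must never include the first
    # site's account identifier; the mapping key is built only from attributes.
    if IDP_ACCOUNT_ID_ATTRS & set(attr_names):
        raise PermissionError("mapping subset may not include the IdP account identifier")
    key = []
    for name in attr_names:
        values = assertion["attributes"].get(name, [])
        if len(values) != 1:
            raise PermissionError(f"assertion lacks a single-valued {name!r} attribute")
        key.append(values[0])
    local = LOCAL_ACCOUNTS.get((resource, tuple(key)))
    if local is None:
        raise PermissionError(f"no local account for {resource!r} with attributes {tuple(key)!r}")
    return local


def build_assertion(name_id: str, attrs: dict, issuer: str = "https://idp.example.org") -> str:
    """Build a minimal, unsigned, constructed assertion for demonstration only."""
    attr_xml = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
        for n, v in attrs.items()
    )
    return (
        f'<saml:Assertion xmlns:saml="{NS["saml"]}" ID="_constructed" Version="2.0">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
        f"<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>"
        "</saml:Assertion>"
    )


# Constructed sample assertions: two distinct first-site users whose
# department and role agree but whose team differs.
ALICE_ASSERTION = build_assertion(
    "alice", {"uid": "alice", "department": "finance", "role": "analyst", "team": "tax"})
BOB_ASSERTION = build_assertion(
    "bob", {"uid": "bob", "department": "finance", "role": "analyst", "team": "audit"})


if __name__ == "__main__":
    for label, xml_text in (("alice", ALICE_ASSERTION), ("bob", BOB_ASSERTION)):
        a = parse_assertion(xml_text)
        print(label, "->", map_account(a, "/reports"), "/", map_account(a, "/wiki"))
```

For `/reports` both users map to the same shared local account because the mapping subset is only (department, role); for `/wiki` the subset adds `team`, so the same two assertions map to two different local accounts. The issuer check matters because the mapping key is built from attributes rather than the subject identifier: any issuer able to assert the right attribute values would otherwise reach the shared account, so only assertions from the configured, signature-verified first site may be fed to `map_account`.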