Method and apparatus for facilitating single sign-on to applications

US 7,540,020 B1
Filed: 02/19/2003
Issued: 05/26/2009
Est. Priority Date: 02/19/2003
Status: Active Grant

First Claim

Patent Images

1. A method for performing single sign-on to web applications on a website host computer using dynamic directives, comprising:

receiving a first request at a web application from a user to access public content;

providing the public content to the user;

receiving a second request from the user to access private content;

sending a first dynamic directive to a web module, wherein the first dynamic directive specifies that an authentication credential is required from the user, and wherein the web module can access a single sign-on server on behalf of the application;

allowing the web module to request the authentication credential from the single sign-on server on behalf of the application;

when a token is received from the single sign-on server at the application, wherein the token includes the authentication credential and an access time,providing private content to the user;

when a logout request is sent by the user to the application and the logout request is received from the user at the application,sending a second dynamic directive to the web module from the application, wherein the second dynamic directive requests a logout;

upon examining the second dynamic directive in the web module and discovering that the logout is requested,requesting that the single sign-on server log out the user, and informing partner applications that the user has logged out,wherein the user is logged out only with respect to receiving private content from the partner applications, wherein the partner applications are related applications that also make use of the single sign on server; and

wherein if the access time within the token indicates that a specified timeout period has elapsed;

sending a third dynamic directive to the web module from the application, wherein the third dynamic directive requests a logout; and

allowing the web module to,discover that the logout is requested,request that the single sign-on server log out the user, andinform all partner applications that the user has logged out, wherein the user is logged out only with respect to receiving private content from the partner applications.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One embodiment of the present invention provides a system that performs single sign-on to web applications using dynamic directives. The system operates by first receiving a request at an application to provide content to a user. In response to the request, the application provides public content to the user. Upon receiving a request from the user to access private content, the application sends a dynamic directive to a web module that can access a single sign-on server on behalf of the application, wherein the dynamic directive specifies that an authentication credential is required from the user. Next, the application allows the web module to request the authentication credential from the single sign-on server on behalf of the application. When the authentication credential is received from the single sign-on server, the application provides the private content to the user.

40 Citations

View as Search Results

18 Claims

1. A method for performing single sign-on to web applications on a website host computer using dynamic directives, comprising:
- receiving a first request at a web application from a user to access public content;
  
  providing the public content to the user;
  
  receiving a second request from the user to access private content;
  
  sending a first dynamic directive to a web module, wherein the first dynamic directive specifies that an authentication credential is required from the user, and wherein the web module can access a single sign-on server on behalf of the application;
  
  allowing the web module to request the authentication credential from the single sign-on server on behalf of the application;
  
  when a token is received from the single sign-on server at the application, wherein the token includes the authentication credential and an access time,providing private content to the user;
  
  when a logout request is sent by the user to the application and the logout request is received from the user at the application,sending a second dynamic directive to the web module from the application, wherein the second dynamic directive requests a logout;
  
  upon examining the second dynamic directive in the web module and discovering that the logout is requested,requesting that the single sign-on server log out the user, and informing partner applications that the user has logged out,wherein the user is logged out only with respect to receiving private content from the partner applications, wherein the partner applications are related applications that also make use of the single sign on server; and
  
  wherein if the access time within the token indicates that a specified timeout period has elapsed;
  
  sending a third dynamic directive to the web module from the application, wherein the third dynamic directive requests a logout; and
  
  allowing the web module to,discover that the logout is requested,request that the single sign-on server log out the user, andinform all partner applications that the user has logged out, wherein the user is logged out only with respect to receiving private content from the partner applications.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein if the single sign-on server currently has the token for the user, the method further comprises:
    - updating the access time within the token; and
      
      supplying the token to the web module, wherein the token includes the authentication credential.
  - 3. The method of claim 2, wherein if the single sign-on server does not currently have the token for the user, the method further comprises:
    - requesting the authentication credential from the user;
      
      receiving the authentication credential from the user;
      
      creating the token, wherein the token includes the authentication credential and the access time; and
      
      supplying the token to the web module.
  - 4. The method of claim 1, wherein the web module intercepts requests sent to and responses received from the application.
  - 5. The method of claim 1, wherein the authentication credential includes a user name and a password.
  - 6. The method of claim 1, wherein a protocol code in the first dynamic directive includes a hypertext transfer protocol (HTTP) transaction code.

7. A computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method for performing single sign-on to web applications on a website host computer using dynamic directives, the method comprising:
- receiving a first request at a web application from a user to access public content;
  
  providing the public content to the user;
  
  receiving a second request from the user to access private content;
  
  sending a first dynamic directive to a web module, wherein the first dynamic directive specifies that an authentication credential is required from the user, and wherein the web module can access a single sign-on server on behalf of the application;
  
  allowing the web module to request the authentication credential from the single sign-on server on behalf of the application;
  
  when a token is received from the single sign-on server at the application wherein the token includes the authentication credential and an access time,providing private content to the user;
  
  when a logout request is sent by the user to the application and the logout request is received from the user at the application,sending a second dynamic directive to the web module from the application, wherein the second dynamic directive requests a logout;
  
  upon examining the second dynamic directive in the web module and discovering that the logout is requested,requesting that the single sign-on server log out the user, and informing partner applications that the user has logged out,wherein the user is logged out only with respect to receiving private content from the partner applications, wherein the partner applications are related applications that also make use of the single sign on server; and
  
  wherein if the access time within the token indicates that a specified timeout period has elapsed;
  
  sending a third dynamic directive to the web module from the application, wherein the third dynamic directive requests a logout; and
  
  allowing the web module to,discover that the logout is requested,request that the single sign-on server log out the user, andinform all partner applications that the user has logged out, wherein the user is logged out only with respect to receiving private content from the partner applications, wherein the partner applications are related applications that also make use of the single sign on server.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The computer-readable storage medium of claim 7, wherein if the single sign-on server currently has the token for the user, the method further comprises:
    - updating the access time within the token; and
      
      supplying the token to the web module, wherein the token includes the authentication credential.
  - 9. The computer-readable storage medium of claim 8, wherein if the single sign-on server does not currently have the token for the user, the method further comprises:
    - requesting the authentication credential from the user;
      
      receiving the authentication credential from the user;
      
      creating the token, wherein the token includes the authentication credential and the access time; and
      
      supplying the token to the web module.
  - 10. The computer-readable storage medium of claim 7, wherein the web module intercepts requests sent to and responses received from the application.
  - 11. The computer-readable storage medium of claim 7, wherein the authentication credential includes a user name and a password.
  - 12. The computer-readable storage medium of claim 7, wherein a protocol code in the first dynamic directive includes a hypertext transfer protocol (HTTP) transaction code.

13. An apparatus for performing single sign-on to web applications on a website host computer using dynamic directives, comprising:
- a receiving mechanism configured to receive a first request at a web application from a user to access public content;
  
  a providing mechanism configured to provide the public content to the user;
  
  wherein the receiving mechanism is further configured to receive a second request from the user to access private content;
  
  a sending mechanism configured to send a first dynamic directive to a web module, wherein the first dynamic directive specifies that an authentication credential is required from the user, and wherein the web module can access a single sign-on server on behalf of the application;
  
  a requesting mechanism configured to request the authentication credential from the single sign-on server;
  
  wherein the providing mechanism is further configured to provide private content to the user when a token is received from the single sign-on server at the application, wherein the token includes the authentication credential and an access time;
  
  wherein the receiving mechanism is further configured to receive a logout request from the user at the application, wherein the logout request is sent by the user to the application;
  
  wherein the sending mechanism is further configured to send a second dynamic directive to the web module from the application, wherein the protocol code in the second dynamic directive requests a logout;
  
  an examining mechanism configured to examine the protocol code in the web module to discover that the logout is requested;
  
  wherein the requesting mechanism is further configured to request the single sign-on server to log out the user;
  
  wherein if the access time within the token indicates that a specified timeout period has elapsed;
  
  the sending mechanism is further configured to send a third dynamic directive to the web module from the application, wherein the third dynamic directive requests a logout;
  
  a discovering mechanism configured to discover that the logout is requested;
  
  wherein the requesting mechanism is further configured to request the single sign-on server to log out the user; and
  
  a logout mechanism configured to inform all partner applications that the user has logged out, wherein the user is logged out only with respect to receiving private content from the partner applications, wherein the partner applications are related applications that also make use of the single sign on server.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The apparatus of claim 13, further comprising:
    - an updating mechanism configured to update the access time within the token; and
      
      a token supplying mechanism configured to supply the token to the web module, wherein the token includes the authentication credential.
  - 15. The apparatus of claim 14,wherein the requesting mechanism is further configured to request the authentication credential from the user if the single sign-on server does not currently have the token for the user;
    - and wherein the apparatus further comprises;
      
      a credential receiving mechanism configured to receive the authentication credential from the usera creating mechanism configured to create the token, wherein the token includes the authentication credential and the access time; and
      
      a token supplying mechanism configured to supply the token to the web module.
  - 16. The apparatus of claim 13, further comprising an intercept mechanism within the web module that is configured to intercept requests sent to and responses received from the application.
  - 17. The apparatus of claim 13, wherein the authentication credential includes a user name and a password.
  - 18. The apparatus of claim 13, wherein a protocol code in the first dynamic directive includes a hypertext transfer protocol (HTTP) transaction code.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Biswas, Kamalendu, Bhatia, Gaurav, Swaminathan, Arun
Primary Examiner(s)
Nalven; Andrew L

Application Number

US10/370,970
Time in Patent Office

2,288 Days
Field of Search

726/29, 726/6
US Class Current

726/6
CPC Class Codes

H04L 63/0815 providing single-sign-on or...

Method and apparatus for facilitating single sign-on to applications

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

40 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

Method and apparatus for facilitating single sign-on to applications

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

40 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others