Providing tokens to access extranet resources
First Claim
1. A system for authenticating computer users comprising:
- a first login server disposed in an intranet and adapted to:
  - receive and validate a first user's credentials;
  - collect at least a first security identifier (“SID”) associated with the first user; and
  - create a first Security Association Markup Language (“SAML”) token, wherein the first SAML token includes the first SID;
- a second login server, disposed in a demilitarized zone (“DMZ”) associated with the intranet and adapted to:
  - receive the first SAML token;
  - validate the first SAML token; and
  - transform the first SAML token into a second SAML token, wherein the second SAML token includes the first SID and wherein there exists a trust relationship between the first login server and the second login server; and
- a web server disposed in the DMZ and adapted to:
  - receive a request from a web client for access to an application hosted by the web server, wherein the application authenticates users by comparing SIDs to an access control list;
  - receive the second SAML token from the second login server;
  - construct a third token at least in part from the first SID; and
  - provide the third token to the application for authentication of the first user.
2 Assignments
0 Petitions
Abstract
A system for authenticating computer users comprising a single active directory disposed in an intranet, a web server disposed in a DMZ associated with the intranet, and a web client coupled to the web server through an internet connection that is capable of signing on to the web server.
70 Citations
18 Claims
1. (Independent claim; text as given under First Claim above.) Dependent claims: 2, 3, 4, 5, 6
7. A method for validating a user attempting to access an application hosted on a web server computing device, wherein the web server computing device is located in a demilitarized zone (“DMZ”) associated with an intranet, the method comprising the following steps:
- receiving, by the web server computing device located in the DMZ, a request from a web client to access the application, wherein the request is received over an internet connection between the web client and the web server computing device and the web client is not located in the DMZ;
- redirecting the request to a login server located in the DMZ;
- receiving, by the web server computing device, a Security Association Markup Language (“SAML”) token, wherein the SAML token includes an assertion containing at least a first security identifier (“SID”) associated with the user;
- extracting the SID from the SAML token;
- constructing, by the web server computing device, a second token, wherein the second token is constructed at least in part using the SID and the second token is adapted to allow the application hosted on the web server to compare the SID to an access control list.
Dependent claims: 8, 9, 10, 11, 12
13. A system for validating a user attempting to access an application hosted on a web server computing device, wherein the web server computing device is located in a demilitarized zone (“DMZ”) associated with an intranet, the web server computing device comprising:
- at least one processor;
- a memory, communicatively coupled to the at least one processor and containing instructions that, when executed by the at least one processor, perform the following steps:
  - receiving, by the web server computing device located in the DMZ, a request from a web client to access the application, wherein the request is received over an internet connection between the web client and the web server computing device and the web client is not located in the DMZ;
  - redirecting the request to a login server located in the DMZ;
  - receiving, by the web server computing device, a Security Association Markup Language (“SAML”) token, wherein the SAML token includes an assertion containing at least a first security identifier (“SID”) associated with the user;
  - extracting the SID from the SAML token;
  - constructing, by the web server computing device, a second token, wherein the second token is constructed at least in part using the SID and the second token is adapted to allow the application hosted on the web server to compare the SID to an access control list.
Dependent claims: 14, 15, 16, 17, 18
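The web-server side of claims 1, 7 and 13 (validate the SAML token received from the DMZ login server, extract the SID from its assertion, build a second token carrying that SID, and let the application compare the SID to its access control list), as an added Python example that is not part of the patent or of any product it covers. It makes several assumptions: a shared-secret MAC stands in for XML-DSig validation of the assertion and for the trust relationship with the login server; the attribute name used for the SID, the issuer URL, the keys, the ACL and the SIDs are constructed placeholders; and the clock is fixed so the run is deterministic.

```python
import base64
import hashlib
import hmac
import json
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumed attribute name under which the login server places the user's SID.
SID_ATTRIBUTE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"
# Constructed placeholders: trusted DMZ login server and the keys modelling the trust
# relationship (a shared-secret MAC stands in for XML-DSig in this example).
TRUSTED_ISSUER = "https://login.dmz.example.invalid"
ASSERTION_KEY = b"constructed-login-server-key"
APP_TOKEN_KEY = b"constructed-web-server-key"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
FIXED_NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # deterministic clock


def build_sample_assertion(sid, issuer=TRUSTED_ISSUER, now=FIXED_NOW):
    """Constructed sample of what the DMZ login server would emit: assertion XML plus a MAC."""
    not_before = (now - timedelta(minutes=1)).strftime(TIME_FMT)
    not_after = (now + timedelta(minutes=5)).strftime(TIME_FMT)
    xml = (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_after}"/>'
        f'<saml:AttributeStatement><saml:Attribute Name="{SID_ATTRIBUTE}">'
        f"<saml:AttributeValue>{sid}</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>"
        "</saml:Assertion>"
    ).encode()
    return xml, hmac.new(ASSERTION_KEY, xml, hashlib.sha256).hexdigest()


def extract_sid(assertion_xml, mac, now=FIXED_NOW):
    """Validate the received token, then extract the SID (claim 7 steps); raises ValueError on any failure."""
    expected = hmac.new(ASSERTION_KEY, assertion_xml, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        raise ValueError("assertion integrity check failed")
    root = ET.fromstring(assertion_xml)  # production code should use a hardened XML parser
    issuer = root.findtext("saml:Issuer", namespaces=SAML_NS)
    if issuer != TRUSTED_ISSUER:
        raise ValueError(f"untrusted issuer {issuer!r}")
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        raise ValueError("assertion has no validity conditions")
    not_before = datetime.strptime(cond.get("NotBefore"), TIME_FMT).replace(tzinfo=timezone.utc)
    not_after = datetime.strptime(cond.get("NotOnOrAfter"), TIME_FMT).replace(tzinfo=timezone.utc)
    if not (not_before <= now < not_after):
        raise ValueError("assertion outside its validity window")
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == SID_ATTRIBUTE:
            value = attr.findtext("saml:AttributeValue", namespaces=SAML_NS)
            if value and value.startswith("S-1-"):  # only accept a well-formed Windows SID
                return value
    raise ValueError("assertion carries no SID")


def construct_app_token(sid, now=FIXED_NOW):
    """The 'second token' of claim 7: a MAC-protected structure carrying the SID for the application."""
    issued = int(now.timestamp())
    body = json.dumps({"sid": sid, "iat": issued, "exp": issued + 300}, separators=(",", ":")).encode()
    tag = hmac.new(APP_TOKEN_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(tag).decode()


def application_authorizes(app_token, acl, now=FIXED_NOW):
    """The application's side: verify the second token, then compare its SID to the access control list."""
    body_b64, tag_b64 = app_token.split(".", 1)
    body = base64.urlsafe_b64decode(body_b64)
    expected = hmac.new(APP_TOKEN_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.urlsafe_b64decode(tag_b64)):
        return False
    claims = json.loads(body)
    if not (claims["iat"] <= int(now.timestamp()) < claims["exp"]):
        return False
    return claims["sid"] in acl


if __name__ == "__main__":
    # Constructed SID and ACL; the whole flow run end to end.
    acl = {"S-1-5-21-1000000000-2000000000-3000000000-1104"}
    xml, mac = build_sample_assertion("S-1-5-21-1000000000-2000000000-3000000000-1104")
    token = construct_app_token(extract_sid(xml, mac))
    print("authorized:", application_authorizes(token, acl))
```

The check order matters: integrity first, then issuer, then the validity window, and only then the attribute lookup, so an assertion from an unknown issuer never reaches the SID extraction even if it is well formed.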