Providing tokens to access extranet resources

US 7,603,555 B2
Filed: 06/30/2005
Issued: 10/13/2009
Est. Priority Date: 12/07/2004
Status: Active Grant

First Claim

Patent Images

1. A system for authenticating computer users comprising:

a first login server disposed in an intranet and adapted to;

receive and validate a first user'"'"'s credentials;

collect at least a first security identifier (“

SID”

) associated with the first user; and

create a first Security Association Markup Language (“

SAML”

) token, wherein the first SAML token includes the first SID;

a second login server, disposed in a demilitarized zone (“

DMZ”

) associated with the intranet and adapted to;

receive the first SAML token;

validate the first SAML token; and

transform the first SAML token into a second SAML token, wherein the second SAML token includes the first SID and wherein there exists a trust relationship between the first login server and the second login server; and

a web server disposed in the DMZ and adapted to;

receive a request from a web client for access to an application hosted by the web server, wherein the application authenticates users by comparing SIDs to an access control list;

receive the second SAML token from the second login server;

construct a third token at least in part from the first SID; and

provide the third token to the application for authentication of the first user.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for authenticating computer users comprising a single active directory disposed in an intranet, a web server disposed in a DMZ associated with the intranet, and a web client coupled to the web server through an internet connection that is capable of signing on to the web server.

70 Citations

View as Search Results

18 Claims

1. A system for authenticating computer users comprising:
- a first login server disposed in an intranet and adapted to;
  
  receive and validate a first user'"'"'s credentials;
  
  collect at least a first security identifier (“
  
  SID”
  
  ) associated with the first user; and
  
  create a first Security Association Markup Language (“
  
  SAML”
  
  ) token, wherein the first SAML token includes the first SID;
  
  a second login server, disposed in a demilitarized zone (“
  
  DMZ”
  
  ) associated with the intranet and adapted to;
  
  receive the first SAML token;
  
  validate the first SAML token; and
  
  transform the first SAML token into a second SAML token, wherein the second SAML token includes the first SID and wherein there exists a trust relationship between the first login server and the second login server; and
  
  a web server disposed in the DMZ and adapted to;
  
  receive a request from a web client for access to an application hosted by the web server, wherein the application authenticates users by comparing SIDs to an access control list;
  
  receive the second SAML token from the second login server;
  
  construct a third token at least in part from the first SID; and
  
  provide the third token to the application for authentication of the first user.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The system for authenticating computer users of claim 1, in which the second SAML token an ADFS token.
  - 3. The system for authenticating computer users of claim 1, in which the first and second SAML tokens further include a group SID for the first user.
  - 4. The system for authenticating computer users of claim 1, further comprising a web client, wherein the web client receives the first SAML token as a cookie and sends the first SAML token to the second login server.
  - 5. The system for authenticating computer users of claim 4, in which the cookie is expressed in XML.
  - 6. The system for authenticating computer users of claim 1, wherein the second login server filters the first SID prior to creating the second SAML token.

7. A method for validating a user attempting to access an application hosted on a web server computing device, wherein the web server computing device is located in a demilitarized zone (“
- DMZ”
  
  ) associated with an intranet, the method comprising the following steps;
  
  receiving, by the web server computing device located in the DMZ, a request from a web client to access the application, wherein the request is received over an internet connection between the web client and the web server computing device and the web client is not located in the DMZ;
  
  redirecting the request to a login server located in the DMZ;
  
  receiving, by the web server computing device, a Security Association Markup Language (“
  
  SAML”
  
  ) token, wherein the SAML token includes an assertion containing at least a first security identifier (“
  
  SID”
  
  ) associated with the user;
  
  extracting the SID from the SAML token;
  
  constructing, by the web server computing device, a second token, wherein the second token is constructed at least in part using the SID and the second token is adapted to allow the application hosted on the web server to compare the SID to an access control list.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The method of claim 7, wherein the SAML token is contained in a cookie received from the web client.
  - 9. The method of claim 8, wherein the SAML token is created by the login server and wherein the login server directs the web client to store the SAML token in the cookie.
  - 10. The method of claim 7, wherein the SAML token includes a group SID for the user.
  - 11. The method of claim 7, wherein the SAML token is received from the login server.
  - 12. The method of claim 7, wherein the SID is inserted into an advice element of the SAML token.

13. A system for validating a user attempting to access an application hosted on a web server computing device, wherein the web server computing device is located in a demilitarized zone (“
- DMZ”
  
  ) associated with an intranet, the web server computing device comprising;
  
  at least one processor;
  
  a memory, communicatively coupled to the at least one processor and containing instructions that, when executed by the at least one processor, perform the following steps;
  
  receiving, by the web server computing device located in the DMZ, a request from a web client to access the application, wherein the request is received over an internet connection between the web client and the web server computing device and the web client is not located in the DMZ;
  
  redirecting the request to a login server located in the DMZ;
  
  receiving, by the web server computing device, a Security Association Markup Language (“
  
  SAML”
  
  ) token, wherein the SAML token includes an assertion containing at least a first security identifier (“
  
  SID”
  
  ) associated with the user;
  
  extracting the SID from the SAML token;
  
  constructing, by the web server computing device, a second token, wherein the second token is constructed at least in part using the SID and the second token is adapted to allow the application hosted on the web server to compare the SID to an access control list.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The method of claim 13, wherein the SAML token is contained in a cookie received from the web client.
  - 15. The method of claim 14, wherein the SAML token is created by the login server and wherein the login server directs the web client to store the SAML token in the cookie.
  - 16. The method of claim 13, wherein the SAML token includes a group SID for the user.
  - 17. The method of claim 13, wherein the SAML token is received from the login server.
  - 18. The method of claim 13, wherein the SID is inserted into an advice element of the SAML token.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Raghavan, Harini, Shenoy, Krishnanand, Mowers, David R., Johnson, Ryan D., Tevosyan, Kahren, Hur, Matthew, Schmidt, Donald E., Spelman, Jeffrey F.
Primary Examiner(s)
JUNG, DAVID YIUK

Application Number

US11/173,004
Publication Number

US 20060123234A1
Time in Patent Office

1,566 Days
Field of Search

713/168, 713/150, 713/151
US Class Current

713/168
CPC Class Codes

H04L 63/0209   Architectural arrangements,...

H04L 63/0815   providing single-sign-on or...

H04L 63/168   above the transport layer

Providing tokens to access extranet resources

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

70 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Providing tokens to access extranet resources

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

70 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links