Session ticket authentication scheme

US 7,747,856 B2
Filed: 07/24/2003
Issued: 06/29/2010
Est. Priority Date: 07/26/2002
Status: Expired due to Fees

First Claim

Patent Images

1. A method comprising:

intercepting at an agent residing on a processor-controlled server a first request to grant a web service customer access to a first web service, the agent residing between the web service customer and the first web service and between the web service customer and a second web service;

collecting at the agent one or more authentication credentials of the web service customer;

determining at the agent whether the web service customer is authenticated and authorized;

if the web service customer is authenticated and authorized, at the agent;

granting the first request;

initiating creation of a session and a session ticket;

obtaining a session ticket ID for the session ticket; and

encrypting the session ticket ID and a public key into an assertion;

intercepting at the agent a second request to grant the web service customer access to the second web service, the second request comprising the assertion and a signature associated with a private key; and

if the private key matches the public key in the assertion, granting at the agent the second request without reauthenticating or reauthorizing the web service customer.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of propagating a user'"'"'s authentication/session information between different requests to Web services in a network includes a web server receiving a request for access to a first web service. The request is intercepted with an agent and authentication credentials are collected. A determination is made whether the web service customer is authenticated and authorized. If the web service customer is authenticated and authorized, a session and session ticket are created. An ID and the session ticket are returned to the web server. The session ticket ID and a public key are encrypted into an assertion. The assertion is sent to the first web service. The assertion is then returned to the web service customer for use with future requests. The assertion can be in the form of a SAML assertion.

Citations

24 Claims

1. A method comprising:
- intercepting at an agent residing on a processor-controlled server a first request to grant a web service customer access to a first web service, the agent residing between the web service customer and the first web service and between the web service customer and a second web service;
  
  collecting at the agent one or more authentication credentials of the web service customer;
  
  determining at the agent whether the web service customer is authenticated and authorized;
  
  if the web service customer is authenticated and authorized, at the agent;
  
  granting the first request;
  
  initiating creation of a session and a session ticket;
  
  obtaining a session ticket ID for the session ticket; and
  
  encrypting the session ticket ID and a public key into an assertion;
  
  intercepting at the agent a second request to grant the web service customer access to the second web service, the second request comprising the assertion and a signature associated with a private key; and
  
  if the private key matches the public key in the assertion, granting at the agent the second request without reauthenticating or reauthorizing the web service customer.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein the assertion comprises a Security Assertions Markup Language (SAML) assertion.
  - 3. The method of claim 1, wherein the agent comprises an Extensible Markup Language (XML) agent.
  - 4. The method of claim 1, wherein determining whether the web service customer is authenticated and authorized comprises comparing the web service customer with a database containing authentication and authorization data.
  - 5. The method of claim 1:
    - wherein the first request and the second request both originate at the web service customer; and
      
      the method further comprising communicating the assertion to the web service customer to enable the web service customer to access the second web service without reauthentication or reauthorization after the web service customer accesses the first web service.
  - 6. The method of claim 1:
    - wherein the first request originates at the web service customer and the second request originates at the first web service; and
      
      the method further comprising communicating the assertion to the first web service to enable the web service customer to access the second web service without reauthentication or reauthorization after the web service customer accesses the first web service.
  - 7. The method of claim 6, wherein the second request is intercepted at the agent before reaching the second web service.
  - 8. The method of claim 6, wherein the second request originates at the first web service independent of the web service customer requesting access to the second web service.
  - 9. The method of claim 1, further comprisingat the agent, placing the assertion into a header;
    - sending the assertion to the first web service;
      
      returning the assertion to the web service consumer.
  - 10. The method of claim 1, wherein the second request comprises an XML document containing the assertion;
    - andwherein the web service customer has signed the XML document with the private key.
  - 11. The method of claim 1, wherein granting at the agent the second request without reauthenticating or reauthorizing the web service customer further comprises:
    - using, at the agent, the session ticket ID with the assertion to determine if the web service customer is authenticated to access the second web service; and
      
      if the user is authenticated, granting at the agent the second request without reauthenticating or reauthorizing the web service customer.
  - 12. The method of claim 1, wherein the second request is intercepted at the agent before reaching the second web service.
  - 13. The method of claim 1, further comprising determining at the agent whether the public key matches the private key.

14. A method comprising:
- intercepting at an agent residing on a processor-controlled server a request to grant a web service customer access to a first web service, the agent residing between the web service customer and the first web service and between the web service customer and a second web service, the request comprising an encrypted assertion and a signature associated with a private key, the encrypted assertion comprising a public key and a session ticket ID for a session ticket obtained prior to the request and in response to authentication and authorization of the web service customer for access to the second web service; and
  
  if the private key matches the public key in the assertion, granting at the agent the second request without reauthenticating or reauthorizing the web service customer.
- View Dependent Claims (15, 16, 17)
- - 15. The method of claim 14, wherein the assertion comprises a Security Assertions Markup Language (SAML) assertion.
  - 16. The method of claim 14, wherein the request originates at the web service customer.
  - 17. The method of claim 14, wherein request originates at the second web service.

18. An apparatus comprising:
- one or more processors residing between a web service customer and a first web service and between the web service customer and a second web service; and
  
  a memory coupled to the processors comprising one or more instructions executable at the processors, the processors operable when executing the instructions to;
  
  intercept a first request to grant the web service customer access to the first web service;
  
  collect one or more authentication credentials of the web service customer;
  
  determine whether the web service customer is authenticated and authorized;
  
  if the web service customer is authenticated and authorized;
  
  grant the first request;
  
  initiate creation of a session and a session ticket;
  
  obtain a session ticket ID for the session ticket; and
  
  encrypt the session ticket ID and a public key into an assertion;
  
  intercept a second request to grant the web service customer access to the second web service, the second request comprising the assertion and a signature associated with a private key; and
  
  if the private key matches the public key in the assertion, grant the second request without reauthenticating or reauthorizing the web service customer.
- View Dependent Claims (19, 20, 21, 22, 23)
- - 19. The apparatus of claim 18, wherein the assertion comprises a Security Assertions Markup Language (SAML) assertion.
  - 20. The apparatus of claim 18, wherein the agent comprises an Extensible Markup Language (XML) agent.
  - 21. The apparatus of claim 18, wherein the processors are further operable when executing the instructions to determine whether the web service customer is authenticated and authorized by comparing the web service customer with a database containing authentication and authorization data.
  - 22. The apparatus of claim 18, wherein:
    - the first request and the second request both originate at the web service customer; and
      
      the processors are further operable when executing the instructions to communicate the assertion to the web service customer to enable the web service customer to access the second web service without reauthentication or reauthorization after the web service customer accesses the first web service.
  - 23. The apparatus of claim 18, wherein:
    - the first request originates at the web service customer and the second request originates at the first web service; and
      
      the processors are further operable when executing the instructions to communicate the assertion to the first web service to enable the web service customer to access the second web service without reauthentication or reauthorization after the web service customer accesses the first web service.

24. A system comprising:
- a first web service;
  
  a second web service; and
  
  an agent residing between a web service customer and the first web service and between the web service customer and the second web service, the agent residing on a processor-controlled server and operable to;
  
  intercept a first request to grant the web service customer access to the first web service;
  
  collect one or more authentication credentials of the web service customer;
  
  determine whether the web service customer is authenticated and authorized, and if the web service customer is authenticated and authorized;
  
  grant the first request;
  
  initiate creation of a session and a session ticket;
  
  obtain a session ticket ID for the session ticket; and
  
  encrypt the session ticket ID and a public key into an assertion;
  
  intercept a second request to grant the web service customer access to the second web service, the second request comprising the assertion and a signature associated with a private key; and
  
  if the private key matches the public key in the assertion, grant the second request without reauthenticating or reauthorizing the web service customer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Computer Associates Think Inc. (Broadcom, Inc.)
Original Assignee
Computer Associates Think Inc. (Broadcom, Inc.)
Inventors
Mishra, Prateek, Ducharme, James, Favazza, John, Levinson, Rich
Primary Examiner(s)
Smithers; Matthew B
Assistant Examiner(s)
Gelagay; Shewaye

Application Number

US10/626,208
Publication Number

US 20040139319A1
Time in Patent Office

2,532 Days
Field of Search

713/168, 726/30
US Class Current

713/168
CPC Class Codes

H04L 63/0442   wherein the sending and rec...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

Session ticket authentication scheme

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Session ticket authentication scheme

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links