Session ticket authentication scheme
First Claim

1. A method comprising:

- intercepting at an agent residing on a processor-controlled server a first request to grant a web service customer access to a first web service, the agent residing between the web service customer and the first web service and between the web service customer and a second web service;
- collecting at the agent one or more authentication credentials of the web service customer;
- determining at the agent whether the web service customer is authenticated and authorized;
- if the web service customer is authenticated and authorized, at the agent:
  - granting the first request;
  - initiating creation of a session and a session ticket;
  - obtaining a session ticket ID for the session ticket; and
  - encrypting the session ticket ID and a public key into an assertion;
- intercepting at the agent a second request to grant the web service customer access to the second web service, the second request comprising the assertion and a signature associated with a private key; and
- if the private key matches the public key in the assertion, granting at the agent the second request without reauthenticating or reauthorizing the web service customer.
3 Assignments
0 Petitions
Accused Products
Abstract
A method of propagating a user's authentication/session information between different requests to Web services in a network includes a web server receiving a request for access to a first web service. The request is intercepted with an agent and authentication credentials are collected. A determination is made whether the web service customer is authenticated and authorized. If the web service customer is authenticated and authorized, a session and session ticket are created. An ID and the session ticket are returned to the web server. The session ticket ID and a public key are encrypted into an assertion. The assertion is sent to the first web service. The assertion is then returned to the web service customer for use with future requests. The assertion can be in the form of a SAML assertion.
24 Claims

1. A method comprising:

- intercepting at an agent residing on a processor-controlled server a first request to grant a web service customer access to a first web service, the agent residing between the web service customer and the first web service and between the web service customer and a second web service;
- collecting at the agent one or more authentication credentials of the web service customer;
- determining at the agent whether the web service customer is authenticated and authorized;
- if the web service customer is authenticated and authorized, at the agent:
  - granting the first request;
  - initiating creation of a session and a session ticket;
  - obtaining a session ticket ID for the session ticket; and
  - encrypting the session ticket ID and a public key into an assertion;
- intercepting at the agent a second request to grant the web service customer access to the second web service, the second request comprising the assertion and a signature associated with a private key; and
- if the private key matches the public key in the assertion, granting at the agent the second request without reauthenticating or reauthorizing the web service customer.

Dependent claims: 2 through 13.
14. A method comprising:

- intercepting at an agent residing on a processor-controlled server a request to grant a web service customer access to a first web service, the agent residing between the web service customer and the first web service and between the web service customer and a second web service, the request comprising an encrypted assertion and a signature associated with a private key, the encrypted assertion comprising a public key and a session ticket ID for a session ticket obtained prior to the request and in response to authentication and authorization of the web service customer for access to the second web service; and
- if the private key matches the public key in the assertion, granting at the agent the second request without reauthenticating or reauthorizing the web service customer.

Dependent claims: 15 through 17.
18. An apparatus comprising:

- one or more processors residing between a web service customer and a first web service and between the web service customer and a second web service; and
- a memory coupled to the processors comprising one or more instructions executable at the processors, the processors operable when executing the instructions to:
  - intercept a first request to grant the web service customer access to the first web service;
  - collect one or more authentication credentials of the web service customer;
  - determine whether the web service customer is authenticated and authorized;
  - if the web service customer is authenticated and authorized:
    - grant the first request;
    - initiate creation of a session and a session ticket;
    - obtain a session ticket ID for the session ticket; and
    - encrypt the session ticket ID and a public key into an assertion;
  - intercept a second request to grant the web service customer access to the second web service, the second request comprising the assertion and a signature associated with a private key; and
  - if the private key matches the public key in the assertion, grant the second request without reauthenticating or reauthorizing the web service customer.

Dependent claims: 19 through 23.
24. A system comprising:

- a first web service;
- a second web service; and
- an agent residing between a web service customer and the first web service and between the web service customer and the second web service, the agent residing on a processor-controlled server and operable to:
  - intercept a first request to grant the web service customer access to the first web service;
  - collect one or more authentication credentials of the web service customer;
  - determine whether the web service customer is authenticated and authorized, and if the web service customer is authenticated and authorized:
    - grant the first request;
    - initiate creation of a session and a session ticket;
    - obtain a session ticket ID for the session ticket; and
    - encrypt the session ticket ID and a public key into an assertion;
  - intercept a second request to grant the web service customer access to the second web service, the second request comprising the assertion and a signature associated with a private key; and
  - if the private key matches the public key in the assertion, grant the second request without reauthenticating or reauthorizing the web service customer.
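The two-request flow that the independent claims describe (authenticate once at the agent, seal the session ticket ID together with the customer's public key into an assertion, then grant later requests when a signature made with the matching private key verifies against that key) is shown below as an added example in Go. It is not code from the patent or from any assignee; the claims say only "encrypt" and "a signature associated with a private key", so AES-GCM for sealing the assertion, Ed25519 for the signature, the in-memory session map, the plaintext layout and the single hard-coded account are all assumptions made for the example. The signature is also computed over the assertion itself, not only the request body, so that a captured signature cannot be paired with a different assertion; that binding is an added hardening, not something the claims require.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// ticketIDLen is the length of the hex-encoded session ticket ID (assumed layout).
const ticketIDLen = 32

// Agent is the interposed component from the claims: it authenticates the
// customer once, records the session it created, and issues an assertion that
// binds the session ticket ID to the customer's public key. The assertion is
// sealed with a key only the agent holds, so only the agent can read it back.
type Agent struct {
	aead     cipher.AEAD     // AES-GCM over the assertion (assumed; claims only say "encrypt")
	sessions map[string]bool // ticket IDs this agent created (assumed in-memory store)
}

// NewAgent builds an agent from a 16-, 24- or 32-byte AES key.
func NewAgent(key []byte) (*Agent, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Agent{aead: aead, sessions: map[string]bool{}}, nil
}

// Authenticate stands in for collecting credentials and deciding authn/authz
// on the first request. The single constructed account is a placeholder.
func (a *Agent) Authenticate(user, password string) bool {
	return user == "alice" && password == "correct horse battery staple"
}

// IssueAssertion is the rest of the first-request path: create a session
// ticket ID, record the session, and encrypt the ID with the customer's key.
func (a *Agent) IssueAssertion(clientPub ed25519.PublicKey) (assertion []byte, ticketID string, err error) {
	if len(clientPub) != ed25519.PublicKeySize {
		return nil, "", errors.New("bad public key length")
	}
	raw := make([]byte, ticketIDLen/2)
	if _, err := rand.Read(raw); err != nil {
		return nil, "", err
	}
	ticketID = hex.EncodeToString(raw)
	a.sessions[ticketID] = true
	plain := append([]byte(ticketID), clientPub...) // assumed layout: ticket ID || public key
	nonce := make([]byte, a.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, "", err
	}
	return a.aead.Seal(nonce, nonce, plain, nil), ticketID, nil // nonce || ciphertext+tag
}

// Request is the second request: the assertion, the request body, and a
// signature made with the private key whose public half is in the assertion.
type Request struct {
	Assertion, Body, Signature []byte
}

// signedMessage binds the signature to this particular assertion as well as
// the body, so a captured signature cannot be reused with another assertion.
func signedMessage(assertion, body []byte) []byte {
	return append(append([]byte{}, assertion...), body...)
}

// SignRequest is the customer's side of the second request.
func SignRequest(priv ed25519.PrivateKey, assertion, body []byte) Request {
	return Request{Assertion: assertion, Body: body,
		Signature: ed25519.Sign(priv, signedMessage(assertion, body))}
}

// NewCustomerKeyPair generates the customer's Ed25519 key pair.
func NewCustomerKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Authorize is the second-request path. It returns the session ticket ID only
// when the assertion decrypts under the agent's key, the session is one this
// agent issued, and the signature verifies under the sealed public key. No
// credentials are collected again.
func (a *Agent) Authorize(req Request) (string, error) {
	ns := a.aead.NonceSize()
	if len(req.Assertion) < ns {
		return "", errors.New("assertion too short")
	}
	plain, err := a.aead.Open(nil, req.Assertion[:ns], req.Assertion[ns:], nil)
	if err != nil {
		return "", errors.New("assertion tampered with or not issued by this agent")
	}
	if len(plain) != ticketIDLen+ed25519.PublicKeySize {
		return "", errors.New("malformed assertion payload")
	}
	ticketID, pub := string(plain[:ticketIDLen]), ed25519.PublicKey(plain[ticketIDLen:])
	if !a.sessions[ticketID] {
		return "", errors.New("unknown or revoked session ticket")
	}
	if !ed25519.Verify(pub, signedMessage(req.Assertion, req.Body), req.Signature) {
		return "", errors.New("signature does not match the public key in the assertion")
	}
	return ticketID, nil
}

func main() {
	agent, _ := NewAgent(make([]byte, 32)) // constructed all-zero key; generate a random one in practice
	pub, priv, _ := NewCustomerKeyPair()
	fmt.Println("first request authenticated:", agent.Authenticate("alice", "correct horse battery staple"))
	assertion, id, _ := agent.IssueAssertion(pub)
	got, err := agent.Authorize(SignRequest(priv, assertion, []byte("GET /second-service")))
	fmt.Println("second request granted:", err == nil && got == id)
}
```

Two things the example makes explicit that the claims leave implicit: the agent keeps its own record of the sessions it created, so an assertion is useless once the session is dropped, and decryption failure is treated the same as a bad signature, so a forged or edited assertion never reaches the signature check.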
Specification