Method and apparatus for facilitating single sign-on
First Claim
1. A method for preventing unauthorized access to a cookie during a single sign-on of a client, the method comprising:
- receiving a domain cookie from the client forwarded by an application server at a single sign-on server, wherein the domain cookie includes a domain identifier and encrypted secret path information which is encrypted using a key known only to the single sign-on server, and wherein the secret path information indicates a network path that terminates at the single sign-on server;
- decrypting the encrypted secret path information using the key to reveal the network path;
- sending a request to the client requesting a domain-token cookie, wherein the request indicates the decrypted network path; and
- receiving the domain-token cookie from the client forwarded by the application server at the single sign-on server, wherein the domain-token cookie comprises the domain identifier, clear secret path information which indicates the network path, and user credential encrypted using the key known only to the single sign-on server, and wherein the network path derived from the clear secret path information in the domain-token cookie matches the decrypted network path in the request.
Abstract
One embodiment of the present invention provides a system that facilitates single sign-on of a client, wherein single sign-on allows the client to provide authentication credentials once during a computing session and to access multiple resources without re-authenticating. The system operates by receiving a domain cookie forwarded from the client by an application server at a single sign-on server, wherein the domain cookie includes a domain identifier and an encrypted secret path, and wherein the domain cookie can only be retrieved by servers whose domain matches the domain identifier in the domain cookie. The system then decrypts the encrypted secret path to reveal an unencrypted secret path. Next, the system redirects the client to the unencrypted secret path, wherein the unencrypted secret path is a path that terminates on the single sign-on server. Upon redirection, the system sends a request to the client from the single sign-on server requesting a domain-token cookie, wherein the domain-token cookie includes the domain identifier, a clear secret path, and encrypted information, wherein the request includes the clear secret path, and wherein the domain-token cookie can only be retrieved from the client if the client determines that the unencrypted secret path and the clear secret path match. Finally, upon receiving the domain-token cookie from the client at the single sign-on server, the system authenticates the client.
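The security-relevant point of the abstract (and of claim 1 below) is that the client's cookie store does the gatekeeping: the domain cookie is scoped to the whole domain and so reaches every application server, but the domain-token cookie carrying the encrypted credential is scoped to a secret path that only the single sign-on server knows, so a browser releases it only after being redirected to that exact path. The following Python model is an added illustration, not the patent's or any assignee's code; the domain names, cookie names, JSON cookie format and the HMAC-based toy cipher are all constructed assumptions standing in for whatever a real deployment would use.

```python
"""Toy model of the path-scoped SSO cookie exchange from the abstract (constructed example)."""
import base64
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field

PARENT_DOMAIN = "example.com"    # domain identifier shared by app and SSO hosts (assumed)
APP_HOST = "app.example.com"     # an application server in that domain (assumed)
SSO_HOST = "sso.example.com"     # the single sign-on server (assumed)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stdlib stand-in for a real cipher such as AES-GCM."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> str:
    """Encrypt-then-MAC under the key that only the SSO server holds."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ct + tag).decode()


def unseal(key: bytes, token: str) -> bytes:
    """Verify the tag before decrypting; a forged or foreign token is rejected."""
    raw = base64.urlsafe_b64decode(token)
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("tampered or foreign token")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


@dataclass
class Cookie:
    name: str
    value: str
    domain: str   # the cookie's Domain attribute (the patent's "domain identifier")
    path: str     # the cookie's Path attribute


def _domain_matches(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def _path_matches(request_path: str, cookie_path: str) -> bool:
    """Path-match rule of RFC 6265 section 5.1.4."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


@dataclass
class CookieJar:
    """Client-side store: a request only carries cookies whose domain and path both match."""
    cookies: list = field(default_factory=list)

    def cookies_for(self, host: str, path: str) -> list:
        return [c for c in self.cookies
                if _domain_matches(host, c.domain) and _path_matches(path, c.path)]


class SSOServer:
    def __init__(self):
        self.key = secrets.token_bytes(32)                       # known only to this server
        self.secret_path = "/sso/" + secrets.token_urlsafe(16)   # terminates at this server

    def set_session_cookies(self, jar: CookieJar, user: str) -> None:
        """After the user's initial authentication, issue both cookies into the client's jar."""
        jar.cookies.append(Cookie("domain", json.dumps(
            {"domain": PARENT_DOMAIN, "enc_path": seal(self.key, self.secret_path.encode())}),
            PARENT_DOMAIN, "/"))                                 # reachable by every app server
        jar.cookies.append(Cookie("domain_token", json.dumps(
            {"domain": PARENT_DOMAIN, "path": self.secret_path, "cred": seal(self.key, user.encode())}),
            PARENT_DOMAIN, self.secret_path))                    # released only on the secret path

    def redirect_for(self, domain_cookie: Cookie) -> str:
        """Decrypt the secret path and tell the client where to present the token cookie."""
        data = json.loads(domain_cookie.value)
        if data["domain"] != PARENT_DOMAIN:
            raise ValueError("domain identifier mismatch")
        return unseal(self.key, data["enc_path"]).decode()

    def authenticate(self, requested_path: str, cookies: list):
        """Accept the token only when its clear path matches the path this server requested."""
        for c in cookies:
            if c.name != "domain_token":
                continue
            data = json.loads(c.value)
            if data["domain"] == PARENT_DOMAIN and data["path"] == requested_path:
                return unseal(self.key, data["cred"]).decode()
        return None


def single_sign_on(jar: CookieJar, sso: SSOServer):
    """Run the exchange from the client's side; return the authenticated user or None."""
    forwarded = jar.cookies_for(APP_HOST, "/")        # what the application server can forward
    domain_cookie = next((c for c in forwarded if c.name == "domain"), None)
    if domain_cookie is None:
        return None
    try:
        path = sso.redirect_for(domain_cookie)
    except ValueError:
        return None
    return sso.authenticate(path, jar.cookies_for(SSO_HOST, path))  # client follows redirect
```

Running `single_sign_on` on a jar populated by `set_session_cookies` shows the two properties the abstract relies on: `cookies_for(APP_HOST, "/")` never contains the domain-token cookie, so an application server can forward only the domain cookie; and a domain cookie whose encrypted path was not produced under the SSO server's key fails `unseal`, so the server never issues a redirect to a path it did not choose.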
20 Claims
1. A method for preventing unauthorized access to a cookie during a single sign-on of a client, the method comprising:
- receiving a domain cookie from the client forwarded by an application server at a single sign-on server, wherein the domain cookie includes a domain identifier and encrypted secret path information which is encrypted using a key known only to the single sign-on server, and wherein the secret path information indicates a network path that terminates at the single sign-on server;
- decrypting the encrypted secret path information using the key to reveal the network path;
- sending a request to the client requesting a domain-token cookie, wherein the request indicates the decrypted network path; and
- receiving the domain-token cookie from the client forwarded by the application server at the single sign-on server, wherein the domain-token cookie comprises the domain identifier, clear secret path information which indicates the network path, and user credential encrypted using the key known only to the single sign-on server, and wherein the network path derived from the clear secret path information in the domain-token cookie matches the decrypted network path in the request.

(Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9)

10. A computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method for preventing unauthorized access to a cookie during a single sign-on of a client, the method comprising:
- receiving a domain cookie from the client forwarded by an application server at a single sign-on server, wherein the domain cookie includes a domain identifier and encrypted secret path information which is encrypted using a key known only to the single sign-on server, and wherein the secret path information indicates a network path that terminates at the single sign-on server;
- decrypting the encrypted secret path information using the key to reveal the network path;
- sending a request to the client requesting a domain-token cookie, wherein the request indicates the decrypted network path; and
- receiving the domain-token cookie from the client forwarded by the application server at the single sign-on server, wherein the domain-token cookie comprises the domain identifier, clear secret path information which indicates the network path, and user credential encrypted using the key known only to the single sign-on server, and wherein the network path derived from the clear secret path information in the domain-token cookie matches the decrypted network path in the request.

(Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18)

19. An apparatus for preventing unauthorized access to a cookie during a single sign-on of a client, the apparatus comprising:
- a receiving mechanism configured to receive a domain cookie from the client forwarded by an application server at a single sign-on server, wherein the domain cookie includes a domain identifier and encrypted secret path information which is encrypted using a key known only to the single sign-on server, and wherein the secret path information indicates a network path that terminates at the single sign-on server;
- a decryption mechanism configured to decrypt the encrypted secret path information using the key to reveal the network path;
- a request mechanism configured to send a request to the client requesting a domain-token cookie, wherein the request indicates the decrypted network path; and
- wherein the receiving mechanism is further configured to receive the domain-token cookie from the client forwarded by the application server at the single sign-on server, wherein the domain-token cookie comprises the domain identifier, clear secret path information which comprises the network path, and an encrypted user credential which is encrypted using the key known only to the single sign-on server, and wherein the network path derived from the clear secret path information in the domain-token cookie matches the decrypted network path in the request.

(Dependent claims: 20)

Specification