Method and apparatus for facilitating single sign-on

US 7,761,911 B2
Filed: 11/21/2005
Issued: 07/20/2010
Est. Priority Date: 11/21/2005
Status: Active Grant

First Claim

Patent Images

1. A method for preventing unauthorized access to a cookie during a single sign-on of a client, the method comprising:

receiving a domain cookie from the client forwarded by an application server at a single sign-on server, wherein the domain cookie includes a domain identifier and encrypted secret path information which is encrypted using a key known only to the single sign-on server, and wherein the secret path information indicates a network path that terminates at the single sign-on server;

decrypting the encrypted secret path information using the key to reveal the network path;

sending a request to the client requesting a domain-token cookie, wherein the request indicates the decrypted network path; and

receiving the domain-token cookie from the client forwarded by the application server at the single sign-on server,wherein the domain-token cookie comprises the domain identifier, clear secret path information which indicates the network path, and user credential encrypted using the key known only to the single sign-on server, andwherein the network path derived from the clear secret path information in the domain-token cookie matches the decrypted network path in the request.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One embodiment of the present invention provides a system that facilitates single sign-on of a client, wherein single sign-on allows the client to provide authentication credentials once during a computing session and to access multiple resources without re-authenticating. The system operates by receiving a domain cookie forwarded from the client by an application server at a single sign-on server, wherein the domain cookie includes a domain identifier and an encrypted secret path, and wherein the domain cookie can only be retrieved by servers whose domain matches the domain identifier in the domain cookie. The system then decrypts the encrypted secret path to reveal an unencrypted secret path. Next, the system redirects the client to the unencrypted secret path, wherein the unencrypted secret path is a path that terminates on the single sign-on server. Upon redirection, the system sends a request to the client from the single sign-on server requesting a domain-token cookie, wherein the domain-token cookie includes the domain identifier, a clear secret path, and encrypted information, wherein the request includes the clear secret path, and wherein the domain-token cookie can only be retrieved from the client if the client determines that the unencrypted secret path and the clear secret path match. Finally, upon receiving the domain-token cookie from the client at the single sign-on server, the system authenticates the client.

Citations

20 Claims

1. A method for preventing unauthorized access to a cookie during a single sign-on of a client, the method comprising:
- receiving a domain cookie from the client forwarded by an application server at a single sign-on server, wherein the domain cookie includes a domain identifier and encrypted secret path information which is encrypted using a key known only to the single sign-on server, and wherein the secret path information indicates a network path that terminates at the single sign-on server;
  
  decrypting the encrypted secret path information using the key to reveal the network path;
  
  sending a request to the client requesting a domain-token cookie, wherein the request indicates the decrypted network path; and
  
  receiving the domain-token cookie from the client forwarded by the application server at the single sign-on server,wherein the domain-token cookie comprises the domain identifier, clear secret path information which indicates the network path, and user credential encrypted using the key known only to the single sign-on server, andwherein the network path derived from the clear secret path information in the domain-token cookie matches the decrypted network path in the request.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein prior to receiving the domain cookie, the method further comprises:
    - receiving an operation request from the client at an application server that requires authentication of the client;
      
      in response to the operation request, sending a second request to the client for a domain cookie;
      
      in response to the second request, receiving the domain cookie at the application server; and
      
      forwarding the domain cookie to the single sign-on server.
  - 3. The method of claim 2, wherein the second request includes a request for a host cookie, wherein the host cookie includes encrypted user identification information;
    - and wherein the method further comprises;
      
      receiving the host cookie at the application server; and
      
      authenticating the client.
  - 4. The method of claim 3, wherein upon authenticating the client, the method further comprises:
    - creating a new host cookie;
      
      creating a new secret path on the single sign-on server;
      
      encrypting the new secret path to create a new encrypted secret path;
      
      creating a new domain cookie including the new encrypted secret path;
      
      creating a new domain-token cookie including the new secret path; and
      
      issuing the new host cookie, the new domain cookie, and the new domain-token cookie to the client.
  - 5. The method of claim 1, wherein upon each successful authentication, the encrypted secret path information and the clear secret path information are changed.
  - 6. The method of claim 1, wherein the encrypted secret path information and the clear secret path information are created from a random value.
  - 7. The method of claim 1, wherein the client is a browser.
  - 8. The method of claim 1, wherein the single sign-on server is an Oracle Single Sign-On Server.
  - 9. The method of claim 1, wherein the application server is an Oracle Application Server.

10. A computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method for preventing unauthorized access to a cookie during a single sign-on of a client, the method comprising:
- receiving a domain cookie from the client forwarded by an application server at a single sign-on server, wherein the domain cookie includes a domain identifier and encrypted secret path information which is encrypted using a key known only to the single sign-on server, and wherein the secret path information indicates a network path that terminates at the single sign-on server;
  
  decrypting the encrypted secret path information using the key to reveal the network path;
  
  sending a request to the client requesting a domain-token cookie, wherein the request indicates the decrypted network path; and
  
  receiving the domain-token cookie from the client forwarded by the application server at the single sign-on server,wherein the domain-token cookie comprises the domain identifier, clear secret path information which indicates the network path, and user credential encrypted using the key known only to the single sign-on server, andwherein the network path derived from the clear secret path information in the domain-token cookie matches the decrypted network path in the request.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The computer-readable storage medium of claim 10, wherein prior to receiving the domain cookie, the method further comprises:
    - receiving an operation request from the client at an application server that requires authentication of the client;
      
      in response to the operation request, sending a second request to the client for a domain cookie;
      
      in response to the second request, receiving the domain cookie at the application server; and
      
      forwarding the domain cookie to the single sign-on server.
  - 12. The computer-readable storage medium of claim 11, wherein the second request includes a request for a host cookie, wherein the host cookie includes encrypted user identification information;
    - and wherein the method further comprises;
      
      receiving the host cookie at the application server; and
      
      authenticating the client.
  - 13. The computer-readable storage medium of claim 12, wherein upon authenticating the client, the method further comprises:
    - creating a new host cookie;
      
      creating a new secret path on the single sign-on server;
      
      encrypting the new secret path to create a new encrypted secret path;
      
      creating a new domain cookie including the new encrypted secret path;
      
      creating a new domain-token cookie including the new secret path; and
      
      issuing the new host cookie, the new domain cookie, and the new domain-token cookie to the client.
  - 14. The computer-readable storage medium of claim 10, wherein upon each successful authentication, the encrypted secret path information and the clear secret path information are changed.
  - 15. The computer-readable storage medium of claim 10, wherein the encrypted secret path information and the clear secret path information are created from a random value.
  - 16. The computer-readable storage medium of claim 10, wherein the client is a browser.
  - 17. The computer-readable storage medium of claim 10, wherein the single sign-on server is an Oracle Single Sign-On Server.
  - 18. The computer-readable storage medium of claim 10, wherein the application server is an Oracle Application Server.

19. An apparatus for preventing unauthorized access to a cookie during a single sign-on of a client, the apparatus comprising:
- a receiving mechanism configured to receive a domain cookie from the client forwarded by an application server at a single sign-on server, wherein the domain cookie includes a domain identifier and encrypted secret path information which is encrypted using a key known only to the single sign-on server, and wherein the secret path information indicates a network path that terminates at the single sign-on server;
  
  a decryption mechanism configured to decrypt the encrypted secret path information using the key to reveal the network path;
  
  a request mechanism configured to send a request to the client requesting a domain-token cookie, wherein the request indicates the decrypted network path; and
  
  wherein the receiving mechanism is further configured to receive the domain-token cookie from the client forwarded by the application server at the single sign-on server,wherein the domain-token cookie comprises the domain identifier, clear secret path information which comprises the network path, and an encrypted user credential which is encrypted using the key known only to the single sign-on server, andwherein the network path derived from the clear secret path information in the domain-token cookie matches the decrypted network path in the request.
- View Dependent Claims (20)
- - 20. The apparatus of claim 19, further comprising:
    - a receiving mechanism configured to receive an operation request from the client at an application server that requires authentication of the client, prior to the apparatus receiving the domain cookie;
      
      wherein the request mechanism is further configured to send a second request to the client for a domain cookie, in response to the operation request;
      
      wherein the cookie receiving mechanism is further configured to receive the domain cookie at the application server in response to the second request; and
      
      a forwarding mechanism configured to forward the domain cookie to the single sign-on server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Song, Baogang
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
Sanders; Stephen

Application Number

US11/285,642
Publication Number

US 20070118890A1
Time in Patent Office

1,702 Days
Field of Search

726/9
US Class Current

726/9
CPC Class Codes

G06F 16/958   Organisation or management ...

H04L 63/0815   providing single-sign-on or...

H04L 63/168   above the transport layer

H04L 9/3213   using tickets or tokens, e....

Method and apparatus for facilitating single sign-on

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for facilitating single sign-on

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links