System and method for single sign-on session management without central server
Abstract
A method and system for single sign-on session management. Functions of session management and client log-in, normally handled by separate system servers, are incorporated as plug-in modules on individual web content servers. In this manner, network traffic to grant and validate client user credentials is reduced or minimized.
42 Claims
1. A method for single sign-on session management, the method comprising:
receiving, at a first server, a list of authorized users from a global repository, other servers also receiving the list of authorized users from the global repository, the first server and the other servers each having protected resources;
establishing a session credential at the first server using the list of authorized users, the other servers also capable of establishing session credentials;
sending the session credential from the first server to a client;
receiving a protected resource request from the client at the first server, the protected resource request including the session credential established by the first server;
responsive to receiving the session credential at the first server from the client, validating the session credential entirely within the first server, and upon validation of the session credential, granting the client access to a first protected resource at the first server;
sending the session credential from the client to one of the other servers;
receiving the session credential at the one of the other servers; and
allowing the client access to a second protected resource at the one of the other servers based on the session credential that was established by the first server.
(Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 39, 40, 41)

12. A method for single sign-on session management, the method comprising:
providing a list of authorized users to a first server and second server from a global repository, the list of authorized users being sent from the global repository to the first server and the second server;
establishing a cryptographically generated first cookie at the first server using the list of authorized users;
sending the first cookie to a client browser as a session credential;
receiving the session credential from the client browser at the first server;
decrypting the first cookie at the first server;
validating the session credential entirely within the first server;
responsive to validating the session credential entirely within the first server, granting the client browser access to a first protected resource of the first server;
updating a timeout value contained within the session credential;
cryptographically generating a new session credential as a second cookie containing the updated timeout value;
sending the new session credential to the client browser;
sending the new session credential from the client browser to the second server;
receiving the new session credential at the second server;
decrypting the second cookie at the second server;
validating the new session credential within the second server; and
responsive to validating the session credential entirely at the second server, granting access to a second protected resource of the second server.

13. A computer readable medium having computer executable code stored thereon, the code for single sign-on session management, the code comprising:
code to provide a list of authorized users to a first server and a second server, the list received from a global repository;
code to establish a session credential at the first server using the list of authorized users;
code to send the session credential from the client to the first server;
code to receive the session credential at the first server;
code to validate the session credential entirely within the first server, responsive to validating the session credential entirely at the first server, code to grant access to a first resource of the first server;
code to send the session credential from the client to the second server;
code to receive the session credential at the second server;
code to validate the session credential entirely within the second server; and
responsive to validating the session credential entirely at the second server, code to grant access to a second resource of the second server.

14. A method for single sign-on session management, the method comprising:
providing a list of authorized users to a first server and a second server, the list of authorized users being input from a global repository to the first server and the second server, both the first server and the second server having protected resources for access by the client;
establishing a session credential at the first server using the list of authorized users;
sending the session credential to a client;
sending the session credential from the client to the first server;
receiving, at the first server, the session credential from the client;
validating the session credential entirely within the first server, the validating being performed by a log-in plug-in running on the first server;
sending the session credential from the client to the second server;
receiving, at the second server, the session credential from the client;
validating the session credential entirely within the second server;
providing an update to the list of authorized users to the first server and to the second server, the update received from the global repository; and
changing, at the first server and the second server, the session credential based on the update to the list.
(Dependent claims: 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)

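The following is an added illustration of the scheme in claims 12 and 14, not code from the patent: each content server validates a cookie on its own using a key and an authorized-user list pushed from the global repository, re-issues the cookie with a refreshed timeout, and stops honouring it once the user is removed from its local list. It assumes an HMAC-signed (rather than encrypted) cookie, since the Python standard library has no authenticated-encryption primitive; the key, user list and server names are constructed placeholders.

```python
import base64, hashlib, hmac, json

# Constructed values standing in for what the global repository distributes to every
# server: one shared cookie key (placeholder, not a real secret) and the user list.
REPO_KEY = b"placeholder-key-distributed-by-global-repository"
REPO_USERS = {"alice", "bob"}
SESSION_SECONDS = 600   # timeout carried inside the credential

def b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

class ContentServer:
    """One web content server with the log-in and session-management plug-ins built in."""
    def __init__(self, name, key, users):
        self.name, self.key, self.users = name, key, set(users)

    def receive_user_list(self, users):
        self.users = set(users)          # update pushed from the global repository

    def _sign(self, payload: bytes) -> str:
        return b64(hmac.new(self.key, payload, hashlib.sha256).digest())

    def login(self, user, now):
        """Establish a session credential (cookie) using only the local user list."""
        if user not in self.users:
            return None
        payload = json.dumps({"u": user, "exp": now + SESSION_SECONDS}).encode()
        return b64(payload) + "." + self._sign(payload)

    def validate(self, cookie, now):
        """Validate entirely within this server; no round trip to a session server."""
        try:
            p, sig = cookie.split(".")
            payload = unb64(p)
        except (ValueError, TypeError, AttributeError):
            return None
        if not hmac.compare_digest(self._sign(payload), sig):
            return None                  # forged, tampered, or issued under another key
        claims = json.loads(payload)
        if claims["exp"] <= now or claims["u"] not in self.users:
            return None                  # timed out, or user removed from the list
        return claims["u"]

    def request(self, cookie, now):
        """Serve a protected resource and return a new cookie with an updated timeout."""
        user = self.validate(cookie, now)
        if user is None:
            return None, None
        return f"{self.name}:resource-for-{user}", self.login(user, now)
```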
28. A system for single-sign-on session management, the system comprising:
a global repository that generates a list of authorized users;
a first server with a first resource, the first server inputting the list of authorized users from the global repository;
a session management plug-in running on the first server that uses the list of authorized users to validate a session credential;
a second server with a second resource, the second server inputting the list of authorized users from the global repository;
a session management plug-in running on the second server that uses the list of authorized users to validate the session credential;
a first network providing a connection between the global repository, the second server and the first server; and
a client holding the session credential, the client connectable to the first server and to the second server by the first network, wherein:
the first server entirely validates the session credential using only the session management plug-in running on the first server; and
the second server entirely validates the session credential using only the session management plug-in running on the second server.
(Dependent claims: 29, 30, 31, 32, 33, 34, 35, 36, 37, 38)

42. A system for single-sign-on session management, the system comprising:
a global repository that generates a list of authorized users;
multiple servers, each of the multiple servers inputting the list of authorized users from the global repository;
protected resources residing on each of the multiple servers;
multiple log-in plug-ins, each of the multiple servers running one of the multiple log-in plug-ins, wherein each of the log-in plug-ins uses the list of authorized users to establish session credentials, such that each of the multiple servers is capable of independently establishing the session credentials; and
multiple session management plug-ins, each of the multiple servers running one of the session management plug-ins, wherein each of the session management plug-ins processes the session credentials established by any one of the multiple log-in plug-ins in order to validate a user session, thereby enabling user access to a requested protected resource on any of the multiple servers.

Specification