System and method for single session sign-on
Abstract
A method and system for cross-system authentication or credentialing of clients. Credentials from one system (e.g., system 2) are placed on a client, such as with a cookie on a browser, and the credentials are then extracted by another system (e.g., system 1), and used by system 1 to impersonate the client to system 2. If the client's credentials with system 2 are valid, system 2 provides that information to system 1 (which is impersonating the client), and system 1 uses the validity of the credentials from system 2 to grant the client access to protected resources on system 1.
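The following Python model is an added illustration of the flow in the abstract and in claim 1 (and of the mutual direction that claims 7 and 18 add); it is not code from the patent or its assignee. The class and cookie names, the SHA-256 password check, the random opaque session handles, the session expiry and the "peers" list are all assumptions made for the example. The first apparatus never sees the user's password; it can only hand the second apparatus a token the client already holds, and the second apparatus accepts only tokens it issued itself and that are still in its own session store.

```python
"""Toy model of cross-system single sign-on: a client holding a session
token from one system is admitted to a second system, which presents that
token back to its issuer for validation instead of asking the user to log in
again. Added example; not the patent's own code. All names are assumptions."""
import hashlib
import secrets
import time


class Apparatus:
    """One authenticating system (an "apparatus" in the claims), with its own
    user store, its own server-side session store and its own cookie name."""

    def __init__(self, name, users, session_ttl=300):
        self.name = name
        self.users = users                     # username -> sha256(password) (constructed)
        self.sessions = {}                     # token -> (username, expiry)
        self.cookie_name = f"{name}_session"   # assumed cookie naming scheme
        self.session_ttl = session_ttl         # assumed lifetime in seconds
        self.peers = []                        # other apparatuses whose tokens we will present

    def login(self, client, username, password):
        """Local authentication; on success, place our session token on the
        client (the "cookie on a browser" of the abstract)."""
        digest = hashlib.sha256(password.encode()).hexdigest()
        if self.users.get(username) != digest:
            return False
        self._grant_session(client, username)
        return True

    def _grant_session(self, client, username):
        token = secrets.token_urlsafe(32)      # unguessable opaque handle
        self.sessions[token] = (username, time.time() + self.session_ttl)
        client.cookies[self.cookie_name] = token

    def validate_token(self, token):
        """Answer a peer that presents a token on the client's behalf: the
        username if this apparatus issued the token and it is unexpired,
        otherwise None. Only the issuer can vouch for its own tokens."""
        entry = self.sessions.get(token)
        if entry is None:
            return None
        username, expiry = entry
        if time.time() > expiry:
            del self.sessions[token]           # expired: stop vouching for it
            return None
        return username

    def request_protected_resource(self, client):
        """Claim 1 flow. Returns ("granted", username) or
        ("login_required", <name of this apparatus>)."""
        # 1. Does the client already hold a valid session with us?
        own = self.validate_token(client.cookies.get(self.cookie_name))
        if own:
            return ("granted", own)
        # 2. No local session: retrieve a peer's session token from the client
        #    and present it to that peer, which decides whether it is valid.
        for peer in self.peers:
            token = client.cookies.get(peer.cookie_name)
            if token is None:
                continue
            username = peer.validate_token(token)
            if username:
                # 3. The peer vouches for the client: grant our own session.
                self._grant_session(client, username)
                return ("granted", username)
        # 4. No usable peer session: direct the client to log in here.
        return ("login_required", self.name)


class Client:
    """A browser, reduced to its cookie jar."""

    def __init__(self):
        self.cookies = {}


def build_demo(session_ttl=300):
    """Two mutually trusting systems sharing one constructed user."""
    users = {"alice": hashlib.sha256(b"correct horse").hexdigest()}
    sys1 = Apparatus("system1", users, session_ttl)
    sys2 = Apparatus("system2", users, session_ttl)
    sys1.peers.append(sys2)
    sys2.peers.append(sys1)
    return sys1, sys2


def demo_cross_login(session_ttl=300):
    """Log in at system 2 only, then request a protected resource at system 1."""
    sys1, sys2 = build_demo(session_ttl)
    client = Client()
    assert sys2.login(client, "alice", "correct horse")
    return sys1.request_protected_resource(client)


if __name__ == "__main__":
    print(demo_cross_login())                  # granted via system 2's vouching
    print(demo_cross_login(session_ttl=-1))    # expired at system 2: log in at system 1
```

Three things worth noticing when running it: after the cross-validated grant the client holds a `system1_session` cookie, so the next request at system 1 is served from the local session store without consulting system 2; a token that system 2 did not issue, or that has expired, makes system 2 answer None and the client is sent to log in; and because the session state is server-side, nothing the first apparatus sends can make the second apparatus vouch for a client it does not currently know.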
24 Claims
1. A method for validating credentials comprising:
inputting, at a first apparatus that grants session credentials based on successful authentication, a request from a client to access a protected resource on the first apparatus, the protected resource on the first apparatus being accessible by the client only after successful authentication of the client at the first apparatus;
determining, at the first apparatus, that a client does not have a valid session credential granted by the first apparatus;
after the determining, retrieving, at the first apparatus, information from a session token held by the client, the information being retrieved from the client, the information corresponding to a session credential for a second apparatus, the second apparatus (1) grants session credentials based on successful authentication at the second apparatus, and (2) includes a protected resource on the second apparatus that is accessible by the client;
the protected resource on the second apparatus being accessible by the client only after successful authentication of the client at the second apparatus;
the first apparatus presenting at least some of the information from the session token to the second apparatus;
the first apparatus inputting a determination from the second apparatus that the client has a valid session credential with the second apparatus;
the first apparatus effecting successful authentication to the client so as to grant access, to the protected resource on the first apparatus, to the client based on the determination from the second apparatus that the client has a valid session credential with the second apparatus; and
directing the client to the first apparatus to establish a session credential based on successful authentication at the first apparatus, after determining that the client does not have a valid session credential granted by the second apparatus.
Dependent claims: 2, 3, 4, 5, 6.

7. A method for validating session credentials of a client comprising:
inputting, at a first apparatus that grants session credentials based on successful authentication, a request from a client to access a protected resource on the first apparatus, the protected resource on the first apparatus being accessible by the client only after successful authentication of the client at the first apparatus;
determining, at the first apparatus, that a client does not have a valid session credential granted by the first system;
after the determining, retrieving, at the first apparatus, information from a session token held by the client, the information being retrieved from the client, the information corresponding to a session credential for a second apparatus that grants session credentials based on successful authentication at the second apparatus, and the second apparatus including a protected resource that is accessible by the client, the retrieving information from the session token held by the client comprises receiving a session token from the client corresponding to the second apparatus, and the protected resource on the second apparatus being accessible by the client only after successful authentication of the client at the second apparatus;
presenting at least some of the information from the session token to the second apparatus;
determining whether the client has a valid session credential granted by the second apparatus, the determining whether the client has a valid session credential granted by the second apparatus is at least partially from presenting information from the session token;
the first apparatus inputting a determination from the second apparatus that the client has a valid session credential with the second apparatus;
granting a session credential to the client on the first apparatus, after determining that the client has a valid session credential granted by the second apparatus;
sending a session token to the client, the session token corresponding to the session credential granted by the first apparatus, the session token allowing the client access to protected resources on the first apparatus, so as to provide successful authentication to the client; and
maintaining the client session credential; and
the first apparatus inputting information from the second apparatus, and in response, the first apparatus outputting, to the second apparatus, a determination that the first apparatus has a valid session credential for the client at the first apparatus, and the second apparatus effecting successful authentication so as to grant access, to the further protected resource on the second apparatus, to the client based on the determination from the first apparatus that the client has a valid session credential with the first apparatus.

8. Computer executable software code stored on a non-transitory computer-readable storage medium and transmitted as an information signal, the code for validating credentials, the code comprising:
code to input, at a first apparatus that grants session credentials based on successful authentication, a request from a client to access a protected resource on the first apparatus, the protected resource on the first apparatus being accessible by the client only after successful authentication of the client at the first apparatus;
code to determine, at the first apparatus, that a client does not have a valid session credential granted by the first apparatus;
code to retrieve, after the determining that the client does not have a valid session credential granted by the first apparatus, at the first apparatus, information from a session token held by the client, the information corresponding to a session credential for a second apparatus that grants session credentials based on successful authentication at the second apparatus, the second apparatus including a protected resource that is accessible by the client, and the protected resource on the second apparatus being accessible by the client only after successful authentication of the client at the second apparatus;
code to present at least some of the information from the session token to the second apparatus; and
code to input, from the second apparatus to the first apparatus, a determination whether the client has a valid session credential granted by the second apparatus; and
code to effect successful authentication so as to grant access to the protected resource on the first apparatus, to the client based on the determination from the second apparatus that the client has a valid session credential with the second apparatus; and
code to direct the client to the first apparatus to establish a session credential based on successful authentication at the first apparatus, after determining that the client does not have a valid session credential granted by the second apparatus.

9. A non-transitory computer readable storage medium having computer executable code stored thereon, the code for validating credentials, the code comprising:
code to input, at a first apparatus that grants session credentials based on successful authentication, a request from a client to access a protected resource on the first apparatus, the protected resource on the first apparatus being accessible by the client only after successful authentication of the client at the first apparatus;
code to determine, at the first apparatus, that the client does not have a valid session credential granted by the first apparatus;
code to retrieve from the client, at the first apparatus and after the determining that the client does not have a valid session credential granted by the first apparatus, information from a session token held by the client, the information corresponding to a possible session credential for a second apparatus that grants session credentials based on successful authentication at the second apparatus and that has a protected resource that is accessible by the client, the protected resource on the second apparatus being accessible by the client only after successful authentication of the client at the second apparatus;
code to present at least some of the information from the session token to the second apparatus; and
code to input, from the second apparatus to the first apparatus, a determination whether the client has a valid session credential granted by the second apparatus; and
code to effect successful authentication to the client so as to grant access to the protected resource on the first apparatus, to the client based on the determination from the second apparatus that the client has a valid session credential with the second apparatus.

10. A programmed computer for validating credentials, comprising:
a memory having at least one region for storing computer executable program code; and
a processor for executing the program code stored in the memory, wherein the program code comprises:
code to input, at a first system that grants session credentials based on successful authentication, a request from a client to access a protected resource on the first system, the protected resource on the first system being accessible by the client only after successful authentication of the client at the first system;
code to determine, at the first system, that the client does not have a valid session credential granted by the first system;
code to retrieve, at the first system and after the determining that the client does not have a valid session credential granted by the first system, information from a session token held by the client, the information corresponding to a session credential for a second system that grants session credentials based on successful authentication at the second system, the second system including a protected resource that is accessible by the client, the protected resource on the second system being accessible by the client only after successful authentication of the client at the second system;
code to present at least some of the information from the session token to the second system; and
code to input, from the second system to the first system, a determination whether the client has a valid session credential granted by the second system, and code to effect successful authentication so as to grant access to the protected resource on the first system, to the client based on the determination from the second system that the client has a valid session credential with the second system;
code to direct the client to the first system to establish a session credential based on successful authentication at the first system, after determining that the client does not have a valid session credential granted by the second system;
code to input into the first system information from the second system, and in response, output from the first system, to the second system, a determination that the first system has a valid session credential for the client at the first system, and code to effect successful authentication with the second system so as to grant access, to the further protected resource on the second system, to the client based on the determination from the first system that the client has a valid session credential with the first system.

11. A method for establishing session credentials comprising:
inputting, at a first apparatus that grants session credentials based on successful authentication, a request from a client to access a protected resource on the first apparatus, the protected resource on the first apparatus being accessible by the client only after successful authentication of the client at the first apparatus;
determining at the first apparatus that the client does not have a valid session credential granted by the first apparatus;
determining that the client does not have a valid session credential granted by a second apparatus based on successful authentication at the second apparatus;
sending, from the first apparatus to the client, a log in page;
receiving, at the first apparatus from the client, log in information;
sending, from the first apparatus to the second apparatus, the log in information; and
after the determining at the first apparatus that the client does not have a valid session credential granted by a first apparatus, receiving, at the first apparatus from the second apparatus, information corresponding to a session credential granted by the second apparatus, the session credential granted by the second apparatus based at least in part on the log in information and successful authentication at the second apparatus, the second apparatus being one that (1) grants session credentials based on successful authentication at the second apparatus, and (2) includes a protected resource on the second apparatus that is accessible by the client, the protected resource on the second apparatus being accessible by the client only after successful authentication of the client at the second apparatus; and
the first apparatus effecting successful authentication so as to grant access, to a protected resource on the first apparatus, to the client based on the determination from the second apparatus that the client has a valid session credential with the second apparatus;
the first apparatus inputting information from the second apparatus, and in response, the first apparatus outputting, to the second apparatus, a determination that the first apparatus has a valid session credential for the client at the first apparatus, and the second apparatus effecting successful authentication so as to grant access, to the further protected resource on the second apparatus, to the client based on the determination from the first apparatus that the client has a valid session credential with the first apparatus.
Dependent claims: 12, 13, 14.

15. A method for establishing session credentials for a client, the method comprising:
inputting, at a first apparatus that grants session credentials based on successful authentication, a request from a client to access a protected resource on the first apparatus, the protected resource on the first apparatus being accessible by the client only after successful authentication of the client at the first apparatus;
determining that the client does not have a valid session credential granted by the first apparatus;
after the determining, retrieving, at the first apparatus, information from a session token held by the client, the information being retrieved from the client, the information corresponding to a session credential for a second apparatus;
inputting information at the first apparatus, from the second apparatus, that the client does not have a valid session credential granted by the second apparatus, the second apparatus including a protected resource, the protected resource on the second apparatus being accessible by the client only after successful authentication of the client at the second apparatus;
sending, from the second apparatus to the client, a log in page;
receiving, at the second apparatus from the client, log in information; and
sending, from the second apparatus to the first apparatus, information corresponding to a session credential granted by the second apparatus, the session credential granted by the second apparatus based at least in part on the log in information and successful authentication at the second apparatus; and
granting a session credential to the client for the first apparatus so as to provide successful authentication, such that the client is granted access to a protected resource on the first apparatus;
the first apparatus inputting information from the second apparatus, and in response, the first apparatus outputting, to the second apparatus, a determination that the first apparatus has a valid session credential for the client at the first apparatus, and the second apparatus effecting successful authentication so as to grant access, to the further protected resource on the second apparatus, to the client based on the determination from the first apparatus that the client has a valid session credential with the first apparatus.
Dependent claims: 16, 17.

18. A method for validating credentials comprising:
inputting, at a first apparatus that grants session credentials based on successful authentication, a request from a client to access a protected resource on the first apparatus;
determining, at the first apparatus, that a client does not have a valid session credential granted by the first apparatus;
redirecting the client to a second apparatus that grants session credentials based on successful authentication at the second apparatus, the second apparatus having a protected resource that is accessible by the client;
sending, from the second apparatus to the first apparatus, session credentials granted by the second apparatus;
sending, from the first apparatus to the second apparatus, the session credentials granted by the second apparatus;
determining, at the second apparatus, that the session credentials granted by the second apparatus, and received from the first apparatus, are valid; and
sending, from the second apparatus to the first apparatus, information indicating that the session credentials granted by the second apparatus are valid; and
inputting, at the second apparatus that grants session credentials based on successful authentication, a request from a client to access a protected resource on the second apparatus;
determining, at the second apparatus, that a client does not have a valid session credential granted by the second apparatus;
after such determining, retrieving, at the second apparatus, information from a session token held by the client, the information being retrieved from the client, the information corresponding to a session credential for the first apparatus;
redirecting the client to the first apparatus that grants session credentials based on successful authentication at the first apparatus;
sending, from the first apparatus to the second apparatus, session credentials granted by the first apparatus;
sending, from the second apparatus to the first apparatus, the session credentials granted by the first apparatus;
determining, at the first apparatus, that the session credentials granted by the first apparatus, and received from the second apparatus, are valid; and
sending, from the first apparatus to the second apparatus, information indicating that the session credentials granted by the first apparatus are valid.

19. A method for validating credentials comprising:
inputting, at a first apparatus that grants session credentials based on successful authentication, a request from a client to access a protected resource on the first apparatus, the protected resource being accessible upon successful authentication of the client at the first apparatus;
determining, at the first apparatus, that the client does not have a valid session credential granted by the first apparatus, so as to allow the client access to the protected resource on the first apparatus;
after the determining, retrieving, at the first apparatus, information from a session token held by the client, the information being retrieved from the client, the information corresponding to a session credential for a second apparatus;
the first system communicating with the second apparatus, the second apparatus having a further protected resource on the second apparatus, the further protected resource being accessible upon successful authentication of the client at the second apparatus;
the first apparatus presenting information to the second apparatus;
the first apparatus inputting a determination from the second apparatus that the client has a valid session credential with the second apparatus;
the first apparatus effecting successful authentication so as to grant access, to the protected resource on the first apparatus, to the client, based on the determination from the second apparatus that the client has a valid session credential with the second apparatus;
the first apparatus inputting information from the second apparatus, and in response, the first apparatus outputting, to the second apparatus, a determination that the first apparatus has a valid session credential for the client at the first apparatus; and
the second apparatus effecting successful authentication so as to grant access, to the further protected resource on the second apparatus, to the client based on the determination from the first apparatus that the client has a valid session credential with the first apparatus.
Dependent claims: 20, 21.

22. A method for validating credentials comprising:
inputting, at a first apparatus that grants session credentials based on successful authentication, a request from a client to access a protected resource on the first apparatus, the protected resource on the first apparatus being accessible by the client only after successful authentication of the client at the first apparatus;
determining, at the first apparatus, whether a client has a valid session credential granted by the first apparatus;
retrieving, at the first apparatus, information from a session token held by the client if the client does not have a valid session credential granted by the first apparatus, wherein the information is retrieved from the client and the information corresponds to a session credential for a second apparatus, the second apparatus (1) grants session credentials based on successful authentication at the second apparatus, and (2) includes a protected resource on the second apparatus that is accessible by the client;
the protected resource on the second apparatus being accessible by the client only after successful authentication of the client at the second apparatus;
transmitting, at the first apparatus, at least some of the information from the session token to the second apparatus;
receiving and inputting, at the first apparatus, information associated with a determination from the second apparatus whether the client has a valid session credential with the second apparatus, wherein the client's session credential with the second apparatus is periodically renewed via the first apparatus;
effecting, at the first apparatus, successful authentication to the client so as to grant access, to the protected resource on the first apparatus, to the client based on the information associated with the determination from the second apparatus that the client has a valid session credential with the second apparatus; and
directing the client to the first apparatus to establish a session credential, after the determination from the second apparatus that the client does not have a valid session credential granted by the second apparatus.

23. A method for validating credentials comprising:
inputting, at a first apparatus that grants session credentials based on successful authentication, a request from a client to access a protected resource on the first apparatus, the protected resource on the first apparatus being accessible by the client only after successful authentication of the client at the first apparatus;
determining, at the first apparatus, whether a client has a valid session credential granted by the first apparatus;
retrieving, at the first apparatus, information from a first session token held by the client if the client does not have a valid session credential granted by the first apparatus, wherein the information is retrieved from the client and the information corresponds to a session credential for a second apparatus, the second apparatus (1) grants session credentials based on successful authentication at the second apparatus, and (2) includes a protected resource on the second apparatus that is accessible by the client;
the protected resource on the second apparatus being accessible by the client only after successful authentication of the client at the second apparatus;
transmitting, at the first apparatus, at least some of the information from the first session token to the second apparatus;
receiving and inputting, at the first apparatus, information associated with a determination from the second apparatus whether the client has a valid session credential with the second apparatus, wherein the client's session credential with the second apparatus is periodically renewed via the first apparatus;
effecting, at the first apparatus, successful authentication to the client so as to grant access, to the protected resource on the first apparatus, to the client based on the information associated with the determination from the second apparatus that the client has a valid session credential with the second apparatus; and
directing the client to the first apparatus to establish a session credential, after the determination from the second apparatus that the client does not have a valid session credential granted by the second apparatus, wherein the step of directing the client to the first apparatus to establish a session credential further comprises:
receiving, at the first apparatus, a redirect code in response to the determination from the second apparatus that the client does not have a valid session credential granted by the second apparatus;
directing the client to a log in page provided by the second apparatus based on the redirect code;
receiving, at the first apparatus from the client, log in information;
sending, from the first apparatus to the second apparatus, the log in information; and
receiving, at the client, a second session token if the second apparatus determines that the log in information is valid.

24. A method for validating credentials comprising:
inputting, at a first apparatus that grants session credentials based on successful authentication, a request from a client to access a protected resource on the first apparatus, the protected resource on the first apparatus being accessible by the client only after successful authentication of the client at the first apparatus;
determining, at the first apparatus, whether a client has a valid session credential granted by the first apparatus;
generating a log in page at the first apparatus and presenting the log in page to the client, wherein the log in page corresponds to a second apparatus, the second apparatus (1) grants session credentials based on successful authentication at the second apparatus, wherein the session credentials of the second apparatus are periodically renewed via the first apparatus, and (2) includes a protected resource on the second apparatus that is accessible by the client;
the protected resource on the second apparatus being accessible by the client only after successful authentication of the client at the second apparatus;
receiving, at the first apparatus from the client, authentication credentials required by the log in page;
transmitting, from the first apparatus to the second apparatus, the authentication credentials required by the log in page; and
generating, at the first apparatus, one or more session tokens for the first apparatus and the second apparatus if the second apparatus determines that the authentication credential required by the log in page is valid, wherein the one or more session tokens for the first apparatus and the second apparatus grant access, to the protected resource on the first apparatus and to the protected resource on the second apparatus.