System and method for single session sign-on

US 7,987,501 B2
Filed: 12/21/2001
Issued: 07/26/2011
Est. Priority Date: 12/04/2001
Status: Active Grant

First Claim

Patent Images

1. A method for validating credentials comprising:

inputting, at a first apparatus that grants session credentials based on successful authentication, a request from a client to access a protected resource on the first apparatus, the protected resource on the first apparatus being accessible by the client only after successful authentication of the client at the first apparatus;

determining, at the first apparatus that a client does not have a valid session credential granted by the first apparatus;

after the determining, retrieving, at the first apparatus, information from a session token held by the client, the information being retrieved from the client, the information corresponding to a session credential for a second apparatus, the second apparatus (1) grants session credentials based on successful authentication at the second apparatus, and (2) includes a protected resource on the second apparatus that is accessible by the client;

the protected resource on the second apparatus being accessible by the client only after successful authentication of the client at the second apparatus;

the first apparatus presenting at least some of the information from the session token to the second apparatus;

the first apparatus inputting a determination from the second apparatus that the client has a valid session credential with the second apparatus;

the first apparatus effecting successful authentication to the client so as to grant access, to the protected resource on the first apparatus, to the client based on the determination from the second apparatus that the client has a valid session credential with the second apparatus; and

directing the client to the first apparatus to establish a session credential based on successful authentication at the first apparatus, after determining that the client does not have a valid session credential granted by the second apparatus.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for cross-system authentication or credentialing of clients. Credentials from one system (e.g., system 2) are placed on a client, such as with a cookie on a browser, and the credentials are then extracted by another system (e.g., system 1), and used by system 1 to impersonate the client to system 2. If the client'"'"'s credentials with system 2 are valid, system 2 provides that information to system 1 (which is impersonating the client), and system 1 uses the validity of the credentials from system 2 to grant the client access to protected resources on system 1.

1529 Citations

24 Claims

1. A method for validating credentials comprising:
- inputting, at a first apparatus that grants session credentials based on successful authentication, a request from a client to access a protected resource on the first apparatus, the protected resource on the first apparatus being accessible by the client only after successful authentication of the client at the first apparatus;
  
  determining, at the first apparatus that a client does not have a valid session credential granted by the first apparatus;
  
  after the determining, retrieving, at the first apparatus, information from a session token held by the client, the information being retrieved from the client, the information corresponding to a session credential for a second apparatus, the second apparatus (1) grants session credentials based on successful authentication at the second apparatus, and (2) includes a protected resource on the second apparatus that is accessible by the client;
  
  the protected resource on the second apparatus being accessible by the client only after successful authentication of the client at the second apparatus;
  
  the first apparatus presenting at least some of the information from the session token to the second apparatus;
  
  the first apparatus inputting a determination from the second apparatus that the client has a valid session credential with the second apparatus;
  
  the first apparatus effecting successful authentication to the client so as to grant access, to the protected resource on the first apparatus, to the client based on the determination from the second apparatus that the client has a valid session credential with the second apparatus; and
  
  directing the client to the first apparatus to establish a session credential based on successful authentication at the first apparatus, after determining that the client does not have a valid session credential granted by the second apparatus.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. A method according to claim 1, further comprising granting a session credential to the client by the first apparatus, after determining that the client has a valid session credential granted by the second apparatus.
  - 3. A method according to claim 1, further comprising sending a session token to the client, the token corresponding to a session credential granted by the first apparatus.
  - 4. A method according to claim 1, further comprising directing the client to the second apparatus to establish a session credential based on successful authentication at the second apparatus, after determining that the client does not have a valid session credential granted by the second apparatus.
  - 5. A method according to claim 1, further comprising maintaining the client session credential granted by the second apparatus.
  - 6. A method according to claim 1, wherein retrieving information from the session token held by the client comprises:
    - sending a query to the client from the first apparatus, the query including identification as originating from a domain name corresponding to the second apparatus; and
      
      receiving a response to the query.

7. A method for validating session credentials of a client comprising:
- inputting, at a first apparatus that grants session credentials based on successful authentication, a request from a client to access a protected resource on the first apparatus, the protected resource on the first apparatus being accessible by the client only after successful authentication of the client at the first apparatus;
  
  determining, at the first apparatus that a client does not have a valid session credential granted by the first system;
  
  after the determining, retrieving, at the first apparatus, information from a session token held by the client, the information being retrieved from the client, the information corresponding to a session credential for a second apparatus that grants session credentials based on successful authentication at the second apparatus, and the second apparatus including a protected resource that is accessible by the client, the retrieving information from the session token held by the client comprises receiving a session token from the client corresponding to the second apparatus, and the protected resource on the second apparatus being accessible by the client only after successful authentication of the client at the second apparatus;
  
  presenting at least some of the information from the session token to the second apparatus;
  
  determining whether the client has a valid session credential granted by the second apparatus, the determining whether the client has a valid session credential granted by the second apparatus is at least partially from presenting information from the session token;
  
  the first apparatus inputting a determination from the second apparatus that the client has a valid session credential with the second apparatus;
  
  granting a session credential to the client on the first apparatus, after determining that the client has a valid session credential granted by the second apparatus;
  
  sending a session token to the client, the session token corresponding to the session credential granted by the first apparatus, the session token allowing the client access to protected resources on the first apparatus, so as to provide successful authentication to the client; and
  
  maintaining the client session credential; and
  
  the first apparatus inputting information from the second apparatus, and in response, the first apparatus outputting, to the second apparatus, a determination that the first apparatus has a valid session credential for the client at the first apparatus, andthe second apparatus effecting successful authentication so as to grant access, to the further protected resource on the second apparatus, to the client based on the determination from the first apparatus that the client has a valid session credential with the first apparatus.

8. Computer executable software code stored on a non-transitory computer-readable storage medium and transmitted as an information signal, the code for validating credentials, the code comprising:
- code to input, at a first apparatus that grants session credentials based on successful authentication, a request from a client to access a protected resource on the first apparatus, the protected resource on the first apparatus being accessible by the client only after successful authentication of the client at the first apparatus;
  
  code to determine, at the first apparatus, that a client does not have a valid session credential granted by the first apparatus;
  
  code to retrieve, after the determining that the client does not have a valid session credential granted by the first apparatus, at the first apparatus, information from a session token held by the client, the information corresponding to a session credential for a second apparatus that grants session credentials based on successful authentication at the second apparatus, the second apparatus including a protected resource that is accessible by the client, and the protected resource on the second apparatus being accessible by the client only after successful authentication of the client at the second apparatus;
  
  code to present at least some of the information from the session token to the second apparatus; and
  
  code to input, from the second apparatus to the first apparatus, a determination whether the client has a valid session credential granted by the second apparatus; and
  
  code to effect successful authentication so as to grant access to the protected resource on the first apparatus, to the client based on the determination from the second apparatus that the client has a valid session credential with the second apparatus; and
  
  code to direct the client to the first apparatus to establish a session credential based on successful authentication at the first apparatus, after determining that the client does not have a valid session credential granted by the second apparatus.

9. A non-transitory computer readable storage medium having computer executable code stored thereon, the code for validating credentials, the code comprising:
- code to input, at a first apparatus that grants session credentials based on successful authentication, a request from a client to access a protected resource on the first apparatus, the protected resource on the first apparatus being accessible by the client only after successful authentication of the client at the first apparatus;
  
  code to determine, at the first apparatus that the client does not have a valid session credential granted by the first apparatus;
  
  code to retrieve from the client, at the first apparatus and after the determining that the client does not have a valid session credential granted by the first apparatus, information from a session token held by the client, the information corresponding to a possible session credential for a second apparatus that grants session credentials based on successful authentication at the second apparatus and that has a protected resource that is accessible by the client, the protected resource on the second apparatus being accessible by the client only after successful authentication of the client at the second apparatus;
  
  code to present at least some of the information from the session token to the second apparatus; and
  
  code to input, from the apparatus system to the first apparatus, a determination whether the client has a valid session credential granted by the second apparatus; and
  
  code to effect successful authentication to the client so as to grant access to the protected resource on the first apparatus, to the client based on the determination from the second apparatus that the client has a valid session credential with the second apparatus.

10. A programmed computer for validating credentials, comprising:
- a memory having at least one region for storing computer executable program code; and
  
  a processor for executing the program code stored in the memory, wherein the program code comprises;
  
  code to input, at a first system that grants session credentials based on successful authentication, a request from a client to access a protected resource on the first system, the protected resource on the first system being accessible by the client only after successful authentication of the client at the first system;
  
  code to determine, at the first system that the client does not have a valid session credential granted by the first system;
  
  code to retrieve, at the first system and after the determining that the client does not have a valid session credential granted by the first system, information from a session token held by the client, the information corresponding to a session credential for a second system that grants session credentials based on successful authentication at the second system, the second system including a protected resource that is accessible by the client, the protected resource on the second system being accessible by the client only after successful authentication of the client at the second system;
  
  code to present at least some of the information from the session token to the second system; and
  
  code to input, from the second system to the first system, a determination whether the client has a valid session credential granted by the second system and code to effect successful authentication so as to grant access to the protected resource on the first system, to the client based on the determination from the second system that the client has a valid session credential with the second system;
  
  code to direct the client to the first system to establish a session credential based on successful authentication at the first system, after determining that the client does not have a valid session credential granted by the second system;
  
  code to input into the first system information from the second system, and in response, output from the first system, to the second system, a determination that the first system has a valid session credential for the client at the first system, andcode to effect successful authentication with the second system so as to grant access, to the further protected resource on the second system, to the client based on the determination from the first system that the client has a valid session credential with the first system.

11. A method for establishing session credentials comprising:
- inputting, at a first apparatus that grants session credentials based on successful authentication, a request from a client to access a protected resource on the first apparatus, the protected resource on the first apparatus being accessible by the client only after successful authentication of the client at the first apparatus;
  
  determining at the first apparatus that the client does not have a valid session credential granted by the first apparatus;
  
  determining that the client does not have a valid session credential granted by a second apparatus based on successful authentication at the second apparatus;
  
  sending, from the first apparatus to the client, a log in page;
  
  receiving, at the first apparatus from the client, log in information;
  
  sending, from the first apparatus to the second apparatus, the log in information; and
  
  after the determining at the first apparatus that the client does not have a valid session credential granted by a first apparatus, receiving, at the first apparatus from the second apparatus, information corresponding to a session credential granted by the second apparatus, the session credential granted by the second apparatus based at least in part on the log in information and successful authentication at the second apparatus, the second apparatus being one that (1) grants session credentials based on successful authentication at the second apparatus, and (2) includes a protected resource on the second apparatus that is accessible by the client, the protected resource on the second apparatus being accessible by the client only after successful authentication of the client at the second apparatus; and
  
  the first apparatus effecting successful authentication so as to grant access, to a protected resource on the first apparatus, to the client based on the determination from the second apparatus that the client has a valid session credential with the second apparatus;
  
  the first apparatus inputting information from the second apparatus, and in response, the first apparatus outputting, to the second apparatus, a determination that the first apparatus has a valid session credential for the client at the first apparatus, andthe second apparatus effecting successful authentication so as to grant access, to the further protected resource on the second apparatus, to the client based on the determination from the first apparatus that the client has a valid session credential with the first apparatus.
- View Dependent Claims (12, 13, 14)
- - 12. A method according to claim 11, further comprising granting a session credential for the first apparatus.
  - 13. A method according to claim 11, further comprising granting a session credential for the second apparatus.
  - 14. A method according to claim 11, further comprising associating session credentials for the first apparatus and the second apparatus with the client.

15. A method for establishing session credentials for a client, the method comprising:
- inputting, at a first apparatus that grants session credentials based on successful authentication, a request from a client to access a protected resource on the first apparatus, the protected resource on the first apparatus being accessible by the client only after successful authentication of the client at the first apparatus;
  
  determining that the client does not have a valid session credential granted by the first apparatus;
  
  after the determining, retrieving, at the first apparatus, information from a session token held by the client, the information being retrieved from the client, the information corresponding to a session credential for a second apparatusinputting information at the first apparatus, from the second apparatus, that the client does not have a valid session credential granted by the second apparatus, the second apparatus including a protected resource, the protected resource on the second apparatus being accessible by the client only after successful authentication of the client at the second apparatus;
  
  sending, from the second apparatus to the client, a log in page;
  
  receiving, at the second apparatus from the client, log in information; and
  
  sending, from the second apparatus to the first apparatus, information corresponding to a session credential granted by the second apparatus, the session credential granted by the second apparatus based at least in part on the log in information and successful authentication at the second apparatus; and
  
  granting a session credential to the client for the first apparatus so as to provide successful authentication, such that the client is granted access to a protected resource on the first apparatus;
  
  the first apparatus inputting information from the second apparatus, and in response, the first apparatus outputting, to the second apparatus, a determination that the first apparatus has a valid session credential for the client at the first apparatus, andthe second apparatus effecting successful authentication so as to grant access, to the further protected resource on the second apparatus, to the client based on the determination from the first apparatus that the client has a valid session credential with the first apparatus.
- View Dependent Claims (16, 17)
- - 16. A method according to claim 15, further comprising granting a session credential for the second apparatus.
  - 17. A method according to claim 15, further comprising associating session credentials for the first apparatus and the second apparatus with the client.

18. A method for validating credentials comprising:
- inputting, at a first apparatus that grants session credentials based on successful authentication, a request from a client to access a protected resource on the first apparatusdetermining, at the first apparatus that a client does not have a valid session credential granted by the first apparatus;
  
  redirecting the client to a second apparatus that grants session credentials based on successful authentication at the second apparatus, the second apparatus having a protected resource that is accessible by the client;
  
  sending, from the second apparatus to the first apparatus, session credentials granted by the second apparatus;
  
  sending, from the first apparatus to the second apparatus, the session credentials granted by the second apparatus;
  
  determining, at the second apparatus, that the session credentials granted by the second apparatus, and received from the first apparatus, are valid; and
  
  sending, from the second apparatus to the first apparatus, information indicating that the session credentials granted by the second apparatus are valid; and
  
  inputting, at the second apparatus that grants session credentials based on successful authentication, a request from a client to access a protected resource on the second apparatus;
  
  determining, at the second apparatus that a client does not have a valid session credential granted by the second apparatus;
  
  after such determining, retrieving, at the second apparatus, information from a session token held by the client, the information being retrieved from the client, the information corresponding to a session credential for the first apparatus;
  
  redirecting the client to the first apparatus that grants session credentials based on successful authentication at the first apparatus;
  
  sending, from the first apparatus to the second apparatus, session credentials granted by the first apparatus;
  
  sending, from the second apparatus to the first apparatus, the session credentials granted by the first apparatus;
  
  determining, at the first apparatus, that the session credentials granted by the first apparatus, and received from the second apparatus, are valid; and
  
  sending, from the first apparatus to the second apparatus, information indicating that the session credentials granted by the first apparatus are valid.

19. A method for validating credentials comprising:
- inputting, at a first apparatus that grants session credentials based on successful authentication, a request from a client to access a protected resource on the first apparatus, the protected resource being accessible upon successful authentication of the client at the first apparatus;
  
  determining, at the first apparatus that the client does not have a valid session credential granted by the first apparatus, so as to allow the client access to the protected resource on the first apparatus;
  
  after the determining, retrieving, at the first apparatus, information from a session token held by the client, the information being retrieved from the client, the information corresponding to a session credential for a second apparatus;
  
  the first system communicating with the second apparatus, the second apparatus having a further protected resource on the second apparatus, the further protected resource being accessible upon successful authentication of the client at the second apparatus;
  
  the first apparatus presenting information to the second apparatus;
  
  the first apparatus inputting a determination from the second apparatus that the client has a valid session credential with the second apparatus;
  
  the first apparatus effecting successful authentication so as to grant access, to the protected resource on the first apparatus, to the client, based on the determination from the second apparatus that the client has a valid session credential with the second apparatus;
  
  the first apparatus inputting information from the second apparatus, and in response, the first apparatus outputting, to the second apparatus, a determination that the first apparatus has a valid session credential for the client at the first apparatus; and
  
  the second apparatus effecting successful authentication so as to grant access, to the further protected resource on the second apparatus, to the client based on the determination from the first apparatus that the client has a valid session credential with the first apparatus.
- View Dependent Claims (20, 21)
- - 20. The method of claim 19, wherein the protected resource in the first apparatus includes content provided on a pay-per-use basis, and wherein the protected resource in the second apparatus includes content provided on a pay-per-use basis.
  - 21. The method of claim 19, wherein the protected resource in the first apparatus includes content provided on a subscription basis, and wherein the protected resource in the second apparatus includes content provided on a subscription basis.

22. A method for validating credentials comprising:
- inputting, at a first apparatus that grants session credentials based on successful authentication, a request from a client to access a protected resource on the first apparatus, the protected resource on the first apparatus being accessible by the client only after successful authentication of the client at the first apparatus;
  
  determining, at the first apparatus whether a client have a valid session credential granted by the first apparatus;
  
  retrieving, at the first apparatus, information from a session token held by the client if the client does not have a valid session credential granted by the first apparatus, wherein the information is retrieved from the client and the information corresponds to a session credential for a second apparatus, the second apparatus (1) grants session credentials based on successful authentication at the second apparatus, and (2) includes a protected resource on the second apparatus that is accessible by the client;
  
  the protected resource on the second apparatus being accessible by the client only after successful authentication of the client at the second apparatus;
  
  transmitting, at the first apparatus, at least some of the information from the session token to the second apparatus;
  
  receiving and inputting, at the first apparatus, information associated with a determination from the second apparatus whether the client has a valid session credential with the second apparatus, wherein the client'"'"'s session credential with the second apparatus is periodically renewed via the first apparatus;
  
  effecting, at the first apparatus, successful authentication to the client so as to grant access, to the protected resource on the first apparatus, to the client based on the information associated with the determination from the second apparatus that the client has a valid session credential with the second apparatus; and
  
  directing the client to the first apparatus to establish a session credential, after the determination from the second apparatus that the client does not have a valid session credential granted by the second apparatus.

23. A method for validating credentials comprising:
- inputting, at a first apparatus that grants session credentials based on successful authentication, a request from a client to access a protected resource on the first apparatus, the protected resource on the first apparatus being accessible by the client only after successful authentication of the client at the first apparatus;
  
  determining, at the first apparatus whether a client have a valid session credential granted by the first apparatus;
  
  retrieving, at the first apparatus, information from a first session token held by the client if the client does not have a valid session credential granted by the first apparatus, wherein the information is retrieved from the client and the information corresponds to a session credential for a second apparatus, the second apparatus (1) grants session credentials based on successful authentication at the second v, and (2) includes a protected resource on the second apparatus that is accessible by the client;
  
  the protected resource on the second apparatus being accessible by the client only after successful authentication of the client at the second apparatus;
  
  transmitting, at the first apparatus, at least some of the information from the first session token to the second apparatus;
  
  receiving and inputting, at the first apparatus, information associated with a determination from the second apparatus whether the client has a valid session credential with the second apparatus, wherein the client'"'"'s session credential with the second apparatus is periodically renewed via the first apparatus;
  
  effecting, at the first apparatus, successful authentication to the client so as to grant access, to the protected resource on the first apparatus, to the client based on the information associated with the determination from the second apparatus that the client has a valid session credential with the second apparatus; and
  
  directing the client to the first apparatus to establish a session credential, after the determination from the second apparatus that the client does not have a valid session credential granted by the second apparatus, wherein the step of directing the client to the first v to establish a session credential further comprises;
  
  receiving, at the first apparatus, a redirect code in response to the determination from the second apparatus that the client does not have a valid session credential granted by the second apparatus;
  
  directing the client to a log in page provided by the second apparatus based on the redirect code;
  
  receiving, at the first apparatus from the client, log in information;
  
  sending, from the first apparatus to the second apparatus, the log in information; and
  
  receiving, at the client, a second session token if the second apparatus determines that the log in information is valid.

24. A method for validating credentials comprising:
- inputting, at a first apparatus that grants session credentials based on successful authentication, a request from a client to access a protected resource on the first apparatus, the protected resource on the first apparatus being accessible by the client only after successful authentication of the client at the first apparatus;
  
  determining, at the first system apparatus whether a client have a valid session credential granted by the first apparatus;
  
  generating a log in page at the first apparatus and present the log in page to the client, wherein the log in page corresponds to a second apparatus, the second apparatus (1) grants session credentials based on successful authentication at the second apparatus, wherein the session credentials of the second apparatus is periodically renewed via the first apparatus, and (2) includes a protected resource on the second apparatus that is accessible by the client;
  
  the protected resource on the second apparatus being accessible by the client only after successful authentication of the client at the second apparatus;
  
  receiving, at the first apparatus from the client, authentication credentials required by the log in page;
  
  transmitting, from the first apparatus to the second apparatus, the authentication credentials required by the log in page; and
  
  generating, at the first apparatus, one or more session tokens for the first apparatus and the second apparatus if the second apparatus determines that the authentication credential required by the log in page is valid, wherein the one or more session tokens for the first apparatus and the second apparatus grant access, to the protected resource on the first apparatus and to the protected resource on the second apparatus.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
JP Morgan Chase Bank, N.A. (JP Morgan Chase & Co)
Original Assignee
JP Morgan Chase Bank, N.A. (JP Morgan Chase & Co)
Inventors
Trenholm, Martin J., Miller, Lawrence R
Primary Examiner(s)
PYZOCHA, MICHAEL J

Application Number

US10/026,403
Publication Number

US 20030105981A1
Time in Patent Office

3,504 Days
Field of Search

713/201, 713/159, 713/172, 713/182, 713/185, 709/225, 709/223, 726/8
US Class Current

726/8
CPC Class Codes

G06F 21/41 where a single sign-on prov...

H04L 63/0815 providing single-sign-on or...

System and method for single session sign-on

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

1529 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for single session sign-on

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

1529 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links