Passive client single sign-on for web applications

US 8,108,920 B2
Filed: 05/12/2003
Issued: 01/31/2012
Est. Priority Date: 05/12/2003
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

under control of one or more processors configured with executable instructions;

receiving at a resource security token service module of a resource realm, a resource challenge from a resource server of the resource realm through a Web-based client of an account realm, the resource challenge being generated by the resource server responsive to a request from a client of the account realm for access to a Web application provided by the resource server, and the resource realm sharing a trust policy in a federation with the account realm;

responsive to receiving the resource challenge, sending by the resource security token service module, a security token service challenge through the Web-based client to an account security token service module of the account realm, the security token service challenge including parameters indicating a requested action, a name of the resource realm, resource information as a pass-through parameter, and a trust policy uniform resource identifier (URI) that identifies preferences for a token to be issued to the resource security token service;

receiving by the resource security token service module, an account security token, the account security token being formatted in accordance with the trust policy in the federation;

verifying whether a format of the account security token is correct by the resource security token service module;

responsive to verifying that the format of the account security token is correct, generating by the resource security token service module, a resource security token, the resource security token;

formatting the resource security token based on whether the resource realm and the account realm are the same, whereinthe resource security token service module formats the resource security token based on account credentials of the client in response to determining that the resource realm and the account realm are the same; and

the resource security token service module formats the resource security token based on the account security token in response to determining that the resource realm and the account realm are not the same;

sending by the resource security token service module, the resource security token through the Web-based client to the resource server, the resource security token enabling the resource server to authenticate the client for access to the Web application.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system provides single sign-on capabilities for accessing a Web application through a passive client across multiple realms within a federation. A federation refers to different organizations or realms that have employed agreements, standards, and/or cooperative technologies to make user identity and entitlements portable between the organizations. Communications are redirected through a client in one realm to obtain a security token that can allow the resource server in the other realm to authenticate the user for access to the Web application.

63 Citations

View as Search Results

28 Claims

1. A method comprising:
- under control of one or more processors configured with executable instructions;
  
  receiving at a resource security token service module of a resource realm, a resource challenge from a resource server of the resource realm through a Web-based client of an account realm, the resource challenge being generated by the resource server responsive to a request from a client of the account realm for access to a Web application provided by the resource server, and the resource realm sharing a trust policy in a federation with the account realm;
  
  responsive to receiving the resource challenge, sending by the resource security token service module, a security token service challenge through the Web-based client to an account security token service module of the account realm, the security token service challenge including parameters indicating a requested action, a name of the resource realm, resource information as a pass-through parameter, and a trust policy uniform resource identifier (URI) that identifies preferences for a token to be issued to the resource security token service;
  
  receiving by the resource security token service module, an account security token, the account security token being formatted in accordance with the trust policy in the federation;
  
  verifying whether a format of the account security token is correct by the resource security token service module;
  
  responsive to verifying that the format of the account security token is correct, generating by the resource security token service module, a resource security token, the resource security token;
  
  formatting the resource security token based on whether the resource realm and the account realm are the same, whereinthe resource security token service module formats the resource security token based on account credentials of the client in response to determining that the resource realm and the account realm are the same; and
  
  the resource security token service module formats the resource security token based on the account security token in response to determining that the resource realm and the account realm are not the same;
  
  sending by the resource security token service module, the resource security token through the Web-based client to the resource server, the resource security token enabling the resource server to authenticate the client for access to the Web application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1 wherein the security token service challenge has a format that is dependent upon the trust policy in the federation.
  - 3. The method of claim 1 wherein content of the account security token is a base64 encoded XML document.
  - 4. The method of claim 1 wherein content of the security token service challenge is dependent upon the trust policy in the federation.
  - 5. The method of claim 1 wherein the resource challenge has a format that is dependent upon a trust policy in the resource realm.
  - 6. The method of claim 1 wherein the resource security token has a format that is dependent upon a trust policy in the resource realm.
  - 7. The method of claim 1 further comprising:
    - determining a realm in which the client is a member, the realm representing the account realm.
  - 8. The method of claim 1 further comprising:
    - receiving the resource challenge from the resource server by a redirection through a passive client in the account realm.
  - 9. The method of claim 1 further comprising:
    - redirecting the security token service challenge to the account security token service module of the account realm through a passive client in the account realm.
  - 10. The method of claim 1 further comprising:
    - receiving the account security token from the account security token service module by a redirection through a passive client in the account realm.
  - 11. The method of claim 1, wherein the security token service challenge is performed using a POST through the Web-based client, and the resource challenge POST includes parameters indicating:
    - a return uniform resource locator (URL); and
      
      a policy uniform resource identifier (URI) that identifies a policy to be used for authentication.

12. A method comprising:
- under control of one or more processors configured with executable instructions;
  
  receiving a resource challenge from a resource server of a resource realm through a Web-based client of an account realm, the resource challenge being generated responsive to a request for access to a Web application provided by the resource server, and the resource realm and the account realm sharing a trust policy in a federation;
  
  sending a security token service challenge to an account security token service module of the account realm through the Web-based client, responsive to receiving the resource challenge, the security token service challenge including parameters indicating a requested action, a name of the resource realm, resource information as a pass-through parameter, and a trust policy uniform resource identifier (URI) that identifies preferences for a token to be issued to the resource security token service;
  
  verifying whether an account security token received from the account security token service module through the Web-based client is correctly formatted in accordance with the trust policy in the federation;
  
  responsive to verifying that the account security token is correctly formatted in accordance with the trust policy in the federation, generating by the resource security token service module, a resource security token;
  
  formatting the resource security token based on whether the resource realm and the account realm are the same, whereinthe resource security token service module formats the resource security token based on account credentials of the client in response to determining that the resource realm and the account realm are the same; and
  
  the resource security token service module formats the resource security token based on the account security token in response to determining that the resource realm and the account realm are not the same; and
  
  sending the resource security token generated by the resource security token service module through the Web-based client to the resource server, the resource security token enabling the resource server to authenticate the client for access to the Web application.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 13. The method of claim 12 wherein the account security token has a format that is dependent upon the trust policy in the federation.
  - 14. The method of claim 12 wherein the security token service challenge has a format that is dependent upon the trust policy in the federation.
  - 15. The method of claim 12 wherein content of the account security token is dependent upon the trust policy in the federation.
  - 16. The method of claim 12 wherein content of the security token service challenge is dependent upon the trust policy in the federation.
  - 17. The method of claim 12 wherein the resource challenge has a format that is dependent upon a trust policy in the resource realm.
  - 18. The method of claim 12 wherein the resource security token has a format that is dependent upon a trust policy in the resource realm.
  - 19. The method of claim 12 wherein the computer process further comprises:
    - determining a realm in which the client is a member, the realm representing the account realm.
  - 20. The method of claim 12 wherein the computer process further comprises:
    - receiving the resource challenge from the resource server by a redirection through a passive client in the account realm.
  - 21. The method of claim 12 wherein the computer process further comprises:
    - redirecting the security token service challenge to the account security token service module of the account realm through a passive client in the account realm.
  - 22. The method of claim 12 wherein the computer process further comprises:
    - receiving the account security token from the account security token service module by a redirection through a passive client in the account realm.
  - 23. The method of claim 12, wherein the account security token contains a signature of an issuing authority.
  - 24. The method of claim 12, wherein the account security token contains a subject identifier that uniquely identifies the account for which the account security token was granted.
  - 25. The method of claim 12, wherein the account security token contains a recipient identifier.
  - 26. The method of claim 12, wherein the account security token comprises:
    - a time of initial authentication;
      
      a validity interval; and
      
      a indication of type of authentication that was performed.
  - 27. The method of claim 12, wherein the account security token is sent over a secure connection.

28. A system comprising:
- a resource realm, the resource realm comprising;
  
  a resource realm processor; and
  
  a resource security token service module, executed by the resource realm processor, the resource security token service module sharing with a resource server hosting a Web application, a symmetric key or trusted signatures created with a resource security token private key;
  
  wherein;
  
  responsive to receiving a resource challenge from the resource server through a Web-based client of an account realm of a client which sends a request to access the Web application of the resource server, the resource security token service module is configured to generate a security token service challenge, and transmit the security token service challenge through the Web-based client to an account security token service module of the account realm, the account realm sharing a trust policy in a federation with the resource realm, and the security token service challenge including parameters indicating a requested action, a name of the resource realm, resource information as a pass-through parameter, and a trust policy uniform resource identifier (URI) that identifies preferences for a token to be issued to the resource security token service;
  
  responsive to receiving an account security token from the account security token service module upon authenticating the client, the resource security token service module is further configured to;
  
  verify the account security token by determining whether a format of the account security token is correctly formatted in accordance with the trust policy in the federation;
  
  generate a resource security token responsive to determining that the format of the account security token is correctly formatted in accordance with the trust policy in the federation, the resource security token enabling the resource server to authenticate the user for access to the Web application;
  
  format the resource security token based on whether the resource realm and the account realm are the same, whereinthe resource security token service module formats the resource security token based on account credentials of the user in response to determining that the resource realm and the account realm are the same; and
  
  the resource security token service module formats the resource security token based on the account security token in response to determining that the resource realm and the account realm are not the same; and
  
  transmit the resource security token to the resource server, the resource security token enabling the resource server to authenticate the client for access to the Web application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Spelman, Jeffrey F., Rouskov, Yordan, Dixon, Brendan W., Hur, Matthew, Gray, Josh Thomas, Dusche, Michael S., Johnson, Ryan D., Tevosyan, John Kahren
Primary Examiner(s)
Patel, Nirav B.

Application Number

US10/436,880
Publication Number

US 20040230831A1
Time in Patent Office

3,186 Days
Field of Search

726/1, 726/2, 726 8- 10, 713/150, 713/168, 713/175, 713/176, 380/255, 709/229, 709/223, 709/225
US Class Current

726/8
CPC Class Codes

G06F 21/33   using certificates

H04L 63/0428   wherein the data content is...

H04L 63/0815   providing single-sign-on or...

H04L 63/083   using passwords cryptograph...

Passive client single sign-on for web applications

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

63 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Passive client single sign-on for web applications

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

63 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links