Passive client single sign-on for web applications
First Claim
1. A method comprising:
under control of one or more processors configured with executable instructions;
receiving at a resource security token service module of a resource realm, a resource challenge from a resource server of the resource realm through a Web-based client of an account realm, the resource challenge being generated by the resource server responsive to a request from a client of the account realm for access to a Web application provided by the resource server, and the resource realm sharing a trust policy in a federation with the account realm;
responsive to receiving the resource challenge, sending by the resource security token service module, a security token service challenge through the Web-based client to an account security token service module of the account realm, the security token service challenge including parameters indicating a requested action, a name of the resource realm, resource information as a pass-through parameter, and a trust policy uniform resource identifier (URI) that identifies preferences for a token to be issued to the resource security token service;
receiving by the resource security token service module, an account security token, the account security token being formatted in accordance with the trust policy in the federation;
verifying whether a format of the account security token is correct by the resource security token service module;
responsive to verifying that the format of the account security token is correct, generating by the resource security token service module, a resource security token, the resource security token;
formatting the resource security token based on whether the resource realm and the account realm are the same, wherein the resource security token service module formats the resource security token based on account credentials of the client in response to determining that the resource realm and the account realm are the same; and
the resource security token service module formats the resource security token based on the account security token in response to determining that the resource realm and the account realm are not the same;
sending by the resource security token service module, the resource security token through the Web-based client to the resource server, the resource security token enabling the resource server to authenticate the client for access to the Web application.
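The redirect-based exchange the claim describes, as an added example that is not part of the patent or of any product it covers: the resource security token service (STS) sends the four challenge parameters the claim names, the account STS issues a token shaped by the federation's trust policy, and the resource STS checks that token's format before formatting its own token on local credentials (same realm) or on the account token (different realm), then hands it to the resource server, which verifies it with the symmetric key of claim 28. The token format (JSON body plus HMAC-SHA256 tag), the trust policy URI and its required fields, the realm names, keys, paths and every function name are assumptions made here, standing in for whatever the patent's embodiments use.

```python
import hmac
import hashlib
import json
from typing import Optional

# Constructed demo keys (assumption): a deployment would provision these per realm.
ACCOUNT_STS_KEY = b"account-realm-demo-key"      # trust between account STS and resource STS
RESOURCE_SERVER_KEY = b"resource-realm-demo-key"  # symmetric key shared by resource STS and resource server

# Trust policy shared by the federation (assumed shape): which fields an account token must carry.
TRUST_POLICY = {
    "uri": "urn:example:federation:trust-policy:v1",
    "required_fields": ("issuer", "subject", "audience", "action"),
}


def sign(claims: dict, key: bytes) -> dict:
    """Token = canonical JSON body + HMAC-SHA256 tag (stand-in format, not the patent's)."""
    body = json.dumps(claims, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_signature(token: dict, key: bytes) -> bool:
    expected = hmac.new(key, token["body"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, token["tag"])


def token_claims(token: dict) -> dict:
    return json.loads(token["body"])


def build_sts_challenge(resource_realm: str, resource_info: str, action: str = "signin") -> dict:
    """Challenge the resource STS redirects through the client to the account STS: the four claim-1 parameters."""
    return {
        "action": action,
        "resource_realm": resource_realm,
        "resource_info": resource_info,          # pass-through parameter, echoed back untouched
        "trust_policy_uri": TRUST_POLICY["uri"],  # tells the account STS how to shape its token
    }


def account_sts_issue(challenge: dict, account_realm: str, user: str, authenticated: bool) -> Optional[dict]:
    """Account STS: only after authenticating the user in its own realm, issue a token per the trust policy."""
    if not authenticated or challenge["trust_policy_uri"] != TRUST_POLICY["uri"]:
        return None
    return sign({
        "issuer": account_realm,
        "subject": user,
        "audience": challenge["resource_realm"],
        "action": challenge["action"],
        "resource_info": challenge["resource_info"],
    }, ACCOUNT_STS_KEY)


def account_token_well_formed(token: dict, resource_realm: str) -> bool:
    """Resource STS format check: signed by the federated account STS, carries every required field, aimed at us."""
    if not verify_signature(token, ACCOUNT_STS_KEY):
        return False
    claims = token_claims(token)
    return all(f in claims for f in TRUST_POLICY["required_fields"]) and claims["audience"] == resource_realm


def resource_sts_issue(resource_realm: str, account_realm: str,
                       account_token: Optional[dict], local_credentials: Optional[dict]) -> Optional[dict]:
    """Resource STS: format the token on local credentials (same realm) or on the account token (cross realm)."""
    if account_realm == resource_realm:
        if local_credentials is None:
            return None
        claims = {"issuer": resource_realm, "subject": local_credentials["user"], "source": "account-credentials"}
    else:
        if account_token is None or not account_token_well_formed(account_token, resource_realm):
            return None  # wrong format or bad signature: no resource token is generated
        acct = token_claims(account_token)
        claims = {"issuer": resource_realm, "subject": f"{acct['subject']}@{acct['issuer']}",
                  "source": "federated-account-token", "resource_info": acct["resource_info"]}
    return sign(claims, RESOURCE_SERVER_KEY)


def resource_server_accepts(resource_token: Optional[dict]) -> bool:
    """Resource server: authenticate the client using only the key it shares with its own realm's STS."""
    return resource_token is not None and verify_signature(resource_token, RESOURCE_SERVER_KEY)


def passive_sign_on(account_realm: str, user: str, authenticated: bool = True,
                    local_credentials: Optional[dict] = None, tamper: bool = False) -> Optional[dict]:
    """Walk the redirect chain: resource challenge -> STS challenge -> account token -> resource token."""
    resource_realm = "resource.example"
    resource_challenge = {"realm": resource_realm, "resource": "/app/reports"}  # produced by the resource server
    sts_challenge = build_sts_challenge(resource_realm, resource_challenge["resource"])
    account_token = None
    if account_realm != resource_realm:  # cross-realm: the account STS in the other realm must vouch for the user
        account_token = account_sts_issue(sts_challenge, account_realm, user, authenticated)
        if tamper and account_token:  # simulate the passive client altering the token in transit
            account_token = dict(account_token, body=account_token["body"].replace(user, "admin"))
    return resource_sts_issue(resource_realm, account_realm, account_token, local_credentials)


if __name__ == "__main__":
    tok = passive_sign_on("account.example", "alice")
    print(resource_server_accepts(tok), token_claims(tok))
```

The resource server never needs the account realm's key: it trusts only its own STS, which is the point of the two-token design, and the tampered-token path shows why the format check in the resource STS must include signature verification rather than field presence alone.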
Abstract
A system provides single sign-on capabilities for accessing a Web application through a passive client across multiple realms within a federation. A federation refers to different organizations or realms that have employed agreements, standards, and/or cooperative technologies to make user identity and entitlements portable between the organizations. Communications are redirected through a client in one realm to obtain a security token that can allow the resource server in the other realm to authenticate the user for access to the Web application.
28 Claims
1. A method comprising: the steps set out in full under First Claim above. Dependent claims: 2–11.
12. A method comprising:
under control of one or more processors configured with executable instructions;
receiving a resource challenge from a resource server of a resource realm through a Web-based client of an account realm, the resource challenge being generated responsive to a request for access to a Web application provided by the resource server, and the resource realm and the account realm sharing a trust policy in a federation;
sending a security token service challenge to an account security token service module of the account realm through the Web-based client, responsive to receiving the resource challenge, the security token service challenge including parameters indicating a requested action, a name of the resource realm, resource information as a pass-through parameter, and a trust policy uniform resource identifier (URI) that identifies preferences for a token to be issued to the resource security token service;
verifying whether an account security token received from the account security token service module through the Web-based client is correctly formatted in accordance with the trust policy in the federation;
responsive to verifying that the account security token is correctly formatted in accordance with the trust policy in the federation, generating by the resource security token service module, a resource security token;
formatting the resource security token based on whether the resource realm and the account realm are the same, wherein the resource security token service module formats the resource security token based on account credentials of the client in response to determining that the resource realm and the account realm are the same; and the resource security token service module formats the resource security token based on the account security token in response to determining that the resource realm and the account realm are not the same; and
sending the resource security token generated by the resource security token service module through the Web-based client to the resource server, the resource security token enabling the resource server to authenticate the client for access to the Web application.
Dependent claims: 13–27.

28. A system comprising:
a resource realm, the resource realm comprising:
a resource realm processor; and
a resource security token service module, executed by the resource realm processor, the resource security token service module sharing with a resource server hosting a Web application, a symmetric key or trusted signatures created with a resource security token private key;
wherein:
responsive to receiving a resource challenge from the resource server through a Web-based client of an account realm of a client which sends a request to access the Web application of the resource server, the resource security token service module is configured to generate a security token service challenge, and transmit the security token service challenge through the Web-based client to an account security token service module of the account realm, the account realm sharing a trust policy in a federation with the resource realm, and the security token service challenge including parameters indicating a requested action, a name of the resource realm, resource information as a pass-through parameter, and a trust policy uniform resource identifier (URI) that identifies preferences for a token to be issued to the resource security token service;
responsive to receiving an account security token from the account security token service module upon authenticating the client, the resource security token service module is further configured to:
verify the account security token by determining whether a format of the account security token is correctly formatted in accordance with the trust policy in the federation;
generate a resource security token responsive to determining that the format of the account security token is correctly formatted in accordance with the trust policy in the federation, the resource security token enabling the resource server to authenticate the user for access to the Web application;
format the resource security token based on whether the resource realm and the account realm are the same, wherein the resource security token service module formats the resource security token based on account credentials of the user in response to determining that the resource realm and the account realm are the same; and the resource security token service module formats the resource security token based on the account security token in response to determining that the resource realm and the account realm are not the same; and
transmit the resource security token to the resource server, the resource security token enabling the resource server to authenticate the client for access to the Web application.
Specification