System, method and program product for consolidated authentication

US 8,219,802 B2
Filed: 05/07/2008
Issued: 07/10/2012
Est. Priority Date: 05/07/2008
Status: Active Grant

First Claim

Patent Images

1. A method for authenticating a user at a first computer to first and second applications installed in a second computer, the method comprising the steps of:

a third computer receiving from the user a valid combination of userID and password;

the second computer receiving from the user of the first computer a request to access the first application, and in response, the second computer determining that the user has not yet been authenticated to the first application, and in response, the second computer redirecting the request to the third computer, and in response, the third computer determining that the user has been authenticated to the third computer based on the userlD and password, and in response, the third computer notifying the second computer that the user is authentic, and in response, the second computer returning a session key to the third computer for a session between the first application and the user, the session key having a scope of the first application but not a scope of a domain; and

in response to the third computer receiving the session key from the second computer for the session between the user and the first application the third computer generating another session key with a scope of the domain, and the third computer sending the domain-scope session key to the first computer; and

subsequently, the second computer receiving from the user of the first computer another request with the domain-scope session key to the first application, and in response to the domain-scope session key received with the request, the second computer determining that the user is authentic and notifying the first application that the user is authentic so that the first application can respond to the first computer to the other request; and

whereinthe domain is a group of two or more applications, including the first application and the second application, which are licensed to a same entity or have a same domain name URL component, and the scope of the session key with the scope of the first application does not include the second application such that the session key with scope of the first application does not directly grant access to the second application; and

subsequently, the second computer receiving from the user of the first computer another request with the domain-scope session key to the second application, and in response to the domain-scope session key received with the request, the second computer determining that the user is authentic and notifying the second application that the user is authentic so that the second application can respond to the first computer to the other request to the second application.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A first computer sends a request to the second computer to access the application. In response, the second computer determines that the user has not yet been authenticated to the application. In response, the second computer redirects the request to a third computer. In response, the third computer determines that the user has been authenticated to the third computer. In response, the third computer authenticates the user to the application. In response, the second computer returns a session key to the third computer for a session between the application and the user. The session has a scope of the second computer or the application but not a scope of a domain. In response to the authentication of the user to the second application and receipt by the third computer of the session key from the second computer for a session between the user and the second computer or the application, the third computer generates another session key with a scope of the domain and sends the domain-scope session key to the first computer. The first computer sends another request to the application with the domain-scope session key.

Citations

6 Claims

1. A method for authenticating a user at a first computer to first and second applications installed in a second computer, the method comprising the steps of:
- a third computer receiving from the user a valid combination of userID and password;
  
  the second computer receiving from the user of the first computer a request to access the first application, and in response, the second computer determining that the user has not yet been authenticated to the first application, and in response, the second computer redirecting the request to the third computer, and in response, the third computer determining that the user has been authenticated to the third computer based on the userlD and password, and in response, the third computer notifying the second computer that the user is authentic, and in response, the second computer returning a session key to the third computer for a session between the first application and the user, the session key having a scope of the first application but not a scope of a domain; and
  
  in response to the third computer receiving the session key from the second computer for the session between the user and the first application the third computer generating another session key with a scope of the domain, and the third computer sending the domain-scope session key to the first computer; and
  
  subsequently, the second computer receiving from the user of the first computer another request with the domain-scope session key to the first application, and in response to the domain-scope session key received with the request, the second computer determining that the user is authentic and notifying the first application that the user is authentic so that the first application can respond to the first computer to the other request; and
  
  whereinthe domain is a group of two or more applications, including the first application and the second application, which are licensed to a same entity or have a same domain name URL component, and the scope of the session key with the scope of the first application does not include the second application such that the session key with scope of the first application does not directly grant access to the second application; and
  
  subsequently, the second computer receiving from the user of the first computer another request with the domain-scope session key to the second application, and in response to the domain-scope session key received with the request, the second computer determining that the user is authentic and notifying the second application that the user is authentic so that the second application can respond to the first computer to the other request to the second application.
- View Dependent Claims (2, 3)
- - 2. The method according to claim 1 wherein the step of the third computer receiving from the user a valid combination of userlD and password occurs during registration of the user with the third computer.
  - 3. The method according to claim 1 further comprising the subsequent steps of:
    - a fourth computer, having an application in the domain, receiving a request including the domain-scope session key from the user of the first computer to access the application in the fourth computer, and in response to the domain-scope session key, the fourth computer determining that the user is authentic and notifying the application in the fourth computer that the user is authentic so that the application in the fourth computer can respond to the first computer to the request to the application in the fourth computer.

4. A computer program product for authenticating a user at a first computer to first and second applications installed in a second computer, the computer program product comprising:
- one or more computer-readable tangible storage devices and program instructions stored on at least one of the one or more storage devices, the program instructions comprising;
  
  first program instructions for execution in the second computer to receive from the user of the first computer a request to access the first application, and in response, the first program instructions determine that the user has not yet been authenticated to the first application, and in response, the first program instructions redirect the request to a third computer;
  
  second program instructions for execution in the third computer, to receive from the user a valid combination of userlD and password, and responsive to the redirected request from the first program instructions, to determine that the user has been authenticated to the third computer based on the userlD and password, and in response, the second program instructions notify the first program instructions that the user is authentic; and
  
  whereinthe first program instructions, responsive to the notification from the second program instructions, return a session key to the second program instructions for a session between the first application and the user, the session key having a scope of the first application but not a scope of a domain; and
  
  the second program instructions, responsive to receipt of the session key from the first program instructions for the session between the user and the first application, generate another session key with a scope of the domain, and the second program instructions send the domain-scope session key to the first computer; and
  
  the first program instructions, responsive to subsequent receipt from the user of the first computer of another request with the domain-scope session key to the first application, determine that the user is authentic and notify the first application that the user is authentic so that the first application can respond to the other request; and
  
  whereinthe domain is a group of two or more applications, including the first application and the second application, which are licensed to a same entity or have a same domain name URL component, and the scope of the session key with the scope of the first application does not include the second application such that the session key with the scope of the first application does not directly grant access to the second application; and
  
  the first program instructions, responsive to subsequent receipt from the user of the first computer of another request with the domain-scope session key to the second application, determine that the user is authentic and notify the second application that the user is authentic so that the second application can respond to the first computer to the other request to the second application.
- View Dependent Claims (5, 6)
- - 5. The computer program product according to claim 4 wherein the second program instructions receive from the user the valid combination of userlD and password during a registration of the user with the third computer.
  - 6. The computer program product according to claim 4 further comprising:
    - third program instructions, stored on at least one of the one or more storage devices, for execution in a fourth computer having an application in the domain, to receive a request including the domain-scope session key from the user of the first computer to access the application in the fourth computer, and in response to the domain-scope session key, the third program instructions determine that the user is authentic and notify the application in the fourth computer that the user is authentic so that the application in the fourth computer can respond to the first computer to the request to the application in the fourth computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Doleh, Yaser K., Marzorati, Mauro, Kalamaras, Christopher G.
Primary Examiner(s)
Arani, Taghi
Assistant Examiner(s)
LANE, GREGORY A

Application Number

US12/116,616
Publication Number

US 20090282239A1
Time in Patent Office

1,525 Days
Field of Search

726/8, 713/155
US Class Current

713/155
CPC Class Codes

G06F 21/1012   to domains

G06F 21/335   for accessing specific reso...

G06F 21/41   where a single sign-on prov...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2115   Third party

G06F 2221/2119   Authenticating web pages, e...

H04L 63/0815   providing single-sign-on or...

H04L 63/083   using passwords cryptograph...

System, method and program product for consolidated authentication

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

6 Claims

Specification

Solutions

Use Cases

Quick Links

System, method and program product for consolidated authentication

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

6 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links