Single sign-on system for shared resource environments

US 8,255,984 B1
Filed: 07/01/2010
Issued: 08/28/2012
Est. Priority Date: 07/01/2009
Status: Active Grant

First Claim

Patent Images

1. A method of employing single sign-on in shared services environments, the method comprising:

by a broker server system comprising computer hardware;

receiving credentials from a client system, the credentials corresponding to a user of the client system;

authenticating, using the credentials, an identity of the user with an authentication server;

storing the credentials in a security cookie;

communicating to the client a list of one or more authorized resources that the client system is permitted to access;

receiving a request from the client system to access a target resource from the one or more authorized resources, the target resource comprising one of a virtual desktop and a terminal server;

generating a ticket comprising an identifier of the security cookie and network connectivity information for the target resource;

providing to the client system an identifier of the ticket;

providing to the client system the network connectivity information for the target resource;

receiving the ticket from the target resource, the ticket having been provided to the target resource from the client system; and

sending the credentials to the target resource in response to receiving the ticket from the target resource to thereby enable the target resource to authenticate the client system, wherein the ticket enables the client system to authenticate to the target resource without storing the user credentials and connection information on the client system.

View all claims

18 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for enhancing security of single sign-on are described. These systems and methods can reduce the amount of sensitive information stored on a client device while still providing single sign-on access to shared resources such as virtual desktops or Terminal Servers. For example, storage of authentication information on client devices can be avoided while still allowing client devices to connect to the shared resources. Instead, such information can be stored at a broker server that brokers connections from client devices to the shared resources. The broker server can facilitate more secure single sign-on by providing a single-use ticket to a client device that authenticates with the broker server. The client device can use this single-use ticket to authenticate with a shared resource.

Citations

18 Claims

1. A method of employing single sign-on in shared services environments, the method comprising:
- by a broker server system comprising computer hardware;
  
  receiving credentials from a client system, the credentials corresponding to a user of the client system;
  
  authenticating, using the credentials, an identity of the user with an authentication server;
  
  storing the credentials in a security cookie;
  
  communicating to the client a list of one or more authorized resources that the client system is permitted to access;
  
  receiving a request from the client system to access a target resource from the one or more authorized resources, the target resource comprising one of a virtual desktop and a terminal server;
  
  generating a ticket comprising an identifier of the security cookie and network connectivity information for the target resource;
  
  providing to the client system an identifier of the ticket;
  
  providing to the client system the network connectivity information for the target resource;
  
  receiving the ticket from the target resource, the ticket having been provided to the target resource from the client system; and
  
  sending the credentials to the target resource in response to receiving the ticket from the target resource to thereby enable the target resource to authenticate the client system, wherein the ticket enables the client system to authenticate to the target resource without storing the user credentials and connection information on the client system.
- View Dependent Claims (2, 3)
- - 2. The method of claim 1, further comprising deleting the ticket, such that the ticket is valid for a single use by the client system.
  - 3. The method of claim 1, wherein the authentication server comprises an active directory server.

4. A method of employing single sign-on in shared services environments, the method comprising:
- by a broker server comprising computer hardware;
  
  receiving authentication information of a user from a client system;
  
  authenticating, using the authentication information, an identity of the user with an authentication server;
  
  communicating to the client system a list of one or more authorized resources that the client system is permitted to access;
  
  receiving a request from the client system to access a target resource from the one or more authorized resources, wherein the target resource comprises one of a virtual desktop and a terminal server;
  
  generating a ticket comprising a reference to the authentication information;
  
  providing the ticket to the client system, wherein the client system is enabled to provide the ticket to the target resource to obtain access to the target resource;
  
  subsequent to the ticket being sent from the client system to the target resource, receiving the ticket from the target resource; and
  
  sending the authentication information to the target resource in response to receiving the ticket from the target resource, wherein the ticket enables the client system to authenticate to the target resource without storing user credentials and connection information on the client system.
- View Dependent Claims (5, 6, 7, 8, 9)
- - 5. The method of claim 4, wherein the ticket further comprises connection information for the target resource.
  - 6. The method of claim 5, wherein the authentication information comprises one or more of the following:
    - credentials, a Kerberos ticket, and NT Lan Manager (NTLM) authentication information.
  - 7. The method of claim 6, wherein the credentials comprise a username, a password, and a domain name associated with the client system.
  - 8. The method of claim 4, wherein the ticket is valid for a single use by the client system.
  - 9. The method of claim 4, wherein the ticket is configured to expire beyond a specified time frame.

10. A method of employing single sign-on in shared services environments, the method comprising:
- by a client system comprising computer hardware;
  
  requesting access to a shared resource comprising one of a virtual desktop and a terminal server, said requesting comprising sending authentication information of a user to a broker server configured to allocate the target resource to the client system;
  
  receiving from the broker server a list of one or more authorized shared resources that the client system is permitted to access;
  
  sending a request to the broker server for access to a target resource from the list of one or more authorized shared resources;
  
  receiving a single-use ticket comprising an identifier to a security cookie created by the broker server, the security cookie comprising the user credentials and connection information for the target resource;
  
  initiating a connection with the broker server to obtain connectivity information for the target resource without storing the single-use ticket at the client system; and
  
  in response to receiving the connectivity information for the target resource, communicating the single-use ticket to the target resource to obtain access to the target resource.
- View Dependent Claims (11, 12, 13)
- - 11. The method of claim 10, wherein the single-use ticket is configured to expire after a single authentication to the target server by the client system.
  - 12. The method of claim 10, wherein the method enables the client system to have single sign-on access to the target resource from outside a network domain associated with the broker server.
  - 13. The method of claim 12, wherein the authentication information comprises one or more of the following:
    - credentials, a Kerberos ticket, and NT Lan Manager (NTLM) authentication information.

14. A system for employing single sign-on in shared services environments, the system comprising:
- a broker server comprising computer hardware, the broker server programmed to implement;
  
  a credential manager configured to;
  
  receive authentication information from a client system, the authentication information corresponding to a user of the client system, andauthenticate an identity of the user with an authentication server using the authentication information;
  
  a resource manager configured to communicate to the client system a list of one or more authorized resources that the client system is permitted to access; and
  
  a ticket manager configured to;
  
  receive a request from the client system to access a target resource from the one or more authorized resources, wherein the target resource comprises one of a virtual desktop and a terminal server, andprovide to the client system a ticket comprising a reference to the authentication information, wherein the ticket enables the client system to authenticate to the target resource without storing user credentials and connection information on the client system.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The system of claim 14, wherein the ticket manager is further configured to negotiate a connection with the target resource and receive the ticket from the target resource, the ticket having been provided to the target resource from the client system.
  - 16. The system of claim 15, wherein the credentials manager is further configured to send the credentials to the target resource in response to the ticket manager receiving the ticket from the target resource to thereby enable the target resource to authenticate the client system.
  - 17. The system of claim 14, wherein the ticket manager is further configured to destroy the ticket after a single use of the ticket by the client system.
  - 18. The system of claim 14, wherein the ticket manager is further configured to establish an expiration time for the ticket.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Dell Products LP (Dell Technologies Inc.)
Original Assignee
Quest Software, Inc.
Inventors
Ghostine, Peter E., McDonald, Michael
Primary Examiner(s)
Gergiso, Techane

Application Number

US12/829,239
Time in Patent Office

789 Days
Field of Search

726/8, 713/168, 709/217
US Class Current

726/8
CPC Class Codes

G06F 21/41   where a single sign-on prov...

G06F 21/62   Protecting access to data v...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 63/1491   using deception as counterm...

H04L 63/30   for supporting lawful inter...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3228   One-time or temporary data,...

Single sign-on system for shared resource environments

First Claim

18 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Single sign-on system for shared resource environments

First Claim

18 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links