Propagation of principal authentication data in a mediated communication scenario

US 8,316,422 B2
Filed: 10/17/2006
Issued: 11/20/2012
Est. Priority Date: 10/17/2006
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, by an intermediary component that includes a processor to execute program code, a message including first authentication data and second authentication data from a sender computing system, the first authentication data being associated with a first user, the second authentication data being associated with a second user different than the first user;

performing, by the intermediary component, an authentication action based on the second authentication data received from the computing system;

mapping, by the intermediary component, the first authentication data that is from the sender computing system and associated with the first user to third authentication data that is associated with the first user but different from the first authentication data;

creating an assertion including the third authentication data and an attester certificate; and

transmitting, by the intermediary component, the assertion to a receiver computing system after performing the authentication action and without transmitting the second authentication data to the receiver computing system;

wherein the transmitting the assertion to a receiver computing system comprises;

transmitting the assertion to a receiver computing system configured to use the third authentication data to log the first user into the receiver computing system.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system may include a sender computing system, an intermediary component, and a receiver computing system. The sender computing system may transmit first authentication data and second authentication data, and the intermediary component may receive the first authentication data and second authentication data from the sender computing system, perform an authentication action based on the second authentication data, and transmit the first authentication data. The receiver computing system may receive the first authentication data.

Citations

22 Claims

1. A method comprising:
- receiving, by an intermediary component that includes a processor to execute program code, a message including first authentication data and second authentication data from a sender computing system, the first authentication data being associated with a first user, the second authentication data being associated with a second user different than the first user;
  
  performing, by the intermediary component, an authentication action based on the second authentication data received from the computing system;
  
  mapping, by the intermediary component, the first authentication data that is from the sender computing system and associated with the first user to third authentication data that is associated with the first user but different from the first authentication data;
  
  creating an assertion including the third authentication data and an attester certificate; and
  
  transmitting, by the intermediary component, the assertion to a receiver computing system after performing the authentication action and without transmitting the second authentication data to the receiver computing system;
  
  wherein the transmitting the assertion to a receiver computing system comprises;
  
  transmitting the assertion to a receiver computing system configured to use the third authentication data to log the first user into the receiver computing system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. A method according to claim 1, wherein receiving a message including the first authentication data and the second authentication data comprises:
    - receiving a message including the second authentication data and an assertion including the first authentication data, an attester'"'"'s signature of the message and an attester certificate.
  - 3. A method according to claim 2, the method further comprising:
    - determining whether the attester'"'"'s signature is valid; and
      
      determining whether the attester certificate of the assertion that includes the first authentication data is trusted.
  - 4. A method according to claim 3, wherein transmitting the assertion to a receiver computing system after performing the authentication action comprises:
    - transmitting the assertion to a receiver computing system only if the authentication action based on the second authentication data is successful, the attester'"'"'s signature of the assertion that includes the first authentication data is valid and the attester certificate of the assertion that includes the first authentication data is trusted.
  - 5. A method according to claim 1, the method further comprising:
    - processing the message prior to creating the assertion,wherein transmitting the assertion comprises transmitting the processed messages and the assertion to the receiver computing system.
  - 6. A method according to claim 1, wherein the first authentication data associated with the first user includes a username and password and wherein the second authentication data associated with the second user different than the first user includes a username and password.
  - 7. A method according to claim 1, wherein the transmitting the assertion to a receiver computing system configured to use the assertion to log the first user into the receiver computing system comprises:
    - transmitting the assertion to a receiver computing system configured to use the assertion to log the first user into the receiver computing system and to execute an application under the first user.
  - 8. A method according to claim 1, further comprising not using the first authentication data for authentication between the receiving of the message and the transmitting the assertion to the receiver computing system.

9. A non-transitory medium storing processor-executable program code, the program code comprising:
- code to receive, by an intermediary component, a message including first authentication data and second authentication data from a sender computing system, the first authentication data being associated with a first user, the second authentication data being associated with a second user different than the first user;
  
  code to perform, by the intermediary component, an authentication action based on the second authentication data received from the sender computing system;
  
  code to map, by the intermediary component, the first authentication data that is from the sender computing system and associated with the first user to third authentication data that is associated with the first user but different from the first authentication data;
  
  code to create an assertion including the third authentication data and an attester certificate; and
  
  code to transmit, by the intermediary component, the assertion to a receiver computing system after performance of the authentication action and without transmission of the second authentication data to the receiver computing system;
  
  wherein the code to transmit the assertion to a receiver computing system comprises;
  
  code to transmit the assertion to a receiver computing system configured to use the third authentication data to log the first user into the receiver computing system.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. A medium according to claim 9, wherein the code to receive a message including the first authentication data and the second authentication data comprises:
    - code to receive a message including the second authentication data and an assertion including the first authentication data, an attester'"'"'s signature of the message, and an attester certificate.
  - 11. A medium according to claim 10, the program code further comprising:
    - code to determine whether the attester'"'"'s signature is valid; and
      
      code to determine whether the attester certificate of the assertion that includes the first authentication data is trusted.
  - 12. A medium according to claim 9, the program code further comprising:
    - code to process the message prior to creating the assertion, wherein the code to transmit the assertion comprises code to transmit the processed message and the assertion to the receiver computing system.
  - 13. A medium according to claim 9, wherein the first authentication data associated with the first user includes a username and password and wherein the second authentication data associated with the second user different than the first user includes a username and password.
  - 14. A medium according to claim 9, wherein the code to transmit the assertion to a receiver computing system configured to use the assertion to log the first user into the receiver computing system comprises:
    - code to transmit the assertion to a receiver computing system configured to use the assertion to log the first user into the receiver computing system and to execute an application under the first user.
  - 15. A medium according to claim 9, the program code not comprising code to use the first authentication data for authentication between the receiving of the message and the transmitting the assertion to the receiver computing system.

16. A system comprising:
- a sender computing system to transmit a message including first authentication data and second authentication data, the first authentication data being associated with a first user, the second authentication data being associated with a second user different than the first user;
  
  an intermediary component to execute program code to receive the message including the first authentication data and second authentication data from the sender computing system, to perform an authentication action based on the second authentication data, to map the first authentication data that is from the sender computing system and associated with the first user to third authentication data that is associated with the first user but different from the first authentication data, to create an assertion including the third authentication data, an attester'"'"'s signature and an attester certificate and to transmit the assertion after performance of the authentication action and without transmission of the second authentication data; and
  
  a receiver computing system to receive the assertion transmitted by the intermediary component without transmission of the second authentication data and to use the third authentication data to log the first user into the receiver computing system.
- View Dependent Claims (17, 18, 19, 20, 21, 22)
- - 17. A system according to claim 16, wherein reception of a message including the first authentication data and second authentication data from the sender computing system comprises:
    - reception of a message including the second authentication data and an assertion including the first authentication data, an attester'"'"'s signature of the message, and an attester certificate.
  - 18. A system according to claim 17, wherein the intermediary component is to determine whether the attester'"'"'s signature of the assertion that includes the first authentication data is valid and to determine whether the attester certificate of the assertion that includes the first authentication data is trusted.
  - 19. A system according to claim 16, wherein the intermediary component is to process the message prior to creating the assertion, andwherein transmission of the assertion comprises transmission of the processed message and the assertion to the receiver computing system.
  - 20. A system according to claim 16, wherein the receiver computing system is further to execute an application under the first user.
  - 21. A system according to claim 16, wherein the intermediary component is not to use the first authentication data for authentication between the receiving of the message and the transmitting the assertion to the receiver computing system.
  - 22. A system according to claim 16, wherein the first authentication data associated with the first user includes a username and password and wherein the second authentication data associated with the second user different than the first user includes a username and password.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SAP SE
Original Assignee
SAP AG (SAP SE)
Inventors
Hofmann, Christoph H., De Boer, Martijn
Primary Examiner(s)
Shiferaw, Eleni
Assistant Examiner(s)
SIMS, JING F

Application Number

US11/582,036
Publication Number

US 20080091948A1
Time in Patent Office

2,226 Days
Field of Search

713155-159, 713168-180, 713182-186, 713/202, 709/229, 709/225, 726/8, 726 2- 6, 726/10
US Class Current

726/5
CPC Class Codes

H04L 2209/42   Anonymization, e.g. involvi...

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 9/3247   involving digital signatures

H04L 9/3263   involving certificates, e.g...

Propagation of principal authentication data in a mediated communication scenario

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Propagation of principal authentication data in a mediated communication scenario

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links