Single sign on with proxy services
First Claim
1. A machine-implemented method to execute on a machine, comprising:
receiving, by the machine, an authentication request from a principal, the request directed by the principal to an external service and intercepted by the method for receipt;
authenticating, by the machine, the principal; and
supplying, by the machine, an authentication message for use by an identity service on behalf of the principal, the authentication message serves as a new authentication request and as a new authentication response for single sign-on access of the principal to the identity service and other services external or internal to the identity service, the identity service acts as a proxy for access sessions to the other services on behalf of the principal, the principal's access sessions occur indirectly through the identity service and transparently to the principal, wherein the authentication message includes the new authentication request made on behalf of the principal and the authentication message also includes a new authentication response that satisfies the new authentication request, that response vouches for authentication of the principal to the identity service for the single sign-on access of the principal, the principal believing interactions are with the external service, which is one of the other services that the identity service controls access to, and a determination as to whether to use a single interaction or multiple interactions for authentication of the principal to the other services is automatically communicated in the new authentication response.
Abstract
Techniques for proxying services with single sign-on are provided. A principal authenticates to a first identity service. The first identity service is in a trusted relationship with a second identity service. An authentication request is sent to the second identity service, and the request includes an authentication response supplied by the first identity service in response to successful authentication of the principal to the first identity service. In response to the authentication request and the accompanying response, the principal is authenticated for access to the second identity service. Furthermore, targeted services accessible to the second identity service are proxied from and to the principal during interactions between the principal and an external service of that principal.
17 Claims
8. A machine-implemented method to execute on a machine, comprising:
receiving, by the machine, an authentication request and an authentication response as a single sign-on transaction from a principal, the authentication request and the authentication response are received indirectly from the principal via an original identity service acting as a proxy on behalf of the principal and actions of that original identity service are transparent to the principal and the authentication response produced by that original identity service to authenticate the principal for the single sign-on transaction, the authentication request and the authentication response produced by the original identity service are different from that which was originally provided by the principal to the original identity service and the authentication request and the authentication response are made on behalf of the principal once the principal is authenticated by the original identity service;
detecting, by a machine and from an identity service, an instruction, which is represented in the authentication response, the identity service is different from the original identity service, and the identity service and the original identity service are in a secure relationship with one another; and
taking, by the machine, an action in response to the instruction to authenticate the principal for access to targeted services, access to the target services occur via proxied sessions through the identity service and transparent to the principal, wherein the action taken is dynamic and a real-time evaluation of policies processed by the identity service.
14. A machine-implemented method to execute on a machine, comprising:
receiving, by the machine, a request for access from a principal, the request includes a first authentication token, the first authentication token indicating the principal is currently already authenticated to a first identity service and a second authentication token indicating the principal is also currently already authenticated to a second identity service, the principal authenticates to the second identity service via the first authentication token because the first identity service is in a secure relationship with the second identity service and the second identity service relies on the first authentication token to automatically issue the second authentication token, and the second authentication token identifies the principal indicating that the first identity service can permissibly designate the principal for access to a targeted service controlled by the second identity service;
acquiring, by the machine, a service token for the targeted service that can be made accessible to the first identity service; and
supplying, by the machine, the first identity service with the service token for accessing the targeted service, the first identity service passes the service token to the principal thereby making the targeted service accessible from and to the principal from the first identity service acting as a proxy for features of the target service and using the service token, the first identity service proxies the target service to the principal while the principal believes that the principal is directly interacting with the target service, the target service was originally just accessible from an environment associated with the second identity service but is made available outside that environment by the second identity service providing proxy services to the first identity service and the first identity service provides to the principal.