System and method of providing credentials in a network

US 8,364,957 B2
Filed: 03/02/2004
Issued: 01/29/2013
Est. Priority Date: 03/02/2004
Status: Expired due to Fees

First Claim

Patent Images

1. A method for authentication in a network, the method comprising:

creating a credential string on a portal server, the credential string being an encrypted hash of a session ID;

sending a UserID associated with the session ID and the credential string to a software application from the portal server, while maintaining the user password on the portal server and avoiding exposing the user password to network resources beyond the portal server;

receiving a confirmation request from the software application to an LDAP proxy while maintaining the user password on the portal server such that the user password is not required to authenticate the User ID, the confirmation request including the credential string; and

sending a response from the LDAP proxy in reply to the confirmation request to validate the credential string to authenticate the UserID, wherein;

user access to the software application is linked to the portal server without re-entering software application information including a username and password during a session initiated by a successful authentication; and

a new credential string is generated by the portal server for each request to access the software application.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system is provided to provide single sign on (SSO) functionality in a network that avoids storing a user'"'"'s credentials in persistent storage. A session may be initiated with a portal which sends a session ID derivative as a credential string instead of a user'"'"'s password to a target application. When the target application attempts to authenticate the user, by sending a request to a LDAP directory, the request is intercepted by a LDAP proxy that instead validates the UserID with the LDAP directory and the password is validated by a credential validator component which verifies with the portal that the credential string presented as the user password has been produced from the active session ID. In an embodiment, the credential string validator validates each short-living credential only once and upon detecting a second validation request for the same string, initiates a security breech process. A target application proxy may also be employed to terminate all sessions with the UserID when duplicate session requests occur.

Citations

21 Claims

1. A method for authentication in a network, the method comprising:
- creating a credential string on a portal server, the credential string being an encrypted hash of a session ID;
  
  sending a UserID associated with the session ID and the credential string to a software application from the portal server, while maintaining the user password on the portal server and avoiding exposing the user password to network resources beyond the portal server;
  
  receiving a confirmation request from the software application to an LDAP proxy while maintaining the user password on the portal server such that the user password is not required to authenticate the User ID, the confirmation request including the credential string; and
  
  sending a response from the LDAP proxy in reply to the confirmation request to validate the credential string to authenticate the UserID, wherein;
  
  user access to the software application is linked to the portal server without re-entering software application information including a username and password during a session initiated by a successful authentication; and
  
  a new credential string is generated by the portal server for each request to access the software application.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the encrypted hash of the session ID is a derivate of the session ID.
  - 3. The method of claim 1, further comprising the steps of:
    - performing a lightweight directory access protocol (LDAP) lookup using the UserID; and
      
      if the LDAP lookup confirms the UserID and the response validates the credential string, returning a successful authentication reply to the software application for establishing a session associated with the session ID, otherwise sending an unsuccessful authentication reply to the software application.
  - 4. The method of claim 1, wherein the sending of a UserID and the credential string avoids at least one of sending a user'"'"'s password outside of a portal server and storing the password in persistent memory.
  - 5. The method of claim 1, further comprising the steps of:
    - sending the UserID associated with the session ID and the credential string to a software application proxy;
      
      checking whether the session ID and the credential string have been previously received within a predetermined time period; and
      
      if affirmative, initiating a security breach procedure.
  - 6. The method of claim 5, wherein the security breach procedure causes the termination of any session associated with the UserID.
  - 7. The method of claim 1, wherein the receiving step and sending a response step is performed by an authentication proxy.

8. A method for authenticating a user request for a software application, the method comprising:
- receiving a UserID and a credential string at an authentication proxy server, the credential string being an encrypted hash of a session ID, which is created at a portal;
  
  sending a confirmation request from the authentication proxy to the portal while maintaining the user password on the portal and avoiding exposing the user password to network resources beyond the portal, the confirmation request includes the credential string;
  
  receiving a response at the authentication proxy for the confirmation request while maintaining the user password on the portal such that the user password is not required to authenticate the User ID; and
  
  validating the UserID using a light weight directory access protocol (LDAP) lookup request and the response, wherein;
  
  user access to a software application is linked to the portal without re-entering software application information including a username and password during a session initiated by a successful authentication; and
  
  a new credential string is generated by the portal for each request to access the software application.
- View Dependent Claims (9, 10, 11)
- - 9. The method of claim 8, further comprising providing a confirmation to the software application if the response is affirmative and the UserID is authenticated by the LDAP lookup.
  - 10. The method of claim 9, further comprising validating the confirmation request by assuring that the credential string has been received only once for confirmation at the portal, otherwise, if presented more than once, performing at least one of initiating a security breach procedure and notifying a software application proxy.
  - 11. The method of claim 8, further comprising receiving the UserID and the user password during a logon to the portal, wherein the UserID is validated in the validating step and the user password is maintained at the portal and used to process the confirmation request.

12. A system for authenticating a session stored on a computer readable storage memory device, comprising computer readable program code, comprising:
- an authentication proxy which receives requests to authenticate a UserID and a credential string, the credential string being an encrypted hash of a session ID and created on a portal; and
  
  a credential string validation component which receives requests to validate the credential string while maintaining a user password on the portal such that the user password is not required to validate the credential string,wherein;
  
  the credential string validation component checks whether the credential string has been previously received for validation within a predetermined time period while maintaining the user password on the portal and avoiding exposing the user password to network resources beyond the portal;
  
  user access to a software application is linked to the portal without re-entering software application information including a username and password during a session initiated by a successful authentication; and
  
  a new credential string is generated by the portal for each request to access the software application.
- View Dependent Claims (13, 14, 15, 16, 17, 19, 20, 21)
- - 13. The system of claim 12, wherein the authentication proxy performs lightweight directory access protocol (LDAP) lookups using the UserID and sends the credential string to the credential string validation component and receives a validation reply.
  - 14. The system of claim 13, wherein the authentication proxy sends an affirmative authentication reply to a software application when both the LDAP lookup is successful and the validation reply indicates a valid credential string.
  - 15. The system of claim 14, wherein the authentication proxy receives the UserID and credential string from a software application.
  - 16. The system of claim 12, further comprising a software application proxy which receives the UserID and the credential string and detects whether the UserID and the credential string have been previously received within a predetermined time period.
  - 17. The system of claim 12, further comprising:
    - a lightweight directory access protocol (LDAP) directory for authenticating the UserlDs and which is accessible by the authentication proxy; and
      
      a software application proxy for intercepting the UserID and the credential string sent by the portal for monitoring duplicate occurrences of the UserID and the credential string.
  - 19. The system of claim 12, wherein the UserID and the credential string are sent to a software application when the predetermined time period has elapsed.
  - 20. The system of claim 19, wherein a network security breach is initiated when a second request to validate the credential string occurs within the predetermined time period of a first request to validate the credential string.
  - 21. The system of claim 20, wherein the portal is configured to accept a logon by a user and create the credential string from an associated session ID.

18. A computer program product comprising a computer usable memory device having readable program code embodied in the memory device, the computer program product including at least one program code to:
- create a credential string on a portal server, the credential string being an encrypted hash of a session ID;
  
  send a UserID associated with the session ID and the credential string to a software application from the portal server, while maintaining the user password on the portal server and avoiding exposing the user password to network resources beyond the portal server;
  
  receive a confirmation request from the software application to an LDAP proxy while maintaining the user password on the portal server such that the user password is not required to authenticate the User ID, the confirmation request including the credential string; and
  
  send a response from the LDAP proxy in reply to the confirmation request to validate the credential string to authenticate the UserID, wherein;
  
  user access to the software application is linked to the portal server without re-entering software application information including a username and password during a session initiated by a successful authentication; and
  
  a new credential string is generated by the portal server for each request to access the software application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Andreev, Dmitry, Vilshansky, Gregory, Vishnevsky, Boris
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Tabor, Amare F

Application Number

US10/791,322
Publication Number

US 20050198501A1
Time in Patent Office

3,255 Days
Field of Search

713/168, 713/172, 713/175, 713/182, 713/185
US Class Current

713/168
CPC Class Codes

H04L 61/4523   using lightweight directory...

H04L 63/0815   providing single-sign-on or...

H04L 63/0846   using time-dependent-passwo...

System and method of providing credentials in a network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

System and method of providing credentials in a network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links