System and method of providing credentials in a network
Abstract
A method and system are provided for single sign-on (SSO) functionality in a network that avoids storing a user's credentials in persistent storage. A session may be initiated with a portal, which sends a session ID derivative as a credential string, instead of the user's password, to a target application. When the target application attempts to authenticate the user by sending a request to an LDAP directory, the request is intercepted by an LDAP proxy: the UserID is validated with the LDAP directory, and the password is validated by a credential validator component which verifies with the portal that the credential string presented as the user password was produced from the active session ID. In an embodiment, the credential string validator validates each short-lived credential only once and, upon detecting a second validation request for the same string, initiates a security breach process. A target application proxy may also be employed to terminate all sessions with the UserID when duplicate session requests occur.
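The abstract and the claims describe one protocol: the portal keeps the password, issues a fresh session-ID-derived credential string for every access request, the LDAP proxy checks the UserID against the directory and sends the credential string back to the portal, and the validator accepts each string once and treats a second validation as a breach. The following is an added illustration of that flow, not code from the patent or any product; it assumes the "encrypted hash" is an HMAC-SHA256 over a random nonce and the session ID under a portal-only key, a 30-second credential lifetime, an in-memory set of UserIDs standing in for the LDAP directory, and the constructed user `alice`.

```python
import hashlib
import hmac
import secrets


class Portal:
    """Holds passwords and sessions, issues and validates credential strings (assumed design)."""

    def __init__(self, key: bytes, ttl: float = 30.0):
        self._key = key        # portal-only secret for the keyed hash (assumption)
        self._ttl = ttl        # credential lifetime in seconds (assumption)
        self._users = {}       # userid -> (salt, pbkdf2 digest); never leaves the portal
        self._sessions = {}    # session_id -> userid
        self._issued = {}      # nonce hex -> [session_id, issued_at, already_validated]
        self.breaches = []     # userids for which the breach process was triggered

    @staticmethod
    def _kdf(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, userid: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[userid] = (salt, self._kdf(password, salt))

    def login(self, userid: str, password: str):
        """The only place the password is checked; returns a session ID or None."""
        rec = self._users.get(userid)
        if rec is None:
            return None
        salt, digest = rec
        if not hmac.compare_digest(digest, self._kdf(password, salt)):
            return None
        session_id = secrets.token_hex(16)
        self._sessions[session_id] = userid
        return session_id

    def issue_credential(self, session_id: str, now: float):
        """New credential string per access request: hex(nonce || HMAC(key, nonce || session_id))."""
        userid = self._sessions[session_id]  # KeyError if the session is not active
        nonce = secrets.token_bytes(16)
        mac = hmac.new(self._key, nonce + session_id.encode(), hashlib.sha256).digest()
        self._issued[nonce.hex()] = [session_id, now, False]
        return userid, (nonce + mac).hex()

    def validate_credential(self, userid: str, credential: str, now: float) -> str:
        """Credential validator: accepts a string once; a second request starts the breach process."""
        try:
            raw = bytes.fromhex(credential)
        except ValueError:
            return "malformed"
        if len(raw) != 48:
            return "malformed"
        nonce, mac = raw[:16], raw[16:]
        rec = self._issued.get(nonce.hex())
        if rec is None:
            return "unknown"
        session_id, issued_at, used = rec
        expected = hmac.new(self._key, nonce + session_id.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return "forged"
        if used:                      # same string presented twice
            self._breach(userid)
            return "replay"
        if now - issued_at > self._ttl:
            return "expired"
        if self._sessions.get(session_id) != userid:
            return "no-session"
        rec[2] = True                 # consume the credential
        return "ok"

    def _breach(self, userid: str) -> None:
        """Breach process: record the event and terminate every session of the UserID."""
        self.breaches.append(userid)
        for sid in [s for s, u in self._sessions.items() if u == userid]:
            del self._sessions[sid]

    def has_session(self, session_id: str) -> bool:
        return session_id in self._sessions


class LdapProxy:
    """Intercepts the target application's bind: UserID goes to the directory, the string to the portal."""

    def __init__(self, directory: set, portal: Portal):
        self._directory = directory   # constructed stand-in for the LDAP directory
        self._portal = portal

    def authenticate(self, userid: str, credential: str, now: float) -> bool:
        if userid not in self._directory:
            return False
        return self._portal.validate_credential(userid, credential, now) == "ok"


def run_demo() -> dict:
    """Walks through first use, replay, expiry, wrong user and a tampered string."""
    portal = Portal(key=secrets.token_bytes(32), ttl=30.0)
    portal.register("alice", "constructed-password")        # constructed test user
    proxy = LdapProxy(directory={"alice", "bob"}, portal=portal)
    results = {}
    sid = portal.login("alice", "constructed-password")
    userid, cred = portal.issue_credential(sid, now=1000.0)
    results["first"] = proxy.authenticate(userid, cred, now=1001.0)
    results["replay"] = proxy.authenticate(userid, cred, now=1002.0)
    results["breach_count"] = len(portal.breaches)
    results["session_alive"] = portal.has_session(sid)
    sid2 = portal.login("alice", "constructed-password")
    _, cred2 = portal.issue_credential(sid2, now=2000.0)
    results["expired"] = proxy.authenticate("alice", cred2, now=2031.0)
    _, cred3 = portal.issue_credential(sid2, now=3000.0)
    results["wrong_user"] = proxy.authenticate("bob", cred3, now=3001.0)
    tampered = cred3[:-2] + ("00" if cred3[-2:] != "00" else "ff")
    results["forged"] = proxy.authenticate("alice", tampered, now=3001.0)
    return results


if __name__ == "__main__":
    print(run_demo())
```

The validator checks replay before expiry so that a reused string is reported as a breach even after its lifetime has passed, and only a fully successful validation marks the string as consumed, so a failed attempt by another UserID does not burn the legitimate user's credential.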
21 Claims
1. A method for authentication in a network, the method comprising:
- creating a credential string on a portal server, the credential string being an encrypted hash of a session ID;
- sending a UserID associated with the session ID and the credential string to a software application from the portal server, while maintaining the user password on the portal server and avoiding exposing the user password to network resources beyond the portal server;
- receiving a confirmation request from the software application to an LDAP proxy while maintaining the user password on the portal server such that the user password is not required to authenticate the User ID, the confirmation request including the credential string; and
- sending a response from the LDAP proxy in reply to the confirmation request to validate the credential string to authenticate the UserID, wherein:
- user access to the software application is linked to the portal server without re-entering software application information including a username and password during a session initiated by a successful authentication; and
- a new credential string is generated by the portal server for each request to access the software application.
Dependent claims: 2, 3, 4, 5, 6, 7.
8. A method for authenticating a user request for a software application, the method comprising:
- receiving a UserID and a credential string at an authentication proxy server, the credential string being an encrypted hash of a session ID, which is created at a portal;
- sending a confirmation request from the authentication proxy to the portal while maintaining the user password on the portal and avoiding exposing the user password to network resources beyond the portal, the confirmation request including the credential string;
- receiving a response at the authentication proxy for the confirmation request while maintaining the user password on the portal such that the user password is not required to authenticate the User ID; and
- validating the UserID using a lightweight directory access protocol (LDAP) lookup request and the response, wherein:
- user access to a software application is linked to the portal without re-entering software application information including a username and password during a session initiated by a successful authentication; and
- a new credential string is generated by the portal for each request to access the software application.
Dependent claims: 9, 10, 11.
12. A system for authenticating a session stored on a computer readable storage memory device, comprising computer readable program code, comprising:
- an authentication proxy which receives requests to authenticate a UserID and a credential string, the credential string being an encrypted hash of a session ID and created on a portal; and
- a credential string validation component which receives requests to validate the credential string while maintaining a user password on the portal such that the user password is not required to validate the credential string, wherein:
- the credential string validation component checks whether the credential string has been previously received for validation within a predetermined time period while maintaining the user password on the portal and avoiding exposing the user password to network resources beyond the portal;
- user access to a software application is linked to the portal without re-entering software application information including a username and password during a session initiated by a successful authentication; and
- a new credential string is generated by the portal for each request to access the software application.
Dependent claims: 13, 14, 15, 16, 17, 19, 20, 21.
18. A computer program product comprising a computer usable memory device having readable program code embodied in the memory device, the computer program product including at least one program code to:
- create a credential string on a portal server, the credential string being an encrypted hash of a session ID;
- send a UserID associated with the session ID and the credential string to a software application from the portal server, while maintaining the user password on the portal server and avoiding exposing the user password to network resources beyond the portal server;
- receive a confirmation request from the software application to an LDAP proxy while maintaining the user password on the portal server such that the user password is not required to authenticate the User ID, the confirmation request including the credential string; and
- send a response from the LDAP proxy in reply to the confirmation request to validate the credential string to authenticate the UserID, wherein:
- user access to the software application is linked to the portal server without re-entering software application information including a username and password during a session initiated by a successful authentication; and
- a new credential string is generated by the portal server for each request to access the software application.