Authenticating and communicating verifiable authorization between disparate network domains

US 8,499,339 B2
Filed: 08/17/2007
Issued: 07/30/2013
Est. Priority Date: 08/28/2002
Status: Expired due to Fees

First Claim

Patent Images

1. A method for a user to access a secure Internet site of a specified vendor, utilizing user credential data and other user data and without passing a user ID and password to the secure Internet site, the method comprising the steps of:

receiving a request from a user computer system via an intranet, to an authentication server for access to a secure Internet site for a specified transaction with a specified vendor;

maintaining in a database, an ID for the specified vendor and specific requirements of the specified vendor;

the authentication server creating a web page for the specified vendor using said specific requirements, and sending said web page to the user computer system;

receiving, by the authentication server, from said user computer system via the intranet, said web page, said web page comprising user provided user credential data;

the authentication server checking the user credential data of the user including a user ID and password according to a first predetermined plan to determine that the user is permitted access to said secure Internet site;

said authentication server authorizing said user to access the secure Internet site to transmit the specified transaction thereat based on said user credential data permitting said access;

said authentication server creating a digitally signed request comprising said other user data for said authorized user according to a second predetermined plan;

transmitting said digitally signed request over the intranet from the authentication server to the user computer system, for forwarding, by said user computer system, to a vendor server at said secure internet site, said digitally signed request over the Internet;

verifying the validity of said digitally signed request including receiving said digitally signed request from the vendor server at the secure Internet site, at a third, verification service, separate from the vendor server;

said verification service determining whether said digitally signed request is valid and thereby determining whether said specified transaction is authorized; and

based on said digitally signed request being valid, the verification service informing the vendor server that the user is authorized for the specified transaction, and the authorized user obtains access to the secure Internet site for the authorized specified transaction without passing the user credential data to the secure Internet site and without giving the secure Internet site access to the authentication server.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Verifiable authentication credentials are provided to foreign systems without passing an id and password to the protected resource. A user wishing to access a secure remote site is prompted for credentials, the credentials are authenticated locally and a digitally signed token is created. The token is redirected to the secure remote site by the user'"'"'s browser using HTTP redirection. The digital signature is verified by the secure remote site preferably by a digital signature web service. The remote site establishes communications with the user if the digital signature is valid.

75 Citations

View as Search Results

20 Claims

1. A method for a user to access a secure Internet site of a specified vendor, utilizing user credential data and other user data and without passing a user ID and password to the secure Internet site, the method comprising the steps of:
- receiving a request from a user computer system via an intranet, to an authentication server for access to a secure Internet site for a specified transaction with a specified vendor;
  
  maintaining in a database, an ID for the specified vendor and specific requirements of the specified vendor;
  
  the authentication server creating a web page for the specified vendor using said specific requirements, and sending said web page to the user computer system;
  
  receiving, by the authentication server, from said user computer system via the intranet, said web page, said web page comprising user provided user credential data;
  
  the authentication server checking the user credential data of the user including a user ID and password according to a first predetermined plan to determine that the user is permitted access to said secure Internet site;
  
  said authentication server authorizing said user to access the secure Internet site to transmit the specified transaction thereat based on said user credential data permitting said access;
  
  said authentication server creating a digitally signed request comprising said other user data for said authorized user according to a second predetermined plan;
  
  transmitting said digitally signed request over the intranet from the authentication server to the user computer system, for forwarding, by said user computer system, to a vendor server at said secure internet site, said digitally signed request over the Internet;
  
  verifying the validity of said digitally signed request including receiving said digitally signed request from the vendor server at the secure Internet site, at a third, verification service, separate from the vendor server;
  
  said verification service determining whether said digitally signed request is valid and thereby determining whether said specified transaction is authorized; and
  
  based on said digitally signed request being valid, the verification service informing the vendor server that the user is authorized for the specified transaction, and the authorized user obtains access to the secure Internet site for the authorized specified transaction without passing the user credential data to the secure Internet site and without giving the secure Internet site access to the authentication server.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method according to claim 1 wherein said Internet site comprises world wide web pages.
  - 3. A method according to claim 1, further comprising the step of:
    - said vendor server establishing a communication session with said user computer system based on said digitally signed request being valid.
  - 4. The method according to claim 3 wherein a given digital signature is used to create said digitally signed request, and said verifying step comprises the further steps of:
    - sending said digital signature to the verification service at a verification Internet site; and
      
      the vendor server receiving an indication of the validity of said digital signature from said verification Internet site.
  - 5. The method according to claim 1 wherein said checking user credential data step further comprises the steps of:
    - checking said user credential data against data in a common directory;
      
      creating a token message;
      
      creating a redirect URL to the secure Internet site; and
      
      communicating the redirect URL to a user browser.
  - 6. The method according to claim 5 wherein said token message comprises any one of XML data, an expiration field or unique user information.
  - 7. The method according to claim 5 wherein said redirect URL is digitally signed.

8. A system for a user to access a secure Internet site, the system utilizing user credential data and other user data, the system comprising:
- an authentication server for receiving from a user at a user computer system, via an intranet, a request for access to a secure Internet site for a specified transaction with a specified vendor;
  
  a database holding an ID for the specified vendor and specific requirements of the specified vendor;
  
  said authentication server creating a web page for the vendor using said specific requirements, and sending said web page to the user computer system;
  
  wherein user credential data is added to said web page and said web page is sent, with said user credential data, to the authentication server via said intranet;
  
  the authentication server checking the user credential data according to a first predetermined plan, and authorizing said user to access the secure Internet site to transact a specified transaction thereat based on said user credentials permitting said access;
  
  said authentication server creating a digitally signed request comprising said other user data for said authorized user according to a second predetermined plan;
  
  transmitting said digitally signed request over the intranet from the authentication server to the user computer system for forwarding, by said user computer system, to a vendor server at said secure internet site, said digitally signed request over the Internet;
  
  a verification service, separate from the vendor server, receiving the digitally signed request from the vendor server at the secure Internet site to determine whether said digitally signed request is valid and thereby to determine whether said specified transaction is authorized; and
  
  wherein;
  
  based on said digitally signed request being valid, the verification service informs the vendor server that the user is authorized for the specified transaction, and the authorized user obtains access to the secure Internet site for the authorized specified transaction without passing the user credential data to the secure Internet site and without giving the secure Internet site access to the authentication server.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system according to claim 8 wherein said Internet site comprises world wide web pages.
  - 10. The system according to claim 8, wherein:
    - the vendor server establishes a communication session with said user computer system based on said digitally signed request being valid.
  - 11. The system according to claim 10 wherein a given digital signature is used to create the digitally signed request, and wherein:
    - the vendor server sends said digital signature to the verification service at a verification Internet site; and
      
      the vendor server receives an indication of the validity of said digital signature from said verification Internet site.
  - 12. The system according to claim 8 wherein said authentication server comprises:
    - a user checker checking said user credentials against data in a common directory;
      
      a token generator creating a token message;
      
      a redirection creator creating a redirect URL to the secure Internet site; and
      
      a redirect communicator communicating the redirect URL to a user browser.
  - 13. The system according to claim 12 wherein said token message comprises any one of XML data, an expiration field or unique user information.
  - 14. The system according to claim 12 wherein said redirect URL is digitally signed.

15. A computer program product for a user to access a secure Internet site, the computer program product utilizing user credential data and other user data, the computer program product comprising a tangible computer readable device having computer readable program code tangibly embodied therein, the computer program product comprising:
- computer readable program code for using an authentication server for receiving from a user computer system, a request from a user, via an intranet, for access to a secure Internet site for a specified transaction with a specified vendor;
  
  computer readable program code for using the authentication server for creating a web page for the specified vendor using specific requirements of said specified vendor, and sending said web page to the user computer system;
  
  computer readable program code for receiving, by the authentication server, from said user computer system via the intranet, said web page, said web page comprising user provided user credential data;
  
  computer readable program code for using the authentication server for authorizing said user to access the secure Internet site to transact the specified transaction thereat based on said user credentials permitting said access;
  
  computer readable program code for using the authentication server for creating a digitally signed request comprising said other user data for said authorized user according to a second predetermined plan;
  
  computer readable program code for transmitting said digitally signed request over the intranet from the authentication server to the user computer system, for forwarding, by said user computer system, to a vendor server at said secure internet site, said digitally signed request over the Internet;
  
  computer readable program code for receiving said request from the vendor server at the secure Internet site, at a verification service separate from the vendor server, to determine whether said digitally signed request is valid and thereby to determine whether said specified transaction is authorized; and
  
  computer readable program code for informing the vendor server, based on said digitally signed request being valid, that the user is authorized for the specified transaction, and the authorized user obtains access to the secure Internet site for the authorized specified transaction without passing the user credential data to the secure Internet site and without giving the secure Internet site access to the authentication server.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer program product according to claim 15 wherein said Internet site comprises world wide web pages.
  - 17. A computer program product according to claim 15, further comprising:
    - computer readable program code for establishing a communication session between the vendor server and said user computer system based on said digitally signed request being valid.
  - 18. The computer program product according to claim 17 wherein a given digital signature is used to create the digitally signed request, and the computer program product further comprises:
    - computer readable program code for sending said digital signature to the verification service at a verification Internet site; and
      
      computer readable program code for enabling the vendor server to receive an indication of the validity of said digital signature from said verification Internet site.
  - 19. The computer program product according to claim 15, further comprising:
    - computer readable program code for checking said user credentials against data in a common directory;
      
      computer readable program code for creating a token message;
      
      computer readable program code for creating a redirect URL to the secure Internet site; and
      
      computer readable program code for communicating the redirect URL to a user browser.
  - 20. The computer program product according to claim 19 wherein said redirect URL is digitally signed.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Chao, Li-Lung, Goodman, Brian D., Kebinger, James K.
Primary Examiner(s)
Barron, Jr., Gilberto
Assistant Examiner(s)
Ho, Virginia T

Application Number

US11/840,684
Publication Number

US 20070289004A1
Time in Patent Office

2,174 Days
Field of Search

726/2, 726/4, 726/5, 726/10, 726/8, 705/75, 705/77, 705/78
US Class Current

726/5
CPC Class Codes

H04L 2209/68   Special signature format, e...

H04L 63/08   for authentication of entit...

H04L 63/12   Applying verification of th...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3247   involving digital signatures

Authenticating and communicating verifiable authorization between disparate network domains

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

75 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Authenticating and communicating verifiable authorization between disparate network domains

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

75 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others