Secure authentication in browser redirection authentication schemes
Abstract
A method and apparatus for authenticating a client is described. In one embodiment, an identity provider server authenticates the client that is redirected from a relying party server. The identity provider server authenticates the client without receiving a replayable credential from the client. Upon authentication of the client, the identity provider server transmits a token of authentication to the client.
Claims

The patent has 21 claims; the three independent claims (1, 10 and 16) are reproduced here.

1. A computer-implemented method for authenticating a client, the method comprising:
- issuing a digital certificate from an identity provider server of a single sign on scheme that is signed by the identity provider server to the client;
- authenticating, by the identity provider server, the client redirected from a relying party server of the single sign on scheme by:
  - requesting the digital certificate issued to the client from the client;
  - sending a second digital certificate by the identity provider server to the client, wherein the second digital certificate allows the client to authenticate the identity provider server;
  - receiving the digital certificate from the client;
  - authenticating the client using the received digital certificate; and
  - transmitting a token of authentication to the client by the identity provider server upon authentication of the client.

Dependent claims: 2 to 9.

10. An apparatus comprising:
- an identity provider server of a single sign on scheme to authenticate a client redirected from a relying party server, wherein the identity provider server authenticates the client by:
  - issuing a digital certificate from the identity provider server that is signed by the identity provider server to the client;
  - requesting the digital certificate issued to the client from the client;
  - sending a second digital certificate by the identity provider server to the client, wherein the second digital certificate allows the client to authenticate the identity provider server;
  - receiving the digital certificate from the client;
  - authenticating the client using the received digital certificate; and
  - transmitting a token of authentication to the client by the identity provider server upon authentication of the client.

Dependent claims: 11 to 15.

16. A non-transitory machine-accessible storage medium including data that, when accessed by a machine, cause the machine to perform a method comprising:
- issuing a digital certificate from an identity provider server of a single sign on scheme that is signed by the identity provider server to a client;
- authenticating, by the identity provider server, the client redirected from a relying party server of the single sign on scheme by:
  - requesting the digital certificate issued to the client from the client;
  - sending a second digital certificate by the identity provider server to the client, wherein the second digital certificate allows the client to authenticate the identity provider server;
  - receiving the digital certificate from the client;
  - authenticating the client using the received digital certificate; and
  - transmitting a token of authentication to the client by the identity provider server upon authentication of the client.

Dependent claims: 17 to 21.
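As an added example (not code from the patent, its assignee or any product), here is a Go model of the claimed exchange built on the standard library's x509 and Ed25519 packages: the identity provider issues the client a certificate signed with its own key, later presents its own certificate and a nonce to the redirected client, verifies the returned certificate against itself, and signs a token of authentication. The type and function names, and the signed-nonce proof of possession, are assumptions of this example; the claims state only that the client is authenticated using the received certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// IdP models the identity provider server: it signs client certificates with its own key and mints the token.
type IdP struct {
	Key  ed25519.PrivateKey
	Cert *x509.Certificate // the IdP's own certificate, the "second digital certificate" sent to the client
}

// Issue signs a certificate for pub; ca=true produces the IdP's self-signed certificate, otherwise a client one.
func (i *IdP) Issue(name string, pub ed25519.PublicKey, ca bool) (*x509.Certificate, error) {
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: name}, NotBefore: time.Now().Add(-time.Minute),
		NotAfter: time.Now().Add(time.Hour), IsCA: ca, BasicConstraintsValid: ca,
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, // CertSign is what the root needs
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	parent := i.Cert
	if ca {
		parent = t // self-signed
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, i.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Authenticate runs the IdP side after the redirect: the client returned its certificate plus a signature
// (proof) over the fresh nonce it was challenged with, so nothing replayable crosses the wire (assumed step).
func (i *IdP) Authenticate(cert *x509.Certificate, nonce, proof []byte) ([]byte, error) {
	roots := x509.NewCertPool()
	roots.AddCert(i.Cert) // only certificates the IdP itself issued are acceptable
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return nil, err
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, nonce, proof) {
		return nil, errors.New("proof of possession failed")
	}
	return ed25519.Sign(i.Key, []byte(cert.Subject.CommonName)), nil // token of authentication, signed by the IdP
}
```

The nonce must be generated fresh for each authentication attempt and remembered by the IdP until the answer arrives; the token here is a bare signature over the subject, and a deployable token would also carry an audience and an expiry.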