Secure authentication in browser redirection authentication schemes

US 8,590,027 B2
Filed: 02/05/2007
Issued: 11/19/2013
Est. Priority Date: 02/05/2007
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for authenticating a client, the method comprising:

issuing a digital certificate from an identity provider server of a single sign on scheme that is signed by the identity provider server to the client,authenticating, by the identity provider server, the client redirected from a relying party server of the single sign on scheme by;

requesting the digital certificate issued to the client from the client;

sending a second digital certificate by the identity provider server to the client, wherein the second digital certificate allows the client to authenticate the identity provider server;

receiving the digital certificate from the client;

authenticating the client using the received digital certificate;

andtransmitting a token of authentication to the client by the identity provider server upon authentication of the client.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for authenticating a client is described. In one embodiment, an identity provider server authenticates the client that is redirected from a relying party server. The identity provider server authenticates the client without receiving a replayable credential from the client. Upon authentication of the client, the identity provider server transmits a token of authentication to the client.

14 Citations

View as Search Results

21 Claims

1. A computer-implemented method for authenticating a client, the method comprising:
- issuing a digital certificate from an identity provider server of a single sign on scheme that is signed by the identity provider server to the client,authenticating, by the identity provider server, the client redirected from a relying party server of the single sign on scheme by;
  
  requesting the digital certificate issued to the client from the client;
  
  sending a second digital certificate by the identity provider server to the client, wherein the second digital certificate allows the client to authenticate the identity provider server;
  
  receiving the digital certificate from the client;
  
  authenticating the client using the received digital certificate;
  
  andtransmitting a token of authentication to the client by the identity provider server upon authentication of the client.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 further comprising:
    - generating a key pair, prior to the authenticating the client redirected from the relying party server;
      
      providing a public key of the key pair to the client prior to the authenticating the client redirected from the relying party server, wherein the client encrypts the digital certificate using the public key;
      
      receiving the encrypted digital certificate from the client; and
      
      decrypting the encrypted digital certificate using a private key of the key pair.
  - 3. The method of claim 1 wherein the relying party server receives the token of authentication from the client, and accepts the authentication of the client by the identity provider server.
  - 4. The method of claim 1 wherein authenticating further comprises authenticating the client without receiving a password associated with a username from the client.
  - 5. The method of claim 1 further comprising upon authenticating, receiving a profile configuration for the relying party server from the client, the profile configuration including selected user data to be communicated to the relying party server.
  - 6. The method of claim 5 further comprising transmitting through the client selected user data to the relying party server.
  - 7. The method of claim 1 wherein the client includes a web browser, the web browser communicating with the relying party server and the identity provider server through a network.
  - 8. The method of claim 1 wherein the client initiates a login process with the relying party server.
  - 9. The method of claim 8 wherein the login process includes submitting a Uniform Resource Locator (URL) of the identity provider server.

10. An apparatus comprising:
- an identity provider server of a single sign on scheme to authenticate a client redirected from a relying party server, wherein the identity provider server is authenticates the client by;
  
  issuing a digital certificate from the identity provider server that is signed by the identity provider server to the client;
  
  requesting the digital certificate issued to the client from the client;
  
  sending a second digital certificate by the identity provider server to the client, wherein the second digital certificate allows the client to authenticate the identity provider server;
  
  receiving the digital certificate from the client;
  
  authenticating the client using the received digital certificate;
  
  andtransmitting a token of authentication to the client by the identity provider server upon authentication of the client.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The apparatus of claim 10 wherein the identity provider server further performs:
    - generating a key pair, prior to the identity provider server authenticating the client redirected from the relying party server;
      
      providing a public key of the key pair to the client prior to the authenticating the client redirected from the relying party server, wherein the client encrypts the digital certificate using the public key;
      
      receiving the encrypted digital certificate from the client; and
      
      decrypting the encrypted digital certificate using a private key of the key pair.
  - 12. The apparatus of claim 10 wherein the relying party server receives the token of authentication from the client, and accepts the authentication of the client by the identity provider server.
  - 13. The apparatus of claim 10 wherein the identity provider server to authenticate the client without receiving a password associated with a username from the client.
  - 14. The apparatus of claim 10 wherein the identity provider server upon authenticating the client, to receive a profile configuration for the relying party server from the client, the profile configuration including selected user data to be communicated to the relying party server.
  - 15. The apparatus of claim 14 wherein the identity provider server to transmit through the client the selected user data to the relying party server.

16. A non-transitory machine-accessible storage medium including data that, when accessed by a machine, cause the machine to perform a method comprising:
- issuing a digital certificate from an identity provider server of a single sign on scheme that is signed by the identity provider server to a client,authenticating, by the identity provider server, the client redirected from a relying party server of the single sign on scheme by;
  
  requesting the digital certificate issued to the client from the client;
  
  sending a second digital certificate by the identity provider server to the client, wherein the second digital certificate allows the client to authenticate the identity provider server;
  
  receiving the digital certificate from the client;
  
  authenticating the client using the received digital certificate;
  
  andtransmitting a token of authentication to the client by the identity provider server upon authentication of the client.
- View Dependent Claims (17, 18, 19, 20, 21)
- - 17. The storage medium of claim 16 wherein the method further comprises generating a key pair, prior to the authenticating the client redirected from the relying party server;
    - providing a public key of the key pair to the client prior to the authenticating the client redirected from the relying party server, wherein the client encrypts the digital certificate using the public key;
      
      receiving the encrypted digital certificate from the client; and
      
      decrypting the encrypted digital certificate using a private key of the key pair.
  - 18. The storage medium of claim 16 wherein the relying party server receives the token of authentication from the client, and accepts the authentication of the client by the identity provider server.
  - 19. The storage medium of claim 16 wherein authenticating further comprises authenticating the client without receiving a password associated with a username from the client.
  - 20. The storage medium of claim 16 wherein the method further comprises upon authenticating, receiving a profile configuration for the relying party server from the client, the profile configuration including selected user data to be communicated to the relying party server.
  - 21. The storage medium of claim 16 wherein the method further comprises transmitting through the client the selected user data to the to the relying party server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Hat, Inc. (International Business Machines Corporation)
Original Assignee
Red Hat, Inc. (International Business Machines Corporation)
Inventors
Rowley, Peter Andrew
Primary Examiner(s)
Pwu, Jeffrey
Assistant Examiner(s)
Anderson, Michael D

Application Number

US11/702,773
Publication Number

US 20080189778A1
Time in Patent Office

2,479 Days
Field of Search

None
US Class Current

726/9
CPC Class Codes

H04L 63/0815   providing single-sign-on or...

H04L 63/0823   using certificates cryptogr...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3263   involving certificates, e.g...

H04L 9/3271   using challenge-response

Secure authentication in browser redirection authentication schemes

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

14 Citations

21 Claims

Specification

Use Cases

Quick Links

Others

Secure authentication in browser redirection authentication schemes

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

14 Citations

21 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others