Authentication

US 8,683,565 B2
Filed: 05/02/2007
Issued: 03/25/2014
Est. Priority Date: 05/03/2006
Status: Expired due to Fees

First Claim

Patent Images

1. A method comprising:

obtaining access for a user to an external service in a networked environment, wherein the user has access to a client that is capable of communicating with a home server of an organization in a first domain and with a foreign server in a second domain, the second domain being different from the first domain by;

detecting a request of the client in the home server;

maintaining in the home server, a shared secret common to the organization in the first domain and the external service, and an authentication script;

identifying in the home server, a pointer to the authentication script in the request;

responsive to the request, performing, in the home server, by the authentication script;

obtaining at least one detail related to the user, comprising an identifier that specifies the user within the organization;

passing, without intervention from the client, the at least one detail and the shared secret or a derivative of the shared secret from the home server to the foreign server;

receiving in the home server, without intervention from the client, redirecting information from the foreign server;

forming in the home server, based on the request and the redirecting information, a response to the client, the response being configured to redirect the client to a temporary address at which the client can obtain access data to the external service; and

sending the response from the home server to the client.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

User authentication is based on a home network user database that authenticates users to external service providers. A user logs into home network and starts accessing the external service by clicking on a link labelled for the external service provider. The link is directed to script at a home server. The script causes the home server to obtain details related to the user from a home network user database. The home server passes information related to the user to a foreign server associated with the service provider. Based on the passed information, the foreign server grants or denies authentication of the user to the external service. If granting, the foreign server provides the home server with access data and the home server forwards the access data to the user so that the user can initialize an authorized external service session using the access data.

26 Citations

View as Search Results

27 Claims

1. A method comprising:
- obtaining access for a user to an external service in a networked environment, wherein the user has access to a client that is capable of communicating with a home server of an organization in a first domain and with a foreign server in a second domain, the second domain being different from the first domain by;
  
  detecting a request of the client in the home server;
  
  maintaining in the home server, a shared secret common to the organization in the first domain and the external service, and an authentication script;
  
  identifying in the home server, a pointer to the authentication script in the request;
  
  responsive to the request, performing, in the home server, by the authentication script;
  
  obtaining at least one detail related to the user, comprising an identifier that specifies the user within the organization;
  
  passing, without intervention from the client, the at least one detail and the shared secret or a derivative of the shared secret from the home server to the foreign server;
  
  receiving in the home server, without intervention from the client, redirecting information from the foreign server;
  
  forming in the home server, based on the request and the redirecting information, a response to the client, the response being configured to redirect the client to a temporary address at which the client can obtain access data to the external service; and
  
  sending the response from the home server to the client.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. A method according to claim 1, wherein the at least one detail comprises one or more particulars from a user profile of the home server.
  - 3. A method according to claim 2, wherein the request comprises a Universal Resource Indicator (URI) or a Universal Resource Locator (URL).
  - 4. A method according to claim 2, wherein the foreign server creates and maintains user profiles based on the at least one detail.
  - 5. A method according to claim 2, wherein the obtaining of the at least one detail comprises accessing a database of personnel or members.
  - 6. A method according to claim 2, wherein the redirection information comprises an address to the foreign server.
  - 7. A method according to claim 1, wherein the access data is configured to enable the client to access the external service without intervention of the home server.

8. A home server of an organization, wherein the home server is in a first domain and configured for obtaining access for a user to an external service in a networked environment wherein the user has access to a client, the client being configured to communicate with the home server and with a foreign server in a second domain, the first domain being different from the second domain, the home server comprising:
- a processor configured to detect a request of the client;
  
  a memory for storing a shared secret common to the organization and the external service, and an authentication script;
  
  the processor being configured to identify in the request, a pointer to the authentication script; and
  
  , responsive to the request, to perform by the authentication script;
  
  obtaining at least one detail related to the user, comprising an identifier that specifies the user within the organization;
  
  passing from the home server, without intervention from the client, the at least one detail and the shared secret or a derivative of the shared secret to the foreign server;
  
  receiving from the foreign server, in the home server without intervention from the client, redirecting information;
  
  forming in the home server, based on the request and the redirecting information, a response to the client, the response being configured to redirect the client to a temporary address at which the client can obtain access data to the external service; and
  
  sending the response from the home server to the client.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. A home server according to claim 8, wherein the at least one detail comprises hashed derivative information.
  - 10. A home server according to claim 8, wherein the request comprises a Universal Resource Indicator (URI) or a Universal Resource Locator (URL).
  - 11. A home server according to claim 8, wherein the obtaining of the at least one detail comprises accessing a database of personnel or members.
  - 12. A home server according to claim 11, wherein the redirection information comprises an address to the foreign server.
  - 13. A home server according to claim 8, wherein the access data is configured to enable the client to access the external service without intervention of the home server.

14. A method wherein access is provided for a user to an external service in a networked environment wherein the user has access to a client that is capable of communicating with a home server in a first domain and with a foreign server in a second domain, the first domain being different from the second domain, wherein the home server is associated with a given organization, the method comprising:
- receiving from the home server without intervention from the client, in a memory of the foreign server, triggered by a request from the client to the home server;
  
  a) a shared secret common to the organization and the external service or a derivative of the shared secret; and
  
  b) at least one detail related to the user, comprising an identifier that specifies the user within the organization;
  
  responsive to the receiving of the shared secret and the at least one detail,determining in a processor of the foreign server the organization associated with the home server, based on the shared secret; and
  
  responsively to a positive determination, the foreign server;
  
  providing the home server with redirecting information configured to enable the home server to provide the client with a response configured to redirect the client to a temporary address;
  
  establishing access data that enables the client to access the external service; and
  
  responsively to the client accessing the temporary address, providing the client with the access data.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. A method according to claim 14, further comprising generating a temporary address for the user and containing the temporary address in the redirecting information.
  - 16. A method according to claim 15, further comprising detecting an access communication from the client to the temporary address and responsively performing the establishing of the access data and of an authenticated session with the client.
  - 17. A method according to claim 14, wherein the foreign server creates and maintains user profiles based on the at least one detail.
  - 18. A method according to claim 17, wherein the foreign server derives the user profiles based on the at least one detail using a rule specific to the organization of the user.
  - 19. A method according to claim 14, wherein the access data is configured to enable the client to access the external service without intervention of the home server.

20. A foreign server configured for providing access for a user to an external service in a networked environment wherein the user has access to a client that is capable of communicating with a home server in a first domain and with the foreign server in a second domain, the first domain being different from the second domain, wherein the home server is associated with a given organization, the foreign server comprising:
- an input and an output configured to respectively receive and output data;
  
  a processor configured to receive using the input from the home server, without intervention from the client;
  
  a) a shared secret common to the organization and the external service or a derivative of the shared secret; and
  
  b) at least one detail related to the user, comprising an identifier that specifies the user within the organization;
  
  responsive to the receiving of the shared secret and the at least one detail,the processor being further configured to determine the organization associated with the home server, based on the shared secret; and
  
  the processor being further configured to provide the home server with redirecting information configured to enable the home server to provide the client with a response configured to redirect the client to a temporary address;
  
  the processor being further configured to establish access data that enables the client to access the external service, responsively to a positive determination; and
  
  the processor being further configured to, responsively to the client accessing the temporary address, provide the client with the access data.
- View Dependent Claims (21, 22, 23, 24, 25)
- - 21. A foreign server according to claim 20, the processor being further configured to generate a temporary address for the user and to contain the temporary address in the redirecting information.
  - 22. A foreign server according to claim 21, the processor being further configured to detect an access communication from the client to the temporary address and to responsively perform the establishing of the access data and of an authenticated session with the client.
  - 23. A foreign server according to claim 20, the processor being further configured to create and maintain user profiles based on the at least one detail.
  - 24. A foreign server according to claim 23, the processor being further configured to derive the user profiles based on the at least one detail using a rule specific to the organization of the user.
  - 25. A foreign server according to claim 20, wherein the access data is configured to enable the client to access the external service without intervention of the home server.

26. A computer program comprising computer executable program code stored in a non-transitory computer readable medium, the computer executable program code, when executed in a processor, being configured to control a home server of an organization in a first domain to obtain access for a user to an external service in a networked environment wherein the user has access to a client that is capable of communicating with the home server and with a foreign server in a second domain, the first domain being different from the second domain, the computer program comprising computer executable program code configured when run by the home server to:
- detect a request of the client;
  
  maintain a shared secret common to the organization and the external service, and an authentication script;
  
  identify in the request a pointer to an authentication script; and
  
  responsive to the request, execute the authentication script to;
  
  obtain at least one detail related to the user, comprising an identifier that specifies the user within the organization;
  
  pass the at least one detail and the shared secret or a derivative of the shared secret from the home server to the foreign server, without intervention from the client;
  
  receive in the home server, without intervention from the client, redirecting information from the foreign server;
  
  form in the home server, based on the request and the redirecting information, a response to the client, the response being configured to redirect the client to a temporary address at which the client can obtain access data to the external service; and
  
  send the response from the home server to the client.

27. A computer program comprising computer executable program code stored in a non-transitory computer readable medium, the computer executable program code, when executed in a processor, being configured to control a foreign server in a first domain to provide access for a user to an external service in a networked environment wherein the user has access to a client that is capable of communicating with a home server and with the foreign server, wherein the home server is associated with a given organization in a second domain, the first domain being different from the second domain, the computer program comprising computer executable program code configured when run by the foreign server to:
- receive in the foreign server from the home server, without intervention from the client, triggered by a request from the client to the home server;
  
  a) a shared secret common to the organization and the external service or a derivative of the shared secret; and
  
  b) at least one detail related to the user, comprising an identifier that specifies the user within the organization;
  
  responsive to the receiving of the shared secret and the at least one detail,determine the organization associated with the home server, based on the shared secret; and
  
  responsively to a positive determination;
  
  provide the home server with redirecting information configured to enable the home server to provide the client with a response configured to redirect the client to a temporary address;
  
  establish access data from the foreign server that enables the client to access the external service; and
  
  responsively to the client accessing the temporary address, provide the client with the access data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emillion Oy
Original Assignee
Emillion Oy
Inventors
Backlund, Kjell
Primary Examiner(s)
Colin, Carl
Assistant Examiner(s)
ZAIDI, SYED A

Application Number

US12/299,021
Publication Number

US 20100024019A1
Time in Patent Office

2,519 Days
Field of Search

726/7
US Class Current

726/7
CPC Class Codes

G06F 21/335   for accessing specific reso...

G06F 21/41   where a single sign-on prov...

H04L 63/083   using passwords cryptograph...

H04L 63/107   wherein the security polici...

Authentication

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

26 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Authentication

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

26 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links