Cross-domain authentication

US 8,689,311 B2
Filed: 03/30/2011
Issued: 04/01/2014
Est. Priority Date: 03/10/2004
Status: Active Grant

First Claim

Patent Images

1. A method for providing a first service and a second service to a user via a client being coupled to a data communication network, said first service being provided by a first network server also being coupled to the data communication network, said second service being provided by a second network server also being coupled to the data communication network, said method comprising:

receiving a first request from the first network server to provide the first service in a first domain to the user, said user not authenticated for the first service and not authenticated for the second service when the first request is received;

storing first data on the client in response to the received first request, said first data identifying that the first service desires to authenticate the user, said first data stored on the client further identifying that the user is not authenticated for the first service, and not authenticated for the second service when the first data is stored;

allowing the user to access the first service without authenticating the user during which the user continues to be unauthenticated for the first service and unauthenticated for the second service, said first service not receiving an authentication ticket and profile information associated with the user and said user not authenticated for the first service;

receiving a second request from the second network server to provide the second service, which is in a second domain which is different than the first domain, to the user wherein the second service requires authentication of the user, wherein the user is not authenticated for the first service and wherein the first service does not have an authentication ticket and profile information associated with the user;

authenticating the user for the second service in response to the received second request;

allowing the user access to the second service in response to authenticating the user for the second service wherein the user is not authenticated for the first service and wherein the first service does not have an authentication ticket and profile information associated with the user;

generating, in response to authenticating the user for the second service, an authentication ticket and profile information associated with the user, said generated authentication ticket and profile information communicated to the second service, said user not authenticated for the first service and said first service not having an authentication ticket and profile information associated with the user;

in response to the authentication of the user for the second service and in response to the generated authentication ticket and profile information communicated to the second service, authenticating the user for the first service identified in the stored first data;

communicating, in response to the authentication of the user for the first service, the generated authentication ticket and profile information to the first service; and

updating the stored first data identifying that the user is authenticated for the first service and further identifying that the user is authenticated for the second service.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Providing services within a network of service providers sharing an authentication service and a set of business rules. A central server receives a first request from a first server to provide a first service to a user via a client without forcing the user to present credentials. In response to the received first request, the central server stores data identifying the first service on the client. The central server further receives a second request from a second server to provide a second service to the user via the client after the user presents the credentials to the second service. After receiving the second request and the presented credentials, the central server allows the user access to the second service. In response to allowing the user access to the second service, the central server further allows the user access to the first service as a result of the stored data.

146 Citations

20 Claims

1. A method for providing a first service and a second service to a user via a client being coupled to a data communication network, said first service being provided by a first network server also being coupled to the data communication network, said second service being provided by a second network server also being coupled to the data communication network, said method comprising:
- receiving a first request from the first network server to provide the first service in a first domain to the user, said user not authenticated for the first service and not authenticated for the second service when the first request is received;
  
  storing first data on the client in response to the received first request, said first data identifying that the first service desires to authenticate the user, said first data stored on the client further identifying that the user is not authenticated for the first service, and not authenticated for the second service when the first data is stored;
  
  allowing the user to access the first service without authenticating the user during which the user continues to be unauthenticated for the first service and unauthenticated for the second service, said first service not receiving an authentication ticket and profile information associated with the user and said user not authenticated for the first service;
  
  receiving a second request from the second network server to provide the second service, which is in a second domain which is different than the first domain, to the user wherein the second service requires authentication of the user, wherein the user is not authenticated for the first service and wherein the first service does not have an authentication ticket and profile information associated with the user;
  
  authenticating the user for the second service in response to the received second request;
  
  allowing the user access to the second service in response to authenticating the user for the second service wherein the user is not authenticated for the first service and wherein the first service does not have an authentication ticket and profile information associated with the user;
  
  generating, in response to authenticating the user for the second service, an authentication ticket and profile information associated with the user, said generated authentication ticket and profile information communicated to the second service, said user not authenticated for the first service and said first service not having an authentication ticket and profile information associated with the user;
  
  in response to the authentication of the user for the second service and in response to the generated authentication ticket and profile information communicated to the second service, authenticating the user for the first service identified in the stored first data;
  
  communicating, in response to the authentication of the user for the first service, the generated authentication ticket and profile information to the first service; and
  
  updating the stored first data identifying that the user is authenticated for the first service and further identifying that the user is authenticated for the second service.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the stored first data indicates a policy group associated with the first service, and further comprising allowing, in response to allowing the user access to the second service, the user access to the first service prior to authenticating the user for the first service if the second service is associated with the policy group indicated by the stored first data.
  - 3. The method of claim 2, further comprising sharing, by members of the policy group, a set of business rules, said set of business rules comprising a privacy policy.
  - 4. The method of claim 1 wherein said receiving the first request comprises receiving the first request from a first network server via an image tag.
  - 5. The method of claim 1, further comprising storing second data on the client in response to the received first request, said second data being issued by the first network server to indicate that the first network server has requested to provide the first service to the user.
  - 6. The method of claim 5, further comprising storing the first data and the second data as cookies on the client.
  - 7. The method of claim 5, further comprising receiving a subsequent visit at the first network server by the user, the first network server being adapted not to request to provide the first service to the user if the second data is stored on the client.
  - 8. The method of claim 5, wherein the stored first data indicates a policy group associated with the first service, and further comprising deleting the second data from the client in response to allowing the user access to the second service if the second service is associated with the policy group indicated by the stored first data.
  - 9. The method of claim 8, said deleting further comprising rendering a web page to the client, said web page including an image tag directing the client to a script of the second service, said script adapted to delete the second data from the client.

10. A system for providing services to a user, said system comprising:
- a first network server coupled to a data communication network, said first network server being configured to provide to a user a first offering of a first service, which does not require authentication of the user, and to provide to the user a second offering of the first service which requires authentication of said user, said first service being provided via a client coupled to the data communications network;
  
  a client storing first data in response to a first request from the first service, said first data identifying the first service desires to authenticate the user, said first data stored on the client further identifying that the user is not authenticated for the first service;
  
  a second network server coupled to the data communication network, said second network server being configured to provide a second service to the user via the client, said second service requiring authentication of the user for the user is not authenticated for the second service when the first data is stored on the client; and
  
  a central server coupled to the data communication network, said central server being configured to receive a first request from the first network server to provide a second request from the second network server to provide the second offering of the first service to the user without authenticating the user when said first request is, for at least a portion of the first, offering of the first service, and to provide a service to the user after authenticating the user;
  
  said first network server being configured to direct the first request to the central server, said central server further being configured to generate and store first data on the client in response to receiving the first request, said first data identifying the first service, the user not authenticated for the first offering of the first service and not authenticated for the second service, said first service allowing the user to access the first offering of the first service without authenticating the user and forbidding the user to access the second offering of the first service, during which the user continues to be unauthenticated for the first service and unauthenticated for the second service,said second network server being configured to direct the second request to the central server, said second service requiring authentication of the user,the central server being configured to allow the user access to the second service after an authentication ticket and profile information associated with the user is provided to said second service and a database having a unique identifier and the profile information corresponding to the user is used to authenticate the user for the second service in response to the received second request, the authenticated user being subsequently allowed to use the second service for a predefined period of time, andthe central server being configured to authenticate the user for the first offering and for the second offering of the first service identified in the stored first data in response to authentication of the user by the second request.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The system of claim 10, wherein the first network server and the second network server are configured to communicate the first request and the second request to the central server via an image tag.
  - 12. The system of claim 11, further comprising a database associated with the central server, said database configured to store an identification corresponding to the user to be authenticated, said database providing said identification to the central server to allow the central server to authenticate the user, said database being further configured to store information identifying a first policy group associated with the first service and a second policy group associated with the second service, the first policy group defining a shared set of business rules to restrict authentication of a user across different domains and the second policy group defines a shared set of business rules to restrict authentication of a user across different domains,the second network server being configured to generate and store second data on the client if the second policy group identified by the stored information identifying the second policy group associated with the second service is not the same as the first policy group identified by the stored first data, said second data indicating that the second network server has communicated the second request to the central server, said second request indicating a desire of the second network server to provide the second service to the user, andthe second network server being configured, on a subsequent visit to the second network server by the user, to not direct a request to the central server to provide the second service to the user if the second data is stored on the client.
  - 13. The system of claim 12, wherein the updated first data further identifies the second policy group associated with the second service.
  - 14. The system of claim 13, further comprising:
    - a third network server coupled to the data communication network, said third network server being configured to provide a third service to the user via the client, said central server being further configured to receive a third request from the third network server to provide the third service to the user and to authenticate the user for access to the third service in response to the received third request,the stored information identifying the third policy group associated with the third service further identifying a third policy group associated with the third service, the third policy group defining a shared set of business rules to restrict authentication of a user across different domains, andthe central server being configured to allow the user access to the second service on a subsequent visit to the second network server if the user has been authenticated and if the third policy group identified by the stored information identifying the third policy group associated with the third service is the same as the second policy group identified by the updated first data.

15. A system for providing services to a user, said system comprising:
- a first network server coupled to a data communication network, said first network server being configured to provide a first service to a user via a client that is also coupled to the data communication network, said first service requiring authentication of the user;
  
  a second network server coupled to the data communication network, said second network server being configured to provide a second service to the user via the client;
  
  a central server coupled to the data communication network, said central server being configured to receive a first request from the first network server to provide the first service to the user, and a second request from the second network server to provide the second service to the user; and
  
  a database associated with the central server, said database configured to store first data identifying that the first service desires to authenticate the user and an identification corresponding to the user to be authenticated wherein the first data identifying said user is not authenticated for the first service and not authenticated for the second service, said database providing said identification to the central server to allow the central server to authenticate the user, said database being further configured to store information identifying a first policy group associated with the first service and a second policy group associated with the second service, said identification comprising one or more of the following;
  
  an email address and password, a login identifier (ID) and password, a phone number and Personal Identification Number (PIN), and a biometric signature of the user, said identification associated with a user profile of the user, said user profile comprising one or more of the following;
  
  email-address, first name, last name, country, region, state, territory, ZIP code, postal code, language preference, time zone, gender, birth date, occupation, one or more telephone numbers, credit card information, billing addresses, shipping addresses, passwords, PINS, secret question-answer pairs, clothing sizes and music preferences, said first policy group defining a shared set of business rules to restrict authentication of a user across different domains and said second policy group defining a shared set of business rules to restrict authentication of a user across different domains,the central server being configured to allow the user access to the first service and to generate and store first data on the client based on the stored information identifying the first policy group associated with the first service in response to the received first request, said first data identifying the first policy group associated with the first service, the central server authenticating the user for the first service in response to the received first request, the user being allowed to use the first service for a predefined period of time,the central server being configured to allow the user access to the second service in response to the received second request if the second policy group identified by the stored information identifying the second policy group associated with the second service is the same as the first policy group identified by the stored first data, the user being authenticated by the central server for the second service in response to the received second request, in response to the authentication of the user for the second service an authentication ticket is generated and profile information associated with the user is provided to said second service, the central server being configured to update the stored first data stored on the client to identify the second service in response to the received second request if the second policy group identified by the stored information identifying the second policy group associated with the second service is not the same as the first policy group identified by the stored first data, and the central server being configured to allow the unauthenticated user to access the second service during which the user continues to be unauthenticated for the second service.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, wherein the second network server is configured to generate and store second data on the client if the second policy group identified by the stored information identifying the second policy group associated with the second service is not the same as the first policy group identified by the stored first data, said second data indicating that the second network server has communicated the second request to the central server, said second request indicating a desire of the second network server to provide the second service to the user, andthe second network server being configured not to direct a request to the central server to provide the second service to the user on a subsequent visit to the second network server by the user if the second data is stored on the client.
  - 17. The system of claim 15, wherein the updated first data further identifies the second policy group associated with the second service.
  - 18. The system of claim 17, further comprising:
    - a third network server coupled to the data communication network, said third network server being configured to provide a third service to the user via the client,said central server being further configured to receive a third request from the third network server to provide the third service to the user and to authenticate the user for access to the third service in response to the received third request,the stored information identifying the third policy group associated with the third service further identifying a third policy group associated with the third service, the third policy group defining a shared set of business rules to restrict authentication of a user across different domains, andthe central server being configured to allow the user access to the second service on a subsequent visit to the second network server if the user has been authenticated and if the third policy group identified by the stored information identifying the third policy group associated with the third service is the same as the second policy group identified by the updated first data.
  - 19. The system of claim 18, wherein the second network server is configured to generate and store second data on the client if the second policy group identified by the stored information identifying the second policy group associated with the second service is not the same as the first policy group identified by the stored first data, said second data indicating that the second network server has communicated the second request to the central server, said second request indicating a desire of the second network server to provide the second service to the user, and the second network server being configured not to direct a request to the central server to provide the second service to the user on a subsequent visit to the second network server by the user if the second data is stored on the client.
  - 20. The system of claim 15, wherein the first network server and the second network server are configured to communicate the first request and the second request to the central server via an image tag.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Blinn, Arnold N., Guo, Wei-Quiang Michael, Jiang, Wei, Perumal, Raja Pazhanivel, Calinov, Iulian D.
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
SHAIFER HARRIMAN, DANT B

Application Number

US13/076,164
Publication Number

US 20110179469A1
Time in Patent Office

1,098 Days
Field of Search

726/9, 726/10
US Class Current

726/10
CPC Class Codes

G06F 21/41   where a single sign-on prov...

H04L 63/08   for authentication of entit...

H04L 63/0815   providing single-sign-on or...

H04L 63/168   above the transport layer

H04L 63/20   for managing network securi...

Cross-domain authentication

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

146 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Cross-domain authentication

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

146 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others