Cross-domain authentication
Abstract
Providing services within a network of service providers sharing an authentication service and a set of business rules. A central server receives a first request from a first server to provide a first service to a user via a client without forcing the user to present credentials. In response to the received first request, the central server stores data identifying the first service on the client. The central server further receives a second request from a second server to provide a second service to the user via the client after the user presents the credentials to the second service. After receiving the second request and the presented credentials, the central server allows the user access to the second service. In response to allowing the user access to the second service, the central server further allows the user access to the first service as a result of the stored data.
20 Claims
1. A method for providing a first service and a second service to a user via a client being coupled to a data communication network, said first service being provided by a first network server also being coupled to the data communication network, said second service being provided by a second network server also being coupled to the data communication network, said method comprising:
- receiving a first request from the first network server to provide the first service in a first domain to the user, said user not authenticated for the first service and not authenticated for the second service when the first request is received;
- storing first data on the client in response to the received first request, said first data identifying that the first service desires to authenticate the user, said first data stored on the client further identifying that the user is not authenticated for the first service, and not authenticated for the second service when the first data is stored;
- allowing the user to access the first service without authenticating the user, during which the user continues to be unauthenticated for the first service and unauthenticated for the second service, said first service not receiving an authentication ticket and profile information associated with the user and said user not authenticated for the first service;
- receiving a second request from the second network server to provide the second service, which is in a second domain which is different than the first domain, to the user, wherein the second service requires authentication of the user, wherein the user is not authenticated for the first service and wherein the first service does not have an authentication ticket and profile information associated with the user;
- authenticating the user for the second service in response to the received second request;
- allowing the user access to the second service in response to authenticating the user for the second service, wherein the user is not authenticated for the first service and wherein the first service does not have an authentication ticket and profile information associated with the user;
- generating, in response to authenticating the user for the second service, an authentication ticket and profile information associated with the user, said generated authentication ticket and profile information communicated to the second service, said user not authenticated for the first service and said first service not having an authentication ticket and profile information associated with the user;
- in response to the authentication of the user for the second service and in response to the generated authentication ticket and profile information communicated to the second service, authenticating the user for the first service identified in the stored first data;
- communicating, in response to the authentication of the user for the first service, the generated authentication ticket and profile information to the first service; and
- updating the stored first data identifying that the user is authenticated for the first service and further identifying that the user is authenticated for the second service.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.
10. A system for providing services to a user, said system comprising:
- a first network server coupled to a data communication network, said first network server being configured to provide to a user a first offering of a first service, which does not require authentication of the user, and to provide to the user a second offering of the first service which requires authentication of said user, said first service being provided via a client coupled to the data communications network;
- a client storing first data in response to a first request from the first service, said first data identifying that the first service desires to authenticate the user, said first data stored on the client further identifying that the user is not authenticated for the first service;
- a second network server coupled to the data communication network, said second network server being configured to provide a second service to the user via the client, said second service requiring authentication of the user for the user is not authenticated for the second service when the first data is stored on the client; and
- a central server coupled to the data communication network, said central server being configured to receive a first request from the first network server to provide a second request from the second network server to provide the second offering of the first service to the user without authenticating the user when said first request is for at least a portion of the first offering of the first service, and to provide a service to the user after authenticating the user;
- said first network server being configured to direct the first request to the central server, said central server further being configured to generate and store first data on the client in response to receiving the first request, said first data identifying the first service, the user not authenticated for the first offering of the first service and not authenticated for the second service, said first service allowing the user to access the first offering of the first service without authenticating the user and forbidding the user to access the second offering of the first service, during which the user continues to be unauthenticated for the first service and unauthenticated for the second service;
- said second network server being configured to direct the second request to the central server, said second service requiring authentication of the user, the central server being configured to allow the user access to the second service after an authentication ticket and profile information associated with the user is provided to said second service and a database having a unique identifier and the profile information corresponding to the user is used to authenticate the user for the second service in response to the received second request, the authenticated user being subsequently allowed to use the second service for a predefined period of time; and
- the central server being configured to authenticate the user for the first offering and for the second offering of the first service identified in the stored first data in response to authentication of the user by the second request.

Dependent claims: 11, 12, 13, 14.
15. A system for providing services to a user, said system comprising:
- a first network server coupled to a data communication network, said first network server being configured to provide a first service to a user via a client that is also coupled to the data communication network, said first service requiring authentication of the user;
- a second network server coupled to the data communication network, said second network server being configured to provide a second service to the user via the client;
- a central server coupled to the data communication network, said central server being configured to receive a first request from the first network server to provide the first service to the user, and a second request from the second network server to provide the second service to the user; and
- a database associated with the central server, said database configured to store first data identifying that the first service desires to authenticate the user and an identification corresponding to the user to be authenticated, wherein the first data identifies that said user is not authenticated for the first service and not authenticated for the second service, said database providing said identification to the central server to allow the central server to authenticate the user, said database being further configured to store information identifying a first policy group associated with the first service and a second policy group associated with the second service, said identification comprising one or more of the following: an email address and password, a login identifier (ID) and password, a phone number and Personal Identification Number (PIN), and a biometric signature of the user, said identification associated with a user profile of the user, said user profile comprising one or more of the following: email address, first name, last name, country, region, state, territory, ZIP code, postal code, language preference, time zone, gender, birth date, occupation, one or more telephone numbers, credit card information, billing addresses, shipping addresses, passwords, PINs, secret question-answer pairs, clothing sizes and music preferences;
- said first policy group defining a shared set of business rules to restrict authentication of a user across different domains and said second policy group defining a shared set of business rules to restrict authentication of a user across different domains;
- the central server being configured to allow the user access to the first service and to generate and store first data on the client based on the stored information identifying the first policy group associated with the first service in response to the received first request, said first data identifying the first policy group associated with the first service, the central server authenticating the user for the first service in response to the received first request, the user being allowed to use the first service for a predefined period of time;
- the central server being configured to allow the user access to the second service in response to the received second request if the second policy group identified by the stored information identifying the second policy group associated with the second service is the same as the first policy group identified by the stored first data, the user being authenticated by the central server for the second service in response to the received second request, in response to the authentication of the user for the second service an authentication ticket is generated and profile information associated with the user is provided to said second service; and
- the central server being configured to update the stored first data stored on the client to identify the second service in response to the received second request if the second policy group identified by the stored information identifying the second policy group associated with the second service is not the same as the first policy group identified by the stored first data, and the central server being configured to allow the unauthenticated user to access the second service, during which the user continues to be unauthenticated for the second service.

Dependent claims: 16, 17, 18, 19, 20.
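The following is an added model of the central-server behaviour in claims 1 and 15, not code from the patent or any implementation of it. It treats the "first data" as a per-client record of pending and authenticated services, issues one ticket and profile on a successful credential check, and hands that same ticket to every pending service in the same policy group; services in a different policy group stay unauthenticated. All service names, users, the policy-group table and the hashing scheme are constructed for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

# Constructed data for the example; every name here is this example's own.
def _h(pw): return hashlib.sha256(pw.encode()).hexdigest()
USERS = {"alice": (_h("correct horse"), {"first_name": "Alice", "country": "US"})}
POLICY_GROUPS = {"news.example": "shared", "shop.example": "shared", "bank.example": "isolated"}

@dataclass
class ClientData:                 # the "first data" the central server stores on the client
    pending: set = field(default_factory=set)        # services that want the user authenticated
    authenticated: set = field(default_factory=set)  # services the user is authenticated for

@dataclass
class Ticket:                     # authentication ticket plus the profile information it carries
    user: str
    token: str
    profile: dict

class CentralServer:
    def __init__(self, users=USERS, policy_groups=POLICY_GROUPS):
        self.users, self.policy_groups = users, policy_groups
        self.delivered = {}       # service -> Ticket it has received, if any

    def first_request(self, client, service):
        """Claim 1 step 1: the service admits the unauthenticated user; record that it wants auth."""
        if service not in client.authenticated:
            client.pending.add(service)
        return "allow"

    def second_request(self, client, service, login, password):
        """Claim 1 steps 2-4: the service requires auth; verify credentials, issue ticket and
        profile, then authenticate each pending service that shares this service's policy group."""
        rec = self.users.get(login)
        if rec is None or not secrets.compare_digest(rec[0], _h(password)):
            return "deny"                      # failed login: client record is left unchanged
        ticket = Ticket(login, secrets.token_urlsafe(16), rec[1])
        self.delivered[service] = ticket
        client.authenticated.add(service)
        group = self.policy_groups.get(service)
        for pending in list(client.pending):
            if self.policy_groups.get(pending) == group:   # claim 15's policy-group rule
                self.delivered[pending] = ticket            # same ticket and profile as above
                client.pending.discard(pending)
                client.authenticated.add(pending)           # "updating the stored first data"
        return "allow"

def demo():
    server, client = CentralServer(), ClientData()
    server.first_request(client, "news.example")          # browsed without credentials
    server.first_request(client, "bank.example")          # different policy group, stays pending
    server.second_request(client, "shop.example", "alice", "correct horse")
    return server, client
```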