Methods and systems for completing, by a single-sign on component, an authentication process in a federated environment to a resource not supporting federation

US 8,813,203 B2
Filed: 09/04/2012
Issued: 08/19/2014
Est. Priority Date: 10/20/2006
Status: Active Grant

First Claim

Patent Images

1. A system for facilitating distributed authentication comprising:

a client machine, in a first domain that comprises a federated environment, receiving, from a user, a first set of authentication credentials;

an intermediate machine in a second domain that comprises the federated environment, authenticating the user responsive to receiving the first set of authentication credentials and generating a second set of authentication credentials, the second set of authentication credentials different from the first set of authentication credentials;

a first server in the second domain, authenticating the user responsive to the second set of authentication credentials generated by the intermediate machine;

a password management program comprising a single sign-on component and, executing on the first server, retrieving a third set of authentication credentials associated with the user responsive to the authentication of the user by the first server in the federated environment, retrieving a cryptographic key using the second set of authentication credentials, and decrypting the third set of authentication credentials using the cryptographic key; and

a second server outside the federated environment, authenticating the user, to grant access to a resource outside the federated environment and stored on a computing device other than the client machine, responsive to receiving, from the password management program, the third set of authentication credentials.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for distributed authentication includes a client machine, in a first domain in a federation, that receives from a user a first set of authentication credentials. The system also includes an intermediate machine in a second domain in the federation, a server, also in the second domain, a password management program executing on the server and a non-federated resource. The intermediate machine authenticates the user responsive to receiving the first set of authentication credentials and identifies a second set of authentication credentials. The server in the second domain authenticates the user, responsive to the second set of authentication credentials. The password management program, executing on the server, retrieves a third set of authentication credentials associated with the user. The non-federated resource authenticates the user, responsive to receiving, from the password management program, the third set of authentication credentials.

Citations

11 Claims

1. A system for facilitating distributed authentication comprising:
- a client machine, in a first domain that comprises a federated environment, receiving, from a user, a first set of authentication credentials;
  
  an intermediate machine in a second domain that comprises the federated environment, authenticating the user responsive to receiving the first set of authentication credentials and generating a second set of authentication credentials, the second set of authentication credentials different from the first set of authentication credentials;
  
  a first server in the second domain, authenticating the user responsive to the second set of authentication credentials generated by the intermediate machine;
  
  a password management program comprising a single sign-on component and, executing on the first server, retrieving a third set of authentication credentials associated with the user responsive to the authentication of the user by the first server in the federated environment, retrieving a cryptographic key using the second set of authentication credentials, and decrypting the third set of authentication credentials using the cryptographic key; and
  
  a second server outside the federated environment, authenticating the user, to grant access to a resource outside the federated environment and stored on a computing device other than the client machine, responsive to receiving, from the password management program, the third set of authentication credentials.
- View Dependent Claims (2, 3)
- - 2. The system of claim 1, wherein the federated environment comprises a set of entities having a pre-established trust relationship with each other and within which a common set of authentication credentials, known as the federated identity, is valid.
  - 3. The system of claim 1, wherein one or more of the authentication credentials are selected from a group consisting of a user id-password pair, a smart card certificate, a smart card personal identification number (PIN), a Kerberos authentication credential, a biometric authentication mechanism and a Data Protection Application Programming Interface (DPAPI).

4. A method for facilitating distributed authentication, the method comprising the steps of:
- receiving, by a client machine in a first domain in a federated environment, from a user, a first set of authentication credentials;
  
  authenticating the user, by an intermediate machine in a second domain, responsive to receiving the first set of authentication credentials;
  
  generating, by the intermediate machine, a second set of authentication credentials, the second set of authentication credentials different from the first set of authentication credentials;
  
  authenticating, by a first server in the second domain of the federated environment, the user, responsive to the second set of authentication credentials generated by the intermediate machine;
  
  retrieving, by a password management program executing on the first server, a third set of authentication credentials associated with the user, the password management program comprising a single sign-on component;
  
  retrieving, by the password manager, a cryptographic key using the second set of authentication credentials;
  
  decrypting, by the password manager, the third set of authentication credentials using the cryptographic key; and
  
  authenticating, by a second server outside the federated environment, the user, to grant access to a resource outside the federated environment and stored on a computing device other than the client machine, responsive to receiving, from the password management program, the third set of authentication credentials.
- View Dependent Claims (5, 6, 7)
- - 5. The method of claim 4, wherein the first server retrieves the second set of authentication credentials from the second server identified by the intermediate machine.
  - 6. The method of claim 4, wherein the first server in the second domain of the federated environment, retrieves the second set of authentication credentials from the second server identified by a second intermediate machine in communication with the intermediate machine.
  - 7. The method of claim 4, wherein one or more of the authentication credentials are selected from a group consisting of a user id-password pair, a smart card certificate, a smart card personal identification number (PIN), a Kerberos authentication credential, a biometric authentication mechanism and a Data Protection Application Programming Interface (DPAPI).

8. A system for facilitating distributed authentication comprising:
- means, in a first domain in a federation, for receiving, from a user, a first set of authentication credentials;
  
  means, in a second domain of the federation, for authenticating the user responsive to receiving the first set of authentication credentials;
  
  means, in the second domain, for generating a second set of authentication credentials, the second set of authentication credentials different from the first set of authentication credentials;
  
  first server means in the second domain of the federation for authenticating the user responsive to the second set of authentication credentials generated by an intermediate machine;
  
  password management program, comprising a single sign-on component and executing on the first server, retrieving a third set of authentication credentials associated with the user, retrieving a cryptographic key using the second set of authentication credentials; and
  
  decrypting the third set of authentication credentials using the cryptographic key; and
  
  second server means, in a domain not in the federation, for authenticating the user to grant access to a resource outside the federated environment and stored on a computing device other than the client machine, responsive to receiving, from the password management program, the third set of authentication credentials.
- View Dependent Claims (9, 10, 11)
- - 9. The system of claim 8, wherein the means for authenticating the user responsive to receiving the first set of authentication credentials further comprises the intermediate machine in the second domain in the federation, authenticating the user responsive to receiving the first set of authentication credentials.
  - 10. The system of claim 8, wherein the federation comprises a set of entities having a pre-established trust relationship with each other and within which a common set of authentication credentials, known as the federated identity, is valid.
  - 11. The system of claim 8, wherein one or more of the authentication credentials are selected from a group consisting of a user id-password pair, a smart card certificate, a smart card personal identification number (PIN), a Kerberos authentication credential, a biometric authentication mechanism and a Data Protection Application Programming Interface (DPAPI).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Anderson, Bradley Paul
Primary Examiner(s)
Vaughan, Michael R

Application Number

US13/602,899
Publication Number

US 20120331535A1
Time in Patent Office

714 Days
Field of Search
US Class Current

726/7
CPC Class Codes

H04L 63/0815   providing single-sign-on or...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3271   using challenge-response

Methods and systems for completing, by a single-sign on component, an authentication process in a federated environment to a resource not supporting federation

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

11 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for completing, by a single-sign on component, an authentication process in a federated environment to a resource not supporting federation

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

11 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links