System and method for providing access credentials

US 9,130,935 B2
Filed: 05/05/2011
Issued: 09/08/2015
Est. Priority Date: 05/05/2011
Status: Active Grant

First Claim

Patent Images

1. A method of providing access credentials associated with a user of a first terminal to a service server comprising a service, the method comprising:

receiving, at a proxy server, from the first terminal, a request to establish a first data connection, the request including user identification data;

identifying, at the proxy server, authentication credentials associated with the user of the first terminal;

verifying, at the proxy server, the received user identification data based on the identified authentication credentials associated with the user of the first terminal;

establishing, at the proxy server, the first data connection with the first terminal based on verifying the received user identification data;

establishing, at the proxy server, a second data connection with the service server after verifying the received user identification data;

bridging, at the proxy server, the first data connection and the second data connection in order to establish a first communications session using a first communications protocol between the first terminal and the service server;

establishing, at the proxy server, a second communications session using a second communications protocol between the proxy server and the service server;

receiving, at the proxy server from the service server, via the second communications session, a request for access credentials associated with the user, the request including information received by the service server via the first communications session, wherein the access credentials associated with the user are different from the user identification data;

identifying, at the proxy server, the access credentials associated with the user based on the information received by the service server; and

transmitting, from the proxy server to the service server, the identified access credentials via the second communications session.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the invention are concerned with providing access credentials associated with a user of a service to a server hosting the service, e.g. enabling single sign on by the user to a number of servers.

The embodiments include functionality for establishing a first data connection with a terminal associated with the user and a second data connection with the server, and bridging the first and second data connections in order to establish a first communications session, using a first communications protocol, between the terminal and the server. A second communications session, using a second communications protocol, is also established with the server, via which a request for access credentials associated with the user is received. This request includes information received by the server in the first communications session, which is used to identify access credentials of the user that are transmitted to the server via the second communications session.

22 Citations

View as Search Results

23 Claims

1. A method of providing access credentials associated with a user of a first terminal to a service server comprising a service, the method comprising:
- receiving, at a proxy server, from the first terminal, a request to establish a first data connection, the request including user identification data;
  
  identifying, at the proxy server, authentication credentials associated with the user of the first terminal;
  
  verifying, at the proxy server, the received user identification data based on the identified authentication credentials associated with the user of the first terminal;
  
  establishing, at the proxy server, the first data connection with the first terminal based on verifying the received user identification data;
  
  establishing, at the proxy server, a second data connection with the service server after verifying the received user identification data;
  
  bridging, at the proxy server, the first data connection and the second data connection in order to establish a first communications session using a first communications protocol between the first terminal and the service server;
  
  establishing, at the proxy server, a second communications session using a second communications protocol between the proxy server and the service server;
  
  receiving, at the proxy server from the service server, via the second communications session, a request for access credentials associated with the user, the request including information received by the service server via the first communications session, wherein the access credentials associated with the user are different from the user identification data;
  
  identifying, at the proxy server, the access credentials associated with the user based on the information received by the service server; and
  
  transmitting, from the proxy server to the service server, the identified access credentials via the second communications session.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method according to claim 1, wherein the second communications protocol is not used in the first communications session.
  - 3. The method according to claim 2, wherein the user identification data received by the service server includes a message authentication code generated using the authentication credentials associated with the user of the first terminal.
  - 4. The method according to claim 1, the method further comprising:
    - storing, at the proxy server, an association between the first data connection and the second data connectionwherein the information received by the service server comprises a data connection identifier configured to identify the stored association between the first data connection and the second data connection.
  - 5. The method according to claim 4, wherein the stored association identifies a first communications port of the proxy server used to establish the first data connection and a second communications port at the proxy server used to establish the second data connection.
  - 6. The method according to claim 1, wherein the identified authentication credentials comprise a secret key associated with the user and the first terminal.
  - 7. The method according to claim 1, wherein the user identification data comprises one of a username associated with the user or a secret key associated with the user.
  - 8. The method according to claim 1, further comprising:
    - receiving, at the proxy server, via the first data connection, a service server connection request from the first terminanl,wherein the server connection request comprises a service access request, and wherein the requested service requires the access credentials associated with the user in order to enable the first terminal to access the service.
  - 9. The method according to claim 1, wherein the first data connection is established between the first terminal and the proxy server separated by a firewall, and wherein the first data connection is established via one or more relay servers enabling the establishment of the first data connection via the firewall.
  - 10. The method according to claim 1, the method further comprising:
    - receiving, at the proxy server, a hash associated with a new password entered at the first terminal;
      
      identifying, at the proxy server, a second terminal associated with the user of the first terminal based on the received hash;
      
      transmitting, from the proxy server to the second terminal, the received hash of the new password,wherein the hash of the new password is configured to be used by the second terminal to encrypt authentication credentials.
  - 11. The method according to claim 10, the method further comprising:
    - receiving, at the proxy server, a request for data identifying the second terminal.
  - 12. The method according to claim 1, the method further comprising:
    - verifying, at the proxy server, the information received by the service server from the first terminal based on the identified authentication credentials stored at the proxy server and associated with the user of the first terminal.
  - 13. The method according to claim 1, wherein the information received by the service server from the first terminal comprises an access token.

14. A system comprising:
- at least one processor; and
  
  at least one memory including computer-executable code and authentication credentials, wherein the processor is configured to execute the computer-executable code and cause the system to;
  
  receive, from a terminal, a request to establish a first data connection, the request including user identification data;
  
  identify authentication credentials associated with the user of the terminal;
  
  verify the received user identification data based on the identified authentication credentials associated with the user of the terminal;
  
  establish the first data connection with the terminal based on verifying the received user identification data;
  
  establish a second data connection with a service server after verifying the received user identification data;
  
  bridge the first data connection and the second data connection in order to establish a first communications session using a first communications protocol between the terminal and the service server;
  
  establish a second communications session using a second communications protocol with the service server;
  
  receive, from the service server, via the second communications session, a request for access credentials associated with the user, the request including information received by the service server via the first communications session, wherein the access credentials associated with the user are different from the user identification data;
  
  identify the access credentials based on the information received by the service server; and
  
  transmit to the service server the identified access credentials via the second communications session.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The system according to claim 14, wherein the second communications protocol is not used in the first communications session.
  - 16. The system according to claim 15, wherein the user identification data received by the service server includes a message authentication code generated using the authentication credentials associated with the user of the terminal.
  - 17. The system according to claim 14, wherein the processor is configured to execute the computer-executable code and further cause the system to:
    - store an association between the first data connection and the second data connection,wherein the information received by the service server comprises a data connection identifier configured to identify the stored association between the first data connection and the second data connections.
  - 18. The system according to claim 17, wherein the stored association identifies a first communications port used to establish the first data connection and a second communications port used to establish the second data connection.
  - 19. The system according to claim 14, wherein the processor is configured to execute the computer-executable code and further cause the system to:
    - verify the information received by the service server from the terminal based on the identified authentication credentials associated with the user of the terminal.

20. A proxy server for providing access credentials associated with a user of terminal to a service server, the proxy server comprising a processing system and a communications interface, wherein the proxy server is configured to:
- receive, from a terminal, via the communications interface, a request to establish a first data connection, the request including user identification data;
  
  identify authentication credentials associated with the user of the terminal;
  
  verify the received user identification data based on the identified authentication credentials associated with the user of the terminalestablish the first data connection with the terminal via the communications interface based on verifying the received user identification data;
  
  establish a second data connection with the service server via the communications interface after verifying the received user identification data;
  
  bridge the first data connection and the second data connection in order to establish a first communications session using a first communications protocol between the terminal and the service server;
  
  establish a second communications session using a second communications protocol with the service server via the communications interface;
  
  receive, from the service server, via the communications interface, via the second communications session, a request for access credentials associated with the user, the request including information received by the service server via the first communications session, wherein the access credentials associated with the user are different from the user identification data;
  
  identify the access credentials based on the information received from the service server; and
  
  transmit, to the service server via the communications interface, the identified access credentials via the second communications session.

21. A computer program product comprising a non-transitory, computer-readable storage medium having computer readable instructions stored thereon, the computer readable instructions being executable by a proxy server to cause the proxy server to perform a method of providing access to credentials associated with a user of a terminal to a service server hosting a service, the method comprising:
- receiving, at the proxy server, from the terminal, a request to establish a first data connection, the request including user identification data;
  
  identifying, at the proxy server, authentication credentials associated with the user of the terminal;
  
  verifying, at the proxy server, the received user identification data based on the identified authentication credentials associated with the user of the terminal;
  
  establishing, at the proxy server, the first data connection with the terminal based on verifying the received user identification data;
  
  establishing, at the proxy server, a second data connection with the service server after verifying the received user identification data;
  
  bridging, at the proxy server, the first data connection and the second data connection in order to establish a first communications session using a first communications protocol between the terminal and the service server;
  
  establishing, at the proxy server, a second communications session using a second communications protocol between the proxy server and the service server;
  
  receiving, at the proxy server from the service server, via the second communications session, a request for access credentials associated with the user, the request including information received by the service server via the first communications session, wherein the access credentials associated with the user are different from the user identification data;
  
  identifying, at the proxy server, the access credentials associated with the user based on the information received by the service server; and
  
  transmitting, from the proxy server to the service server, the identified access credentials via the second communications session.
- View Dependent Claims (22, 23)
- - 22. The computer program product of claim 21, wherein the user identification data comprises one of a username associated with the user or a secret key associated with the user.
  - 23. The computer program product of claim 21, wherein the information received by the service server comprises an access token.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Malikie Innovations Limited (Key Patent Innovations Limited)
Original Assignee
Good Technology Corporation (Blackberry Limited)
Inventors
Somani, Haniff, Quinlan, Sean Michael
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
GYORFI, THOMAS A

Application Number

US13/101,962
Publication Number

US 20120284786A1
Time in Patent Office

1,587 Days
Field of Search

726/7, 726/12
US Class Current

1/1
CPC Class Codes

H04L 2463/082   applying multi-factor authe...

H04L 63/0281   Proxies

H04L 63/0815   providing single-sign-on or...

H04L 63/0884   by delegation of authentica...

System and method for providing access credentials

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

22 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for providing access credentials

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links