Single sign-on process

US 9,148,420 B2
Filed: 07/29/2014
Issued: 09/29/2015
Est. Priority Date: 02/08/2000
Status: Expired due to Term

First Claim

Patent Images

1. A method for allowing a user to remotely access a remote location, the method comprising:

sending by a server associated with the remote location, an authentication request to user equipment associated with the user, in response to the user requesting remote access;

receiving by the server, corresponding remote-access authentication data from the user equipment, wherein;

the remote-access authentication data is obtained, without requiring user input, from an activated smart-card associated with the user equipment,the smart-card is activated based on successful verification of the user using local-access authentication data,the local-access authentication data is provided by the user in response to request by the user equipment,the local-access authentication data is different from the remote-access authentication data, andauthenticating the user by the server based on the remote-access authentication data, wherein the user is granted access to the remote location over a communication network based on successful authentication of the user.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems are provided for single sign-on process for remote-access to remote servers, using user equipment associated with a user. An intermediate device (e.g., smart-card) associated with the user equipment may be activated using local-access authentication information provided by the user. The local-access authentication data may be provided by the user in response to requests by the user equipment. Once activated, the intermediate device may support remote-access operations, by providing, in response to authentication requests received from remote servers, remote-access authentication data, which may be used in authenticating the user at the remote servers. The authentication requests may be sent by the remote server to the user equipment in response to the user requesting remote access. The remote-access authentication data may be provided without requiring user input, once the intermediate device is activated. Further, the remote-access authentication data is different from the local-access authentication data.

Citations

30 Claims

1. A method for allowing a user to remotely access a remote location, the method comprising:
- sending by a server associated with the remote location, an authentication request to user equipment associated with the user, in response to the user requesting remote access;
  
  receiving by the server, corresponding remote-access authentication data from the user equipment, wherein;
  
  the remote-access authentication data is obtained, without requiring user input, from an activated smart-card associated with the user equipment,the smart-card is activated based on successful verification of the user using local-access authentication data,the local-access authentication data is provided by the user in response to request by the user equipment,the local-access authentication data is different from the remote-access authentication data, andauthenticating the user by the server based on the remote-access authentication data, wherein the user is granted access to the remote location over a communication network based on successful authentication of the user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, comprising independently authenticating the user for each of a plurality of layers used in establishing connectivity between the remote location and the user equipment based on at least a portion of the remote-access authentication data.
  - 3. The method of claim 1, comprising processing the remote-access authentication data to facilitate authenticating the user.
  - 4. The method of claim 3, comprising processing the remote-access authentication data by applying to at least a portion of user related authentication information at least one cryptographic function, based on at least one key.
  - 5. The method of claim 1, wherein:
    - the server associated with the remote location comprises an IPSEC gateway;
      
      the remote-access authentication data comprises IPSEC-related data; and
      
      authenticating the user comprises verifying the identity of the user by the IPSEC gateway using the IPSEC-related data.
  - 6. The method of claim 1, wherein:
    - the server associated with the remote location comprises a firewall;
      
      the remote-access authentication data comprises firewall-related data; and
      
      authenticating the user comprises verifying the identity of the user by the firewall using the firewall-related data.
  - 7. The method of claim 1, wherein:
    - the server associated with the remote location comprises an operating system domain based server;
      
      the remote-access authentication data comprises domain-access data; and
      
      authenticating the user comprises verifying the identity of the user by the operating system domain based server using the domain-access data.
  - 8. The method of claim 7, wherein the domain-access data comprises a password for logging onto the operating system domain.

9. A method for allowing a user to remotely access a remote location, the method comprising:
- in user equipment associated with the user;
  
  receiving local-access authentication data from the user;
  
  authenticating the user based on the local-access authentication data;
  
  activating a smart-card when the user is successfully authenticated using the local-access authentication data; and
  
  in response to the user requesting remote access to the remote location, for each authentication request received from a server associated with the remote location;
  
  obtaining corresponding remote-access authentication data from the smart-card; and
  
  sending the remote-access authentication data to the server associated with the remote location; and
  
  wherein;
  
  the remote-access authentication data is different from the local-access authentication data,the remote-access authentication data is provided by the smart-card, once activated, without requiring additional user input, andthe user is granted access to the remote location over a communication network based on successful authentication of the user.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The method of claim 9, comprising computing at least a portion of the remote-access authentication data using at least one cryptographic function, based on at least one key.
  - 11. The method of claim 9, comprising establishing connectivity to the remote location over the communication network, the establishing comprising setting up a plurality of communication layers.
  - 12. The method of claim 11, comprising generating, obtaining, and/or sending the remote-access authentication data to enable authenticating the user independently for each of the plurality of layers.
  - 13. The method of claim 11, comprising:
    - sequentially constructing each one of the plurality of layers; and
      
      obtaining and sending for each one of the plurality of layers, respective remote-access authentication data to enable independently authenticating the user for said one of the plurality of layers.
  - 14. The method of claim 11, wherein:
    - the remote location comprises one or more of an IPSEC gateway, a firewall, and a server associated with an operating system domain; and
      
      the remote-access authentication data comprising a corresponding one or more of IPSEC-related data, firewall-related data, and domain-access related data.

15. A system comprising:
- one or more servers for use in allowing a user to remotely access a remote location, wherein each server is operable to;
  
  send an authentication request to user equipment associated with the user, in response to the user requesting remote access;
  
  receive corresponding remote-access authentication data from the user equipment, wherein;
  
  the remote-access authentication data is obtained, without requiring user input, from an activated smart-card associated with the user equipment,the smart-card is activated based on successful verification of the user using local-access authentication data,the local-access authentication data is provided by the user in response to request by the user equipment, andthe local-access authentication data is different from the remote-access authentication data; and
  
  authenticate the user based on the remote-access authentication data, wherein the user is granted access to the remote location over a communication network based on successful authentication of the user.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23)
- - 16. The system of claim 15, wherein the one or more servers are operable to independently authenticate the user for each of a plurality of layers, used in establishing connectivity between the remote location and the user equipment, based on at least a portion of the remote-access authentication data.
  - 17. The system of claim 15, wherein at least one server is operable to compute at least a portion of user related authentication information using at least one cryptographic function, based on at least one key.
  - 18. The system of claim 15, wherein:
    - the one or more servers at the remote location comprise an IPSEC gateway;
      
      the remote-access authentication data comprises IPSEC-related data; and
      
      said IPSEC gateway being operable to authenticate the user comprises said IPSEC gateway being operable to verify the identity of the user using the IPSEC-related data.
  - 19. The system of claim 15, wherein:
    - the one or more servers at the remote location comprise a firewall;
      
      the remote-access authentication data comprises firewall-related data; and
      
      said firewall being operable to authenticate the user comprises said firewall being operable to verify the identity of the user using the firewall-related data.
  - 20. The system of claim 15, wherein:
    - wherein the one or more servers at the remote location comprise a server associated with operating system domain;
      
      the remote-access authentication data comprises domain-access data; and
      
      said server associated with the operating system domain being operable to authenticate the user comprises said server associated with the operating system domain being operable to verify the identity of the user using the domain-access data.
  - 21. The system of claim 15, wherein the remote location comprises a corporate network with remote access capabilities.
  - 22. The system of claim 15, wherein the communication network comprise a mobile network.
  - 23. The system of claim 22, wherein the mobile network comprises a GPRS, EDGE, HSCSD and/or UMTS network.

24. A system for allowing a user to remotely access a remote location, comprising:
- user equipment that comprises at least one processor;
  
  a smart-card associated with the user equipment; and
  
  wherein the user equipment is operable to;
  
  receive local-access authentication data from the user;
  
  authenticate the user based on the local-access authentication data;
  
  activate the smart-card when the user is successfully authenticated using the local-access authentication data; and
  
  in response to the user requesting remote access to the remote location, for each authentication request received from a server associated with the remote location;
  
  obtain from the smart-card corresponding remote-access authentication data; and
  
  send the remote-access authentication data to the server of the remote location; and
  
  wherein;
  
  the remote-access authentication data is different from the local-access authentication data,the remote-access authentication data is provided by the smart-card, once activated, without requiring additional user input, andthe user is granted access to the remote location over a communication network based on successful authentication of the user.
- View Dependent Claims (25, 26, 27, 28, 29, 30)
- - 25. The system of claim 24, wherein the user equipment is operable to establish connectivity to the remote location over the communication network, the establishing comprising setting up plurality of communication layers.
  - 26. The system of claim 24, wherein user equipment is operable to obtain or send remote-access authentication data to enable independently authenticating the user for each of the plurality of layers.
  - 27. The system of claim 24, wherein user equipment is operable to:
    - sequentially construct each one of the plurality of layers; and
      
      obtain and send for each one of the plurality of layers, respective remote-access authentication data to enable independently authenticating the user for said one of the plurality of layers.
  - 28. The system of claim 24, wherein the user equipment or the smart-card is operable to compute at least a portion of the remote-access authentication data using at least one cryptographic function, based on at least one key.
  - 29. The system of claim 24, wherein the smart-card is operable to generate and/or store a plurality of remote-access authentication data sets, wherein each of the plurality of remote-access authentication data sets corresponds to a particular authentication interaction.
  - 30. The system of claim 29, wherein each authentication interaction is based on one or more of:
    - particular authentication mechanism or algorithm, a particular communication layer, a particular type of a remote server, and a particular type of user identification information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
VL Collective IP, LLC (VideoLabs, Inc.)
Original Assignee
Swisscom AG (Government of Switzerland)
Inventors
Ferchichi, Azim, Lauper, Eric
Primary Examiner(s)
Abrishamkar, Kaveh

Application Number

US14/445,539
Publication Number

US 20150089618A1
Time in Patent Office

427 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 21/34   involving the use of extern...

G06F 21/41   where a single sign-on prov...

H04L 63/0442   wherein the sending and rec...

H04L 63/062   for key distribution, e.g. ...

H04L 63/08   for authentication of entit...

H04L 63/0815   providing single-sign-on or...

H04L 63/0853   using an additional device,...

H04L 63/164   at the network layer

H04L 67/04   specially adapted for termi...

H04L 67/14   Session management for real...

H04W 12/02   Protecting privacy or anony...

H04W 12/04   Key management, e.g. using ...

H04W 12/06   Authentication

H04W 12/082   using revocation of authori...

H04W 8/265   for initial activation of n...

Single sign-on process

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Single sign-on process

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links