Method and apparatus for multi-domain authentication

US 9,276,929 B2
Filed: 03/15/2013
Issued: 03/01/2016
Est. Priority Date: 03/15/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving credentials for a user at a first domain;

receiving a request from the user at the first domain to redirect to a second domain;

redirecting the user to the second domain;

generating a token based on the user credentials on the first domain;

sending the token to the user and storing the token in a single shared database;

receiving a request from the user at the second domain to access data in the single shared database wherein the first and second domains provide user access to the single shared database, the request including the token;

comparing the received token to the stored token and conditionally authenticating the user at the second domain based on the token comparison; and

providing the requested data from the single shared database to the user upon authenticating the user at the second domain.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for multi-domain authentication is described. In one example, credentials are received for a user accessing a first domain. User access to the first domain and a second domain is confirmed. A token is created for access to the second domain and the is provided with access to the second domain.

Citations

18 Claims

1. A method comprising:
- receiving credentials for a user at a first domain;
  
  receiving a request from the user at the first domain to redirect to a second domain;
  
  redirecting the user to the second domain;
  
  generating a token based on the user credentials on the first domain;
  
  sending the token to the user and storing the token in a single shared database;
  
  receiving a request from the user at the second domain to access data in the single shared database wherein the first and second domains provide user access to the single shared database, the request including the token;
  
  comparing the received token to the stored token and conditionally authenticating the user at the second domain based on the token comparison; and
  
  providing the requested data from the single shared database to the user upon authenticating the user at the second domain.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein storing the token comprises storing the token in a database accessible to the first and the second domains.
  - 3. The method of claim 1, wherein receiving credentials comprises logging a user into a session on the first domain.
  - 4. The method of claim 1, wherein receiving a request comprises receiving a request to log the user into a session in the second domain and wherein authenticating the user comprises logging the user into a session on the first domain.
  - 5. The method of claim 1, wherein receiving the token comprises receiving a hash of the token with an ID of the user and wherein comparing comprises generating a hash of the stored token with a stored user ID and comparing the generated hash to the received hash.
  - 6. The method of claim 5, wherein sending the token to the user comprises sending the token not hashed with the user ID.
  - 7. The method of claim 1, further comprising searching the single shared database for an active session for the user with the first domain and if no active session is found not authenticating the user at the second domain.
  - 8. The method of claim 7, wherein searching for an active session comprises searching for a valid session cookie.
  - 9. The method of claim 1, further comprising retrieving permissions of the user for the first domain from the single shared database and not authenticating the user at the second domain if the permissions are not sufficient for the first domain.
  - 10. The method of claim 9, wherein retrieving permissions comprises retrieving permissions for the user to access data in the single shared database and wherein sufficient permissions are permissions that allow the user to access data in the single shared database.
  - 11. The method of claim 1, further comprising checking the single shared database to determine whether the token has been consumed and if the token has been consumed, then not authenticating the user at the second domain.
  - 12. The method of claim 11, further comprising consuming the token after authenticating the user at the second domain.
  - 13. The method of claim 1, further comprising checking to determine whether the token has expired and if the token has expired, then not authenticating the user at the second domain.

14. A system comprising:
- a computing device having a memory to store instructions, and a processing device to execute the instructions, the computing device further having a mechanism to;
  
  receive credentials for a user at a first domain;
  
  receive a request from the user at the first domain to redirect to a second domain;
  
  redirect the user to the second domain;
  
  generate a token based on the user credentials on the first domain;
  
  send the token to the user and store the token in a single shared database;
  
  receive a request from the user at the second domain to access data in the single shared database wherein the first and second domains provide user access to the single shared database, the request including the token;
  
  compare the received token to the stored token and conditionally authenticate the user at the second domain based on the token comparison; and
  
  provide the requested data from the single shared database to the user upon authenticating the user at the second domain.
- View Dependent Claims (15)
- - 15. The system of claim 14, wherein the database includes credentials for the user and wherein generating a user token includes storing the token in the shared database.

16. A non-transitory, computer-readable medium having instruction thereon that when operated on by a computer cause the computer to perform operations comprising:
- receiving credentials for a user at a first domain;
  
  receiving a request from the user at the first domain to redirect to a second domain;
  
  redirecting the user to the second domain;
  
  generating a token based on the user credentials on the first domain;
  
  sending the token to the user and storing the token in a single shared database;
  
  receiving a request from the user at the second domain to access data in the single shared database wherein the first and second domains provide user access to a single shared database, the request including the token;
  
  comparing the received token to the stored token and conditionally authenticating the user at the second domain based on the token comparison; and
  
  providing the requested data from the single shared database to the user upon authenticating the user at the second domain.
- View Dependent Claims (17)
- - 17. The medium of claim 16, the operations further comprising determining whether the user has a valid session with the first domain and wherein authenticating the user at the second domain comprises authenticating the user only if the user has a valid session with the first domain.

18. A method comprising:
- receiving credentials for a user that is accessing data through a first domain by accessing a single shared database that contains data that is shared by the first and a second domain to determine whether user credentials for the first domain are stored in the shared database;
  
  confirming that the user has access to the first domain and the second domain;
  
  creating a token for access to the second domain; and
  
  ,providing the user access to the data of the single shared database through the second domain.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Salesforce.com, Inc.
Original Assignee
Salesforce.com, Inc.
Inventors
Williams, Christopher, Singh, Atul, Khimich, Oleksandr, Wong, Fang
Primary Examiner(s)
HENNING, MATTHEW T

Application Number

US13/843,079
Publication Number

US 20140282940A1
Time in Patent Office

1,082 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/10   for controlling access to d...

H04L 63/1466   Active attacks involving in...

Method and apparatus for multi-domain authentication

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for multi-domain authentication

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links