Methods of authenticating users to a site

US 9,344,419 B2
Filed: 02/27/2014
Issued: 05/17/2016
Est. Priority Date: 02/27/2014
Status: Active Grant

First Claim

Patent Images

1. A method for authenticating within a single sign-on federated authentication system, the method comprising:

enrolling a user, including creating a record for the user, the record storing a user ID for the user and storing an association between a site identifier for a first server and a first authentication method, and storing a further association between a site identifier of a second server and each of a second authentication method and a third authentication method;

after enrolling the user, receiving, with the first server, a first claimant target for the user;

authenticating the user to the first server according to the first authentication method;

after authenticating the user to the first server, receiving with the first server from a second server an authentication request including the second site identifier and a second claimant target, wherein the first and second claimant targets each consist of one of the user ID, a username, or a biometric;

again authenticating the user according to a second authentication method including using the second claimant target to locate the record for the user, thenselecting the second authentication method from between the second and third a plurality of authentication methods associated with the second site identifier in the record for the user, thenauthenticating the user according to the selected second authentication method including receiving a response from the user; and

sending to the second server an indication of successful authentication.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for user authentication within federated computing systems are provided. In a session, a user can be authenticated multiple times by different authentication methods for different servers of the federated system, however, once the user has been authenticated by any given authentication method, the user need not repeat that method. Systems of the present invention comprise a plurality of servers including an authentication server. The authentication server maintains authentication records for users, where each record includes which authentication methods apply to which servers. When a user first seeks access to a particular server, the server identifies the user and the server to the authentication server. If the user has already been authenticated elsewhere according to the authentication method required by the new server, the authentication server indicates to the new server that the user is authenticated, else the authentication server invokes the necessary authentication method.

148 Citations

8 Claims

1. A method for authenticating within a single sign-on federated authentication system, the method comprising:
- enrolling a user, including creating a record for the user, the record storing a user ID for the user and storing an association between a site identifier for a first server and a first authentication method, and storing a further association between a site identifier of a second server and each of a second authentication method and a third authentication method;
  
  after enrolling the user, receiving, with the first server, a first claimant target for the user;
  
  authenticating the user to the first server according to the first authentication method;
  
  after authenticating the user to the first server, receiving with the first server from a second server an authentication request including the second site identifier and a second claimant target, wherein the first and second claimant targets each consist of one of the user ID, a username, or a biometric;
  
  again authenticating the user according to a second authentication method including using the second claimant target to locate the record for the user, thenselecting the second authentication method from between the second and third a plurality of authentication methods associated with the second site identifier in the record for the user, thenauthenticating the user according to the selected second authentication method including receiving a response from the user; and
  
  sending to the second server an indication of successful authentication.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1 wherein enrolling the user comprisesreceiving a user selection of the first authentication method.
  - 3. The method of claim 1 wherein authenticating the user to the first server includes determining the first authentication method.
  - 4. The method of claim 3 wherein determining the first authentication method includes selecting the first authentication method from a plurality of authentication methods identified in the record for the user.
  - 5. The method of claim 3 wherein the first server is in communication with a client computing device employed by the user and wherein determining the first authentication method includes identifying the client computing device.

6. A system for authenticating within a single sign-on federated authentication system, the system comprising:
- an enrollment server configured to enroll a user, wherein enrolling the user includes creating a record for the user, and storing in the record a user ID for the user, and storing in the record an association between a site identifier for a first server and a first authentication method, and storing in the record a further association between a site identifier of a second server and each of a second authentication method and a third authentication method;
  
  a database, stored on a non-transitory storage medium, the database including the record for the user;
  
  an authentication server configured to;
  
  after enrolling the user, receive a first claimant target for the user,authenticate the user according to the first authentication method, after authenticating the user to the authentication server, receive an authentication request including the second site identifier and a second claimant target, wherein the first and second claimant targets each consist of one of the user ID, a username, or a biometric,authenticate the user again according to a second authentication methodincluding using the second claimant target to locate the record for the user in the database, then selecting the second authentication method from between the second and third a plurality of authentication methods associated with the second site identifier in the record, then authenticating the user according to the selected second authentication method, including receiving a response from the user; and
  
  a relying party server in communication with the authentication server across a network, the relying party server configured to send the authentication request to the authentication server and to receive an indication of authentication from the authentication server.
- View Dependent Claims (7, 8)
- - 7. The system of claim 6 wherein the authentication server is further configured to determine the first authentication method by selecting the first authentication method from a plurality of authentication methods identified in the record for the user.
  - 8. The system of claim 6 wherein the first server is in communication with a client computing device employed by the user and wherein determining the first authentication method includes identifying the client computing device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Francine CANI 2002 Living Trust
Original Assignee
Ky Trix Ltd.
Inventors
Ma, Karen
Primary Examiner(s)
Tran, Tri

Application Number

US14/192,865
Publication Number

US 20150244696A1
Time in Patent Office

810 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/41   where a single sign-on prov...

H04L 63/08   for authentication of entit...

H04L 63/0815   providing single-sign-on or...

H04L 63/10   for controlling access to d...

H04L 67/01   Protocols

H04L 67/125   involving control of end-de...

H04L 67/14   Session management for real...

H04L 9/321   involving a third party or ...

H04W 12/062   Pre-authentication

H04W 12/068   using credential vaults, e....

Methods of authenticating users to a site

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

148 Citations

8 Claims

Specification

Solutions

Use Cases

Quick Links

Methods of authenticating users to a site

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

148 Citations

8 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links