Multi-domain applications with authorization and authentication in cloud environment

US 9,386,007 B2
Filed: 12/27/2013
Issued: 07/05/2016
Est. Priority Date: 12/27/2013
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method comprising:

receiving a request from a user via a Web browser to access a multi-domain application, wherein the request is a single sign-on (SSO) request or a single logout (SLO) request, and wherein the multi-domain application runs on multiple domains in parallel;

redirecting the Web browser to request a multi-domain service (MDS) endpoint accessible from a services domain with one or more parameters signed by a service provider, wherein the service provider issues an MDS cookie that includes a multi-domain application URL to access a domain of the multi-domain application, and wherein the service provider supports authentication and authorization services accessible from the services domain for the multiple domains of the multi-domain application;

generating an original URL cookie (OUC) comprising the multi-domain application URL, wherein the multi-domain application URL is extracted from the MDS cookie at the MDS endpoint;

redirecting the Web browser to request an identity provider, wherein the SSO request includes a login assertion parameter or the SLO request includes a logout assertion parameter, and wherein the identity provider request includes a name of the original URL cookie (OUC) comprising the multi-domain application URL;

receiving an assertion response from the identity provider comprising;

receiving the assertion response at an assertion consumer service (ACS) that the user is authenticated with the identity provider, when redirecting the SSO request;

orreceiving the assertion response at a SLO service that the user is logged out from the identity provider, when redirecting the SLO request, wherein receiving the assertion response at the SLO service further comprises sending a logout request from the SLO service to a domain specific SLO service and receiving a logout response from the domain specific SLO service that the user is logged out of the domain by invalidating the user session for the domain; and

redirecting the Web browser to request the multi-domain application with the received assertion response, wherein the multi-domain application URL is retrieved from the OUC cookie.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A multi-domain application requiring SSO and SLO operations in cloud environment is presented. The computing system of the multi-domain application includes a multi-domain service (MDS) to redirect the calls for the multi-domain application to an identity provider to authenticate the user or to invoke the single logout services (SLOs) on the domains of the multi-domain application and to invalidate the user sessions on the domains. A cookie that includes the multi-domain application URL is generated to reach the assertion consumer service (ACS) and the single logout service (SLO) that receive an identity assertion response from the identity provider. Domain specific SLOs are provided. A trust between these domain specific SLOs and the SLO is provided based on service provider keys. The SAML mechanism for a logout scenario is reused for communication between the SLO and the domain specific SLOs, where the SLO plays a role of a local IDP.

30 Citations

View as Search Results

13 Claims

1. A computer implemented method comprising:
- receiving a request from a user via a Web browser to access a multi-domain application, wherein the request is a single sign-on (SSO) request or a single logout (SLO) request, and wherein the multi-domain application runs on multiple domains in parallel;
  
  redirecting the Web browser to request a multi-domain service (MDS) endpoint accessible from a services domain with one or more parameters signed by a service provider, wherein the service provider issues an MDS cookie that includes a multi-domain application URL to access a domain of the multi-domain application, and wherein the service provider supports authentication and authorization services accessible from the services domain for the multiple domains of the multi-domain application;
  
  generating an original URL cookie (OUC) comprising the multi-domain application URL, wherein the multi-domain application URL is extracted from the MDS cookie at the MDS endpoint;
  
  redirecting the Web browser to request an identity provider, wherein the SSO request includes a login assertion parameter or the SLO request includes a logout assertion parameter, and wherein the identity provider request includes a name of the original URL cookie (OUC) comprising the multi-domain application URL;
  
  receiving an assertion response from the identity provider comprising;
  
  receiving the assertion response at an assertion consumer service (ACS) that the user is authenticated with the identity provider, when redirecting the SSO request;
  
  orreceiving the assertion response at a SLO service that the user is logged out from the identity provider, when redirecting the SLO request, wherein receiving the assertion response at the SLO service further comprises sending a logout request from the SLO service to a domain specific SLO service and receiving a logout response from the domain specific SLO service that the user is logged out of the domain by invalidating the user session for the domain; and
  
  redirecting the Web browser to request the multi-domain application with the received assertion response, wherein the multi-domain application URL is retrieved from the OUC cookie.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, wherein an ACS endpoint URL and an SLO service endpoint URL are predefined configurations listed in the identity provider.
  - 3. The method of claim 2, wherein the MDS endpoint, the ACS endpoint, and the SLO service endpoint reside on the services domain.
  - 4. The method of claim 1, wherein redirecting the Web browser to request the multi-domain application with the SSO request comprises the MDS cookie.

5. A computer system comprising:
- a processor;
  
  a memory in communication with the processor, the memory storing instructions which when executed by the processor cause the computer system to;
  
  receive a request from a user via a Web browser to access a multi-domain application, wherein the request is a single sign-on (SSO) request or a single logout (SLO) request, and wherein the multi-domain application runs on multiple domains in parallel;
  
  redirect the Web browser to request a multi-domain service (MDS) endpoint accessible from a services domain with one or more parameters signed by a service provider, wherein the service provider issues an MDS cookie that includes a multi-domain application URL to access a domain of the multi-domain application, and wherein the service provider supports authentication and authorization services accessible from the services domain for the multiple domains of the multi-domain application;
  
  generate an original URL cookie (OUC) comprising the multi-domain application URL, wherein the multi-domain application URL is extracted from the MDS cookie at the MDS endpoint;
  
  redirect the Web browser to request an identity provider, wherein the SSO request includes a login assertion parameter or the SLO request includes a logout assertion parameter, and wherein the identity provider request includes a name of the original URL cookie (OUC) comprising the multi-domain application URL;
  
  receive an assertion response from the identity provider comprising;
  
  receive the assertion response at an assertion consumer service (ACS) that the user is authenticated with the identity provider, when redirecting the SSO request;
  
  orreceive the assertion response at a SLO service that the user is logged out from the identity provider, when redirecting the SLO request, wherein receiving the assertion response at the SLO service further comprises sending a logout request from the SLO service to a domain specific SLO service and receiving a logout response from the domain specific SLO service that the user is logged out of the domain by invalidating the user session for the domain; and
  
  redirect the Web browser to request the multi-domain application with the received assertion response, wherein the multi-domain application URL is retrieved from the OUC cookie.
- View Dependent Claims (6, 7, 8, 13)
- - 6. The computer system of claim 5, wherein the OUC cookie name and the login assertion parameter for the SSO request and the logout assertion parameter for the SLO request are sent to the identity provider.
  - 7. The computer system of claim 5, wherein an ACS endpoint URL and a SLO service endpoint URL are predefined configurations listed in the identity provider.
  - 8. The computer system of claim 7, wherein an MDS endpoint, the ACS endpoint, and the SLO service endpoint reside on the services domain.
  - 13. The computer system of claim 5, wherein the service provider generates the MDS cookie that includes the multi-domain application URL, wherein the MDS cookie is sent to the Web browser to access the multi-domain application in response to user authentication with the identity provider.

9. A non-transitory computer-readable medium storing instructions, which when executed cause a computer system to:
- receive a request from a user via a Web browser to access a multi-domain application, wherein the request is a single sign-on (SSO) request or a single logout (SLO) request, and wherein the multi-domain application runs on multiple domains in parallel;
  
  redirect the Web browser to request a multi-domain service (MDS) endpoint accessible from a services domain with one or more parameters signed by a service provider, wherein the service provider issues an MDS cookie that includes a multi-domain application URL, wherein the service provider supports authentication and authorization services accessible from the services domain for the multiple domains of the multi-domain application;
  
  generate an original URL cookie (OUC) comprising the multi-domain application URL, wherein the multi-domain application URL is extracted from the MDS cookie at the MDS endpoint;
  
  redirect the Web browser to request an identity provider, wherein the SSO request includes a login assertion parameter or the SLO request includes a logout assertion parameter, and wherein the identity provider request includes an original URL cookie (OUC) comprising the multi-domain application URL;
  
  receive an assertion response from the identity provider comprising;
  
  receive the assertion response at an assertion consumer service (ACS) that the user is authenticated with the identity provider, when redirecting the SSO request;
  
  orreceive the assertion response at a SLO service that the user is logged out from the identity provider, when redirecting the SLO request, wherein receiving the assertion response at the SLO service further comprises sending a logout request from the SLO service to a domain specific SLO service and receiving a logout response from the domain specific SLO service that the user is logged out of the domain by invalidating the user session for the domain; and
  
  redirect the Web browser to request the multi-domain application with the received assertion response, wherein the multi-domain application URL is retrieved from the OUC cookie.
- View Dependent Claims (10, 11, 12)
- - 10. The computer-readable medium of claim 9, wherein an ACS endpoint URL and a SLO service endpoint URL are predefined configurations listed in the identity provider.
  - 11. The computer-readable medium of claim 10, wherein the MDS endpoint, the ACS endpoint, and the SLO service endpoint reside on the services domain.
  - 12. The computer-readable medium of claim 9, wherein redirecting the Web browser to request the multi-domain application with the SSO request comprises the MDS cookie.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SAP SE
Original Assignee
SAP SE
Inventors
Minov, Jasen, Manov, Milen, Petrov, Stefan
Primary Examiner(s)
Rashid, Harunur

Application Number

US14/141,495
Publication Number

US 20150188906A1
Time in Patent Office

921 Days
Field of Search

726/8
US Class Current

1/1
CPC Class Codes

H04L 63/062   for key distribution, e.g. ...

H04L 63/0815   providing single-sign-on or...

H04L 63/10   for controlling access to d...

Multi-domain applications with authorization and authentication in cloud environment

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

30 Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Multi-domain applications with authorization and authentication in cloud environment

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

30 Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links