Mechanism of passing security tokens through both untrusted and validating intermediaries
First Claim
1. A method for performing a single sign on (SSO) service for a client in a system having a server that provides resources for the client, comprising:
- receiving a request from the client to access a resource provided by the server, wherein the request contains an artifact referencing a security token and the security token contains an assertion for authorizing the client for a single sign on service with the server;
embedding the artifact in an access token, wherein the access token includes, in addition to the artifact, one or more fields for validating the access token itself;
after the access token is validated, the artifact is extracted from the access token and the server is in possession of the artifact, receiving a request from the server to resolve the artifact; and
sending the assertion to the server, wherein the assertion permits the client to access the requested resource provided by the server.
2 Assignments
0 Petitions
Accused Products
Abstract
Disclosed is a system and technique for validating a user for a single sign on without exposing secure information about the user to any part of the system except the connection server and the identity provider. In the technique, instead of relying directly on a SAML assertion, the technique uses an artifact representing the assertion and wraps the artifact in an access token. The access token is able to carry the artifact through one or more gateways on its way to a connection server without revealing any security information. Upon the access token being verified by either the gateway or the connection server, the artifact can be extracted from the access token and verification of the user for the single sign on can proceed between only the connection server and the identity provider.
7 Citations
21 Claims
-
1. A method for performing a single sign on (SSO) service for a client in a system having a server that provides resources for the client, comprising:
-
receiving a request from the client to access a resource provided by the server, wherein the request contains an artifact referencing a security token and the security token contains an assertion for authorizing the client for a single sign on service with the server; embedding the artifact in an access token, wherein the access token includes, in addition to the artifact, one or more fields for validating the access token itself; after the access token is validated, the artifact is extracted from the access token and the server is in possession of the artifact, receiving a request from the server to resolve the artifact; and sending the assertion to the server, wherein the assertion permits the client to access the requested resource provided by the server. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
-
-
9. A non-transitory computer readable medium containing instructions for performing a single sign on (SSO) service for a client in a system having a server that provides resources for the client and which, when executed by one or more processors, perform the steps of:
-
receiving a request from the client to access a resource provided by the server, wherein the request contains an artifact referencing a security token and the security token contains an assertion for authorizing the client for a single sign on service with the server; embedding the artifact in an access token, wherein the access token includes, in addition to the artifact, one or more fields for validating the access token itself; after the access token is validated, the artifact is extracted from the access token and the server is in possession of the artifact, receiving a request from the server to resolve the artifact; and sending the assertion to the server, wherein the assertion permits the client to access the requested resource provided by the server. - View Dependent Claims (10, 11, 12, 13, 14, 15)
-
-
16. A computer system comprising:
-
a client; a server configured to provide resources for the client upon a successful sign on by the client; and an identity provider connected between the client and the server and configured to; receive a request from the client to access a resource provided by the server, wherein the request contains an artifact referencing a security token and the security token contains an assertion for authorizing the client for a single sign on service with the server; embed the artifact in an access token, wherein the access token includes, in addition to the artifact, one or more fields for validating the access token itself; after the access token is validated, the artifact is extracted from the access token and the server is in possession of the artifact, receive a request from the server to resolve the artifact; and send the assertion to the server, wherein the assertion permits the client to access the requested resource provided by the server. - View Dependent Claims (17, 18, 19, 20, 21)
-
Specification