Method for a single sign-on

US 20030182551A1
Filed: 03/25/2002
Published: 09/25/2003
Est. Priority Date: 03/25/2002
Status: Abandoned Application

First Claim

Patent Images

1. A method for authenticating a client for multiple services on a network, comprising the acts of:

authenticating a client for a first service without transmitting client credentials across the network;

retaining client authentication data associated with the first service at a server and at a client computer for the client; and

automatically authenticating the client for a second service using the client authentication data retained at the client computer.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A technique is provided for authenticating a client for multiple network devices and services using a single sign-on mechanism. The present technique stores client credentials at each of the multiple network devices and services, which generate and transform an authentication challenge (e.g., a random number) using an appropriate one of the client credentials stored thereon. At the client-side, the single sign-on mechanism stores client credentials entered during a first authentication process. Subsequent authentication processes simply retrieve the client credentials stored by the single sign-on mechanism during the first authentication process. The technique then independently transforms the authentication challenge received at the client-side using the client credentials at the client-side. The technique then authenticates the client if the independent transformations produce an equivalent result. Alternatively, the single sign-on mechanism may retain an authentication token generated during the first authentication process. In either case, the present technique authenticates the client by retaining client credentials independently at both the client-side and server-side, thereby improving security and reducing or eliminating the need for data encryption during the authentication process.

226 Citations

72 Claims

1. A method for authenticating a client for multiple services on a network, comprising the acts of:
- authenticating a client for a first service without transmitting client credentials across the network;
  
  retaining client authentication data associated with the first service at a server and at a client computer for the client; and
  
  automatically authenticating the client for a second service using the client authentication data retained at the client computer.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 2. The method of claim 1, wherein the act of authenticating the client comprises the act of securely authenticating the client without using data encryption.
  - 3. The method of claim 1, wherein the act of authenticating the client comprises the act of securely authenticating the client without using a remote directory service.
  - 4. The method of claim 1, wherein the act of authenticating the client comprises the act of securely authenticating the client by performing authentication routines independently at the server and at the client computer using client credentials independently retained at the server and at the client computer.
  - 5. The method of claim 1, wherein the act of authenticating the client comprises the act of prompting the client to input client credentials.
  - 6. The method of claim 5, wherein the act of prompting the client to input client credentials comprises the act of requesting a user identity and a user password from the client.
  - 7. The method of claim 1, wherein the act of authenticating the client comprises the act of generating an authentication token for the client.
  - 8. The method of claim 7, wherein the act of retaining client authentication data comprises the act of locally retaining the authentication token at the client computer.
  - 9. The method of claim 1, wherein the act of retaining client authentication data comprises the act of locally retaining the client credentials at the client computer.
  - 10. The method of claim 1, wherein the act of authenticating the client comprises the acts of:
    - transmitting an authentication challenge from a desired one of the multiple services to the client in response to an access request from the client; and
      
      computing a response to the authentication challenge at the client computer by transforming the authentication challenge using client credentials obtained at the client computer.
  - 11. The method of claim 10, wherein the act of retaining client authentication data comprises the act of locally retaining the client credentials at the client computer.
  - 12. The method of claim 10, wherein the act of retaining client authentication data comprises the act of locally retaining the response at the client computer.
  - 13. The method of claim 10, wherein the act of authenticating the client comprises the acts of:
    - computing an answer to the authentication challenge at a server for the first service by transforming the authentication challenge using client credentials stored at the server; and
      
      comparing the response against the answer.
  - 14. The method of claim 13, wherein the act of computing the answer comprises the acts of:
    - identifying the client; and
      
      retrieving the client credentials for the client from storage at the server.
  - 15. The method of claim 14, wherein the act of authenticating the client comprises the act of transmitting the response and a client identifier from the client computer to the server.
  - 16. The method of claim 13, wherein the act of computing the answer comprises the act of successively transforming the authentication challenge using successive client credentials of a plurality of client credentials stored at the server, and wherein the act of authenticating the client comprises the act of providing an authentication grant only if a match is identified between the response and the answer.
  - 17. The method of claim 1, wherein the act of retaining client authentication data comprises the act of temporarily retaining the client authentication data at the client computer.
  - 18. The method of claim 17, wherein the act of temporarily retaining the client authentication data comprises the act of eliminating the client authentication data from local memory at the client computer upon completion of a service session.
  - 19. The method of claim 1, wherein the act of authenticating the client comprises the act of transmitting an authentication module to a web browser at the client computer.
  - 20. The method of claim 1, wherein the act of retaining client authentication data comprises the act of executing a single sign-on module at the client computer.
  - 21. The method of claim 20, wherein the act of executing the single sign-on program comprises the act of temporarily retaining and providing the client authentication data for automatically authenticating the client for the second service.
  - 22. The method of claim 21, wherein the act of automatically authenticating the client comprises the acts of:
    - executing an authentication routine by a client web browser; and
      
      automatically passing the client authentication data from the single sign-on module to the authentication routine.

23. A single sign-on method for a client to sign-on to multiple services on a network, comprising the acts of:
- transmitting an authentication challenge for a desired service of the multiple services to a client computer in response to an access request;
  
  obtaining client credentials from the client;
  
  computing a response to the authentication challenge using the client credentials at the client computer;
  
  computing an answer to the authentication challenge using client credentials stored at a server for the desired service;
  
  authenticating the client for the desired service if the response satisfies the answer; and
  
  retaining the client credentials at the client computer to authenticate the client for a subsequent desired service of the multiple services.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39)
- - 24. The method of claim 23, wherein the act of authenticating the client comprises the act of securely authenticating the client without transmitting the client credentials over the network.
  - 25. The method of claim 23, wherein the act of authenticating the client comprises the act of securely authenticating the client without encrypting data transmissions between the client computer and the server.
  - 26. The method of claim 23, wherein the act of authenticating the client comprises the act of securely authenticating the client without using a remote directory service.
  - 27. The method of claim 23, comprising the act of generating the authentication challenge comprising a random number.
  - 28. The method of claim 27, wherein the act of computing the response comprises transforming the random number with the client credentials stored at the client computer.
  - 29. The method of claim 27, wherein the act of computing the answer comprises transforming the random number with the client credentials stored at the server.
  - 30. The single sign-on method of claim 23, comprising automatically authenticating the client for the subsequent desired service using the client credentials retained at the client computer.
  - 31. The single sign-on method of claim 23, wherein the act of authenticating the client comprises the act of transmitting an authentication module to a web browser at the client computer.
  - 32. The single sign-on method of claim 23, wherein the act of authenticating the client comprising the act of initiating a single sign-on module at the client computer.
  - 33. The single sign-on method of claim 32, wherein the act of initiating the single sign-on module comprises the act of retaining and providing the client credentials for automatically authenticating the client for the subsequent desired service of the multiple services.
  - 34. The single sign-on method of claim 33, comprising the acts of:
    - executing an authentication module at the client computer to authenticate the client for the subsequent desired service of the multiple services; and
      
      automatically passing the client credentials retained for the single sign-on module from the single sign-on module to the authentication module.
  - 35. The single sign-on method of claim 23, wherein the act of computing the answer comprises the acts of:
    - identifying the client using a client identifier received from the client computer; and
      
      retrieving the client credentials for the client from storage at the server.
  - 36. The single sign-on method of claim 23, wherein the act of computing the answer comprises the act of successively transforming the authentication challenge using successive client credentials of a plurality of client credentials stored at the server, and wherein the act of authenticating the client comprises the act of providing an authentication grant only if a match is identified between the response and the answer.
  - 37. The single sign-on method of claim 23, wherein the act of computing the response comprises the act of transforming the authentication challenge using an authentication token and the client credentials at the client computer.
  - 38. The single sign-on method of claim 23, wherein the act of computing the response comprises the act of transforming the authentication challenge using a smart card and the client credentials at the client computer.
  - 39. The single sign-on method of claim 23, wherein the acts of computing the response and computing the answer comprise the act of transforming the authentication challenge independently at the client computer and the server using private and public keys and the client credentials.

40. A computer system comprising a plurality of networked computing devices, comprising:
- a network;
  
  a client computer operably coupled to the network;
  
  a plurality of servers operably coupled to the network;
  
  a plurality of services disposed on the servers and accessible by the client computer via the network;
  
  a secure client authentication system having authentication routines independently executable at the client computer and at the server;
  
  a database of client credentials accessible by a server-side routine of the authentication routines; and
  
  a single sign-on service comprising a data retention module to retain client credentials obtained at the client computer and an automatic sign-on module to pass the client credentials to a client-side routine of the authentication routines.
- View Dependent Claims (41, 42, 43, 44, 45, 46, 47, 48, 49)
- - 41. The computer system of claim 40, wherein the authentication routines each comprise response computation modules adapted to compute independent transformations of a random authentication challenge using the client credentials independently accessible by the client computer and the server.
  - 42. The computer system of claim 41, wherein the secure client authentication system comprises a comparison module adapted to compare the independent transformations.
  - 43. The computer system of claim 40, wherein the secure client authentication system is operable without data encryption.
  - 44. The computer system of claim 40, wherein the secure client authentication system is operable without a remote directory service.
  - 45. The computer system of claim 40, wherein the secure client authentication system is operable without transmitting client credentials across the network.
  - 46. The computer system of claim 40, wherein the secure client authentication system is a challenge-response authentication system, which depends on independent instances of the client credentials at the client computer and at the server.
  - 47. The computer system of claim 40, wherein the single sign-on service automates the client-side routine for automatically signing the client onto subsequent services of the plurality of services after the secure client authentication system has authenticated the client for a first service of the plurality of services.
  - 48. The computer system of claim 40, wherein the secure client authentication system comprises a security set of public and private keys.
  - 49. The computer system of claim 48, wherein the secure client authentication system comprises a smart card accessible at the client computer.

50. A server comprising a service accessible by a client computer via a network, comprising:
- a single sign-on service for a secure client authentication system that depends on independent instances of client credentials at a server-side and at a client-side of the network to authenticate a client for a desired service without transmitting the client credentials across the network, the single sign-on service comprising;
  
  a data retention module that locally retains client credentials obtained locally from the client for the secure client authentication system; and
  
  a data exchange module that automatically passes the client credentials retained by the data retention module to the secure client authentication system.
- View Dependent Claims (51, 52, 53, 54)
- - 51. The server of claim 50, wherein the secure client authentication system comprises a response computation module adapted to transform a random authentication challenge independently at the client computer and at the server using the client credentials independently accessible by the client computer and the server.
  - 52. The server of claim 50, wherein the secure client authentication system is operable without data encryption.
  - 53. The server of claim 50, wherein the secure client authentication system is operable without a remote directory service.
  - 54. The server of claim 50, wherein the data exchange module comprises an authentication interaction module to identify an authentication challenge from the desired service and to provide the client credentials locally for the authentication challenge if the data retention module previously retained the client credentials for another authentication challenge.

55. A single sign-on service module comprising:
- an interaction module that identifies an authentication challenge from a secure client authentication system, which depends on independent instances of client credentials at a server side and at a client side of the network to authenticate a client for a desired service without transmitting the client credentials across the network;
  
  a data retention module that locally retains client credentials obtained locally from the client for the secure client authentication system; and
  
  a data exchange module that automatically passes the client credentials retained by the data retention module to the secure client authentication system.
- View Dependent Claims (56, 57)
- - 56. The single sign-on service module of claim 55, wherein the interaction module executes the data exchange module to provide the client credentials locally for the authentication challenge if the data retention module previously retained the client credentials for another authentication challenge.
  - 57. The single sign-on service module of claim 55, wherein the interaction module, the data retention module, and the data exchange module are executable by a web browser.

58. A method for signing onto multiple services on a network, comprising the acts of:
- locating a first service on the network;
  
  receiving a first authentication challenge from a client authentication system for the first service;
  
  inputting client credentials into a client computer in response to the first authentication challenge;
  
  gaining access to the first service if the client authentication system for the first service authenticates the client against a database of client credentials remote from the client computer without transmitting the client credentials across the network;
  
  retaining the client credentials at the client computer;
  
  locating a second service on the network;
  
  receiving a second authentication challenge from a client authentication system for the second service;
  
  automatically providing the client credentials for the second authentication challenge; and
  
  gaining access to the second service if the client authentication system for the second service authenticates the client against a database of client credentials remote from the client computer without transmitting the client credentials across the network.
- View Dependent Claims (59, 60, 61, 62)
- - 59. The method of claim 58, wherein the acts of gaining access to the first and second services comprise the act of transmitting authentication data across the network without data encryption or directory services.
  - 60. The method of claim 58, wherein the act of gaining access to the first service comprises the act of obtaining an authentication token for the second authentication challenge.
  - 61. The method of claim 60, wherein the act of retaining the client credentials comprises the act of retaining the authentication token.
  - 62. The method of claim 61, wherein the act of automatically providing the client credentials comprises automatically transmitting the authentication token to satisfy the second authentication challenge for the second service.

63. A method for authenticating a client for multiple services on a network, comprising the acts of:
- receiving an authentication challenge from a client authentication system for a service desired by the client at a client computer;
  
  prompting the client to input client credentials at the client computer in response to the authentication challenge;
  
  transmitting an authentication response devoid of the client credentials to the client authentication system for comparison against an authentication answer derived from the authentication challenge and client credentials retained independently from the client computer;
  
  receiving an authentication grant from the client authentication system if the authentication response satisfies the authentication answer;
  
  retaining the client credentials at the client computer; and
  
  automatically providing the client credentials for a subsequent authentication challenge received at the client computer to authenticate the client automatically for a subsequent service.
- View Dependent Claims (64, 65, 66)
- - 64. The method of claim 63, wherein the act of transmitting the authentication response is performed without data encryption.
  - 65. The method of claim 63, wherein the act of receiving an authentication grant comprises the act of obtaining an authentication token for the subsequent authentication challenge.
  - 66. The method of claim 65, wherein the act of retaining the client credentials comprises the act of retaining the authentication token.

67. A method for authenticating a client for multiple services on a network, comprising the acts of:
- transmitting an authentication challenge for a service desired by the client from a server to a client computer;
  
  querying whether client credentials are retained at the client computer;
  
  prompting the client to input client credentials if not retained at the client computer;
  
  prompting the client computer to access client credentials at the client computer if client credentials are present at the client computer;
  
  independently transforming the authentication challenge at the client computer and at the server using the client credentials accessible at the client computer and at the server;
  
  transmitting authentication data derived from one of the foregoing transformations over the network; and
  
  authenticating the client if the foregoing transformations produce equivalent authentication data.
- View Dependent Claims (68, 69, 70, 71, 72)
- - 68. The method of claim 67, wherein the act of transmitting the authentication data is performed without data encryption.
  - 69. The method of claim 67, wherein the act of authenticating the client comprises the act of transmitting an authentication token to the client computer for subsequent authentication challenges.
  - 70. The method of claim 67, wherein the act of independently transforming the authentication challenge comprises the act of using an authentication token.
  - 71. The method of claim 70, wherein the act of independently transforming the authentication challenge comprises the act of accessing a smart card.
  - 72. The method of claim 67, wherein the act of independently transforming the authentication challenge comprises the act of using public and private keys.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Neufeld, E. David, Frantz, Christopher J.

Application Number

US10/105,145
Publication Number

US 20030182551A1
Time in Patent Office

Days
Field of Search
US Class Current

713/170
CPC Class Codes

G06F 21/41 where a single sign-on prov...

Method for a single sign-on

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

226 Citations

72 Claims

Specification

Use Cases

Quick Links

Others

Method for a single sign-on

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

226 Citations

72 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others