Method for a single sign-on
Abstract
A technique is provided for authenticating a client for multiple network devices and services using a single sign-on mechanism. The present technique stores client credentials at each of the multiple network devices and services, which generate and transform an authentication challenge (e.g., a random number) using an appropriate one of the client credentials stored thereon. On the client side, the single sign-on mechanism stores the client credentials entered during a first authentication process. Subsequent authentication processes simply retrieve the client credentials stored by the single sign-on mechanism during the first authentication process. The technique then independently transforms the authentication challenge received on the client side using the client credentials held there. The technique then authenticates the client if the two independent transformations produce an equivalent result. Alternatively, the single sign-on mechanism may retain an authentication token generated during the first authentication process. In either case, the present technique authenticates the client by retaining client credentials independently on both the client side and the server side, thereby improving security and reducing or eliminating the need for data encryption during the authentication process.
226 Citations
72 Claims
1. A method for authenticating a client for multiple services on a network, comprising the acts of:
authenticating a client for a first service without transmitting client credentials across the network;
retaining client authentication data associated with the first service at a server and at a client computer for the client; and
automatically authenticating the client for a second service using the client authentication data retained at the client computer.
Dependent claims: 2-22.

23. A single sign-on method for a client to sign on to multiple services on a network, comprising the acts of:
transmitting an authentication challenge for a desired service of the multiple services to a client computer in response to an access request;
obtaining client credentials from the client;
computing a response to the authentication challenge using the client credentials at the client computer;
computing an answer to the authentication challenge using client credentials stored at a server for the desired service;
authenticating the client for the desired service if the response satisfies the answer; and
retaining the client credentials at the client computer to authenticate the client for a subsequent desired service of the multiple services.
Dependent claims: 24-39.

40. A computer system comprising a plurality of networked computing devices, comprising:
a network;
a client computer operably coupled to the network;
a plurality of servers operably coupled to the network;
a plurality of services disposed on the servers and accessible by the client computer via the network;
a secure client authentication system having authentication routines independently executable at the client computer and at the server;
a database of client credentials accessible by a server-side routine of the authentication routines; and
a single sign-on service comprising a data retention module to retain client credentials obtained at the client computer and an automatic sign-on module to pass the client credentials to a client-side routine of the authentication routines.
Dependent claims: 41-49.

50. A server comprising a service accessible by a client computer via a network, comprising:
a single sign-on service for a secure client authentication system that depends on independent instances of client credentials at a server side and at a client side of the network to authenticate a client for a desired service without transmitting the client credentials across the network, the single sign-on service comprising:
a data retention module that locally retains client credentials obtained locally from the client for the secure client authentication system; and
a data exchange module that automatically passes the client credentials retained by the data retention module to the secure client authentication system.
Dependent claims: 51-54.

55. A single sign-on service module comprising:
an interaction module that identifies an authentication challenge from a secure client authentication system, which depends on independent instances of client credentials at a server side and at a client side of the network to authenticate a client for a desired service without transmitting the client credentials across the network;
a data retention module that locally retains client credentials obtained locally from the client for the secure client authentication system; and
a data exchange module that automatically passes the client credentials retained by the data retention module to the secure client authentication system.
Dependent claims: 56-57.

58. A method for signing onto multiple services on a network, comprising the acts of:
locating a first service on the network;
receiving a first authentication challenge from a client authentication system for the first service;
inputting client credentials into a client computer in response to the first authentication challenge;
gaining access to the first service if the client authentication system for the first service authenticates the client against a database of client credentials remote from the client computer without transmitting the client credentials across the network;
retaining the client credentials at the client computer;
locating a second service on the network;
receiving a second authentication challenge from a client authentication system for the second service;
automatically providing the client credentials for the second authentication challenge; and
gaining access to the second service if the client authentication system for the second service authenticates the client against a database of client credentials remote from the client computer without transmitting the client credentials across the network.
Dependent claims: 59-62.

63. A method for authenticating a client for multiple services on a network, comprising the acts of:
receiving an authentication challenge from a client authentication system for a service desired by the client at a client computer;
prompting the client to input client credentials at the client computer in response to the authentication challenge;
transmitting an authentication response devoid of the client credentials to the client authentication system for comparison against an authentication answer derived from the authentication challenge and client credentials retained independently from the client computer;
receiving an authentication grant from the client authentication system if the authentication response satisfies the authentication answer;
retaining the client credentials at the client computer; and
automatically providing the client credentials for a subsequent authentication challenge received at the client computer to authenticate the client automatically for a subsequent service.
Dependent claims: 64-66.

67. A method for authenticating a client for multiple services on a network, comprising the acts of:
transmitting an authentication challenge for a service desired by the client from a server to a client computer;
querying whether client credentials are retained at the client computer;
prompting the client to input client credentials if not retained at the client computer;
prompting the client computer to access client credentials at the client computer if client credentials are present at the client computer;
independently transforming the authentication challenge at the client computer and at the server using the client credentials accessible at the client computer and at the server;
transmitting authentication data derived from one of the foregoing transformations over the network; and
authenticating the client if the foregoing transformations produce equivalent authentication data.
Dependent claims: 68-72.
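The challenge-response single sign-on described in the abstract and in claim 67, as an added example that is not part of the patent: each service holds its own independent copy of the client's credential material, the client is prompted once and retains the credential for the second service, and only the random challenge and its transformation cross the network. The service names, the PBKDF2 key derivation and the HMAC transform are assumptions; the patent leaves the transformation unspecified.

```python
import hashlib, hmac, secrets
USERS = {"alice": "s3cret-passphrase"}   # constructed sample credential store

def derive_key(password, service):
    # Assumption: each service holds a key derived from the credentials (service
    # name as salt), and the client derives the same key locally from its copy.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), service.encode(), 50_000)

def transform(key, challenge):
    # The "transformation" of the random challenge: an HMAC under the derived key.
    return hmac.new(key, challenge, "sha256").digest()

class Service:
    def __init__(self, name):
        self.name, self.pending = name, {}
        self.keys = {u: derive_key(p, name) for u, p in USERS.items()}

    def challenge(self, user):
        nonce = secrets.token_bytes(16)       # fresh per attempt
        self.pending[user] = nonce
        return self.name, nonce

    def verify(self, user, response):
        nonce = self.pending.pop(user, None)  # single use
        if nonce is None or user not in self.keys:
            return False
        return hmac.compare_digest(transform(self.keys[user], nonce), response)

class SsoClient:
    def __init__(self, prompt):
        self.prompt, self.cached, self.prompts, self.wire = prompt, None, 0, []

    def sign_on(self, service, user):
        name, nonce = service.challenge(user)
        if self.cached is None:               # first service: ask the user once
            password, self.prompts = self.prompt(), self.prompts + 1
        else:
            password = self.cached            # later services: reuse silently
        response = transform(derive_key(password, name), nonce)
        self.wire += [nonce, response]        # everything that crosses the network
        granted = service.verify(user, response)
        if granted and self.cached is None:
            self.cached = password            # retain only after a grant
        return granted

def run_sso(entered_password):
    client = SsoClient(prompt=lambda: entered_password)
    first = client.sign_on(Service("mail"), "alice")
    second = client.sign_on(Service("files"), "alice")
    return {"first": first, "second": second, "prompts": client.prompts,
            "wire": client.wire}
```

The `wire` list records every byte that leaves the client; the credential itself never appears in it, which is the property the abstract claims removes the need for encrypting the exchange.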