Secure authentication in browser redirection authentication schemes

US 20080189778A1
Filed: 02/05/2007
Published: 08/07/2008
Est. Priority Date: 02/05/2007
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for authenticating a client, the method comprising:

authenticating, by an identity provider server, the client redirected from a relying party server, wherein the identity provider server authenticates the client without receiving a replayable credential from the client; and

transmitting a token of authentication to the client by the identity provider server upon authentication of the client.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for authenticating a client is described. In one embodiment, an identity provider server authenticates the client that is redirected from a relying party server. The identity provider server authenticates the client without receiving a replayable credential from the client. Upon authentication of the client, the identity provider server transmits a token of authentication to the client.

114 Citations

30 Claims

1. A computer-implemented method for authenticating a client, the method comprising:
- authenticating, by an identity provider server, the client redirected from a relying party server, wherein the identity provider server authenticates the client without receiving a replayable credential from the client; and
  
  transmitting a token of authentication to the client by the identity provider server upon authentication of the client.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1 further comprising:
    - issuing a certificate by the identity provider to the client, prior to the client redirected from the relying party server,wherein authenticating further comprises verifying the certificate.
  - 3. The method of claim 1 further comprising:
    - generating a key pair to the client, prior to the client redirected from the relying party server; and
      
      issuing a challenge to the client using the key pair.
  - 4. The method of claim 1 wherein the relying party server receives the token of authentication from the client, and accepts the client authentication by the identity provider server.
  - 5. The method of claim 1 wherein authenticating further comprises:
    - using a public key infrastructure (PKI).
  - 6. The method of claim 1 wherein authenticating further comprises:
    - authenticating the client without receiving a password associated with a username from the client.
  - 7. The method of claim 1 further comprising:
    - upon authenticating, receiving a profile configuration for the relying party server from the client, the profile configuration including selected user data to be communicated to the relying party server.
  - 8. The method of claim 7 further comprising:
    - transmitting through the client selected user data to the to the relying party server.
  - 9. The method of claim 1 wherein the client includes a web browser, the web browser communicating with the relying party server and the identity provider server through a network.
  - 10. The method of claim 1 wherein the client initiates a login process with the relying party server.
  - 11. The method of claim 10 wherein the login process includes submitting a Uniform Resource Locator (URL) of the identity provider server.

12. An apparatus comprising:
- an identity provider server to authenticate a client redirected from a relying party server, to authenticate the client without receiving a replayable credential from the client, and transmit a token of authentication to the client upon authentication of the client.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 25, 26)
- - 13. The apparatus of claim 12 wherein the identity provider server to issue a certificate to the client, prior to the client redirected from the relying party server.
  - 14. The apparatus of claim 12 wherein the identity provider server to generate a key pair to the client, prior to the client redirected from the relying party server, and to issue a challenge to the client based on the key pair.
  - 15. The apparatus of claim 12 wherein the relying party server receives the token of authentication from the client, and accepts the client authentication by the identity provider server.
  - 16. The apparatus of claim 12 wherein the identity provider server to use a public key infrastructure (PKI).
  - 17. The apparatus of claim 12 wherein the identity provider server to authenticate the client without receiving a password associated with a username from the client.
  - 18. The apparatus of claim 12 wherein the identity provider server upon authenticating the client, to receive a profile configuration for the relying party server from the client, the profile configuration including selected user data to be communicated to the relying party server.
  - 19. The apparatus of claim 18 wherein the identity provider server to transmit through the client the selected user data to the relying party server.
  - 25. The article of manufacture of claim 18 wherein authenticating further comprises:
    - authenticating the client without receiving a password associated with a username from the client.
  - 26. The article of manufacture of claim 18 wherein the method further comprises:
    - upon authenticating, receiving a profile configuration for the relying party server from the client, the profile configuration including selected user data to be communicated to the relying party server.

20. An article of manufacture comprising:
- a machine-accessible storage medium including data that, when accessed by a machine, cause the machine to perform a method comprising;
  
  authenticating, by an identity provider server, a client redirected from a relying party server, wherein the identity provider server authenticates the client without receiving a replayable credential from the client; and
  
  transmitting a token of authentication to the client by the identity provider server upon authentication of the client.
- View Dependent Claims (21, 22, 23, 24, 27)
- - 21. The article of manufacture of claim 20 wherein the method further comprises:
    - issuing a certificate by the identity provider to the client, prior to the client redirected from the relying party server,wherein authenticating comprises verifying the certificate.
  - 22. The article of manufacture of claim 20 wherein the method further comprises:
    - generating a key pair to the client, prior to the client redirected from the relying party server; and
      
      issuing a challenge to the client based on the key pair.
  - 23. The article of manufacture of claim 20 wherein the relying party server receives the token of authentication from the client, and accepts the client authentication by the identity provider server.
  - 24. The article of manufacture of claim 20 wherein authenticating further comprises:
    - using a public key infrastructure (PKI).
  - 27. The article of manufacture of claim 23 wherein the method further comprises:
    - transmitting through the client the selected user data to the to the relying party server.

28. An apparatus for authenticating a client comprising:
- a network interface of an identity provider server to communicate with a client redirected from a relying party server; and
  
  means for authenticating the client without receiving a replayable credential from the client,wherein the network interface of the identity provider server to transmit a token of authentication to the client upon authentication of the client.
- View Dependent Claims (29, 30)
- - 29. The apparatus of claim 28 wherein the means for authenticating comprise:
    - an authentication certificate issued by the identity provider server to the client.
  - 30. The apparatus of claim 28 wherein the means for authenticating comprise:
    - a key pair generated by the identity provider server to the client.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Hat, Inc. (International Business Machines Corporation)
Original Assignee
Red Hat, Inc. (International Business Machines Corporation)
Inventors
Rowley, Peter Andrew

Granted Patent

US 8,590,027 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/9
CPC Class Codes

H04L 63/0815   providing single-sign-on or...

H04L 63/0823   using certificates cryptogr...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3263   involving certificates, e.g...

H04L 9/3271   using challenge-response

Secure authentication in browser redirection authentication schemes

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

114 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Secure authentication in browser redirection authentication schemes

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

114 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links