Multi-domain access control

US 6,339,423 B1
Filed: 03/23/2000
Issued: 01/15/2002
Est. Priority Date: 08/23/1999
Status: Expired due to Term

First Claim

Patent Images

1. A method of controlling access to a resource protected by an access control system that uses access control information transmitted in conjunction with requests to access the resource to determine whether access may be permitted, the method comprising the steps of:

a first server receiving a particular data item from a client, wherein said first server transmits and receives access control information generated by said access control system in first data items that are only transmitted between a first class of one or more servers and said client, wherein said particular data item;

was transmitted to said client from a second server that does not belong to said first class, and indicates that a user has been authenticated by said access control system;

said first server determining that said user has been authenticated by said access control system based on said particular data item; and

in response to said first server determining that said user may access said resource, transmitting access control information in a first data item of said first data items.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A multi-domain resource access control mechanism uses a single access control system to manage access by users to resources that belong to multiple domains. A server is associated with each domain in a set of domains. Access to resources in the domains is governed by an access control system. A first server for a first domain transmits a data token to a client seeking access to a resource in a second domain. The client transmits the data token to a second server in the other domain. The second server uses the data token to verify that the user is authentic, that is, authorized to access resources protected by the access control system. Once determining that the user is authorized to access resources, access control cookies are transmitted to client. When the client requests access to a resource in the second domain, and the request did not include access control cookies for the second domain, data is transmitted to the browser causing it to generate another request to the first server. The first server ensures that the user has been authenticated before transmitting the data token to the browser. In addition, the first server may cause copies of access control cookies for the user to be stored for later transmission to the second server.

406 Citations

28 Claims

1. A method of controlling access to a resource protected by an access control system that uses access control information transmitted in conjunction with requests to access the resource to determine whether access may be permitted, the method comprising the steps of:
- a first server receiving a particular data item from a client, wherein said first server transmits and receives access control information generated by said access control system in first data items that are only transmitted between a first class of one or more servers and said client, wherein said particular data item;
  
  was transmitted to said client from a second server that does not belong to said first class, and indicates that a user has been authenticated by said access control system;
  
  said first server determining that said user has been authenticated by said access control system based on said particular data item; and
  
  in response to said first server determining that said user may access said resource, transmitting access control information in a first data item of said first data items.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, further including the steps of:
3. The method of claim 2, wherein said particular data item was transmitted to said client from a second server in response to said second server determining that said user has been authenticated.
4. The method of claim 3, wherein said second server determining that said user has been authenticated includes said second server causing said user to log-in to said access control system to be authenticated by said access control system.
5. The method of claim 3, wherein said second server determining that said user has been authenticated includes said second server determining that said user has been authenticated by said access control system.
6. The method of claim 5, wherein said second server determining that said user has been authenticated by said access control system is performed by examining one or more cookies that are associated with a domain name associated with said second server but not said first server.
7. The method of claim 1, further including the steps of:
- causing said client to transmit said particular data item to one or more other servers, wherein each other server of said one or more other servers transmits other data items that are only transmitted between said client and another class of one or more servers to which said each other server belongs; and
  
  each other server of said one or more other servers transmitting other access control information generated by said access control system in another data item of said respective other data items.
8. The method of claim 1, the method further including the steps of:
- said second server causing a second data item which reflects said access control information in said first data item to be stored in a storage mechanism that may be accessed by said first server; and
  
  said first server retrieving said second data item to generate said first data item.
9. The method of claim 8, wherein said storage mechanism is a particular server dedicated to generating data items that each indicate that a particular user has been authenticated by said access control system, the method further including the step of said particular server generating said particular data item in response to a request transmitted by said second server to said particular server.
10. The method of claim 1, further including the steps of:
- said second server transmitting a request for said particular data item to a particular server dedicated to generating data items that each indicate that a particular user has been authenticated by said access control system; and
  
  said particular server generating said particular data item and transmitting said particular data item to said second server.
11. The method of claim 10, wherein the step of said first server determining that said user has been authenticated by said access control system includes said first server transmitting a request to said particular server to verify that said particular data item is associated with a user that has been authenticated.
12. The method of claim 1, wherein said first class of servers are servers that belong to the same particular domain.
13. The method of claim 12, wherein said second server belongs a second domain and not said particular domain.
14. The method of claim 1, wherein said first data items are cookies.

15. A computer-readable medium carrying one or more sequences of one or more instructions for controlling access to a resource protected by an access control system that uses access control information transmitted in conjunction with requests to access the resource to determine whether access may be permitted, the one or more sequences of one or more instructions including instructions which when executed by one or more processors, cause the one or more processors to perform the steps of:
- a first server receiving a particular data item from a client, wherein said first server transmits and receives access control information generated by said access control system in first data items that are only transmitted between a first class of one or more servers and said client, wherein said particular data item;
  
  was transmitted to said client from a second server that does not belong to said first class, and indicates that a user has been authenticated by said access control system;
  
  said first server determining that said user has been authenticated by said access control system based on said particular data item; and
  
  in response to said first server determining that said user may access said resource, transmitting access control information in a first data item of said first data items.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer-readable medium of claim 15, further including the steps of:
17. The computer-readable medium of claim 16, wherein said particular data item was transmitted to said client from a second server in response to said second server determining that said user has been authenticated.
18. The computer-readable medium of claim 17, wherein said second server determining that said user has been authenticated includes said second server causing said user to log-in to said access control system to be authenticated by said access control system.
19. The computer-readable medium of claim 17, wherein said second server determining that said user has been authenticated includes said second server determining that said user has been authenticated by said access control system.
20. The computer-readable medium of claim 19, wherein said second server determining that said user has been authenticated by said access control system is performed by examining one or more cookies that are associated with a domain name associated with said second server but not said first server.

21. A method of controlling access to a resource protected by an access control system that uses access control information transmitted in cookies to determine whether access may be permitted, the method comprising the steps of:
- a first server receiving a particular data item from a client, wherein said first server transmits and receives access control information generated by said access control system in cookies associated with a first domain;
  
  wherein said first server belongs to said first domain;
  
  wherein said particular data item;
  
  was transmitted to said client from a second server that does not belong to said first domain, and indicates that a user has been authenticated by said access control system;
  
  said first server determining that said user has been authenticated by said access control system based on said particular data item; and
  
  in response to said first server determining that said user may access said resource, transmitting access control information in a cookie associated with the first domain to said client.
- View Dependent Claims (22, 23)
- - 22. The method of claim 21, further including the steps of:
23. The method of claim 22, wherein said particular data item was transmitted to said client from a second server in response to said second server determining that said user has been authenticated.

24. A method of controlling access to a resource protected by an access control system that uses access control information transmitted in conjunction with requests to access the resource to determine whether access may be permitted, the method comprising the steps of:
- a first server receiving a particular data item from a client, wherein said first server transmits and receives access control information generated by said access control system in first data items that are only transmitted by said client to one or more servers belonging to a first class of one or more servers, wherein said particular data item;
  
  was transmitted to said client from a second server that does not belong to said first class, and indicates that a user has been authenticated by said access control system;
  
  said first server determining that said user has been authenticated by said access control system based on said particular data item; and
  
  in response to said first server determining that said user may access said resource, transmitting access control information in a first data item of said first data items to said client.
- View Dependent Claims (25, 26, 27, 28)
- - 25. The method of claim 24, further including the steps of:
26. The method of claim 25, wherein said particular data item was transmitted to said client from a second server in response to said second server determining that said user has been authenticated.
27. The method of claim 25, wherein said client is a browser.
28. The method of claim 25, wherein said first data items are cookies.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Entrust Corp.
Original Assignee
Entrust Incorporated (Entrust Corp.)
Inventors
Medina, Raul, Fanti, Marco, Belmonte, Emilio, Sampson, Lawrence
Primary Examiner(s)
Bayerl, Raymond J.
Assistant Examiner(s)
Nguyen, Cao H.

Application Number

US09/535,080
Time in Patent Office

663 Days
Field of Search

709/217, 709/218, 709/219, 709/225, 713/200, 713/201, 345/331, 345/335, 345/356, 345/357
US Class Current

715/854
CPC Class Codes

G05B 19/0425   Safety, monitoring

G05B 2219/24167   Encryption, password, user ...

G05B 2219/32126   Hyperlink, access to progra...

G06F 21/41   where a single sign-on prov...

H04L 63/08   for authentication of entit...

H04L 63/104   Grouping of entities

Multi-domain access control

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

406 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Multi-domain access control

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

406 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links