Methods for more flexible SAML session

US 7,506,162 B1
Filed: 04/27/2004
Issued: 03/17/2009
Est. Priority Date: 07/14/2003
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving by a second server at a second site a first request from a first server at a first site to access a resource on the second site, wherein a first user has authenticated with the first site;

receiving from the first site a first assertion comprising an identifier indicating the first site as a source of the first assertion, an indication that the first user is authorized to access the resource on the second site and a first set of attributes associated with a first account on the first site;

determining, based upon the first assertion and a mapping, a subset of the first set of attributes to be used for mapping accounts on the first site to accounts on the second site, wherein the subset of the first set of attributes does not include an account identifier for the first account on the first site;

mapping the first account on the first site to a particular account on the second site based upon the subset of the first set of attributes;

receiving at the second site a second request from the first site to access the resource on the second site, wherein a second user has authenticated with the first site, the second user differing from the first user;

receiving from the first site a second assertion comprising an identifier indicating the first site as a source of the second assertion, an indication that the second user is authorized to access the resource on the second site, and a second set of attributes associated with a second account on the first site;

determining, based upon the second assertion and a mapping, a subset of the second set of attributes to be used for mapping accounts on the first site to accounts on the second site, wherein the subset of the second set of attributes does not include an account identifier for the second account on the first site, and wherein the subset of the second set of attributes includes at least one attribute in common with the subset of the first set of attributes; and

mapping the second account on the first site to the same particular account on the second site based upon the subset of the second set of attributes, thereby mapping a plurality of accounts on the first site to the same particular account on the second site.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In accordance with one embodiment of the present invention, there is provided a mechanism for implementing navigation seamlessly between sites in a computing environment in order to access resources without having to require users or user agents to re-authenticate. In one embodiment, there is provided the ability to determine different attribute sets for use with different resources on a target site for a user or user agent authenticated with a first site seeking to access one or more resources of the second site without re-authenticating. In one embodiment, there is provided the ability to map accounts on a first site to accounts on the second site using a set of attributes selected from among attributes provided by an application on the first site. With this mechanism, it is possible for applications or other resources to share information about a user or a user agent across disparate web sites seamlessly.

43 Citations

View as Search Results

9 Claims

1. A method, comprising:
- receiving by a second server at a second site a first request from a first server at a first site to access a resource on the second site, wherein a first user has authenticated with the first site;
  
  receiving from the first site a first assertion comprising an identifier indicating the first site as a source of the first assertion, an indication that the first user is authorized to access the resource on the second site and a first set of attributes associated with a first account on the first site;
  
  determining, based upon the first assertion and a mapping, a subset of the first set of attributes to be used for mapping accounts on the first site to accounts on the second site, wherein the subset of the first set of attributes does not include an account identifier for the first account on the first site;
  
  mapping the first account on the first site to a particular account on the second site based upon the subset of the first set of attributes;
  
  receiving at the second site a second request from the first site to access the resource on the second site, wherein a second user has authenticated with the first site, the second user differing from the first user;
  
  receiving from the first site a second assertion comprising an identifier indicating the first site as a source of the second assertion, an indication that the second user is authorized to access the resource on the second site, and a second set of attributes associated with a second account on the first site;
  
  determining, based upon the second assertion and a mapping, a subset of the second set of attributes to be used for mapping accounts on the first site to accounts on the second site, wherein the subset of the second set of attributes does not include an account identifier for the second account on the first site, and wherein the subset of the second set of attributes includes at least one attribute in common with the subset of the first set of attributes; and
  
  mapping the second account on the first site to the same particular account on the second site based upon the subset of the second set of attributes, thereby mapping a plurality of accounts on the first site to the same particular account on the second site.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, wherein the resource comprises at least one of:
    - an application and a service.
  - 3. The method of claim 2, wherein:
    - application includes at least one of;
      
      a travel agent application, a rental car application, an electronic commerce application, and a reservation application; and
      
      service includes at least one of;
      
      a backup storage service, a storage service, a user authorization service, and an encryption/decryption service.
  - 4. The method of claim 1, further comprising:
    - receiving an artifact added to the first request, which artifact comprises an identity of the first site and a unique identifier corresponding to a specific assertion prepared by the first site; and
      
      requesting the specific assertion based upon the artifact.

5. A machine readable storage medium, carrying one or more sequences of instructions for mapping accounts within a single sign-on computing environment, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of:
- receiving at a second site a first request from a first site to access a resource on the second site, wherein a first user has authenticated with the first site;
  
  receiving from the first site a first assertion comprising an identifier indicating the first site as a source of the first assertion, an indication that the first user is authorized to access the resource on the second site and a first set of attributes associated with a first account on the first site;
  
  determining, based upon the first assertion and a mapping, a subset of the first set of attributes to be used for mapping accounts on the first site to accounts on the second site, wherein the subset of the first set of attributes does not include an account identifier for the first account on the first site;
  
  mapping the first account on the first site to a particular account on the second site based upon the subset of the first set of attributes;
  
  receiving at the second site a second request from the first site to access the resource on the second site, wherein a second user has authenticated with the first site, the second user differing from the first user;
  
  receiving from the first site a second assertion comprising an identifier indicating the first site as a source of the second assertion, an indication that the second user is authorized to access the resource on the second site, and a second set of attributes associated with a second account on the first site;
  
  determining, based upon the second assertion and a mapping, a subset of the second set of attributes to be used for mapping accounts on the first site to accounts on the second site, wherein the subset of the second set of attributes does not include an account identifier for the second account on the first site, and wherein the subset of the second set of attributes includes at least one attribute in common with the subset of the first set of attributes; and
  
  mapping the second account on the first site to the same particular account on the second site based upon the subset of the second set of attributes, thereby mapping a plurality of accounts on the first site to the same particular account on the second site.
- View Dependent Claims (6, 7, 8)
- - 6. The machine readable storage medium of claim 5, wherein the resource comprises at least one of:
    - an application and a service.
  - 7. The machine readable storage medium of claim 6, wherein:
    - application includes at least one of;
      
      a travel agent application, a rental car application, an electronic commerce application, and a reservation application; and
      
      service includes at least one of;
      
      a backup storage service, a storage service, a user authorization service, and an encryption/decryption service.
  - 8. The machine readable storage medium of claim 5, further comprising instructions for causing one or more processors to carry out the steps of:
    - receiving an artifact added to the first request, which artifact comprises an identity of the first site and a unique identifier corresponding to a specific assertion prepared by the first site; and
      
      requesting the specific assertion based upon the artifact.

9. An apparatus, comprising:
- one or more processors configured to implement;
  
  a mechanism for receiving by a second server at a second site a first request from a first server at a first site to access a resource on the second site, wherein a first user has authenticated with the first site;
  
  a mechanism for receiving from the first site a first assertion comprising an identifier indicating the first site as a source of the first assertion, an indication that the first user is authorized to access the resource on the second site and a first set of attributes associated with a first account on the first site;
  
  a mechanism for determining, based upon the first assertion and a mapping, a subset of the first set of attributes to be used for mapping accounts on the first site to accounts on the second site, wherein the subset of the first set of attributes does not include an account identifier for the first account on the first site;
  
  a mechanism for mapping the first account on the first site to a particular account on the second site based upon the subset of the first set of attributes;
  
  a mechanism for receiving at the second site a second request from the first site to access the resource on the second site, wherein a second user has authenticated with the first site, the second user differing from the first user;
  
  a mechanism for receiving from the first site a second assertion comprising an identifier indicating the first site as a source of the second assertion, an indication that the second user is authorized to access the resource on the second site, and a second set of attributes associated with a second account on the first site;
  
  a mechanism for determining, based upon the second assertion and a mapping, a subset of the second set of attributes to be used for mapping accounts on the first site to accounts on the second site, wherein the subset of the second set of attributes does not include an account identifier for the second account on the first site, and wherein the subset of the second set of attributes includes at least one attribute in common with the subset of the first set of attributes; and
  
  a mechanism for mapping the second account on the first site to the same particular account on the second site based upon the subset of the second set of attributes, thereby mapping a plurality of accounts on the first site to the same particular account on the second site.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle America, Inc. (Oracle Corporation)
Original Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Inventors
Luo, Ping, Hsu, Heng-Ming, Cheng, Qingwen, Bhatnagar, Bhavna
Primary Examiner(s)
Chai; Longbit

Application Number

US10/833,414
Time in Patent Office

1,785 Days
Field of Search

726/4, 713/168
US Class Current

713/168
CPC Class Codes

H04L 63/0815 providing single-sign-on or...

Methods for more flexible SAML session

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

43 Citations

9 Claims

Specification

Solutions

Use Cases

Quick Links

Methods for more flexible SAML session

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

43 Citations

9 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links