System and method for single sign-on session management without central server

US 7,941,533 B2
Filed: 02/19/2002
Issued: 05/10/2011
Est. Priority Date: 02/19/2002
Status: Active Grant

First Claim

Patent Images

1. A method for single sign-on session management, the method comprising:

receiving, at a first server, a list of authorized users from a global repository, other servers also receiving the list of authorized users from the global repository, the first server and the other servers each having protected resources;

establishing a session credential at the first server using the list of authorized users, the other servers also capable of establishing session credentials;

sending the session credential from the first server to a client;

receiving a protected resource request from the client at the first server, the protected resource request including the session credential established by the first server;

responsive to receiving the session credential at the first server from the client, validating the session credential entirely within the first server, and upon validation of the session credential, granting the client access to a first protected resource at the first server;

sending the session credential from the client to one of the other servers;

receiving the session credential at the one of the other servers; and

allowing the client access to a second protected resource at the one of the other servers based on the session credential that was established by the first server.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for single sign-on session management. Functions of session management and client log-in, normally handled by separate system servers, are incorporated as plug-in modules on individual web content servers. In this manner, network traffic to grant and validate client user credentials is reduced or minimized.

523 Citations

42 Claims

1. A method for single sign-on session management, the method comprising:
- receiving, at a first server, a list of authorized users from a global repository, other servers also receiving the list of authorized users from the global repository, the first server and the other servers each having protected resources;
  
  establishing a session credential at the first server using the list of authorized users, the other servers also capable of establishing session credentials;
  
  sending the session credential from the first server to a client;
  
  receiving a protected resource request from the client at the first server, the protected resource request including the session credential established by the first server;
  
  responsive to receiving the session credential at the first server from the client, validating the session credential entirely within the first server, and upon validation of the session credential, granting the client access to a first protected resource at the first server;
  
  sending the session credential from the client to one of the other servers;
  
  receiving the session credential at the one of the other servers; and
  
  allowing the client access to a second protected resource at the one of the other servers based on the session credential that was established by the first server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 39, 40, 41)
- - 2. A method according to claim 1, further comprising updating a time value within the session credential at the first server.
  - 3. A method according to claim 2, wherein the time value is a session timeout value.
  - 4. A method according to claim 2, wherein the time value is a maximum idle time value.
  - 5. A method according to claim 1, further comprising updating a time value within the session credential in conjunction with granting access to the resource of the first server.
  - 6. A method according to claim 1, further comprising:
    - checking for presence of a session credential; and
      
      if a session credential is not present, then establishing the session credential.
  - 7. A method according to claim 1, wherein the session credential is contained within a token that is received by the one of the other servers.
  - 8. A method according to claim 7, wherein the token is a cryptographically generated cookie.
  - 9. A method according to claim 7, wherein the token is held by a client browser.
  - 10. A method according to claim 1, wherein the validation of the session credential entirely within the first server comprises decrypting a cryptographically generated cookie.
  - 11. A method according to claim 1, wherein the first resource is a protected resource.
  - 39. The method according to claim 1, further including:
    - updating the list of authorized users by adding and deleting users.
  - 40. The method according to claim 1, further including:
    - updating the list of authorized users by changing accesses of users.
  - 41. The method according to claim 1, further including:
    - updating the list of authorized users by changing entitlements of users.

12. A method for single sign-on session management, the method comprising:
- providing a list of authorized users to a first server and second server from a global repository, the list of authorized users being sent from the global repository to the first server and the second server;
  
  establishing a cryptographically generated first cookie at the first server using the list of authorized users;
  
  sending the first cookie to a client browser as a session credential;
  
  receiving the session credential from the client browser at the first server;
  
  decrypting the first cookie at the first server;
  
  validating the session credential entirely within the first server;
  
  responsive to validating the session credential entirely within the first server, granting the client browser access to a first protected resource of the first server;
  
  updating a timeout value contained within the session credential;
  
  cryptographically generating a new session credential as a second cookie containing the updated timeout value;
  
  sending the new session credential to the client browser;
  
  sending the new session credential from the client browser to the second server;
  
  receiving the new session credential at the second server;
  
  decrypting the second cookie at the second server;
  
  validating the new session credential within the second server; and
  
  responsive to validating the session credential entirely at the second server, granting access to a second protected resource of the second server.

13. A computer readable medium having computer executable code stored thereon, the code for single sign-on session management, the code comprising:
- code to provide a list of authorized users to a first server and a second server, the list received from a global repository;
  
  code to establish a session credential at the first server using the list of authorized users;
  
  code to send the session credential from the client to the first server;
  
  code to receive the session credential at the first server;
  
  code to validate the session credential entirely within the first server,responsive to validating the session credential entirely at the first server, code to grant access to a first resource of the first server;
  
  code to send the session credential from the client to the second server;
  
  code to receive the session credential at the second server;
  
  code to validate the session credential entirely within the second server; and
  
  responsive to validating the session credential entirely at the second server, code to grant access to a second resource of the second server.

14. A method for single sign-on session management, the method comprising:
- providing a list of authorized users to a first server and a second server, the list of authorized users being input from a global repository to the first server and the second server, both the first server and the second server having protected resources for access by the client;
  
  establishing a session credential at the first server using the list of authorized users;
  
  sending the session credential to a client;
  
  sending the session credential from the client to the first server;
  
  receiving, at the first server, the session credential from the client;
  
  validating the session credential entirely within the first server, the validating being performed by a log-in plug-in running on the first server;
  
  sending the session credential from the client to the second server;
  
  receiving, at the second server, the session credential from the client;
  
  validating the session credential entirely within the second server;
  
  providing an update to the list of authorized users to the first server and to the second server, the update received from the global repository; and
  
  changing, at the first server and the second server, the session credential based on the update to the list.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 15. A method according to claim 14, further comprising granting access to a resource on the first server after validating the session credential.
  - 16. A method according to claim 15, wherein the resource is a protected resource.
  - 17. A method according to claim 14, wherein changing the session credential includes revoking access to a resource held by the first server.
  - 18. A method according to claim 14, wherein changing the session credential includes adding access to a resource held by the first server.
  - 19. A method according to claim 14, wherein changing the session credential includes removing access to a resources held by the first server.
  - 20. A method according to claim 14, wherein providing a list of authorized users includes sending the list to the first and second servers.
  - 21. A method according to claim 14, wherein providing a list of authorized users includes making the list available to the first and second servers.
  - 22. A method according to claim 14, wherein providing an update to the list of authorized users includes sending the update to the first and second servers.
  - 23. A method according to claim 14, wherein providing the list or update to the list of authorized users includes using a public network.
  - 24. A method according to claim 14, wherein providing the list or update to the list of authorized users includes using a private network.
  - 25. A method according to claim 14, wherein establishing a session credential includes cryptographically generating a cookie.
  - 26. A method according to claim 14, wherein validating the session credential entirely within the first server includes using a session management plug-in running on the first server.
  - 27. A method according to claim 14, wherein validating the session credential entirely within the first server includes decrypting a cryptographically generated cookie.

28. A system for single-sign-on session management, the system comprising:
- a global repository that generates a list of authorized users;
  
  a first server with a first resource, the first server inputting the list of authorized users from the global repository;
  
  a session management plug-in running on the first server that uses the list of authorized users to validate a session credential;
  
  a second server with a second resource, the second server inputting the list of authorized users from the global repository;
  
  a session management plug-in running on the second server that uses the list of authorized users to validate the session credential;
  
  a first network providing a connection between the global repository, the second server and the first server; and
  
  a client holding the session credential, the client connectable to the first server and to the second server by the first network, wherein;
  
  the first server entirely validates the session credential using only the session management plug-in running on the first server; and
  
  the second server entirely validates the session credential using only the session management plug-in running on the second server.
- View Dependent Claims (29, 30, 31, 32, 33, 34, 35, 36, 37, 38)
- - 29. A system according to claim 28, further comprising a third server with an authorized list of users, the third server connectable to the first server and to the second server by a second network.
  - 30. A system according to claim 29, wherein the first network and the second network are interconnected.
  - 31. A system according to claim 29, wherein the first network and the second network are the same network.
  - 32. A system according to claim 29, wherein the second network is a public network.
  - 33. A system according to claim 29, wherein the second network is a private network.
  - 34. A system according to claim 28, further comprising:
    - a log-in plug-in running on the first server;
      
      a log-in plug-in running on the second server.
  - 35. A system according to claim 28, wherein the first network is a public network.
  - 36. A system according to claim 28, wherein the first network is a private network.
  - 37. A system according to claim 28, wherein the session credential is a cryptographically generated cookie.
  - 38. A system according to claim 28, wherein the resource on the first server is a protected resource.

42. A system for single-sign-on session management, the system comprising:
- a global repository that generates a list of authorized users;
  
  multiple servers, each of the multiple servers inputting the list of authorized users from the global repository;
  
  protected resources residing on each of the multiple servers;
  
  multiple log-in plug-ins, each of the multiple servers running one of the multiple log-in plug-ins, wherein each of the log-in plug-ins uses the list of authorized users to establish session credentials, such that each of the multiple servers is capable of independently establishing the session credentials; and
  
  multiple session management plug-ins, each of the multiple servers running one of the session management plug-ins, wherein each of the session management plug-ins processes the session credentials established by any one of the multiple log-in plug-ins in order to validate a user session, thereby enabling user access to a requested protected resource on any of the multiple servers.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
JP Morgan Chase Bank, N.A. (JP Morgan Chase & Co)
Original Assignee
JP Morgan Chase Bank, N.A. (JP Morgan Chase & Co)
Inventors
Miller, Lawrence R, Skingle, Bruce J.
Primary Examiner(s)
Refai; Ramsey

Application Number

US10/078,687
Publication Number

US 20030158949A1
Time in Patent Office

3,367 Days
Field of Search

709227-229, 709/225, 709/217, 726/17, 726/18
US Class Current

709/225
CPC Class Codes

G06F 21/41   where a single sign-on prov...

H04L 63/0428   wherein the data content is...

H04L 63/0815   providing single-sign-on or...

H04L 63/101   Access control lists [ACL]

H04L 63/126   the source of the received ...

H04L 65/1101   Session protocols

System and method for single sign-on session management without central server

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

523 Citations

42 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for single sign-on session management without central server

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

523 Citations

42 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links