Cross-domain authentication
First Claim
1. A method for providing a first service and a second service to a user via a client being coupled to a data communication network, said first service being provided by a first network server also being coupled to the data communication network, said second service being provided by a second network server also being coupled to the data communication network, said method comprising:
- receiving a first request from the first network server to provide the first service in a first domain to the user wherein the user is not authenticated for the first service and not authenticated for the second service when the first request is received;
- storing first data on the client in response to the received first request, said first data identifying the first service wherein the user is not authenticated for the first service and not authenticated for the second service when the first data is stored;
- allowing the user to access the first service without authenticating the user during which the user continues to be unauthenticated for the first service and unauthenticated for the second service wherein the first service does not receive an authentication ticket and profile information associated with the user and wherein the user is not authenticated for the first service;
- receiving a second request from the second network server to provide the second service, which is in a second domain which is different than the first domain, to the user wherein the second service requires authentication of the user, wherein the user is not authenticated for the first service and wherein the first service does not have an authentication ticket and profile information associated with the user;
- authenticating the user for the second service in response to the received second request;
- allowing the user access to the second service in response to authenticating the user for the second service wherein the user is not authenticated for the first service and wherein the first service does not have an authentication ticket and profile information associated with the user;
- generating, in response to authenticating the user for the second service, an authentication ticket and profile information associated with the user wherein the generated authentication ticket and profile information is communicated to the second service, wherein the user is not authenticated for the first service and wherein the first service does not have an authentication ticket and profile information associated with the user; and
- authenticating, in response to the authentication of the user for the second request, the user for the first service identified in the stored first data wherein, in response to the authentication of the user for the first service, the generated authentication ticket and profile information is communicated to the first service.
Abstract
Providing services within a network of service providers sharing an authentication service and a set of business rules. A central server receives a first request from a first server to provide a first service to a user via a client without forcing the user to present credentials. In response to the received first request, the central server stores data identifying the first service on the client. The central server further receives a second request from a second server to provide a second service to the user via the client after the user presents the credentials to the second service. After receiving the second request and the presented credentials, the central server allows the user access to the second service. In response to allowing the user access to the second service, the central server further allows the user access to the first service as a result of the stored data.
20 Claims
Claim 1 is reproduced above under First Claim. Dependent claims of claim 1: 2, 3, 4, 5, 6, 7, 8, 9.
10. A system for providing services to a user, said system comprising:
- a first network server coupled to a data communication network, said first network server being configured to provide a first service to a user via a client also coupled to the data communication network;
- a second network server coupled to the data communication network, said second network server being configured to provide a second service to the user via the client;
- a central server coupled to the data communication network, said central server being configured to receive a first request from the first network server to provide the first service to the user and a second request from the second network server to provide the second service to the user;
- said first network server being configured to direct the first request to the central server, said central server further being configured to generate and store first data on the client in response to receiving the first request, said first data identifying the first service wherein the user is not authenticated for the first service and not authenticated for the second service, said first service allowing the user to access the first service without authenticating the user during which the user continues to be unauthenticated for the first service and unauthenticated for the second service;
- said second network server being configured to direct the second request to the central server, said second service requiring authentication of the user;
- wherein, in response to the received second request, the central server is configured to allow the user access to the second service wherein the user is authenticated by the central server for the second service in response to the received second request, wherein the central server authenticates the user via a database having a unique identifier corresponding to the user, and wherein the user is allowed to use the second service for a predefined period of time; and
- wherein, in response to authentication of the user by the second request, the central server is configured to authenticate the user for the first service identified in the stored first data.

Dependent claims of claim 10: 11, 12, 13, 14.
15. A system for providing services to a user, said system comprising:
- a first network server coupled to a data communication network, said first network server being configured to provide a first service to a user via a client also coupled to the data communication network, said first service requiring authentication of the user;
- a second network server coupled to the data communication network, said second network server being configured to provide a second service to the user via the client;
- a central server coupled to the data communication network, said central server being configured to receive a first request from the first network server to provide the first service to the user and a second request from the second network server to provide the second service to the user;
- a database associated with the central server, said database configured to store an identification corresponding to the user to be authenticated, said database providing said identification to the central server to allow the central server to authenticate the user, said database being further configured to store information identifying a first policy group associated with the first service and a second policy group associated with the second service, wherein the first policy group defines a shared set of business rules to restrict authentication of a user across different domains and the second policy group defines a shared set of business rules to restrict authentication of a user across different domains;
- wherein, in response to the received first request, the central server is configured to allow the user access to the first service and to generate and store first data on the client based on the stored information identifying the first policy group associated with the first service, said first data identifying the first policy group associated with the first service wherein the central server authenticates the user for the first service in response to the received first request, wherein the user is allowed to use the first service for a predefined period of time;
- wherein if the second policy group identified by the stored information identifying the second policy group associated with the second service is the same as the first policy group identified by the stored first data, the central server is configured to allow the user access to the second service in response to the received second request wherein the user is authenticated by the central server for the second service in response to the received second request; and
- wherein if the second policy group identified by the stored information identifying the second policy group associated with the second service is not the same as the first policy group identified by the stored first data, the central server is configured to update the stored first data to identify the second service in response to the received second request and the central server is configured to allow the unauthenticated user to access the second service during which the user continues to be unauthenticated for the second service.

Dependent claims of claim 15: 16, 17, 18, 19, 20.
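The flow the abstract and claims 1, 10 and 15 describe can be modelled as a small simulation: a central server stores "first data" on the client naming the services the user reached while unauthenticated, issues a time-limited ticket plus profile information once the user presents credentials for a service that demands them, and then hands that ticket to the services named in the stored data as well. The policy-group rule of claim 15 decides whether an existing ticket is shared with a service in another group. This is an added example written for this page, not code from the patent; the class and cookie names (`pending_services`, `auth_ticket`, `policy_group`), the user records and the services are constructed, and the choice to hand a ticket only to pending services in the same policy group is this example's own reading of claim 15.

```python
import secrets
import time
from dataclasses import dataclass, field

# Constructed model of the central authentication server in the claims above.
# All names, records and the policy-group handling are this example's assumptions.

@dataclass(frozen=True)
class Service:
    name: str
    domain: str
    requires_auth: bool
    policy_group: str          # shared business-rule group (claim 15)

@dataclass
class Client:
    cookies: dict = field(default_factory=dict)   # simulated browser cookie jar

@dataclass(frozen=True)
class Ticket:
    user_id: str
    value: str
    expires_at: float          # "predefined period of time" (claim 10)

class CentralServer:
    PENDING = "pending_services"   # first data: services reached while unauthenticated
    TICKET = "auth_ticket"
    GROUP = "policy_group"         # policy group the current ticket was issued for

    def __init__(self, users, services, ttl_seconds=3600, clock=time.time):
        # users: constructed DB, user_id -> {"password": ..., "profile": {...}};
        # a real deployment would store a password hash, never the password.
        self.users = users
        self.services = {s.name: s for s in services}
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so ticket expiry can be exercised
        self.delivered = {}         # service name -> (ticket, profile) handed to it

    def _valid_ticket(self, client):
        ticket = client.cookies.get(self.TICKET)
        return ticket if ticket and ticket.expires_at > self.clock() else None

    def _deliver(self, service, ticket):
        # communicate the ticket and profile information to a network server
        self.delivered[service.name] = (ticket, self.users[ticket.user_id]["profile"])

    def _remember(self, client, service):
        # store first data on the client identifying a service still awaiting auth
        pending = client.cookies.setdefault(self.PENDING, [])
        if service.name not in pending:
            pending.append(service.name)

    def request_service(self, client, service_name, credentials=None):
        """Handle a request a network server forwarded to the central server."""
        service = self.services[service_name]
        ticket = self._valid_ticket(client)
        if ticket is not None and client.cookies.get(self.GROUP) == service.policy_group:
            self._deliver(service, ticket)          # same policy group: ticket is shared
            return "authenticated"
        if ticket is not None and credentials is None:
            # different policy group (claim 15): ticket not shared across groups;
            # record the service and let the user in unauthenticated
            self._remember(client, service)
            return "unauthenticated"
        if not service.requires_auth:
            self._remember(client, service)          # claim 1: no credentials demanded
            return "unauthenticated"
        if credentials is None:
            return "credentials_required"
        user_id, password = credentials
        record = self.users.get(user_id)
        if record is None or not secrets.compare_digest(record["password"], password):
            return "denied"
        ticket = Ticket(user_id, secrets.token_urlsafe(16), self.clock() + self.ttl)
        client.cookies[self.TICKET] = ticket
        client.cookies[self.GROUP] = service.policy_group
        self._deliver(service, ticket)
        # claim 1: the user is now authenticated for the services named in the stored
        # first data too; assumption: only services in the same policy group get it
        still_pending = []
        for name in client.cookies.pop(self.PENDING, []):
            pending = self.services[name]
            if pending.policy_group == service.policy_group:
                self._deliver(pending, ticket)
            else:
                still_pending.append(name)
        if still_pending:
            client.cookies[self.PENDING] = still_pending
        return "authenticated"

def demo(clock=time.time):
    """Walk the claim-1 sequence, then a claim-15 policy-group mismatch."""
    users = {"alice": {"password": "correct horse", "profile": {"display_name": "Alice"}}}
    news = Service("news", "news.example", requires_auth=False, policy_group="consumer")
    mail = Service("mail", "mail.example", requires_auth=True, policy_group="consumer")
    bank = Service("bank", "bank.example", requires_auth=True, policy_group="finance")
    server = CentralServer(users, [news, mail, bank], clock=clock)
    client = Client()
    outcomes = [
        server.request_service(client, "news"),                              # unauthenticated
        server.request_service(client, "mail"),                              # credentials_required
        server.request_service(client, "mail", ("alice", "correct horse")),  # authenticated
        server.request_service(client, "bank"),                              # unauthenticated
    ]
    return outcomes, sorted(server.delivered), client.cookies.get(CentralServer.PENDING)
```

Running `demo()` shows the two points the claims turn on: `news` receives the ticket and profile only after the user authenticates to `mail`, because the stored first data named it, and `bank` in a different policy group gets neither the ticket nor the profile but is recorded as pending. The injectable clock makes the "predefined period of time" testable: once the ticket expires the central server demands credentials again rather than reusing it.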