Method and system for extending authentication methods

US 8,006,289 B2
Filed: 12/16/2005
Issued: 08/23/2011
Est. Priority Date: 12/16/2005
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for managing authentication credentials for a user within a data processing system, the method comprising:

receiving at a session management server from a client a request to access a protected resource on behalf of a user, wherein the session management server performs session management with respect to the user for a domain that includes the protected resource, and wherein access to the protected resource requires authentication credentials that have been generated for a first type of authentication context;

in response to determining by the session management server that authentication credentials for the user indicate that the authentication credentials have been generated for a second type of authentication context, sending a first message from the session management server to an authentication proxy server, wherein the first message contains the authentication credentials for the user and an indicator for the first type of authentication context; and

receiving a second message at the session management server from the authentication proxy server, wherein the second message contains updated authentication credentials for the user, and wherein the updated authentication credentials indicate that the updated authentication credentials have been generated for the first type of authentication context.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is presented for managing authentication credentials for a user. A session management server performs session management with respect to the user for a domain that includes a protected resource. The session management server receives a request to access the protected resource, which requires authentication credentials that have been generated for a first type of authentication context. In response to determining that authentication credentials for the user have been generated for a second type of authentication context, the session management server sends to an authentication proxy server a first message that contains the authentication credentials for the user and an indicator for the first type of authentication context. The session management server subsequently receives a second message that contains updated authentication credentials for the user that indicate that the updated authentication credentials have been generated for the first type of authentication context.

76 Citations

View as Search Results

20 Claims

1. A computer-implemented method for managing authentication credentials for a user within a data processing system, the method comprising:
- receiving at a session management server from a client a request to access a protected resource on behalf of a user, wherein the session management server performs session management with respect to the user for a domain that includes the protected resource, and wherein access to the protected resource requires authentication credentials that have been generated for a first type of authentication context;
  
  in response to determining by the session management server that authentication credentials for the user indicate that the authentication credentials have been generated for a second type of authentication context, sending a first message from the session management server to an authentication proxy server, wherein the first message contains the authentication credentials for the user and an indicator for the first type of authentication context; and
  
  receiving a second message at the session management server from the authentication proxy server, wherein the second message contains updated authentication credentials for the user, and wherein the updated authentication credentials indicate that the updated authentication credentials have been generated for the first type of authentication context.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer-implemented method of claim 1 further comprising:
    - associating the updated authentication credentials with a pre-existing session for the user without requiring establishment of a new session for the user.
  - 3. The computer-implemented method of claim 1 further comprising:
    - sending from the session management server the request to access the protected resource on behalf of the user after receiving the updated authentication credentials.
  - 4. The computer-implemented method of claim 1 further comprising:
    - extracting by the session management server a Uniform Resource Identifier (URI) for the protected resource from the request to access the protected resource; and
      
      performing a lookup operation based on the extracted URI to obtain the first type of authentication context.
  - 5. The computer-implemented method of claim 1 further comprising:
    - retrieving by the session management server a URI for the authentication proxy server from configurable information; and
      
      employing the retrieved URI for the authentication proxy server for each request from the session management server to obtain updated credentials.
  - 6. The computer-implemented method of claim 1 further comprising:
    - retrieving by the authentication proxy server a URI for the session management server from configurable information; and
      
      employing the retrieved URI for the session management server for each response from the authentication proxy server to return updated credentials.
  - 7. The computer-implemented method of claim 1 further comprising:
    - extracting by the authentication proxy server from the first message the indicator for the first type of authentication context; and
      
      performing a lookup operation based on the extracted indicator for the first type of authentication context to determine an authentication method to be employed to update the authentication credentials for the user.
  - 8. The computer-implemented method of claim 7 further comprising:
    - sending by the authentication proxy server the authentication credentials to the determined authentication method.

9. A computer program product on a computer-readable storage medium for use within a data processing system for managing authentication credentials for a user, the computer program product holding computer program instructions which when executed by the data processing system perform a method comprising:
- receiving at a session management server from a client a request to access a protected resource on behalf of a user, wherein the session management server performs session management with respect to the user for a domain that includes the protected resource, and wherein access to the protected resource requires authentication credentials that have been generated for a first type of authentication context;
  
  sending, in response to determining by the session management server that authentication credentials for the user indicate that the authentication credentials have been generated for a second type of authentication context, a first message from the session management server to an authentication proxy server, wherein the first message contains the authentication credentials for the user and an indicator for the first type of authentication context; and
  
  receiving a second message at the session management server from the authentication proxy server, wherein the second message contains updated authentication credentials for the user, and wherein the updated authentication credentials indicate that the updated authentication credentials have been generated for the first type of authentication context.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The computer program product of claim 9 wherein the method further comprises:
    - associating the updated authentication credentials with a pre-existing session for the user without requiring establishment of a new session for the user.
  - 11. The computer program product of claim 9 wherein the method further comprises:
    - sending from the session management server the request to access the protected resource on behalf of the user after receiving the updated authentication credentials.
  - 12. The computer program product of claim 9 wherein the method further comprises:
    - extracting by the session management server a Uniform Resource Identifier (URI) for the protected resource from the request to access the protected resource; and
      
      performing a lookup operation based on the extracted URI to obtain the first type of authentication context.
  - 13. The computer program product of claim 9 wherein the method further comprises:
    - retrieving by the session management server a URI for the authentication proxy server from configurable information; and
      
      employing the retrieved URI for the authentication proxy server for each request from the session management server to obtain updated credentials.
  - 14. The computer program product of claim 9 wherein the method further comprises:
    - retrieving by the authentication proxy server a URI for the session management server from configurable information; and
      
      employing the retrieved URI for the session management server for each response from the authentication proxy server to return updated credentials.
  - 15. The computer program product of claim 9 wherein the method further comprises:
    - extracting by the authentication proxy server from the first message the indicator for the first type of authentication context; and
      
      performing a lookup operation based on the extracted indicator for the first type of authentication context to determine an authentication method to be employed to update the authentication credentials for the user.
  - 16. The computer program product of claim 15 wherein the method further comprises:
    - sending by the authentication proxy server the authentication credentials to the determined authentication method.

17. An apparatus for managing authentication credentials for a user within a data processing system, the apparatus comprising:
- a processor;
  
  a computer memory holding computer program instructions which when executed by the processor perform a method comprising;
  
  receiving at a session management server from a client a request to access a protected resource on behalf of a user, wherein the session management server performs session management with respect to the user for a domain that includes the protected resource, and wherein access to the protected resource requires authentication credentials that have been generated for a first type of authentication context;
  
  sending, in response to determining by the session management server that authentication credentials for the user indicate that the authentication credentials have been generated for a second type of authentication context, a first message from the session management server to an authentication proxy server, wherein the first message contains the authentication credentials for the user and an indicator for the first type of authentication context; and
  
  receiving a second message at the session management server from the authentication proxy server, wherein the second message contains updated authentication credentials for the user, and wherein the updated authentication credentials indicate that the updated authentication credentials have been generated for the first type of authentication context.
- View Dependent Claims (18, 19, 20)
- - 18. The apparatus of claim 17wherein the method further comprises:
    - associating the updated authentication credentials with a pre-existing session for the user without requiring establishment of a new session for the user.
  - 19. The apparatus of claim 17 wherein the method further comprises:
    - sending from the session management server the request to access the protected resource on behalf of the user after receiving the updated authentication credentials.
  - 20. The apparatus of claim 17 wherein the method further comprises:
    - extracting by the session management server a Uniform Resource Identifier (URI) for the protected resource from the request to access the protected resource; and
      
      performing a lookup operation based on the extracted URI to obtain the first type of authentication context.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Finjan Blue, Inc. (SoftBank Group Corp.)
Original Assignee
International Business Machines Corporation
Inventors
Harmon, Benjamin, Moran, Anthony, Hinton, Heather M.
Primary Examiner(s)
Barron, Jr.; Gilberto
Assistant Examiner(s)
KANAAN, SIMON P

Application Number

US11/305,646
Publication Number

US 20080134305A1
Time in Patent Office

2,076 Days
Field of Search

726/5, 726/8
US Class Current

726/5
CPC Class Codes

H04L 63/08 for authentication of entit...

H04L 63/0815 providing single-sign-on or...

Method and system for extending authentication methods

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

76 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Method and system for extending authentication methods

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

76 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others