Coordinating user target logons in a single sign-on (SSO)...

Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer

Reexamination Certificate


Details

C713S152000


active

06178511

ABSTRACT:

BACKGROUND OF THE INVENTION
1. Technical Field
The present invention relates generally to accessing heterogeneous networks and reducing costs by increasing productivity for end-users and system administrators in an enterprise computer environment.
2. Description of the Related Art
With sprawling client-server systems growing daily, applications and information are spread across many PC networks, mainframes and minicomputers. In a distributed system environment connected by networks, a user must access many database systems, network systems, operating systems and mainframe applications. To use these systems and applications, the user must issue separate sign-on commands for each specific system or application. Indeed, it is not unusual for a user to encounter ten or more different login sessions during a working shift, and these often are different interfaces with different userid and authentication information, usually passwords. This places the user under a significant burden to remember and maintain this information.
It would be quite beneficial to provide a single sign-on (SSO) tool to enable authorized users to perform one initial sign-on to access a variety of networks, systems and applications. A single sign-on system should provide secure storage of user passwords, support for more than one user password, as well as support for multiple target logon methods. Each of these issues presents varying design considerations.
With respect to the first issue, there are multiple approaches to storing and managing passwords. One approach is to use the same password for all accessible systems/applications. This technique may weaken system security, however, because a compromised password in any of the systems or applications compromises the user's privileges on these systems and applications at the same time. Further, different sign-on mechanisms may have their own distinctive password requirements and, thus, it is problematic to use the same password for multiple targets.
Another approach to storing and managing passwords is password-mapping, which refers to using the user's primary password to encrypt all the user's secondary passwords. The encrypted passwords are stored in a local storage space accessible to the user (e.g., a local file, a readable/writable smartcard, and the like). Once the primary password is verified, the local system authentication module obtains the passwords for other sign-on systems and applications by decrypting the mechanism-specific encrypted password with the primary password. The security of this password-mapping scheme assumes that the primary password is the user's strongest password, and it also depends on the security of the local storage for the secondary passwords. If the secondary passwords are stored in an untrusted publicly accessible machine, an intruder is provided with opportunities for potential attacks. Moreover, although this approach is simple, the password file must be moved from machine to machine by the user to logon to more than one machine.
The target logon alternatives also influence the single sign-on system design. In particular, the method used for storing a user password heavily influences the design of target logon code. It is known to embed passwords in target specific logon scripts. This is how many “homegrown” single sign-on systems work today. This technique is the least extendible design because it ties passwords (and logon target code) to each machine the user uses. It is also hard to maintain passwords in this design because passwords need to be changed both in the applications and in the logon scripts. For a mobile user, the scripts need to be present on all machines the user might use. The overall security of this approach is thus very weak.
Another target logon alternative involves building in all the logon methods for every possible target to which any user may desire to logon. This “hardcoded” approach assumes that all workstations and applications are configured similarly and do not change. Because the logon methods are built into the solution, changes made to the logon methods require changes to the actual solution itself. This approach is costly and also is not very extensible.
These known approaches to secure password storage/management and target logon have yet to provide an adequate single sign-on solution. The present invention addresses and solves this problem.
BRIEF SUMMARY OF THE INVENTION
The present invention implements a single sign-on (SSO) mechanism that coordinates logons to local and remote resources in a computer enterprise with preferably one ID and password.
More specifically, this invention provides a single sign-on (SSO) framework that allows users to sign on to a client system one time by entering one password. The SSO framework then signs on to other applications on the user's behalf.
The SSO framework supports storage of all passwords and keys belonging to a user in secure storage (e.g., either in local storage, a centralized password service, a smartcard, or the like), so that the user needs to remember only one ID and password. Upon authentication, the SSO mechanism securely retrieves all the passwords for a user from the secure storage and automatically (i.e. without additional user intervention) issues sign-ons to each system/application the user is authorized to access.
The system framework preferably includes a number of modules including a configuration information manager (CIM), which includes information on how to logon to the applications configured on a given machine, a personal key manager (PKM), which includes information about users, systems and passwords they use to logon to those systems, and a logon coordinator (LC), which retrieves the user's passwords from PKM and uses them in conjunction with target-specific logon code to log users onto all their systems, preferably without any additional user intervention.
The CIM facilitates adding new logon methods as needed. Information is preferably stored in the CIM using “templates” referred to as program template files (PTFs). A given PTF thus is used to create entries in the CIM. This template mechanism enables an application vendor to specify how to log onto a given application. Thus, independent software vendors and others can easily plug their applications into the SSO framework without writing a large amount of code.
The SSO framework preferably implements a “data model” where information used to sign on to applications is kept in the separate PKM and CIM databases. Preferably, the PKM is globally accessible and stores user-specific information, and the CIM is locally accessible and stores application-specific information derived from PTF files. In operation, the logon coordinator (LC) accesses the PKM to obtain the user's information (e.g., the target systems and applications to which the user can sign on), as well as the passwords and keys for those systems/applications. The LC then uses these passwords/keys, together with the target logon information found in the CIM, to sign on to various target systems and applications. Sign-on is preferably based upon the target's own protocols and mechanisms as defined in the PTF.
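The data model described above, sketched as an added example that is not code from the patent: a logon coordinator joins the user's PKM records (which hold the secrets) with the machine-local CIM entries (which hold only the logon method) and reports a per-target status that never contains a secret. The record layouts, handler names and sample data are assumptions made for illustration; the patent's actual PTF format does not appear on this page.

```python
"""Added sketch of the PKM / CIM / logon-coordinator split (constructed data)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class CimEntry:            # application-specific, local to this machine, no secrets
    target: str
    method: str            # name of a registered logon handler (hypothetical)
    credential_kind: str   # "password" or "key"

@dataclass(frozen=True)
class PkmRecord:           # user-specific, globally accessible, holds the secrets
    target: str
    userid: str
    credential_kind: str
    secret: str

# Hypothetical handlers standing in for target-specific logon code.
def _prompt_logon(entry, userid, secret):
    return bool(userid and secret)

def _key_logon(entry, userid, secret):
    return secret.startswith("key:")

HANDLERS = {"prompt": _prompt_logon, "key-exchange": _key_logon}

def coordinate_logons(pkm_records, cim):
    """Join PKM records with the local CIM and attempt each logon.
    Returns {target: status}; a failure on one target does not stop the rest."""
    results = {}
    for rec in pkm_records:
        entry = cim.get(rec.target)
        if entry is None:
            results[rec.target] = "skipped: not configured on this machine"
        elif entry.credential_kind != rec.credential_kind:
            results[rec.target] = "failed: credential kind mismatch"
        elif entry.method not in HANDLERS:
            results[rec.target] = "failed: unknown logon method"
        else:
            ok = HANDLERS[entry.method](entry, rec.userid, rec.secret)
            results[rec.target] = "ok" if ok else "failed: target rejected logon"
    return results

# Constructed sample data: one local CIM and one user's PKM records.
CIM = {
    "mainframe": CimEntry("mainframe", "prompt", "password"),
    "db": CimEntry("db", "key-exchange", "key"),
    "legacy": CimEntry("legacy", "scripted", "password"),
}
PKM_ALICE = [
    PkmRecord("mainframe", "ALICE01", "password", "constructed-pw-1"),
    PkmRecord("db", "alice", "password", "constructed-pw-2"),
    PkmRecord("mail", "alice", "password", "constructed-pw-3"),
    PkmRecord("legacy", "alice", "password", "constructed-pw-4"),
]
```
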
Another objective of this invention is to allow applications to be plugged into the single sign-on (SSO) framework. According to the invention, preferably the program template file (PTF) is used to inform the single sign-on mechanism how to interact with a given application or subsystem to perform SSO-related operations. The PTF enables applications to be plugged into the SSO mechanism without changing the SSO code itself and without requiring any programs to be written to plug into the new application.
Still another more general objective of this invention is to provide a framework-type SSO mechanism that enables any kind of target to be user-specified.
The foregoing has outlined some of the more pertinent objects of the present invention. These objects should be construed to be merely illustrative of some of the more prominent features and applications of the inve
