US2004054898A1PendingUtilityA1

Authenticating and communicating verifiable authorization between disparate network domains

44
Assignee: IBMPriority: Aug 28, 2002Filed: Aug 28, 2002Published: Mar 18, 2004
Est. expiryAug 28, 2022(expired)· nominal 20-yr term from priority
H04L 63/12H04L 9/3213H04L 63/08H04L 2209/68H04L 9/3247
44
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

Verifiable authentication credentials are provided to foreign systems without passing an id and password to the protected resource. A user wishing to access a secure remote site is prompted for credentials, the credentials are authenticated locally and a digitally signed token is created. The token is redirected to the secure remote site by the user's browser using HTTP redirection. The digitally signature is verified by the secure remote site preferably by a digital signature web service. The remote site establishes communications with the user if the digital signature is valid.

Claims

exact text as granted — not AI-modified
What is claimed is:  
     
         1 . A method for a user to access a secure Internet site, the method utilizing user credential data and other user data, the method comprising the steps of: 
 checking user credential data according to a first predetermined plan;    authorizing said user to access a secure Internet site if said user credentials permit;    creating a digitally signed request comprising said other user data for said authorized user according to a second predetermined plan; and    transmitting said digitally signed request to said secure Internet site.    
     
     
         2 . The method according to  claim 1  wherein said Internet site comprises world wide web pages.  
     
     
         3 . The method according to  claim 1  comprising the further steps of: 
 providing a web page to a client browser, said web page prompting said user for identification information; and  
 using said identification information to retrieve user credentials.  
 
     
     
         4 . The method according to  claim 3  wherein the providing step further comprises the step of dynamically generating said web page based on identifying information associated with said secure site.  
     
     
         5 . The method according to  claim 4  wherein said dynamically generating step further comprises an authentication prompt.  
     
     
         6 . The method according to  claim 1  further comprising the steps of: 
 receiving said digitally signed request at said secure Internet site;  
 verifying the validity of said digitally signed request; and  
 establishing a communication session with said first user if said digitally signed request is valid.  
 
     
     
         7 . The method according to  claim 6  wherein said verifying step comprises the further steps of: 
 sending said digital signature to a digital signature verification service at a verification Internet site; and  
 receiving an indication of the validity of said digital signature from said verification Internet site.  
 
     
     
         8 . The method according to  claim 1  wherein said checking user credentials step further comprises the steps of: 
 checking said user credentials against data in a common directory;  
 creating token message;  
 creating a redirect URL to the secure Internet site; and  
 communicating the redirect URL to a user browser.  
 
     
     
         9 . The method according to  claim 8  wherein said token message comprises any one of XML data, an expiration field or unique user information.  
     
     
         10 . The method according to  claim 8  wherein said redirect URL is digitally signed.  
     
     
         11 . A system for a user to access a secure Internet site, the system utilizing user credential data and other user data, the system comprising: 
 a checker checking user credential data according to a first predetermined plan;    an authorizer authorizing said user to access a secure Internet site if said user credentials permit;    a signature generator creating a digitally signed request comprising said other user data for said authorized user according to a second predetermined plan; and    a transmitter transmitting said digitally signed request to said secure Internet site.    
     
     
         12 . The system according to  claim 11  wherein said Internet site comprises world wide web pages.  
     
     
         13 . The system according to  claim 11  further comprising: 
 a web page provider providing a web page to a client browser, said web page prompting said user for identification information; and  
 an authenticator using said identification information to retrieve user credentials.  
 
     
     
         14 . The system according to  claim 13  wherein the web page provider further dynamically generates said web page based on identifying information associated with said secure site.  
     
     
         15 . The system according to  claim 14  wherein said web page provider dynamically generates an authentication prompt.  
     
     
         16 . The system according to  claim 11  further comprising: 
 a receiver receiving said digitally signed request at said secure Internet site;  
 a digital signature verifier, verifying the validity of said digitally signed request; and  
 a session establisher establishing a communication session with said first user if said digitally signed request is valid.  
 
     
     
         17 . The system according to  claim 16  wherein said digital signature verifier further comprises: 
 signature sender sending said digital signature to a digital signature verification service at a verification Internet site; and  
 a signature validity receiver receiving an indication of the validity of said digital signature from said verification Internet site.  
 
     
     
         18 . The system according to  claim 11  wherein said checker further comprises: 
 a user checker checking said user credentials against data in a common directory;  
 a token generator creating token message;  
 a redirection creator creating a redirect URL to the secure Internet site; and  
 a redirect communicator communicating the redirect URL to a user browser.  
 
     
     
         19 . The system according to  claim 18  wherein said token message comprises any one of XML data, an expiration field or unique user information.  
     
     
         20 . The system according to  claim 18  wherein said redirect URL is digitally signed.  
     
     
         21 . A computer program product for a user to access a secure Internet site, the computer program product utilizing user credential data and other user data, the computer program product comprising a computer readable medium having computer readable program code therein, the computer program product comprising: 
 computer readable program code for checking user credential data according to a first predetermined plan;    computer readable program code for authorizing said user to access a secure Internet site if said user credentials permit;    computer readable program code for creating a digitally signed request comprising said other user data for said authorized user according to a second predetermined plan; and    computer readable program code for transmitting said digitally signed request to said secure Internet site.    
     
     
         22 . The computer program product according to  claim 21  wherein said Internet site comprises world wide web pages.  
     
     
         23 . The computer program product according to  claim 21  further comprising: 
 computer readable program code for providing a web page to a client browser, said web page prompting said user for identification information; and  
 computer readable program code for using said identification information to retrieve user credentials.  
 
     
     
         24 . The computer program product according to  claim 23  wherein the web page provider further dynamically generates said web page based on identifying information associated with said secure site.  
     
     
         25 . The computer program product according to  claim 24  wherein said web page provider dynamically generates an authentication prompt.  
     
     
         26 . The computer program product according to  claim 21  further comprising: 
 computer readable program code for receiving said digitally signed request at said secure Internet site;  
 a digital signature verifier, verifying the validity of said digitally signed request; and  
 computer readable program code for establishing a communication session with said first user if said digitally signed request is valid.  
 
     
     
         27 . The computer program product according to  claim 26  wherein said digital signature verifier further comprises: 
 computer readable program code for sending said digital signature to a digital signature verification service at a verification Internet site; and  
 computer readable program code for receiving an indication of the validity of said digital signature from said verification Internet site.  
 
     
     
         28 . The computer program product according to  claim 21  wherein said checker further comprises: 
 computer readable program code for checking said user credentials against data in a common directory;  
 computer readable program code for creating token message;  
 a redirection creator creating a redirect URL to the secure Internet site; and  
 computer readable program code for communicating the redirect URL to a user browser.  
 
     
     
         29 . The computer program product according to  claim 28  wherein said token message comprises any one of XML data, an expiration field or unique user information.  
     
     
         30 . The computer program product according to  claim 28  wherein said redirect URL is digitally signed.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.