
Secure single sign-on among set of independent web applications

IP.com Disclosure Number: IPCOM000011800D
Original Publication Date: 2003-Mar-17
Included in the Prior Art Database: 2003-Mar-17
Document File: 2 page(s) / 46K

Publishing Venue

IBM

Abstract

A program is disclosed that allows a secure single sign-on (or single login) facility for a distributed set of cooperating web applications. The first time a user logs in to a member of the set, the user is required to authenticate (sign in or login); subsequent access to other members of the set of cooperating applications can occur with authentication, but without the user having to manually sign in again on each additional application. The program does not require cryptographic or other security software beyond that which is commonly found in web programming environments.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 47% of the total text.

Page 1 of 2

Secure single sign-on among set of independent web applications

   Web-based applications often need to securely authenticate and authorize their users before allowing those users any access to the features of the application. A user who has to interact with a variety of web-based applications as part of their regular job duties would in the normal course of events have to re-enter their username and password each time a new application is accessed the first time in a given session. (To make the scenario concrete, one can imagine a variety of hardware devices that are managed by a single administrative user, and each device has an embedded web-based configuration application running on its own web server). It is desirable for a user to authenticate once, the first time an application in the set is accessed (no matter which application is the first to be accessed)--but then to avoid having to authenticate again when other applications in the set are accessed.

     When a web-based application (the "local application") needs to display content from or allow interaction with a remote application (running on a remote web server), it authenticates itself to the remote application--in the preferred embodiment, by executing an HTTP POST URL and supplying the same username and password that the user supplied to authenticate to the local application. The remote application authenticates the username and password, and if valid, creates a globally unique textual token that it stores and also returns to the local application. The local application can supply this token as part of the URL arguments when accessing the remote application for the first time. The remote application, if it validates the token, can create a session that will allow further interaction between the two applications without further authentication. In the preferred embodiment, the communication between the two applications is via HTTPS, which inhibits eavesdropping on the token. In addition, the token must be validated within a fixed (small) period of time, and can be validated only once, to reduce any remaining vulnerability to replay.

     The advantage of this scheme is that it allows single sign-on among a set of distributed, independent web applications without relying on any unusual infrastructure. Everything that is required is part of normal web application hosting environments. All that remains is for the different applications to be able to authenticate a user using a common username/password repository, which could be provided by Network Information Service (NIS), Windows 2000* Active Directory, Lightweight Directory Access Protocol (LDAP), or some other mechanism that can be reasonably expected to already exist in a customer's environment.

     Each application using the disclosed mechanism conceptually provides a token management service. This service allows tokens to be created and validated. When a token is created, it is a GUID (globally-unique identifier) that is never reus...
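The token exchange described earlier and the token management service this paragraph introduces, as an added worked example in Python (this is not code from the disclosure, which gives no implementation): the remote application checks the forwarded username and password against a shared repository, mints a GUID token that it stores together with its issue time, and the local application then redeems that token exactly once, within a fixed window. The repository contents, the 30-second lifetime, and the class and function names (TokenService, local_app_session_with, FakeClock) are assumptions; the page only says the window is "fixed (small)".

```python
import hmac
import time
import uuid
from collections import namedtuple

# Constructed stand-in for the common username/password repository the page
# mentions (NIS, Active Directory, LDAP). A real deployment would verify the
# password against the directory rather than compare plaintext strings.
USER_REPOSITORY = {"admin": "correct horse battery staple"}  # constructed sample

TOKEN_LIFETIME_SECONDS = 30  # assumed value; the page says only "fixed (small)"

ValidationResult = namedtuple("ValidationResult", "username reason")


class TokenService:
    """Token management service of one application in the cooperating set.

    Hypothetical class: a token is created for a caller that proves it holds
    valid credentials, and is accepted once, within the lifetime, then burned.
    """

    def __init__(self, lifetime=TOKEN_LIFETIME_SECONDS, clock=time.time):
        self.lifetime = lifetime
        self.clock = clock            # injectable so expiry can be demonstrated
        self._pending = {}            # token -> (username, issued_at)
        self._redeemed = set()        # tokens already used, so replays are named

    def authenticate(self, username, password):
        """Check the forwarded credentials against the shared repository."""
        expected = USER_REPOSITORY.get(username)
        if expected is None:
            return False
        # Constant-time comparison on bytes; str inputs may be non-ASCII.
        return hmac.compare_digest(expected.encode(), password.encode())

    def create_token(self, username, password):
        """Step 1 (remote application): authenticate the forwarded username and
        password and, if valid, mint a fresh GUID, store it and return it."""
        if not self.authenticate(username, password):
            return None
        token = str(uuid.uuid4())     # random GUID, as the page specifies
        self._pending[token] = (username, self.clock())
        return token

    def validate_token(self, token):
        """Step 2 (remote application): accept a presented token only if it is
        known, unexpired and not already redeemed. Each outcome is named so the
        application can log replays and expiries distinctly."""
        if token in self._redeemed:
            return ValidationResult(None, "replayed")
        entry = self._pending.pop(token, None)
        if entry is None:
            return ValidationResult(None, "unknown")
        self._redeemed.add(token)     # single use, even if it turns out expired
        username, issued_at = entry
        if self.clock() - issued_at > self.lifetime:
            return ValidationResult(None, "expired")
        return ValidationResult(username, "ok")


def local_app_session_with(remote, username, password):
    """The local application's side of the exchange: POST the user's credentials
    to the remote application, receive a token, then present it on the first
    access. Returns the username the remote will open a session for, or None.
    The HTTPS transport the page requires is outside this example."""
    token = remote.create_token(username, password)
    if token is None:
        return None
    return remote.validate_token(token).username


class FakeClock:
    """Adjustable clock so the demo can show expiry deterministically."""

    def __init__(self, now=1_000.0):
        self.now = now

    def __call__(self):
        return self.now


def demo():
    """Walk through the happy path, a replayed token and an expired token."""
    clock = FakeClock()
    remote = TokenService(lifetime=30, clock=clock)
    outcomes = {}
    outcomes["wrong_password"] = local_app_session_with(remote, "admin", "guess")
    token = remote.create_token("admin", "correct horse battery staple")
    outcomes["first_use"] = remote.validate_token(token).reason
    outcomes["replay"] = remote.validate_token(token).reason
    late = remote.create_token("admin", "correct horse battery staple")
    clock.now += 31                   # past the assumed 30-second window
    outcomes["expired"] = remote.validate_token(late).reason
    return outcomes


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step}: {result}")
```

The token is removed from the pending table and recorded as redeemed before the expiry check, so a token can never be accepted twice whatever the clock says; in a long-running service the redeemed set can be pruned of entries older than the lifetime, since anything that old would be rejected as expired anyway. Distinct "replayed", "expired" and "unknown" outcomes are worth logging separately, because a burst of replays against one application is a different signal from clients with skewed clocks.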