Single Sign-On Across Legacy Authentication Environments Using an Adaptive Reverse Proxy Credential Vault

IP.com Disclosure Number: IPCOM000234022D
Publication Date: 2014-Jan-07
Document File: 3 page(s) / 98K

Publishing Venue

The IP.com Prior Art Database

Abstract

Disclosed is a process that automatically generates single sign-on capabilities across a variety of legacy authentication environments using a credential vault and reverse proxy that records and replays authentication processes.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 44% of the total text.


Background: Many organizations with legacy applications face difficulty implementing single sign-on (SSO) across their applications. Often the applications were picked up through acquisitions or written by other development teams, and they vary in quality and age. Applications tied to custom legacy authentication forms and custom identity stores have no easy SSO option, so it may be impossible for them to achieve SSO without significant upgrades to adopt centralized identity and authentication protocols.

The disclosed invention proposes a new SSO service placed between the user and the application that accumulates the user's per-application credentials and uses them to provide a simulated SSO capability.

Prior art search:

"credential vault"

http://www.google.com/patents/US20060248577
uses SSO to manage credentials, but not based on a vault

"sso for multiple protocols"

http://www.google.com/patents/US20120011578
Handles cross-protocol SSO, but not related to vault or learning credentials

"parse and store credentials"

none relevant

"multiple authentication credential vault"

none relevant

"transparent credential vault"

http://www.google.com/patents/EP2122526A1
Solves the problem of storing credentials on the filesystem, e.g. between an application server and a database. The basic step of replacing a backend credential with a temporary credential is similar; however, it does not process or manage HTTP requests, since it operates at the application and filesystem layers. It also has no centralized service and does not learn credentials.

"credential vault proxy"

none relevant

Description: At a high level, SSO can be achieved through a new service that intercepts the user's credentials to the various backend applications, stores those credentials, and proxies the user's requests on the strength of the SSO token.

The new SSO service will:

1. First log in the user, or send the user to a true SSO server to authenticate.
2. Intercept the user's request to the backend application.
3. If the request is for an application that the user has not requested before, begin recording the user's login process:
   1. The user sends their login credentials to the application.
   2. The credentials are intercepted by the SSO service, which stores a mapping between [user, application, credentials] in the SSO service credential vault.
   3. The SSO service also stores a recording of the login process (HTTP requests, request data, returned cookies or tokens) to be replayed. This can leverage existing recording technology, such as that available in application scanning services.
4. The next time the user logs into the application through the SSO service:
   1. The SSO service intercepts the requests.
   2. The SSO service logs into the application by replaying the recorded login steps with the user's stored credentials.
   3. If the user's credentials to the backend application expire, the SSO service will fail to log...
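The record-and-replay loop above, written out as an added example (not code from the disclosure). The legacy application, its `uid`/`pwd` login form and the `JSESSIONID` cookie are constructed stand-ins; the proxy's learning rule (a form POST that comes back with a Set-Cookie is treated as a completed login) and the `(mode, Response)` return shape are assumptions of this example. The stale-credential branch implements the failure mode the truncated last step begins to describe: when a replay is rejected, the stored credentials are evicted and the user is sent back through a fresh, recorded login rather than having a known-bad password replayed against the account.

```python
"""Illustrative record-and-replay SSO proxy for legacy form logins (added example)."""
from dataclasses import dataclass, field
import secrets


@dataclass
class Request:
    method: str
    path: str
    form: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    set_cookies: dict = field(default_factory=dict)


class LegacyApp:
    """Constructed stand-in: own user store, custom form login, JSESSIONID on success."""

    def __init__(self, users):
        self.users = dict(users)    # username -> password (constructed data)
        self.sessions = {}          # session id -> username

    def handle(self, req):
        if req.method == "POST" and req.path == "/login":
            uid, pwd = req.form.get("uid"), req.form.get("pwd", "")
            if uid in self.users and secrets.compare_digest(self.users[uid], pwd):
                sid = secrets.token_hex(8)
                self.sessions[sid] = uid
                return Response(302, {"JSESSIONID": sid})
            return Response(401)
        if req.cookies.get("JSESSIONID") in self.sessions:
            return Response(200)
        return Response(401)


@dataclass
class Recording:
    """Login step with field names only; values come from the vault at replay time."""
    method: str
    path: str
    fields: tuple           # form field names, in submission order
    session_cookie: str     # cookie whose presence marks a successful login


class SsoProxy:
    def __init__(self, apps):
        self.apps = apps        # app name -> LegacyApp
        self.vault = {}         # (sso_user, app) -> {field: value}
        self.recordings = {}    # app -> Recording
        self.sessions = {}      # (sso_user, app) -> {cookie: value}

    def _replay(self, sso_user, app):
        rec, creds = self.recordings[app], self.vault[(sso_user, app)]
        form = {f: creds[f] for f in rec.fields}
        resp = self.apps[app].handle(Request(rec.method, rec.path, form))
        if rec.session_cookie in resp.set_cookies:
            self.sessions[(sso_user, app)] = dict(resp.set_cookies)
            return True
        # Backend rejected the stored credentials (expired/rotated): evict them so the
        # next login is re-recorded instead of replaying a bad password repeatedly.
        del self.vault[(sso_user, app)]
        return False

    def forward(self, sso_user, app, req):
        """Proxy a request for an already SSO-authenticated user. Returns (mode, Response)."""
        key, backend = (sso_user, app), self.apps[app]
        if key in self.sessions:
            req.cookies.update(self.sessions[key])
            resp = backend.handle(req)
            if resp.status != 401:
                return "session", resp
            del self.sessions[key]      # backend session expired; fall through to replay
        if key in self.vault and app in self.recordings:
            if self._replay(sso_user, app):
                req.cookies.update(self.sessions[key])
                return "replayed", backend.handle(req)
            return "reauth_required", Response(401)
        # Learning mode: pass through and watch for a form POST that yields a cookie.
        resp = backend.handle(req)
        if req.method == "POST" and req.form and resp.set_cookies:
            cookie_name = next(iter(resp.set_cookies))
            self.recordings[app] = Recording(req.method, req.path, tuple(req.form), cookie_name)
            self.vault[key] = dict(req.form)
            self.sessions[key] = dict(resp.set_cookies)
            return "recorded", resp
        return "passthrough", resp


def demo():
    """Walk one user through record, ride-on-session, replay, expiry and re-record."""
    app = LegacyApp({"alice": "hunter2"})
    proxy = SsoProxy({"payroll": app})
    trace = []
    login = lambda pw: Request("POST", "/login", {"uid": "alice", "pwd": pw})
    trace.append(proxy.forward("alice@corp", "payroll", login("hunter2")))        # recorded
    trace.append(proxy.forward("alice@corp", "payroll", Request("GET", "/home")))  # session
    app.sessions.clear()                                                           # backend session expires
    trace.append(proxy.forward("alice@corp", "payroll", Request("GET", "/home")))  # replayed
    app.users["alice"] = "correct-horse"                                           # password rotated out of band
    app.sessions.clear()
    trace.append(proxy.forward("alice@corp", "payroll", Request("GET", "/home")))  # reauth_required
    trace.append(proxy.forward("alice@corp", "payroll", login("correct-horse")))   # recorded again
    return [(mode, resp.status) for mode, resp in trace]
```

The vault here is a plain in-memory dict holding replayable passwords, which is the asset this design concentrates; a deployment would keep it encrypted under a key the proxy process cannot export and would rate-limit replays per (user, application) so that a rotated backend password produces one failed attempt, not a lockout.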