Browse Prior Art Database

System and method for using flexible authentication mechanism for a single sign-on system. Disclosure Number: IPCOM000201837D
Publication Date: 2010-Nov-26
Document File: 6 page(s) / 68K

Publishing Venue

The Prior Art Database


Most of the Single Sign-On (SSO) systems bind themselves to a specific Identity provider, forcing users to authenticate with that particular Identity provider before they can begin using the SSO system. What the users should have is a choice on the Identity provider they want to use, because one user may use GMail more regularly while other may use Yahoo!. This article explains how the binding could be made a choice for each individual user of a SSO system.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 51% of the total text.

Page 01 of 6

System and method for using flexible authentication mechanism for a single sign -on system.

Most SSO systems either creates a new identity for a user and consolidate all other identities of the user under that new identity, or they pick a identity provider common to all users and consolidate the other identities of a user under that identity. This gives user very little flexibility and does not allow him to choose the way he wants to be identified by the SSO system.

Solution is to allow the user to choose the identity providers he wants to use to fully identify himself to the SSO system. E.g. the user could say, as long as I am identified and authenticated by the email server the SSO system should consider me authenticated. The system is flexible to the point of being able to say e.g. "user is authenticated and identified if and only if he logs into GMail, followed by Yahoo! (strictly in the same sequence)". We achieve this flexibility by monitoring the UI of the application and detecting when the user has successfully authenticated to the application.

The SSO System consists of UI Automation/Monitoring Agents. These are pieces of code distributed in form of shared libraries. When the agents are installed on a computer system, they get loaded into any application that is launched on the computer. The agents are capable of monitoring the user interface events in the application Windows and automating user actions such as filling in log-on forms etc.

The encryption scheme of the system works by creating a user specific symmetric cryptographic encryption key, called Cryptographic Symmetric Key (CSK) which encrypts all his credentials; and that CSK itself is encrypted by password corresponding to the identity provider of his choice (we can call them "trusted identity provider"). As the user chooses more identity providers that he wants to trust the system would keep the CSK encrypted with password corresponding to that identity provider.

When a user is successfully authenticated by one/many of his trusted identity providers the SSO system would start injecting passwords into other applications when required.

Any time the SSO system captures a new password for an application it confirms with the user if he wants to use the new identity as the trusted identity.

Additional details and explanatory diagrams have been provided in the following.

Sample data the SSO system can have


Page 02 of 6

(This page contains 00 pictures or other non-text o...