US2016248757A1PendingUtilityA1

Method and apparatus for multi-domain authentication

Assignee: SALESFORCE COM INCPriority: Feb 11, 2011Filed: Feb 3, 2016Published: Aug 25, 2016
Est. expiryFeb 11, 2031(~4.6 yrs left)· nominal 20-yr term from priority
H04L 63/10H04L 63/1466H04L 63/0815H04L 63/0807
46
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

A method and apparatus for multi-domain authentication is described. In one example, credentials are received for a user accessing a first domain. User access to the first domain and a second domain is confirmed. A token is created for access to the second domain and the is provided with access to the second domain.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
         1 . A method comprising:
 receiving credentials for a user at a first domain   receiving a request from the user at the first domain to redirect to a second domain;   redirecting the user to the second domain;   generating a token based on the user credentials on the first domain;   sending the token to the user and storing the token;   receiving a request from the user at the second domain, the request including the token;   comparing the received token to the stored token and conditionally authenticating the user at the second domain based on the token comparison.   
     
     
         2 . The method of  claim 1 , wherein storing the token comprises storing the token in a database accessible to the first and the second domains. 
     
     
         3 . The method of  claim 1 , wherein receiving credentials comprises logging a user into a session on the first domain. 
     
     
         4 . The method of  claim 1 , wherein receiving a request comprises receiving a request to log the user into a session in the second domain and wherein authenticating the user comprises logging the user into a session on the first domain. 
     
     
         5 . The method of  claim 1 , wherein receiving the token comprises receiving a hash of the token with an ID of the user and wherein comparing comprises generating a hash of the stored token with a stored user ID and comparing the generated hash to the received hash. 
     
     
         6 . The method of  claim 5 , wherein sending the token to the user comprises sending the token not hashed with the user ID. 
     
     
         7 . The method of  claim 1 , further comprising searching for an active session for the user with the first domain and if no active session is found not authenticating the user at the second domain. 
     
     
         8 . The method of  claim 7 , wherein searching for an active session comprises searching for a valid session cookie. 
     
     
         9 . The method of  claim 1 , further comprising retrieving permissions of the user for the first domain and not authenticating the user at the second domain if the permissions are not sufficient for the first domain. 
     
     
         10 . The method of  claim 9 , wherein the first and second domains provide user access to a single shared database and wherein retrieving permissions comprises retrieving permissions for the user to access data in the single shared database and wherein sufficient permissions are permissions that allow the user to access data in the single shared database. 
     
     
         11 . The method of  claim 1 , further comprising checking to determine whether the token has been consumed and if the token has been consumed, then not authenticating the user at the second domain. 
     
     
         12 . The method of  claim 11 , further comprising consuming the token after authenticating the user at the second domain. 
     
     
         13 . The method of  claim 1 , further comprising checking to determine whether the token has expired and if the token has expired, then not authenticating the user at the second domain. 
     
     
         14 . A system comprising:
 a computing device having a memory to store instructions, and a processing device to execute the instructions, the computing device further having a mechanism to:   receiving credentials for a user at a first domain   receiving a request from the user at the first domain to redirect to a second domain;   redirecting the user to the second domain;   generating a token based on the user credentials on the first domain;   sending the token to the user and storing the token;   receiving a request from the user at the second domain, the request including the token;   comparing the received token to the stored token and conditionally authenticating the user at the second domain based on the token comparison.   
     
     
         15 . The system of  claim 14 , further comprising a database shared by the first and second domain, the database including credentials for the user and wherein generating a user taken includes storing the token in the shared database. 
     
     
         16 . A computer-readable medium having instruction thereon that when operated on by a computer cause the computer to perform operations comprising:
 receiving credentials for a user at a first domain   receiving a request from the user at the first domain to redirect to a second domain;   redirecting the user to the second domain;   generating a token based on the user credentials on the first domain;   sending the token to the user and storing the token;   receiving a request from the user at the second domain, the request including the token;   comparing the received token to the stored token and conditionally authenticating the user at the second domain based on the token comparison.   
     
     
         17 . The medium of  claim 16 , the operations further comprising determining whether the user has a valid session with the first domain and wherein authenticating the user at the second domain comprises authenticating the user only if the user has a valid session with the first domain. 
     
     
         18 . A method comprising:
 receiving credentials for a user accessing a first domain;   confirming that the user has access to the first domain and a second domain;   creating a token for access to the second domain; and,   providing the user access to the second domain.   
     
     
         19 . The method of  claim 18 , wherein receiving credentials comprises accessing a database shared by the first and the second domain to determine whether user credential for the first domain are stored in the shared database.

Join the waitlist — get patent alerts

Track US2016248757A1 — get alerts on status changes and closely related new filings.

We store only your email — no account needed. See our privacy policy.