Distributed Software Engineering with Client-Server Computing
IPCOM000242565D
Method and System for Synchronizing Authentication Approaches in a Corporate Environment
An IP.com Prior Art Database Technical Disclosure
Authors et. al.: Disclosed Anonymously
IP.com Number: 000242565
IP.com Electronic Publication: July 26, 2015
Method and System for Synchronizing Authentication Approaches in a Corporate Environment
Typically, synchronization software in a corporate or enterprise environment must work
with various standard or non-standard authentication technologies. Generally, enterprises
that have file synchronization software may offer only a solution for standard
authentication already supported in web environments, or may include a single custom
authentication. The ability to use different corporate authentication approaches in a
corporate environment is critical for the success of large enterprises that wish to use
synchronization approaches. A typical synchronization client uses supplied credentials
and performs any required network access to a synchronizing server along with any
necessary authentication. For example, if the synchronization software uses Hypertext
Transfer Protocol (HTTP), an HTTP call may be challenged to provide credentials
and retry the call. In the case of desktops, current file synchronization software
utilizes preferences with desktops, but such software may not allow the user to
selectively synchronize with a variety of different repositories or servers.
Typically, the file synchronization software can only connect from a single server to a
user's client machine. The synchronization happens one way and can only be
managed in a limited manner.
Disclosed is a method and system for synchronizing authentication approaches in a
corporate environment. The method and system enable a variety of corporate
authentication approaches (such as Kerberos*, SAML*, basic, and custom authentication
approaches) to be used in synchronization software. The synchronization software
includes a module which implements the custom authentication approach for a client.
The module is inserted into the flow of network calls in the corporate environment.
In an implementation of the method and system, a synchronization client attempts to
contact a server with a network operation. The server responds with an error or other
indication that the operation failed because the client is not authenticated. At this
point the software invokes the module. The module examines the result of the network
operation to determine whether authentication is needed. If the operation completed
normally, no further work is performed. If authentication is needed, the module performs
whatever operations the custom authentication approach requires. These operations
include one or more of, but are not limited to: contacting one or more additional
systems or databases responsible for completing authentication, providing credentials
to those systems, and collecting a certificate, token, software assertion, or other
indication of successful authentication. The synchronization client then repeats the
original network operation and supplies the collected authentication indicator to
complete the authentication.
In many environments, authentication needs to be performed at periodic intervals,
or after a significant event such as a lost network connection or a software restart on
either the client or the server end. The module examines the result of each operation
before performing authentication. Where authentication has already been performed
recently, the previously collected authentication indicator is supplied with subsequent
network operations until those operations begin to fail again. A failure at that point
indicates the need to authenticate again, signalled either by another authentication
failure or by some form of "credential expiration" error.
In order to support the broadest collection of corporate environments, the synchronization
software can also make requests to the server using any of the known standard
authentication methods (such as Basic, Digest, or Kerberos), either before or after the
authentication described above.
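The call flow described above (operation, authentication-required response, module
collects an indicator, retry, indicator reused until it expires) as an added worked
example. This is illustrative code written for this page, not the disclosure's own
implementation: the server, its token lifetime, the credential values, and the
AuthModule interface are all constructed assumptions standing in for the HTTP calls and
corporate authentication systems a real deployment would use.

```python
from dataclasses import dataclass
from typing import Optional, Protocol


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (constructed for this example)."""
    status: int          # 200 = completed normally, 401 = not authenticated / credential expired
    body: str = ""


class FakeSyncServer:
    """Constructed stand-in for the synchronization server and its auth system.

    Operations succeed only when a valid token is presented. Tokens are issued
    by issue_token() (standing in for a separate authentication system) and
    expire after token_lifetime uses, which exercises the "credential
    expiration" path the disclosure describes.
    """

    def __init__(self, token_lifetime: int = 3):
        self.token_lifetime = token_lifetime
        self._valid: dict[str, int] = {}   # token -> remaining uses
        self._issued = 0
        self.auth_round_trips = 0          # how often the auth system was contacted

    def issue_token(self, username: str, password: str) -> str:
        # Constructed credential check; a real module would contact Kerberos,
        # a SAML identity provider, or whatever the custom approach requires.
        self.auth_round_trips += 1
        if (username, password) != ("alice", "s3cret"):
            raise PermissionError("authentication system rejected the credentials")
        self._issued += 1
        token = f"tok-{self._issued}"
        self._valid[token] = self.token_lifetime
        return token

    def handle(self, op: str, token: Optional[str]) -> Response:
        remaining = self._valid.get(token or "", 0)
        if remaining <= 0:
            # Covers both "never authenticated" and "credential expired".
            return Response(401, "authentication required")
        self._valid[token] = remaining - 1
        return Response(200, f"ok:{op}")


class AuthModule(Protocol):
    """Interface the synchronization client expects from a pluggable module (assumed)."""

    def needs_auth(self, resp: Response) -> bool: ...
    def authenticate(self) -> str: ...


class CustomTokenAuth:
    """One custom authentication approach, plugged into the flow of network calls."""

    def __init__(self, server: FakeSyncServer, username: str, password: str):
        self.server, self.username, self.password = server, username, password

    def needs_auth(self, resp: Response) -> bool:
        # Examine the result of the network operation; only a 401 triggers work.
        return resp.status == 401

    def authenticate(self) -> str:
        # Contact the authentication system and collect the indicator (here a token).
        return self.server.issue_token(self.username, self.password)


class SyncClient:
    """Synchronization client that caches the authentication indicator."""

    def __init__(self, server: FakeSyncServer, module: AuthModule):
        self.server = server
        self.module = module
        self.indicator: Optional[str] = None   # reused until operations start failing again

    def call(self, op: str) -> Response:
        resp = self.server.handle(op, self.indicator)
        if not self.module.needs_auth(resp):
            return resp                        # completed normally: no further work
        # First call, or the cached indicator expired: authenticate once and retry.
        self.indicator = self.module.authenticate()
        resp = self.server.handle(op, self.indicator)
        if self.module.needs_auth(resp):
            # Retrying forever would hammer the auth system; surface the failure instead.
            raise PermissionError(f"{op!r} still unauthenticated after re-authentication")
        return resp


def demo(token_lifetime: int = 3, calls: int = 5) -> tuple[list[str], int]:
    """Run several operations; return their bodies and the auth round trips used."""
    server = FakeSyncServer(token_lifetime)
    client = SyncClient(server, CustomTokenAuth(server, "alice", "s3cret"))
    bodies = [client.call(f"put file{i}").body for i in range(calls)]
    return bodies, server.auth_round_trips
```

With a token good for three operations, five calls cost only two trips to the
authentication system: the indicator is reused silently until the server starts
rejecting it, and a single bounded retry distinguishes an expired credential from a
genuinely failing authentication.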
For desktop implementations, the method and system use preferences with desktops
and a managed mode model for file synchronization. The purpose of characterizing
desktops and the managed mode model through preferences in the file synchronization
software is to organize a user's file synchronization structure. Specifically, a user
can synchronize with a provided server and mark the server as a desktop. The user
can synchronize with multiple servers with different Uniform Resource Locators (URLs),
configurations, or credentials. Thus, the user is allowed to synchronize files
with multiple different repositories. In addition, the file synchronization server can be
set into a managed mode, which allows the server to dictate whether file synchronizations
are performed at an interval, manually, or continuously. The server can also dictate
the folder depth to which a client can synchronize. The ability to enable the file
synchronization software to synchronize based on different desktops, each of which has
its own credentials, repository or server location, and authentication mechanism,
assists users in selective synchronization.
In addition, the managed mode in the file synchronization software enables an
administrator of a server or repository to set limitations on users of the server or
repository to effectively manage synchronizations. The administrator can set whether file
synchronizations are performed constantly or on an interval basis, to reduce network
or server load.
The synchronization software utilizes a username, password, and URL as a unique
combination to identify a specific connection to synchronize with a specific repository or
server. The synchronization software allows the user to identify a variety of locations to
synchronize using a single client. The synchronization software also allows the user to
pre-specify a list of desktop connections to be made in the configuration file or in a
predefined file. Further, the synchronization software allows the user to use a
different authentication approach for each desktop connection, such as Kerberos,
basic, SAML, or a custom authentication. Thus, users have a wide range of
flexibility to synchronize across devices and desktops.
With the managed mode, the server is able to push down synchronization interval and
folder level settings. The synchronization client consumes the managed mode settings
and overrides its own settings with them. The user's client is able
to specify servers and the type of authentication required for synchronization.
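An added example of the desktop-connection and managed-mode model from the last three
paragraphs: connections keyed by the (username, password, URL) triple, each carrying its
own authentication approach, loaded from a pre-specified list, plus a server policy that
overrides the client's interval and folder-depth settings when managed mode is on. This
code is written for this page, not taken from the disclosure; the JSON layout of the
configuration file, the policy field names, and the sample hostnames are assumptions.

```python
import json
from dataclasses import dataclass, replace
from typing import Optional

SUPPORTED_AUTH = {"basic", "digest", "kerberos", "saml", "custom"}
SCHEDULES = {"manual", "interval", "continuous"}


@dataclass(frozen=True)
class DesktopConnection:
    """One 'desktop': a repository or server the client synchronizes with."""
    url: str
    username: str
    password: str
    auth: str                      # authentication approach used for this connection

    @property
    def key(self) -> tuple[str, str, str]:
        # Username, password and URL together identify one connection.
        return (self.username, self.password, self.url)


def load_connections(config_text: str) -> list[DesktopConnection]:
    """Parse the pre-specified desktop list from a JSON configuration (assumed layout)."""
    raw = json.loads(config_text)
    connections: dict[tuple[str, str, str], DesktopConnection] = {}
    for entry in raw.get("desktops", []):
        auth = str(entry.get("auth", "basic")).lower()
        if auth not in SUPPORTED_AUTH:
            raise ValueError(f"unsupported authentication approach {auth!r} for {entry.get('url')!r}")
        conn = DesktopConnection(url=entry["url"], username=entry["username"],
                                 password=entry["password"], auth=auth)
        # Two entries with the same (username, password, url) are the same connection.
        connections.setdefault(conn.key, conn)
    return list(connections.values())


@dataclass(frozen=True)
class SyncSettings:
    """Client-side preferences that managed mode may override."""
    schedule: str                            # "manual" | "interval" | "continuous"
    interval_minutes: Optional[int] = None
    max_folder_depth: Optional[int] = None   # None = unlimited


def effective_settings(client: SyncSettings, server_policy: dict) -> SyncSettings:
    """Apply a managed-mode policy received from the server over the client's own settings."""
    if not server_policy.get("managed", False):
        return client                        # server not in managed mode: client settings stand
    schedule = server_policy.get("schedule", client.schedule)
    if schedule not in SCHEDULES:
        raise ValueError(f"server sent unknown schedule {schedule!r}")
    interval = server_policy.get("interval_minutes", client.interval_minutes)
    if schedule == "interval" and (interval is None or interval <= 0):
        raise ValueError("interval schedule requires a positive interval_minutes")
    depth = server_policy.get("max_folder_depth", client.max_folder_depth)
    return replace(client, schedule=schedule,
                   interval_minutes=interval if schedule == "interval" else None,
                   max_folder_depth=depth)


def folder_allowed(relative_path: str, settings: SyncSettings) -> bool:
    """True if a folder at this depth below the synchronization root may be synchronized."""
    parts = [p for p in relative_path.strip("/").split("/") if p and p != "."]
    if ".." in parts:
        return False                         # never follow a path that escapes the sync root
    return settings.max_folder_depth is None or len(parts) <= settings.max_folder_depth


# Constructed configuration: two desktops, the first one listed twice.
SAMPLE_CONFIG = """{
  "desktops": [
    {"url": "https://files.corp.example/repo", "username": "alice", "password": "s3cret", "auth": "kerberos"},
    {"url": "https://hr.corp.example/docs",    "username": "alice", "password": "hr-pw",  "auth": "saml"},
    {"url": "https://files.corp.example/repo", "username": "alice", "password": "s3cret", "auth": "kerberos"}
  ]
}"""

# Constructed managed-mode policy as a server might return it.
SAMPLE_POLICY = {"managed": True, "schedule": "interval", "interval_minutes": 15, "max_folder_depth": 3}
```

The duplicate entry collapses to one connection, each surviving connection keeps its own
authentication approach, and the server's managed-mode policy replaces the client's
"continuous" preference with a 15-minute interval and a three-level folder limit; a
server that is not in managed mode leaves the client's settings untouched.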
Thus, the disclosed method and system allow a variety of corporate authentication
approaches to be used in synchronization software.
* Product and service names used in this article might be trademarks or service marks
of their respective owners.