US20020029269A1 - Methods and systems for coordinating the termination of sessions on one or more systems - Google Patents

Abstract

The present invention extends to methods and systems for providing a seamless user interface to one or more web-based external systems and applications that monitor and control access to information, products, and/or services provided by such web-based external systems. Accordingly, the methods and systems enable a user to utilize a single web-based graphical user interface to access external systems with minimal input from the user. Further, the invention coordinates the log-on, log-out, and time-out of the user from the external systems so that user has a seamless on-line experience. The user remains logged into each of the external systems so long as the user is logged into a main system and can log out of all the external systems by logging out of the main system. In addition, the user is not timed out of any external system unless the user is timed out of the main system.

Description

CROSS-REFERENCE TO RELATED APPLICATIONS
• This application claims priority of U.S. Provisional Application Ser. No. 60/214,937, filed Jun. 29, 2000. Reference is made to co-pending U.S. patent application Ser. No. ______, filed ______, entitled “Methods and Systems for Coordinating Sessions on One or More Systems,” the disclosure of which is incorporated herein by this reference.[0001]
BACKGROUND OF THE INVENTION
• 1. Field of the Invention[0002]
• The present invention relates to facilitating communication between various disparate applications and systems. More specifically, the present invention relates to logging into and out of multiple disparate applications and systems, while enabling such applications and systems to track the activities of the user and maintain state. Further, the present invention relates to providing an interface for the user that seamlessly displays information and data from the multiple disparate applications and systems as user accesses the same applications and systems.[0003]
• 2. The Relevant Technology[0004]
• Storing and controlling information and knowledge has been a continual challenge and pursuit of individuals and businesses alike. From managing access to information stored on paper or microfilm products to protecting information stored on magnetic or optical media, individuals and businesses attempt to control access to and use of selected information. With advances in technology in recent years, the amount of available information has increased dramatically, with the potential for growth in the quantity and quality of available information in the future.[0005]
• One development that promotes access to different information and knowledge is the Internet. Through the Internet, individuals and businesses can access an assortment of repositories containing varied materials. Typically, web-based repositories limit access to their resources through requiring users to open an account or otherwise become a registered user. Users of these sites commonly create a user account through a registration process that lets the user choose a user identity and a password; i.e. “credentials.” Once registered, the user can login to the web site and access the protected resources within the repository.[0006]
• In addition to the Internet, many organizations and businesses develop intranets or networks to populate information and knowledge between the members of the organization or business. Typically, such intranets are based upon TCP/IP protocols, and are accessible only to authorized employees or users associated with the particular organization or business. These intranets can display information and knowledge as web pages and can use uniform resource locators (URLs) to identify the location of such web pages within the intranet.[0007]
• One type of organization that can use an intranet is a university or similar institution. A university's intranet typically connects the various buildings and departments and facilitates communication between students, faculty, alumni, and university administration. The user of the network will have a credential to access certain information available through the network. Unfortunately, each user may have multiple identities and credentials to access multiple repositories or different services provided by the university or institution. For instance, a user may use one set of credentials to access an electronic mail (email) account, while using a different set of credentials to access their library account.[0008]
• Further, each user may have multiple identities and credentials to access external systems or applications not included within the university's network, but which they frequently access from university computers. For example, a student may have credentials allowing the student to use online research resources related to the student's major. Consequently, many users must remember multiple identities and credentials to access different information repositories or services accessible through the university's intranet and the Internet. Attempting to remember multiple identities and credentials is problematic and provides a fertile field for forgotten or inaccurately input identity information or credentials as a user attempts to access resources and information.[0009]
• In addition to problems associated with remembering multiple identities and credentials, various systems or applications accessible through the intranet or Internet typically require each user to separately access such systems or platforms. For instance, a user may research a project using a third-party system, enroll in courses through another application, system, or platform, and send electronic mail messages through yet another application or system. The user, therefore, must switch from one application or system to another to perform the desired activities and input the requisite identity and credential information. This is a time consuming and tedious process to perform each time a user changes activities.[0010]
• Accordingly, there is a need for improved methods and systems that overcome or avoid the above problems and limitations.[0011]
SUMMARY OF THE INVENTION
• The present invention provides systems and methods to present a seamless user interface as a user accesses different web-based external systems, while maintaining the independence of the external systems. The systems and methods enable each external system to maintain state with each user through creating a session for each user that accesses the external systems. Thus, each external system can track user activity on the external system and consequently maintain state. Further, the present invention provides systems and methods to enable a user to create a session on the information system; thereby enabling the information system to track user activity on the information system and consequently maintain state. Additionally, the present invention provides systems and methods to enable the information system, or modules, components, platforms, or the like of the information system to create a session on the external system; thereby enabling the information system to track actions and activities of the external system and consequently maintain state.[0012]
• According to another aspect of the present invention, each user need only login to the information system and he/she will have automatic access to the other external systems accessible within or through the information system. Similarly, when a user logs-out of the information system, the information system directs the information system to log-out the user from all of the other systems that the user has an active session. Further, the information system maintains the user's login status to those web-based external systems accessed by the user unless there is no activity within a given time period at any of the web-based external systems accessed by the user during that session, i.e., the user's session has timed-out and the external system has terminated the session due to the inactivity of the user.[0013]
• When a user has been inactive on the information system for a period of time greater than a period defined by an administrator of the information system, i.e., the time-out period, the information system terminates the user's session on the information system. This process is known as being timed-out. Each of the external systems can perform a similar process when the user does not perform an action or input on the external system for an extended period of time.[0014]
• In one configuration, the information system, such as a university system, includes an integration module that acts as a hub to control access to each of the various systems forming the information system or other systems accessible through the information system. The integration module is adapted to enable a user to login to the information system, while also controlling access to the web-based external systems. Further, the integration module can offer a user multiple services, such as but not limited to e-mail, chat rooms, or the like. This integration module includes a graphical user interface through which the user can input identity information, credentials, and other information, receive information, receive prompts to input additional information, or the like.[0015]
• This graphical user interface facilitates a seamless user experience. In this experience, the user needs only to login to the integration module, and the user will have automatic access to the other web-based external systems, whether such systems are included within the information system or otherwise accessible through the integration module. This is made possible by the integration module sending a request along with an identifier of the user to the external system and requesting authentication on behalf of the user. The external system uses one of a number of authentication schemes to authenticate the user and establish a session in their system for the identified user. Simultaneously, a session is created between the information system and the external system, thereby allowing the information system to maintain state.[0016]
• Upon a successful authentication response from the external system, the information system can transparently redirect the uniform resource locator (URL) of the user's browser to the external system, giving the utilized by the user the experience of seamless integration between the two systems.[0017]
• According to another aspect, the integration module can also log-out or terminate sessions on the external systems when a user's session is voluntarily or involuntarily terminated. This can be achieved voluntarily when a user logs-out, or involuntarily when a user has an extended period of inactivity upon the information system or one of the various web-based external systems. When the user session ends on the web-based integration module, i.e., the user logs-out or is timed-out, the information system will send a request along with an identifier of the user to one or more external systems and request that the user's session be terminated on those systems.[0018]
• This coordinated log-out and time-out provides the benefit of reduced web server resources, higher security by allowing normal time-outs to occur, and sets up the overall interaction and system state to allow quick and automatic re-authentication to any of the resources previously accessible to the users of the system. In this manner, the integration module can control a user's access to various web-based systems and applications.[0019]
• Additionally, the invention provides methods for centralizing time-out of the user from the entire system and for maintaining the user's seamless experience even where the user has timed-out of the external system. One such system provides a method for providing a time-out from one or more of the information system and the external system.[0020]
• The method can include transmitting to one or more external systems to which a user has an established session a request to specify the last active time of the user on the one or more external systems. This is performed when the system has verified that a logged-in user has not accessed the integration module within a specified minimum logout period.[0021]
• After the integration module receives a response that either identifies the last activey time of the user on the external system or indicates that the user is not logged-in to such external system, the integration module records the most recent activity time of the user on the integration module and the one or more external systems as the most recent activity time of the user in the integration module. Finally, if the most recent activity time of the user is outside a specified minimum time-out period, the integration module logs the user out of the integration module and actively logs-out or de-authenticates the user from each external system to which the user is logged-in.[0022]
• According to yet another embodiment of the invention, after the integration module receives notification that a user has been denied access to one or more external systems, i.e., the user attempts to access a session on an external system which has been timed-out because of inactivity of the user, the integration module searches for access information associated with the one or more external systems. Upon locating the access information related to the user for a particular external system, the integration module interfaces with the one or more external systems to re-establish the user's session on the external system, thereby enabling the user to access the external system. Preferably, the user is unaware of this re-authentication process, thereby preserving a seamless on-line experience.[0023]
• Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the invention. The features and advantages of the invention may be realized and obtained by means of the instruments and combinations particularly pointed out in the appended claims. These and other features of the present invention will become more fully apparent from the following description and appended claims, or may be learned by the practice of the invention as set forth hereinafter.[0024]
BRIEF DESCRIPTION OF THE DRAWINGS
• To further clarify the above and other advantages and features of the present invention, a more particular description of the invention will be rendered by reference to specific embodiments thereof which are illustrated in the appended drawings. It is appreciated that these drawings depict only typical embodiments of the invention and are therefore not to be considered limiting of its scope. The invention will be described and explained with additional specificity and detail through the use of the accompanying drawings in which:[0025]
• FIG. 1 illustrates an exemplary system that provides a suitable operating environment for the present invention;[0026]
• FIG. 2 is a generalized schematic representation of one illustrative system of the present invention;[0027]
• FIG. 3 is a more detailed schematic representation of one illustrative system of the present invention;[0028]
• FIG. 4 is an illustration of a graphical user interface according to the present invention;[0029]
• FIG. 5 is a detailed schematic representation of the interaction between selected modules of the system illustrated in FIGS.[0030]2-3 as the authentication process utilizes a URL rewriting technique;
• FIG. 6 is another detailed schematic representation of the interaction between selected modules of the system illustrated in FIGS.[0031]2-3 as the authentication process uses cookies;
• FIG. 7 is a flow diagram representing an illustrative flow of data through the system illustrated in FIGS.[0032]2-3;
• FIG. 8 is another more detailed schematic representation of the interaction between selected modules when a user logs-out of the information system of the system illustrated in FIGS.[0033]2-3;
• FIG. 9 is another flow diagram representing an illustrative flow of data through the system of the present invention upon the occurrence of the user logging out of the information system as illustrated in FIG. 8;[0034]
• FIG. 10 is yet another more detailed schematic representation of the interaction of selected modules when the user is timed-out from his/her access to the integration module of the system illustrated in FIGS.[0035]2-3;
• FIG. 11 is still another flow diagram representing an illustrative flow of data through the system illustrated in FIGS.[0036]2-3 when the user is timed-out from the integration module as illustrated in FIG. 10;
• FIG. 12 is a more detailed schematic representation of the interaction of some of the modules of the system illustrated in FIGS.[0037]2-3 when a user requests access to an external system from which the user has been timed-out or logged-out due to inactivity; and
• FIG. 13 is a flow diagram representing an illustrative flow of data through the system illustrated in FIGS.[0038]2-3 upon the occurrence of the event depicted in FIG. 12.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
• The present invention extends to methods and systems for providing a seamless user interface to one or more web-based external systems and applications that monitor and control access to information, products, and/or services provided by such web-based external systems. Accordingly, the methods and systems enable a user to utilize a single web-based graphical user interface to access multiple external systems with minimal input from the user. Further, the methods and systems of the invention coordinate the log-on, log-off, and timing-out of the user from the external systems so that user has a seamless user interface experience. The present invention provides integration through a URL-based application program interface (API) allowing external systems to integrate their Web-based applications within the systems of the present invention. The embodiments of the present invention may comprise a special purpose or general-purpose computer including computer hardware, as discussed in detail below.[0039]
• Embodiments within the scope of the present invention also include computer-readable media for carrying or having computer-executable instructions or data structures stored thereon. Such computer-readable media can be any available media that can be accessed by a general purpose or special purpose computer. By way of example, and not limitation, such computer-readable media can comprise RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to carry or store desired program code means in the form of computer-executable instructions or data structures and which can be accessed by a general purpose or special purpose computer. When information is transferred or provided over a network or another communications connection (either hardwired, wireless, or a combination of hardwired or wireless) to a computer, the computer properly views the connection as a computer-readable medium. Thus, any such connection is properly termed a computer-readable medium. Combinations of the above should also be included within the scope of computer-readable media. Computer-executable instructions comprise, for example, instructions and data which cause a general purpose computer, special purpose computer, or special purpose processing device to perform a certain function or group of functions.[0040]
• FIG. 1 and the following discussion are intended to provide a brief, general description of a suitable computing environment in which the invention may be implemented. Although not required, the invention will be described in the general context of computer-executable instructions, such as program modules, being executed by computers in network environments. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. Computer-executable instructions, associated data structures, and program modules represent examples of the program code means for executing steps of the methods disclosed herein. The particular sequence of such executable instructions or associated data structures represents examples of corresponding acts for implementing the functions described in such steps.[0041]
• Those skilled in the art will appreciate that the invention may be practiced in network computing environments with many types of computer system configurations, including personal computers, hand-held devices, multi-processor systems, microprocessor-based or programmable consumer electronics, network PCs, minicomputers, mainframe computers, and the like. The invention may also be practiced in distributed computing environments where tasks are performed by local and remote processing devices that are linked (either by hardwired links, wireless links, or by a combination of hardwired or wireless links) through a communications network. In a distributed computing environment, program modules may be located in both local and remote memory storage devices.[0042]
• With reference to FIG. 1, an exemplary system for implementing the invention includes a general-purpose computing device in the form of a[0043]conventional computer20, including aprocessing unit21, asystem memory22, and asystem bus23 that couples various system components including thesystem memory22 to theprocessing unit21. Thesystem bus23 may be any of several types of bus structures including a memory bus or memory controller, a peripheral bus, and a local bus using any of a variety of bus architectures. The system memory includes read only memory (ROM)24 and random access memory (RAM)25. A basic input/output system (BIOS)26, containing the basic routines that help transfer information between elements within thecomputer20, such as during start-up, may be stored inROM24.
• The[0044]computer20 may also include a magnetichard disk drive27 for reading from and writing to a magnetichard disk39, amagnetic disk drive28 for reading from or writing to a removablemagnetic disk29, and anoptical disk drive30 for reading from or writing to removableoptical disk31 such as a CD-ROM or other optical media. The magnetichard disk drive27,magnetic disk drive28, andoptical disk drive30 are connected to thesystem bus23 by a harddisk drive interface32, a magnetic disk drive-interface33, and anoptical drive interface34, respectively. The drives and their associated computer-readable media provide nonvolatile storage of computer-executable instructions, data structures, program modules, and other data for thecomputer20. Although the exemplary environment described herein employs a magnetichard disk39, a removablemagnetic disk29 and a removableoptical disk31, other types of computer readable media for storing data can be used, including magnetic cassettes, flash memory cards, digital versatile disks, Bernoulli cartridges, RAMs, ROMs, and the like.
• Program code means comprising one or more program modules may be stored on the[0045]hard disk39,magnetic disk29,optical disk31,ROM24 orRAM25, including anoperating system35, one ormore application programs36,other program modules37, andprogram data38. A user may enter commands and information into thecomputer20 throughkeyboard40, pointingdevice42, or other input devices (not shown), such as a microphone, joy stick, game pad, satellite dish, scanner, or the like. These and other input devices are often connected to theprocessing unit21 through aserial port interface46 coupled tosystem bus23. Alternatively, the input devices may be connected by other interfaces, such as a parallel port, a game port, or a universal serial bus (USB). Amonitor47 or another display device is also connected tosystem bus23 via an interface, such asvideo adapter48. In addition to the monitor, personal computers typically include other peripheral output devices (not shown), such as speakers and printers.
• The[0046]computer20 may operate in a networked environment using logical connections to one or more remote computers, such asremote computers49aand49b.Remote computers49aand49bmay each be another personal computer, a server, a router, a network PC, a peer device or other common network node, and typically include many or all of the elements described above relative to thecomputer20, although onlymemory storage devices50aand50band their associatedapplication programs36aand36bhave been illustrated in FIG. 1. The logical connections depicted in FIG. 1 include a local area network (LAN)51 and a wide area network (WAN)52 that are presented here by way of example and not limitation. Such networking environments are commonplace in office-wide or enterprise-wide computer networks, intranets, and the Internet.
• When used in a LAN networking environment, the[0047]computer20 is connected to thelocal network51 through a network interface oradapter53. When used in a WAN networking environment, thecomputer20 may include amodem54, a wireless link, or other means for establishing communications over thewide area network52, such as the Internet. Themodem54, which may be internal or external, is connected to thesystem bus23 via theserial port interface46. In a networked environment, program modules depicted relative to thecomputer20, or portions thereof, may be stored in the remote memory storage device. It will be appreciated that the network connections shown are exemplary and other means of establishing communications overwide area network52 may be used.
• Referring now to FIG. 2, depicted is a schematic representation of one illustrative system utilizing the benefits of the present invention. As shown, the system, as designated by[0048]reference numeral100, includes one or more user modules102a-102nthat communicate withinformation system108 throughnetwork106. Optionally, anexternal repository104 communicates withinformation system108 throughnetwork106.
• The use of the term “communicate with” or the like terms as used herein is understood by one skilled in art to include any type of applicable connectivity or communication line connection between hardware and/or software modules and components of[0049]system100. Such a connection or connectivity can include, but is not limited to, transmitting and receiving electrical, wireless, or data signals, physical connection between hardware modules, virtual connection between software modules, optical connection, combinations thereof, or the like.
• Each user modules[0050]102a-102ncan represent an user or group of users that desire to access the resources and services associated withinformation system108 through one or more hardware and/or software modules. Alternatively, each user module102a-102ncan represent solely the hardware and/or software modules utilized by one or more users to accessinformation system108. Consequently, each user module102a-102ncan represent a browser that facilitates communication withinformation system108 and access to the web-based applications and systems accessible therein or therethrough. In one configuration, the browser can be Microsoft® Internet Explorer, Netscape® Navigator or Communicator, or other browser applications known by one skilled in the art.
• Besides user modules[0051]102a-102n,information system108 can communicate withexternal repository104. Although only a singleexternal repository104 is depicted, one skilled in the art can appreciate thatsystem100 can include multiple external repositories.External repository104 acts as a data or information store accessible toinformation system108 and/or user modules102a-102n. The information and data stored withinexternal repository104 can be related or unrelated to the operation of an organization or institution that hostsinformation system108.
• The[0052]external repository104 can store different types of data and information within a database, whether hierarchical, relational, flat, or other database structure, including related database management systems (not shown). Such database can include modular or fixed memory, magnetic storage disks, optical storage media, or other mass storage for storing the information and data.External repository104 can also include on-line web-based services that are hosted at various web sites, such as, for example, Infospace® or other web sites offering services such as news and information, retail purchasing, etc.
• Facilitating communication between user modules[0053]102a-102n,external repository104, andinformation system108 isnetwork106.Network106 can have many configurations, such as but not limited to a local area network (LAN) or a wide area network (WAN), no matter the particular type of topology, protocol, or architecture used to formnetwork106, so long asnetwork106 allows data transmission between user modules102a-102n,external repository104, andinformation system108. Although FIG. 2 depicts user modules102a-102ncommunicating withexternal repository104 vianetwork106, one skilled in the art can understand that user modules102a-102ncan optionally communicate directly withexternal repository104 withoutnetwork106.
• To prevent unwanted access to[0054]information system108,system100 can optionally include afirewall110.Firewall110 can use various techniques to protectinformation system108 and the various other modules and components on the information system side ofsystem100 from unwanted access by users not meeting the designated security criteria or having the correct credentials. For instance, and not by limitation,firewall110 can use a packet filter technique, an application gateway, a circuit-level gateway, a proxy server, other hardware and/or software modules and components, combinations thereof, or the like to prevent or control unwanted access toinformation system108.
• In one setting,[0055]information system108 provides services and information about a university or to students, faculty, administration, and/or alumni of a university. For instance,information system108 can allow a user, through a user module, to access information about classes, enrollment, libraries, work opportunities, administrative applications or systems, or the like. Additionally, both students and faculty can e-mail one another, post assignments and projects, view calendared events for the institution, or the like.
• Although reference is made to application of the present invention within an information system hosted by a university, one skilled in the art can understand that various other organizations or institutions can utilize the benefits of the present invention. For example, embodiments of the present invention can be used with any organization or institution that includes one or more users that can receive electronic communication, i.e. instant messages, email, announcements, or the like, and would benefit from receiving such electronic communication.[0056]
• Referring now to FIG. 3, discussion will be made with respect to the functionality and capabilities of[0057]information system108 as it relates to a university environment. Although reference is made to application of the present invention within a university, one skilled in the art can understand that various other organizations or institutions can utilize the benefits of the present invention.
• As shown,[0058]information system108 can include anintegration module120 that communicates with astudent information module122, alegacy module124, athird party module126, and one or more other future modules, as represented byreference numeral128. Further,information system108 can include user modules130a-130nthat can accessintegration module120,student information module122,legacy module124,third party module126, andfuture modules128 without passing throughfirewall110. Such user modules130a-130ncan include administrative personnel, technical personnel, IT personnel, students, faculty, or the like that access information through the university's intranet. For convenience, and not by way of limitation, user modules102a-102nand130a-130nwill hereinafter be referred to collectively as user modules102a-102n.
• While the various embodiments of the present invention are described as utilizing a[0059]localized integration module120 to coordinate the seamless interface, login, log-out, and time-out, it will be appreciated that other systems known in the art can be utilized in place ofintegration module120 to coordinate various inventive aspects of the invention. For instance, in another configuration, a centralized host system can be used to facilitate coordinated login and logout of a user frominformation system108 and various other systems or applications.
• The[0060]student information module122,legacy module124,third party module126,future module128, and user modules102a-102nact as external systems with respect tointegration module120. Consequently, each of these modules is considered as an external system and collectively as external systems. More generally, any module, system, application, or platform not included inintegration module120 can be considered as an external system.
• These external systems can typically uniquely identify users of the system, allow users to access the services or products of the external system though establishing a session, can track a particular user's session, and can terminate access by the user when the user is timed-out. Additionally, the external systems can deliver to and receive information and data from[0061]integration module120, thereby enablingintegration module120 to maintain a session with the external systems and hence maintain state. Although reference is made to certain functionality of the external systems, it can be appreciated that the external systems can have a variety of other functionality. For example, student calendar information, content management application functionality, or the like.
• [0062]Integration module120 and the external systems are web-based systems that are identified by a domain, where each web page, on-line document, or other products or services available viaintegration module120 and the external systems are described by uniform resource locators (URLs). These URLs having a domain name and/or arguments that define the particular location of each portion ofsystem100.
• [0063]Integration module120, as the name implies, controls access to and communication between the disparate modules and systems ofsystem100. This can be achieved through use of a variety of different networks, such as but not limited to those types of network discussed herein with respect tonetwork106, whether or not such network is considered as an intranet.
• In one configuration,[0064]integration module120 acts as the hub ofinformation system108, optionally with all communication between user modules102a-102nand the external systems ofinformation system108 passing throughintegration module120. Therefore,integration module120 can act as a portal through which user modules102a-102ncan access the web-based external systems ofsystem100, including those external systems remote frominformation system108. Consequently,integration module120 can be configured to communicate with each external system, i.e., deliver information or data to the external systems and receive information and data therefrom, no matter the type or configuration of the external system. Therefore,integration module120 is configured to create a session with the external systems and maintain state, while user modules102a-102ncreate a session with the external systems.
• Although, in one embodiment,[0065]integration module120 controls access to the various other external systems, one skilled in the art can appreciate that each of the external systems ofsystem100 can communicate one with another, without communicating throughintegration module120.
• In addition to the above,[0066]integration module120 can include at least oneapplication132 that provides a user ofintegration module120 with the functionality described herein, such as but not limited to, university services and courses, information about classes, enrollment, libraries, work opportunities, e-mail, notices, assignments and projects, or the like. Additionally,application132 can generate and/or control an interface through which user modules102a-102ncan access the external systems ofsystem100 and the services provided byinformation system108 andintegration module120. Thisapplication132 provides user modules102a-102nwith a seamless navigation experience between all accessible systems, modules, and platforms ofsystem100, while providing various services that are useful to the users ofsystem100.
• It can be understood that[0067]integration module120 can include a plurality of applications, as illustrated by the dotted representation of asecond application132, whether or not they are external or remote tointegration module120 and/orinformation system108. The services accessible viaapplication132 can include, but are not limited to, (i) security functions to protect access to sensitive information ofinformation system108, (ii) e-mail services for those users accessinginformation system100, (iii) chat room services, (iv) message board services, (v) calendar services, or the like. These services can be integrated with the existing services provided by the other modules and systems ofsystem100, such as the external systems. The services can be integrated through coding changes to existing applications or by some other manner known by one skilled in the art in light of the teaching contained herein.
• As described in this illustrative configuration, access to one or more of such external systems can be limited to those users having the correct credentials, such as but not limited to user identifiers and passwords. To facilitate this,[0068]integration module120 can include adatabase134 filled with user accounts and associated access information, i.e., identifiers, user names, user identifiers, passwords, other credentials, or the like. Thisdatabase134 can be populated with the access information by importing such information from other systems, applications, and platforms, such asstudent information module122,legacy module124,third party module126,future module128, or other external systems. Alternatively, access information can be input manually intodatabase134 and/or each of the applicable systems, applications, and platforms to provide consistency between the credentials or access information stored at the external systems and those stored atintegration module120.
• In addition to storing user access information, each user account can store the status of the user's session on[0069]integration module120 and the various external systems. For example, each user account can include a “last activity” attribute that defines the time or period when the user was last using the services or products related tointegration module120 or the external system. Further, each user account can include an “external session” attribute for each external system that the user can access. This external session attribute defines the session that the user is to commence upon accessing or authenticating to the external system. The external session attribute can include status information, i.e., active or inactive session, for the particular session and external system.
• Alternatively, the external session attribute can include no status information, rather the inclusion of an external session attribute defines that the user has an active session upon the particular external system. Consequently, in such a case, when no external session attribute is present, the user has no active session on that particular external system. Further, in such a case, the user receives a new external session attribute each time the user creates a session on the external system.[0070]
• Additionally, each user account can store the identifiers and credentials that enable the user or integration module to login to the external system. Further, each user account can include attributes or information about user's gender, class status, e.g., sophomore, junior, senior, etc., grade point average, full time, part-time, continuing education, teaching assistant, full names, email address, list of courses currently attending, roles, group memberships, courses taught, academic major and minor, data of birth, year in school, school address, home address, date of last login, or the like.[0071]
• The above information, and other appropriate information known to one skilled in the art, can be stored in a[0072]database134 included withinintegration module120. Optionally,integration module120 can include multiple databases, as illustrated in dotted lines, whether or not one or more of the databases are remote from integration module and/orinformation system108.
• One skilled in the art can identify various manners to obtain consistency between the various systems, applications, and platforms of[0073]system100 and/or populatedatabase134 with a list of the available identifiers and credentials for each user associated with each user module102a-102n.Database134 also optionally includes other information useful for production of the on-line document, such as user preferences, user names, and the like.
• [0074]Integration module120 is configured to facilitate use of a web-based application and system to assist with the performance of the methods described herein. These methods enable the user to access various external systems in a seamless manner from the point of view of the user that accessesintegration module120 and its associatedgraphical user interface132. Further, the methods allowintegration module120 to create a session on one or more of the external systems as a user requests access to each external system. This enables each external system, andintegration module120, to track the activities of the user associated with user modules102a-102nand maintain state.
• [0075]Integration module120 is configured to facilitate access to various external systems. Illustratively, the external systems depicted in FIG. 3 represent systems associated with a university or other educational institution. Other organizations or businesses can have external systems associated with other departments, divisions, peer groups, management, or the like. For instance, the external systems can be department specific, such as but not limited to, human resources, accounting, finance, manufacturing, sales, marketing, research and development, or the like. The external systems can be regional specific, Asia, Europe, South America, North America, Northwest, Midwest, East, West, South, North, or the like.
• As depicted in FIG. 3, one illustrative external system is[0076]student information module122 that represents, in one configuration, one of the many administrative system databases ofinformation system108. Thestudent information module122 stores information related to students, faculty, administration, alumni, or the like in a data store, such as one or more relational, hierarchical, flat or the like databases with associated database management systems, whether such databases are incorporated within one or more networked or standalone computers, such ascomputer20.
• The information stored within[0077]student information module122 can include, but is not limited to, student names, addresses, social security numbers, e-mail addresses, grades, classes completed or enrolled in, class schedules, faculty information, administration information, or the like. Although discussion is made herein to the above-recited information, one skilled in the art can appreciate that other information can be stored and accessed byintegration module120 and other modules described herein; based upon the particular application ofsystem100.
• Another module optionally forming part of[0078]information system108 islegacy module124. Thelegacy module124 includes, for example, existing mainframe, network, or personal computer systems on which the university or college executes software or maintains a database for conducting school business.Legacy module124 represents various applications and systems that a university or similar institution would currently have installed before incorporatingintegration module120 withininformation system108. These applications and systems often include, but are not limited to existing administration, finance, and enrollment systems and contain information such as course listings, course description, registration, grades, student information, student finances, student housing information, and the like. Theintegration module120 and the methods and systems described herein are configured to interface withlegacy module124 and control access to such existing systems and applications.
• As the names suggest,[0079]third party module126 andfuture modules128 represent additional systems and modules that can be added toinformation system108 at later dates, based upon the implementation of the various portions ofinformation system108. These systems can include numerous backup data storage repositories, research databases, libraries, or the like.
• Referring now to FIG. 4, embodiments of the present invention provide methods and systems for providing a user with a seamless user experience as the user accesses multiple, separate web-based systems. Depicted in FIG. 4 is one exemplary graphical user interface, designated by[0080]reference numeral150, through which the seamless user experience can be provided. Thegraphical user interface150 is depicted as aweb page152 displayable by a conventional browser, such as those browsers described earlier and those others known to one skilled in the art in light of the teaching contained herein.
• The[0081]interface150 includesbrowser toolbar155,information system header156, and externalsystem web page157. Thetoolbar155 provides various typical “tools” and functions to a user utilizinginformation system108. For example,browser toolbar155 can provide the functions and tools provided by Microsoft® Internet Explorer, Netscape® Navigator or Communicator, or other browser applications known by one skilled in the art.
• [0082]Information system header156 defines the different accessible portions ofinformation system108 and acts as an interface to various other web pages associated withininformation system108. As depicted,header156 uses a “tab” type interface where selecting a tab enables a user to navigate from web page to web page for the selected information. Although this is one embodiment,header156 can use various other navigating methods as known to those skilled in the art. For example,header156 can use drop-down menus, hypertext links, or the like. Although this is one embodiment, header408 can use various other navigating methods as known to those skilled in the art. For example, header408 can use drop-down menus, hypertext links, area maps, WML cards, JavaScript hierarchical menus, or the like.
• [0083]Header156 includes a customizedweb page tab164, which links to a user's customized web page that provides a user accessinginformation system108 with information and services typically utilized by the user, such as personalized announcements, calendar, news, or the like. In addition,header156, in this illustrative embodiment, includes aservices tab158 that enables an user to review course schedules, e-mail faculty, use message boards or chat with students and faculty, check grades, visit career and research resources, or the like.
• Additionally,[0084]header156 includes alife tab160 that provides an user with weather information, club listing, other organization listings, upcoming event information, access to a user modifiable web page listing the above, or the like. Further,header156 includes aweb life tab162 that provides short cuts or hypertext links to music, videos, online stores, online media and entertainment, or the like available on the World Wide Web. In addition to the above,header156 can includeicons166 and168 that provide links to an email system and administrative systems or web sites, respectively.
• As shown in FIG. 4,[0085]services tab158 is selected, thereby accessing a particular externalsystem web page157 that displays a variety of available services. This web page provides a further directory of links to various administrative services that provides access to specific web sites associated with the organization, such aspersonal information170,alumni services172,employee services174, student services andfinancial aid176, andfaculty services178.
• By providing[0086]header156, the system provides a seamless user interface as the user module navigates through various external systems, such as those depicted in FIG. 4. Preferably, the external systems can be designed to match the overall style and appearance ofheader156, thereby enhancing the seamless experience.
• [0087]Graphical user interface150 further provides an interface through which users can access the external systems ofsystem100 and the services provided byinformation system108 andintegration module120. This graphical user interface provides each user with a seamless navigation experience between the accessible systems, modules, and platforms ofsystem100, while providing various services that are useful to the users ofsystem100, such as but not limited to, those described with respect totabs158,160,162, and164 andicons166 and168.
• Creation of a seamless user experience utilizes an always-present user interface to select application functionality and coordinate any changes to the user interface. In FIG. 4, the always-present user interface is graphically depicted as[0088]header156. Accordingly,integration module120 preferably contains means for generating a user interface. Theintegration module120 can also contain the Hypertext Markup Language (HTML) necessary to generateheader156. Although reference is made to HTML, it can be understood thatintegration module120 can contain data or instructions to generateheader156, and more generally interface150, in a variety of other languages. For example,integration module120 can use Extensible Markup Language (XML), Extensible Hypertext Markup Language (XHTML), Wireless Markup Language (WML), or the like.
• As discussed above, one aspect of the present invention is a coordinated login to the various external systems. The[0089]integration module120 facilitates “single sign-on” of a user through user modules102a-102ntointegration module120 and one or more of the external system. Accordingly,integration module120 controls the manner by which a user can login to the different external systems, while controlling the manner by which these users can log-out of the external systems.Integration module120 enables the user to login once toinformation system108 and subsequently optionally dynamically and/or automatically “logging in” the user to each external system as the user selects to access each external system. In this manner,integration module120 integrates the various external systems associated withsystem100 and creates a seamless interface for a user that accessesintegration module120 and the external systems through one or more of user modules102a-102n.
• By allowing “single sign-on,”[0090]integration module120 substantially eliminates the need for each user to remember every user identifier and credential and use such identifier and credentials each time the user wishes to access each external system through user modules102a-102n. In addition,integration module120 is configured to create a user session on each external system as each particular user access the external system through user module102a-102n. Consequently, by enabling a user to create an active session, or user session, on the external systems, the external systems are able to track the activities of the users and user modules102a-102nas they access each external system, thereby maintaining state.
• As mentioned above,[0091]information system108 can use an architecture whereintegration module120 and the external systems are accessible through a web-based interface, i.e., browser, and defined by URLs and arguments. Theintegration module120 of the present invention is configured to create a session on each external system as each user selects to access those external systems through user modules102a-102n.Integration module120 can track the activities of those users, through user modules102a-102n, which login tointegration module120. Consequently,integration module120 can maintain state.
• By creating user sessions on each external system,[0092]integration module120 enables each respective external system to track the activities of each user and/or user module102a-102nwith a current session on the particular external system and maintain state for each user and user module102a-102n.
• Stated another way,[0093]integration module120 maintains state as each user, through user module102a-102n, is “logged in” to and “logged out” ofintegration module120. Further,integration module120 aids with creating the connections and sessions for the user on the external systems that enable each external system to maintain state. One skilled in the art can identify various other methods and manners by whichintegration module120 can enable the external systems to maintain state as each user, through associated user module102a-102n, is granted access to such external systems throughintegration module120. These methods and manners further enableintegration module120 to integrate the various external systems ofsystem100 and create a substantially seamless experience for the user as he/she accesses the same through an associated user module102a-102n.
• Referring now to FIG. 5, illustrated is a schematic representation of the interaction between user module[0094]200,integration module120, andexternal system202. This illustrative schematic is for the case whereexternal system202 utilizes URL rewriting to establish a session, authenticate user module200, and grant user module200 the right to access various portions ofexternal system202, and maintain session state while user module200 is “logged in” toexternal system202.
• Although a single user module[0095]200 is illustrated, one skilled in the art can appreciate that a similar discussion can be made for multiple user modules, as well as formultiple integration modules120 and multipleexternal systems202. The user module200 represents a user that is to accessintegration module120 and external system200 using hardware and/or software modules, i.e., a browser installed on a computer. Alternatively, user module200 can represent solely the hardware and/or software modules through which a user can accessintegration module120 and external system200. Consequently, user module200 can be similar or dissimilar from user modules102a-102nand130a-130n.
• In general terms, URL rewriting entails writing a session identifier within the URL of the web page or address requested by user module[0096]200 and displayed through user module200 as user module200 accesses the web page or address. Different session identifiers can designate different access rights for different user modules, i.e. different users that access the external system or other sub-system ofinformation system108. Consequently, as a user accessesexternal system202 through user module200 andintegration module120, the URL sending user module200 to the particular destination requested by the user through user module200 includes a session identifier that authenticates user module200 as having rights to access such a portion ofexternal system202.
• In this illustrative configuration, an user utilizing a browser associated with user module[0097]200 logs-in tointegration module120 and information system108 (FIG. 2) through typical login procedures, such as but not limited to inputting a user name and password, other credentials, or the like. One skilled in the art can identify various other login procedures that could be used to facilitate user module200 accessingintegration modules120. For example, challenge/response authentication, X.509 certificates, or the like.
• When the user has logged-in to[0098]integration module120, the user through user module200 and its associated browser, can request access toexternal system202. This request is sent tointegration module120 upon the user, through user module200 and graphical user interface associated withintegration module120, selecting a link to a particular external system, such asexternal system202. Although it is preferable that links are used to navigate aboutinformation system108 andsystem100, one skilled in the art can identify various other manners by which a user can select to access an external system. For instance, a user can select an entry from a drop down menu, check a box associated with a description of the external system, or the like.
• No matter the manner by which a request is made, such a request can take the form of a URL defining the particular external system to which the user and consequently user module[0099]200 desires access and a destination URL defining the particular web page ofexternal system202 to be displayed to user through user module200. Following receipt of the request,integration module120 can forward access information or credentials toexternal system202. Onceexternal system202 authenticates the access information,external system202 can forward a session identifier tointegration module120. This session identifier defines the access rights granted to the user and user module200 forexternal system202. Following receipt of the session identifier,integration module120 stores the session identifier so thatintegration module120 can track which external systems user module200 has accessed, and thereby maintain state.
• Subsequent to receiving the session identifier,[0100]integration module120 can combine the session identifier with the destination URL, deliver the session identifier and the destination URL to user module200, and redirect user module200 to the destination URL ofexternal system202. Therefore, a session for the user and user module200 is created onexternal system202 andexternal system202 can track the activities of the user and user module200 independently fromintegration module120. Consequently,external system202 can maintain state.
• Referring now to FIG. 6, depicted is a schematic representation of the interaction between user module[0101]210,integration module120, andexternal system212 for the case whereexternal system212 utilizes a cookie to establish a session withexternal system212 and enableexternal system212 to maintain state through creating the session.
• Upon a user utilizing user module[0102]210 to login to integration module210, user module210 can request access toexternal system212. Such a request can take the form of a URL defining the particular external system to be accessed and the destination URL within the external system to be displayed at user module210.
• Following receipt of the request,[0103]integration module120 can deliver access information or credentials toexternal system212. Onceexternal system212 authenticates the access information,external system212 can forward a one-time usage URL that defines a particular URL location ofexternal system212 where user module210 can complete the authentication process and establish a session onexternal system212. Optionally,external system212 can pass a session identifier with the one-time usage URL, whenexternal system212 uses both URL rewriting and cookies to authenticate the user and user module210 and establish a session that allowsexternal system212 to maintain state.
• Following receipt of the one-time URL and/or the session identifier,[0104]integration module120 can add the destination URL received from user module210 as an argument to the one-time use URL and forward this combined URL to user module210. Subsequently,integration module120 can redirect user module210 to the one-time use URL associated withexternal system212.
• When[0105]external system212 receives the request from user module210 for the one-time use URL,external system212 can write out a cookie to the computer associated with user module210. In this manner, the computer and user module210 receives a cookie fromexternal system212, which is the only system authorized to write out a cookie from the external system's212 domain.
• In addition to writing out a cookie,[0106]external system212 can retrieve the destination URL and redirect user module210 to the destination URL without the user using user module210 knowing of the various activities and actions taken following the user selecting a particular link throughgraphical user interface132 displayed to the user via a browser. In this manner, user module210 has accessedexternal system212 without entering additional access information specific toexternal system212, i.e.,integration module120 has facilitated a single sign-on process.
• Referring now to FIG. 7, a flow diagram describing an illustrative flow of information and data between[0107]integration module120, user module200,210 andexternal systems202,212 is depicted. Although discussion will be directed to user module200 andexternal system202, it will be appreciated that a similar discussion can be made for user module210 andexternal system212.
• Initially a user logs-in to[0108]integration module120 through user module200, as represented byblock220. Upon receiving the credentials,integration module120 can verify that the user has the right to accessintegration module120. In the event that the user does not input the correct credentials or the user does not have any credentials,integration module120 can deny access to the services and/or products associated withintegration module120 andsystem100. Otherwise, the user can access the services and/or products related tosystem100 through user module200.
• In some circumstance the user may desire to access[0109]external system202, such as by selecting a link included on the user interface associated withintegration module120, as represented byblock222. Associated with the link for the particularexternal system202 is a destination URL as an argument to the URL definition of the particularexternal system202. Optionally, the destination URL can include a session placeholder that defines the position within the destination URL where a session identifier received fromexternal system202 can be placed. For example, the link could have a form ofcp/ip/login?sys=library&url=library/sessionplaceholder/science, where “cp/ip/login” is the URL where user module200 is to login to a library system and “library/sessionplaceholder/science” is the destination URL defining the web page or address within the library system to be displayed to user module200 upon user module200 accessing the library system. The session placeholder can be any string of characters, such as numbers, letters, symbols, combination thereof, or the like.
• Upon the user selecting a particular link through user module[0110]200,integration module120 checks the stored credentials and access information of the user to identify the availability of access information for the specific user for the particularexternal system202, as represented bydecision block224. In the event that access information is available,integration module120 retrieves the access information for the specific user and the specificexternal system202, as represented byblock226. When the same access information allows a user access to multipleexternal systems202,integration module120 need only retrieve the stored access information and not search for specific access information for specificexternal systems202.
• When no access information is available, in one configuration,[0111]integration module120 verifies that the user typically is allowed to accessexternal system202, as represented bydecision block228. For instance, some users may be limited in their rights to access certain functionality or portions ofinformation system108 orsystem100 and may be denied access toexternal system202, such as whendecision block228 is in the negative. When the user is denied access to the selectedexternal system202,integration module120 can return an access denied notice to the user throughgraphical user interface132.
• In the alternative, when the user should be granted access to[0112]external system202, but no access information is available,integration module120 can prompt the user to provide or input access information for the selectedexternal system202, as represented byblock230. This can be achieved by displaying a pop-up window through user module200 that contains one or more fields that the user can fill with appropriate credentials and other information. This pop-up window is optionally a one-time window. Additionally,integration module120 can provide a summary or other information aboutexternal system202, user module200 or the user, through the pop-up window. Such information can include the name ofexternal system202, accessible content ofexternal system202, or the like. By analyzing the request received from user module200 to identify the particularexternal system202 that the user is attempting to access,integration module120 can display such summary information or other appropriate information.
• When the user has completed inputting the credentials or other information into the pop-up window,[0113]integration module120 closes the pop-up window and subsequently stores the access information in database134 (FIG. 3) for future retrieval, as represented byblock232.
• Following storage and retrieval of the access information,[0114]integration module120 delivers the access information toexternal system202, as represented byblock234. This access information may vary depending upon the particular type ofexternal system202 and interface used byexternal system202 to communicate withintegration module120. For instance, someexternal systems132 receive a user ID as the credential, while otherexternal systems132 receive both user ID's and password as the credential. Other embodiments may user different combinations of identifiers, passwords, or the like as credentials.
• In this illustrative configuration,[0115]external system202 can include a defined URL to whichintegration module120 delivers the access information. The particular form of the URL can vary based upon the particular configuration ofexternal system202, so long asexternal system202 includes a particular URL to whichintegration module120 can send a request to access or login toexternal system202. Eachexternal system202 can have other types of functionally specific URLs to facilitate communication betweenintegration module120 andexternal system202. For instance, whenintegration module120 is configured to track whether the user is actively usingexternal system202,external system202 can include a “Last Activity URL” to whichintegration module120 can “call” or request to receive a status report for the user's activity uponexternal system202. Similarly,external system202 can include a “log-out URL” to whichintegration module120 sends a request to log-out the user and user module200.External systems132 can include other functionally specific URLs, as know to one skilled in the art, in light of the teaching contained herein.
• Upon receiving the credential,[0116]external system202 can compare the delivered access information against the stored information withinexternal system202. In some circumstances,external system202 can request additional information about user module200 or the specific user utilizing user module200, such as through a challenge/response authentication process that verifies the credentials are being correct. One skilled in the art can identify various other manners or methods to authenticate the request to accessexternal system202 in light of the teaching contained herein.
• Based upon the above analysis,[0117]external system202 can grant or deny access to the resources, services, and/or products associated withexternal system202, as represented bydecision block236. When access is denied, such as whendecision block236 is in the negative,integration module120 can determine whether the user and/or user module200 should have access toexternal system202, as represented bydecision block238. In the event that the user and/or user module200 should not have access, the user and/or user module200 is denied access toexternal system202. In contrast, when the user and/or user module200 should have access toexternal system202, but is denied access for some reason,integration module120 determines if the user and/or user module200 is a new user ofinformation system108 is using user module200 to access integration module200, as represented bydecision block240.
• One case where the user is denied access and decision block is the negative occurs when the user has previously circumvented[0118]integration module120 using user module200 to directly accessexternal system202. Sinceintegration module120 creates an interface withexternal system202 and does not eliminate the front-end ofexternal system202, that the user can optionally circumventintegration module120, in some cases, to create a session and accessexternal system202. The user through user module200 can employ the resources, services, and/or products associated withexternal system202, including changing those credentials used by the user to accessexternal system202. In this manner, the user may modify their access information and credentials while being disconnected fromintegration module120.
• Consequently, these changes may not be incorporated within database[0119]134 (FIG. 3) ofintegration module120. Therefore, when the user logs-in tointegration module120 through user module200 and attempts to accessexternal system202 throughintegration module120, since the user has modified their credentials,integration module120 may deliver inaccurate credentials toexternal system202, resulting inexternal system202 denying access to its resources, services, and/or products.
• To enable[0120]integration module120 to facilitate the user's access toexternal system202,integration module120 can be configured to request and store corrected or new access information, as represented byblocks244 and246, such as through displaying a pop-up window and requesting the user to input the correct information and credentials, as described herein.
• In the case where the user should be given access based upon account information stored within[0121]database134, i.e., a new user toinformation system108,integration module120, alone or in combination withexternal system202 creates new access information, as represented byblock242. Optionally,integration module120 orexternal system202 can request information from the user through module200. Following creation of the new user access information,integration module120 stores the information, as represented byblock246.
• Upon storage of the new or updated access information,[0122]integration module120 can deliver the access information toexternal system202, which analyzes the access information and grants or denies access thereto, as represented bydecision block236. Although in oneembodiment integration module120 resends the access information toexternal system202, one skilled in the art can understand that these steps can be circumvented byexternal system202 delivering the authorization information tointegration module120 upon completing the access information updating or creating process.
• No matter the particular manner by which authorization is granted,[0123]integration module120 can receive authorization information, as represented byblock248. Depending upon the particular configuration of the present invention, different authorization information can be delivered tointegration module120 fromexternal system202. For example, whereexternal system202 maintains state through URL rewriting,external system202 can send a session identifier tointegration module132, while ifexternal system202 maintains state through cookies, external system can send a one-time use URL to enable delivery of a cookie to user module200, as described herein. In other configurations, both the one-time use URL and the session identifier can be sent tointegration module120.
• Following receipt of the authorization information, whether session identifiers, one-time use URLs, combination thereof, or the like,[0124]integration module120 stores the authorization information for future access, as represented byblock250. In this manner, when the user, through user module200, desires to accessexternal system202 after the user voluntarily logs-out or is involuntarily logged-out fromexternal system202,integration module120 can use the authorization information to redirect user module200 to the appropriate URL in accordance with the authorization information. It can be understood by one skilled in the art that someexternal systems132 may include time dependent authorization information, that may result inintegration module120 requesting new authorization information each time the user module200 requests access toexternal system202.
• Upon receiving the authorization information,[0125]integration module120 can send the authorization information to user module200, as represented byblock252. Depending upon the particular authentication method and/or the manner by which state is maintained byexternal system202, the authorization information can be combined with the destination URL, such as including the destination URL as an argument to the URL description ofexternal system202. Consequently, user module200 is redirected to the selected URL and associated web page or address ofexternal system202, in the case of URL rewriting, or redirected to the one-time use URL, resulting inexternal system202 delivering the cookie to user module200 and redirecting user module200 to the destination URL, as represented byblock254. In this manner,integration module120 creates a session onexternal system202 and enablesexternal system202 to maintain state, whether by URL rewriting, cookies, or by some other manner known by one skilled in the art.
• Although reference is made herein to use of the methods and systems to login a user to web-based applications and systems, one skilled in the art can appreciate that a similar process can be used to log-out the user and associated user module from various web-based applications and systems.[0126]
• Generally,[0127]integration module120 controls the manner by which a user through user module200 logs-in to and logs-out of external systems200. For instance, when an user through user module200 voluntarily logs-out ofinformation system108,integration module120 can request eachexternal system202, to which the user has an active session, such as through the functionally specific URLs described herein to, that these external systems terminate the session or log-out the user. Alternatively,integration module120 can perform a similar process when the user and/or user module200 is involuntarily logged-out ofinformation system108, such as when the user and/or user module200 is no longer actively using the resources ofinformation system108 or the external systems200.
• Although[0128]integration module120 facilitates integration and communication between user module200 andexternal systems202, eachexternal system202 can operate independently fromintegration module120 and may maintain state independently fromintegration module120. Consequently, with regard to “logging out” the user and/or user module200, eachexternal system202 can selectively log-out the user and/or user module200 based upon criteria or controls specific to the particularexternal system202. Therefore, the web-based applications and systems associated withinformation system108, and more specificallyintegration module120 and the methods and systems associated therewith, facilitate access to various disparate systems and modules ofsystems100, while enabling external systems to maintain state according to the particular methods and manners associated with each particular external system.
• Referring now to FIG. 8, depicted is a schematic representation of the interaction between a user module[0129]270,integration module120, and anexternal system272 for the case where a user and/or user module270 initiates a log-out fromintegration module120. Theintegration module120 coordinates the log-out sequence for eachexternal system272 to which the user and/or user module270 has been authenticated.
• The descriptions related to user modules[0130]102a-102n,130a-130n,200, and210 apply to user module270. Similarly, the descriptions related toexternal system132,202, and212 apply toexternal system272.
• The coordinated log-out or de-authentication of the user utilizing user module[0131]270 is achieved by maintaining status information for each known external system for each user that has created a user session in the integration module. This status information is stored withinintegration module120, either in a centralized data store of status information or within respective user accounts of those users that have accessed or created an active session upon one or more of the external systems.
• The status information defines whether the user is “logged in” to an external system and to which external system. The status information, in one embodiment, is a list of the external systems that each specific user can login to and one or more attributes that define whether the user is active or inactive on such an external system. For example, the status information can be associated with the external session attribute stored within the user's account within the information.[0132]
• In another configuration, the status information can take the form of a status attribute that includes multiple other attributes storing external system identifiers for those external systems upon which the user is active. One skilled in the art can identify a variety of different manners for defining and storing the status information.[0133]
• A user can select to log-out of[0134]integration module120 at any time. Upon the user selecting to log-out, in one embodiment, the graphical user interface displays a terminating dialog menu that enables the user to confirm that the user wishes to terminate a session onintegration module120. Various other manners are known to one skilled in the art to enable the user to terminate a session onintegration module120. For example, the user can select a log-out, exit, terminate, or the like selection from a drop down menu, the tool bar, or the like to terminate the session. In other configurations, the graphical user interface displays a log-out, exit, terminate, or the like selectable button that can be selected or clicked by the user to terminate the session. Other manners are known to those skilled in the art.
• Upon a request from the user, through user module[0135]270, to log-out or de-authenticate fromintegration module120,integration module120 iterates over a list of knownexternal systems272. For eachexternal system272 that has an active user session for that user module270,integration module120 invokes the log-out or de-authenticate URL on behalf of the user to log-out the user fromexternal system272. Once the user is logged out of allexternal systems272, the user is “logged out” or de-authenticated fromintegration module120. After the user, through user module270, requests a log-out fromintegration module120, andintegration module120 logs-out the user from external system270, any attempt thereafter by the user to accessexternal system272 results in an access denied message being transmitted to user module270.
• In one embodiment, log-out from each[0136]external system272 is effected though a de-authenticate user URL of the external system. Theintegration module120 delivers to such a URL parameters that specifies the user and/or user module270 that is to be logged out. When the user and/or user module270 is logged out, all server-side resources atexternal system272 are freed.
• Due to the flexibility of the “single-sign on” model, there is a matching flexibility in the log-out operation. For example, in the event that an external session attribute has been stored within the user's account within[0137]integration module120, that external session attribute is substituted for the placeholder pattern in the log-out URL invocation. In the event that no external session attribute has been stored in the user's account, then the de-authenticate user URL invocation can include the specific user credentials for that external system in order to allow the external system to have the information needed to log-out the user.
• Those skilled in the art will realize that there will be cases where the external session attribute will remain in the browser or[0138]integration module120 even though the user has log-out ofintegration module120. This case can be handled in the same way as when the user is timed-out from an external system, described hereinafter.
• Referring now to FIG. 9, depicted is a flow diagram describing a coordinated log-out procedure implemented between[0139]integration module120, user module270, andexternal system272. In this embodiment,integration module120 forces a log-out from one or moreexternal systems272 after a user session onintegration module120 is terminated, i.e., the user logs-out.
• As illustrated, the method includes selecting a first external system under which the user and/or user module[0140]270 has been authenticated, as represented byblock280. For that external system,integration module120 forms a de-authenticate user URL, as described hereinabove and represented byblock282. Theintegration module120 then delivers the de-authenticate user URL toexternal system272, as represented byblock284. Afterexternal system272 receives the de-authenticate user URL,external system272 logs-out the user and/or user module270. This enablesexternal system272 to free server-side resources.
• In addition to delivering a log-out URL to the first[0141]external system272,integration module120 verifies whether the user and/or user module270 has been authenticated in other external systems, as represented byblock290. If so, such external systems are logged-out of as described herein.
• After the user and/or user module[0142]270 is logged-out of theexternal system272, user module270 and the associated user are logged-out ofintegration module120, as represented byblock292. Finally,integration module120 displays the login page upon the browser associated with user module270, as represented byblock294.
• Referring now to FIG. 10, depicted is a schematic representation of the interaction between[0143]user module290,integration module120, andexternal system292 for the case where the user is timed-out fromintegration module120 for inactivity. The majority of the features and functions discussed with other embodiments of user modules and external systems apply touser module290 andexternal system292 respectively.
• In the event that the user utilizing[0144]user module290 is inactive for longer than a time-out period defined by an administrator ofintegration module120,integration module120 will commence a log-out procedure to de-authenticate the user and associateduser module290 from theentire information system108 depicted in FIG. 2. This time-out period can be defined by the administrator ofinformation system108 and be referenced by the number of seconds, minutes, hours, etc. that the user can wait between performing actions upon the information system and/or the external systems. Alternatively, and more typically, the administrators of each external system and module of the information module separately define the time-out period.
• However, before integration module terminates the user's session,[0145]integration module120 checks allexternal systems292 that the user has accessed to identify whether the user is active in one or more of the external system. In the event that the user is still active in anyexternal system292, then the log-out procedure is aborted.
• Similar to the checks made during a coordinated log-out operation,[0146]integration module120 iterates over the known set ofexternal systems292, checking each for the status of the user, i.e., identify whether the user has an active session upon one or more ofexternal systems292. For each system that is identified as having an active session, i.e., is logged intoexternal system292 and performing some action within a period defined byexternal system292,integration module120 issues a request to the “last activity” URL ofexternal system292. This request has an associated request time that is stored withinintegration module120, such as in the centralized data store or within the user's account. This request initiates the retrieval of the time when the user was “last active” upon that particular external system, i.e., the last time the user performed an action, a request, input information, or the like.
• In the event that the user has timed-out on that particular external system, i.e., is not performing actions and the session has been terminated, the “last active” time for that user is taken to be at the beginning of the “epoch” (time “0”). When that is the case, the stored status information for that external system is changed to logged-out or inactive.[0147]
• In the event that the user has not timed-out on that particular external system, the “last active” time for the user is delivered to[0148]integration module120. This will be compared to the stored value for the “last active” time as reported by all external systems thus far. In the event that the newly reported “last active” time is more recent than the stored value for the “last active” time, the stored value for the “last active” time is changed to equal the new “last active” time. Thus, at the end of the iteration over all known and logged-in systems,integration module120 has the most recent “last active” time across all knownexternal systems292 for that user. In some embodiment,integration module120 can stop the process after encountering recent activity in a single external system, thus avoiding excessive use of resources.
• By doing so, this allows coordination of the time-out across[0149]integration module120 and theexternal systems292 in a manner that preserves the semantics of the configured time-out value. In the event that the last activity attribute, containing the “last active” time is more than a maximum time-out value allowable byintegration module120, i.e., the “time-out period,” the user is logged out according to the already-described coordinated log-out operation.
• When the user has timed-out of all external systems that the user created session upon during the session on[0150]integration module120,integration module120 logs-out the user according to the already-described log-out operation.
• Referring now to FIG. 11, depicted is a flow diagram describing a time-out procedure for the user and/or user module from[0151]integration module120 and/orexternal system292. In this embodiment, a user utilizinguser module290 is inactive in his/her use of the sessions or products associated withintegration module120 for longer than the time-out period. This inactivity triggersintegration module120 to initiate a log-out sequence. In this embodiment,integration module120 selects a first external system that the user and/or user module has been authenticated with, as represented byblock300. Theintegration module120 then generates a last activity URL forexternal system292, as represented byblock302.
• The[0152]integration module120 next delivers a request on the last activity URL ofexternal system292, as represented byblock303, andexternal system292 returns a “last active” time. When the user has an active session onexternal system292,integration module120 receives the “last active” time, as represented byblock304, otherwiseexternal system292 returns a “not active” time.
• When[0153]integration module120 receives the “last active” time,integration module120 compares the received “last active” time against the “time-out period” defined byintegration module120 forsystem100, as represented byblock306. When the “last active” time is less than the time-out period, the log-out process is stopped, as represented byblock308. When this is not the case, the external session attribute forexternal system292 within the user's account is marked as not active, as represented byblock310.
• Following identifying that a user has an active session or no session on a first external system,[0154]integration module120 queries whether there are otherexternal systems292 to which the user has been authenticated and from which the “last active” time has not yet been received, as represented byblock312. When this is the case, then the above “last active” time determination process is repeated for eachexternal system292. When all external systems have been checked, then the user and/or user module is logged out ofintegration module120, as represented byblock314, and the login page is displayed atuser module290, as represented byblock316.
• In this way, the maximum time-out period can be defined globally by[0155]integration module120 and not individually byexternal systems292. Consequently, the present invention preserves a seamless on-line experience for the user.
• Referring now to FIG. 12, represented is a schematic representation of the interaction between user module[0156]330,integration module120, andexternal system332 for the case where a user's session initiated through user module330 onexternal system332 is terminated because of inactivity of the user onexternal system332, but the user has an active session onintegration module120. The majority of the features and functions discussed with other embodiments of user modules and external systems apply to user module330 andexternal system332 respectively.
• Time-out of a user session on[0157]external system332 occurs when the user using user module330 has not performed any activities within a specified time-out period on the particularexternal system332 to which the user has logged-in. When this condition is encountered,external system332 performs internal purging of those current user sessions that have become inactive. Sinceintegration module120 is not notified of this timed-out condition, the external session attribute stored inintegration module120 is not reset andintegration module120 operates as though the user is still logged-in toexternal system332 even after being timed-out ofexternal system332.
• When the user, through user module[0158]330, requests access toexternal system332 subsequent to when the user has timed-out,external system332 will deny access to the resources as per the process of requiring a user to login to obtain access. Theexternal system332 instead redirects user module330 to be re-authenticated withintegration module120, and consequently to reauthenticate withexternal system332.
• When[0159]integration module120 receives the redirected request, the user session can either be timed-out or not timed-out. In the case when the user session on integration module1202 is timed-out,integration module120 redirects the request to the login page. The effect of this operation is that the request toexternal system332 results in a login page being displayed to the user through user module330, which is desired effect of a unified application space.
• In the case where the user session is still active on[0160]integration module120,integration module120 recognizes the redirect request as a request to reauthenticate the user automatically to the specifiedexternal system332. Upon successful re-authentication, integration module330 will redirect the request back to the original URL requested by the user uponexternal system332, resulting in a seamless experience for the user.
• Referring now to FIG. 13, represented is a flow diagram describing the process whereby the user has access to an[0161]external system332 from which the user utilizing user module330 has been timed-out for inactivity. In this embodiment, the user utilizing user module330 is inactive in anexternal system332 for a period longer than the time-out period allowed on thatexternal system332, and the external system session is terminated. However, there is a possibility that the user is still logged-in tointegration module120 and still has a browser window open with links that will result in a denial of access to a particular external system, i.e., stale links. In this event, when the user selects one of those stale links, the method depicted in FIG. 13 is performed.
• After the user is logged-out of[0162]external system332 for inactivity, as represented byblock340, the present method is initiated as user module330 delivers a URL request toexternal system332, as represented byblock342. Althoughexternal system332 receives the URL request, as represented byblock344, the user, through user module330, is denied access because he/she has been logged out. Theexternal system332 then uses either cookie information or other access information stored withinexternal system332 to generate a time-out URL that refers to theintegration module120, as represented byblock346.
• The[0163]external system332 next issues a redirect to the time-out URL as represented byblock348. This time-out URL can specify either the HyperText Transport Protocol (HTTP) or the secure HyperText Transfer Protocol (HTTPS).
• This time-out URL includes the original destination URL selected by the user upon the user making a request to access the external system through the user module. When cookies are used, as the time-out URL is delivered to[0164]integration module120, a redirect message is sent to the user module that includes a “cookie killer” that removes the session cookie from the user module for thatexternal system332.
• After receiving the time-out URL, as represented by[0165]block350,integration module120 then queries the “last active” time onintegration module120, i.e., checks the last activity attribute. If the user is timed-out ofintegration module120, then user module330 is redirected to the login page, as represented byblock354.
• If the user is not timed-out of[0166]integration module120,integration module120 re-authenticates the user ontoexternal system332 using the processes described herein.
• This re-authentication is performed without notifying the user of the time-out condition upon[0167]external system332, thereby preserving a seamless experience for the user. Instead,integration module120 identifiesexternal system332 from the redirected time-out request, as represented byblock356, and initiates the authentication sequence to enable the user to access theexternal system120 through user module330 in a seamless fashion, as represented byblock358. For example, delivering a request to authenticate the user, receiving access information from the external system, and delivering the access information to the user module to enable the user module to automatically authenticate the user to the external system and create an active session thereupon. In this manner, the user's session is re-established with the external system330.
• The present invention may be embodied in other specific forms without departing from its spirit or essential characteristics. The described embodiments are to be considered in all respects only as illustrative and not restrictive. The scope of the invention is, therefore, indicated by the appended claims rather than by the foregoing description. All changes which come within the meaning and range of equivalency of the claims are to be embraced within their scope.[0168]

Claims (39)

What is claimed is:

1. In a system comprising a plurality of external systems and an integration module for facilitating communication with the plurality of external systems, a method for coordinating the termination of a session on at least one of the plurality of external systems, the method comprising:

upon a user selecting to terminate a session on an integration module, identifying one or more external systems of a plurality of external systems upon which a user has an active session;

transmitting a de-authentication request to the one or more external systems to terminate the active session on the one or more external systems; and

upon delivering the de-authentication request to each of the one or more external systems, terminating the session on the integration module.

2. The method as recited inclaim 1, where in the active session is terminated by the user selecting to log-out of the integration module.

3. The method as recited inclaim 1, where in the active session is terminated by the user being inactive for a period of time in excess of a time-out period associated with the integration module.

4. The method as recited inclaim 3, wherein the time-out period is defined by an administrator of the integration module.

5. The method as recited inclaim 1, wherein identifying one or more external systems comprises searching status information stored in the integration module, the status information defining the one or more external systems of a plurality of external systems upon which the user has the active session.

6. The method as recited inclaim 5, wherein the integration module comprises one or more user accounts, the status information being stored in the one or more user accounts.

7. The method as recited inclaim 1, wherein identifying one or more external systems comprises searching for one or more external session attributes.

8. The method as recited inclaim 7, wherein upon identifying the one or more external session attributes, identifying an active status or an inactive status for each of the one or more external systems.

9. The method as recited inclaim 1, wherein de-authenticating the user from the one or more external systems frees system resources.

10. The method as recited inclaim 1, wherein transmitting a de-authentication request comprises transmitting a de-authentication request to an external system of the one or more external systems that is remote form the information system.

11. The method as recited inclaim 1, wherein transmitting a de-authentication request comprises transmitting a request to a de-authentication uniform resource locator associated with each of the one or more external systems.

12. The method as recited inclaim 1, wherein selecting to terminate the session on the integration module comprises selecting a terminating dialog menu.

13. The method as recited inclaim 1, wherein selecting to terminate the session on the integration module comprises selecting a button on a graphical user interface.

14. A computer product for implementing, in a system comprising one or more external systems and an integration module for facilitating communication between a user module and the one or more external systems, a method for coordinating terminating a session on at least one of the one or more external systems and the integration module, the computer program product comprising:

a computer readable medium carrying computer-executable instructions for implementing the method, wherein the computer-executable instructions causing the system to perform:

upon a user selecting to terminate a session on an integration module, a step for identifying one or more external systems of a plurality of external systems upon which a user has an active session;

a step for transmitting a de-authentication request to the one or more external systems to terminate the active session on the one or more external systems; and

upon delivering the de-authentication request to each of the one or more external systems, a step for terminating the session on the integration module.

15. The method as recited inclaim 14, wherein the computer-executable instructions cause a step for terminating the session when the user selects to logout of the integration module.

16. The method as recited inclaim 14, wherein the computer-executable instructions cause a step for terminating the active session when the user is inactive for a period of time in excess of a time-out period.

17. The method as recited inclaim 14, wherein the computer-executable instructions cause a step for searching status information stored in the integration module, the status information defining the one or more external systems of a plurality of external systems upon which the user has the active session.

18. The method as recited inclaim 17, wherein the computer-executable instructions cause a step for searching for status information stored one or more user accounts, each of the one or more user accounts storing status information specific for an associated user.

19. The method as recited inclaim 14, wherein the computer-executable instructions cause a step for identifying one or more external systems comprises searching for one or more external session attributes.

20. The method as recited inclaim 19, wherein the computer-executable instructions cause a step for identifying an active status or an inactive status for each of the one or more external systems upon identifying the one or more external session attributes

21. The method as recited inclaim 14, wherein the computer-executable instructions cause a step for transmitting a de-authentication request to an external system of the one or more external systems that is remote form the information system.

22. The method as recited inclaim 14, wherein the computer-executable instructions cause a step for transmitting a request to a de-authentication uniform resource locator associated with each of the one or more external systems.

23. The method as recited inclaim 14, wherein the computer-executable instructions cause a step for selecting a terminating dialog menu to select to terminate the session on the integration module.

24. The method as recited inclaim 14, wherein the computer-executable instructions cause a step for selecting a button on a graphical user interface to select to terminate the session on the integration module.

25. In a system comprising an external system and an integration module for facilitating communication with the external system, a method for coordinating terminating a session on the external system and the integration module, the method comprising:

displaying a graphical user interface to a user, the graphical user interface facilitating the user in creating active sessions on an integration module and an external module;

upon the user selecting to terminate an active session on the integration module through the graphical user interface, identifying the external system upon which the user has created the active session;

transmitting a de-authentication request to the external system to terminate the active session on the external system; and

upon delivering the de-authentication request to the external system, terminating the session on the integration module.

26. The method as recited inclaim 25, wherein displaying the graphical user interface comprises displaying a header portion and an external system portion, the header portion remaining constantly displayed to the user as the user accesses a plurality of external systems.

27. The method as recited inclaim 25, further comprising displaying a session terminating dialog menu to the user.

28. The method as recited inclaim 25, further comprising displaying a selectable terminating button to the user.

29. The method as recited inclaim 25, wherein selecting to terminate the active session comprises selecting the selectable terminating button.

30. The method as recited inclaim 25, wherein identifying the external system comprises accessing a user account for the user to retrieve an external session attribute associated with the external system.

31. The method as recited inclaim 30, further comprising accessing the external session attribute to retrieve status information.

32. The method as recited inclaim 31, wherein the status information is selected from a group consisting of an active status and an inactive status.

33. The method as recited inclaim 25, wherein transmitting a de-authentication request comprises transmitting a credential associated with the user and the external system.

34. The method as recited inclaim 25, wherein transmitting a de-authentication request comprises transmitting a session identifier for the external system.

35. In a system comprising an external system and an integration module for facilitating communication with the external system, a method for coordinating terminating a session on an external system, the method comprising:

upon a user selecting to terminate an active session on an integration module through a graphical user interface, receiving at an external system a de-authentication request from the integration module;

upon receiving the de-authentication request, identifying the session on the external system that is associated with the user selecting to terminate the active session; and

terminating the session on the external system.

36. A method as recited inclaim 35, further comprising receiving a session identifier and a credential associated with the user.

37. A method as recited inclaim 35, further comprising selecting the session from a list of session stored at the external system.

38. A method as recited inclaim 35, further comprising receiving an identifier and a credential associated with the user.

39. In a system comprising at least one external system and an integration module for facilitating communication between a user module and the at least one external system, a method for, coordinating the termination of a session on the at least one external system and a session on the integration module the method comprising:

upon a user creating a first session on an integration module and a second session on at least one external system, tracking the actions of the user on both the external system and the integration module;

upon the user completing the first session on the integration module, receiving a de-authentication request from the user through a user module;

identifying the external system upon which a user has a active session;

transmitting a de-authentication request to the external system to terminate the active session on the external system; and

upon delivering the de-authentication request to the external system, terminating the session on the integration module.

Images