SSO functionality by means of a temporary password and out-of-band communications

US 10,063,539 B2
Filed: 08/24/2017
Issued: 08/28/2018
Est. Priority Date: 11/24/2015
Status: Active Grant

First Claim

Patent Images

1. A method for using an out-of-band password to provide enhanced SSO functionality, the method comprising:

a processor of a computer system receiving notice of a user'"'"'s access request from an Identity Provider (IDP) of a Federated Single Sign-On (F-SSO) federation, where the access request requests access to a service provided by a Service Provider (SP) of the federation, and where the federation does not support Single Sign-On functionality for that service;

the processor, in response to receiving the notice, identifying and validating the user;

the processor sending a temporary password to the user through an out-of-band communications method, where the user is required to perform an additional authentication procedure when re-entering the temporary password;

the processor updating an information repository with a value of the temporary password;

the processor detecting that the user has entered a correct value of the temporary password;

the processor generating a single-use password; and

the processor communicating the single-use password to the user, such that the user may use the single-use password to access the service, and where the in-band communication is a secure communication that is communicated through a medium under control of the Service Provider to a device under control of the Service Provider.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for using a single-use password to add SSO functionality to a service of a Service Provider belonging to an F-SSO federation that does not support F-SSO functionality for the service. In response to receiving notification from an Identity Provider that a user has requested access to the service, the Service Provider uses information provided by the Identity Provider to identify and authenticate the user, and then uses standard API calls to create and send a temporary password to the user. This password may be created as a function of the user'"'"'s physical location or IP address and may be communicated out-of-band. Upon determining that the user has correctly returned the temporary password to the Service Provider, the Service Provider generates and sends the user a strong single-use password through a secure in-band communication, through which the user may access the service.

22 Citations

View as Search Results

20 Claims

1. A method for using an out-of-band password to provide enhanced SSO functionality, the method comprising:
- a processor of a computer system receiving notice of a user'"'"'s access request from an Identity Provider (IDP) of a Federated Single Sign-On (F-SSO) federation, where the access request requests access to a service provided by a Service Provider (SP) of the federation, and where the federation does not support Single Sign-On functionality for that service;
  
  the processor, in response to receiving the notice, identifying and validating the user;
  
  the processor sending a temporary password to the user through an out-of-band communications method, where the user is required to perform an additional authentication procedure when re-entering the temporary password;
  
  the processor updating an information repository with a value of the temporary password;
  
  the processor detecting that the user has entered a correct value of the temporary password;
  
  the processor generating a single-use password; and
  
  the processor communicating the single-use password to the user, such that the user may use the single-use password to access the service, and where the in-band communication is a secure communication that is communicated through a medium under control of the Service Provider to a device under control of the Service Provider.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, where the temporary password is subject to constraints selected from the group consisting of:
    - limiting the temporary password to a certain number of uses;
      
      limiting the temporary password to use during a single session of the secured service;
      
      limiting the temporary password to use during a specified period of time; and
      
      limiting the temporary password to use during a specified duration of time after the first use of the temporary password.
  - 3. The method of claim 2, where the out-of-band communication method comprises a communication sent to a destination that is not part of the F-SSO federation and that is not under control of the Service Provider, and where the out-of-band communication is selected from a group consisting of:
    - a voice message;
      
      a fax;
      
      an SMS text message;
      
      an email message;
      
      a communication to a social-media service;
      
      an instant message; and
      
      a communication sent through the Internet to a software program running on a device that is accessible to the user.
  - 4. The method of claim 1, where the out-of-band communications method is selected from the group consisting of:
    - transmitting the password to a smartphone or mobile device by means of a Short Messaging Service (SMS) text message, where the smartphone or mobile device is distinct from the computer system;
      
      transmitting to a smartphone or mobile device a Web page that identifies the password, where the smartphone or mobile device is distinct from the computer system;
      
      transmitting to a smartphone or mobile device, by means of a Short Messaging Service (SMS), a text message that identifies a URL of a Web page that identifies the password, where the smartphone or mobile device is distinct from the computer system; and
      
      reading the password, by means of a synthesized voice, to the user during a phone call initiated by the user.
  - 5. The method of claim 1, where the identifying and validating the user comprises:
    - the processor, in response to the receiving notice, requesting that the IDP identify and authenticate the user;
      
      the processor redirecting the user to a portal under control of the IDP;
      
      the processor receiving authentication data from the IDP, andthe processor redirecting the user to a portal under control of the SP.
  - 6. The method of claim 1, further comprising:
    - the processor storing a copy of the temporary password in an enterprise directory under control of the SP;
      
      the processor, upon receiving from the user the response to the sending, where the response is a password entered by the user, attempting to match the entered password with the password stored in the enterprise directory; and
      
      the processor, deeming the user to have been identified and authenticated as a result of having successfully matched the entered password to the stored password.
  - 7. The method of claim 1, where the Service Provider is an Information as a Service cloud-service provider, the service is a cloud-based service deployed and controlled by the Service Provider on cloud infrastructure under control of the Service Provider, and the IDP is a client of the Service Provider that controls an application deployed on cloud infrastructure under control of the Service Provider.
  - 8. The method of claim 1, further comprising:
    - the processor selecting the temporary password as a function of the user'"'"'s location, where the user'"'"'s location comprises an Internet Protocol address of a device by which the user entered the sign-on request.
  - 9. The method of claim 1, further comprising providing at least one support service for at least one of creating, integrating, hosting, maintaining, and deploying computer-readable program code in the computer system, where the computer-readable program code in combination with the computer system is configured to implement the receiving notice, the identifying and validating, the sending, the updating, the detecting, the generating, and the communicating.

10. A system for using an out-of-band password to provide enhanced SSO functionality comprising a processor, a memory coupled to the processor, and a computer-readable hardware storage device coupled to the processor, the storage device containing program code configured to be run by the processor via the memory to implement a method for using an out-of-band password to provide enhanced SSO functionality, the method comprising:
- the processor receiving notice of a user'"'"'s access request from an Identity Provider (IDP) of a Federated Single Sign-On (F-SSO) federation, where the access request requests access to a service provided by a Service Provider (SP) of the federation, and where the federation does not support Single Sign-On functionality for that service;
  
  the processor, in response to receiving the notice, identifying and validating the user;
  
  the processor sending a temporary password to the user through an out-of-band communications method, where the user is required to perform an additional authentication procedure when re-entering the temporary password;
  
  the processor updating an information repository with a value of the temporary password;
  
  the processor detecting that the user has entered a correct value of the temporary password;
  
  the processor generating a single-use password; and
  
  the processor communicating the single-use password to the user, such that the user may use the single-use password to access the service, and where the in-band communication is a secure communication that is communicated through a medium under control of the Service Provider to a device under control of the Service Provider.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The system of claim 10, where the temporary password is subject to constraints selected from the group consisting of:
    - limiting the temporary password to a certain number of uses;
      
      limiting the temporary password to use during a single session of the secured service;
      
      limiting the temporary password to use during a specified period of time; and
      
      limiting the temporary password to use during a specified duration of time after the first use of the temporary password.
  - 12. The system of claim 10, where the out-of-band communications method is selected from the group consisting of:
    - transmitting the password to a smartphone or mobile device by means of a Short Messaging Service (SMS) text message, where the smartphone or mobile device is distinct from the computer system;
      
      transmitting to a smartphone or mobile device a Web page that identifies the password, where the smartphone or mobile device is distinct from the computer system;
      
      transmitting to a smartphone or mobile device, by means of a Short Messaging Service (SMS), a text message that identifies a URL of a Web page that identifies the password, where the smartphone or mobile device is distinct from the computer system; and
      
      reading the password, by means of a synthesized voice, to the user during a phone call initiated by the user.
  - 13. The system of claim 10, where the identifying and validating the user comprises:
    - the processor, in response to the receiving notice, requesting that the IDP identify and authenticate the user;
      
      the processor redirecting the user to a portal under control of the IDP;
      
      the processor receiving authentication data from the IDP, andthe processor redirecting the user to a portal under control of the SP.
  - 14. The system of claim 10, further comprising:
    - the processor storing a copy of the temporary password in an enterprise directory under control of the SP;
      
      the processor, upon receiving from the user the response to the sending, where the response is a password entered by the user, attempting to match the entered password with the password stored in the enterprise directory; and
      
      the processor, deeming the user to have been identified and authenticated as a result of having successfully matched the entered password to the stored password.
  - 15. The system of claim 10, further comprising:
    - the processor selecting the temporary password as a function of the user'"'"'s location, where the user'"'"'s location comprises an Internet Protocol address of a device by which the user entered the sign-on request.

16. A computer program product, comprising a computer-readable hardware storage device having a computer-readable program code stored therein, the program code configured to be executed by a system comprising a processor, a memory coupled to the processor, and a computer-readable hardware storage device coupled to the processor, the storage device containing program code configured to be run by the processor via the memory to implement a method for using an out-of-band password to provide enhanced SSO functionality, the method comprising:
- the processor receiving notice of a user'"'"'s access request from an Identity Provider (IDP) of a Federated Single Sign-On (F-SSO) federation, where the access request requests access to a service provided by a Service Provider (SP) of the federation, and where the federation does not support Single Sign-On functionality for that service;
  
  the processor, in response to receiving the notice, identifying and validating the user;
  
  the processor sending a temporary password to the user through an out-of-band communications method, where the user is required to perform an additional authentication procedure when re-entering the temporary password;
  
  the processor updating an information repository with a value of the temporary password;
  
  the processor detecting that the user has entered a correct value of the temporary password;
  
  the processor generating a single-use password; and
  
  the processor communicating the single-use password to the user, such that the user may use the single-use password to access the service, and where the in-band communication is a secure communication that is communicated through a medium under control of the Service Provider to a device under control of the Service Provider.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The computer program product of claim 16, where the temporary password is subject to constraints selected from the group consisting of:
    - limiting the temporary password to a certain number of uses;
      
      limiting the temporary password to use during a single session of the secured service;
      
      limiting the temporary password to use during a specified period of time; and
      
      limiting the temporary password to use during a specified duration of time after the first use of the temporary password.
  - 18. The computer program product of claim 16, where the out-of-band communications method is selected from the group consisting of:
    - transmitting the password to a smartphone or mobile device by means of a Short Messaging Service (SMS) text message, where the smartphone or mobile device is distinct from the computer system;
      
      transmitting to a smartphone or mobile device a Web page that identifies the password, where the smartphone or mobile device is distinct from the computer system;
      
      transmitting to a smartphone or mobile device, by means of a Short Messaging Service (SMS), a text message that identifies a URL of a Web page that identifies the password, where the smartphone or mobile device is distinct from the computer system; and
      
      reading the password, by means of a synthesized voice, to the user during a phone call initiated by the user.
  - 19. The computer program product of claim 16, where the identifying and validating the user comprises:
    - the processor, in response to the receiving notice, requesting that the IDP identify and authenticate the user;
      
      the processor redirecting the user to a portal under control of the IDP;
      
      the processor receiving authentication data from the IDP, andthe processor redirecting the user to a portal under control of the SP.
  - 20. The computer program product of claim 16, further comprising:
    - the processor storing a copy of the temporary password in an enterprise directory under control of the SP;
      
      the processor, upon receiving from the user the response to the sending, where the response is a password entered by the user, attempting to match the entered password with the password stored in the enterprise directory; and
      
      the processor, deeming the user to have been identified and authenticated as a result of having successfully matched the entered password to the stored password.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kyndryl Incorporated
Original Assignee
International Business Machines Corporation
Inventors
Hinton, Heather M., Malone, Kelly
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
Gyorfi, Thomas

Application Number

US15/685,794
Publication Number

US 20170353447A1
Time in Patent Office

369 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0815   providing single-sign-on or...

H04L 63/0846   using time-dependent-passwo...

H04L 63/10   for controlling access to d...

SSO functionality by means of a temporary password and out-of-band communications

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

22 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SSO functionality by means of a temporary password and out-of-band communications

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links