Detection and repair of broken single sign-on integration

US 10,097,533 B2
Filed: 09/04/2015
Issued: 10/09/2018
Est. Priority Date: 09/15/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method performed by an identity management system, the method comprising:

storing, for each third-party service of a plurality of third-party services, a single sign-on (SSO) integration for the third-party service, the SSO integration comprising information enabling automated login to the third-party service;

for a first one of the third-party services and a corresponding first one of the SSO integrations;

successfully signing in users into accounts of the users on the first one of the third-party services using the first one of the SSO integrations; and

detecting that the first one of the SSO integrations can no longer automatically sign in users into accounts of the users on the first one of the third-party services;

repairing the first SSO integration responsive to detecting that the first SSO integration can no longer automatically sign in users into accounts of the users on the third-party service; and

determining that the first SSO integration has been successfully repaired by;

receiving a request from a user to login to the first third-party service;

using the repaired first SSO integration to attempt to log the user into the first third-party service; and

analyzing behavior of the user after the attempted login using the repaired first SSO integration.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An identity management system provides single sign-on (SSO) services to clients, logging the clients into a variety of third-party services for which the clients have accounts. An SSO integration is stored for each of the third-party services, the SSO integration including information that allows the identity management system to automate the login for the corresponding third-party service, such as locations of the login pages, and/or identities of username and password fields. The identity management system uses different techniques in different embodiments to detect that a given SSO integration is broken (i.e., no longer permits login for its corresponding third-party service) and/or to repair the SSO integration.

Citations

33 Claims

1. A computer-implemented method performed by an identity management system, the method comprising:
- storing, for each third-party service of a plurality of third-party services, a single sign-on (SSO) integration for the third-party service, the SSO integration comprising information enabling automated login to the third-party service;
  
  for a first one of the third-party services and a corresponding first one of the SSO integrations;
  
  successfully signing in users into accounts of the users on the first one of the third-party services using the first one of the SSO integrations; and
  
  detecting that the first one of the SSO integrations can no longer automatically sign in users into accounts of the users on the first one of the third-party services;
  
  repairing the first SSO integration responsive to detecting that the first SSO integration can no longer automatically sign in users into accounts of the users on the third-party service; and
  
  determining that the first SSO integration has been successfully repaired by;
  
  receiving a request from a user to login to the first third-party service;
  
  using the repaired first SSO integration to attempt to log the user into the first third-party service; and
  
  analyzing behavior of the user after the attempted login using the repaired first SSO integration.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The computer-implemented method of claim 1, wherein the detecting comprises:
    - attempting login to the first one of the third-party services using incorrect credentials; and
      
      determining, based on output of the attempted login, that the attempted login was legitimate except for the incorrect credentials.
  - 3. The computer-implemented method of claim 2, wherein determining that the attempted login was legitimate except for the incorrect credentials comprises determining whether a webpage that follows the attempted login includes specific strings of text indicating a login failure.
  - 4. The computer-implemented method of claim 3, further comprising previously identifying the specific strings of text by attempting to login with invalid credentials to a plurality of different third-party services and identifying strings present in webpages that followed the attempted logins.
  - 5. The computer-implemented method of claim 2, wherein determining that the attempted login was legitimate except for the incorrect credentials comprises:
    - obtaining a first screenshot of the first third-party service'"'"'s login page before the attempted login;
      
      obtaining a second screenshot of the first third-party service'"'"'s login page after the attempted login; and
      
      comparing visual properties of the first screenshot and second screenshot.
  - 6. The computer-implemented method of claim 5, wherein comparing the visual properties comprises determining whether the second screenshot includes an additional user interface element not included in the first screenshot.
  - 7. The computer-implemented method of claim 5, wherein comparing the visual properties comprises determining whether the second screenshot includes a given color not included in the first screenshot.
  - 8. The computer-implemented method of claim 1, wherein the detecting comprises comparing a login flow sequence of uniform resource locators (URLs) resulting from the attempted login to a baseline login flow sequence of uniform resource locators corresponding to a successful login.
  - 9. The computer-implemented method of claim 8, further comprising establishing the baseline login flow sequence based on login flow sequences of a plurality of successful logins into the first third-party service by a plurality of different users.
  - 10. The computer-implemented method of claim 1, wherein the detecting comprises:
    - determining that a first user has attempted to login to the first third-party service using the first SSO integration multiple times during a given time period.
  - 11. The computer-implemented method of claim 1, wherein the detecting further comprises:
    - receiving a confirmation from the first user that the first user is encountering a login failure.
  - 12. The computer-implemented method of claim 1, wherein the detecting is performed in response to a trigger event, the trigger event is at least one of the group consisting of an explicit request to test the first SSO integration, and expiration of a period of time since a previous test of the first SSO integration.
  - 13. The computer-implemented method of claim 1, further comprising detecting that the first one of the SSO integrations can no longer automatically sign in users into accounts of the users on the third-party service due to a change in content of a login page of the first third-party service, based on comparison of a hash value of the login page computed at a time of the detecting and a hash value of the login page computed at a prior time when login into the first third-party service was successful.
  - 14. The computer-implemented method of claim 13, further comprising identifying the login page by:
    - navigating to a root page of a domain of the first third-party service;
      
      navigating to a page target of a login hyperlink of the root page; and
      
      responsive to identifying login user interface elements in the page target, identifying the page target as the login page.
  - 15. The computer-implemented method of claim 1, wherein the repairing comprises:
    - parsing a login page of the first third-party service to identify a username field and a password field; and
      
      storing the identified username field and the identified password field in the first SSO integration.
  - 16. The computer-implemented method of claim 1, wherein the repairing comprises:
    - parsing a login page of the first third-party service to identify a submit button that is a closest button in the login page to a password field in the login page; and
      
      storing the identified submit button in the first SSO integration.
  - 17. The computer-implemented method of claim 16, wherein closeness is measured based on pixel distance.
  - 18. The computer-implemented method of claim 16, wherein closeness is measured based on a distance in a document object model (DOM) tree of the login page.
  - 19. The computer-implemented method of claim 1, further comprising determining that the first SSO integration has been successfully repaired by:
    - receiving a request from a user to login to the first third-party service;
      
      using the repaired first SSO integration to attempt to log the user into the first third-party service; and
      
      comparing a login flow sequence of uniform resource locators (URLs) resulting from the attempted login to a baseline login flow sequence of uniform resource locators corresponding to a successful login.
  - 20. The computer-implemented method of claim 1, wherein the SSO integration information enabling automated login to the third-party service comprises:
    - an address of a sign-in page of the third-party service, and information about form fields of the sign-in page.

21. A computer-implemented method performed by an identity management system, the method comprising:
- storing, for each third-party service of a plurality of third-party services, a single sign-on (SSO) integration for the third-party service, the SSO integration comprising information enabling automated login to the third-party service;
  
  for a first one of the third-party services and a corresponding first one of the SSO integrations;
  
  successfully signing in users into accounts of the users on the first one of the third-party services using the first one of the SSO integrations; and
  
  detecting that the first one of the SSO integrations can no longer automatically sign in users into accounts of the users on the first one of the third-party services, the detecting comprising;
  
  attempting login to the first one of the third-party services using incorrect credentials; and
  
  determining, based on output of the attempted login, that the attempted login was legitimate except for the incorrect credentials, the determining comprising;
  
  obtaining a first screenshot of the first third-party service'"'"'s login page before the attempted login;
  
  obtaining a second screenshot of the first third-party service'"'"'s login page after the attempted login; and
  
  comparing visual properties of the first screenshot and second screenshot.
- View Dependent Claims (22, 23)
- - 22. The computer-implemented method of claim 21, wherein comparing the visual properties comprises determining whether the second screenshot includes an additional user interface element not included in the first screenshot.
  - 23. The computer-implemented method of claim 21, wherein comparing the visual properties comprises determining whether the second screenshot includes a given color not included in the first screenshot.

24. A computer-implemented method performed by an identity management system, the method comprising:
- storing, for each third-party service of a plurality of third-party services, a single sign-on (SSO) integration for the third-party service, the SSO integration comprising information enabling automated login to the third-party service;
  
  for a first one of the third-party services and a corresponding first one of the SSO integrations;
  
  successfully signing in users into accounts of the users on the first one of the third-party services using the first one of the SSO integrations; and
  
  detecting that the first one of the SSO integrations can no longer automatically sign in users into accounts of the users on the first one of the third-party services; and
  
  determining that the first one of the SSO integrations can no longer automatically sign in users into accounts of the users on the third-party service due to a change in content of a login page of the first third-party service, based on comparison of a hash value of the login page computed at a time of the detecting and a hash value of the login page computed at a prior time when login into the first third-party service was successful.
- View Dependent Claims (25, 26, 27, 28)
- - 25. The computer-implemented method of claim 24, wherein the detecting comprises:
    - attempting login to the first one of the third-party services using incorrect credentials; and
      
      determining, based on output of the attempted login, that the attempted login was legitimate except for the incorrect credentials.
  - 26. The computer-implemented method of claim 24, wherein the detecting comprises comparing a login flow sequence of uniform resource locators (URLs) resulting from the attempted login to a baseline login flow sequence of uniform resource locators corresponding to a successful login.
  - 27. The computer-implemented method of claim 24, wherein the detecting comprises:
    - determining that a first user has attempted to login to the first third-party service using the first SSO integration multiple times during a given time period.
  - 28. The computer-implemented method of claim 24, wherein the detecting is performed in response to a trigger event, the trigger event is at least one of the group consisting of an explicit request to test the first SSO integration, and expiration of a period of time since a previous test of the first SSO integration.

29. A computer-implemented method performed by an identity management system, the method comprising:
- storing, for each third-party service of a plurality of third-party services, a single sign-on (SSO) integration for the third-party service, the SSO integration comprising information enabling automated login to the third-party service;
  
  for a first one of the third-party services and a corresponding first one of the SSO integrations;
  
  successfully signing in users into accounts of the users on the first one of the third-party services using the first one of the SSO integrations; and
  
  detecting that the first one of the SSO integrations can no longer automatically sign in users into accounts of the users on the first one of the third-party services; and
  
  repairing the first SSO integration responsive to detecting that the first SSO integration can no longer automatically sign in users into accounts of the users on the third-party service, the repairing comprising;
  
  parsing a login page of the first third-party service to identify a submit button that is a closest button in the login page to a password field in the login page; and
  
  storing the identified submit button in the first SSO integration.
- View Dependent Claims (30, 31, 32, 33)
- - 30. The computer-implemented method of claim 29, wherein the detecting comprises:
    - attempting login to the first one of the third-party services using incorrect credentials; and
      
      determining, based on output of the attempted login, that the attempted login was legitimate except for the incorrect credentials.
  - 31. The computer-implemented method of claim 29, wherein the detecting comprises comparing a login flow sequence of uniform resource locators (URLs) resulting from the attempted login to a baseline login flow sequence of uniform resource locators corresponding to a successful login.
  - 32. The computer-implemented method of claim 29, wherein the detecting comprises:
    - determining that a first user has attempted to login to the first third-party service using the first SSO integration multiple times during a given time period.
  - 33. The computer-implemented method of claim 29, wherein the detecting is performed in response to a trigger event, the trigger event is at least one of the group consisting of an explicit request to test the first SSO integration, and expiration of a period of time since a previous test of the first SSO integration.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Okta Incorporated
Original Assignee
Okta Incorporated
Inventors
Child, Reman P., Karaa, Hassen, Gu, Xin, Aguilar-Macias, Hector, Drozdov, Andrew P.
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
MURPHY, JOSEPH B

Application Number

US14/846,706
Publication Number

US 20160080360A1
Time in Patent Office

1,131 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/41   where a single sign-on prov...

H04L 63/0815   providing single-sign-on or...

H04L 67/02   based on web technology, e....

Detection and repair of broken single sign-on integration

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Detection and repair of broken single sign-on integration

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links