System and method for proxying federated authentication protocols

US 10,200,368 B2
Filed: 10/06/2016
Issued: 02/05/2019
Est. Priority Date: 02/22/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

at a proxy server;

emulating an identity provider in a first instance of a federated authentication protocol based on a service provider identity request;

emulating a service provider in a second instance to thereby transmit a proxy identity request;

wherein the first instance of a federated authentication protocol is a first type of protocol, wherein the second instance of a federated authentication protocol is a second type of protocol, and wherein the first and second type of protocol are not the same;

executing a second layer of authentication; and

determining, at the proxy server, an identity assertion.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method that include receiving a service provider identity request through a federated authentication protocol; transmitting a proxy identity request to a configured identity provider; receiving an identity assertion; facilitating execution of a second layer of authentication; determining a proxy identity assertion based on the identity assertion and the second layer of authentication; and transmitting the proxy identity assertion to the service provider.

Citations

23 Claims

1. A method comprising:
- at a proxy server;
  
  emulating an identity provider in a first instance of a federated authentication protocol based on a service provider identity request;
  
  emulating a service provider in a second instance to thereby transmit a proxy identity request;
  
  wherein the first instance of a federated authentication protocol is a first type of protocol, wherein the second instance of a federated authentication protocol is a second type of protocol, and wherein the first and second type of protocol are not the same;
  
  executing a second layer of authentication; and
  
  determining, at the proxy server, an identity assertion.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein determining the identity assertion is based on (1) a successful identity assertion and (2) a successful execution of the second layer of authentication.
  - 3. The method of claim 1, wherein the transmitted proxy identity request is received at the identity provider;
    - andwherein the method further comprises;
      
      transmitting, from the identity provider, the identity assertion to the service provider emulated at the proxy server.
  - 4. The method of claim 3, wherein the service provider originates the service provider identity request and the service provider identity request is received at the proxy server;
    - andwherein the method further comprises;
      
      transmitting, from the identity provider emulated at the proxy server, the proxy identity assertion to the service provider.
  - 5. The method of claim 1, further comprising, in association with a managing account instance, configuring the first instance of a federated authentication protocol and the second instance of a federated authentication protocol;
    - and prior to transmitting the proxy identity request, selecting the second instance according to an identifier of the managing account from the first instance.
  - 6. The method of claim 1, wherein the federated authentication protocol of the first instance and the second instance is a security assertion markup language protocol (SAML).
  - 7. The method of claim 1, wherein the federated authentication protocol of the first and second instance is an OpenID Connect protocol.
  - 8. The method of claim 1, further comprising translating attributes between the first type of protocol and the second type of protocol.
  - 9. The method of claim 8, wherein the second type of protocol is a lightweight directory access protocol (LDAP).
  - 10. The method of claim 8, wherein translating attributes between the first type of protocol and the second type of protocol comprises translating from attributes of a security assertion markup authentication protocol (SAML) and scopes of an OpenID Connect protocol.
  - 11. The method of claim 1, wherein the proxy server installed within an internal network, and wherein the execution of the second layer of authentication is performed within the internal network.
  - 12. The method of claim 1, wherein the proxy server is of a multi-tenant service of second layer authentication service, and wherein the execution of the second layer of authentication is performed by the proxy server.
  - 13. The method of claim 1, wherein executing the second layer of authentication comprises authenticating the identity request with a secondary device associated with an identity of the identity request.
  - 14. The method of claim 1, wherein transmitting the proxy identity request comprises transmitting the proxy identity request to the identity provider if the second layer of authentication is determined to be successful;
    - and if the second layer of authentication is determined to be unsuccessful, transmitting a failed proxy identity assertion to the service provider.

15. A method for single sign-on comprising:
- configuring a first instance and a second instance of a federated authentication protocol;
  
  receiving an identity assertion through the first instance federated identity protocol;
  
  executing a second layer of authentication;
  
  emulating, in a second instance of a federated authentication protocol, an identity provider to thereby transmit a proxy identity assertion;
  
  in association with a managing account instance, configuring the first instance of a federated authentication protocol and the second instance of a federated authentication protocol; and
  
  prior to transmitting the proxy identity assertion, selecting the second instance according to an identifier of the managing account from the first instance.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The method of claim 15, wherein the first instance and second instance are different types of federated authentication protocols, and further comprising translating attributes between the first type of protocol and the second type of protocol.
  - 17. The method of claim 15, further comprising if the second layer of authentication is unsuccessful returning an error message to the identity provider.
  - 18. The method of claim 17, wherein the federated authentication proxy server is hosted in an internal network with an identity provider.
  - 19. The method of claim 15, wherein the first instance of a federated authentication protocol is a protocol of claim-based access control authorization of an active directory federation service.

20. A system comprising:
- a federated authentication proxy server that comprises;
  
  an identity provider interface that emulates an identity provider through a federated authentication protocol in a first instance,a service provider emulator that emulates a service provider through a federated authentication protocol in a second instance,a translation module that communicatively translates identity requests and identity assertions processed within the identity provider interface and the service provider emulator,a second layer authentication engine, andan account system with stored configuration of at least one managing account that includes configuration of the first instance of the federated authentication protocol, the second instance of the federated authentication protocol; and
  
  second layer of authentication settings of at least one identity associated with the managing account.
- View Dependent Claims (21, 22)
- - 21. The method of claim 20, wherein the translation module includes translation rules to translate between a security assertion markup language protocol and an Open ID Connect protocol.
  - 22. The method of claim 20, further comprising a two-factor authentication web service integrated with the second layer authentication engine;
    - and wherein the federated authentication proxy server is hosted in the two-factor authentication web service.

23. A system comprising:
- a federated authentication proxy server that comprises;
  
  an identity provider interface that emulates an identity provider through a federated authentication protocol in a first instance,a service provider emulator that emulates a service provider through a federated authentication protocol in a second instance,a second layer authentication engine,a two-factor authentication web service integrated with the second layer authentication engine, wherein the federated authentication proxy server is hosted in the two-factor authentication web service, andan account system with stored configuration of at least one managing account that includes configuration of the first instance of the federated authentication protocol, the second instance of the federated authentication protocol; and
  
  second layer of authentication settings of at least one identity associated with the managing account.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Duo Security Incorporated (Cisco Systems, Inc.)
Inventors
Oberheide, Jon, Song, Douglas
Primary Examiner(s)
Song, Hosuk

Application Number

US15/286,993
Publication Number

US 20170026374A1
Time in Patent Office

852 Days
Field of Search

726 1- 8, 713150-152, 713155, 713168-170
US Class Current
CPC Class Codes

H04L 63/0815 providing single-sign-on or...

H04L 63/0884 by delegation of authentica...

System and method for proxying federated authentication protocols

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for proxying federated authentication protocols

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links