Non-intrusive security enforcement for federated single sign-on (SSO)
First Claim
1. A computer-implemented method of non-intrusively enforcing security during federated single sign-on (SSO) authentication without modifying a trust relationship between a service provider (SP) and an identity provider (IDP), the method including:
- establishing the trust relationship between the SP and the IDP by configuring an SSO-uniform resource locator (URL) and a public key of the IDP at the SP and configuring an assertion consumer service (ACS)-URL of the SP at the IDP;
- generating an assertion at the IDP when a user logs into the SP, identifying the SP's ACS-URL in the generated assertion, and digitally signing the generated assertion using an IDP-certificate;
- configuring the IDP to encrypt the signed assertion using a proxy-public key of an assertion proxy and to forward the encrypted assertion to a proxy-URL of the assertion proxy instead of the SP's ACS-URL;
- decrypting the encrypted assertion at the assertion proxy with a complementary proxy-private key and forwarding the decrypted assertion to an ACS of the SP using the SP's ACS-URL identified in the decrypted assertion; and
- preserving, without modifying, the trust relationship between the SP and the IDP by validating the decrypted assertion at the SP using the IDP's public key to establish a federated SSO authenticated session through the assertion proxy.
Abstract
The technology disclosed relates to non-intrusively enforcing security during federated single sign-on (SSO) authentication without modifying a trust relationship between a service provider (SP) and an identity provider (IDP). In particular, it relates to configuring the IDP to use a proxy-URL for forwarding an assertion generated when a user logs into the SP, in place of an assertion consumer service (ACS)-URL of the SP. It also relates to configuring an assertion proxy, at the proxy-URL, to use the SP's ACS-URL for forwarding the assertion to the SP. It further relates to inserting the assertion proxy in between the user's client and an ACS of the SP by forwarding the assertion to the SP's ACS-URL to establish a federated SSO authenticated session through the inserted assertion proxy.
20 Claims
1. A computer-implemented method of non-intrusively enforcing security during federated single sign-on (SSO) authentication without modifying a trust relationship between a service provider (SP) and an identity provider (IDP), the method including:
- establishing the trust relationship between the SP and the IDP by configuring an SSO-uniform resource locator (URL) and a public key of the IDP at the SP and configuring an assertion consumer service (ACS)-URL of the SP at the IDP;
- generating an assertion at the IDP when a user logs into the SP, identifying the SP's ACS-URL in the generated assertion, and digitally signing the generated assertion using an IDP-certificate;
- configuring the IDP to encrypt the signed assertion using a proxy-public key of an assertion proxy and to forward the encrypted assertion to a proxy-URL of the assertion proxy instead of the SP's ACS-URL;
- decrypting the encrypted assertion at the assertion proxy with a complementary proxy-private key and forwarding the decrypted assertion to an ACS of the SP using the SP's ACS-URL identified in the decrypted assertion; and
- preserving, without modifying, the trust relationship between the SP and the IDP by validating the decrypted assertion at the SP using the IDP's public key to establish a federated SSO authenticated session through the assertion proxy.
Dependent claims: 2-12.
13. A computer-implemented method of non-intrusive security enforcement for federated single sign-on (SSO) authentication, the method including:
- establishing a trust relationship between the SP and the IDP by configuring an SSO-uniform resource locator (URL) and a public key of the IDP at the SP and configuring an assertion consumer service (ACS)-URL of the SP at the IDP;
- configuring an identity provider (IDP) to use a proxy-uniform resource locator (URL) for forwarding an assertion that identifies the SP's ACS-URL and is generated when a user logs into a service provider (SP), in place of using the ACS-URL of the SP, and to encrypt the assertion using a proxy-public key;
- configuring an assertion proxy, at the proxy-URL, to use the SP's ACS-URL for forwarding;
- receiving the encrypted assertion at the assertion proxy and decrypting the encrypted assertion with a complementary proxy-private key; and
- preserving, without modifying, the trust relationship between the SP and the IDP by inserting the assertion proxy in between the user's client and an ACS of the SP by forwarding the decrypted assertion to the SP's ACS-URL for the SP to validate the assertion using the IDP's public key and establish a federated single sign-on (SSO) authenticated session through the inserted assertion proxy.
14. A computer-implemented method of non-intrusively enforcing security during federated single sign-on (SSO) authentication without modifying a trust relationship between a service provider (SP) and an identity provider (IDP), the method including:
- establishing the trust relationship between the SP and the IDP by configuring an SSO-uniform resource locator (URL) and a public key of the IDP at the SP and configuring an assertion consumer service (ACS)-URL of the SP at the IDP;
- configuring the IDP to forward an assertion that identifies the SP's ACS-URL and is generated when a user logs into the SP to an assertion proxy instead of an assertion consumer service of the SP;
- evaluating the assertion against one or more security policies using the assertion proxy and forwarding the evaluated assertion to the SP; and
- preserving, without modifying, the trust relationship between the SP and the IDP by validating the evaluated assertion at the SP using the certification of the IDP to establish a federated SSO authenticated session through the assertion proxy.
15. A non-transitory computer readable storage medium impressed with computer program instructions to non-intrusively enforce security during federated single sign-on (SSO) authentication without modifying a trust relationship between a service provider (SP) and an identity provider (IDP), the instructions, when executed on a processor, implementing a method comprising:
- establishing the trust relationship between the SP and the IDP by configuring an SSO-uniform resource locator (URL) and a public key of the IDP at the SP and configuring an assertion consumer service (ACS)-URL of the SP at the IDP;
- generating an assertion at the IDP when a user logs into the SP, identifying the SP's ACS-URL in the generated assertion, and digitally signing the generated assertion using an IDP-certificate;
- configuring the IDP to encrypt the signed assertion using a proxy-public key of an assertion proxy and to forward the encrypted assertion to a proxy-URL of the assertion proxy instead of the SP's ACS-URL;
- decrypting the encrypted assertion at the assertion proxy with a complementary proxy-private key and forwarding the decrypted assertion to an ACS of the SP using the SP's ACS-URL identified in the decrypted assertion; and
- preserving, without modifying, the trust relationship between the SP and the IDP by validating the decrypted assertion at the SP using the IDP's public key to establish a federated SSO authenticated session through the assertion proxy.
16. A non-transitory computer readable storage medium impressed with computer program instructions to conduct non-intrusive security enforcement for federated single sign-on (SSO) authentication, the instructions, when executed on a processor, implementing a method comprising:
- establishing a trust relationship between the SP and the IDP by configuring an SSO-uniform resource locator (URL) and a public key of the IDP at the SP and configuring an assertion consumer service (ACS)-URL of the SP at the IDP;
- configuring an identity provider (IDP) to use a proxy-uniform resource locator (URL) for forwarding an assertion that identifies the SP's ACS-URL and is generated when a user logs into a service provider (SP), in place of using the ACS-URL of the SP, and to encrypt the assertion using a proxy-public key;
- configuring an assertion proxy, at the proxy-URL, to use the SP's ACS-URL for forwarding;
- receiving the encrypted assertion at the assertion proxy and decrypting the encrypted assertion with a complementary proxy-private key; and
- preserving, without modifying, the trust relationship between the SP and the IDP by inserting the assertion proxy in between the user's client and an ACS of the SP by forwarding the decrypted assertion to the SP's ACS-URL for the SP to validate the assertion using the IDP's public key and establish a federated single sign-on (SSO) authenticated session through the inserted assertion proxy.
17. A non-transitory computer readable storage medium impressed with computer program instructions to non-intrusively enforce security during federated single sign-on (SSO) authentication without modifying a trust relationship between a service provider (SP) and an identity provider (IDP), the instructions, when executed on a processor, implementing a method comprising:
- establishing the trust relationship between the SP and the IDP by configuring an SSO-uniform resource locator (URL) and a public key of the IDP at the SP and configuring an assertion consumer service (ACS)-URL of the SP at the IDP;
- configuring the IDP to forward an assertion that identifies the SP's ACS-URL and is generated when a user logs into the SP to an assertion proxy instead of an assertion consumer service of the SP;
- evaluating the assertion against one or more security policies using the assertion proxy and forwarding the evaluated assertion to the SP; and
- preserving, without modifying, the trust relationship between the SP and the IDP by validating the evaluated assertion at the SP using the certification of the IDP to establish a federated SSO authenticated session through the assertion proxy.
18. A system including one or more processors coupled to memory, the memory loaded with computer instructions, the instructions, when executed on the processors, implementing a method including:
- establishing the trust relationship between the SP and the IDP by configuring an SSO-uniform resource locator (URL) and a public key of the IDP at the SP and configuring an assertion consumer service (ACS)-URL of the SP at the IDP;
- generating an assertion at the IDP when a user logs into the SP, identifying the SP's ACS-URL in the generated assertion, and digitally signing the generated assertion using an IDP-certificate;
- configuring the IDP to encrypt the signed assertion using a proxy-public key of an assertion proxy and to forward the encrypted assertion to a proxy-URL of the assertion proxy instead of the SP's ACS-URL;
- decrypting the encrypted assertion at the assertion proxy with a complementary proxy-private key and forwarding the decrypted assertion to an ACS of the SP using the SP's ACS-URL identified in the decrypted assertion; and
- preserving, without modifying, the trust relationship between the SP and the IDP by validating the decrypted assertion at the SP using the IDP's public key to establish a federated SSO authenticated session through the assertion proxy.
19. A system including one or more processors coupled to memory, the memory loaded with computer instructions, the instructions, when executed on the processors, implementing a method including:
- establishing a trust relationship between the SP and the IDP by configuring an SSO-uniform resource locator (URL) and a public key of the IDP at the SP and configuring an assertion consumer service (ACS)-URL of the SP at the IDP;
- configuring an identity provider (IDP) to use a proxy-uniform resource locator (URL) for forwarding an assertion that identifies the SP's ACS-URL and is generated when a user logs into a service provider (SP), in place of using the ACS-URL of the SP, and to encrypt the assertion using a proxy-public key;
- configuring an assertion proxy, at the proxy-URL, to use the SP's ACS-URL for forwarding;
- receiving the encrypted assertion at the assertion proxy and decrypting the encrypted assertion with a complementary proxy-private key; and
- preserving, without modifying, the trust relationship between the SP and the IDP by inserting the assertion proxy in between the user's client and an ACS of the SP by forwarding the decrypted assertion to the SP's ACS-URL for the SP to validate the assertion using the IDP's public key and establish a federated single sign-on (SSO) authenticated session through the inserted assertion proxy.
20. A system including one or more processors coupled to memory, the memory loaded with computer instructions, the instructions, when executed on the processors, implementing a method including:
- establishing the trust relationship between the SP and the IDP by configuring an SSO-uniform resource locator (URL) and a public key of the IDP at the SP and configuring an assertion consumer service (ACS)-URL of the SP at the IDP;
- configuring the IDP to forward an assertion that identifies the SP's ACS-URL and is generated when a user logs into the SP to an assertion proxy instead of an assertion consumer service of the SP;
- evaluating the assertion against one or more security policies using the assertion proxy and forwarding the evaluated assertion to the SP; and
- preserving, without modifying, the trust relationship between the SP and the IDP by validating the evaluated assertion at the SP using the certification of the IDP to establish a federated SSO authenticated session through the assertion proxy.
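As an added example (not the patent's or any product's code), the Python model below walks the flow the claims describe end to end: the IDP signs an assertion that names the SP's ACS-URL and encrypts it for the proxy; the proxy decrypts it, checks that the named ACS-URL is one it fronts, evaluates a security policy, and forwards; the SP validates the IDP's signature. Textbook RSA over small constructed primes and a SHA-256 keystream stand in for the IDP certificate, the proxy key pair, XML-DSig and XML-Enc, and every URL, prime and helper name is an assumption.

```python
# Added example, not the patent's or any product's code. Textbook RSA with small
# constructed primes and a SHA-256 keystream stand in for the IDP certificate,
# the proxy key pair, XML-DSig and XML-Enc: insecure, but it shows which party
# holds which key and which check each hop performs.
import hashlib, json, os

def toy_keypair(p, q, e=65537):              # -> (public, private)
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))
def digest_int(data, n):                      # hash-then-reduce, toy only
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n
def sign(priv, data):                         # IDP signs with its private key
    return pow(digest_int(data, priv[0]), priv[1], priv[0])
def verify(pub, data, sig):                   # SP validates with the IDP public key
    return pow(sig, pub[1], pub[0]) == digest_int(data, pub[0])
def keystream(k, length):                     # SHA-256 counter stream for XOR
    return b"".join(hashlib.sha256(k.to_bytes(8, "big") + i.to_bytes(4, "big")).digest()
                    for i in range(length // 32 + 1))[:length]
def encrypt_for_proxy(proxy_pub, pt):         # IDP: RSA-wrap a session key, XOR body
    n, e = proxy_pub
    k = int.from_bytes(os.urandom(4), "big") % n
    return pow(k, e, n), bytes(a ^ b for a, b in zip(pt, keystream(k, len(pt))))
def decrypt_at_proxy(proxy_priv, wrapped, ct):
    n, d = proxy_priv
    k = pow(wrapped, d, n)
    return bytes(a ^ b for a, b in zip(ct, keystream(k, len(ct))))

IDP_PUB, IDP_PRIV = toy_keypair(104723, 104729)   # constructed toy primes
PROXY_PUB, PROXY_PRIV = toy_keypair(999983, 1000003)
SP_ACS_URL = "https://sp.example/saml/acs"        # assumed ACS-URL configured at the IDP
KNOWN_ACS = {SP_ACS_URL}                          # ACS-URLs of the SPs this proxy fronts

def idp_issue(user, acs_url=SP_ACS_URL):
    # generate and sign an assertion naming the SP's ACS-URL, then encrypt it for the proxy
    body = json.dumps({"subject": user, "recipient": acs_url}, sort_keys=True)
    env = json.dumps({"body": body, "sig": sign(IDP_PRIV, body.encode())})
    return encrypt_for_proxy(PROXY_PUB, env.encode())

def proxy_forward(wrapped, ct, policy=lambda a: True):
    # decrypt, enforce policy, and return the ACS-URL read from the assertion itself
    env = json.loads(decrypt_at_proxy(PROXY_PRIV, wrapped, ct))
    assertion = json.loads(env["body"])
    if assertion["recipient"] not in KNOWN_ACS:
        raise ValueError("assertion names an ACS-URL this proxy does not front")
    if not policy(assertion):
        raise PermissionError("blocked by proxy security policy")
    return assertion["recipient"], env

def sp_validate(env):                             # SP's ACS: the IDP signature must verify
    return verify(IDP_PUB, env["body"].encode(), env["sig"])
```

Because the SP still validates the IDP's signature over the forwarded body, any change the proxy made to the assertion would fail validation, which is what keeps the SP-IDP trust relationship unmodified.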
Specification