System and method for securing authentication information in a networked environment

US 10,277,566 B2
Filed: 06/14/2017
Issued: 04/30/2019
Est. Priority Date: 07/03/2013
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a remote service comprising instructions on a non-transitory computer for executing on a processor of a computing device coupled to a network, the instructions for;

in response to an access over the network to the remote service operated by a first party from a client device operated by a second party, providing an authentication module and a public key from the remote service to the client device operated by the second party over the network, the authentication module for encrypting original authentication information provided by the first party at the client device with the public key to generate encrypted authentication information;

receiving the encrypted authentication information from the client device operated by the second party at the remote service operated by the first party over the network;

providing, over the network, the encrypted authentication information to an on-premises component behind a firewall of an enterprise operated by a third party distinct from the first party, wherein the enterprise is one of a plurality of enterprises and the public key is one a plurality of public keys, each enterprise of the plurality of enterprises having an associated public key of the plurality of public keys stored at the remote service; and

receiving a result of a validation from the on-premises component of the enterprise operated by the third party at the remote service operated by the first party over the network, wherein the on-premises component determines the result of the validation by decrypting the provided encrypted authentication information using a private key corresponding to the public key provided by the remote service operated by the second party to obtain the original authentication information, performing the validation on the original authentication information, and returning the result of the validation to the remote service over a network.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This disclosure is directed to systems and methods for securely communicating authentication information in a networked environment such as one involving a client device, a cloud based computing platform, and an enterprise computing environment. Some embodiments may include encrypting, by a client device using a public key, authentication information provided by a user. The encrypted authentication information is sent to a cloud based service which then sends it to an on-premises component residing behind a firewall of an enterprise. The on-premises component decrypts the authentication information using a private key, validates the authentication information, and returns the result to the cloud based service over a network. If validated, the cloud based service establishes a secure connection between the client device and the on-premises component such that the user can access the enterprise'"'"'s content without the enterprise having to share the authentication information with the cloud based service.

15 Citations

18 Claims

1. A system, comprising:
- a remote service comprising instructions on a non-transitory computer for executing on a processor of a computing device coupled to a network, the instructions for;
  
  in response to an access over the network to the remote service operated by a first party from a client device operated by a second party, providing an authentication module and a public key from the remote service to the client device operated by the second party over the network, the authentication module for encrypting original authentication information provided by the first party at the client device with the public key to generate encrypted authentication information;
  
  receiving the encrypted authentication information from the client device operated by the second party at the remote service operated by the first party over the network;
  
  providing, over the network, the encrypted authentication information to an on-premises component behind a firewall of an enterprise operated by a third party distinct from the first party, wherein the enterprise is one of a plurality of enterprises and the public key is one a plurality of public keys, each enterprise of the plurality of enterprises having an associated public key of the plurality of public keys stored at the remote service; and
  
  receiving a result of a validation from the on-premises component of the enterprise operated by the third party at the remote service operated by the first party over the network, wherein the on-premises component determines the result of the validation by decrypting the provided encrypted authentication information using a private key corresponding to the public key provided by the remote service operated by the second party to obtain the original authentication information, performing the validation on the original authentication information, and returning the result of the validation to the remote service over a network.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The system of claim 1, wherein the encrypted authentication information is provided to the on-premises component behind the firewall of the enterprise operated by the third party in response to a communication from the on-premises component.
  - 3. The system of claim 1, wherein the access includes a request comprising an identification of the enterprise, and the remote service determines the public key based on an association between the public key and the identification of the enterprise.
  - 4. The system of claim 3, wherein the public key for the enterprise is established at the remote service by the enterprise through the on-premises component.
  - 5. The system of claim 1, wherein the result is signed by the on-premises component using the private key such that the remote service operated by the second party can verify the result was sent by the on-premises component behind a firewall of the enterprise operated by the third party.
  - 6. The system of claim 1, wherein the on-premises component utilizes the original authentication information or the encrypted authentication information to access a service external to the enterprise.

7. A non-transitory computer readable media storing instructions executable on a processor for:
- in response to an access over a network to a remote service operated by a first party from a client device operated by a second party, providing an authentication module and a public key from the remote service to the client device operated by the second party over the network, the authentication module for encrypting original authentication information provided by the first party at the client device with the public key to generate encrypted authentication information;
  
  receiving the encrypted authentication information from the client device operated by the second party at the remote service operated by the first party over the network;
  
  providing, over the network, the encrypted authentication information to an on-premises component behind a firewall of an enterprise operated by a third party distinct from the first party, wherein the enterprise is one of a plurality of enterprises and the public key is one a plurality of public keys, each enterprise of the plurality of enterprises having an associated public key of the plurality of public keys stored at the remote service; and
  
  receiving a result of a validation from the on-premises component of the enterprise operated by the third party at the remote service operated by the first party over the network, wherein the on-premises component determines the result of the validation by decrypting the provided encrypted authentication information using a private key corresponding to the public key provided by the remote service operated by the second party to obtain the original authentication information, performing the validation on the original authentication information, and returning the result of the validation to the remote service over a network.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The non-transitory computer readable media of claim 7, wherein the encrypted authentication information is provided to the on-premises component behind the firewall of the enterprise operated by the third party in response to a communication from the on-premises component.
  - 9. The non-transitory computer readable media of claim 7, wherein the access includes a request comprising an identification of the enterprise, and the remote service determines the public key based on an association between the public key and the identification of the enterprise.
  - 10. The non-transitory computer readable media of claim 9, wherein the public key for the enterprise is established at the remote service by the enterprise through the on-premises component.
  - 11. The non-transitory computer readable media of claim 7, wherein the result is signed by the on-premises component using the private key such that the remote service operated by the second party can verify the result was sent by the on-premises component behind a firewall of the enterprise operated by the third party.
  - 12. The non-transitory computer readable media of claim 7, wherein the on-premises component utilizes the original authentication information or the encrypted authentication information to access a service external to the enterprise.

13. A method, comprising:
- in response to an access over a network to a remote service operated by a first party from a client device operated by a second party, providing an authentication module and a public key from the remote service to the client device operated by the second party over the network, the authentication module for encrypting original authentication information provided by the first party at the client device with the public key to generate encrypted authentication information;
  
  receiving the encrypted authentication information from the client device operated by the second party at the remote service operated by the first party over the network;
  
  providing, over the network, the encrypted authentication information to an on-premises component behind a firewall of an enterprise operated by a third party distinct from the first party, wherein the enterprise is one of a plurality of enterprises and the public key is one a plurality of public keys, each enterprise of the plurality of enterprises having an associated public key of the plurality of public keys stored at the remote service;
  
  receiving a result of a validation from the on-premises component of the enterprise operated by the third party at the remote service operated by the first party over the network, wherein the on-premises component determines the result of the validation by decrypting the provided encrypted authentication information using a private key corresponding to the public key provided by the remote service operated by the second party to obtain the original authentication information, performing the validation on the original authentication information, and returning the result of the validation to the remote service over a network.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The method of claim 13, wherein the encrypted authentication information is provided to the on-premises component behind the firewall of the enterprise operated by the third party in response to a communication from the on-premises component.
  - 15. The method of claim 13, wherein the access includes a request comprising an identification of the enterprise, and the remote service determines the public key based on an association between the public key and the identification of the enterprise.
  - 16. The method of claim 15, wherein the public key for the enterprise is established at the remote service by the enterprise through the on-premises component.
  - 17. The method of claim 13, wherein the result is signed by the on-premises component using the private key such that the remote service operated by the second party can verify the result was sent by the on-premises component behind a firewall of the enterprise operated by the third party.
  - 18. The method of claim 13, wherein the on-premises component utilizes the original authentication information or the encrypted authentication information to access a service external to the enterprise.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SailPoint Technologies, Inc. (SailPoint Technologies Holdings, Inc.)
Original Assignee
SailPoint Technologies, Inc. (SailPoint Technologies Holdings, Inc.)
Inventors
Forster, Craig Robert William, Greff, Daniel Thomas, Chow, Crandall B. T., Goldenburg, Phillip
Primary Examiner(s)
Turchen, James R

Application Number

US15/623,135
Publication Number

US 20170289116A1
Time in Patent Office

685 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/31   User authentication

G06F 2221/2115   Third party

H04L 63/0272   Virtual private networks

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/0428   wherein the data content is...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/08   for authentication of entit...

H04L 9/30   Public key, i.e. encryption...

System and method for securing authentication information in a networked environment

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

15 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for securing authentication information in a networked environment

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

15 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links