Proxy authentication for single sign-on
First Claim
1. A computing apparatus for providing a network gateway, comprising:
- a hardware platform comprising at least a processor;
- a service database comprising authentication credentials, wherein the authentication credentials are owned by the network gateway and not by an end user;
- a first network interface configured to communicatively couple the gateway to a network service;
- a second network interface configured to communicatively couple the gateway to a client device; and
- one or more logic elements implemented on the hardware platform and comprising an authentication proxy engine configured to:
  - intercept via the second network interface a request from the client device to access the network service;
  - determine that the intercepted request requires form-based authentication of the client device or a user of the client device;
  - receive a data page requiring form-based authentication from the network service;
  - inject a script into a modified data page from the network service, the script configured to detect a login action;
  - receive the detected login action from the script, the login action including profile login data and authentication for the client device or a user of the client device;
  - extract the authentication credentials from the service database, the authentication credentials comprising a password for the user or the client device; and
  - provide authentication data to the network service via the first network interface comprising filling in the form-based authentication.
Abstract
In an example, a web gateway is described, including an authentication proxy engine (PAE). The PAE authenticates a user device via, for example, a username and password, biometric data, or two-factor authentication. The web gateway then provides seamless and transparent single sign-on (SSO) for one or more web services. When the user requests a web page from the web service, the PAE inserts custom code that detects a login action. When the user logs in, a one-time token may be provided to auto-fill the username and password field. When the user submits the form, the PAE provides the actual credentials to the web service. The PAE may also provide authentication via authentication headers.
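As an added illustration of the flow the abstract and claims describe (example code written for this page, not code from the patent or its assignee): the gateway recognises a form-based login page, injects a detector script that carries a one-time token, and when the login action comes back it swaps the token for the credentials held in its own service database, so the end user never sees the real password. The class and function names, the script body, the sample page and the sample database are assumptions.

```python
import re
import secrets
from urllib.parse import parse_qs

# Constructed sample of the gateway-owned service database (claim 1), keyed by service host.
SERVICE_DB = {"app.example.test": {"username": "svc-account", "password": "gateway-held-secret"}}

# Constructed sample login page as the network service would return it.
LOGIN_PAGE = ('<html><body><form method="post" action="/login"><input name="user">'
              '<input name="pass" type="password"><button>Sign in</button></form></body></html>')

# Hypothetical injected detector: on submit it puts the one-time token into the
# password field, so the browser never needs the real secret.
LOGIN_SCRIPT_BODY = ("var t=document.currentScript.dataset.paeToken;"
                     "document.forms[0].addEventListener('submit',function(){"
                     "document.querySelector('input[type=password]').value=t;});")


def requires_form_auth(page: str) -> bool:
    """Claim step: a response needs form-based authentication if it has a password input."""
    return re.search(r'<input[^>]+type="password"', page) is not None


class AuthProxyEngine:
    """Minimal model of the PAE flow: inject script, mint token, substitute credentials."""

    def __init__(self, service_db):
        self.db = service_db
        self.tokens = {}  # one-time token -> service host it was issued for

    def rewrite_page(self, host, page):
        """Return the modified data page carrying the detector script, plus the token."""
        if host not in self.db or not requires_form_auth(page):
            return page, None  # not a login page we vault for: pass through unchanged
        token = secrets.token_urlsafe(16)
        self.tokens[token] = host
        script = f'<script data-pae-token="{token}">{LOGIN_SCRIPT_BODY}</script>'
        return page.replace("</body>", script + "</body>"), token

    def handle_login_action(self, host, form_body):
        """Swap the token for the gateway-owned credentials; None if the token is
        unknown, already used, or was issued for a different service."""
        fields = {k: v[0] for k, v in parse_qs(form_body).items()}
        if self.tokens.pop(fields.get("pass"), None) != host:
            return None
        creds = self.db[host]
        return {**fields, "user": creds["username"], "pass": creds["password"]}
```

The token is consumed on first use, so a replayed or cross-service login action is rejected instead of being filled with the vaulted password.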
25 Claims
1. A computing apparatus for providing a network gateway (independent claim; full text given under First Claim above). Dependent claims: 2-13.
14. One or more non-transitory computer-readable mediums having stored thereon executable instructions for providing a proxy engine configured to:
- intercept a request for a network service from a client device to access the network service;
- determine that the intercepted request requires form-based authentication of the client device or a user of the client device;
- receive a data page requiring form-based authentication from the network service;
- inject a script into a modified data page from the network service, the script configured to detect a login action;
- receive the detected login action from the script, the login action including profile login data and authentication for the client device or a user of the client device;
- extract authentication credentials from a service database, the authentication credentials comprising a password for the user or the client device, wherein the authentication credentials are owned by a network gateway and not by an end user;
- provide authentication data to the network service via a first network interface comprising filling in the form-based authentication;
- receive an authentication validation from a network service via a first network interface; and
- provide the authentication validation to the client device via a second network interface.

Dependent claims: 15-23.
24. A method of providing a proxy engine, comprising:
- communicatively coupling to a network service via a first network interface;
- authenticating a client device via a second network interface;
- receiving a login request from the client device via the second network interface;
- intercepting via the second network interface a request from the client device to access the network service;
- determining that the intercepted request requires form-based authentication of the client device or a user of the client device;
- receiving a data page requiring form-based authentication from the network service;
- injecting a script into a modified data page from the network service, the script configured to detect a login action;
- receiving the detected login action from the script, the login action including profile login data and authentication for the client device or a user of the client device;
- extracting authentication credentials from a service database, the authentication credentials comprising a password for the user or the client device, wherein the authentication credentials are owned by a network gateway and not by an end user; and
- providing authentication data to the network service via the first network interface comprising filling in the form-based authentication.

Dependent claims: 25.
Specification