Proxy authentication for single sign-on

US 10,554,624 B2
Filed: 09/25/2014
Issued: 02/04/2020
Est. Priority Date: 09/25/2013
Status: Active Grant

First Claim

Patent Images

1. A computing apparatus for providing a network gateway, comprising:

a hardware platform comprising at least a processor;

a service database comprising authentication credentials, wherein the authentication credentials are owned by the network gateway and not by an end user;

a first network interface configured to communicatively couple the gateway to a network service;

a second network interface configured to communicatively couple the gateway to a client device; and

one or more logic elements implemented on the hardware platform and comprising an authentication proxy engine configured to;

intercept via the second network interface a request from the client device to access the network service;

determine that the intercepted request requires form-based authentication of the client device or a user of the client device;

receive a data page requiring form-based authentication from the network service;

inject a script into a modified data page from the network service, the script configured to detect a login action;

receive the detected login action from the script, the login action including profile login data and authentication for the client device or a user of the client device;

extract the authentication credentials from the service database, the authentication credentials comprising a password for the user or the client device; and

provide authentication data to the network service via the first network interface comprising filling in the form-based authentication.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In an example, a web gateway is described, including an authentication proxy engine (PAE). The PAE authenticates a user device via, for example, a username and password, biometric data, or two-factor authentication. The web gateway then provides seamless and transparent single sign-on (SSO) for one or more web services. When the user requests a web page from the web service, the PAE inserts custom code that detects a login action. When the user logs in, a one-time token may be provided to auto-fill the username and password field. When the user submits the form, the PAE provides the actual credentials to the web service. The PAE may also provide authentication via authentication headers.

28 Citations

View as Search Results

25 Claims

1. A computing apparatus for providing a network gateway, comprising:
- a hardware platform comprising at least a processor;
  
  a service database comprising authentication credentials, wherein the authentication credentials are owned by the network gateway and not by an end user;
  
  a first network interface configured to communicatively couple the gateway to a network service;
  
  a second network interface configured to communicatively couple the gateway to a client device; and
  
  one or more logic elements implemented on the hardware platform and comprising an authentication proxy engine configured to;
  
  intercept via the second network interface a request from the client device to access the network service;
  
  determine that the intercepted request requires form-based authentication of the client device or a user of the client device;
  
  receive a data page requiring form-based authentication from the network service;
  
  inject a script into a modified data page from the network service, the script configured to detect a login action;
  
  receive the detected login action from the script, the login action including profile login data and authentication for the client device or a user of the client device;
  
  extract the authentication credentials from the service database, the authentication credentials comprising a password for the user or the client device; and
  
  provide authentication data to the network service via the first network interface comprising filling in the form-based authentication.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The computing apparatus of claim 1, wherein the proxy engine is further configured to:
    - receive an authentication validation from the network service via the first network interface; and
      
      provide the authentication validation to the client device via the second network interface.
  - 3. The computing apparatus of claim 1, wherein the proxy engine is further configured to:
    - receive a request for a data page from the client device via the second network interface;
      
      receive the data page from the network service via the first network interface; and
      
      forward the data page to the client device via the second network interface.
  - 4. The computing apparatus of claim 3, wherein the proxy engine is further configured to modify the data page request by inserting an authentication header into the data page.
  - 5. The computing apparatus of claim 3, wherein the proxy engine is further configured to modify the data page before forwarding the data page.
  - 6. The computing apparatus of claim 5, wherein modifying the data page comprises inserting instructions for detecting and intercepting a login action.
  - 7. The computing apparatus of claim 5, wherein the data page comprises a username or password field, and wherein modifying the data page comprises inserting a one-time random or pseudo-random token into the username or password field.
  - 8. The computing apparatus of claim 1, wherein the proxy engine is further configured to authenticate the client device via the second network interface.
  - 9. The computing apparatus of claim 8, wherein authenticating the client device comprises receiving biometric authentication data from the client device.
  - 10. The computing apparatus of claim 8, wherein authenticating the client device comprises two-factor authentication.
  - 11. The computing apparatus of claim 1, wherein the proxy engine is further configured to provide a token to the client device via the second network interface, wherein the token is different from the form-based authentication data.
  - 12. The computing apparatus of claim 11, wherein the token comprises a pseudo-username or pseudo-password.
  - 13. The computing apparatus of claim 1, wherein the proxy engine is further configured to provide a learning mode.

14. One or more non-transitory computer-readable mediums having stored thereon executable instructions for providing a proxy engine configured to:
- intercept a request for a network service from a client device to access the network service;
  
  determine that the intercepted request requires form-based authentication of the client device or a user of the client device;
  
  receive a data page requiring form-based authentication from the network service;
  
  inject a script into a modified data page from the network service, the script configured to detect a login action;
  
  receive the detected login action from the script, the login action including profile login data and authentication for the client device or a user of the client device;
  
  extract authentication credentials from a service database, the authentication credentials comprising a password for the user or the client device, wherein the authentication credentials are owned by a network gateway and not by an end user;
  
  provide authentication data to the network service via a first network interface comprising filling in the form-based authentication;
  
  receive an authentication validation from a network service via a first network interface; and
  
  provide the authentication validation to the client device via a second network interface.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 15. The one or more non-transitory computer-readable mediums of claim 14, wherein the proxy engine is further configured to:
    - receive a request for a data page from the client device via the second network interface;
      
      receive the data page from the network service via the first network interface; and
      
      forward the data page to the client device via the second network interface.
  - 16. The one or more non-transitory computer-readable mediums of claim 15, wherein the proxy engine is further configured to modify the data page request, comprising inserting an authentication header into the data page.
  - 17. The one or more non-transitory computer-readable mediums of claim 15, wherein the proxy engine is further configured to modify the data page before forwarding the data page.
  - 18. The one or more non-transitory computer-readable mediums of claim 17, wherein modifying the data page comprises inserting instructions for detecting and intercepting a login action.
  - 19. The one or more non-transitory computer-readable mediums of claim 17, wherein the data page comprises a username or password field, and wherein modifying the data page comprises inserting a one-time random or pseudo-random token into the username or password field.
  - 20. The one or more non-transitory computer-readable mediums of claim 14, wherein the proxy engine is further configured to authenticate the client device via the second network interface.
  - 21. The one or more non-transitory computer-readable mediums of claim 20, wherein authenticating the client device comprises receiving biometric authentication data from the client device or two-factor authentication.
  - 22. The one or more non-transitory computer-readable mediums of claim 14, wherein the proxy engine is further configured to provide a token to the client device via the second network interface, wherein the token is different from the form-based authentication data.
  - 23. The one or more non-transitory computer-readable mediums of claim 22, wherein the token comprises a pseudo-username or pseudo-password.

24. A method of providing a proxy engine, comprising:
- communicatively coupling to a network service via a first network interface;
  
  authenticating a client device via a second network interface;
  
  receiving a login request from the client device via the second network interface;
  
  intercepting via the second network interface a request from the client device to access the network service;
  
  determining that the intercepted request requires form-based authentication of the client device or a user of the client device;
  
  receiving a data page requiring form-based authentication from the network service;
  
  injecting a script into a modified data page from the network service, the script configured to detect a login action;
  
  receiving the detected login action from the script, the login action including profile login data and authentication for the client device or a user of the client device;
  
  extracting authentication credentials from a service database, the authentication credentials comprising a password for the user or the client device, wherein the authentication credentials are owned by a network gateway and not by an end user; and
  
  providing authentication data to the network service via the first network interface comprising filling in the form-based authentication.
- View Dependent Claims (25)
- - 25. The method of claim 24, wherein authenticating the client device comprises biometric authentication or two-factor authentication.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, LLC
Inventors
Ott, Alexey, Homann, Ulrich, Schnellbaecher, Jan F.
Primary Examiner(s)
Schmidt, Kari L

Application Number

US14/912,453
Publication Number

US 20160205089A1
Time in Patent Office

1,958 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0281   Proxies

H04L 63/0815   providing single-sign-on or...

H04L 63/083   using passwords cryptograph...

H04L 63/0861   using biometrical features,...

H04L 63/18   using different networks or...

H04L 9/32   including means for verifyi...

Proxy authentication for single sign-on

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

28 Citations

25 Claims

Specification

Use Cases

Quick Links

Others

Proxy authentication for single sign-on

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

28 Citations

25 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others