Enforcing restrictions on third-party accounts

US 10,560,435 B2
Filed: 02/28/2017
Issued: 02/11/2020
Est. Priority Date: 06/13/2013
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving, via an authentication management service executed by at least one of one or more computing devices with memory, a request from a client to access account credentials for a network site;

determining, via the authentication management service, that the client corresponds to a user in an organization and the network site corresponds to a third-party network site under management by the organization, the third-party network site being operated by a third party that does not correspond to the organization;

determining, via the authentication management service, whether network traffic between the client and the third-party network site is routed via a proxy server application operated by the organization; and

denying, via the authentication management service, access of the client to a managed account with the third-party network site in response to determining that the network traffic between the client and the third-party network site is not routed via the proxy server application, wherein denying access of the client to the managed account comprises refraining from providing a security credential of the managed account to the client.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed are various embodiments for management of third-party accounts for users in an organization. A request is received from a client corresponding to a user in an organization to access a third-party network site under management by the organization. The third-party network site is operated by a third party that does not correspond to the organization. It is determined whether network traffic between the client and the third-party network site is routed via a proxy server operated by the organization. Access of the client to a managed account with the third-party network site is denied in response to determining that the network traffic between the client and the third-party network site is not routed via the proxy server.

68 Citations

17 Claims

1. A method, comprising:
- receiving, via an authentication management service executed by at least one of one or more computing devices with memory, a request from a client to access account credentials for a network site;
  
  determining, via the authentication management service, that the client corresponds to a user in an organization and the network site corresponds to a third-party network site under management by the organization, the third-party network site being operated by a third party that does not correspond to the organization;
  
  determining, via the authentication management service, whether network traffic between the client and the third-party network site is routed via a proxy server application operated by the organization; and
  
  denying, via the authentication management service, access of the client to a managed account with the third-party network site in response to determining that the network traffic between the client and the third-party network site is not routed via the proxy server application, wherein denying access of the client to the managed account comprises refraining from providing a security credential of the managed account to the client.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the proxy server application is implemented in the client.
  - 3. The method of claim 1, wherein the managed account is owned by the organization.
  - 4. The method of claim 1, further comprising blocking, via at least one of the one or more computing devices, access of the client to the third-party network site when the network traffic between the client and the third-party network site is determined not to be routed via the proxy server application.
  - 5. The method of claim 1, further comprising:
    - responsive to determining that the network traffic between the client and the third-party network site is routed via the proxy server;
      
      receiving, via at least one of the one or more computing devices, security credentials for the managed account;
      
      authenticating, via at least one of the one or more computing devices, with the third-party network site using the security credentials, wherein the security credentials are inaccessible to the user; and
      
      rendering, via at least one of the one or more computing devices, a user interface based at least in part on data received from the third-party network site after authentication with the third-party network site.
  - 6. The method of claim 1, wherein the proxy server is configured to inspect the network traffic and enforce a rule restricting access to the managed account.
  - 7. The method of claim 6, wherein the rule is established based at least in part on whether the user has specified that the managed account is for organizational purposes.
  - 8. The method of claim 6, further comprising:
    - receiving, via at least one of the one or more computing devices, a directive generated by the proxy server in response to the proxy server enforcing the rule; and
      
      implementing, via at least one of the one or more computing devices, an action in response to the directive.

9. A system, comprising:
- at least one computing device with memory; and
  
  at least one application executable in the at least one computing device, wherein when executed the at least one application causes the at least one computing device to at least;
  
  receive a request from a client to access account credentials for a network site;
  
  determine that the client corresponds to a user in an organization and the network site corresponds to a third-party network site under management by the organization, the third-party network site being operated by a third party that does not correspond to the organization;
  
  determine whether network traffic between the client and the third-party network site is routed via a proxy server operated by the organization; and
  
  deny access of the client to a managed account with the third-party network site in response to determining that the network traffic between the client and the third-party network site is not routed via the proxy server, wherein denying access of the client to the managed account comprises refraining from providing a security credential of the managed account to the client.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The system of claim 9, wherein the managed account is owned by the organization.
  - 11. The system of claim 9, wherein when executed the at least one application further causes the at least one computing device to at least block access of the client to the third-party network site when the network traffic between the client and the third-party network site is determined not to be routed via the proxy server.
  - 12. The system of claim 9, wherein when executed the at least one application further causes the at least one computing device to at least, responsive to determining that the network traffic between the client and the third-party network site is routed via the proxy server:
    - receive security credentials for the managed account;
      
      authenticate with the third-party network site using the security credentials, wherein the security credentials are inaccessible to the user; and
      
      render a user interface based at least in part on data received from the third-party network site after authentication with the third-party network site.
  - 13. The system of claim 9, wherein the proxy server is configured to inspect the network traffic and enforce a rule restricting access to the managed account.
  - 14. The system of claim 13, wherein the rule is established based at least in part on whether the user has specified that the managed account is for organizational purposes.
  - 15. The system of claim 13, wherein when executed the at least one application further causes the at least one computing device to at least:
    - receive a directive generated by the proxy server in response to the proxy server enforcing the rule; and
      
      implement an action in response to the directive.

16. A method, comprising:
- receiving, via an authentication management service executed by at least one of one or more computing devices with memory, a request from a client to access account credentials for a network site;
  
  determining, via the authentication management service, that the client corresponds to a user in an organization and the network site corresponds to a third-party network site under management by the organization, the third-party network site being operated by a third party that does not correspond to the organization;
  
  determining, via the authentication management service, that network traffic between the client and the third-party network site is routed via a proxy server operated by the organization; and
  
  granting, via the authentication management service, access of the client to a managed account with the third-party network site in response to determining that the network traffic between the client and the third-party network site is routed via the proxy server, granting access of the client to the managed account comprises sending a security credential for the managed account to the client.
- View Dependent Claims (17)
- - 17. The method of claim 16, further comprising inspecting, via the proxy server, the network traffic pertaining to use of the managed account for compliance with at least one rule.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Johansson, Jesper Mikael, Canavor, Darren Ernest, McClintock, Jon Arron
Primary Examiner(s)
Feild, Lynn D
Assistant Examiner(s)
Lakhia, Viral S

Application Number

US15/445,054
Publication Number

US 20170171161A1
Time in Patent Office

1,078 Days
Field of Search

726 2- 5, 713130-135, 709224
US Class Current
CPC Class Codes

H04L 63/0281   Proxies

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

Enforcing restrictions on third-party accounts

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

68 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Enforcing restrictions on third-party accounts

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

68 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links