Cloud proxy for federated single sign-on (SSO) for cloud services

US 10,659,450 B2
Filed: 03/22/2019
Issued: 05/19/2020
Est. Priority Date: 11/04/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of non-intrusively enforcing security during federated single sign-on (SSO) authentication without modifying an established trust relationship between a service provider (SP) and an identity provider (IDP), the trust relationship having been established by configuring a SSO-unified resource locator (URL) and a public key of the IDP at the SP and configuring an assertion consumer service (ACS)-URL of the SP at the IDP, the method including:

configuring the IDP to encrypt a digitally signed assertion having been digitally signed using an IDP-certificate and having been generated at the IDP when a user logs into the SP, the digitally signed assertion being encrypted using a proxy-public key of an assertion proxy and to forward the encrypted assertion to a proxy-URL of the assertion proxy instead of an SP'"'"'s ACS-URL identified from the assertion;

decrypting the encrypted assertion at the assertion proxy with a complementary proxy-private key and forwarding the decrypted assertion to an ACS of the SP using the SP'"'"'s ACS-URL identified in the decrypted assertion; and

preserving, without modifying, the trust relationship between the SP and the IDP by validating the decrypted assertion at the SP using the IDP'"'"'s public key to establish a federated SSO authenticated session through the assertion proxy.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The technology disclosed relates to non-intrusively enforcing security during federated single sign-on (SSO) authentication without modifying a trust relationship between a service provider (SP) and an identity provider (IDP). In particular, it relates to configuring the IDP to use a proxy-URL for forwarding an assertion generated when a user logs into the SP, in place of an assertion consumer service (ACS)-URL of the SP. It also relates to configuring an assertion proxy, at the proxy-URL, to use the SP'"'"'s ACS-URL for forwarding the assertion to the SP. It further relates to inserting the assertion proxy in between the user'"'"'s client and an ACS of the SP by forwarding the assertion to the SP'"'"'s ACS-URL to establish a federated SSO authenticated session through the inserted assertion proxy.

Citations

20 Claims

1. A computer-implemented method of non-intrusively enforcing security during federated single sign-on (SSO) authentication without modifying an established trust relationship between a service provider (SP) and an identity provider (IDP), the trust relationship having been established by configuring a SSO-unified resource locator (URL) and a public key of the IDP at the SP and configuring an assertion consumer service (ACS)-URL of the SP at the IDP, the method including:
- configuring the IDP to encrypt a digitally signed assertion having been digitally signed using an IDP-certificate and having been generated at the IDP when a user logs into the SP, the digitally signed assertion being encrypted using a proxy-public key of an assertion proxy and to forward the encrypted assertion to a proxy-URL of the assertion proxy instead of an SP'"'"'s ACS-URL identified from the assertion;
  
  decrypting the encrypted assertion at the assertion proxy with a complementary proxy-private key and forwarding the decrypted assertion to an ACS of the SP using the SP'"'"'s ACS-URL identified in the decrypted assertion; and
  
  preserving, without modifying, the trust relationship between the SP and the IDP by validating the decrypted assertion at the SP using the IDP'"'"'s public key to establish a federated SSO authenticated session through the assertion proxy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The computer-implemented method of claim 1, further including:
    - in response to determining that a user'"'"'s client is an unmanaged device;
      
      encoding the SP'"'"'s ACS-URL with an added reverse proxy-domain at the assertion proxy and forwarding the decrypted assertion to a reverse proxy via the user'"'"'s client with a validation token;
      
      after validating the validation token, stripping the reverse proxy-domain at the reverse proxy and forwarding the decrypted assertion to a network security system;
      
      evaluating the decrypted assertion at the network security system based on one or more security policies and forwarding the evaluated assertion to the SP'"'"'s ACS; and
      
      rewriting, at the reverse proxy, URLs contained in pages served by the SP with rewritten URLs that redirect subsequent traffic from the user'"'"'s client during the federated SSO authenticated session through the reverse proxy.
  - 3. The computer-implemented method of claim 2, wherein the assertion proxy and the reverse proxy are combined and hosted as a single proxy.
  - 4. The computer-implemented method of claim 2, wherein the security policies are enforced at the assertion proxy, including allowing or blocking access to the SP based on IDP provided information in the assertion and verification of IDP'"'"'s identity by the assertion proxy in dependence upon the IDP'"'"'s public key configured at the assertion proxy.
  - 5. The computer-implemented method of claim 1, wherein the IDP uses a Security Assertion Markup Language (SAML) protocol.
  - 6. The computer-implemented method of claim 5, further including:
    - receiving the encrypted assertion at the assertion proxy via a user'"'"'s client.
  - 7. The computer-implemented method of claim 1, wherein the IDP uses a Web Services (WS)-Federation protocol for active authentication.
  - 8. The computer-implemented method of claim 7, further including:
    - receiving the encrypted assertion at the assertion proxy from the IDP.
  - 9. The computer-implemented method of claim 1, wherein the assertion proxy is a cloud service hosted by a cloud access service broker (CASB).
  - 10. The computer-implemented method of claim 1, wherein the assertion proxy is different from the IDP and hosted by a CASB separate from an IDaaS hosting the IDP.
  - 11. The computer-implemented method of claim 1, further including:
    - configuring one or more IDPs to use the proxy-URL, in place of ACS-URLs of multiples SPs, and to encrypt the assertions using the proxy-public key.
  - 12. The computer-implemented method of claim 1, further including:
    - re-encrypting the decrypted assertion at the assertion proxy using a public key of the SP and forwarding the re-encrypted assertion to ACS of the SP.

13. A computer-implemented method of non-intrusive security enforcement for federated single sign-on (SSO) authentication without modifying an established trust relationship between a service provider (SP) and an identity provider (IDP), the trust relationship having been established by configuring a SSO-unified resource locator (URL) and a public key of the IDP at the SP and configuring an SP'"'"'s assertion consumer service (ACS)-URL for the SP at the IDP, the method including:
- configuring an assertion proxy, at a proxy-unified resource locator (URL), to use an SP'"'"'s ACS-URL for forwarding, the SP'"'"'s ACS-URL identified in an assertion forwarded by an identity provider (IDP) that has been configured to use the proxy-unified resource locator (URL) in place of using the SP'"'"'s ACS-URL for forwarding assertions generated when a user logs into the service provider (SP), and to encrypt the assertion using a proxy-public key;
  
  receiving the encrypted assertion at the assertion proxy and decrypting the encrypted assertion with a complementary proxy-private key; and
  
  preserving, without modifying the trust relationship between the SP and the IDP by inserting the assertion proxy in between a user'"'"'s client and an ACS of the SP by forwarding the assertion as decrypted to the SP'"'"'s ACS-URL for the SP to validate the assertion using the IDP'"'"'s public key and establish a federated single sign-on (SSO) authenticated session through the inserted assertion proxy.

14. A computer-implemented method of non-intrusively enforcing security during federated single sign-on (SSO) authentication without modifying an established trust relationship between a service provider (SP) and an identity provider (IDP), the trust relationship having been established between the SP and the IDP by configuring a SSO-unified resource locator (URL) and a public key of the IDP at the SP and configuring an assertion consumer service (ACS)-URL of the SP at the IDP, the method including:
- receiving from an IDP that has been configured to forward assertions, an assertion that identifies an SP'"'"'s assertion consumer service (ACS)-URL of the SP and is generated when a user logs into the SP to an assertion proxy instead of an assertion consumer service of the SP;
  
  evaluating the assertion against one or more security policies using the assertion proxy and forwarding the evaluated assertion to the SP; and
  
  preserving without modifying the trust relationship established between the SP and the IDP by validating the evaluated assertion at the SP using a certification of the IDP to establish a federated SSO authenticated session through the assertion proxy.

15. A non-transitory computer readable storage medium impressed with computer program instructions to non-intrusively enforce security during federated single sign-on (SSO) authentication without modifying an established trust relationship between a service provider (SP) and an identity provider (IDP), the trust relationship having been established by configuring a SSO-unified resource locator (URL) and a public key of the IDP at the SP and configuring an assertion consumer service (ACS)-URL of the SP at the IDP, the instructions, when executed on a processor, implement a method comprising:
- configuring the IDP to encrypt a digitally signed assertion having been digitally signed using an IDP-certificate and having been generated at the IDP when a user logs into the SP, the digitally signed assertion being encrypted using a proxy-public key of an assertion proxy and to forward the encrypted assertion to a proxy-URL of the assertion proxy instead of an SP'"'"'s ACS-URL identified from the assertion;
  
  decrypting the encrypted assertion at the assertion proxy with a complementary proxy-private key and forwarding the decrypted assertion to an ACS of the SP using the SP'"'"'s ACS-URL identified in the decrypted assertion; and
  
  preserving, without modifying the trust relationship between the SP and the IDP by validating the decrypted assertion at the SP using the IDP'"'"'s public key to establish a federated SSO authenticated session through the assertion proxy.

16. A non-transitory computer readable storage medium impressed with computer program instructions to conduct non-intrusive security enforcement for federated single sign-on (SSO) authentication without modifying an established trust relationship between a service provider (SP) and an identity provider (IDP), the trust relationship having been established by configuring a SSO-unified resource locator (URL) and a public key of the IDP at the SP and configuring an SP'"'"'s assertion consumer service (ACS)-URL for the SP at the IDP, the instructions, when executed on a processor, implement a method comprising:
- configuring an assertion proxy, at at a proxy-unified resource locator (URL), to use an SP'"'"'s ACS-URL for forwarding, the SP'"'"'s ACS-URL identified in an assertion forwarded by an identity provider (IDP) that has been configured to use the proxy-unified resource locator (URL) in place of using the SP'"'"'s ACS-URL for forwarding assertions generated when a user logs into the service provider (SP), and to encrypt the assertion using a proxy-public key;
  
  receiving the encrypted assertion at the assertion proxy and decrypting the encrypted assertion with a complementary proxy-private key; and
  
  preserving, without modifying the trust relationship between the SP and the IDP by inserting the assertion proxy in between a user'"'"'s client and an ACS of the SP by forwarding the assertion as decrypted to the SP'"'"'s ACS-URL for the SP to validate the assertion using the IDP'"'"'s public key and establish a federated single sign-on (SSO) authenticated session through the inserted assertion proxy.

17. A non-transitory computer readable storage medium impressed with computer program instructions to non-intrusively enforce security during federated single sign-on (SSO) authentication without modifying a trust relationship that has been established between a service provider (SP) and an identity provider (IDP) the trust relationship having been established between the SP and the IDP by configuring a SSO-unified resource locator (URL) and a public key of the IDP at the SP and configuring an assertion consumer service (ACS)-URL of the SP at the IDP, the instructions, when executed on a processor, implement a method comprising:
- receiving from an IDP that has been configured to forward assertions, an assertion that identifies an SP'"'"'s assertion consumer service (ACS)-URL of the SP and is generated when a user logs into the SP to an assertion proxy instead of an assertion consumer service of the SP;
  
  evaluating the assertion against one or more security policies using the assertion proxy and forwarding the evaluated assertion to the SP; and
  
  preserving without modifying the trust relationship established between the SP and the IDP by validating the evaluated assertion at the SP using a certification of the IDP to establish a federated SSO authenticated session through the assertion proxy.

18. A system including one or more processors coupled to memory, the memory loaded with computer instructions for non-intrusively enforcing security during federated single sign-on (SSO) authentication without modifying an established trust relationship between a service provider (SP) and an identity provider (IDP), the trust relationship having been established by configuring a SSO-unified resource locator (URL) and a public key of the IDP at the SP and configuring an assertion consumer service (ACS)-URL of the SP at the IDP, the instructions, when executed on the processors, implement a method including:
- configuring the IDP to encrypt a digitally signed assertion having been digitally signed using an IDP-certificate and having been generated at the IDP when a user logs into the SP, the digitally signed assertion being encrypted using a proxy-public key of an assertion proxy and to forward the encrypted assertion to a proxy-URL of the assertion proxy instead of an SP'"'"'s ACS-URL identified from the assertion;
  
  decrypting the encrypted assertion at the assertion proxy with a complementary proxy-private key and forwarding the decrypted assertion to an ACS of the SP using the SP'"'"'s ACS-URL identified in the decrypted assertion; and
  
  preserving, without modifying the trust relationship between the SP and the IDP by validating the decrypted assertion at the SP using the IDP'"'"'s public key to establish a federated SSO authenticated session through the assertion proxy.

19. A system including one or more processors coupled to memory, the memory loaded with computer instructions for non-intrusive security enforcement for federated single sign-on (SSO) authentication without modifying an established trust relationship between a service provider (SP) and an identity provider (IDP), the trust relationship having been established by configuring a SSO-unified resource locator (URL) and a public key of the IDP at the SP and configuring an assertion consumer service (ACS)-URL of the SP at the IDP, the instructions, when executed on the processors, implement a method including:
- configuring an assertion proxy, at a proxy-unified resource locator (URL), to use an SP'"'"'s ACS-URL for forwarding, the SP'"'"'s ACS-URL identified in an assertion forwarded by an identity provider (IDP) that has been configured to use the proxy-unified resource locator (URL) in place of using the SP'"'"'s ACS-URL for forwarding assertions generated when a user logs into the service provider (SP), and to encrypt the assertion using a proxy-public key;
  
  receiving the encrypted assertion at the assertion proxy and decrypting the encrypted assertion with a complementary proxy-private key; and
  
  preserving, without modifying the trust relationship between the SP and the IDP by inserting the assertion proxy in between a user'"'"'s client and an ACS of the SP by forwarding the assertion as decrypted to the SP'"'"'s ACS-URL for the SP to validate the assertion using the IDP'"'"'s public key and establish a federated single sign-on (SSO) authenticated session through the inserted assertion proxy.

20. A system including one or more processors coupled to memory, the memory loaded with computer instructions to non-intrusively enforce security during federated single sign-on (SSO) authentication without modifying an established trust relationship between a service provider (SP) and an identity provider (IDP) by configuring a SSO-unified resource locator (URL) and a public key of the IDP at the SP and configuring an assertion consumer service (ACS)-URL of the SP at the IDP, the instructions, when executed on the processors, implement a method including:
- receiving from an IDP that has been configured to forward assertions, an assertion that identifies an SP'"'"'s assertion consumer service (ACS)-URL of the SP and is generated when a user logs into the SP to an assertion proxy instead of an assertion consumer service of the SP;
  
  evaluating the assertion against one or more security policies using the assertion proxy and forwarding the evaluated assertion to the SP; and
  
  preserving without modifying the trust relationship established between the SP and the IDP by validating the evaluated assertion at the SP using a certification of the IDP to establish a federated SSO authenticated session through the assertion proxy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Netskope Incorporated
Original Assignee
Netskope Incorporated
Inventors
Sridhar, Kartik Kumar Chatnalli Deshpande, Cheng, Lebin, Narayanaswamy, Krishna
Primary Examiner(s)
Murphy, J. Brant
Assistant Examiner(s)
Gundry, Stephen T

Application Number

US16/362,549
Publication Number

US 20190222568A1
Time in Patent Office

424 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0281   Proxies

H04L 63/0442   wherein the sending and rec...

H04L 63/0464   using hop-by-hop encryption...

H04L 63/0815   providing single-sign-on or...

H04L 63/0823   using certificates cryptogr...

H04L 63/20   for managing network securi...

H04L 67/02   based on web technology, e....

H04L 67/10   in which an application is ...

H04L 67/56   Provisioning of proxy servi...

H04L 9/14   using a plurality of keys o...

H04L 9/30   Public key, i.e. encryption...

H04L 9/3226   using a predetermined code,...

H04L 9/3247   involving digital signatures

H04L 9/3265   using certificate chains, t...

Cloud proxy for federated single sign-on (SSO) for cloud services

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Cloud proxy for federated single sign-on (SSO) for cloud services

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links