Authentication for distributed secure content management system

US 20090300739A1
Filed: 05/27/2008
Published: 12/03/2009
Est. Priority Date: 05/27/2008
Status: Active Grant

First Claim

Patent Images

1. A method implemented at least in part by a computer, the method comprising:

receiving, at a security component, a message sent from a device, the security component being associated with a forward proxy that is logically between the device and a resource to which the device seeks access;

authenticating, via the security component, an entity associated with the device; and

sending a cookie to the device, the cookie indicating that the entity has been previously authenticated by the security component, the device to present the cookie with subsequent requests for access to resources accessible via the forward proxy.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Aspects of the subject matter described herein relate to authentication for a distributed secure content management system. In aspects, a request to access a resource available through the Internet is routed to a security component. The security component is one of a plurality of security components distributed throughout the Internet and responsible for authenticating entities associated with an enterprise. The security component determines an authentication protocol to use with the entity and then authenticates the entity. If the entity is authenticated, the entity is allowed to use a forward proxy.

258 Citations

20 Claims

1. A method implemented at least in part by a computer, the method comprising:
- receiving, at a security component, a message sent from a device, the security component being associated with a forward proxy that is logically between the device and a resource to which the device seeks access;
  
  authenticating, via the security component, an entity associated with the device; and
  
  sending a cookie to the device, the cookie indicating that the entity has been previously authenticated by the security component, the device to present the cookie with subsequent requests for access to resources accessible via the forward proxy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the forward proxy operates at least as an HTTP proxy and wherein authenticating an entity associated with the device comprises establishing a secure connection between the forward proxy and the device.
  - 3. The method of claim 2, wherein the secure connection comprises a secure socket layer connection.
  - 4. The method of claim 2, wherein the secure connection comprises a transport layer security connection.
  - 5. The method of claim 1, wherein the forward proxy operates at least as an HTTP proxy and wherein authenticating an entity associated with the device comprises using a client certificate.
  - 6. The method of claim 1, wherein the cookie indicates an identity associated with the entity, the identity identifying the entity on a network controlled by a business entity associated with the entity associated with the device.
  - 7. The method of claim 1, wherein the cookie includes policy information associated with the entity, the policy information usable to enforce a policy for the subsequent requests.
  - 8. The method of claim 1, further comprising establishing a time to live for the cookie, the cookie being no longer useful for authentication after the time to live has expired.
  - 9. The method of claim 6, further comprising storing a history of subsequent requests sent by the device along with the identifier.
  - 10. The method of claim 1, further comprising establishing a trust relationship between a first identity system located on a first network local to the forward proxy and a second identity system on a network external to the first network.
  - 11. The method of claim 10, wherein establishing a trust relationship comprises synchronizing credentials between the first and second identity systems.

12. A computer storage medium having computer-executable instructions, which when executed perform actions, comprising:
- sending, from an entity associated with a device attached to a first network, a request to access a resource from a second network;
  
  receiving the request at a component hosted on the device, the component monitoring traffic between the device and the second network;
  
  before sending the request to the second network, authenticating, via the component, the entity; and
  
  sending the request to a forward proxy.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The computer storage medium of claim 12, wherein authenticating, via the component, an entity associated with the device comprises communicating with a security component associated with the forward proxy attached to the second network, the forward proxy being logically between the device and the second network.
  - 14. The computer storage medium of claim 13, wherein the forward proxy operates at least as an HTTP proxy and wherein authenticating, via the component, an entity associated with the device comprises using a client certificate.
  - 15. The computer storage medium of claim 13 further comprising receiving a cookie from the forward proxy, the cookie indicating that the entity has been previously authenticated by the security component.
  - 16. The computer storage medium of claim 15, further comprising handling the cookie via the component, wherein handling the cookie comprises storing the cookie and sending the cookie in a subsequent request for a resource that is accessible via the second network.
  - 17. The computer storage medium of claim 12, wherein the entity comprises the device and/or a user.

18. In a computing environment, an apparatus comprising:
- a protocol selector operable to determine an authentication protocol to utilize in conjunction with authenticating an entity seeking to gain access to a resource available via a first network;
  
  a client component operable to authenticate the entity using the authentication protocol via a device associated with the entity; and
  
  an identity validator operable to obtain an identifier for the entity from a first identity system having a trust relationship with a second identity system, the first identity system residing on the first network, the second identity system residing on a second network; and
  
  a proxy informer operable to indicate to a forward proxy whether the entity is authenticated, the forward proxy being one of a plurality of forward proxies distributed across one or more networks, the forward proxies structured to allow authenticated entities to access resources available via the one or more networks.
- View Dependent Claims (19, 20)
- - 19. The apparatus of claim 18, further comprising a history tracker operable to store information identifying the entity and resources accessed by the entity that are available via the first network.
  - 20. The apparatus of claim 19, further comprising a reporting component operable to provide the information in a form that identifies the entity and the resources accessed.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Teplitsky, Alexander, Nice, Nir, Ananiev, Oleg, Finkelstein, Amit, Wohlfert, John F.

Granted Patent

US 8,910,255 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/6
CPC Class Codes

G06F 21/31   User authentication

H04L 63/0281   Proxies

H04L 63/08   for authentication of entit...

H04L 63/0884   by delegation of authentica...

H04L 67/146   Markers for unambiguous ide...

H04L 67/56   Provisioning of proxy servi...

Authentication for distributed secure content management system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

258 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Authentication for distributed secure content management system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

258 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links