SYSTEM AND METHOD OF FEDERATED AUTHENTICATION WITH REVERSE PROXY
First Claim
1. A method for authenticating a client device into a service provider computer through a reverse proxy computer, and thus obtaining access to a resource on the service provider computer, the method comprising:
by the client device, sending an assertion, comprising a clear text and a signature, to the reverse proxy computer, the assertion having been received from an identity provider (IDP) computer;
in the reverse proxy computer, converting the assertion into a revised assertion and sending the revised assertion to the service provider computer;
in the service provider computer, validating the revised assertion, and returning a Universal Resource Locator (URL) of the resource to the reverse proxy computer;
in the reverse proxy computer, replacing the URL with a modified URL, and returning the modified URL to the client device, thereby enabling the client to access the resource.
Abstract
A Security Assertion Markup Language (SAML) conversation is intercepted in an enhanced Reverse Proxy server computer located in the path between a user and a server computer that provides cloud application services to the user. During authentication, the SAML assertion signature is modified in the enhanced Reverse Proxy such that the enhanced Reverse Proxy and the user can share an encryption key. The modified assertion signature permits a common session key to be shared by the enhanced Reverse Proxy and a targeted application in the server, thus enabling the user to be authenticated, and subsequently to communicate via the enhanced Reverse Proxy in a secure session with an application in the server.
29 Claims
1. A method for authenticating a client device into a service provider computer through a reverse proxy computer, and thus obtaining access to a resource on the service provider computer, the method comprising:
by the client device, sending an assertion, comprising a clear text and a signature, to the reverse proxy computer, the assertion having been received from an identity provider (IDP) computer;
in the reverse proxy computer, converting the assertion into a revised assertion and sending the revised assertion to the service provider computer;
in the service provider computer, validating the revised assertion, and returning a Universal Resource Locator (URL) of the resource to the reverse proxy computer;
in the reverse proxy computer, replacing the URL with a modified URL, and returning the modified URL to the client device, thereby enabling the client to access the resource.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. A reverse proxy computer for authenticating a client device into a service provider computer to obtain access to a resource on the service provider computer, the reverse proxy computer comprising:
a processor; and
a memory having computer readable instructions stored thereon, causing the processor to:
convert an assertion, the assertion having been received from an identity provider (IDP) computer through the client device, the assertion comprising a clear text and a signature, into a revised assertion;
send the revised assertion to the service provider computer;
upon validation of the revised assertion by the service provider computer, receive a Universal Resource Locator (URL) of the resource;
replace the URL with a modified URL; and
return the modified URL to the client device, thereby enabling the client to access the resource.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 29.
20. A reverse proxy computer for modifying an assertion received from a client device into a revised assertion for sending to a service provider computer, the reverse proxy computer comprising:
a processor;
a memory having computer readable instructions stored thereon for execution by the processor, forming an assertion processing module including instructions for converting the assertion into the revised assertion, the assertion comprising a clear text and a signature; and
a persistent storage unit (1206), comprising a key store (1222) for storing a first encryption key for validating the assertion, and a second encryption key for encrypting the revised assertion.
Dependent claims: 21, 22, 23, 24, 25, 26, 27, 28.
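The flow of claim 1 with the two-key store of claim 20, as an added simulation that is not part of the patent or any implementation of it: the proxy validates the client's assertion with the first key, re-signs a revised assertion with the second key, the service provider accepts only proxy-signed assertions, and the returned resource URL is rewritten to the proxy host. HMAC over the clear text stands in for the SAML XML signature, and the keys, hostnames and subject are constructed demo values.

```python
import hmac
import hashlib
from urllib.parse import urlsplit, urlunsplit

# Constructed demo key store: "idp" is the first key (validates the IDP's
# assertion), "proxy" is the second key (signs the revised assertion).
KEY_STORE = {"idp": b"idp-demo-key", "proxy": b"proxy-demo-key"}
SP_HOST, PROXY_HOST = "app.sp.example", "proxy.example"  # constructed hosts

def sign(key: bytes, clear_text: str) -> str:
    """HMAC-SHA256 stands in for the XML signature on a SAML assertion."""
    return hmac.new(key, clear_text.encode(), hashlib.sha256).hexdigest()

def verify(key: bytes, assertion: dict) -> bool:
    """Constant-time comparison of the signature over the clear text."""
    return hmac.compare_digest(sign(key, assertion["clear_text"]), assertion["signature"])

def idp_issue(subject: str) -> dict:
    """IDP computer: issues the assertion (clear text + signature) the client carries."""
    clear_text = f"subject={subject};audience={SP_HOST}"
    return {"clear_text": clear_text, "signature": sign(KEY_STORE["idp"], clear_text)}

def proxy_convert(assertion: dict) -> dict:
    """Reverse proxy: validate with the first key, then re-sign with the second.
    A tampered or forged client assertion stops here and never reaches the SP."""
    if not verify(KEY_STORE["idp"], assertion):
        raise ValueError("assertion signature invalid at reverse proxy")
    clear_text = assertion["clear_text"] + f";issuer={PROXY_HOST}"
    return {"clear_text": clear_text, "signature": sign(KEY_STORE["proxy"], clear_text)}

def sp_validate(revised: dict) -> str:
    """Service provider: trusts only the proxy's key, then returns the resource URL."""
    if not verify(KEY_STORE["proxy"], revised):
        raise ValueError("revised assertion rejected by service provider")
    return f"https://{SP_HOST}/resource/123"

def proxy_rewrite_url(url: str) -> str:
    """Reverse proxy: replace the SP host so the client keeps going through the proxy."""
    return urlunsplit(urlsplit(url)._replace(netloc=PROXY_HOST))

def authenticate(assertion: dict) -> str:
    """Claim 1 end to end: client -> proxy -> SP -> proxy -> client (modified URL)."""
    return proxy_rewrite_url(sp_validate(proxy_convert(assertion)))

def is_accepted(assertion: dict) -> bool:
    """True if the assertion completes the flow, False if either hop rejects it."""
    try:
        authenticate(assertion)
        return True
    except ValueError:
        return False
```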
Specification