SYSTEM AND METHOD OF FEDERATED AUTHENTICATION WITH REVERSE PROXY

US 20120278872A1
Filed: 04/19/2012
Published: 11/01/2012
Est. Priority Date: 04/27/2011
Status: Abandoned Application

First Claim

Patent Images

1. A method for authenticating a client device into a service provider computer through a reverse proxy computer, and thus obtaining access to a resource on the service provider computer, the method comprising:

by the client device, sending an assertion, comprising a clear text and a signature, to the reverse proxy computer;

the assertion having been received from an identity provider (IDP) computer;

in the reverse proxy computer, converting the assertion into a revised assertion and sending the revised assertion to the service provider computer;

in the service provide computer, validating the revised assertion, and returning a Universal Resource Locator (URL) of the resource to the reverse proxy computer;

in the reverse proxy computer, replacing the URL with a modified URL, and returning the modified URL to the client device, thereby enabling the client to access the resource.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A Security Assertion Markup Language (SAML) conversation is intercepted in an enhanced Reverse Proxy server computer located in the path between a user and a server computer that provide cloud application services to the user. During authentication, the SAML assertion signature is modified in the enhanced Reverse Proxy such that the enhanced Reverse Proxy and the user can share an encryption key. The modified assertion signature permits a common session key to be shared by the enhanced Reverse Proxy and a targeted application in the server, thus enabling the user to be authenticated, and subsequently to communicate via the enhanced Reverse Proxy in a secure session with an application in the server.

Citations

29 Claims

1. A method for authenticating a client device into a service provider computer through a reverse proxy computer, and thus obtaining access to a resource on the service provider computer, the method comprising:
- by the client device, sending an assertion, comprising a clear text and a signature, to the reverse proxy computer;
  
  the assertion having been received from an identity provider (IDP) computer;
  
  in the reverse proxy computer, converting the assertion into a revised assertion and sending the revised assertion to the service provider computer;
  
  in the service provide computer, validating the revised assertion, and returning a Universal Resource Locator (URL) of the resource to the reverse proxy computer;
  
  in the reverse proxy computer, replacing the URL with a modified URL, and returning the modified URL to the client device, thereby enabling the client to access the resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the clear text comprises a first URL identifying the client device and a second URL identifying the reverse proxy computer.
  - 3. The method of claim 2, wherein the converting further comprises:
    - (i) validating the assertion with a first key “
      
      A”
      
      ;
      
      (ii) revising the assertion, including replacing the URLs in the clear text to generate a revised clear text; and
      
      (iii) encrypting the revised clear text with a second key “
      
      B”
      
      , thereby generating the revised assertion.
  - 4. The method of claim 3, wherein the step (ii) further comprises replacing the first URL with the second URL, and replacing the second URL with a third URL identifying the service provider computer.
  - 5. The method of claim 3, wherein the first key “
    - A”
      
      is a key that is shared between the IDP computer and the reverse proxy computer.
  - 6. The method of claim 3, wherein the second key “
    - B”
      
      is a key that is shared between the service provider computer and the reverse proxy computer.
  - 7. The method of claim 1, wherein the authenticating is a federated single sign-on procedure according to the Security Assertion Markup Language (SAML) standard.
  - 8. The method of claim 5, further comprising providing another IDP computer and sharing another first key “
    - A”
      
      between the another IDP computer and the reverse proxy.
  - 9. The method of claim 3, wherein the revising further comprises replacing URLs which identify the reverse proxy computer in the assertion, with corresponding URLs identifying the service provider computer.
  - 10. The method of claim 3, wherein the validating (i) further comprises:
    - generating a test signature, including encrypting the clear text of the assertion with the first key “
      
      A”
      
      ;
      
      comparing the test signature with the signature of the assertion; and
      
      otherwise discarding the assertion and abandoning the method, provided the test signature and the signature of the assertion do not match.

11. A reverse proxy computer for authenticating a client device into a service provider computer to obtain access to a resource on the service provider computer, the reverse proxy computer comprising:
- a processor; and
  
  a memory having computer readable instructions stored thereon, causing the processor to;
  
  convert an assertion, the assertion having been received from an identity provider (IDP) computer through the client device, the assertion comprising a clear text and a signature, into a revised assertion;
  
  send the revised assertion to the service provider computer;
  
  upon validation of the revised assertion by the service provider computer;
  
  receive a Universal Resource Locator (URL) of the resource; and
  
  replace the URL with a modified URL; and
  
  return the modified URL to the client device;
  
  thereby enabling the client to access the resource.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 29)
- - 12. The reverse proxy computer of claim 11, wherein the clear text comprises a first URL identifying the client device and a second URL identifying the reverse proxy computer.
  - 13. The reverse proxy computer of claim 12, the memory further having computer readable instructions stored thereon, causing the processor to:
    - validate the assertion with a first key “
      
      A”
      
      ;
      
      revise the assertion, including replace the URLs in the clear text to generate a revised clear text; and
      
      encrypt the revised clear text with a second key “
      
      B”
      
      , thereby generating the revised assertion.
  - 14. The reverse proxy computer of claim 13, the memory further having computer readable instructions stored thereon, causing the processor to replace the first URL with the second URL, and replace the second URL with a third URL which identifies the service provider computer.
  - 15. The reverse proxy computer of claim 13, wherein the first key “
    - A”
      
      is a key that is shared between the IDP computer and the reverse proxy computer.
  - 16. The reverse proxy computer of claim 13, wherein the second key “
    - B”
      
      is a key that is shared between the service provider computer and the reverse proxy computer.
  - 17. The reverse proxy computer of claim 11, the authenticating is a federated single sign-on procedure according to the Security Assertion Markup Language (SAML) standard.
  - 18. The reverse proxy computer of claim 13, the memory further having computer readable instructions stored thereon, causing the processor to replace URLs which identify the reverse proxy computer in the assertion, with corresponding URLs which identify the service provider computer.
  - 19. The reverse proxy computer of claim 13, the memory further having computer readable instructions stored thereon, causing the processor to validate the assertion by:
    - generating a test signature, including encrypting the clear text of the assertion with the first key “
      
      A”
      
      ;
      
      comparing the test signature with the signature of the assertion; and
      
      otherwise discarding the assertion, provided the test signature and the signature of the assertion do not match.
  - 29. A computer network, comprising the reverse proxy computer of claim 11.

20. A reverse proxy computer for modifying an assertion received from a client device into a revised assertion for sending to a service provider computer, the reverse proxy computer comprising:
- a processor;
  
  a memory having computer readable instructions stored thereon for execution by the processor, forming;
  
  an assertion processing module including instructions for converting the assertion into the revised assertion, the assertion comprising a clear text and signature; and
  
  a persistent storage unit (1206), comprising a key store (1222) for storing a first encryption key for validating the assertion, and a second encryption key for encrypting the revised assertion.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28)
- - 21. The reverse proxy computer of claim 20, wherein the clear text comprises a first URL identifying the client device and a second URL identifying the reverse proxy computer.
  - 22. The reverse proxy computer of claim 21, the assertion processing module further comprising computer readable instructions stored in the memory, causing the processor to:
    - validate the assertion with a first key “
      
      A”
      
      ;
      
      revise the clear text of the assertion, including replacing the URLs in the clear text to generate a revised clear text; and
      
      encrypt the revised clear text with a second key “
      
      B”
      
      , thereby generating the revised assertion.
  - 23. The reverse proxy computer of claim 21, the assertion processing module further comprising computer readable instructions stored thereon, causing the processor to replace the first URL with the second URL, and replace the second URL with a third URL which identifies the service provider computer.
  - 24. The reverse proxy computer of claim 22, wherein the first key “
    - A”
      
      is a key that is shared between an IDP computer and the reverse proxy computer.
  - 25. The reverse proxy computer of claim 22, wherein the second key “
    - B”
      
      is a key that is shared between the service provider computer and the reverse proxy computer.
  - 26. The reverse proxy computer of claim 20, the authenticating being a federated single sign-on procedure according to the Security Assertion Markup Language (SAML) standard.
  - 27. The reverse proxy computer of claim 22, the memory further having computer readable instructions stored thereon, causing the processor to replace URLs which identify the reverse proxy computer in the assertion, with corresponding URLs which identify the service provider computer.
  - 28. The reverse proxy computer of claim 22, the memory further having computer readable instructions stored thereon, causing the processor to validate the assertion by:
    - generating a test signature, including encrypting the clear text of the assertion with the first key “
      
      A”
      
      ;
      
      comparing the test signature with the signature of the assertion; and
      
      otherwise discarding the assertion, provided the test signature and the signature of the assertion do not match.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Symantec Corporation (NortonLifeLock Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
WOELFEL, John Harold, Woloszyn, Terrence Peter

Application Number

US13/450,781
Publication Number

US 20120278872A1
Time in Patent Office

Days
Field of Search
US Class Current

726/7
CPC Class Codes

G06F 21/10   Protecting distributed prog...

G06F 21/602   Providing cryptographic fac...

G09C 1/00   Apparatus or methods whereb...

H04L 61/2596   Translation of addresses of...

H04L 61/301   Name conversion

H04L 63/0281   Proxies

H04L 63/0815   providing single-sign-on or...

H04L 67/02   based on web technology, e....

H04L 67/56   Provisioning of proxy servi...

SYSTEM AND METHOD OF FEDERATED AUTHENTICATION WITH REVERSE PROXY

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD OF FEDERATED AUTHENTICATION WITH REVERSE PROXY

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links