Confidence-based authentication discovery for an outbound proxy

US 20140020078A1
Filed: 07/12/2012
Published: 01/16/2014
Est. Priority Date: 07/12/2012
Status: Active Grant

First Claim

Patent Images

1. A method of controlling access to a resource, comprising:

receiving a request to access a resource from a user not currently authenticated;

in response, and without additional user input, initiating a federated single sign-on (F-SSO) flow to each of one or more known and trusted identity providers with whom the user has previously authenticated;

receiving results from the one or more F-SSO flows; and

analyzing information returned in the results from the one or more F-SSO flows to determine whether the user is permitted to access the resource.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A confidence-based authentication discovery scheme is implemented at a proxy. The scheme assumes that some level of unauthenticated browsing is allowed prior to enforcing authentication at the proxy. Once a known and trusted set of identity providers has been accessed and the user is required to authenticate at the proxy (e.g., as a result of policy), the proxy initiates Federated Single Sign-On (F-SSO) to one or more (or, preferably, all) known sites accessed by the browser. This F-SSO operation is performed seamlessly, preferably without the user'"'"'s knowledge (after the user allows an initial trust decision between the proxy acting as a service provider and the external identity provider). The proxy collates the results and, based on the trust it has with those sites, produces a confidence score. That score is then used as input into policy around whether or not a user should be permitted to access a particular site.

Citations

24 Claims

1. A method of controlling access to a resource, comprising:
- receiving a request to access a resource from a user not currently authenticated;
  
  in response, and without additional user input, initiating a federated single sign-on (F-SSO) flow to each of one or more known and trusted identity providers with whom the user has previously authenticated;
  
  receiving results from the one or more F-SSO flows; and
  
  analyzing information returned in the results from the one or more F-SSO flows to determine whether the user is permitted to access the resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method as described in claim 1 wherein the analyzing step comprises:
    - generate a confidence score that an identity of the user matches an identity of a user that has previously authenticated to the one or more known and trusted identity providers; and
      
      allowing or disallowing access to the request based on the confidence score.
  - 3. The method as described in claim 2 wherein the analyzing step further includes:
    - applying a policy to the confidence score.
  - 4. The method as described in claim 1 wherein the F-SSO flow is initiated by returning a markup language element to a browser from the request originates.
  - 5. The method as described in claim 4 wherein the markup language element is an HTML iframe.
  - 6. The method as described in claim 1 further including maintaining information about each of the one or more known and trusted identity providers with whom the user has previously authenticated.
  - 7. The method as described in claim 6 wherein the information includes an IP/MAC address combination associated with a browser instance from which the user has been previously authenticated.
  - 8. The method as described in claim 1 wherein the results returned from an F-SSO flow include an identity of the user.

9. Apparatus to control access to a resource, comprising:
- a processor;
  
  computer memory holding computer program instructions that when executed by the processor perform a method comprising;
  
  receiving a request to access a resource from a user not currently authenticated;
  
  in response, and without additional user input, initiating a federated single sign-on (F-SSO) flow to each of one or more known and trusted identity providers with whom the user has previously authenticated;
  
  receiving results from the one or more F-SSO flows; and
  
  analyzing information returned in the results from the one or more F-SSO flows to determine whether the user is permitted to access the resource.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The apparatus as described in claim 9 wherein the analyzing step comprises:
    - generate a confidence score that an identity of the user matches an identity of a user that has previously authenticated to the one or more known and trusted identity providers;
      
      and allowing or disallowing access to the request based on the confidence score.
  - 11. The apparatus as described in claim 10 wherein the analyzing step further includes:
    - applying a policy to the confidence score.
  - 12. The apparatus as described in claim 9 wherein the F-SSO flow is initiated by returning a markup language element to a browser from the request originates.
  - 13. The apparatus as described in claim 12 wherein the markup language element is an HTML iframe.
  - 14. The apparatus as described in claim 9 wherein the method further includes maintaining information about each of the one or more known and trusted identity providers with whom the user has previously authenticated.
  - 15. The apparatus as described in claim 14 wherein the information includes an IP/MAC address combination associated with a browser instance from which the user has been previously authenticated.
  - 16. The apparatus as described in claim 9 wherein the results returned from an F-SSO flow include an identity of the user.

17. A computer program product in a non-transitory computer readable medium for use in a data processing system to control access to a resource, the computer program product holding computer program instructions which, when executed by the data processing system, perform a method comprising:
- receiving a request to access a resource from a user not currently authenticated;
  
  in response, and without additional user input, initiating a federated single sign-on (F-SSO) flow to each of one or more known and trusted identity providers with whom the user has previously authenticated;
  
  receiving results from the one or more F-SSO flows; and
  
  analyzing information returned in the results from the one or more F-SSO flows to determine whether the user is permitted to access the resource.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The computer program product as described in claim 17 wherein the analyzing step comprises:
    - generate a confidence score that an identity of the user matches an identity of a user that has previously authenticated to the one or more known and trusted identity providers; and
      
      allowing or disallowing access to the request based on the confidence score.
  - 19. The computer program product as described in claim 18 wherein the analyzing step further includes:
    - applying a policy to the confidence score.
  - 20. The computer program product as described in claim 17 wherein the F-SSO flow is initiated by returning a markup language element to a browser from the request originates.
  - 21. The computer program product as described in claim 20 wherein the markup language element is an HTML iframe.
  - 22. The computer program product as described in claim 17 wherein the method further includes maintaining information about each of the one or more known and trusted identity providers with whom the user has previously authenticated.
  - 23. The computer program product as described in claim 22 wherein the information includes an IP/MAC address combination associated with a browser instance from which the user has been previously authenticated.
  - 24. The computer program product as described in claim 17 wherein the results returned from an F-SSO flow include an identity of the user not currently authenticated.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Canning, Simon Gilbert, Gee, Simon Winston, Weeden, Shane Bradley

Granted Patent

US 9,246,907 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/8
CPC Class Codes

H04L 63/0281   Proxies

H04L 63/0815   providing single-sign-on or...

H04L 63/0884   by delegation of authentica...

H04L 63/20   for managing network securi...

H04L 67/02   based on web technology, e....

H04L 9/321   involving a third party or ...

Confidence-based authentication discovery for an outbound proxy

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Confidence-based authentication discovery for an outbound proxy

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links