Confidence-based authentication discovery for an outbound proxy
First Claim
1. A method of controlling access to a resource, comprising:
receiving a request to access a resource from a user not currently authenticated;
in response, and without additional user input, initiating a federated single sign-on (F-SSO) flow to each of one or more known and trusted identity providers with whom the user has previously authenticated;
receiving results from the one or more F-SSO flows; and
analyzing information returned in the results from the one or more F-SSO flows to determine whether the user is permitted to access the resource.
Abstract
A confidence-based authentication discovery scheme is implemented at a proxy. The scheme assumes that some level of unauthenticated browsing is allowed prior to enforcing authentication at the proxy. Once a known and trusted set of identity providers has been accessed and the user is required to authenticate at the proxy (e.g., as a result of policy), the proxy initiates Federated Single Sign-On (F-SSO) to one or more (or, preferably, all) known sites accessed by the browser. This F-SSO operation is performed seamlessly, preferably without the user's knowledge (after the user allows an initial trust decision between the proxy acting as a service provider and the external identity provider). The proxy collates the results and, based on the trust it has with those sites, produces a confidence score. That score is then used as input into policy around whether or not a user should be permitted to access a particular site.
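The collation and scoring step described in the abstract, as an added illustration that is not code from the patent: the proxy keeps a trust weight for each identity provider it federates with, counts only successful F-SSO results from those providers, and compares the resulting score with a per-resource policy threshold. The IdP names, trust weights, resource URLs and thresholds are constructed sample values; the patent leaves the weighting and policy to the deployer.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed trust weights for the IdPs this proxy already federates with
# (assumed values; the patent does not prescribe how trust is weighted).
IDP_TRUST: Dict[str, float] = {
    "idp.example-corp.test": 1.0,
    "idp.partner.test": 0.6,
}


@dataclass
class FssoResult:
    """Outcome of one silently initiated F-SSO flow (constructed shape)."""
    idp: str
    authenticated: bool      # did the IdP return a valid assertion?
    subject: Optional[str]   # federated identity the IdP asserted, if any


def confidence_score(results: List[FssoResult]) -> float:
    """Collate F-SSO results into a score in [0, 1].

    Only successful assertions from IdPs the proxy trusts count; a failed
    flow, a duplicate result for the same IdP, or a result from an unknown
    IdP contributes nothing. The score is the trust-weighted fraction of
    trusted IdPs that still vouch for the user.
    """
    total = sum(IDP_TRUST.values())
    earned, seen = 0.0, set()
    for r in results:
        weight = IDP_TRUST.get(r.idp)
        if weight is None or r.idp in seen or not r.authenticated or not r.subject:
            continue
        seen.add(r.idp)
        earned += weight
    return earned / total if total else 0.0


def access_decision(resource: str, results: List[FssoResult],
                    policy: Dict[str, float]) -> str:
    """Policy maps each resource to the minimum confidence it requires.

    Returns "allow", "challenge" (fall back to interactive authentication
    at the proxy) or "deny" (resource unknown to policy, so no silent
    authentication decision is made for it).
    """
    required = policy.get(resource)
    if required is None:
        return "deny"
    return "allow" if confidence_score(results) >= required else "challenge"
```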
24 Claims
1. A method of controlling access to a resource, comprising:
receiving a request to access a resource from a user not currently authenticated; in response, and without additional user input, initiating a federated single sign-on (F-SSO) flow to each of one or more known and trusted identity providers with whom the user has previously authenticated; receiving results from the one or more F-SSO flows; and analyzing information returned in the results from the one or more F-SSO flows to determine whether the user is permitted to access the resource. (Dependent claims: 2, 3, 4, 5, 6, 7, 8.)
9. Apparatus to control access to a resource, comprising:
a processor; computer memory holding computer program instructions that when executed by the processor perform a method comprising: receiving a request to access a resource from a user not currently authenticated; in response, and without additional user input, initiating a federated single sign-on (F-SSO) flow to each of one or more known and trusted identity providers with whom the user has previously authenticated; receiving results from the one or more F-SSO flows; and analyzing information returned in the results from the one or more F-SSO flows to determine whether the user is permitted to access the resource. (Dependent claims: 10, 11, 12, 13, 14, 15, 16.)
17. A computer program product in a non-transitory computer readable medium for use in a data processing system to control access to a resource, the computer program product holding computer program instructions which, when executed by the data processing system, perform a method comprising:
receiving a request to access a resource from a user not currently authenticated; in response, and without additional user input, initiating a federated single sign-on (F-SSO) flow to each of one or more known and trusted identity providers with whom the user has previously authenticated; receiving results from the one or more F-SSO flows; and analyzing information returned in the results from the one or more F-SSO flows to determine whether the user is permitted to access the resource. (Dependent claims: 18, 19, 20, 21, 22, 23, 24.)