Detection And Repair Of Broken Single Sign-On Integration

US 20160080360A1
Filed: 09/04/2015
Published: 03/17/2016
Est. Priority Date: 09/15/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method performed by an identity management system, the method comprising:

storing, for each of a plurality a third-party services, a single sign-on (SSO) integration for the third-party service, the SSO integration comprising information enabling automated login to the third-party service; and

detecting, for a first one of the third-party services and a corresponding first one of the SSO integrations, that the first SSO integration is broken.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An identity management system provides single sign-on (SSO) services to clients, logging the clients into a variety of third-party services for which the clients have accounts. An SSO integration is stored for each of the third-party services, the SSO integration including information that allows the identity management system to automate the login for the corresponding third-party service, such as locations of the login pages, and/or identities of username and password fields. The identity management system uses different techniques in different embodiments to detect that a given SSO integration is broken (i.e., no longer permits login for its corresponding third-party service) and/or to repair the SSO integration.

Citations

21 Claims

1. A computer-implemented method performed by an identity management system, the method comprising:
- storing, for each of a plurality a third-party services, a single sign-on (SSO) integration for the third-party service, the SSO integration comprising information enabling automated login to the third-party service; and
  
  detecting, for a first one of the third-party services and a corresponding first one of the SSO integrations, that the first SSO integration is broken.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. The computer-implemented method of claim 1, wherein the detecting comprises:
    - attempting login to the first third-party service using incorrect credentials; and
      
      determining, based on output of the attempted login, that the attempted login would have been successful had the credentials been correct.
  - 3. The computer-implemented method of claim 2, wherein determining that the attempted login would have been successful had the credentials been correct comprises determining whether a webpage that follows the attempted login includes specific strings of text indicating a login failure.
  - 4. The computer-implemented method of claim 3, further comprising previously identifying the specific strings of text by attempting to login with invalid credentials to a plurality of different third-party services and identifying strings present in webpages that followed the attempted logins.
  - 5. The computer-implemented method of claim 2, wherein determining that the attempted login would have been successful had the credentials been correct comprises:
    - obtaining a first screenshot of the first third-party service'"'"'s login page before the attempted login;
      
      obtaining a second screenshot of the first third-party service'"'"'s login page after the attempted login; and
      
      comparing visual properties of the first screenshot and second screenshot.
  - 6. The computer-implemented method of claim 5, wherein comparing the visual properties comprises determining whether the second screenshot includes an additional user interface element not included in the first screenshot.
  - 7. The computer-implemented method of claim 5, wherein comparing the visual properties comprises determining whether the second screenshot includes a given color not included in the first screenshot.
  - 8. The computer-implemented method of claim 1, wherein the detecting comprises comparing a login flow sequence of uniform resource locators (URLs) resulting from the attempted login to a baseline login flow sequence of uniform resource locators corresponding to a successful login.
  - 9. The computer-implemented method of claim 8, further comprising establishing the baseline login flow sequence based on login flow sequences of a plurality of successful logins into the first third-party service by a plurality of different users.
  - 10. The computer-implemented method of claim 1, wherein the detecting comprises:
    - determining that a first user has attempted to login to the first third-party service using the first SSO integration multiple times during a given time period.
  - 11. The computer-implemented method of claim 10, wherein the detecting further comprises:
    - receiving a confirmation from the first user that the first user is encountering a login failure.
  - 12. The computer-implemented method of claim 1, wherein the detecting is performed in response to a trigger event, the trigger event is at least one of the group consisting of an explicit request to test the first SSO integration, and expiration of a period of time since a previous test of the first SSO integration.
  - 13. The computer-implemented method of claim 1, further comprising determining that the first SSO integration is broken due to a change in content of a login page of the first third-party service, based on comparison of a hash value of the login page computed at a time of the attempted login and a hash value of the login page computed at a prior time when login into the first third-party service was successful.
  - 14. The computer-implemented method of claim 1, further comprising repairing the first SSO integration responsive to detecting that the first SSO integration is broken.
  - 15. The computer-implemented method of claim 13, wherein the repairing comprises:
    - parsing a login page of the first third-party service to identify a username field and a password field; and
      
      storing the identified username field and the identified password field in the first SSO integration.
  - 16. The computer-implemented method of claim 13, wherein the repairing comprises:
    - parsing a login page of the first third-party service to identify a submit button that is a closest button in the login page to a password field in the login page; and
      
      storing the identified submit button in the first SSO integration.
  - 17. The computer-implemented method of claim 16, wherein closeness is measured based on pixel distance.
  - 18. The computer-implemented method of claim 16, wherein closeness is measured based on a distance in a document object model (DOM) tree of the login page.
  - 19. The computer-implemented method of claim 15, further comprising identifying the login page by:
    - navigating to a root page of a domain of the first third-party service;
      
      navigating to a page target of a login hyperlink of the root page; and
      
      responsive to identifying login user interface elements in the page target, identifying the page target as the login page.
  - 20. The computer-implemented method of claim 14, further comprising determining that the first SSO integration has been successfully repaired by:
    - receiving a request from a user to login to the first third-party service;
      
      using the repaired first SSO integration to attempt to log the user into the first third-party service; and
      
      analyzing behavior of the user after the attempted login using the repaired first SSO integration.
  - 21. The computer-implemented method of claim 14, further comprising determining that the first SSO integration has been successfully repaired by:
    - receiving a request from a user to login to the first third-party service;
      
      using the repaired first SSO integration to attempt to log the user into the first third-party service; and
      
      comparing a login flow sequence of uniform resource locators (URLs) resulting from the attempted login to a baseline login flow sequence of uniform resource locators corresponding to a successful login.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Okta Incorporated
Original Assignee
Okta Incorporated
Inventors
Drozdov, Andrew P., Child, Reman P., Karaa, Hassen, Gu, Xin, Aguilar-Macias, Hector

Granted Patent

US 10,097,533 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/41   where a single sign-on prov...

H04L 63/0815   providing single-sign-on or...

H04L 67/02   based on web technology, e....

Detection And Repair Of Broken Single Sign-On Integration

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Detection And Repair Of Broken Single Sign-On Integration

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links