USING A SERVICE-PROVIDER PASSWORD TO SIMULATE F-SSO FUNCTIONALITY

US 20170149767A1
Filed: 11/24/2015
Published: 05/25/2017
Est. Priority Date: 11/24/2015
Status: Active Grant

First Claim

Patent Images

1. A method for Single-Use Federated Single Sign-On (SU-F-SSO) functionality, the method comprising:

a processor of a computer system receiving, from an Identity Provider of an F-SSO federation, a single sign-on request, where the Service Provider'"'"'s authentication process does not provide single sign-on functionality to the secured service, and where the trusted data confirms a user'"'"'s identity and further confirms that the user'"'"'s privileges and authorization to access secured services at the Service Provider;

the processor, as a Single-Use F-SSO implementation, identifying the user and the user'"'"'s privileges as a function of the authenticated data;

the processor creating an on-demand password;

the processor storing a copy of the on-demand password in an information repository secured by the Service Provider;

the processor transmitting the on-demand password to the user;

the processor redirecting the user to the Service Provider'"'"'s logon portal;

the logon portal receiving from the user the on-demand password as part of a sign-on procedure of the logon portal;

the logon portal confirming the user'"'"'s identity by matching the returned password to the copy of the on-demand password stored in the repository; and

the logon portal as a function of the confirming, granting the user access to the secured service.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for using a Service-Provider password to simulate F-SSO functionality. A processor receives from an F-SSO Identity Provider authentication data for a user who has requested access to a secured service. The service is managed by an F-SSO Service Provider that does not offer F-SSO functionality for that service. Upon receiving the data, the processor redirects the user to an SU-F-SSO portal of the Service Provider, which uses the received authentication data to authenticate the user. The processor sends the user an on-demand password and, when the user uses that password to sign on, the processor matches the entered password with a stored copy of the password that was sent to the user. If they match, the processor grants the user access to the requested service. In some embodiments, the on-demand password may be a single-use password or may be sent to the user via an out-of-band communication.

Citations

20 Claims

1. A method for Single-Use Federated Single Sign-On (SU-F-SSO) functionality, the method comprising:
- a processor of a computer system receiving, from an Identity Provider of an F-SSO federation, a single sign-on request, where the Service Provider'"'"'s authentication process does not provide single sign-on functionality to the secured service, and where the trusted data confirms a user'"'"'s identity and further confirms that the user'"'"'s privileges and authorization to access secured services at the Service Provider;
  
  the processor, as a Single-Use F-SSO implementation, identifying the user and the user'"'"'s privileges as a function of the authenticated data;
  
  the processor creating an on-demand password;
  
  the processor storing a copy of the on-demand password in an information repository secured by the Service Provider;
  
  the processor transmitting the on-demand password to the user;
  
  the processor redirecting the user to the Service Provider'"'"'s logon portal;
  
  the logon portal receiving from the user the on-demand password as part of a sign-on procedure of the logon portal;
  
  the logon portal confirming the user'"'"'s identity by matching the returned password to the copy of the on-demand password stored in the repository; and
  
  the logon portal as a function of the confirming, granting the user access to the secured service.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, where the on-demand password is limited to a single use.
  - 3. The method of claim 1, where the on-demand password is subject to constraints selected from a group consisting of:
    - limiting the on-demand password to a certain number of uses;
      
      limiting the password to use during a single session of the secured service;
      
      limiting the password to use during a specified period of time;
      
      limiting the password to use during a specified period of time after the first use of the password; and
      
      requiring the user to perform an additional authentication procedure when entering the password.
  - 4. The method of claim 1, where the on-demand password is transmitted to the user through an out-of-band communications method.
  - 5. The method of claim 4, where the out-of-band communications method comprises a communication sent to a user-controlled destination that is not part of an F-SSO protocol exchange, where the out-of-band communication is selected from a group consisting of:
    - a voice message;
      
      a fax;
      
      an SMS text message;
      
      an email message;
      
      a communication to a social-media service;
      
      an instant message; and
      
      a communication sent through the Internet to a software program running on a device that is accessible to the user.
  - 6. The method of claim 1, where the notification is received in response to:
    - the processor, in response to detecting that the user has requested access to the secured service from a portal under control of the Service Provider, redirecting the user to a portal under control of the IDP; and
      
      the processor requesting that the IDP identify and authenticate the user.
  - 7. The method of claim 1, where the notification is received in response to a detection by the IDP that the user has requested access to the secured service from a portal under control of the IDP.
  - 8. The method of claim 1, where the Service Provider is a cloud-computing service provider, the secured service is a cloud-based service deployed and controlled by the Service Provider on a cloud-computing platform provided by the Service Provider, and the IDP is a client of the Service Provider that controls an application deployed on the cloud-computing platform provided by the Service Provider.
  - 9. The method of claim 1, where the notification comprises an F-SSO message that in turn comprises an authentication token.
  - 10. The method of claim 9, where the F-SSO message and authentication token are formatted as one or more SAML assertions.
  - 11. The method of claim 1, further comprising providing at least one support service for at least one of creating, integrating, hosting, maintaining, and deploying computer-readable program code in the computer system, where the computer-readable program code in combination with the computer system is configured to implement the receiving, redirecting, authenticating, creating, storing, transmitting, identifying, confirming, and granting.

12. A Single-Use SU-F-SSO system comprising a processor, a memory coupled to the processor, and a computer-readable hardware storage device coupled to the processor, the storage device containing program code configured to be run by the processor via the memory to implement a method for using a Service-Provider password to simulate F-SSO functionality, the method comprising:
- the processor receiving, from an Identity Provider of an F-SSO federation, a single sign-on request, where the Service Provider'"'"'s authentication process does not provide single sign-on functionality to the secured service, and where the trusted data confirms a user'"'"'s identity and further confirms that the user'"'"'s privileges and authorization to access secured services at the Service Provider;
  
  the processor, as a Single-Use F-SSO implementation, identifying the user and the user'"'"'s privileges as a function of the authenticated data;
  
  the processor creating an on-demand password;
  
  the processor storing a copy of the on-demand password in an information repository secured by the Service Provider;
  
  the processor transmitting the on-demand password to the user;
  
  the processor redirecting the user to the Service Provider'"'"'s logon portal;
  
  the logon portal receiving from the user the on-demand password as part of a sign-on procedure of the logon portal;
  
  the logon portal confirming the user'"'"'s identity by matching the returned password to the copy of the on-demand password stored in the repository; and
  
  the logon portal as a function of the confirming, granting the user access to the secured service.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The system of claim 12, where the on-demand password is limited to a single use.
  - 14. The system of claim 12, where the on-demand password is subject to constraints selected from a group consisting of:
    - limiting the on-demand password to a certain number of uses;
      
      limiting the password to use during a single session of the secured service;
      
      limiting the password to use during a specified period of time;
      
      limiting the password to use during a specified period of time after the first use of the password; and
      
      requiring the user to perform an additional authentication procedure when entering the password.
  - 15. The system of claim 12, where the on-demand password is transmitted to the user through an out-of-band communications method, and where the out-of-band communications method comprises a communication sent to a user-controlled destination that is not part of an F-SSO protocol exchange, where the out-of-band communication is selected from a group consisting of:
    - a voice message;
      
      a fax;
      
      an SMS text message;
      
      an email message;
      
      a communication to a social-media service;
      
      an instant message; and
      
      a communication sent through the Internet to a software program running on a device that is accessible to the user.
  - 16. The system of claim 12, where the Service Provider is a cloud-computing service provider, the secured service is a cloud-based service deployed and controlled by the Service Provider on a cloud-computing platform provided by the Service Provider, and the IDP is a client of the Service Provider that controls an application deployed on the cloud-computing platform provided by the Service Provider.

17. A computer program product, comprising a computer-readable hardware storage device having a computer-readable program code stored therein, the program code configured to be executed by a system comprising a processor, a memory coupled to the processor, and a computer-readable hardware storage device coupled to the processor, the storage device containing program code configured to be run by the processor via the memory to implement a method for using a Service-Provider password to simulate F-SSO functionality, the method comprising:
- the processor receiving, from an Identity Provider of an F-SSO federation, a single sign-on request, where the Service Provider'"'"'s authentication process does not provide single sign-on functionality to the secured service, and where the trusted data confirms a user'"'"'s identity and further confirms that the user'"'"'s privileges and authorization to access secured services at the Service Provider;
  
  the processor, as a Single-Use F-SSO implementation, identifying the user and the user'"'"'s privileges as a function of the authenticated data;
  
  the processor creating an on-demand password;
  
  the processor storing a copy of the on-demand password in an information repository secured by the Service Provider;
  
  the processor transmitting the on-demand password to the user;
  
  the processor redirecting the user to the Service Provider'"'"'s logon portal;
  
  the logon portal receiving from the user the on-demand password as part of a sign-on procedure of the logon portal;
  
  the logon portal confirming the user'"'"'s identity by matching the returned password to the copy of the on-demand password stored in the repository; and
  
  the logon portal as a function of the confirming, granting the user access to the secured service.
- View Dependent Claims (18, 19, 20)
- - 18. The computer program product of claim 17, where the on-demand password is limited to a single use.
  - 19. The computer program product of claim 17, where the on-demand password is transmitted to the user through an out-of-band communications method, and where the out-of-band communications method comprises a communication sent to a user-controlled destination that is not part of an F-SSO protocol exchange.
  - 20. The computer program product of claim 17, where the Service Provider is a cloud-computing service provider, the secured service is a cloud-based service deployed and controlled by the Service Provider on a cloud-computing platform provided by the Service Provider, and the IDP is a client of the Service Provider that controls an application deployed on the cloud-computing platform provided by the Service Provider.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kyndryl Incorporated (Kyndryl Holdings, Inc.)
Original Assignee
International Business Machines Corporation
Inventors
Hinton, Heather M., Malone, Kelly

Granted Patent

US 10,305,882 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0815 providing single-sign-on or...

H04L 63/10 for controlling access to d...

USING A SERVICE-PROVIDER PASSWORD TO SIMULATE F-SSO FUNCTIONALITY

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

USING A SERVICE-PROVIDER PASSWORD TO SIMULATE F-SSO FUNCTIONALITY

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links