System and method for proxying federated authentication protocols

US 8,893,230 B2
Filed: 02/24/2014
Issued: 11/18/2014
Est. Priority Date: 02/22/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving a service provider identity request through a federated authentication protocol, which comprises emulating an identity provider in a first instance of a federated authentication protocol;

transmitting a proxy identity request to a configured identity provider;

receiving an identity assertion, wherein transmitting a proxy identity request to the configured identity provider and receiving an identity assertion comprises emulating a service provider in a second instance of a federated authentication protocol when transmitting to and receiving from the identity provider;

facilitating execution of a second layer of authentication;

determining a proxy identity assertion based on the identity assertion and the second layer of authentication; and

transmitting the proxy identity assertion to the service provider.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method that include receiving a service provider identity request through a federated authentication protocol; transmitting a proxy identity request to a configured identity provider; receiving an identity assertion; facilitating execution of a second layer of authentication; determining a proxy identity assertion based on the identity assertion and the second layer of authentication; and transmitting the proxy identity assertion to the service provider.

Citations

25 Claims

1. A method comprising:
- receiving a service provider identity request through a federated authentication protocol, which comprises emulating an identity provider in a first instance of a federated authentication protocol;
  
  transmitting a proxy identity request to a configured identity provider;
  
  receiving an identity assertion, wherein transmitting a proxy identity request to the configured identity provider and receiving an identity assertion comprises emulating a service provider in a second instance of a federated authentication protocol when transmitting to and receiving from the identity provider;
  
  facilitating execution of a second layer of authentication;
  
  determining a proxy identity assertion based on the identity assertion and the second layer of authentication; and
  
  transmitting the proxy identity assertion to the service provider.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 16)
- - 2. The method of claim 1, further comprising, in association with a managing account instance, configuring the first instance of a federated authentication protocol and the second instance of a federated authentication protocol;
    - and prior to transmitting the proxy identity request, selecting the second instance according to an identifier of the managing account from the first instance.
  - 3. The method of claim 1, wherein the federated authentication protocol of the first instance and the second instance is a security assertion markup language protocol (SAML).
  - 4. The method of claim 1, wherein the federated authentication protocol of the first and second instance is an OpenID Connect protocol.
  - 5. The method of claim 1, wherein the first instance of a federated authentication protocol is a first type of protocol;
    - wherein the second instance of a federated authentication protocol is a second type of protocol; and
      
      wherein the first and second type of protocol are not the same.
  - 6. The method of claim 5, further comprising translating attributes between the first type of protocol and the second type of protocol.
  - 7. The method of claim 6, wherein the second type of protocol is a lightweight directory access protocol (LDAP).
  - 8. The method of claim 6, wherein translating attributes between the first type of protocol and the second type of protocol comprises translating from attributes of a security assertion markup authentication protocol (SAML) and scopes of an OpenID Connect protocol.
  - 9. The method of claim 1, wherein receiving a service provider identity request through a federated authentication protocol, transmitting a proxy identity request to a configured identity provider, receiving an identity assertion, and facilitating execution of a second layer of authentication are performed at a proxy server installed within an internal network.
  - 16. The method of claim 1, wherein transmitting the proxy identity request comprises transmitting a proxy identity request to the configured identity provider if the second layer of authentication is determined to be successful;
    - and if the second layer of authentication is determined to be unsuccessful, transmitting a failed proxy identity assertion to the service provider.

10. A method comprising:
- receiving a service provider identity request through a federated authentication protocol;
  
  transmitting a proxy identity request to a configured identity provider;
  
  receiving an identity assertion;
  
  facilitating execution of a second layer of authentication;
  
  determining a proxy identity assertion based on the identity assertion and the second layer of authentication;
  
  transmitting the proxy identity assertion to the service provider; and
  
  wherein receiving a service provider identity request through a federated authentication protocol, transmitting a proxy identity request to a configured identity provider, receiving an identity assertion, and facilitating execution of a second layer of authentication are performed at a proxy server of a of a multi-tenant service of second layer authentication service.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The method of claim 10, wherein receiving the service provider identity request through a federated authentication protocol comprises emulating an identity provider in a first instance of a federated authentication protocol;
    - and wherein transmitting a proxy identity request to the configured identity provider and receiving an identity assertion comprises emulating a service provider in a second instance of a federated authentication protocol when transmitting to and receiving from the identity provider.
  - 12. The method of claim 11, wherein the federated authentication protocol of the first instance and the second instance is a security assertion markup language protocol (SAML).
  - 13. The method of claim 11, wherein the federated authentication protocol of the first and second instance is an OpenID Connect protocol.
  - 14. The method of claim 11, wherein the first instance of a federated authentication protocol is a first type of protocol;
    - wherein the second instance of a federated authentication protocol is a lightweight directory access protocol (LDAP) protocol; and
      
      wherein the first and second type of protocol are not the same;
      
      further comprising translating attributes between the first type of protocol and the LDAP protocol.
  - 15. The method of claim 10, wherein facilitating execution of a second layer of authentication comprises authenticating the identity request with a secondary device associated with an identity of the identity request.

17. A method for single sign-on comprising:
- in association with a managing account instance, configuring a first instance of a federated authentication protocol and a second instance of a federated authentication protocol;
  
  receiving an identity assertion of an identity provider through the first federated identity protocol;
  
  facilitating execution of a second layer of authentication;
  
  transmitting a proxy identity assertion to a service provider through the second instance of a federated authentication protocol comprising emulating an identity provider in the second instance of a federated authentication protocol, which comprises, prior to transmitting the proxy identity assertion selecting the second instance according to an identifier of the managing account from the first instance.
- View Dependent Claims (18, 19, 20)
- - 18. The method of claim 17, wherein the first instance and second instance are different types of federated authentication protocols, and further comprising translating attributes between the first type of protocol and the second type of protocol.
  - 19. The method of claim 17, further comprising if the second layer of authentication is unsuccessful returning an error message to the identity provider.
  - 20. The method of claim 17, wherein the first instance of a federated authentication protocol is a protocol of claim-based access control authorization of an active directory federation service.

21. A system comprising:
- a federated authentication proxy server that comprises;
  
  an identity provider interface that emulates an identity provider in a first instance of a federated authentication protocol with a service provider,a service provider emulator that emulates a service provider in a second instance of a federated authentication protocol during communication of a proxy identity request with an identity provider,a second layer authentication engine, andan account system with stored configuration of at least one managing account that includes configuration of a first instance of a federated authentication protocol with the identity provider interface, a second instance of a federated authentication protocol with the service provider emulator; and
  
  second layer of authentication settings of at least one identity associated with the managing account.
- View Dependent Claims (22, 23, 24, 25)
- - 22. The system of claim 21 further comprising a translation module that communicatively translates identity requests and identity assertions processed within the identity provider interface and the service provider emulator.
  - 23. The system of claim 22, wherein the translation module includes translation rules to translate between a security assertion markup language protocol and an Open ID Connect protocol.
  - 24. The system of claim 21, further comprising a two-factor authentication web service integrated with the second layer authentication engine of the federated authentication proxy server;
    - and wherein the federated authentication proxy server is hosted in the two-factor authentication web service.
  - 25. The system of claim 21, wherein the federated authentication proxy server is hosted in an internal network with an identity provider.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Duo Security Incorporated (Cisco Systems, Inc.)
Inventors
Oberheide, Jon, Song, Douglas
Primary Examiner(s)
Song, Hosuk

Application Number

US14/188,449
Publication Number

US 20140245389A1
Time in Patent Office

267 Days
Field of Search

726 1- 8, 713150-152, 713/155, 713168-170
US Class Current

726/2
CPC Class Codes

H04L 63/0815 providing single-sign-on or...

H04L 63/0884 by delegation of authentica...

System and method for proxying federated authentication protocols

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for proxying federated authentication protocols

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links