Authentication for distributed secure content management system
Abstract
Aspects of the subject matter described herein relate to authentication for a distributed secure content management system. In aspects, a request to access a resource available through the Internet is routed to a security component. The security component is one of a plurality of security components distributed throughout the Internet and responsible for authenticating entities associated with an enterprise. The security component determines an authentication protocol to use with the entity and then authenticates the entity. If the entity is authenticated, the entity is allowed to use a forward proxy.
16 Claims
1. A method implemented at least in part by a computer, the method comprising:

receiving, at a security component, a message sent from a device, the security component being associated with a forward proxy that is logically between the device and a resource to which the device seeks access;
authenticating, via the security component, an entity associated with the device;
sending a cookie to the device, the cookie indicating that the entity has been previously authenticated by the security component, the device to present the cookie with subsequent requests for access to resources accessible via the forward proxy, the forward proxy providing connectivity of the device to the resource;
establishing a time to live for the cookie, the cookie being no longer useful for authentication after the time to live has expired, wherein the cookie includes policy information associated with the entity usable to enforce a policy for the subsequent requests, the policy information comprising indication of sites the entity is allowed to access; and
storing information identifying the entity.

11. A computer storage memory having computer-executable instructions, which when executed perform actions, comprising:

sending, from an entity associated with a device attached to a first network, a request to access a resource from a second network;
receiving the request at a component residing on the device, the component monitoring traffic between the device and the second network;
before sending the request to the second network, using a protocol that allows the device to authenticate itself without user interaction, transparent to a user of the device, authenticating the entity via the component by communicating with a security component associated with a forward proxy attached to the second network, the forward proxy being logically between the device and the second network;
sending the request to the forward proxy over a secure channel; and
receiving a cookie from the forward proxy, the cookie indicating that the entity has been previously authenticated by the security component.

15. In a computing environment, an apparatus comprising:

a protocol selector operable to negotiate an authentication protocol with a device associated with an entity, the authentication protocol utilized in conjunction with authenticating the entity seeking to gain access to a resource available via a first network;
a client component operable to authenticate the entity using the authentication protocol via the device associated with the entity;
an identity validator operable to obtain an identifier for the entity from a first identity system having a trust relationship with a second identity system, the first identity system residing on the first network, the second identity system residing on a second network, wherein the second network is different than the first network;
a proxy informer operable to indicate to a forward proxy whether the entity is authenticated, the forward proxy being one of a plurality of forward proxies distributed across one or more networks, the forward proxies structured to allow authenticated entities to access resources available via the one or more networks;
a history tracker operable to store information identifying the entity and information identifying resources accessed by the entity that are available via the first network; and
a reporting component operable to provide the information in a form that identifies the entity and the resources accessed.
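The mechanism of claim 1 (a security component issues a cookie that carries a time to live and an allowed-sites policy, which the forward proxy then enforces on later requests) together with the history tracker of claim 15, as an added Python sketch; this is not code from the patent or its assignee, and the HMAC signing of the cookie, the field names, the shared key and the sample entity and site names are all assumptions.

```python
import base64, hashlib, hmac, json, time

# Assumption: a key shared by the security component and the forward proxy
# so the proxy can check the cookie without calling back (constructed value).
SECRET = b"constructed-demo-key"

def issue_cookie(entity, allowed_sites, ttl_seconds, now=None, secret=SECRET):
    """Security component: after authenticating `entity`, mint a cookie that
    records the policy (sites the entity may reach) and an expiry, and sign it."""
    now = time.time() if now is None else now
    payload = {"entity": entity, "allowed": sorted(allowed_sites), "exp": now + ttl_seconds}
    body = base64.urlsafe_b64encode(
        json.dumps(payload, separators=(",", ":")).encode()).decode()
    tag = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"

def verify_cookie(cookie, now=None, secret=SECRET):
    """Forward proxy: return the cookie's policy, or None if the cookie is
    malformed, tampered with, or past its time to live."""
    now = time.time() if now is None else now
    try:
        body, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None  # signature mismatch: not issued by the security component
    payload = json.loads(base64.urlsafe_b64decode(body))
    if now >= payload["exp"]:
        return None  # expired: device must authenticate again
    return payload

class ForwardProxy:
    def __init__(self, secret=SECRET):
        self.secret = secret
        self.history = []  # history tracker: (entity, site) for each allowed access

    def handle(self, cookie, site, now=None):
        """Decide one subsequent request: 'allow', 'deny' (policy forbids the
        site) or 'reauth' (no valid cookie presented)."""
        policy = verify_cookie(cookie, now, self.secret)
        if policy is None:
            return "reauth"
        if site not in policy["allowed"]:
            return "deny"
        self.history.append((policy["entity"], site))
        return "allow"
```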