Flexible end-point compliance and strong authentication for distributed hybrid enterprises

US 8,997,196 B2
Filed: 06/14/2010
Issued: 03/31/2015
Est. Priority Date: 06/14/2010
Status: Active Grant

First Claim

Patent Images

1. A method for use by a client computer to access at least one resource hosted by at least one server controlled by at least one service provider, comprising:

sending, from the client computer, to an access control gateway controlled by at least one enterprise different from the at least one service provider, authentication information associated with a user of the client computer and a statement of health regarding the client computer;

sending a request for the security token to the access control gateway;

receiving at least one security challenge from the access control gateway, wherein the access control gateway sends the at least one security challenge in response to the request for the security token, and wherein the client computer sends the authorization information and the statement of health in response to the at least one security challenge;

receiving, at the client computer, a security token from the access control gateway prior to attempting to access the at least one server hosting the at least one resource;

sending, by the client computer, to the at least one server hosting the at least one resource, the security token received from the access control gateway; and

accessing the at least one resource from the at least one server without further authentication processes.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods and apparatus for accessing at least one resource hosted by at least one server of a cloud service provider. In some embodiments, a client computer sends authentication information associated with a user of the client computer and a statement of health regarding the client computer to an access control gateway deployed in an enterprise'"'"'s managed network. The access control gateway authenticates the user and determines whether the user is authorized to access the at least one resource hosted in the cloud. If the user authentication and authorization succeeds, the access control gateway requests a security token from a security token service trusted by an access control component in the cloud and forwards the security token to the client computer. The client computer sends the security token to the access component in the cloud to access the at least one resource from the at least one server.

28 Citations

View as Search Results

16 Claims

1. A method for use by a client computer to access at least one resource hosted by at least one server controlled by at least one service provider, comprising:
- sending, from the client computer, to an access control gateway controlled by at least one enterprise different from the at least one service provider, authentication information associated with a user of the client computer and a statement of health regarding the client computer;
  
  sending a request for the security token to the access control gateway;
  
  receiving at least one security challenge from the access control gateway, wherein the access control gateway sends the at least one security challenge in response to the request for the security token, and wherein the client computer sends the authorization information and the statement of health in response to the at least one security challenge;
  
  receiving, at the client computer, a security token from the access control gateway prior to attempting to access the at least one server hosting the at least one resource;
  
  sending, by the client computer, to the at least one server hosting the at least one resource, the security token received from the access control gateway; and
  
  accessing the at least one resource from the at least one server without further authentication processes.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, further comprising:
    - sending, to the at least one server, a request to access the at least one resource; and
      
      receiving, from the at least one server, an instruction to contact the access control gateway as a prerequisite to accessing the at least one resource.
  - 3. The method of claim 1, wherein the authentication information comprises at least two user credentials selected from a group consisting of:
    - a secret knowledge credential, a physical object credential, and a personal physical characteristic credential.
  - 4. The method of claim 1, wherein the statement of health regarding the client computer comprises configuration information regarding at least one protective component of the client computer, the at least one protective component being selected from a group consisting of:
    - an anti-virus software, a firewall, and an operating system patch.
  - 5. The method of claim 1, wherein the access control gateway is configured to determine, based at least in part on the access request information, whether the client computer is authorized to access the at least one resource hosted by the at least one server, and wherein the security token is obtained from a security token service by the access control gateway if the access control gateway determines that the client computer is authorized to access the at least one resource, the security token service being trusted by the at least one server.

6. A client computer for accessing at least one resource hosted by at least one server controlled by at least one service provider, comprising at least one processor programmed to:
- send, from the client computer to an access control gateway controlled by at least one enterprise different from the at least one service provider, access request information purporting to indicate that the client computer is authorized to access the at least one resource;
  
  send a request for the security token to the access control gateway;
  
  receive at least one security challenge from the access control gateway, wherein the access control gateway sends the at least one security challenge in response to the request for the security token, and wherein the at least one processor is programmed to send the access request information in response to the at least one security challenge;
  
  receive a security token from the access control gateway at the client computer prior to attempting to access the at least one server hosting the at least one resource;
  
  send, from the client computer, to the at least one server hosting the at least one resource, the security token received from the access control gateway;
  
  access the at least one resource from the at least one server; and
  
  wherein the client computer includes at least one hardware processor.
- View Dependent Claims (7, 8, 9, 10, 11)
- - 7. The client computer of claim 6, wherein the at least one processor is further programmed to:
    - send, to the at least one server, a request to access the at least one resource; and
      
      receive, from the at least one server, an instruction to contact the access control gateway as a prerequisite to accessing the at least one resource.
  - 8. The client computer of claim 6, wherein the access request information comprises at least two user credentials selected from a group consisting of:
    - a secret knowledge credential, a physical object credential, and a personal physical characteristic credential.
  - 9. The client computer of claim 6, wherein the access request information comprises configuration information regarding at least one protective component of the client computer, the at least one protective component being selected from a group consisting of:
    - an anti-virus software, a firewall, and an operating system patch.
  - 10. The client computer of claim 6, wherein the access control gateway is configured to determine, based at least in part on the access request information, whether the client computer is authorized to access the at least one resource hosted by the at least one server, and wherein the security token is obtained from a security token service by the access control gateway if the access control gateway determines that the client computer is authorized to access the at least one resource, the security token service being trusted by the at least one server.
  - 11. The client computer of claim 10, wherein the at least one server is configured to determine whether the security token is generated by a trusted security token service, and wherein the at least one server allows the client computer to access the at least one resource only if the at least one server determines that the security token is generated by a trusted security token service.

12. At least one non-transitory computer-readable medium having encoded thereon instructions that, when executed by at least one processor, perform a method for use by an access gateway controlled by at least one enterprise, the method comprising:
- receiving, from a client computer, access request information purporting to indicate that the client computer is authorized to access at least one resource hosted by at least one server controlled by at least one service provider different from the at least one enterprise prior to the client computer attempting to access the at least one resource;
  
  receiving a request for the security token from the client computer;
  
  in response to the request for the security token, sending at least one security challenge to the client computer, wherein the client computer sends the access request information in response to the at least one security challenge;
  
  determining, based at least in part on the access request information, whether the client computer is authorized to access the at least one resource by forwarding at least some of the access request information comprising configuration information regarding the client computer to a health policy server controlled by the least one enterprise; and
  
  if it is determined that the client computer is authorized to access the at least one resource, sending a security token to the client computer to be presented to the at least one server to obtain access to the at least one resource.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The at least one non-transitory computer-readable medium of claim 12, wherein the method further comprises:
    - requesting the security token from a security token service trusted by the at least one server.
  - 14. The at least one non-transitory computer-readable medium of claim 12, wherein the access request information comprises at least two user credentials selected from a group consisting of:
    - a secret knowledge credential, a physical object credential, and a personal physical characteristic credential.
  - 15. The at least one non-transitory computer-readable medium of claim 12, wherein determining whether the client computer is authorized to access the at least one resource comprises:
    - forwarding at least some of the access request information comprising one or more user credentials to an authentication server controlled by the least one enterprise.
  - 16. The at least one non-transitory computer-readable medium of claim 12, wherein the access request information comprises configuration information regarding at least one protective component of the client computer, the at least one protective component being selected from a group consisting of:
    - an anti-virus software, a firewall, and an operating system patch.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Kariv, Asaf, Ananiev, Oleg, Tovbeyn, Eli, Kershaw, Daniel, Neystadt, Eugene (John)
Primary Examiner(s)
BAYOU, YONAS A

Application Number

US12/815,215
Publication Number

US 20110307947A1
Time in Patent Office

1,751 Days
Field of Search

726/12, 726/9
US Class Current

726/9
CPC Class Codes

H04L 2463/082   applying multi-factor authe...

H04L 63/08   for authentication of entit...

H04L 63/102   Entity profiles

Flexible end-point compliance and strong authentication for distributed hybrid enterprises

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

28 Citations

16 Claims

Specification

Use Cases

Quick Links

Others

Flexible end-point compliance and strong authentication for distributed hybrid enterprises

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

28 Citations

16 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others