User authentication based on network context

US 9,021,558 B2
Filed: 01/22/2013
Issued: 04/28/2015
Est. Priority Date: 01/22/2013
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving, in response to a request transmitted from a computing device to access a computing solution, a command to authenticate a user of the computing device;

determining, in response to receiving the command, whether a network address corresponding to the request matches at least one network address associated with a protected network;

initiating, in response to the network address corresponding to the request not matching the at least one network address associated with the protected network, authentication of the user via a first number of authentication mechanisms defined via a stack of pluggable authentication modules at an identity provider corresponding to the computing solution; and

delegating, in response to the network address corresponding to the request matching the at least one network address associated with the protected network, the authentication of the user via a second number, that is greater than the first number, of authentication mechanisms defined via a stack of pluggable authentication modules to an identity management system located within the protected network.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Example systems and methods of user authentication based on network context are presented. In one example, a command to authenticate a user of a computing device is received in response to a request transmitted from the computing device to access a computing solution. In response to the command, a determination is made whether a network address corresponding to the request matches at least one network address associated with a protected network. Based on the network address corresponding to the request not matching the at least one network address associated with the protected network, authentication of the user is initiated at an identity provider corresponding to the computing solution. Otherwise, based on the network address corresponding to the request matching the at least one network address associated with the protected network, authentication of the user is delegated to an identity management system located within the protected network.

27 Citations

View as Search Results

15 Claims

1. A method, comprising:
- receiving, in response to a request transmitted from a computing device to access a computing solution, a command to authenticate a user of the computing device;
  
  determining, in response to receiving the command, whether a network address corresponding to the request matches at least one network address associated with a protected network;
  
  initiating, in response to the network address corresponding to the request not matching the at least one network address associated with the protected network, authentication of the user via a first number of authentication mechanisms defined via a stack of pluggable authentication modules at an identity provider corresponding to the computing solution; and
  
  delegating, in response to the network address corresponding to the request matching the at least one network address associated with the protected network, the authentication of the user via a second number, that is greater than the first number, of authentication mechanisms defined via a stack of pluggable authentication modules to an identity management system located within the protected network.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, the at least one network address associated with the protected network comprising one of a single network address, a range of network addresses, and a list of ranges of network addresses.
  - 3. The method of claim 1, the at least one network address associated with the protected network comprising a network address of a proxy server of the protected network.
  - 4. The method of claim 1, at least one of the identity provider and the identity management system providing the authentication of the user using a security assertion markup language.
  - 5. The method of claim 1, the delegating of the authentication of the user to the identity management system located within the protected network being performed using an identity provider proxy mechanism.
  - 6. The method of claim 1, wherein the at least one authentication mechanism provided by the identity provider is different than the at least one authentication mechanism provided by the identity management system.
  - 7. The method of claim 1, the initiating of the authentication of the user via the identity provider comprising forwarding at least a portion of the authentication from the identity provider to a second identity provider.

8. A system comprising:
- at least one hardware processor;
  
  a user location determination module executable using the at least one hardware processor, configured to;
  
  receive, in response to a request transmitted from a computing device to access a computing solution, a command to authenticate a user of the computing device; and
  
  determine, in response to receiving the command, whether a network address corresponding to the request matches at least one network address associated with a protected network;
  
  an authentication module comprising an identity provider executable using the at least one hardware processor, configured to authenticate the user via a first number of authentication mechanisms defined by a stack of pluggable authentication modules, at the identity provider corresponding to the computing solution, in response to the network address corresponding to the request not matching the at least one network address associated with the protected network; and
  
  a delegation module executable using the at least one hardware processor, configured to delegate, in response to the network address corresponding to the request matching the at least one network address associated with the protected network, the authentication of the user via a second number, that is greater than the first number, of authentication mechanisms defined by a stack of pluggable authentication modules to an identity management system located within the protected network.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein the authentication module further configured to employ at least one additional identity provider external to the system to authenticate the user.
  - 10. The system of claim 8, the computing solution providing a single entry point for access to the computing solution via computing devices located within the protected network and outside the protected network.
  - 11. The system of claim 8, the at least one network address associated with the protected network comprising one of a single Internet Protocol (IP) address, a range of IP addresses, and a list of ranges of IP addresses.
  - 12. The system of claim 8, the at least one network address associated with the protected network comprising a network address of a proxy server of the protected network.
  - 13. The system of claim 8, wherein the at least one authentication mechanism provided by the identity provider is different than the at least one authentication mechanism provided by the identity management system.
  - 14. The system of claim 8, the network address corresponding to the request comprising a network address of a communication device from which the request was received at the computing solution.

15. A non-transitory computer-readable storage medium including instructions that, when executed by at least one processor of a machine, cause the machine to perform operations comprising:
- receiving, from a computing solution in response to a request transmitted from a computing device to access the computing solution, a command to authenticate a user of the computing device, the command including a network address of a communication device from which the request was received at the computing solution;
  
  determining whether the network address corresponding to the request matches at least one network address associated with a protected network;
  
  initiating, in response to the network address corresponding to the request not matching the at least one network address associated with the protected network, authentication of the user via a first number of authentication mechanisms defined by a stack of pluggable authentication modules an identity provider corresponding to the computing solution; and
  
  in response to the network address corresponding to the request matching the at least one network address associated with the protected network, delegating the authentication of the user via a second number, that is greater than the first number, of authentication mechanisms defined via a stack of pluggable authentication modules to an identity management system located within the protected network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SAP SE
Original Assignee
SAP SE
Inventors
Zlatarev, Stephan
Primary Examiner(s)
Pham, Luu
Assistant Examiner(s)
Tolentino, Roderick

Application Number

US13/746,995
Publication Number

US 20140208382A1
Time in Patent Office

826 Days
Field of Search

726 1- 5
US Class Current

726/4
CPC Class Codes

G06F 21/31 User authentication

G06F 21/602 Providing cryptographic fac...

User authentication based on network context

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

27 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

User authentication based on network context

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

27 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links