Resource protection on un-trusted devices
First Claim
1. In a computing environment comprising one or more hardware processors, a method of authenticating an untrusted device to an enterprise service, the method comprising:
at an enterprise gateway service of an enterprise network, receiving from an untrusted device that is outside of the enterprise network a secondary user credential for access to a plurality of services within the enterprise network, wherein the secondary user credential is associated with the untrusted device and with a primary user credential and is indirectly usable for access to one or more of the plurality of services by the untrusted device, the primary user credential being directly usable for access to the plurality of services by trusted devices that are within the enterprise network, wherein the enterprise gateway service is configured to enforce one or more restrictions that allow the secondary user credential to be used with a particular set of untrusted devices that includes the untrusted device, while excluding use of the secondary user credential with one or more devices not in the particular set of untrusted devices, and wherein the enterprise gateway service is configured to enforce a policy that limits access that the untrusted device is granted to the plurality of services based on the secondary user credential having been used, as compared to access that the trusted devices would be granted to the plurality of services when using the primary user credential;
at the enterprise gateway service, verifying that the secondary user credential was received from the untrusted device that is associated with the secondary user credential;
at the enterprise gateway service, verifying that the secondary user credential is valid; and
at the enterprise gateway service, based on the secondary user credential having been received from the untrusted device that is associated with the secondary user credential and based on the secondary user credential being valid, substituting the primary user credential for the secondary user credential, and forwarding the primary user credential to a first service of the plurality of services for granting the untrusted device access to the first service based on use of the secondary user credential, while enforcing the policy by refraining from forwarding the primary user credential to a second service of the plurality of services that would otherwise be accessible by a trusted device using the primary user credential.
Abstract
Authenticating a user to a first service to allow the user to access a resource provided by the first service. The resource is a protected resource requiring a general purpose credential (e.g. a user name and/or password) to access the resource. The method includes receiving at a second service, from the device, an ad-hoc credential. The ad-hoc credential is a credential that is particular to the device. The ad-hoc credential can be used to authenticate both the user and the device, but cannot be directly used as authentication at the first service for the user to access the resource. The method further includes, at the second service, substituting the general purpose credential for the ad-hoc credential and forwarding the general purpose credential to the first service. As such, the first service can provide the resource to the user at the device.
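The mechanism in claim 1 and the abstract is easiest to see as a small model of the gateway: the gateway holds a device-bound secondary (ad-hoc) credential, checks that it arrived from an associated device, checks that it is still valid, applies a per-service policy, and only then substitutes the primary credential toward the target service. The code below is an added illustration written for this page, not the patent's or any vendor's implementation; the class and method names (EnterpriseGateway, SecondaryCredential, issue, forward), the sample user "alice" and the device and service names are all constructed for the example. Internal services accept only the primary credential, so a secondary credential presented to a service directly is refused, and the primary secret never leaves the enterprise side.

```python
"""Model of a credential-substituting enterprise gateway (added example; names are assumptions)."""
from dataclasses import dataclass
import hashlib
import hmac
import secrets
import time


@dataclass
class SecondaryCredential:
    """Ad-hoc credential tied to a set of untrusted devices and to one primary user."""
    token_hash: bytes             # the gateway stores only a hash of the presented token
    primary_user: str             # primary credential this token is substituted with
    allowed_devices: frozenset    # restriction: devices that may present the token
    allowed_services: frozenset   # policy: subset of services reachable via the token
    expires_at: float
    revoked: bool = False


class EnterpriseService:
    """Internal service; it honours primary credentials only, never secondary ones."""

    def __init__(self, name: str, primary_credentials: dict):
        self.name = name
        self.primary_credentials = primary_credentials  # user -> expected primary secret

    def handle(self, user: str, credential: str) -> str:
        expected = self.primary_credentials.get(user)
        if expected is not None and hmac.compare_digest(expected, credential):
            return f"{self.name}: ok"
        return f"{self.name}: denied"


class EnterpriseGateway:
    def __init__(self, services: dict, primary_credentials: dict):
        self.services = services                        # name -> EnterpriseService
        self.primary_credentials = primary_credentials  # primary secrets stay inside the network
        self.secondary = {}                             # token_id -> SecondaryCredential

    def issue(self, primary_user, devices, services, ttl_seconds, now=None):
        """Create a secondary credential bound to `devices` and limited to `services`."""
        now = time.time() if now is None else now
        token_id = secrets.token_hex(8)
        token = secrets.token_urlsafe(32)
        self.secondary[token_id] = SecondaryCredential(
            token_hash=hashlib.sha256(token.encode()).digest(),
            primary_user=primary_user,
            allowed_devices=frozenset(devices),
            allowed_services=frozenset(services),
            expires_at=now + ttl_seconds,
        )
        return token_id, token

    def revoke(self, token_id):
        self.secondary[token_id].revoked = True

    def forward(self, device_id, token_id, token, service_name, now=None) -> str:
        """Verify device binding, validity and policy, then substitute the primary credential."""
        now = time.time() if now is None else now
        cred = self.secondary.get(token_id)
        if cred is None:
            return "denied: unknown secondary credential"
        # Step 1: the credential must come from a device it is associated with.
        if device_id not in cred.allowed_devices:
            return "denied: device not associated with credential"
        # Step 2: the credential must be valid (correct secret, unexpired, not revoked).
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(presented, cred.token_hash) or cred.revoked or now >= cred.expires_at:
            return "denied: secondary credential invalid"
        # Step 3: policy limits which services the untrusted device may reach at all.
        if service_name not in cred.allowed_services:
            return f"denied: policy blocks {service_name} for untrusted devices"
        # Step 4: substitute the primary credential and forward it to the permitted service.
        primary_secret = self.primary_credentials[cred.primary_user]
        return self.services[service_name].handle(cred.primary_user, primary_secret)


def demo():
    """Run the gateway against constructed sample inputs and return each outcome."""
    primary = {"alice": "alice-primary-secret"}  # constructed sample primary credential
    services = {n: EnterpriseService(n, primary) for n in ("mail", "payroll")}
    gw = EnterpriseGateway(services, primary)
    token_id, token = gw.issue("alice", devices={"phone-1"}, services={"mail"},
                               ttl_seconds=3600, now=1000.0)
    results = {
        "bound device, allowed service": gw.forward("phone-1", token_id, token, "mail", now=1500.0),
        "other device": gw.forward("laptop-9", token_id, token, "mail", now=1500.0),
        "blocked service": gw.forward("phone-1", token_id, token, "payroll", now=1500.0),
        "expired": gw.forward("phone-1", token_id, token, "mail", now=5000.0),
        "wrong token": gw.forward("phone-1", token_id, "x", "mail", now=1500.0),
        "secondary used directly at service": services["mail"].handle("alice", token),
    }
    gw.revoke(token_id)
    results["revoked"] = gw.forward("phone-1", token_id, token, "mail", now=1500.0)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The order of the checks matters for the claim's guarantees: the device-binding and validity checks fail closed before any primary credential is looked up, and the policy check ensures the primary credential is only ever forwarded to services the secondary credential is permitted to reach, so a device holding the secondary credential gains nothing toward "payroll" even though the same primary credential would open it from a trusted device.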
20 Claims
1. In a computing environment comprising one or more hardware processors, a method of authenticating an untrusted device to an enterprise service, the method comprising:

at an enterprise gateway service of an enterprise network, receiving from an untrusted device that is outside of the enterprise network a secondary user credential for access to a plurality of services within the enterprise network, wherein the secondary user credential is associated with the untrusted device and with a primary user credential and is indirectly usable for access to one or more of the plurality of services by the untrusted device, the primary user credential being directly usable for access to the plurality of services by trusted devices that are within the enterprise network, wherein the enterprise gateway service is configured to enforce one or more restrictions that allow the secondary user credential to be used with a particular set of untrusted devices that includes the untrusted device, while excluding use of the secondary user credential with one or more devices not in the particular set of untrusted devices, and wherein the enterprise gateway service is configured to enforce a policy that limits access that the untrusted device is granted to the plurality of services based on the secondary user credential having been used, as compared to access that the trusted devices would be granted to the plurality of services when using the primary user credential;

at the enterprise gateway service, verifying that the secondary user credential was received from the untrusted device that is associated with the secondary user credential;

at the enterprise gateway service, verifying that the secondary user credential is valid; and

at the enterprise gateway service, based on the secondary user credential having been received from the untrusted device that is associated with the secondary user credential and based on the secondary user credential being valid, substituting the primary user credential for the secondary user credential, and forwarding the primary user credential to a first service of the plurality of services for granting the untrusted device access to the first service based on use of the secondary user credential, while enforcing the policy by refraining from forwarding the primary user credential to a second service of the plurality of services that would otherwise be accessible by a trusted device using the primary user credential.

Dependent claims: 2, 3, 4, 5, 6.

7. A computer system for authenticating an untrusted device to an enterprise service, the computer system comprising:

one or more hardware processors; and one or more hardware storage devices having stored thereon computer-executable instructions that, when executed by the one or more hardware processors, cause the computer system to perform at least the following:

receive, from an untrusted device that is outside of an enterprise network, a secondary user credential for access to a plurality of services within the enterprise network, wherein the secondary user credential is associated with the untrusted device and with a primary user credential and is indirectly usable for access to one or more of the plurality of services by the untrusted device, the primary user credential being directly usable for access to the plurality of services by trusted devices that are within the enterprise network, wherein the enterprise gateway service is configured to enforce one or more restrictions that allow the secondary user credential to be used with a particular set of untrusted devices that includes the untrusted device, while excluding use of the secondary user credential with one or more devices not in the particular set of untrusted devices, and wherein the enterprise gateway service is configured to enforce a policy that limits access that the untrusted device is granted to the plurality of services based on the secondary user credential having been used, as compared to access that the trusted devices would be granted to the plurality of services when using the primary user credential;

verify that the secondary user credential was received from the untrusted device that is associated with the secondary user credential;

verify that the secondary user credential is valid; and

based on the secondary user credential having been received from the untrusted device that is associated with the secondary user credential and based on the secondary user credential being valid, substitute the primary user credential for the secondary user credential, and forward the primary user credential to a first service of the plurality of services for granting the untrusted device access to the first service based on use of the secondary user credential, while enforcing the policy by refraining from forwarding the primary user credential to a second service of the plurality of services that would otherwise be accessible by a trusted device using the primary user credential.

Dependent claims: 8, 9, 10, 11, 12, 13, 14.

15. One or more hardware storage devices having stored thereon computer executable instructions that, when executed by one or more processors, cause a computer system to perform at least the following:

at an enterprise gateway service of an enterprise network, receiving from an untrusted device that is outside of the enterprise network a secondary user credential for access to a plurality of services within the enterprise network, wherein the secondary user credential is associated with the untrusted device and with a primary user credential and is indirectly usable for access to one or more of the plurality of services by the untrusted device, the primary user credential being directly usable for access to the plurality of services by trusted devices that are within the enterprise network, wherein the enterprise gateway service is configured to enforce one or more restrictions that allow the secondary user credential to be used with a particular set of untrusted devices that includes the untrusted device, while excluding use of the secondary user credential with one or more devices not in the particular set of untrusted devices, and wherein the enterprise gateway service is configured to enforce a policy that limits access that the untrusted device is granted to the plurality of services based on the secondary user credential having been used, as compared to access that the trusted devices would be granted to the plurality of services when using the primary user credential;

at the enterprise gateway service, verifying that the secondary user credential was received from the untrusted device that is associated with the secondary user credential;

at the enterprise gateway service, verifying that the secondary user credential is valid; and

at the enterprise gateway service, based on the secondary user credential having been received from the untrusted device that is associated with the secondary user credential and based on the secondary user credential being valid, substituting the primary user credential for the secondary user credential and forwarding the primary user credential to a first service of the plurality of services for granting the untrusted device access to the first service based on use of the secondary user credential, while enforcing the policy by refraining from forwarding the primary user credential to a second service of the plurality of services that would otherwise be accessible by a trusted device using the primary user credential.

Dependent claims: 16, 17, 18, 19, 20.
Specification