Confidence-based authentication discovery for an outbound proxy
First Claim
1. A method of controlling access to a protected resource, comprising:
receiving a request to access a protected resource from a user not currently authenticated to access the protected resource;
in response, and without additional user input, performing a confidence-based authentication discovery operation having the following sub-steps:
initiating federated single sign-on (F-SSO) flow to each of one or more known and trusted identity providers with whom the user has previously authenticated;
receiving results from the one or more F-SSO flows, each result indicating whether an identity of the user as asserted in the F-SSO flow is recognized by the identity provider with whom the user has previously authenticated; and
analyzing information returned in the results from the one or more F-SSO flows to determine, based on generating a confidence score that an identity of the user matches an identity of a user that has previously authenticated to two or more known and trusted identity providers, whether the user is permitted to access the protected resource without authenticating using additional user input; and
permitting access to the protected resource without authenticating using additional user input based on the confidence score;
wherein at least one of the receiving, initiating, analyzing and permitting steps is carried out in software executing in a hardware element.
Abstract
A confidence-based authentication discovery scheme is implemented at a proxy. The scheme assumes that some level of unauthenticated browsing is allowed prior to enforcing authentication at the proxy. Once a known and trusted set of identity providers has been accessed and the user is required to authenticate at the proxy (e.g., as a result of policy), the proxy initiates Federated Single Sign-On (F-SSO) to one or more (or, preferably, all) known sites accessed by the browser. This F-SSO operation is performed seamlessly, preferably without the user's knowledge (after the user allows an initial trust decision between the proxy acting as a service provider and the external identity provider). The proxy collates the results and, based on the trust it has with those sites, produces a confidence score. That score is then used as input into policy around whether or not a user should be permitted to access a particular site.
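The collate-and-score step the abstract describes, as an added example (not code from the patent or its assignee): the proxy fans out F-SSO to the identity providers (IdPs) the browser has already visited, keeps only results it can attribute to a registered IdP, weights each by the trust it holds in that IdP, requires two or more IdPs to recognize the same identity (as claim 1 does), and hands the score to per-resource policy. Everything below the first line is an assumption for illustration: the IdP registry and its trust weights, the HMAC-signed result records standing in for signed SAML/OIDC assertions, the policy thresholds, the one-result-per-IdP rule, and the `make_result`/`verify_result`/`confidence_score`/`decide` names.

```python
"""Confidence-based authentication discovery at a proxy: a model of the scoring step.

Added example, not code from the patent. Assumptions (not from the patent):
F-SSO results are modelled as HMAC-signed records keyed per IdP, the trust
weights, the policy thresholds, and the rule that each IdP counts once.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Proxy-side registry of known and trusted IdPs: name -> (shared key, trust weight).
# Constructed for the example; a real proxy would hold the IdPs' signing
# certificates and verify SAML/OIDC assertion signatures instead of an HMAC.
TRUSTED_IDPS = {
    "idp.corp.example": (b"corp-key", 1.0),
    "idp.partner.example": (b"partner-key", 0.7),
    "social.example": (b"social-key", 0.3),
}

# Per-resource policy (assumed): path prefix -> minimum confidence to skip the prompt.
POLICY = {"/wiki/": 0.5, "/payroll/": 0.9}


@dataclass
class SsoResult:
    idp: str
    status: str             # "recognized", "not_recognized" or "unreachable"
    subject: Optional[str]  # identity the IdP asserts, when recognized
    sig: Optional[bytes]    # IdP's MAC over (idp, status, subject); None if unreachable


def _mac(idp: str, status: str, subject: Optional[str], key: bytes) -> bytes:
    msg = f"{idp}|{status}|{subject or ''}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def make_result(idp: str, status: str, subject: Optional[str] = None,
                key: Optional[bytes] = None) -> SsoResult:
    """Build a result as the IdP would return it. Passing `key` lets a test
    forge a result under the wrong key; an unreachable IdP returns nothing signed."""
    if status == "unreachable":
        return SsoResult(idp, status, None, None)
    key = key if key is not None else TRUSTED_IDPS[idp][0]
    return SsoResult(idp, status, subject, _mac(idp, status, subject, key))


def verify_result(r: SsoResult) -> bool:
    """Count a result only if it carries a valid MAC from a registered IdP."""
    if r.idp not in TRUSTED_IDPS or r.sig is None:
        return False
    key, _ = TRUSTED_IDPS[r.idp]
    return hmac.compare_digest(r.sig, _mac(r.idp, r.status, r.subject, key))


def confidence_score(results):
    """Return (score, subject).

    score = (sum of trust weights of IdPs recognizing the same subject)
            / (sum of trust weights of all registered IdPs)
    so an unreachable or silent IdP lowers confidence instead of being ignored.
    Following the claim, at least two IdPs must recognize the same subject;
    unverifiable results and repeated results from one IdP are not counted.
    """
    total_weight = sum(w for _, w in TRUSTED_IDPS.values())
    by_subject = {}
    seen = set()
    for r in results:
        if r.status == "unreachable" or not verify_result(r) or r.idp in seen:
            continue
        seen.add(r.idp)
        if r.status == "recognized" and r.subject:
            by_subject.setdefault(r.subject, []).append(TRUSTED_IDPS[r.idp][1])
    if not by_subject:
        return 0.0, None
    subject, weights = max(by_subject.items(), key=lambda kv: sum(kv[1]))
    if len(weights) < 2:
        return 0.0, None
    return sum(weights) / total_weight, subject


def decide(path: str, results):
    """Policy hook: skip the prompt if the score meets the resource's threshold;
    otherwise, or for a path with no policy entry, fall back to interactive login."""
    threshold = next((t for p, t in POLICY.items() if path.startswith(p)), None)
    if threshold is None:
        return "authenticate", None
    score, subject = confidence_score(results)
    if score >= threshold:
        return "allow", subject
    return "authenticate", None


if __name__ == "__main__":
    # Constructed sample: two IdPs recognize alice, the third does not know her.
    sample = [
        make_result("idp.corp.example", "recognized", "alice"),
        make_result("idp.partner.example", "recognized", "alice"),
        make_result("social.example", "not_recognized"),
    ]
    print(confidence_score(sample), decide("/wiki/home", sample), decide("/payroll/run", sample))
```

The checks a practitioner would want are in the scoring function rather than the policy: a result that is not signed by a registered IdP, a second result replayed from the same IdP, and two IdPs that recognize different subjects all score zero, and an unreachable high-trust IdP drags the score down because the denominator is the full trusted weight. Whether 0.85 is enough is then purely a per-resource policy decision, which is where the abstract places it.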
26 Claims
1. A method of controlling access to a protected resource, comprising the steps set out above under First Claim.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.
10. Apparatus to control access to a protected resource, comprising:
a processor;
computer memory holding computer program instructions executed by the processor to:
receive a request to access a protected resource from a user not currently authenticated to access the protected resource;
in response, and without additional user input, perform a confidence-based authentication discovery operation by:
initiating a federated single sign-on (F-SSO) flow to each of one or more known and trusted identity providers with whom the user has previously authenticated;
receiving results from the one or more F-SSO flows, each result indicating whether an identity of the user as asserted in the F-SSO flow is recognized by the identity provider with whom the user has previously authenticated; and
analyzing information returned in the results from the one or more F-SSO flows to determine, based on generating a confidence score that an identity of the user matches an identity of a user that has previously authenticated to two or more known and trusted identity providers, whether the user is permitted to access the protected resource without authenticating using additional user input; and
permit access to the protected resource without authenticating using additional user input based on the confidence score.
Dependent claims: 11, 12, 13, 14, 15, 16, 24, 25.
17. A computer program product in a non-transitory computer readable medium for use in a data processing system to control access to a resource, the computer program product holding computer program instructions which, when executed by the data processing system, perform a method comprising:
receiving a request to access a protected resource from a user not currently authenticated to access the protected resource;
in response, and without additional user input, performing a confidence-based authentication discovery operation having the following sub-steps:
initiating a federated single sign-on (F-SSO) flow to each of one or more known and trusted identity providers with whom the user has previously authenticated;
receiving results from the one or more F-SSO flows, each result indicating whether an identity of the user as asserted in the F-SSO flow is recognized by the identity provider with whom the user has previously authenticated; and
analyzing information returned in the results from the one or more F-SSO flows to determine, based on generating a confidence score that an identity of the user matches an identity of a user that has previously authenticated to two or more known and trusted identity providers, whether the user is permitted to access the protected resource without authenticating using additional user input; and
permitting access to the protected resource without authenticating using additional user input based on the confidence score.
Dependent claims: 18, 19, 20, 21, 22, 23, 26.
Specification