Context-based authentication of mobile devices
First Claim (CAFC)
1. A method comprising:
- storing, by an access control system, action control policies for a plurality of enterprises, wherein the access control system is external to each of the plurality of enterprises;
- storing, by the access control system, action control policies for the plurality of enterprises as a mapping from contexts of requests to the action control policies, each context specifying one or more attributes describing a request received from a client device, wherein the request is for an action performed by an application hosted by a software as a service (SaaS) hosting system, each action control policy identifying actions that the client device is allowed in a given context;
- receiving, by the access control system, from a first client device, a first request for interacting with the application hosted by the SaaS hosting system, the first request providing information describing a first context;
- identifying a first enterprise from the plurality of enterprises, the first enterprise associated with the first client device;
- determining, by the access control system, a first action control policy associated with the first enterprise for the first context based on the mapping, the first action control policy allowing a first set of actions supported by the application;
- sending information describing the first action control policy to the first client device for enforcement of the first action control policy by an agent executing on the first client device;
- receiving from a second client device, a second request for interacting with the application hosted by the SaaS hosting system, the second request providing information describing a second context;
- identifying a second enterprise from the plurality of enterprises, the second enterprise associated with the second client device;
- determining a second action control policy associated with the second enterprise for the second context based on the mapping, the second action control policy allowing a second set of actions supported by the application; and
- sending information describing the second action control policy to the second client device for enforcement of the second action control policy by the agent executing on the second client device.
Abstract
A system and method are disclosed for adaptive authentication. An access control system stores policies for an enterprise, where each policy specifies a type of access control. The type of access control includes one or more security rules, which may specify authentication procedures, allowable behaviors, or both. The access control system stores a mapping from contexts of requests to interact with applications and access control policies. When a user requests access to an application associated with the enterprise via a client, the access control system receives the context of the request. The access control system selects an access control policy for the context of the request. The access control system sends access control information from the access control policy selected to the client. The client interacts with the user to perform the authentication.
18 Claims
1. A method comprising: (set out in full under First Claim above)
   Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12
13. A system comprising:
- a computer processor; and
- a non-transitory computer readable storage medium storing computer program instructions, the instructions when executed by the computer processor causing the computer processor to perform steps comprising:
  - storing, by an access control system, action control policies for a plurality of enterprises, wherein the access control system is external to each of the plurality of enterprises;
  - storing action control policies for the plurality of enterprises as a mapping from contexts of requests to the action control policies, each context specifying one or more attributes describing a request received from a client device, wherein the request is for an action performed by an application hosted by a software as a service (SaaS) hosting system, each action control policy identifying actions that the client device is allowed in a given context;
  - receiving from a first client device, a first request for interacting with the application hosted by the SaaS hosting system, the first request providing information describing a first context;
  - identifying a first enterprise associated with the first client device based on the first request;
  - determining a first action control policy associated with the first enterprise for the first context based on the mapping, the first action control policy allowing a first set of actions supported by the application;
  - sending information describing the first action control policy to the first client device for enforcement of the first action control policy by an agent executing on the first client device;
  - receiving from a second client device, a second request for interacting with the application hosted by the SaaS hosting system, the second request providing information describing a second context;
  - identifying a second enterprise associated with the second client device based on the second request;
  - determining a second action control policy associated with the second enterprise for the second context based on the mapping, the second action control policy allowing a second set of actions supported by the application; and
  - sending information describing the second action control policy to the second client device for enforcement of the second action control policy by the agent executing on the second client device.
   Dependent claims: 14, 15, 16, 17

18. A non-transitory computer readable storage medium storing computer program instructions, the instructions when executed by a processor causing the processor to perform steps comprising:
- storing, by an access control system, action control policies for a plurality of enterprises, wherein the access control system is external to each of the plurality of enterprises;
- storing, by the access control system, action control policies for the plurality of enterprises as a mapping from contexts of requests to the action control policies, each context specifying one or more attributes describing a request received from a corresponding client device, wherein the request is for an action performed by an application hosted by a software as a service (SaaS) hosting system, each action control policy identifying actions that the client device is allowed in a given context;
- receiving, by the access control system, from a first client device, a first request for interacting with the application hosted by the SaaS hosting system, the first request providing information describing a first context;
- identifying a first enterprise from the plurality of enterprises, the first enterprise associated with the first client device;
- determining, by the access control system, a first action control policy associated with the first enterprise for the first context based on the mapping, the first action control policy allowing a first set of actions supported by the application;
- sending information describing the first action control policy to the first client device for enforcement of the first action control policy by an agent executing on the first client device;
- receiving from a second client device, a second request for interacting with the application hosted by the SaaS hosting system, the second request providing information describing a second context;
- identifying a second enterprise from the plurality of enterprises, the second enterprise associated with the second client device;
- determining a second action control policy associated with the second enterprise for the second context based on the mapping, the second action control policy allowing a second set of actions supported by the application; and
- sending information describing the second action control policy to the second client device for enforcement of the second action control policy by the agent executing on the second client device.
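The abstract and the independent claims describe one mechanism: a policy store that is external to every tenant enterprise, keyed by request context, which resolves a client device to its enterprise, picks the action control policy for that enterprise and context, and hands the policy to an agent on the device. The following Python sketch is an added illustration of that flow, not code from the patent or any product it covers. The tenant names, device ids, context attributes (`device_managed`, `network`), action names and authentication labels are all constructed for the example, and the "most specific matching rule wins" selection is an assumption; the patent does not say how the mapping is searched.

```python
"""Multi-tenant, context-keyed action control policy lookup (illustrative, constructed)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ActionControlPolicy:
    """Actions the client may perform in a context, plus the authentication the
    device agent must complete first (the abstract's 'security rules')."""
    name: str
    allowed_actions: frozenset
    required_auth: Tuple[str, ...]


# Fallback when no rule matches, or the device is not enrolled by any enterprise.
DENY_ALL = ActionControlPolicy("deny-all", frozenset(), ("reject",))


class AccessControlSystem:
    """Policy store operated outside the enterprises it serves (hypothetical design)."""

    def __init__(self) -> None:
        # enterprise -> list of (context attributes that must match, policy)
        self._policies: Dict[str, List[Tuple[Dict[str, object], ActionControlPolicy]]] = {}
        # device id -> enterprise that enrolled the device
        self._devices: Dict[str, str] = {}

    def register_device(self, device_id: str, enterprise: str) -> None:
        self._devices[device_id] = enterprise

    def add_policy(self, enterprise: str, match: Dict[str, object],
                   policy: ActionControlPolicy) -> None:
        self._policies.setdefault(enterprise, []).append((match, policy))

    def select_policy(self, enterprise: str, context: Dict[str, object]) -> ActionControlPolicy:
        """Only this enterprise's rules are consulted, so one tenant's context can
        never resolve to another tenant's policy. A rule matches when every
        attribute it names has the same value in the request context; the rule
        naming the most attributes wins, and a rule with no attributes acts as
        the enterprise default."""
        best: Optional[ActionControlPolicy] = None
        best_specificity = -1
        for match, policy in self._policies.get(enterprise, []):
            if all(context.get(key) == value for key, value in match.items()):
                if len(match) > best_specificity:
                    best, best_specificity = policy, len(match)
        return best if best is not None else DENY_ALL

    def handle_request(self, device_id: str, application: str,
                       context: Dict[str, object]) -> dict:
        """Resolve device -> enterprise -> policy and return what the agent enforces."""
        enterprise = self._devices.get(device_id)
        policy = DENY_ALL if enterprise is None else self.select_policy(enterprise, context)
        return {
            "application": application,
            "enterprise": enterprise,
            "policy": policy.name,
            "allowed_actions": sorted(policy.allowed_actions),
            "required_auth": list(policy.required_auth),
        }


def build_demo_system() -> AccessControlSystem:
    """Two constructed tenants with different policies for the same SaaS application."""
    acs = AccessControlSystem()
    acs.register_device("dev-A1", "acme")
    acs.register_device("dev-G1", "globex")
    acs.add_policy("acme", {},
                   ActionControlPolicy("acme-default", frozenset({"view"}), ("password",)))
    acs.add_policy("acme", {"device_managed": True, "network": "corporate"},
                   ActionControlPolicy("acme-trusted", frozenset({"view", "edit", "download"}),
                                       ("password",)))
    acs.add_policy("acme", {"device_managed": False},
                   ActionControlPolicy("acme-byod", frozenset({"view"}), ("password", "otp")))
    acs.add_policy("globex", {"device_managed": True},
                   ActionControlPolicy("globex-managed", frozenset({"view", "edit"}),
                                       ("certificate",)))
    return acs


if __name__ == "__main__":
    system = build_demo_system()
    ctx = {"device_managed": True, "network": "corporate"}
    # Same context, different enrolling enterprise: different policy is returned.
    print(system.handle_request("dev-A1", "docs", ctx))
    print(system.handle_request("dev-G1", "docs", ctx))
    print(system.handle_request("dev-unknown", "docs", ctx))
```

Two properties worth checking in a real deployment are visible here: an unenrolled device and an enterprise with no matching rule both fall through to `DENY_ALL` rather than to some other tenant's default, and the context attributes come from the client, so the enterprise's rules should weight attributes the access control system can corroborate (enrollment state, source network) more than ones the device merely asserts.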
Specification