System and method for pass-through authentication

US 9,450,944 B1
Filed: 10/14/2015
Issued: 09/20/2016
Est. Priority Date: 10/14/2015
Status: Active Grant

First Claim

Patent Images

1. A gateway device comprising a processor and a memory, the processor is configured to:

receive a login operation request from an external endpoint, the login operation request including a user identifier and user login credentials of a user;

construct an authentication request including the user identifier and the user login credentials;

transmit the authentication request to an internal directory service;

receive an authentication response from the internal directory service, the authentication response including an authentication identifier for the user;

store the authentication identifier in the memory without transmitting the authentication identifier to the external endpoint; and

initiate a resource operation with an internal resource, the resource operation including the gateway device authenticating as the user using the authentication identifier, the gateway device resides in an internal network, the endpoint resides in an external network separated from the internal network such that the endpoint is restricted from performing the authentication request directly with the directory service.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A gateway device comprising a processor and a memory, the processor is configured to receive a login operation request from an external endpoint, the login operation request including a user identifier and user login credentials of a user. The processor is also configured to construct an authentication request including the user identifier and the user login credentials and transmit the authentication request to an internal directory service. The processor is further configured to receive an authentication response from the internal directory service, the authentication response including an authentication identifier for the user, and store the authentication identifier in the memory, the authentication identifier for use by the processor in pass-through impersonation of the user.

105 Citations

View as Search Results

17 Claims

1. A gateway device comprising a processor and a memory, the processor is configured to:
- receive a login operation request from an external endpoint, the login operation request including a user identifier and user login credentials of a user;
  
  construct an authentication request including the user identifier and the user login credentials;
  
  transmit the authentication request to an internal directory service;
  
  receive an authentication response from the internal directory service, the authentication response including an authentication identifier for the user;
  
  store the authentication identifier in the memory without transmitting the authentication identifier to the external endpoint; and
  
  initiate a resource operation with an internal resource, the resource operation including the gateway device authenticating as the user using the authentication identifier, the gateway device resides in an internal network, the endpoint resides in an external network separated from the internal network such that the endpoint is restricted from performing the authentication request directly with the directory service.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The gateway device of claim 1, wherein the authentication identifier is a Ticket to Grant Tickets (TGT).
  - 3. The gateway device of claim 1, wherein the login operation request is an application program interface (API) message formatted as a hypertext transfer protocol (HTTP) representational state transfer (REST) message.
  - 4. The gateway device of claim 1, wherein the processor is further configured to:
    - generate an external token associated with the endpoint;
      
      associate the authentication identifier with the external token; and
      
      transmit the external token to the endpoint.
  - 5. The gateway device of claim 1, wherein the processor is further configured to:
    - authorize the user based on a secondary user system; and
      
      determine a role for the user based on the user identifier.
  - 6. The gateway device of claim 1, wherein the processor is further configured to:
    - receive a resource operation request from the endpoint; and
      
      retrieve the authentication identifier associated with the resource operation request from the memory.

7. A method for pass-through authentication, the method comprising:
- receiving a login operation request from an external endpoint, the login operation request including a user identifier and user login credentials of a user;
  
  constructing an authentication request including the user identifier and the user login credentials;
  
  transmitting the authentication request to an internal directory service;
  
  receiving an authentication response from the internal directory service, the authentication response including an authentication identifier for the user;
  
  storing the authentication identifier in a memory without transmitting the authentication identifier to the external endpoint; and
  
  initiating a resource operation with an internal resource, the resource operation including a gateway device authenticating as the user using the authentication identifier, the method is performed by the gateway device residing in an internal network, wherein the endpoint resides in an external network separated from the internal network such that the endpoint is restricted from performing the authentication request directly with the directory service.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The method of claim 7, wherein the authentication identifier is a Ticket to Grant Tickets (TGT).
  - 9. The method of claim 7, wherein the login operation request is an application program interface (API) message formatted as a hypertext transfer protocol (HTTP) representational state transfer (REST) message.
  - 10. The method of claim 7 further comprising:
    - generating an external token associated with the endpoint;
      
      associating the authentication identifier with the external token; and
      
      transmitting the external token to the endpoint.
  - 11. The method of claim 7 further comprising:
    - authorizing the user based on a secondary user system; and
      
      determining a role for the user based on the user identifier.
  - 12. The method of claim 7 further comprising:
    - receiving a resource operation request from the endpoint;
      
      retrieving the authentication identifier associated with the resource operation request from the memory.

13. A non-transitory machine-readable storage medium storing a set of instructions that, when executed by at least one processor, causes the at least one processor to perform operations comprising:
- receiving a login operation request from an external endpoint, the login operation request including a user identifier and user login credentials of a user;
  
  constructing an authentication request including the user identifier and the user login credentials;
  
  transmitting the authentication request to an internal directory service;
  
  receiving an authentication response from the internal directory service, the authentication response including an authentication identifier for the user;
  
  storing the authentication identifier in a memory without transmitting the authentication identifier to the external endpoint; and
  
  initiating a resource operation with an internal resource, the resource operation including a gateway device authenticating as the user using the authentication identifier, the at least one processor is a part of the gateway device residing in an internal network, wherein the endpoint resides in an external network separated from the internal network such that the endpoint is restricted from performing the authentication request directly with the directory service.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The machine-readable medium of claim 13, wherein the authentication identifier is a Ticket to Grant Tickets (TGT), wherein the login operation request is an application program interface (API) message formatted as a hypertext transfer protocol (HTTP) representational state transfer (REST) message.
  - 15. The machine-readable medium of claim 13, the operations further comprising:
    - generating an external token associated with the endpoint;
      
      associating the authentication identifier with the external token; and
      
      transmitting the external token to the endpoint.
  - 16. The machine-readable medium of claim 13, the operations further comprising:
    - authorizing the user based on a secondary user system; and
      
      determining a role for the user based on the user identifier.
  - 17. The machine-readable medium of claim 13, the operations further comprising:
    - receiving a resource operation request from the endpoint;
      
      retrieving the authentication identifier associated with the resource operation request from the memory.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
FullArmor Corporation
Original Assignee
FullArmor Corporation
Inventors
Sousley, Matthew Randall, Davis, Charles A., Kim, Danny
Primary Examiner(s)
Chang, Kenneth

Application Number

US14/882,988
Time in Patent Office

342 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/335   for accessing specific reso...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 67/02   based on web technology, e....

System and method for pass-through authentication

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

105 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for pass-through authentication

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

105 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links