Context based conditional access for cloud services

US 9,749,331 B1
Filed: 05/03/2012
Issued: 08/29/2017
Est. Priority Date: 05/03/2011
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving a first authentication factor for a user in a single sign-on system, the single sign-on system to provide access to a plurality of cloud services;

receiving, from a user device over a network, a request to access a cloud service of the plurality of cloud services, the user having a plurality of user accounts for the cloud service, wherein each user account has independent access credentials associated with the account;

determining a context of the request to include a type of information to be sent to or received from the cloud service as a result of the request;

comparing, by a processing device, the context of the request to an access policy for the single sign-on system;

automatically determining a first user account of the plurality of user accounts for the cloud service based on the context of the request and the access policy; and

granting the user conditional access to the cloud service using the associated access credential for the first user account,wherein granting conditional access comprises requesting a second authentication factor for the user before granting full access to the cloud service.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A cloud service access and information gateway receives a first authentication factor for a user in a single sign-on system. The single sign-on system provides access to a plurality of cloud services. The gateway receives, from a user device, a request to access a cloud service of the plurality of cloud services. The gateway compares a context of the request to an access policy for the single sign-on system and grants conditional access to the cloud service based on the access policy.

69 Citations

View as Search Results

21 Claims

1. A method comprising:
- receiving a first authentication factor for a user in a single sign-on system, the single sign-on system to provide access to a plurality of cloud services;
  
  receiving, from a user device over a network, a request to access a cloud service of the plurality of cloud services, the user having a plurality of user accounts for the cloud service, wherein each user account has independent access credentials associated with the account;
  
  determining a context of the request to include a type of information to be sent to or received from the cloud service as a result of the request;
  
  comparing, by a processing device, the context of the request to an access policy for the single sign-on system;
  
  automatically determining a first user account of the plurality of user accounts for the cloud service based on the context of the request and the access policy; and
  
  granting the user conditional access to the cloud service using the associated access credential for the first user account,wherein granting conditional access comprises requesting a second authentication factor for the user before granting full access to the cloud service.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the second authentication factor comprises at least one of a password, a pin, a pattern, a security token, a one-time password, or a biometric.
  - 3. The method of claim 1, wherein the second authentication factor is requested in response to a request from the user device for confidential information from the cloud service.
  - 4. The method of claim 1, wherein the plurality of user accounts comprises a personal account and a corporate account, both associated with the user.
  - 5. The method of claim 1, wherein the context of the request is further determined to comprise an identity of the user, a type of the user device, a type of network over which the request is received, or a type of information requested from the cloud service.
  - 6. The method of claim 1, wherein a cloud service access and information gateway determines the context of the request and compares the context to the access policy.
  - 7. The method of claim 1, wherein the access policy specifies whether to request a second authentication factor and which of a plurality of user accounts to use based on the context of the request.

8. A system, comprising:
- a memory; and
  
  a processing device coupled with the memory to;
  
  receive a first authentication factor for a user in a single sign-on system, the single sign-on system to provide access to a plurality of cloud services;
  
  receive, from a user device over a network, a request to access a cloud service of the plurality of cloud services, the user having a plurality of user accounts for the cloud service, wherein each user account has independent access credentials associated with the account;
  
  determine a context of the request to include a type of information to be sent to or received from the cloud service as a result of the request;
  
  compare the context of the request to an access policy for the single sign-on system;
  
  automatically determine a first user account of the plurality of user accounts for the cloud service based on the context of the request and the access policy; and
  
  grant the user conditional access to the cloud service using the associated access credential for the first user account,wherein granting conditional access comprises requesting a second authentication factor for the user before granting full access to the cloud service.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein the second authentication factor comprises at least one of a password, a pin, a pattern, a security token, a one-time password, or a biometric.
  - 10. The system of claim 8, wherein the second authentication factor is requested in response to a request from the user device for confidential information from the cloud service.
  - 11. The system of claim 8, wherein the plurality of user accounts comprises a personal account and a corporate account, both associated with the user.
  - 12. The system of claim 8, wherein the context of the request is further determined to comprise an identity of the user, a type of the user device, a type of network over which the request is received, or a type of information requested from the cloud service.
  - 13. The system of claim 8, wherein a cloud service access and information gateway determines the context of the request and compares the context to the access policy.
  - 14. The system of claim 8, wherein the access policy specifies whether to request a second authentication factor and which of a plurality of user accounts to use based on the context of the request.

15. A non-transitory computer readable storage medium including instructions that, when executed by a processor, cause the processor to perform operations comprising:
- receiving a first authentication factor for a user in a single sign-on system, the single sign-on system to provide access to a plurality of cloud services;
  
  receiving, from a user device over a network, a request to access a cloud service of the plurality of cloud services, the user having a plurality of user accounts for the cloud service, wherein each user account has independent access credentials associated with the account;
  
  determining a context of the request to include a type of information to be sent to or received from the cloud service as a result of the request;
  
  comparing, by a processing device, the context of the request to an access policy for the single sign-on system;
  
  automatically determining a first user account of the plurality of user accounts for the cloud service based on the context of the request and the access policy; and
  
  granting the user conditional access to the cloud service using the associated access credential for the first user account,wherein granting conditional access comprises requesting a second authentication factor for the user before granting full access to the cloud service.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The non-transitory computer readable storage medium of claim 15, wherein the second authentication factor comprises at least one of a password, a pin, a pattern, a security token, a one-time password, or a biometric.
  - 17. The non-transitory computer readable storage medium of claim 15, wherein the second authentication factor is requested in response to a request from the user device for confidential information from the cloud service.
  - 18. The non-transitory computer readable storage medium of claim 15, wherein the plurality of user accounts comprises a personal account and a corporate account, both associated with the user.
  - 19. The non-transitory computer readable storage medium of claim 15, wherein the context of the request is further determined to comprise an identity of the user, a type of the user device, a type of network over which the request is received, or a type of information requested from the cloud service.
  - 20. The non-transitory computer readable storage medium of claim 15, wherein a cloud service access and information gateway determines the context of the request and compares the context to the access policy.
  - 21. The non-transitory computer readable storage medium of claim 15, wherein the access policy specifies whether to request a second authentication factor and which of a plurality of user accounts to use based on the context of the request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Koeten, Robert, Popp, Nicolas
Primary Examiner(s)
Desrosiers, Evans

Application Number

US13/463,672
Time in Patent Office

1,944 Days
Field of Search

726 1, 713168
US Class Current
CPC Class Codes

G06F 21/41   where a single sign-on prov...

G06F 21/45   Structures or tools for the...

G06F 21/51   at application loading time...

G06F 21/54   by adding security routines...

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2141   Access rights, e.g. capabil...

H04L 41/022   Multivendor or multi-standa...

H04L 41/0226   Mapping or translating mult...

H04L 41/0253   using browsers or web-pages...

H04L 41/22   comprising specially adapte...

H04L 41/28   Restricting access to netwo...

H04L 63/0815   providing single-sign-on or...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

H04L 67/10   in which an application is ...

H04L 67/30   Profiles

Context based conditional access for cloud services

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

69 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Context based conditional access for cloud services

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

69 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links