Automatic detection of authentication methods by a gateway

US 9,794,227 B2
Filed: 03/07/2014
Issued: 10/17/2017
Est. Priority Date: 03/07/2014
Status: Active Grant

First Claim

Patent Images

1. A method for implementing an authentication mechanism at a gateway comprising:

receiving a request for a first resource and a request for a second resource at the gateway;

analyzing, at the gateway, each of the request for the first resource and the request for the second resource for an indication that the first resource or the second resource requires authentication, wherein analyzing the request is performed without comparing the first resource or the second resource to a list of resources;

when the request for the first resource is determined at the gateway to contain an indication that the first resource requires authentication, thenaccessing an authentication rules database to identify an authentication process associated with the indication that the first resource requires authentication,executing the authentication process associated with the indication that the first resource requires authentication, andforwarding from the gateway the request to the first resource following the execution of the authentication process;

when the request for the second resource is determined at the gateway to contain an indication that the second resource requires authentication, thenaccessing the authentication rules database to identify an authentication process associated with the indication that the second resource requires authentication,executing the authentication process associated with the indication that the second resource requires authentication, andforwarding from the gateway the request to the first resource following the execution of the authentication process; and

when the request for the first resource is determined at the gateway not to contain the indication that the first resource requires authentication, then forwarding from the gateway the request to the first resource without execution of the authentication process; and

wherein the preceding steps are performed by at least one processor.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed herein is a system and method for allowing access to secure resources through a gateway without having to pre-configure the gateway with each specific URL that access is to be granted as well as maintaining the list of resources that are exposed. The gateway is configured to take incoming requests from client devices, such as the URL, and determine from the URL itself what type of authentication is required to gain access to the resource as opposed to comparing the URL with a managed list of URL'"'"'s. Once the authentication process is identified by the gateway that process is implemented. The gateway analyzes the responses from the resources that may include denials or user authentication requests from the resource to determine the authentication process to use to gain access to the resource. Once authenticated the communications traffic between the client/user and the resource is permitted through the gateway.

Citations

18 Claims

1. A method for implementing an authentication mechanism at a gateway comprising:
- receiving a request for a first resource and a request for a second resource at the gateway;
  
  analyzing, at the gateway, each of the request for the first resource and the request for the second resource for an indication that the first resource or the second resource requires authentication, wherein analyzing the request is performed without comparing the first resource or the second resource to a list of resources;
  
  when the request for the first resource is determined at the gateway to contain an indication that the first resource requires authentication, thenaccessing an authentication rules database to identify an authentication process associated with the indication that the first resource requires authentication,executing the authentication process associated with the indication that the first resource requires authentication, andforwarding from the gateway the request to the first resource following the execution of the authentication process;
  
  when the request for the second resource is determined at the gateway to contain an indication that the second resource requires authentication, thenaccessing the authentication rules database to identify an authentication process associated with the indication that the second resource requires authentication,executing the authentication process associated with the indication that the second resource requires authentication, andforwarding from the gateway the request to the first resource following the execution of the authentication process; and
  
  when the request for the first resource is determined at the gateway not to contain the indication that the first resource requires authentication, then forwarding from the gateway the request to the first resource without execution of the authentication process; and
  
  wherein the preceding steps are performed by at least one processor.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 wherein executing the authentication process further comprises:
    - redirecting the client device to an authentication service for authentication.
  - 3. The method of claim 2 wherein the authentication service is located on a non-secure side of the gateway.
  - 4. The method of claim 2 wherein the authentication service is located on a secure side of the gateway.
  - 5. The method of claim 1 wherein each request includes a header and the indication comprises a portion of the header.
  - 6. The method of claim 1 further comprising:
    - receiving a response from the first resource indicating that authentication is required, the response having a second indication indicating a type of authentication required by the first resource;
      
      accessing the authentication rules database to identify a second authentication process associated with the second indication from the plurality of different authentication processes; and
      
      executing the second authentication process.
  - 7. The method of claim 6 wherein executing the second authentication process further comprises:
    - querying by the gateway the client device for information required to authenticate the client device;
      
      receiving from the client device the information;
      
      forwarding the received information from the client device to an authentication service; and
      
      receiving from the authentication service an authentication token.
  - 8. The method of claim 6 wherein executing the second authentication process further comprises:
    - redirecting the client device to an authentication service; and
      
      receiving from the client device an authentication token.
  - 9. The method of claim 1 wherein prior to forwarding the request to the first resource, further comprising:
    - receiving a second request from the client device, the second request including an authentication token obtained from the authentication process.

10. A system for controlling access from a client device to a resource comprising:
- at least one processor and at least one memory;
  
  a rules database storing at least two different authentication processes; and
  
  a gateway separating a first network from a second network, the gateway configured to receive requests from the client device on the first network for a first resource and a second resource on the second network and to select an authentication process from the rules database for each of the first resource and the second resource based on at least a portion of each request, andthe gateway configured to analyze each request without comparing each resource to a list of resources, wherein the at least a portion of each request indicates that each of the first resource and the second resource on the second network requires authentication.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The system of claim 10 wherein the gateway is a proxy server.
  - 12. The system of claim 10 wherein the gateway is a firewall.
  - 13. The system of claim 10 further comprising:
    - a rules component configured to select the authentication process from each request from the at least two different authentication processes and to provide the authentication process to the gateway.
  - 14. The system of claim 10 wherein the gateway is further configured to:
    - analyze a response received from each resource to select the authentication process based on at least a portion of the response.
  - 15. The system of claim 10 wherein the authentication process instructs the gateway to impersonate an authentication service by eliciting responses from the client device that correspond to the process used by the impersonated authentication service and to provide those responses to the authentication service.
  - 16. The system of claim 10 wherein the authentication process instructs the gateway to redirect the client device to an authentication service.
  - 17. The system of claim 10 further comprising:
    - at least two different authentication services, each of the at least two authentication services configured to generate a different type of authentication.

18. A computer readable storage device having computer executable instructions that when executed cause at least one computing device to:
- receive requests for at least two different resources disposed on a second network from a client device disposed on a first network, each request having a corresponding resource of the at least two resources;
  
  analyze each request for the at least two different resources to determine if each of the requests contains an indication that the at least two different resources require authentication, wherein analyzing the requests is performed without comparing the at least two different resources requested to a list of resources;
  
  when the requests for the at least two different resources are determined at a gateway to contain the indications that the at least two different resources require authentication, thenaccess an authentication rules database having a plurality of different authentication processes to identify an authentication process associated with each indication, andexecute the authentication process associated with each indication for each of the requests; and
  
  when the requests for the at least two different resources are determined at the gateway not to contain the indications that the at least two different resources require authentication, then forward each of the requests to the corresponding resources following the execution of the identified authentication process.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Laivand, Sharon, Mendelovich, Meir, Kariv, Shai, Dolev, Ran
Primary Examiner(s)
Korsak, Oleg

Application Number

US14/201,780
Publication Number

US 20150256514A1
Time in Patent Office

1,320 Days
Field of Search

726 3
US Class Current
CPC Class Codes

H04L 63/0281   Proxies

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0884   by delegation of authentica...

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

Automatic detection of authentication methods by a gateway

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Automatic detection of authentication methods by a gateway

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links