Using an out-of-band password to provide enhanced SSO functionality
First Claim
1. A method for using an out-of-band password to provide enhanced SSO functionality, the method comprising:
a processor of a computer system receiving notice of a user's access request from an Identity Provider (IDP) of a Federated Single Sign-On (F-SSO) federation, wherein the access request requests access to a service provided by a Service Provider (SP) of the federation, and wherein the federation does not support Single Sign-On functionality for that service;
the processor, in response to receiving the notice, identifying and validating the user;
the processor sending a temporary password to the user, wherein the temporary password is subject to constraints selected from a group consisting of:
limiting the temporary password to a certain number of uses, limiting the temporary password to use during a single session of the secured service, limiting the temporary password to use during a specified period of time, limiting the temporary password to use during a specified period of time after the first use of the temporary password, and requiring the user to perform an additional authentication procedure when entering the temporary password;
the processor updating an information repository with a value of the temporary password;
the processor detecting that the user has entered a correct value of the temporary password;
the processor generating a single-use password; and
the processor communicating the single-use password to the user, such that the user may use the single-use password to access the service, and wherein the in-band communication is a secure communication that is communicated through a medium under control of the Service Provider to a device under control of the Service Provider.
Abstract
A system and method for using a single-use password to add SSO functionality to a service of a Service Provider belonging to an F-SSO federation that does not support F-SSO functionality for the service. In response to receiving notification from an Identity Provider that a user has requested access to the service, the Service Provider uses information provided by the Identity Provider to identify and authenticate the user, and then uses standard API calls to create and send a temporary password to the user. This password may be created as a function of the user's physical location or IP address and may be communicated out-of-band. Upon determining that the user has correctly returned the temporary password to the Service Provider, the Service Provider generates and sends the user a strong single-use password through a secure in-band communication, through which the user may access the service.
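The Service Provider side of the flow the abstract and claim 1 describe, as an added illustration that is not code from the patent: the IdP notice is validated, a short temporary password is issued for out-of-band delivery and only its hash is stored in the repository, the use-count, time-window and single-session constraints from the claim's group are enforced on every attempt, and a correct entry yields a strong single-use password that is accepted exactly once. The `notice` dict, the issuer name `idp.example` and the in-memory repository are assumptions standing in for a real federation assertion and datastore.

```python
from __future__ import annotations
import hashlib, hmac, secrets
from dataclasses import dataclass
@dataclass
class TempPolicy:  # the claim's group of constraints on the temporary password
    max_uses: int = 1              # limited to a certain number of uses (attempts count)
    ttl: float = 300.0             # limited to a specified period of time, in seconds
    session_id: str | None = None  # limited to a single session of the secured service

@dataclass
class TempRecord:
    digest: bytes                  # only a hash of the temporary password is stored
    issued_at: float
    policy: TempPolicy
    uses: int = 0

def _h(s: str) -> bytes:
    return hashlib.sha256(s.encode()).digest()

class ServiceProvider:
    def __init__(self) -> None:
        self.repo: dict[str, TempRecord] = {}  # the claim's "information repository"
        self.pending: dict[str, bytes] = {}    # single-use passwords awaiting redemption

    def on_idp_notice(self, notice: dict, now: float, policy: TempPolicy) -> str:
        # Identify/validate the user; `notice` stands in for a parsed assertion, "idp.example" is hypothetical.
        if notice.get("issuer") != "idp.example" or not notice.get("subject"):
            raise PermissionError("notice not from the federation's IdP or missing subject")
        temp = secrets.token_urlsafe(6)        # short code suited to SMS/voice delivery
        self.repo[notice["subject"]] = TempRecord(_h(temp), now, policy)
        return temp                            # caller delivers this out of band

    def verify_temp(self, user: str, candidate: str, now: float, session_id: str | None = None) -> str | None:
        rec = self.repo.get(user)
        if rec is None:
            return None
        rec.uses += 1                          # every attempt counts, right or wrong
        p, expired = rec.policy, now - rec.issued_at > rec.policy.ttl
        ok = (not expired and rec.uses <= p.max_uses and p.session_id in (None, session_id)
              and hmac.compare_digest(rec.digest, _h(candidate)))
        if expired or rec.uses >= p.max_uses:
            del self.repo[user]                # expired or exhausted: removed regardless of outcome
        strong = secrets.token_urlsafe(32) if ok else None  # strong single-use password, sent in band
        if ok:
            self.pending[user] = _h(strong)
        return strong

    def redeem_single_use(self, user: str, candidate: str) -> bool:
        digest = self.pending.pop(user, None)  # pop: accepted exactly once
        return digest is not None and hmac.compare_digest(digest, _h(candidate))
```

Counting wrong attempts against the use limit is what keeps a short out-of-band code from being guessable; the single-use password can be long because it travels in band.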
17 Claims
1. A method for using an out-of-band password to provide enhanced SSO functionality, the method comprising:
a processor of a computer system receiving notice of a user's access request from an Identity Provider (IDP) of a Federated Single Sign-On (F-SSO) federation, wherein the access request requests access to a service provided by a Service Provider (SP) of the federation, and wherein the federation does not support Single Sign-On functionality for that service;
the processor, in response to receiving the notice, identifying and validating the user;
the processor sending a temporary password to the user, wherein the temporary password is subject to constraints selected from a group consisting of:
limiting the temporary password to a certain number of uses, limiting the temporary password to use during a single session of the secured service, limiting the temporary password to use during a specified period of time, limiting the temporary password to use during a specified period of time after the first use of the temporary password, and requiring the user to perform an additional authentication procedure when entering the temporary password;
the processor updating an information repository with a value of the temporary password;
the processor detecting that the user has entered a correct value of the temporary password;
the processor generating a single-use password; and
the processor communicating the single-use password to the user, such that the user may use the single-use password to access the service, and wherein the in-band communication is a secure communication that is communicated through a medium under control of the Service Provider to a device under control of the Service Provider.
Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. A system for using an out-of-band password to provide enhanced SSO functionality comprising a processor, a memory coupled to the processor, and a computer-readable hardware storage device coupled to the processor, the storage device containing program code configured to be run by the processor via the memory to implement a method for using an out-of-band password to provide enhanced SSO functionality, the method comprising:
the processor receiving notice of a user's access request from an Identity Provider (IDP) of a Federated Single Sign-On (F-SSO) federation, wherein the access request requests access to a service provided by a Service Provider (SP) of the federation, and wherein the federation does not support Single Sign-On functionality for that service;
the processor, in response to receiving the notice, identifying and validating the user;
the processor sending a temporary password to the user, wherein the temporary password is subject to constraints selected from a group consisting of:
limiting the temporary password to a certain number of uses, limiting the temporary password to use during a single session of the secured service, limiting the temporary password to use during a specified period of time, limiting the temporary password to use during a specified period of time after the first use of the temporary password, and requiring the user to perform an additional authentication procedure when entering the temporary password;
the processor updating an information repository with a value of the temporary password;
the processor detecting that the user has entered a correct value of the temporary password;
the processor generating a single-use password; and
the processor communicating the single-use password to the user, such that the user may use the single-use password to access the service, and wherein the in-band communication is a secure communication that is communicated through a medium under control of the Service Provider to a device under control of the Service Provider.
Dependent claims: 10, 11, 12, 13.
14. A computer program product, comprising a computer-readable hardware storage device having a computer-readable program code stored therein, the program code configured to be executed by a system comprising a processor, a memory coupled to the processor, and a computer-readable hardware storage device coupled to the processor, the storage device containing program code configured to be run by the processor via the memory to implement a method for using an out-of-band password to provide enhanced SSO functionality, the method comprising:
the processor receiving notice of a user's access request from an Identity Provider (IDP) of a Federated Single Sign-On (F-SSO) federation, wherein the access request requests access to a service provided by a Service Provider (SP) of the federation, and wherein the federation does not support Single Sign-On functionality for that service;
the processor, in response to receiving the notice, identifying and validating the user;
the processor sending a temporary password to the user, wherein the temporary password is subject to constraints selected from a group consisting of:
limiting the temporary password to a certain number of uses, limiting the temporary password to use during a single session of the secured service, limiting the temporary password to use during a specified period of time, limiting the temporary password to use during a specified period of time after the first use of the temporary password, and requiring the user to perform an additional authentication procedure when entering the temporary password;
the processor updating an information repository with a value of the temporary password;
the processor detecting that the user has entered a correct value of the temporary password;
the processor generating a single-use password; and
the processor communicating the single-use password to the user, such that the user may use the single-use password to access the service, and wherein the in-band communication is a secure communication that is communicated through a medium under control of the Service Provider to a device under control of the Service Provider.
Dependent claims: 15, 16, 17.