Using an out-of-band password to provide enhanced SSO functionality

US 9,807,087 B2
Filed: 11/24/2015
Issued: 10/31/2017
Est. Priority Date: 11/24/2015
Status: Active Grant

First Claim

Patent Images

1. A method for using an out-of-band password to provide enhanced SSO functionality, the method comprising:

a processor of a computer system receiving notice of a user'"'"'s access request from an Identity Provider (IDP) of a Federated Single Sign-On (F-SSO) federation, wherein the access request requests access to a service provided by a Service Provider (SP) of the federation, and wherein the federation does not support Single Sign-On functionality for that service;

the processor, in response to receiving the notice, identifying and validating the user;

the processor sending a temporary password to the user, wherein the temporary password is subject to constraints selected from a group consisting of;

limiting the temporary password to a certain number of uses, limiting the temporary password to use during a single session of the secured service, limiting the temporary password to use during a specified period of time, limiting the temporary password to use during a specified period of time after the first use of the temporary password, and requiring the user to perform an additional authentication procedure when entering the temporary password;

the processor updating an information repository with a value of the temporary password;

the processor detecting that the user has entered a correct value of the temporary password;

the processor generating a single-use password; and

the processor communicating the single-use password to the user, such that the user may use the single-use password to access the service, and wherein the in-band communication is a secure communication that is communicated through a medium under control of the Service Provider to a device under control of the Service Provider.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for using a single-use password to add SSO functionality to a service of a Service Provider belonging to an F-SSO federation that does not support F-SSO functionality for the service. In response to receiving notification from an Identity Provider that a user has requested access to the service, the Service Provider uses information provided by the Identity Provider to identify and authenticate the user, and then uses standard API calls to create and send a temporary password to the user. This password may be created as a function of the user'"'"'s physical location or IP address and may be communicated out-of-band. Upon determining that the user has correctly returned the temporary password to the Service Provider, the Service Provider generates and sends the user a strong single-use password through a secure in-band communication, through which the user may access the service.

Citations

17 Claims

1. A method for using an out-of-band password to provide enhanced SSO functionality, the method comprising:
- a processor of a computer system receiving notice of a user'"'"'s access request from an Identity Provider (IDP) of a Federated Single Sign-On (F-SSO) federation, wherein the access request requests access to a service provided by a Service Provider (SP) of the federation, and wherein the federation does not support Single Sign-On functionality for that service;
  
  the processor, in response to receiving the notice, identifying and validating the user;
  
  the processor sending a temporary password to the user, wherein the temporary password is subject to constraints selected from a group consisting of;
  
  limiting the temporary password to a certain number of uses, limiting the temporary password to use during a single session of the secured service, limiting the temporary password to use during a specified period of time, limiting the temporary password to use during a specified period of time after the first use of the temporary password, and requiring the user to perform an additional authentication procedure when entering the temporary password;
  
  the processor updating an information repository with a value of the temporary password;
  
  the processor detecting that the user has entered a correct value of the temporary password;
  
  the processor generating a single-use password; and
  
  the processor communicating the single-use password to the user, such that the user may use the single-use password to access the service, and wherein the in-band communication is a secure communication that is communicated through a medium under control of the Service Provider to a device under control of the Service Provider.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the temporary password is communicated through an out-of-band communications method.
  - 3. The method of claim 2, where the out-of-band communication method comprises a communication sent to a destination that is not part of the F-SSO federation and that is not under control of the Service Provider, and where the out-of-band communication is selected from a group consisting of:
    - a voice message;
      
      a fax;
      
      an SMS text message;
      
      an email message;
      
      a communication to a social-media service;
      
      an instant message; and
      
      a communication sent through the Internet to a software program running on a device that is accessible to the user.
  - 4. The method of claim 1, wherein the identifying and validating the user comprises:
    - the processor, in response to the receiving notice, requesting that the IDP identify and authenticate the user;
      
      the processor redirecting the user to a portal under control of the IDP;
      
      the processor receiving authentication data from the IDP, andthe processor redirecting the user to a portal under control of the SP.
  - 5. The method of claim 1, further comprising:
    - the processor storing a copy of the temporary password in an enterprise directory under control of the SP;
      
      the processor, upon receiving from the user the response to the sending, wherein the response is a password entered by the user, attempting to match the entered password with the password stored in the enterprise directory; and
      
      the processor, deeming the user to have been identified and authenticated as a result of having successfully matched the entered password to the stored password.
  - 6. The method of claim 1, wherein the Service Provider is an Information as a Service cloud-service provider, the service is a cloud-based service deployed and controlled by the Service Provider on cloud infrastructure under control of the Service Provider, and the IDP is a client of the Service Provider that controls an application deployed on cloud infrastructure under control of the Service Provider.
  - 7. The method of claim 1, further comprising:
    - the processor selecting the temporary password as a function of the user'"'"'s location, wherein the user'"'"'s location comprises an Internet Protocol address of a device by which the user entered the sign-on request.
  - 8. The method of claim 1, further comprising providing at least one support service for at least one of creating, integrating, hosting, maintaining, and deploying computer-readable program code in the computer system, wherein the computer-readable program code in combination with the computer system is configured to implement the receiving, identifying, validating, sending, updating, detecting, generating, and communicating.

9. A system for using an out-of-band password to provide enhanced SSO functionality comprising a processor, a memory coupled to the processor, and a computer-readable hardware storage device coupled to the processor, the storage device containing program code configured to be run by the processor via the memory to implement a method for using an out-of-band password to provide enhanced SSO functionality, the method comprising:
- the processor receiving notice of a user'"'"'s access request from an Identity Provider (IDP) of a Federated Single Sign-On (F-SSO) federation, wherein the access request requests access to a service provided by a Service Provider (SP) of the federation, and wherein the federation does not support Single Sign-On functionality for that service;
  
  the processor, in response to receiving the notice, identifying and validating the user;
  
  the processor sending a temporary password to the user, wherein the temporary password is subject to constraints selected from a group consisting of;
  
  limiting the temporary password to a certain number of uses, limiting the temporary password to use during a single session of the secured service, limiting the temporary password to use during a specified period of time, limiting the temporary password to use during a specified period of time after the first use of the temporary password, and requiring the user to perform an additional authentication procedure when entering the temporary password;
  
  the processor updating an information repository with a value of the temporary password;
  
  the processor detecting that the user has entered a correct value of the temporary password;
  
  the processor generating a single-use password; and
  
  the processor communicating the single-use password to the user, such that the user may use the single-use password to access the service, and wherein the in-band communication is a secure communication that is communicated through a medium under control of the Service Provider to a device under control of the Service Provider.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The system of claim 9, where the temporary password is communicated through an out-of-band communications method that comprises a communication sent to a destination that is not part of the F-SSO federation and that is not under control of the Service Provider, and where the out-of-band communication is selected from a group consisting of:
    - a voice message;
      
      a fax;
      
      an SMS text message;
      
      an email message;
      
      a communication to a social-media service;
      
      an instant message; and
      
      a communication sent through the Internet to a software program running on a device that is accessible to the user.
  - 11. The system of claim 9, wherein the identifying and validating the user comprises:
    - the processor, in response to the receiving notice, requesting that the IDP identify and authenticate the user;
      
      the processor redirecting the user to a portal under control of the IDP;
      
      the processor receiving authentication data from the IDP, andthe processor redirecting the user to a portal under control of the SP.
  - 12. The system of claim 9, further comprising:
    - the processor storing a copy of the temporary password in an enterprise directory under control of the SP;
      
      the processor, upon receiving from the user the response to the sending, wherein the response is a password entered by the user, attempting to match the entered password with the password stored in the enterprise directory; and
      
      the processor, deeming the user to have been identified and authenticated as a result of having successfully matched the entered password to the stored password.
  - 13. The system of claim 9, further comprising:
    - the processor selecting the temporary password as a function of the user'"'"'s location, wherein the user'"'"'s location comprises an Internet Protocol address of a device by which the user entered the sign-on request.

14. A computer program product, comprising a computer-readable hardware storage device having a computer-readable program code stored therein, the program code configured to be executed by a system comprising a processor, a memory coupled to the processor, and a computer-readable hardware storage device coupled to the processor, the storage device containing program code configured to be run by the processor via the memory to implement a method for using an out-of-band password to provide enhanced SSO functionality, the method comprising:
- the processor receiving notice of a user'"'"'s access request from an Identity Provider (IDP) of a Federated Single Sign-On (F-SSO) federation, wherein the access request requests access to a service provided by a Service Provider (SP) of the federation, and wherein the federation does not support Single Sign-On functionality for that service;
  
  the processor, in response to receiving the notice, identifying and validating the user;
  
  the processor sending a temporary password to the user, wherein the temporary password is subject to constraints selected from a group consisting of;
  
  limiting the temporary password to a certain number of uses, limiting the temporary password to use during a single session of the secured service, limiting the temporary password to use during a specified period of time, limiting the temporary password to use during a specified period of time after the first use of the temporary password, and requiring the user to perform an additional authentication procedure when entering the temporary password;
  
  the processor updating an information repository with a value of the temporary password;
  
  the processor detecting that the user has entered a correct value of the temporary password;
  
  the processor generating a single-use password; and
  
  the processor communicating the single-use password to the user, such that the user may use the single-use password to access the service, and wherein the in-band communication is a secure communication that is communicated through a medium under control of the Service Provider to a device under control of the Service Provider.
- View Dependent Claims (15, 16, 17)
- - 15. The computer program product of claim 14, wherein the temporary password is communicated through an out-of-band communications method that comprises a communication sent to a destination that is not part of the F-SSO federation and that is not under control of the Service Provider, and where the out-of-band communication is selected from a group consisting of:
    - a voice message;
      
      a fax;
      
      an SMS text message;
      
      an email message;
      
      a communication to a social-media service;
      
      an instant message; and
      
      a communication sent through the Internet to a software program running on a device that is accessible to the user.
  - 16. The computer program product of claim 14, wherein the identifying and validating the user comprises:
    - the processor, in response to the receiving notice, requesting that the IDP identify and authenticate the user;
      
      the processor redirecting the user to a portal under control of the IDP;
      
      the processor receiving authentication data from the IDP, andthe processor redirecting the user to a portal under control of the SP.
  - 17. The computer program product of claim 14, further comprising:
    - the processor storing a copy of the temporary password in an enterprise directory under control of the SP;
      
      the processor, upon receiving from the user the response to the sending, wherein the response is a password entered by the user, attempting to match the entered password with the password stored in the enterprise directory; and
      
      the processor, deeming the user to have been identified and authenticated as a result of having successfully matched the entered password to the stored password.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kyndryl Incorporated (Kyndryl Holdings, Inc.)
Original Assignee
International Business Machines Corporation
Inventors
Hinton, Heather M., Malone, Kelly
Primary Examiner(s)
Schwartz, Darren B
Assistant Examiner(s)
GYORFI, THOMAS A

Application Number

US14/950,262
Publication Number

US 20170149770A1
Time in Patent Office

707 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0815   providing single-sign-on or...

H04L 63/0846   using time-dependent-passwo...

H04L 63/10   for controlling access to d...

Using an out-of-band password to provide enhanced SSO functionality

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Using an out-of-band password to provide enhanced SSO functionality

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links