Single sign-on method for appliance secure shell

US 9,923,888 B2
Filed: 10/02/2015
Issued: 03/20/2018
Est. Priority Date: 10/02/2015
Status: Active Grant

First Claim

Patent Images

1. An authentication system comprising:

a third-party identity provider (IDP) configured to authenticate a plurality of users through a series of one or more Hypertext Transfer Protocol (HTTP) redirections;

a storage device hosting an application; and

a client device configured to;

send a first request to establish a secure HTTP session with the storage device in order to access the application; and

send a second request different from the first request to establish a secure shell (SSH) session, wherein the second request comprises at least an access token generated during establishing of the secure HTTP session using the third-party IDP, wherein the access token is to be used for both verifying subsequent accesses of the application from the client device via the secure HTTP session and establishing the SSH session; and

wherein in response to receiving the second request, the storage device is configured to authorize the client device to establish the SSH session although the second request lacks a password, in further response to verifying the access token corresponds to the previously established secure HTTP session.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for efficiently establishing a secure shell connection for accessing Web resources. A user attempts to establish a secure Hypertext Transfer Protocol (HTTP) session between a client computing device and a remote storage device. The storage device redirects the Web browser of the client computing device to a single sign-on (SSO) third-party identity provider for authorizing the user. After successful authorization, the client computing device receives information to use to maintain a secure HTTP session. This information is stored on the storage device. The user attempts to establish a text-based secure shell session. The user is not prompted for login credentials. However, the user is authenticated using the previously stored information and a text-based secure shell session is established.

Citations

20 Claims

1. An authentication system comprising:
- a third-party identity provider (IDP) configured to authenticate a plurality of users through a series of one or more Hypertext Transfer Protocol (HTTP) redirections;
  
  a storage device hosting an application; and
  
  a client device configured to;
  
  send a first request to establish a secure HTTP session with the storage device in order to access the application; and
  
  send a second request different from the first request to establish a secure shell (SSH) session, wherein the second request comprises at least an access token generated during establishing of the secure HTTP session using the third-party IDP, wherein the access token is to be used for both verifying subsequent accesses of the application from the client device via the secure HTTP session and establishing the SSH session; and
  
  wherein in response to receiving the second request, the storage device is configured to authorize the client device to establish the SSH session although the second request lacks a password, in further response to verifying the access token corresponds to the previously established secure HTTP session.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The authentication system as recited in claim 1, wherein the storage device is further configured to send at least the access token and a client device identifier (ID) to the client device responsive to receiving from the third-party IDP an indication of successful authentication for a given user of the plurality of users on the client device requesting to access the application through a secure HTTP session.
  - 3. The authentication system as recited in claim 2, wherein the storage device is further configured to store each of the access token and the client device ID to use for verifying subsequent accesses of the application from the client device via the secure HTTP session.
  - 4. The authentication system as recited in claim 3, wherein the client device ID comprises one or more of a session cookie, an Internet Protocol (IP) address, and a media access control (MAC) address.
  - 5. The authentication system as recited in claim 2, wherein the second request from the client device to establish the SSH session further comprises the client device ID.
  - 6. The authentication system as recited in claim 3, wherein to authorize the client device to establish the SSH session, the storage device is further configured to determine whether at least the access token and the client device ID in the request matches the stored access token and the stored client device ID.
  - 7. The authentication system as recited in claim 3, wherein to authorize the client device to establish the SSH session, the storage device is further configured to forego any HTTP redirections.
  - 8. The authentication system as recited in claim 3, wherein to authorize the client device to establish the SSH session, the storage device is further configured to forego using the third-party IDP.

9. A method for executing on a processor, the method comprising:
- authenticating with a third-party identity provider (IDP) a plurality of users through a series of one or more Hypertext Transfer Protocol (HTTP) redirections;
  
  hosting an application on a storage device;
  
  sending a first request from a client device to establish a secure HTTP session with the storage device in order to access the application;
  
  sending a second request different from the first request from the client device to the storage device to establish a secure shell (SSH) session, wherein the second request comprises at least an access token generated during establishing of the secure HTTP session using the third-party IDP, wherein the access token is to be used for both verifying subsequent accesses of the application from the client device via the secure HTTP session and establishing the SSH session; and
  
  authorizing the client device to establish the SSH session although the second request lacks a password, in response to verifying the access token corresponds to the previously established secure HTTP session.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The method as recited in claim 9, further comprising sending at least the access token and a client device identifier (ID) to the client device responsive to receiving from the third-party IDP an indication of successful authentication for a given user of the plurality of users on the client device requesting to access the application through a secure HTTP session.
  - 11. The method as recited in claim 10, further comprising storing each of the access token and the client device ID in the storage device to use for verifying subsequent accesses of the application from the client device via the secure HTTP session.
  - 12. The method as recited in claim 11, wherein the client device ID comprises one or more of a session cookie, an Internet Protocol (IP) address, and a media access control (MAC) address.
  - 13. The method as recited in claim 10, wherein the second request from the client device to establish the SSH session further comprises the client device ID.
  - 14. The method as recited in claim 11, wherein to authorize the client device to establish the SSH session, the method further comprises determining whether at least the access token and the client device ID in the request matches the stored access token and the stored client device ID.
  - 15. The method as recited in claim 11, wherein to authorize the client device to establish the SSH session, the method further comprises foregoing any HTTP redirections.
  - 16. The method as recited in claim 11, wherein to authorize the client device to establish the SSH session, the method further comprises foregoing using the third-party IDP.

17. A storage device comprising:
- a processor; and
  
  a memory configured to;
  
  store an application; and
  
  store program instructions executable by the processor to;
  
  send requests to a third-party identity provider (IDP) configured to authenticate a plurality of users through a series of one or more Hypertext Transfer Protocol (HTTP) redirections;
  
  receive a given request from a client device to establish a secure shell (SSH) session, wherein the given request comprises at least an access token generated during establishing of a secure HTTP session for the client device using the third-party IDP, wherein the access token is to be used for both verifying subsequent accesses of the application from the client device via the secure HTTP session and establishing the SSH session; and
  
  authorize the client device to establish the SSH session although the given request lacks a password, in further response to verifying the access token corresponds to the previously established secure HTTP session.
- View Dependent Claims (18, 19, 20)
- - 18. The storage device as recited in claim 17, wherein the program instructions are further executable by the processor to send at least the access token and a client device identifier (ID) to the client device responsive to receiving from the third-party IDP an indication of successful authentication for a given user of the plurality of users on the client device requesting to access the application through a secure HTTP session.
  - 19. The storage device as recited in claim 18, wherein the given request from the client device to establish the SSH session further comprises the client device ID.
  - 20. The storage device as recited in claim 18, wherein to authorize the client device to establish the SSH session, the program instructions are further executable to determine whether at least the first access token and the client device ID in the request matches stored values of the first access token and the stored client device ID.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Veritas Technologies, LLC (Whitehouse Group Ltd.)
Original Assignee
Veritas Technologies, LLC (Whitehouse Group Ltd.)
Inventors
Goel, Vikas, Koeten, Robert
Primary Examiner(s)
Turchen, James R

Application Number

US14/874,173
Publication Number

US 20170099280A1
Time in Patent Office

900 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/335   for accessing specific reso...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/083   using passwords cryptograph...

H04L 63/102   Entity profiles

H04L 63/168   above the transport layer

H04L 67/02   based on web technology, e....

H04L 67/025   for remote control or remot...

H04L 67/141   Setup of application sessio...

H04L 67/146   Markers for unambiguous ide...

H04L 67/53   using third party service p...

Single sign-on method for appliance secure shell

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Single sign-on method for appliance secure shell

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links