Methods and systems for multifactor authentication
First Claim
1. A computer-implemented method processed by a reverse proxy, the method comprising:
intercepting, by the reverse proxy, an attempt by a first principal to access a second principal;
determining, by the reverse proxy, whether authentication credentials are available for authenticating the first principal, where the authentication credentials are defined by a policy and the policy identifies an identity service that is to authenticate the first principal and the policy also identifies the authentication mechanism to be used by that identity service, the authentication credentials are used for multifactor authentication by authenticating the first principal with some of the authentication credentials by using the authentication mechanism and the identity service defined in the policy and by authenticating the first principal to the second principal via a different authentication mechanism expected by the second principal and by using select ones of the authentication credentials, where the second principal is a legacy service that does not support multifactor authentication;
passing, by the reverse proxy, the select ones of the authentication credentials to the second principal giving access to the first principal if the authentication credentials are available, and wherein the second principal expects the select ones of the authentication credentials for access by using the different authentication mechanism of the second principal; and
redirecting, by the reverse proxy, the first principal to an identity service if the authentication credentials are unavailable for the first principal to authenticate with the identity service using the authentication mechanism defined in the policy and on successful authentication the first principal is supplied the authentication credentials.
3 Assignments
0 Petitions
Abstract
In various embodiments of the invention, techniques are presented for providing multifactor authentication. A first set of credentials are received, which are associated with a first principal, and at least one identifier also associated with the first principal is obtained from a second principal. Next, the first principal's knowledge of the at least one identifier is verified and an authentication credential is generated for the first principal. The authentication credential permits the first principal to access the second principal.
20 Claims
1. As set out above under "First Claim". Dependent claims: 2, 3, 4, 5, 6, 7
8. A computer-implemented method to process on a computer, comprising:
receiving, by the computer, credentials associated with a first principal, the credentials used to authenticate the principal to a first authentication mechanism not compatible with a second principal and a second authentication mechanism expected by the second principal, where the first principal is attempting access to the second principal and multifactor authentication is used via the first authentication mechanism and the second authentication mechanism;
obtaining, by the computer, at least one identifier associated with the first principal from the second principal using at least one of the credentials and in response to a policy;
verifying, by the computer, the at least one identifier with the first principal via the second authentication mechanism expected by the second principal; and
generating, by the computer, an authentication credential for the first principal, granting it access to the second principal in response to verifying some of the credentials with the first authentication mechanism and the at least one identifier against select ones of the credentials using the second authentication mechanism.
Dependent claims: 9, 10, 11, 12, 13, 14
15. A system, comprising:
an identity service, having a processor and a memory, the identity service is to be in communication with a first and second principal;
at least one credential is to be received from the first principal, and at least one identifier associated with the first principal is to be obtained from the second principal using the at least one credential;
if the first principal verifies the at least one identifier via the identity service, an authentication credential is to be generated by the identity service for the first principal, the authentication credential is to be subsequently used by the first principal to gain access to the second principal;
the at least one identifier is identified by the identity service pursuant to a policy, the policy defines a first authentication mechanism that the identity service authenticates the principal against and that is not supported by the second principal;
the policy also defines a second authentication mechanism that the second principal expects and that the identity service validates via the at least one identifier and the at least one credential using the second authentication mechanism; and
the first and second authentication mechanisms result in multifactor authentication, which the second principal does not support but which the identity service provides via the first authentication mechanism.
Dependent claims: 16, 17, 18, 19, 20
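The following is an added, constructed illustration of the flow the claims describe (claim 1's reverse proxy and the identity service of claims 8 and 15); it is not code from the patent or its assignee. It assumes, for the sake of a runnable example, that the policy-defined first factor is a toy counter-based OTP, that the identifier the identity service fetches from the legacy service is an employee ID held on file there, that the legacy service accepts only HTTP Basic authentication, and that the "authentication credential" handed back to the first principal is an opaque token which the identity service maps server-side to the select credentials. All names (POLICY, LegacyService, IdentityService, ReverseProxy, the sample accounts) are invented for the example.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Policy (constructed): which identity service authenticates the first
# principal, with which mechanism, and which of the resulting credentials
# the legacy service (second principal) expects under its own mechanism.
POLICY = {
    "legacy-payroll": {
        "identity_service": "corp-idp",
        "idp_mechanism": "otp",             # factor the identity service verifies itself
        "legacy_mechanism": "http-basic",   # the only thing the legacy service understands
        "select_credentials": ("username", "legacy_password"),
    }
}

# Constructed sample accounts and OTP seeds; not data from the page.
LEGACY_ACCOUNTS = {"alice": {"password": "pay-roll-2024", "employee_id": "E-1042"}}
OTP_SEEDS = {"alice": b"constructed-seed-for-alice"}


def otp_for(user, counter):
    """Toy counter-based OTP (HMAC-SHA256 truncated to 6 hex chars). A stand-in
    for whatever mechanism the policy names, not a real HOTP implementation."""
    mac = hmac.new(OTP_SEEDS[user], str(counter).encode(), hashlib.sha256)
    return mac.hexdigest()[:6]


class LegacyService:
    """Second principal: speaks only HTTP Basic and has no notion of a second factor."""

    def _check(self, user, password):
        acct = LEGACY_ACCOUNTS.get(user)
        return acct is not None and hmac.compare_digest(acct["password"], password)

    def identifier_for(self, user, password):
        """Called by the identity service: return the identifier on file for the
        principal, using the legacy credential itself to authorise the lookup."""
        return LEGACY_ACCOUNTS[user]["employee_id"] if self._check(user, password) else None

    def handle(self, headers):
        auth = headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return {"status": 401, "headers": {"WWW-Authenticate": 'Basic realm="payroll"'}}
        user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
        if not self._check(user, password):
            return {"status": 403}
        return {"status": 200, "body": f"payroll data for {user}"}


class IdentityService:
    """Verifies the policy-defined factor, then the principal's knowledge of an
    identifier obtained from the legacy service, and issues an opaque credential
    that resolves (server-side only) to the select credentials."""

    def __init__(self, legacy, ttl=300):
        self.legacy = legacy
        self.ttl = ttl
        self._sessions = {}   # opaque token -> (expiry, select credentials)

    def authenticate(self, user, counter, otp, legacy_password, claimed_identifier):
        # Factor 1: the identity service's own mechanism (the toy OTP).
        if user not in OTP_SEEDS or not hmac.compare_digest(otp_for(user, counter), otp):
            return None
        # Factor 2: fetch an identifier from the second principal with the legacy
        # credential, then check the first principal actually knows it.
        on_file = self.legacy.identifier_for(user, legacy_password)
        if on_file is None or not hmac.compare_digest(on_file, claimed_identifier):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (time.time() + self.ttl,
                                 {"username": user, "legacy_password": legacy_password})
        return token

    def resolve(self, token):
        """Select credentials for a valid, unexpired token; None otherwise."""
        entry = self._sessions.get(token)
        if entry is None or entry[0] < time.time():
            self._sessions.pop(token, None)
            return None
        return entry[1]


class ReverseProxy:
    """Intercepts the first principal's request: either translates the credential
    into the legacy mechanism or redirects to the policy's identity service."""

    def __init__(self, idp, legacy):
        self.idp, self.legacy = idp, legacy

    def handle(self, target, session_token=None):
        policy = POLICY[target]
        creds = self.idp.resolve(session_token) if session_token else None
        if creds is None:
            login = (f"/{policy['identity_service']}/login"
                     f"?mechanism={policy['idp_mechanism']}&next={target}")
            return {"status": 302, "headers": {"Location": login}}
        # Pass only the select credentials, in the form the legacy service expects.
        user, password = (creds[k] for k in policy["select_credentials"])
        basic = base64.b64encode(f"{user}:{password}".encode()).decode()
        return self.legacy.handle({"Authorization": f"Basic {basic}"})


def demo():
    legacy = LegacyService()
    idp = IdentityService(legacy)
    proxy = ReverseProxy(idp, legacy)
    first = proxy.handle("legacy-payroll")                   # no credential: redirect
    bad = idp.authenticate("alice", 7, "000000", "pay-roll-2024", "E-1042")
    token = idp.authenticate("alice", 7, otp_for("alice", 7), "pay-roll-2024", "E-1042")
    second = proxy.handle("legacy-payroll", token)           # credential: translated to Basic
    return first, bad, token, second


if __name__ == "__main__":
    print(demo())
```

The point worth noticing is where the legacy password lives: the first principal only ever holds the opaque token, the identity service keeps the mapping, and the proxy reconstructs the Basic header per request. A wrong OTP, a wrong legacy password (which makes the identifier lookup fail) or a wrong identifier all yield no token, so the proxy keeps redirecting.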