Methods and systems for multifactor authentication

US 7,739,744 B2
Filed: 03/31/2006
Issued: 06/15/2010
Est. Priority Date: 03/31/2006
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method processed by a reverse proxy, the method comprising:

intercepting, by the reverse proxy, an attempt by a first principal to access a second principal;

determining, by the reverse proxy, whether authentication credentials are available for authenticating the first principal, where the authentication credentials are defined by a policy and the policy identifies an identity service that is to authenticate the first principal and the policy also identifies the authentication mechanism to be used by that identity service, the authentication credentials are used for multifactor authentication by authenticating the first principal with some of the authentication credentials by using the authentication mechanism and the identity service defined in the policy and by authenticating the first principal to the second principal via a different authentication mechanism expected by the second principal and by using select ones of the authentication credentials, where the second principal is a legacy service that does not support multifactor authentication;

passing, by the reverse proxy, the select ones of the authentication credentials to the second principal giving access to the first principal if the authentication credentials are available, and wherein the second principal expects the select ones of the authentication credentials for access by using the different authentication mechanism of the second principal; and

redirecting, by the reverse proxy, the first principal to an identity service if the authentication credentials are unavailable for the first principal to authenticate with the identity service using the authentication mechanism defined in the policy and on successful authentication the first principal is supplied the authentication credentials.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In various embodiments of the invention, techniques are presented for providing multifactor authentication. A first set of credentials are received, which are associated with a first principal, and at least one identifier also associated with the first principal is obtained from a second principal. Next, the first principal'"'"'s knowledge of the at least one identifier is verified and an authentication credential is generated for the first principal. The authentication credential permits the first principal to access the second principal.

Citations

20 Claims

1. A computer-implemented method processed by a reverse proxy, the method comprising:
- intercepting, by the reverse proxy, an attempt by a first principal to access a second principal;
  
  determining, by the reverse proxy, whether authentication credentials are available for authenticating the first principal, where the authentication credentials are defined by a policy and the policy identifies an identity service that is to authenticate the first principal and the policy also identifies the authentication mechanism to be used by that identity service, the authentication credentials are used for multifactor authentication by authenticating the first principal with some of the authentication credentials by using the authentication mechanism and the identity service defined in the policy and by authenticating the first principal to the second principal via a different authentication mechanism expected by the second principal and by using select ones of the authentication credentials, where the second principal is a legacy service that does not support multifactor authentication;
  
  passing, by the reverse proxy, the select ones of the authentication credentials to the second principal giving access to the first principal if the authentication credentials are available, and wherein the second principal expects the select ones of the authentication credentials for access by using the different authentication mechanism of the second principal; and
  
  redirecting, by the reverse proxy, the first principal to an identity service if the authentication credentials are unavailable for the first principal to authenticate with the identity service using the authentication mechanism defined in the policy and on successful authentication the first principal is supplied the authentication credentials.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 further comprising, acquiring, by the reverse proxy, the authentication credentials from the identity service in response to the redirection.
  - 3. The method of claim 2, wherein acquiring further includes obtaining the authentication credentials via a secure communications link.
  - 4. The method of claim 2 further comprising, caching, by the reverse proxy, the authentication credentials if available or if subsequently supplied by the identity service.
  - 5. The method of claim 2, further comprising:
    - accessing, by the reverse proxy, the policy associated with the second principal; and
      
      determining, in accordance with the policy and by the reverse proxy, the select authentication credentials to acquire from the identity service, if the authentication credentials are unavailable.
  - 6. The method of claim 1, wherein redirecting to an identity service further includes an intermediate redirection to a service provider.
  - 7. The method of claim 6 further comprising, acquiring, by the reverse proxy, the authentication credentials and the select authentication credentials from the service provider in response to the redirection.

8. A computer-implemented method to process on a computer, comprising:
- receiving, by the computer, credentials associated with a first principal, the credentials used to authenticate the principal to a first authentication mechanism not compatible with the a second principal and a second authentication mechanism expected by the second principal, where the first principal is attempting access to the second principal and multifactor authentication is used via the first authentication mechanism and the second authentication mechanism;
  
  obtaining, by the computer, at least one identifier associated with the first principal from a second principal using at least one of the credentials and in response to a policy;
  
  verifying, by the computer, the at least one identifier with the first principal via the second authentication mechanism expected by the second principal; and
  
  generating, by the computer, an authentication credential for the first principal, granting it access to the second principal in response to verifying some of the credentials with the first authentication mechanism and the at least one identifier against select ones of the credentials using the second authentication mechanism.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8 further comprising, receiving, by the computer, an authentication request from the first principal for access to the second principal.
  - 10. The method of claim 9 further comprising, redirecting, by the computer, the first principal to the second principal.
  - 11. The method of claim 10 further comprising, communicating, by the computer, with one or more front-end services of the second principal over a secure communications link.
  - 12. The method of claim 11 further comprising:
    - receiving, by the computer, a request associated with a second principal for a credential for authenticating the first principal;
      
      generating, by the computer, the credential for the second principal; and
      
      providing, by the computer, the credential.
  - 13. The method of claim 8, wherein obtaining further includes obtaining the at least one identifier from the second principal via an interface associated with the second principal and by posing as the first principal using the credentials to gain access to the second principal.
  - 14. The method of claim 8 further comprising:
    - accessing, by the computer, the policy associated with the second principal; and
      
      determining, in accordance with the policy and by the computer, the at least one identifier to be requested from the second principal.

15. A system, comprising:
- an identity service, having a processor and a memory the identity service is to be in communication with a first and second principal, at least one credential is to be received from the first principal, and at least one identifier associated with the first principal is to be obtained from the second principal using the at least one credential, and, if the first principal verifies the at least one identifier via the identity service, an authentication credential is to be generated by the identity service for the first principal, the authentication credential is to be subsequently used by the first principal to gain access to the second principal, and the at least one identifier is identified by the identity service pursuant to a policy, the policy defines a first authentication mechanism that the identity service authenticates the principal against and that is not supported by the second principal, also, the policy defines a second authentication mechanism that the second principal expects and that the identity service validates via the at least one identifier and the at least one credential using the second authentication mechanism, the first and second authentication mechanisms result in multifactor authentication, which the second principal does not support but which the identity service provides via the first authentication mechanism.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, wherein the identity service is to receive an authentication request from the first principal.
  - 17. The system of claim 16, wherein the authentication request is to be received by the identity service from a front-end service that first receives the authentication request from the first principal.
  - 18. The system of claim 15, wherein the identity service is to respond to a request for the authentication credential.
  - 19. The system of claim 18, wherein the authentication credential is to be provided via a secure communication'"'"'s link.
  - 20. The system of claim 15, wherein the at least one identifier is obtained from the second principal via a user interface provided by the second principal.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Novell Incorporated (Open Text Corporation)
Inventors
Carter, Stephen R., Burch, Lloyd Leon
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
Hailu; Teshome

Application Number

US11/395,725
Publication Number

US 20070234408A1
Time in Patent Office

1,537 Days
Field of Search

726/12
US Class Current

726/26
CPC Class Codes

G06F 21/31   User authentication

G06F 2221/2115   Third party

H04L 63/0281   Proxies

H04L 63/08   for authentication of entit...

H04L 63/0815   providing single-sign-on or...

H04L 63/20   for managing network securi...

Methods and systems for multifactor authentication

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for multifactor authentication

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links