Systems and methods for logging out of cloud-based applications managed by single sign-on services
US-9699171-B1 · Jul 4, 2017 · US
Validating sign-out implementation for identity federation
US10803164B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10803164-B2 |
| Application number | US-201816130060-A |
| Country | US |
| Kind code | B2 |
| Filing date | Sep 13, 2018 |
| Priority date | Dec 9, 2015 |
| Publication date | Oct 13, 2020 |
| Grant date | Oct 13, 2020 |
How to read this patent
A practical reading order for non-experts. Skip the full description unless you need deep technical detail.
- Title
What the patent document calls the invention.
- Abstract
A short plain-language summary of the technical disclosure.
- Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
- Key dates
Filing, priority, publication, and grant dates set the timeline.
- First independent claim
The legal scope of protection — read this for what is actually claimed.
- CPC / IPC classifications
Technology tags used to group this patent with similar filings.
- Citations and related patents
Prior art links and similar publications in this corpus.
Abstract
Official abstract text for this publication.
Disclosed are various embodiments for validating that relying parties of a federated identity provider have correctly implemented sign-out functionality. In one approach, a network page is received from a network site that is operated by a relying party of a federated identity provider. It is then determined whether the network page includes code that properly implements a sign-out from the federated identity provider. An action is initiated in response to determining that the network page does not include code that properly implements the sign-out from the federated identity provider.
First claim
Opening claim text (preview).
Therefore, the following is claimed: 1. A system, comprising: at least one computing device; and at least one application executable in the at least one computing device, wherein when executed the at least one application causes the at least one computing device to at least: receive a network page from a network site, wherein the network site is operated by a relying party of a federated identity provider; analyze the network page to determine whether the network page includes code that properly implements a sign-out from the federated identity provider; and initiate an action in response to determining that the network page does not include code that properly implements the sign-out from the federated identity provider. 2. The system of claim 1 , wherein when executed the at least one application is configured to cause the at least one computing device to at least crawl the network site to determine a uniform resource locator of the network page. 3. The system of claim 1 , wherein when executed the at least one application is configured to cause the at least one computing device to at least determine a uniform resource locator of the network page based at least in part on a referring uniform resource locator received by the federated identity provider during a sign-in. 4. The system of claim 1 , wherein when executed the at least one application is configured to cause the at least one computing device to at least periodically assess whether the network page properly implements the sign-out from the federated identity provider. 5. The system of claim 1 , wherein determining whether the network page includes the code that properly implements the sign-out from the federated identity provider further comprises determining whether the network page includes approved predefined code that properly implements the sign-out from the federated identity provider. 6. The system of claim 1 , wherein determining whether the network page includes the code that properly implements the sign-out from the federated identity provider further comprises: determining a potential sign-out component in the network page; activating the potential sign-out component; and determining whether a service of the federated identity provider has received a sign-out in response to activating the potential sign-out component. 7. The system of claim 1 , wherein the action comprises configuring a service of the federated identity provider to disallow sign-ins originating from the network site. 8. The system of claim 1 , wherein the action comprises generating a report indicating that the network site has not properly implemented sign-out functionality. 9. The system of claim 1 , wherein the action comprises configuring a service of the federated identity provider to assign a shorter period of session expiration to a session originating from the network site. 10. The system of claim 1 , wherein the action comprises causing a plurality of users who signed in via the network site to be automatically signed out by a service of the federated identity provider. 11. The system of claim 1 , wherein when executed the at least one application further causes the at least one computing device to at least sign-in with a user identity through the network site via the federated identity provider before receiving the network page. 12. A system, comprising: at least one computing device; and at least one application executable in the at least one computing device, wherein when executed the at least one application causes the at least one computing device to at least: record sign-out data for a relying party of a federated identity provider; determine, from the sign-out data, a quantity of sign-outs associated with the relying party; determine that the relying party has not properly implemented sign-out functionality for the federated identity provider based at least in part on the quantity of sign-outs; and initiate an action in response to determining that the relying party has not properly implemented the sign-out functionality. 13. The system of claim 12 , wherein when executed the at least one application further causes the at least one computing device to at least analyze sign-in data and the sign-out data for a plurality of relying parties to determine a baseline ratio of sign-outs to sign-ins associated with a proper implementation of the sign-out functionality. 14. The system of claim 12 , wherein when executed the at least one application further causes the at least one computing device to at least analyze the sign-out data for a plurality of relying parties to determine a baseline sign-out quantity threshold associated with a proper implementation of the sign-out functionality. 15. The system of claim 12 , wherein determining that the relying party has not properly implemented the sign-out functionality further comprises determining that the quantity of sign-outs is below a predefined threshold. 16. The system of claim 12 , wherein determining that the relying party has not properly implemented the sign-out functionality further comprises determining that a ratio of the quantity of sign-outs to a quantity of sign-ins is below a predefined threshold. 17. A method, comprising: recording, via at least one of one or more computing devices, sign-out data for individual ones of a plurality of relying parties of a federated identity provider; determining, via at least one of the one or more computing devices, from the sign-out data, a quantity of sign-outs associated with a particular relying party of the plurality of relying parties; determining, via at least one of the one or more computing devices, that the particular relying party has not properly implemented sign-out functionality for the federated identity provider based at least in part on the quantity of sign-outs associated with the particular relying party; and initiating, via at least one of the one or more computing devices, an action in response to determining that the particular relying party has not properly implemented the sign-out functionality. 18. The method of claim 17 , wherein the action comprises configuring a service of the federated identity provider to assign a shorter period of session expiration to a session originating from the particular relying party or causing a plurality of users who signed in via the relying party to be automatically signed out by the service. 19. The method of claim 17 , wherein determining that the particular relying party has not properly implemented the sign-out functionality further comprises at least one of: determining, via at least one of the one or more computing devices, that the quantity of sign-outs is below a predefined threshold; or determining, via at least one of the one or more computing devices, that a ratio of the quantity of sign-outs to a quantity of sign-ins is below a predefined threshold. 20. The method of claim 17 , wherein the sign-out data is recorded by a service of the federated identity provider.
Assignees
Inventors
Classifications
- G06F21/45Primary
Structures or tools for the administration of authentication · CPC title
providing single-sign-on or federations · CPC title
where a single sign-on provides access to a plurality of computers · CPC title
Patent family
Related publications grouped by family.
External sources
Frequently asked questions
Answers are generated from the same data shown on this page.
- What does patent US10803164B2 cover?
- Disclosed are various embodiments for validating that relying parties of a federated identity provider have correctly implemented sign-out functionality. In one approach, a network page is received from a network site that is operated by a relying party of a federated identity provider. It is then determined whether the network page includes code that properly implements a sign-out from the fed…
- Who is the assignee on this patent?
- Amazon Tech Inc
- What technology area does this patent fall under?
- Primary CPC classification G06F21/45. Mapped technology areas include Physics.
- When was this patent published?
- Publication date Tue Oct 13 2020 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.
- What related patents are in patentsdb?
- We list 5 related publications on this page (citations in our corpus or others sharing the same primary CPC).