Nonce handler for single sign on authentication in reverse proxy solutions

US10938801B2 · US · B2

Patent metadata

Publication number: US-10938801-B2
Application number: US-201816138488-A
Country: US
Kind code: B2
Filing date: Sep 21, 2018
Priority date: Sep 21, 2018
Publication date: Mar 2, 2021
Grant date: Mar 2, 2021


Abstract

Official abstract text for this publication.

Methods, systems, and media are shown for providing a reverse proxy system with SSO capability involving receiving an authentication response message from a client that includes an authentication token and a unique session identifier and determining whether the identifier is stored on the proxy service. If the session identifier is stored on the proxy service, sending the authentication response message to a service provider to which the authentication response message is directed. If the session identifier in the authentication response message is not stored on the proxy service: sending a login request message to the service provider to which the authentication response message is directed, receiving an authentication request message from the service provider that includes another unique session identifier and redirects the authentication request message to an identity provider, storing the other session identifier, and sending the authentication request message with the other identifier to the client.

First claim

Opening claim text (preview).

What is claimed is:

1. A computer-implemented method for performing single-sign-on authentication in a system with a reverse proxy service, the method comprising: sending a first login request from a client to a service provider to initiate a first login session; responsive to the first login request, in the service provider, generating a first unique session identifier, storing the first unique session identifier, and hashing the first unique session identifier to create a first session identifier hash; sending a first authentication request message from the service provider to the client that contains the first session identifier and the first session identifier hash and redirects the first authentication request message to an identity provider; responsive to the first authentication request message, in the client, storing the first session identifier and sending a first authentication request to the identity provider; in the identity provider, authenticating the client responsive to the first authentication request, generating a first authentication token, and sending a first authentication response to the client with the first authentication token and redirecting the client to a proxy service; in the client, receiving the first authentication response with the first authentication token and redirecting the first authentication response to the proxy service with the first session identifier; in the proxy service, receiving the first authentication response and determining whether the first session identifier is stored on the proxy service; if the first session identifier is not stored on the proxy service, in the proxy service, sending a second login request to the service provider to initiate a second login session; responsive to the second login request, in the service provider, generating a second unique session identifier, storing the second unique session identifier, and hashing the second unique session identifier to create a second session identifier hash; sending a second authentication request message from the service provider to the proxy service that contains the second session identifier and the second session identifier hash and redirects the second authentication request message to the identity provider; in the proxy service, storing the second session identifier and sending the second authentication request message to the client; in the client, storing the second session identifier and sending the second authentication request message to the identity provider; in the identity provider, authenticating the client responsive to the second authentication request, generating a second authentication token, and sending a second authentication response to the client with the second authentication token and redirecting the client to the proxy service; in the client, receiving the second authentication response with the second authentication token and redirecting the second authentication response to the proxy service with the second session identifier; in the proxy service, receiving the second authentication response and determining whether the second session identifier is stored on the proxy service; and if the second session identifier is stored on the proxy service, in the proxy service, sending the second authentication response to the service provider to complete the second login session.

2. The computer-implemented method of claim 1, where the session identifier comprises a first nonce and the second session identifier comprises a second nonce.

3. The computer-implemented method of claim 1, where the second login request includes service provider context data that matches service provider context data in the first login request.

4. The computer-implemented method of claim 1, where the step of authenticating the client responsive to the first authentication request, generating a first authentication token, and sending a first authentication response to client with the first authentication token and redirecting the client to a proxy service includes using proxy configuration data to identify the proxy service.

5. The computer-implemented method of claim 4, where one or more parameters included in the first authentication request are utilized to identify the proxy service.

6. The computer-implemented method of claim 1, where the proxy service comprises a suffix proxy service and identifying data for the suffix proxy service is appended to a universal resource corresponding to the service provider.

7. A reverse proxy system with single-sign-on authentication capability, the system comprising: one or more processors; and at least one computer storage medium having computer executable instructions stored thereon which, when executed by the one or more processors, cause the one or more processors to: receive an authentication response message from a client that includes an authentication token and a unique session identifier; determine whether the unique session identifier in the authentication response message received from the client is stored on a proxy service; if the unique session identifier in the authentication response message received from the client is stored on the proxy service, send the authentication response message with the authentication token and the unique session identifier to a service provider to which the authentication response message is directed; and if the unique session identifier in the authentication response message received from the client is not stored on the proxy service: send a login request message to the service provider to which the authentication response message is directed, receive an authentication request message from the service provider that includes an other unique session identifier and redirects the authentication request message to an identity provider, store the other unique session identifier on the proxy service, and send the authentication request message with the other unique session identifier to the client.

8. The reverse proxy system of claim 7, the system including the identity provider, the identity provider having one or more processors and at least one computer storage medium having computer executable instructions stored thereon which, when executed by the one or more processors, cause the one or more processors to: receive an authentication request message from the client; authenticate user credentials included in the authentication request message from the client and generate an authentication token; determine whether a proxy service redirect is defined that is relevant to the authentication request message from the client and that identifies the proxy service for redirect; if the proxy service redirect is defined that is relevant to the authentication request message from the client, generate an authentication response message that is configured to redirect to the proxy service and includes the generated authentication token; and send the authentication response message that is configured to redirect to the proxy service and includes the generated authentication token to the client.

9. The reverse proxy system of claim 8, where one or more parameters included in the authentication request received by the identity provider from the client are utilized by the identity provider to determine whether a proxy service redirect is defined that is relevant to the authentication request message from the client.

10. The reverse proxy system of claim 7, where the unique session identifier comprises a first nonce and the other unique session identifier comprises a second nonce.

11. The reverse proxy system of claim 7, where the client and the service provider are configured to operate in accord
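Added example (not from the patent or from Microsoft): a Python simulation of the proxy-side nonce handler described in claims 1 and 7. The client first logs in at the service provider directly, so the proxy receives an authentication response carrying a nonce it never stored, opens a second login itself, records the new nonce, and only then forwards the completed response. The ServiceProvider, IdentityProvider and ProxyService classes, the message dictionaries and the single-use nonce check are constructed assumptions; the identity provider stand-in accepts every request.

```python
import hashlib
import secrets

class ServiceProvider:
    """Generates, stores and hashes a unique nonce for each login session."""
    def __init__(self):
        self.pending = {}  # nonce -> nonce hash; entry removed when login completes

    def login_request(self):
        nonce = secrets.token_hex(16)
        self.pending[nonce] = hashlib.sha256(nonce.encode()).hexdigest()
        # Authentication request message: nonce + hash, redirected to the IdP
        return {"nonce": nonce, "nonce_hash": self.pending[nonce], "redirect": "idp"}

    def complete_login(self, response):
        # Constructed check: nonce must still be pending and its stored hash
        # must match the hash of the presented nonce; the entry is single use.
        expected = self.pending.pop(response["nonce"], None)
        presented = hashlib.sha256(response["nonce"].encode()).hexdigest()
        return expected is not None and expected == presented

class IdentityProvider:
    """Constructed stand-in: accepts every request and redirects to the proxy."""
    def authenticate(self, request):
        return {"token": secrets.token_hex(16), "nonce": request["nonce"], "redirect": "proxy"}

class ProxyService:
    """Nonce handler: forward known nonces, re-initiate login for unknown ones."""
    def __init__(self, sp):
        self.sp, self.known_nonces = sp, set()

    def handle_auth_response(self, response):
        if response["nonce"] in self.known_nonces:
            return "forward", self.sp.complete_login(response)
        # Unknown nonce: the proxy never saw this login start, so it opens a
        # second login at the SP, records that nonce, and hands the request
        # back to the client to repeat the IdP round trip.
        second = self.sp.login_request()
        self.known_nonces.add(second["nonce"])
        return "reauth", second

def run_flow():
    """Client logs in at the SP directly, so the proxy first sees an unknown nonce."""
    sp, idp = ServiceProvider(), IdentityProvider()
    proxy = ProxyService(sp)
    first = idp.authenticate(sp.login_request())       # client -> SP -> IdP -> client
    action1, second_req = proxy.handle_auth_response(first)
    second = idp.authenticate(second_req)              # client repeats with nonce 2
    action2, ok = proxy.handle_auth_response(second)
    replay = proxy.handle_auth_response(second)        # same response presented again
    return action1, (action2, ok), replay
```

The third result shows why the service provider should treat the stored nonce as single use: a second presentation of the same response is forwarded by the proxy but no longer completes a login.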

Assignees

Microsoft Technology Licensing LLC

Inventors

Classifications

  • Data redirection of data network streams · CPC title

  • Proxies · CPC title

  • providing single-sign-on or federations · CPC title

  • where a single sign-on provides access to a plurality of computers · CPC title

  • using tickets, e.g. Kerberos (cryptographic mechanisms or cryptographic arrangements for entity authentication using tickets or tokens H04L9/3213) · CPC title


Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US10938801B2 cover?
Methods, systems, and media are shown for providing a reverse proxy system with SSO capability involving receiving an authentication response message from a client that includes an authentication token and a unique session identifier and determining whether the identifier is stored on the proxy service. If the session identifier is stored on the proxy service, sending the authentication respons…
Who is the assignee on this patent?
Microsoft Technology Licensing LLC
What technology area does this patent fall under?
Primary CPC classification: H04L63/0815. Mapped technology areas include Electricity.
When was this patent published?
Publication date: Mar 2, 2021 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 1 related publication on this page (citations in our corpus or others sharing the same primary CPC).