Network architecture and method for reducing the number of resource requests
US-9639619-B2 · May 2, 2017 · US
US2016205089A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2016205089-A1 |
| Application number | US-201414912453-A |
| Country | US |
| Kind code | A1 |
| Filing date | Sep 25, 2014 |
| Priority date | Sep 25, 2013 |
| Publication date | Jul 14, 2016 |
| Grant date | — |
Official abstract text for this publication.
In an example, a web gateway is described, including an authentication proxy engine (PAE). The PAE authenticates a user device via, for example, a username and password, biometric data, or two-factor authentication. The web gateway then provides seamless and transparent single sign-on (SSO) for one or more web services. When the user requests a web page from the web service, the PAE inserts custom code that detects a login action. When the user logs in, a one-time token may be provided to auto-fill the username and password field. When the user submits the form, the PAE provides the actual credentials to the web service. The PAE may also provide authentication via authentication headers.
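The token-for-credential swap described in the abstract, as an added example; it is not code from the patent or its assignee. The class name, the `username`/`password` form field names, the session binding and the expiry window are assumptions made for illustration, and the vault contents are constructed sample values.

```python
import secrets
import time

class AuthProxy:
    """Toy model of a gateway swapping a one-time token for stored credentials.
    All names here are hypothetical; the patent does not define an API."""

    def __init__(self, vault, ttl=60.0, clock=time.monotonic):
        self._vault = vault      # {(user, service): (real_username, real_password)}
        self._ttl = ttl          # assumed validity window for a token, in seconds
        self._clock = clock
        self._pending = {}       # token -> (session_id, user, service, expires_at)

    def issue_token(self, session_id, user, service):
        """Issue the pseudo-password the gateway auto-fills into the login form.
        The caller must already have authenticated `user` on `session_id`."""
        if (user, service) not in self._vault:
            raise KeyError("no stored credentials for this user/service")
        token = secrets.token_urlsafe(32)  # random, unrelated to the real password
        self._pending[token] = (session_id, user, service, self._clock() + self._ttl)
        return token

    def rewrite_submission(self, session_id, service, form):
        """Return the form to send upstream with real credentials, or None to reject."""
        token = form.get("password", "")
        if not isinstance(token, str):
            return None
        entry = self._pending.pop(token, None)  # pop: a token is burned on first use
        if entry is None:
            return None                          # unknown or replayed token
        sid, user, svc, expires_at = entry
        if not secrets.compare_digest(sid, session_id) or svc != service:
            return None                          # token presented by another session/service
        if self._clock() > expires_at:
            return None                          # stale token
        username, password = self._vault[(user, service)]
        upstream = dict(form)                    # keep other fields (e.g. CSRF) intact
        upstream.update(username=username, password=password)
        return upstream

if __name__ == "__main__":
    # Constructed sample data: the client only ever handles the token.
    proxy = AuthProxy({("alice", "mail.example"): ("alice@corp.example", "constructed-pw")})
    tok = proxy.issue_token("sess-1", "alice", "mail.example")
    print(proxy.rewrite_submission("sess-1", "mail.example", {"password": tok}))
    print(proxy.rewrite_submission("sess-1", "mail.example", {"password": tok}))  # replay
```

The client-side page and any script running in it only ever see the token, so the real password is exposed on the gateway-to-service connection alone.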
Opening claim text (preview).
1. A computing apparatus for providing a network gateway, comprising: a first data connection operable to communicatively couple the gateway to a network service; a second data connection operable to communicatively couple the gateway to a client device; and one or more logic elements comprising an authentication proxy engine operable for: receiving a request from the client device via the second data connection; and providing authentication data to the network service via the first data connection.
2. The computing apparatus of claim 1, wherein the proxy engine is further operable for: receiving an authentication validation from the network service via the first data connection; and providing the authentication validation to the client device via the second data connection.
3. The computing apparatus of claim 1, wherein the proxy engine is further operable for: receiving a request for a data page from the client device via the second data connection; receiving the data page from the network service via the first data connection; and forwarding the data page to the client device via the second data connection.
4. The computing apparatus of claim 3, wherein the proxy engine is further operable for modifying the data page request by inserting an authentication header into the data page.
5. The computing apparatus of claim 3, wherein the proxy engine is further operable for modifying the data page before forwarding the data page.
6. The computing apparatus of claim 5, wherein modifying the data page comprises inserting instructions for detecting and intercepting a login action.
7. The computing apparatus of claim 5, wherein the data page comprises a username or password field, and wherein modifying the data page comprises inserting a one-time random or pseudo-random token into the username or password field.
8. The computing apparatus of claim 1, wherein the proxy engine is further operable for authenticating the client device via the second data connection.
9. The computing apparatus of claim 8, wherein authenticating the client device comprises receiving biometric authentication data from the client device.
10. The computing apparatus of claim 8, wherein authenticating the client device comprises two-factor authentication.
11. The computing apparatus of claim 1, wherein the proxy engine is further operable for providing a token to the client device via the second data connection, wherein the token is different from the authentication data.
12. The computing apparatus of claim 11, wherein the token comprises a pseudo-username or pseudo-password.
13. The computing apparatus of claim 1, wherein the proxy engine is further operable for providing a learning mode.
14. One or more computer-readable mediums having stored thereon executable instructions for providing a proxy engine operable for: receiving a request for a network service from a client device via a second data connection; providing authentication data to the network service via a first data connection; receiving an authentication validation from a network service via a first data connection; and providing the authentication validation to the client device via a second data connection.
15. The one or more computer-readable mediums of claim 14, wherein the proxy engine is further operable for: receiving a request for a data page from the client device via the second data connection; receiving the data page from the network service via the first data connection; and forwarding the data page to the client device via the second data connection.
16. The one or more computer-readable mediums of claim 15, wherein the proxy engine is further operable for modifying the data page comprising inserting an authentication header into the data page.
17. The one or more computer-readable mediums of claim 15, wherein the proxy engine is further operable for modifying the data page before forwarding the data page.
18. The one or more computer-readable mediums of claim 17, wherein modifying the data page comprises inserting instructions for detecting and intercepting a login action.
19. The one or more computer-readable mediums of claim 17, wherein the data page comprises a username or password field, and wherein modifying the data page comprises inserting a one-time random or pseudo-random token into the username or password field.
20. The one or more computer-readable mediums of claim 14, wherein the proxy engine is further operable for authenticating the client device via the second data connection.
21. The one or more computer-readable mediums of claim 20, wherein authenticating the client device comprises receiving biometric authentication data from the client device or two-factor authentication.
22. The one or more computer-readable mediums of claim 14, wherein the proxy engine is further operable for providing a token to the client device via the second data connection, wherein the token is different from the authentication data.
23. The one or more computer-readable mediums of claim 22, wherein the token comprises a pseudo-username or pseudo-password.
24. A method of providing a proxy engine, comprising: communicatively coupling to a network service via a first data connection; authenticating a client device via a second data connection; receiving a login request from the client device via the second data connection; and providing authentication data to the network service via the first data connection.
25. The method of claim 24, wherein authenticating the client device comprises biometric authentication or two-factor authentication.
providing single-sign-on or federations · CPC title
using different networks or channels, e.g. using out of band channels (cryptographic mechanisms or cryptographic arrangements for key distribution involving distinctive intermediate devices or communication paths H04L9/0827; cryptographic mechanisms or cryptographic arrangements for authentication using a plurality of channels H04L9/3215) · CPC title
Proxies · CPC title
including means for verifying the identity or authority of a user of the system {or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials} · CPC title
using biometrical features, e.g. fingerprint, retina-scan (cryptographic mechanisms or cryptographic arrangements for entity authentication using biological data H04L9/3231) · CPC title