Single sign on proxy for regulating access to a cloud service

US9807079B2 · US · B2

Patent metadata
Publication number: US-9807079-B2
Application number: US-201514921655-A
Country: US
Kind code: B2
Filing date: Oct 23, 2015
Priority date: Oct 23, 2014
Publication date: Oct 31, 2017
Grant date: Oct 31, 2017

Abstract

Embodiments disclosed herein provide systems, methods, and computer readable media for using a single sign-on proxy to regulate access to a cloud service. In a particular embodiment, a method provides receiving an authentication request from a user system directed to a SSO service and determining whether the authentication request satisfies at least one criterion for allowing access to the cloud service associated with the SSO service. Upon determining that the authentication request satisfies the at least one criterion, the method provides forwarding the authentication request to the SSO service.

First claim

What is claimed is:

1. A method of regulating access to a cloud service using a single sign-on (SSO) proxy, the method comprising: in the SSO proxy: receiving an authentication request from a user system directed to a SSO service; in response to receiving the authentication request, determining whether the authentication request satisfies at least one criterion for allowing access to the cloud service associated with the SSO service, wherein determining whether the authentication request satisfies at least one criterion comprises determining whether the authentication request was received from a geographic location that satisfies a geographic location limitation included in the at least one criterion and determining whether the authentication request was received at a time that satisfies a time limitation included in the at least one criterion; upon determining that the authentication request satisfies the at least one criterion, forwarding the authentication request to the SSO service; after the SSO service authenticates the authentication request, determining that the at least one criterion is no longer satisfied; and upon determining that the at least one criterion is no longer satisfied, transferring a sign-off request to the SSO service.

2. The method of claim 1, wherein determining whether the authentication request was received from a geographic location that satisfies the geographic location limitation comprises: identifying a network address from which the authentication request was received; and identifying the geographic location associated with the network address.

3. The method of claim 1, wherein the at least one criterion includes a device type limitation, and the method further comprises: determining whether the user system satisfies the device type limitation.

4. The method of claim 1, wherein the at least one criterion includes an application limitation, and the method further comprises: determining whether a Uniform Resource Locator (URL) included in the authentication request satisfies the application limitation.

5. The method of claim 1, wherein the at least one criterion comprises a first criterion upon which satisfaction of a second criterion depends.

6. The method of claim 1, further comprising: upon determining that the authentication request does not satisfy the at least one criterion, transferring a notification to the user system indicating that the authentication request was not forwarded to the SSO service.

7. The method of claim 6, wherein the notification further indicates a reason that the authentication request was not forwarded to the SSO service.

8. A single sign-on (SSO) proxy system for regulating access to a cloud service, the SSO proxy system comprising: a communication interface configured to receive an authentication request from a user system directed to a SSO service; a processing system configured to, in response to the communication interface receiving the authentication request, determine whether the authentication request satisfies at least one criterion for allowing access to the cloud service associated with the SSO service, wherein to determine whether the authentication request satisfies at least one criterion the processing system determines whether the authentication request was received from a geographic location that satisfies a geographic location limitation included in the at least one criterion and determines whether the authentication request was received at a time that satisfies a time limitation included in the at least one criterion; the communication interface further configured to, upon determining that the authentication request satisfies the at least one criterion, forward the authentication request to the SSO service; the processing system further configured to, after the SSO service authenticates the authentication request, determine that the at least one criterion is no longer satisfied; and the communication interface further configured to, upon the processing system determining that the at least one criterion is no longer satisfied, transfer a sign-off request to the SSO service.

9. The SSO proxy of claim 8, wherein the processing system configured to determine whether the authentication request was received from a geographic location that satisfies the geographic location limitation comprises: the processing system configured to identify a network address from which the authentication request was received and identify the geographic location associated with the network address.

10. The SSO proxy of claim 8, wherein the at least one criterion includes a device type limitation, and the SSO proxy further comprises: the processing system configured to determine whether the user system satisfies the device type limitation.

11. The SSO proxy of claim 8, wherein the at least one criterion includes an application limitation, and the SSO proxy further comprises: the processing system configured to determine whether a Uniform Resource Locator (URL) included in the authentication request satisfies the application limitation.

12. The SSO proxy of claim 8, wherein the at least one criterion comprises a first criterion upon which satisfaction of a second criterion depends.

13. The SSO proxy of claim 8, further comprising: the communication interface configured to transfer a notification to the user system indicating that the authentication request was not forwarded to the SSO service upon determining that the authentication request does not satisfy the at least one criterion.

14. A non-transitory computer readable storage medium having instructions stored thereon for regulating access to a cloud service, the instructions, when executed by a single sign-on (SSO) proxy system, direct the SSO proxy system to: receive an authentication request from a user system directed to a SSO service; in response to receiving the authentication request, determine whether the authentication request satisfies criteria for allowing access to the cloud service associated with the SSO service, wherein to determine whether the authentication request satisfies at least one criterion the instruct the SSO proxy system to determine whether the authentication request was received from a geographic location that satisfies a geographic location limitation included in the at least one criterion and determine whether the authentication request was received at a time that satisfies a time limitation included in the at least one criterion; upon determining that the authentication request satisfies the criteria, forward the authentication request to the SSO service; after the SSO service authenticates the authentication request, determine that the at least one criterion is no longer satisfied; and upon determining that the at least one criterion is no longer satisfied, transfer a sign-off request to the SSO service.

Classifications

  • Electricity · mapped topic

  • based on web technology, e.g. hypertext transfer protocol [HTTP] · CPC title

  • providing single-sign-on or federations · CPC title

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Palo Alto Networks Inc, Palo Alto Network Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/0815. Mapped technology areas include Electricity.
When was this patent published?
Publication date Oct 31, 2017 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 4 related publications on this page (citations in our corpus or others sharing the same primary CPC).