1. Technical Field
This disclosure relates generally to authenticating users in a network environment in which it is desired to prevent unrestricted access to accessible networks, such as the Internet.
2. Background of the Related Art
User authentication is one function that service providers offer to ensure that users accessing resources (e.g., applications, web content, etc.) are authorized to do so. To ensure that a user is not an imposter, service providers (e.g., web servers) generally ask for a user's username and password to prove identity before authorizing access to resources. Single sign-on (SSO) is an access control mechanism which enables a user to authenticate once (e.g., provide a username and password) and gain access to software resources across multiple systems. Typically, an SSO system enables user access to resources within an enterprise or an organization. Federated Single Sign-on (F-SSO) extends the concept of single sign-on across multiple enterprises, thus establishing partnerships between different organizations and enterprises. F-SSO systems typically include application level protocols that allow one enterprise (e.g., an identity provider) to supply a user's identity and other attributes to another enterprise (e.g., a service provider). In other words, an F-SSO system helps transport the user's credentials from the identity provider to the service provider using any suitable protocol. Typically, current F-SSO techniques use HTTP as the transport protocol.
HTTP outbound proxies are used in environments where users are connected to a network and can access certain resources but are required to authenticate to have access to additional resources on the network (such as the Internet). One such example is in public wireless network hot spots. Users can access the wireless network but are required to authenticate to access the Internet (via a captive portal). Another example is in a corporate network where users may be able to access the intranet but must authenticate to an in-line device (e.g., a proxy server) before being allowed to access the Internet. Some such devices allow access to certain web sites but require authentication to others. A paradigm example would be an educational environment in which an outbound proxy is used to allow teachers to access a web site (e.g., YouTube or Facebook) while preventing students from doing so.
A problem with the existing approach of requiring the user to authenticate is that it is cumbersome to the user experience. From the user's point of view, edge devices on the network that monitor the outgoing traffic should be as transparent as possible and require minimal user interaction to authenticate the user. On the other hand, enterprises or businesses typically want to write and enforce policy around what content can and cannot be accessed from within their network environments, and they also have a need or desire to know (or to have a level of confidence about) who a user is in order to enforce business or other security policy. Some techniques and partial solutions associated with this problem space include requiring the user to authenticate at the in-line device, collating log-in events (e.g., from a corporate directory) and correlating them with a user's workstation IP/MAC address, making a “best-effort” assumption about the user based on a static set of MAC-to-IP address mappings within a specific network segment, and the like. More complex and expensive approaches rely upon monitoring and analyzing behavioral patterns to generate models against which current activity can be compared to determine whether to permit authentication.
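The following is an added illustration, not code from the disclosure, of the "correlate directory log-in events with the workstation IP address" partial solution described above, together with the weakness it carries. The proxy policy, role names, intranet range, session timeout and the event stream are all constructed for the example; the directory, proxy and hosts are assumed, not taken from the disclosure. The toy engine maps a client IP to the most recent login seen for it, gates outbound requests on that mapping plus a per-role site policy (the teacher/student case from the background), and shows that without an idle timeout a re-used address is silently attributed to the previous user.

```python
"""Toy outbound-proxy gate based on IP-to-login correlation (illustrative, constructed)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
import ipaddress

# Constructed: destinations inside this range are reachable without authentication.
INTRANET = ipaddress.ip_network("10.0.0.0/8")

# Constructed role policy: outbound web hosts each role may reach through the proxy.
ROLE_POLICY = {
    "teacher": {"www.youtube.com", "www.facebook.com", "www.example.org"},
    "student": {"www.example.org"},
}


@dataclass
class Session:
    user: str
    role: str
    seen_at: float  # time of the directory login event, in seconds


class SessionTable:
    """Maps client IP -> most recent directory login, expiring entries after ttl_seconds."""

    def __init__(self, ttl_seconds: float):
        self.ttl = ttl_seconds
        self._by_ip: Dict[str, Session] = {}

    def record_login(self, ip: str, user: str, role: str, ts: float) -> None:
        self._by_ip[ip] = Session(user, role, ts)

    def record_logoff(self, ip: str) -> None:
        self._by_ip.pop(ip, None)

    def lookup(self, ip: str, now: float) -> Optional[Session]:
        session = self._by_ip.get(ip)
        if session is None:
            return None
        if now - session.seen_at > self.ttl:  # stale mapping: the address may have moved
            del self._by_ip[ip]
            return None
        return session


def decide(table: SessionTable, client_ip: str, dest_host: str,
           dest_ip: str, now: float) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'allow', 'deny' or 'authenticate'."""
    if ipaddress.ip_address(dest_ip) in INTRANET:
        return "allow", "intranet destination, no authentication required"
    session = table.lookup(client_ip, now)
    if session is None:
        return "authenticate", "no fresh login correlated with client IP"
    if dest_host in ROLE_POLICY.get(session.role, set()):
        return "allow", f"{session.user} ({session.role}) permitted"
    return "deny", f"{session.user} ({session.role}) not permitted by role policy"


def simulate(ttl_seconds: float) -> Dict[str, str]:
    """Run a constructed event stream and return the verdict for each scenario."""
    table = SessionTable(ttl_seconds)
    # Constructed directory login events: (client IP, user, role, timestamp).
    table.record_login("192.0.2.10", "alice", "teacher", 0.0)
    table.record_login("192.0.2.11", "bob", "student", 0.0)
    internet = "203.0.113.5"  # constructed public destination address
    results = {
        "teacher_youtube": decide(table, "192.0.2.10", "www.youtube.com", internet, 10.0)[0],
        "student_youtube": decide(table, "192.0.2.11", "www.youtube.com", internet, 10.0)[0],
        "student_example": decide(table, "192.0.2.11", "www.example.org", internet, 10.0)[0],
        "unknown_client": decide(table, "192.0.2.99", "www.example.org", internet, 10.0)[0],
        "intranet_no_login": decide(table, "192.0.2.99", "wiki.internal", "10.1.2.3", 10.0)[0],
    }
    # Later, 192.0.2.10 is re-used by a device that never logged in to the directory.
    # A fresh-enough mapping is required, otherwise the request is attributed to alice.
    results["reused_address_later"] = decide(
        table, "192.0.2.10", "www.youtube.com", internet, 5000.0)[0]
    return results


if __name__ == "__main__":
    for name, verdict in simulate(ttl_seconds=3600).items():
        print(f"{name:24s} {verdict}")
    print("without timeout, re-used address ->",
          simulate(ttl_seconds=float("inf"))["reused_address_later"])
```

With a one-hour idle timeout the re-used address falls through to "authenticate"; with no timeout the same request is attributed to the earlier user and allowed, which is the misattribution risk behind the "best-effort" mapping approaches named above.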