US 12,095,785 B2
System and methods for detecting SAML forgery or manipulation attacks
Jason Crabtree, Vienna, VA (US); Richard Kelley, Woodbridge, VA (US); Angadbir Singh Salaria, Herndon, VA (US); Andrew Sellers, Monument, CO (US); Farooq Israr Ahmed Shaikh, Reston, VA (US); Randy Clayton, Frederick, MD (US); and Luka Jurukovski, Arlington, VA (US)
Assigned to QOMPLX, Reston, VA (US)
Filed by QOMPLX LLC, New York, NY (US)
Filed on Oct. 28, 2023, as Appl. No. 18/496,859.
Application 18/496,859 is a continuation of application No. 17/975,548, filed on Oct. 27, 2022, granted, now 11,818,150.
Application 17/975,548 is a continuation of application No. 17/163,073, filed on Jan. 29, 2021, granted, now 11,552,968, issued on Jan. 10, 2023.
Application 17/163,073 is a continuation in part of application No. 15/837,845, filed on Dec. 11, 2017, granted, now 11,005,824, issued on May 11, 2021.
Application 15/837,845 is a continuation in part of application No. 15/825,350, filed on Nov. 29, 2017, granted, now 10,594,714, issued on Mar. 17, 2020.
Application 15/825,350 is a continuation in part of application No. 15/725,274, filed on Oct. 4, 2017, granted, now 10,609,079, issued on Mar. 31, 2020.
Application 15/725,274 is a continuation in part of application No. 15/655,113, filed on Jul. 20, 2017, granted, now 10,735,456, issued on Aug. 4, 2020.
Application 15/655,113 is a continuation in part of application No. 15/616,427, filed on Jun. 7, 2017, abandoned.
Application 15/655,113 is a continuation in part of application No. 15/237,625, filed on Aug. 15, 2016, granted, now 10,248,910, issued on Apr. 2, 2019.
Application 15/616,427 is a continuation in part of application No. 15/206,195, filed on Jul. 8, 2016, abandoned.
Application 15/206,195 is a continuation in part of application No. 15/186,453, filed on Jun. 18, 2016, abandoned.
Application 15/186,453 is a continuation in part of application No. 15/166,158, filed on May 26, 2016, abandoned.
Application 15/166,158 is a continuation in part of application No. 15/141,752, filed on Apr. 28, 2016, granted, now 10,860,962, issued on Dec. 8, 2020.
Application 15/141,752 is a continuation in part of application No. 15/091,563, filed on Apr. 5, 2016, granted, now 10,204,147, issued on Feb. 12, 2019.
Application 15/141,752 is a continuation in part of application No. 14/986,536, filed on Dec. 31, 2015, granted, now 10,210,255, issued on Feb. 19, 2019.
Application 15/141,752 is a continuation in part of application No. 14/925,974, filed on Oct. 28, 2015, abandoned.
Application 15/616,427 is a continuation in part of application No. 14/925,974, filed on Oct. 28, 2015, abandoned.
Claims priority of provisional application 62/596,105, filed on Dec. 7, 2017.
Prior Publication US 2024/0064159 A1, Feb. 22, 2024
This patent is subject to a terminal disclaimer.
Int. Cl. H04L 9/40 (2022.01); H04L 9/06 (2006.01)
CPC H04L 63/1416 (2013.01) [H04L 63/0876 (2013.01); H04L 63/1425 (2013.01); H04L 63/1466 (2013.01)] 8 Claims
OG exemplary drawing
 
1. A system for detecting Security Assertion Markup Language (SAML) forgery or manipulation attacks, comprising:
a computing system comprising a memory and a processor;
a policy manager subsystem comprising a first plurality of programming instructions stored in the memory which, when operating on the processor, causes the computing system to:
receive a plurality of network packets comprising a first authentication object for a user of a service, the first authentication object comprising a first identification string known to be generated by an identity provider associated with the service;
generate a unique identifier for the first authentication object;
provide the unique identifier to the identity provider from which the first authentication object was generated for inclusion in additional authentication objects issued to the user;
receive a request for access to the service by the user accompanied by a second authentication object comprising a second identification string;
compare a value of the second identification string of the second authentication object against a value of the second identification string of the stored record of the first authentication object;
check the second authentication object for the unique identifier; and
generate an authentication failure if the unique identifier is missing or invalid; and
a hashing subsystem comprising a second plurality of programming instructions stored in the memory of, and operating on the processor of, the computing system, wherein the second plurality of programmable instructions, when operating on the processor, cause the computing system to:
receive authentication objects from the policy manager;
calculate unique identifiers for authentication objects received by performing a plurality of calculations and transformations on each received authentication object; and
return the unique identifiers for authentication objects received to the policy manager.
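As an added illustration (not code from the patent or from QOMPLX), the following hypothetical Python model shows the policy-manager / hashing-subsystem interaction claim 1 describes: a first assertion from the identity provider is hashed into a unique identifier, the identifier is handed back to the identity provider for inclusion in later assertions, and each later access request is checked against the stored record (identification string match, identifier present, identifier valid), producing an authentication failure otherwise. The names `PolicyManager`, `HashingSubsystem`, `SimulatedIdP`, the `pm-uid` attribute, the demo key and the sample assertions are all assumptions constructed for this example; the particular fields hashed and the keyed-HMAC step are one possible reading of "a plurality of calculations and transformations", not the method the patent specifies.

```python
"""Hypothetical model of the claimed SAML forgery check (constructed example)."""
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
UID_ATTR = "pm-uid"  # assumed attribute name the IdP uses to carry the identifier


def identification_string(assertion_xml: str) -> str:
    """The IdP-generated value the policy manager compares between assertions."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS)
    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    return f"{issuer}|{name_id}"


def identifier_attribute(assertion_xml: str) -> Optional[str]:
    """Return the unique identifier carried in the assertion, or None if absent."""
    root = ET.fromstring(assertion_xml)
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == UID_ATTR:
            return attr.findtext("saml:AttributeValue", default=None, namespaces=NS)
    return None


class HashingSubsystem:
    """Derives a unique identifier: select fields -> canonicalize -> SHA-256 -> keyed HMAC."""

    def __init__(self, key: Optional[bytes] = None):
        self._key = key or secrets.token_bytes(32)

    def unique_identifier(self, assertion_xml: str) -> str:
        root = ET.fromstring(assertion_xml)
        # Transformation 1: select stable fields rather than the raw document.
        fields = [root.get("ID", ""), root.get("IssueInstant", ""),
                  identification_string(assertion_xml)]
        canonical = "\n".join(fields).encode("utf-8")
        # Transformation 2: hash. Transformation 3: keyed MAC, so reading an
        # assertion does not let anyone compute a valid identifier for another one.
        digest = hashlib.sha256(canonical).digest()
        return hmac.new(self._key, digest, hashlib.sha256).hexdigest()[:32]


@dataclass
class AuthRecord:
    identification_string: str
    unique_identifier: str


class PolicyManager:
    """Stores the record of the first assertion and validates later ones."""

    def __init__(self, hasher: HashingSubsystem, idp: "SimulatedIdP"):
        self._hasher, self._idp = hasher, idp
        self._records: Dict[str, AuthRecord] = {}

    def enroll(self, user: str, first_assertion_xml: str) -> str:
        uid = self._hasher.unique_identifier(first_assertion_xml)
        self._records[user] = AuthRecord(identification_string(first_assertion_xml), uid)
        self._idp.register_identifier(user, uid)  # IdP will include it from now on
        return uid

    def authorize(self, user: str, second_assertion_xml: str) -> Tuple[bool, str]:
        record = self._records.get(user)
        if record is None:
            return False, "no stored record for user"
        if identification_string(second_assertion_xml) != record.identification_string:
            return False, "identification string mismatch"
        presented = identifier_attribute(second_assertion_xml)
        if presented is None:
            return False, "unique identifier missing"
        if not hmac.compare_digest(presented, record.unique_identifier):
            return False, "unique identifier invalid"
        return True, "ok"


class SimulatedIdP:
    """Stand-in identity provider that stamps the registered identifier into assertions."""
    ISSUER = "https://idp.example.test"  # constructed value

    def __init__(self):
        self._ids: Dict[str, str] = {}
        self._n = 0

    def register_identifier(self, user: str, uid: str) -> None:
        self._ids[user] = uid

    def issue(self, user: str, include_identifier: bool = True) -> str:
        self._n += 1
        attr = ""
        if include_identifier and user in self._ids:
            attr = (f'<saml:AttributeStatement><saml:Attribute Name="{UID_ATTR}">'
                    f'<saml:AttributeValue>{self._ids[user]}</saml:AttributeValue>'
                    '</saml:Attribute></saml:AttributeStatement>')
        return (f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="_a{self._n}" '
                f'IssueInstant="2024-01-01T00:00:{self._n:02d}Z">'
                f'<saml:Issuer>{self.ISSUER}</saml:Issuer>'
                f'<saml:Subject><saml:NameID>{user}</saml:NameID></saml:Subject>'
                f'{attr}</saml:Assertion>')


def run_demo() -> Dict[str, Tuple[bool, str]]:
    """Enroll one user, then check four constructed follow-up assertions."""
    idp = SimulatedIdP()
    pm = PolicyManager(HashingSubsystem(key=b"constructed-demo-key"), idp)
    user = "alice@example.test"
    uid = pm.enroll(user, idp.issue(user))  # first assertion carries no identifier yet
    legit = idp.issue(user)
    return {
        "legitimate": pm.authorize(user, legit),
        "identifier_stripped": pm.authorize(user, idp.issue(user, include_identifier=False)),
        "identifier_tampered": pm.authorize(user, legit.replace(uid, "0" * 32)),
        "other_issuer": pm.authorize(
            user, legit.replace(SimulatedIdP.ISSUER, "https://other-idp.example.test")),
    }


if __name__ == "__main__":
    for case, verdict in run_demo().items():
        print(f"{case:20s} -> {verdict}")
```

Two design points worth noting. The identifier is looked up from the stored record rather than recomputed, because the later assertions legitimately differ in `ID` and `IssueInstant`; the keyed HMAC only matters for the enrolment step, where it keeps the identifier unguessable from the assertion's own contents. And this check is a supplement to, not a replacement for, ordinary XML-signature validation of the assertion: the `pm-uid` attribute only has value if it sits inside the signed portion of the assertion the identity provider issues.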