Title: Enhancing directory service authentication and authorization using contextual information
Abstract: Systems and methods are provided for authenticating and authorizing network access requests using directory services, in which the directory service authentication and authorization procedures are enhanced using contextual information.
Publication number: US9094398(B2)   Publication date: 2015.07.28
Application number: US201313968841   Filing date: 2013.08.16
Applicant: International Business Machines Corporation   Inventors: Barkie Eric J.; Fletcher Benjamin L.; Malone Colm; Wyskida Andrew P.
Classification: H04L29/06; H04L29/12   Main classification: H04L29/06
Agent: Ryan, Mason & Lewis, LLP   Attorneys: Percello Louis J.; Ryan, Mason & Lewis, LLP
Main claim: 1. An article of manufacture comprising computer readable program code embodied thereon, which when executed by a computer, performs a method for controlling access to a network, the method comprising: receiving, by a gateway server, an access request from a client application running on a computing device for accessing a remote network, wherein the access request comprises a username and a user password as contextual information for use in authorizing access to the remote network, wherein the access request comprises at least one of a first type of access request and a second type of access request, wherein the username associated with said first type of access request includes a user identifier, and wherein the username associated with said second type of access request includes a user identifier in combination with other contextual information, wherein the other contextual information comprises contextual information about the computing device and the client application requesting access to the remote network; submitting, by the gateway server, an authorization query to a directory server, wherein the authorization query comprises the contextual information contained in the access request received from the client application to access the remote network; receiving, by the gateway server, an authorization result from the directory server in response to the authorization query, the authorization result being dynamically generated in real-time by the directory server based on a determination by the directory server as to the type of access request associated with the submitted authorization query, wherein for the first type of access request, the authorization result indicates whether the user is authorized to access the remote network based on an evaluation of the user identifier and the user password included in the submitted authorization query, and wherein for the second type of access request, the authorization result is generated by evaluating the user identifier in combination with the other contextual information included in the submitted authorization query using one or more network connection rules, wherein the authorization result comprises a connection object comprising a network connection rule which specifies at least one rule to be applied by the gateway server to establish a network connection between the client application and the remote network based on the user identifier in combination with the other contextual information; establishing, by the gateway server, a network connection between the client application and the remote network, when a successful authorization result is generated in response to the first type of access request; and establishing, by the gateway server, a network connection between the client application and the remote network in accordance with the network connection rule, when a successful authorization result is generated in response to the second type of access request.
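The two-request-type flow of claim 1 (credentials-only request versus user identifier plus device/app context, with the directory server deciding the type and returning either a plain result or a connection object carrying a rule), as an added Python simulation that is not part of the patent or of IBM's code. The "id;device=...;app=..." username encoding, the user table and the connection rules are constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed demo directory (assumption): salted password hashes per user identifier.
_SALT = b"demo-salt"

def _digest(password: str) -> str:
    return hashlib.sha256(_SALT + password.encode()).hexdigest()

DIRECTORY_USERS = {"alice": _digest("correct horse"), "bob": _digest("hunter2")}

# Constructed network connection rules: a context pattern ("*" = any value) and the
# rule the gateway must apply when that pattern matches the request's device/app context.
CONNECTION_RULES = [
    ({"device": "managed-laptop", "app": "corp-vpn"},
     {"allowed_subnets": ["10.0.0.0/8"], "require_mfa": False}),
    ({"device": "*", "app": "corp-vpn"},
     {"allowed_subnets": ["10.10.0.0/16"], "require_mfa": True}),
]

@dataclass
class AccessRequest:
    username: str   # "alice" (first type) or "alice;device=..;app=.." (second type, assumed encoding)
    password: str

def split_username(username: str):
    """Separate the user identifier from any contextual key=value pairs carried in the username."""
    user_id, *pairs = username.split(";")
    context = dict(p.partition("=")[::2] for p in pairs if "=" in p)
    return user_id, context

def directory_authorize(username: str, password: str):
    """Directory-server side: determine the request type and generate the result.
    None = denied; {"authorized": True} for the first type; for the second type a
    connection object that also carries the matched network connection rule."""
    user_id, context = split_username(username)
    stored = DIRECTORY_USERS.get(user_id)
    if stored is None or not hmac.compare_digest(stored, _digest(password)):
        return None                          # unknown user identifier or wrong password
    if not context:
        return {"authorized": True}          # first type: credentials only
    for pattern, rule in CONNECTION_RULES:   # second type: user + context against the rules
        if all(pattern[k] in ("*", context.get(k)) for k in pattern):
            return {"authorized": True, "connection_rule": rule}
    return None                              # no rule matches the context: deny, never default-allow

def gateway_handle(request: AccessRequest):
    """Gateway side: forward the contextual information, then connect according to the result."""
    result = directory_authorize(request.username, request.password)
    if result is None:
        return {"connected": False, "rule": None}
    return {"connected": True, "rule": result.get("connection_rule")}
```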
Address: Armonk NY US