US-12621268-B2 - Zero trust private application access via social media based validation for government applications
Abstract
Systems and methods include receiving a request from a user to access an application; determining if the user meets one or more requirements, wherein responsive to the user meeting the one or more requirements, presenting the user with a login page; validating credentials of the user with one or more additional sources; responsive to successful validation of the user's credentials, authenticating the user and evaluating one or more access policies for the user; and initiating a connection between the user and the application based on the one or more access policies.
Inventors
- John A. Chanak
- William FEHRING
- Richard Miles
- Shujaat Jaffrey
- Jose Padin
- Matthew Moulton
Assignees
- ZSCALER, INC.
Dates
- Publication Date: 2026-05-05
- Application Date: 2023-01-27
Claims (20)
- 1. A method for providing zero trust private application access for applications comprising: receiving, at a cloud-based system, a request from a user to access an application; determining, by the cloud-based system, whether the user meets one or more authentication or contextual requirements; responsive to the user meeting the one or more requirements, presenting, by the cloud-based system, the user with a login page that is hosted by the cloud-based system and not by the application; validating credentials of the user with one or more additional identity sources including at least one federated identity provider configured by an administrator; responsive to successful validation of the user's credentials, authenticating the user and evaluating, at the cloud-based system, one or more access policies for the user; and initiating, by the cloud-based system, a per-session connection between the user and an application connector associated with the application, the application connector being configured to establish only outbound connections to the cloud-based system such that the application is not exposed to inbound connections, wherein the user is not placed on a network containing the application, and the application remains undiscoverable from the Internet, and a path between the user and the application is stitched only for a duration of an authorized session.
- 2. The method of claim 1, wherein the connection between the user and the application is via an application connector instantiated within a protected network environment, the application connector configured to initiate an outbound connection to the cloud-based system to enable access to the application without exposing the application to inbound connections, and wherein the application connector rejects all unsolicited inbound traffic and is not addressable from outside the protected network environment.
- 3. The method of claim 1, wherein the login page presented to the user includes selectable authentication options corresponding to a plurality of identity providers configured by an administrator, and wherein the identity providers include one or more public or private authentication sources, including at least one identity provider that is not reachable from the network containing the application.
- 4. The method of claim 3, wherein the one or more additional sources include a social media service chosen from the one or more social media services, and wherein the validating includes validating the user's credentials with the social media service.
- 5. The method of claim 4, further comprising: responsive to receiving the request, forwarding a Security Assertion Markup Language (SAML) request to a configured Identity Provider (IDP), wherein the determining, validating, and authenticating are performed by the IDP; and receiving validation from the IDP indicating that the authentication is successful.
- 6. The method of claim 1, wherein the authenticating further includes utilizing one or more of contextual access policies and Multi-factor Authentication (MFA) in order to authenticate a user, wherein the contextual access policies are evaluated by the cloud-based system rather than by the application or the protected network environment.
- 7. The method of claim 6, wherein the contextual access policies include geo-location, network location, endpoint device posture, and social network, and wherein MFA includes soft tokens, one-time codes, push notifications, and utilization of biometric devices.
- 8. The method of claim 1, wherein the application is a government application configured for access by a citizen, and wherein access to the government application requires an assurance level defined by a government-mandated digital identity framework.
- 9. A non-transitory computer-readable medium comprising instructions that, when executed, cause one or more processors to perform steps of: receiving, at a cloud-based system, a request from a user to access an application; determining, by the cloud-based system, whether the user meets one or more authentication or contextual requirements; responsive to the user meeting the one or more requirements, presenting, by the cloud-based system, the user with a login page that is hosted by the cloud-based system and not by the application; validating credentials of the user with one or more additional identity sources including at least one federated identity provider configured by an administrator; responsive to successful validation of the user's credentials, authenticating the user and evaluating, at the cloud-based system, one or more access policies for the user; and initiating, by the cloud-based system, a per-session connection between the user and an application connector associated with the application, the application connector being configured to establish only outbound connections to the cloud-based system such that the application is not exposed to inbound connections, wherein the user is not placed on a network containing the application, and the application remains undiscoverable from the Internet, and a path between the user and the application is stitched only for a duration of an authorized session.
- 10. The non-transitory computer-readable medium of claim 9, wherein the connection between the user and the application is via an application connector instantiated within a protected network environment, the application connector configured to initiate an outbound connection to the cloud-based system to enable access to the application without exposing the application to inbound connections, and wherein the application connector rejects all unsolicited inbound traffic and is not addressable from outside the protected network environment.
- 11. The non-transitory computer-readable medium of claim 9, wherein the login page presented to the user includes selectable authentication options corresponding to a plurality of identity providers configured by an administrator, and wherein the identity providers include one or more public or private authentication sources, including at least one identity provider that is not reachable from the network containing the application.
- 12. The non-transitory computer-readable medium of claim 11, wherein the one or more additional sources include a social media service chosen from the one or more social media services, and wherein the validating includes validating the user's credentials with the social media service.
- 13. The non-transitory computer-readable medium of claim 12, wherein the instructions further cause the one or more processors to perform steps of: responsive to receiving the request, forwarding a Security Assertion Markup Language (SAML) request to a configured Identity Provider (IDP), wherein the determining, validating, and authenticating are performed by the IDP; and receiving validation from the IDP indicating that the authentication is successful.
- 14. The non-transitory computer-readable medium of claim 9, wherein the authenticating further includes utilizing one or more of contextual access policies and Multi-factor Authentication (MFA) in order to authenticate a user, wherein the contextual access policies are evaluated by the cloud-based system rather than by the application or the protected network environment.
- 15. The non-transitory computer-readable medium of claim 14, wherein the contextual access policies include geo-location, network location, endpoint device posture, and social network, and wherein MFA includes soft tokens, one-time codes, push notifications, and utilization of biometric devices.
- 16. The non-transitory computer-readable medium of claim 9, wherein the application is a government application, and wherein access to the government application requires an assurance level defined by a government-mandated digital identity framework.
- 17. A cloud-based system comprising: a plurality of nodes each having at least one processor and memory comprising instructions that, when executed, cause the at least one processor to: receive, at the cloud-based system, a request from a user to access an application; determine, by the cloud-based system, whether the user meets one or more authentication or contextual requirements; responsive to the user meeting the one or more requirements, present, by the cloud-based system, the user with a login page that is hosted by the cloud-based system and not by the application; validate credentials of the user with one or more additional identity sources including at least one federated identity provider configured by an administrator; responsive to successful validation of the user's credentials, authenticate the user and evaluate, at the cloud-based system, one or more access policies for the user; and initiate, by the cloud-based system, a per-session connection between the user and an application connector associated with the application, the application connector being configured to establish only outbound connections to the cloud-based system such that the application is not exposed to inbound connections, wherein the user is not placed on a network containing the application, and the application remains undiscoverable from the Internet, and a path between the user and the application is stitched only for a duration of an authorized session.
- 18. The cloud-based system of claim 17, wherein the connection between the user and the application is via an application connector instantiated within a protected network environment, the application connector configured to initiate an outbound connection to the cloud-based system to enable access to the application without exposing the application to inbound connections, and wherein the application connector rejects all unsolicited inbound traffic and is not addressable from outside the protected network environment.
- 19. The cloud-based system of claim 17, wherein the authenticating further includes utilizing one or more of contextual access policies and Multi-factor Authentication (MFA) in order to authenticate a user, wherein the contextual access policies are evaluated by the cloud-based system rather than by the application or the protected network environment.
- 20. The cloud-based system of claim 19, wherein the contextual access policies include geo-location, network location, endpoint device posture, and social network, and wherein MFA includes soft tokens, one-time codes, push notifications, and utilization of biometric devices.
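The flow recited in claims 1, 6 and 7 (contextual requirements checked before the login page, validation against a configured identity provider, policy evaluation at the cloud-based system, and a path stitched only for the duration of an authorized session to a connector that only dials out) as a small Python model. This is an added example, not code from the patent or from Zscaler; the class names, the "tax-portal" application, the `https://idp.example.invalid` identity provider and every policy value are constructed for illustration.

```python
"""Added example, not code from the patent or from Zscaler: a toy model of the
access flow recited in the claims. The broker checks contextual requirements
before a login page is shown, accepts an identity assertion only from a
configured IdP, evaluates access policies, and stitches a per-session path to a
connector that only ever registers outbound. All names and values are constructed."""
from dataclasses import dataclass
import time

@dataclass(frozen=True)
class SessionContext:
    user: str
    country: str            # geo-location
    network: str            # network location, e.g. "corp", "home", "public"
    device_compliant: bool  # endpoint posture reported by the client
    mfa_done: bool          # MFA already satisfied for this request

@dataclass(frozen=True)
class IdpAssertion:
    """Stand-in for the validated SAML response returned by the configured IdP."""
    issuer: str
    subject: str
    valid: bool

@dataclass(frozen=True)
class AccessPolicy:
    app: str
    allowed_countries: frozenset
    allowed_networks: frozenset
    require_compliant_device: bool
    require_mfa: bool
    session_ttl: int  # seconds the stitched path may live

@dataclass
class Session:
    user: str
    app: str
    connector_id: str
    expires_at: float

    def active(self, now):
        """The path exists only for the duration of the authorized session."""
        return now < self.expires_at

class Broker:
    def __init__(self, policies, trusted_idps):
        self.policies = {p.app: p for p in policies}
        self.trusted_idps = frozenset(trusted_idps)
        self.connectors = {}  # app -> connector that dialled out to the broker

    def register_outbound(self, app, connector_id):
        """Connectors dial out and register; the broker holds no inbound route."""
        self.connectors.setdefault(app, connector_id)

    def precheck(self, ctx, app):
        """Contextual requirements evaluated before any login page is shown."""
        policy = self.policies.get(app)
        if policy is None:
            return ["no policy for app"]
        reasons = []
        if ctx.country not in policy.allowed_countries:
            reasons.append("geo-location not allowed")
        if ctx.network not in policy.allowed_networks:
            reasons.append("network location not allowed")
        return reasons

    def evaluate(self, ctx, app):
        """Access policies evaluated after the IdP has validated the user."""
        policy = self.policies[app]
        reasons = []
        if policy.require_compliant_device and not ctx.device_compliant:
            reasons.append("device posture non-compliant")
        if policy.require_mfa and not ctx.mfa_done:
            reasons.append("MFA required")
        return reasons

    def request_access(self, ctx, app, assertion, now=None):
        """Return (Session, []) on success or (None, [reasons]) on denial."""
        now = time.time() if now is None else now
        reasons = self.precheck(ctx, app)
        if reasons:
            return None, reasons
        if (assertion.issuer not in self.trusted_idps or not assertion.valid
                or assertion.subject != ctx.user):
            return None, ["identity validation failed"]
        reasons = self.evaluate(ctx, app)
        if reasons:
            return None, reasons
        connector = self.connectors.get(app)
        if connector is None:
            return None, ["no outbound connector registered for app"]
        return Session(ctx.user, app, connector, now + self.policies[app].session_ttl), []

def build_demo_broker():
    """Constructed sample configuration: one app, one connector, one trusted IdP."""
    policy = AccessPolicy("tax-portal", frozenset({"US"}), frozenset({"corp", "home"}),
                          require_compliant_device=True, require_mfa=True, session_ttl=600)
    broker = Broker([policy], ["https://idp.example.invalid"])  # hypothetical IdP URL
    broker.register_outbound("tax-portal", "connector-1")
    return broker
```

The ordering matters for the defender: the precheck runs before any login page exists, so a request from a disallowed geo-location or network never reaches the identity provider; the assertion is accepted only from a configured issuer and only for the subject who made the request; and a connector that has not dialled out cannot be reached at all, because the broker keeps no inbound route to it. Every denial returns the reasons rather than a bare failure, which is what a security operations team needs for logging and alerting.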
Description
CROSS-REFERENCE TO RELATED APPLICATION(S)
The present patent/application is a continuation-in-part of U.S. patent application Ser. No. 16/800,307, filed Feb. 25, 2020, and entitled “Secure application access systems and methods via a lightweight connector and a cloud-based system,” which is a continuation of U.S. patent application Ser. No. 15/986,874, filed May 13, 2018, and entitled “Clientless connection setup for cloud-based virtual private access systems and methods,” which is a continuation-in-part of U.S. patent application Ser. No. 15/158,153 filed May 18, 2016 (now U.S. Pat. No. 10,375,024, issued Aug. 6, 2019), and entitled “CLOUD-BASED VIRTUAL PRIVATE ACCESS SYSTEMS AND METHODS,” which is a continuation-in-part of U.S. patent application Ser. No. 14/310,348 filed Jun. 20, 2014 (now U.S. Pat. No. 9,350,710, issued May 24, 2016), and entitled “INTELLIGENT, CLOUD-BASED GLOBAL VIRTUAL PRIVATE NETWORK SYSTEMS AND METHODS,” the contents of each of which are incorporated by reference herein in their entirety.
FIELD OF THE DISCLOSURE
The present disclosure generally relates to computer networking systems and methods. More particularly, the present disclosure relates to systems and methods for zero trust private application access for government applications.
BACKGROUND OF THE DISCLOSURE
The traditional view of an enterprise network (i.e., corporate, private, etc.) included a well-defined perimeter defended by various appliances (e.g., firewalls, intrusion prevention, advanced threat detection, etc.). In this traditional view, mobile users utilize a Virtual Private Network (VPN), etc. and have their traffic backhauled into the well-defined perimeter. This worked when mobile users represented a small fraction of the users, i.e., most users were within the well-defined perimeter.
However, this is no longer the case: the definition of the workplace is no longer confined to within the well-defined perimeter, and with applications moving to the cloud, the perimeter has extended to the Internet. This results in an increased risk for the enterprise data residing on unsecured and unmanaged devices as well as the security risks in access to the Internet. Cloud-based security solutions have emerged, such as Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA), available from Zscaler, Inc., the applicant and assignee of the present application. ZPA is a cloud service that provides seamless, zero trust access to private applications running on the public cloud, within the data center, within an enterprise network, etc. As described herein, ZPA is referred to as zero trust access to private applications or simply a zero trust access service. Here, applications are never exposed to the Internet, making them completely invisible to unauthorized users. The service enables the applications to connect to users via inside-out connectivity versus extending the network to them. Users are never placed on the network. This Zero Trust Network Access (ZTNA) approach supports both managed and unmanaged devices and any private application (not just web apps). It provides significant security by avoiding direct exposure of applications to the Internet; rather, the connector dials out to the cloud. However, enterprise applications contain critical resources, and it is critical that any device accessing such applications, even through a ZTNA approach, is monitored.
BRIEF SUMMARY OF THE DISCLOSURE
The present disclosure relates to systems and methods for zero trust private application access for government applications.
In various embodiments, systems and methods include receiving a request from a user to access an application, determining if the user meets one or more requirements, wherein responsive to the user meeting the one or more requirements, presenting the user with a login page, validating credentials of the user with one or more additional sources, responsive to successful validation of the user's credentials, authenticating the user and evaluating one or more access policies for the user, and initiating a connection between the user and the application based on the one or more access policies. The systems and methods can further include the connection between the user and the application being via an application connector. The login page can include a choice of social media services that have been configured for authentication. The one or more additional sources can include a social media service chosen from the one or more social media services, and the validating can include validating the user's credentials with the social media service. Responsive to receiving the request, the steps can include forwarding a Security Assertion Markup Language (SAML) request to a configured Identity Provider (IDP), wherein the determining, validating, and authenticating are performed by the IDP, and receiving validation from the IDP indicating that the authentication is successful. The