Abstract: Systems and methods are described for authenticating a client device through remote browser isolation (RBI). An RBI service determines that a remote browser thereof is configured to issue an authentication request to an identity provider to access a resource of a resource provider and, in response, transmits a command to an RBI frontend of a client browser executing on a client computing device. The RBI frontend receives the command and, in response, generates a browsing context that issues a client-side authentication request to the identity provider that includes information accessible to the client computing device. Responsive to issuing the client-side authentication request, the browsing context receives an authentication artifact from an access service and transmits the authentication artifact to the RBI service.

Abstract: According to examples, an apparatus may include a processor that may identify a navigation event responsive to a URL being entered into an address bar of a web browser, the URL having a domain and a URL component, and may determine whether the web browser received an instruction to navigate to a return URL, in which the return URL includes a suffix domain for a proxy and does not include the URL component. The processor may also, based on a determination that the web browser received the instruction to navigate to the return URL, generate a modified URL by appending the suffix domain to the URL to restore context of the URL for the proxy and navigate the web browser to the modified URL.

Abstract: The disclosure is generally directed towards a client device agent (e.g., a network agent) learning that a service domain is authenticated via a corresponding suffix proxy domain. The network agent may then direct a service domain request to the suffix proxy domain. The learning process generally involves evaluating headers in URL redirection communications between the client device and an authentication service, such as an identity provider (IDP). Based on a session control policy, the IDP may “bounce” the user to a proxy service (e.g., a suffix proxy). Accordingly, the IDP may include a “bouncer”. The network agent generally learns from the headers that a request to a service domain gets redirected (e.g., bounced) to a suffix proxy domain. The agent intercepts subsequent requests to the service domain, updates the request URL, and sends the updated request to the suffix proxy domain.

Abstract: According to examples, an apparatus may include a processor that may identify a navigation event responsive to a URL being entered into an address bar of a web browser, the URL having a domain and a URL component, and may determine whether the web browser received an instruction to navigate to a return URL, in which the return URL includes a suffix domain for a proxy and does not include the URL component. The processor may also, based on a determination that the web browser received the instruction to navigate to the return URL, generate a modified URL by appending the suffix domain to the URL to restore context of the URL for the proxy and navigate the web browser to the modified URL.

Abstract: According to examples, an apparatus may include a processor that may identify a navigation event responsive to a URL being entered into an address bar of a web browser, the URL having a domain and a URL component, and may determine whether the web browser received an instruction to navigate to a return URL, in which the return URL includes a suffix domain for a proxy and does not include the URL component. The processor may also, based on a determination that the web browser received the instruction to navigate to the return URL, generate a modified URL by appending the suffix domain to the URL to restore context of the URL for the proxy and navigate the web browser to the modified URL.

Abstract: According to examples, an apparatus may include a processor that may identify a navigation event responsive to a URL being entered into an address bar of a web browser, the URL having a domain and a URL component, and may determine whether the web browser received an instruction to navigate to a return URL, in which the return URL includes a suffix domain for a proxy and does not include the URL component. The processor may also, based on a determination that the web browser received the instruction to navigate to the return URL, generate a modified URL by appending the suffix domain to the URL to restore context of the URL for the proxy and navigate the web browser to the modified URL.

Abstract: Securing inter-frame communication within a web page. First, receipt of a request from a client for accessing a web page document is detected. The request includes a URL that identifies the web page document. The web page document has a tree structure that includes a top parent object and multiple child objects. The multiple child objects include at least a first child object associated with a first domain and a second child object associated with a second domain. The web page document is retrieved from a location corresponding to the URL. The code of the retrieved web page document is then modified to enable secure communication between modified code of the first child object and modified code of the second object. Finally, the modified web page document is sent to the client.

Abstract: A security service to verify a network resource accessed from a resource address in an application at client device is disclosed. The resource address is converted into a proxy address with a suffix domain of a proxy server. The proxy server is coupled to the client device. The network resource is verified at the proxy server.

Abstract: Securing inter-frame communication within a web page. First, receipt of a request from a client for accessing a web page document is detected. The request includes a URL that identifies the web page document. The web page document has a tree structure that includes a top parent object and multiple child objects. The multiple child objects include at least a first child object associated with a first domain and a second child object associated with a second domain. The web page document is retrieved from a location corresponding to the URL. The code of the retrieved web page document is then modified to enable secure communication between modified code of the first child object and modified code of the second object. Finally, the modified web page document is sent to the client.

Abstract: Methods, systems, and media are shown for providing a reverse proxy system with SSO capability involving receiving an authentication response message from a client that includes an authentication token and a unique session identifier and determining whether the identifier is stored on the proxy service. If the session identifier is stored on the proxy service, sending the authentication response message to a service provider to which the authentication response message is directed. If the session identifier in the authentication response message is not stored on the proxy service: sending a login request message to the service provider to which the authentication response message is directed, receiving an authentication request message from the service provider that includes an other unique session identifier and redirects the authentication request message to an identity provider, storing the other session identifier, and sending the authentication request message with the other identifier to the client.

Abstract: A proxy server to retrieve a web address received from a client to a webserver is disclosed. The proxy server can include a reverse proxy server. The web address is converted into proxy address at the proxy server. The proxy address is wrapped into a wrapper domain with a wrapping frame.

Abstract: A proxy server to retrieve a web address received from a client to a webserver is disclosed. The proxy server can include a reverse proxy server. The web address is converted into proxy address at the proxy server. The proxy address is wrapped into a wrapper domain with a wrapping frame.

Abstract: Methods, systems, and media are shown for providing a reverse proxy system with SSO capability involving receiving an authentication response message from a client that includes an authentication token and a unique session identifier and determining whether the identifier is stored on the proxy service. If the session identifier is stored on the proxy service, sending the authentication response message to a service provider to which the authentication response message is directed. If the session identifier in the authentication response message is not stored on the proxy service: sending a login request message to the service provider to which the authentication response message is directed, receiving an authentication request message from the service provider that includes an other unique session identifier and redirects the authentication request message to an identity provider, storing the other session identifier, and sending the authentication request message with the other identifier to the client.