Identity proxy to provide access control and single sign on
First Claim
1. A method of providing secure access to a cloud-based service, comprising:
receiving a request associated with a client app on a device to connect to a security proxy associated with the cloud-based service, wherein the security proxy is remote from the cloud-based service; and
determining whether a security posture associated with the device is compliant;
establishing, by a tunnel server associated with the security proxy, a secure tunnel between the device and the security proxy in response to determining that the security posture associated with the device is compliant;
determining by the security proxy that the requesting client app is authorized to access the cloud-based service from the device based on information associated with the device;
obtaining, by the security proxy from an identity provider associated with the cloud-based service, a security token signed by the identity provider;
providing, by the tunnel server, the security token to the client app, wherein the security token is to be used by the client app to authenticate to the cloud-based service; and
monitoring, by the tunnel server, a compliance posture of the device and blocking access to the cloud-based service based at least in part on an indication that the compliance posture of the device has changed.
4 Assignments
0 Petitions
Abstract
Techniques to provide secure access to a cloud-based service are disclosed. In various embodiments, a request is received from a client app on a device to connect to a security proxy associated with the cloud-based service. A secure tunnel connection between the device and a node with which the security proxy is associated is used to establish the requested connection to the security proxy. Information associated with the secure tunnel is used to determine that the requesting client app is authorized to access the cloud-based service from the device and to obtain from an identity provider associated with the cloud-based service a security token to be used by the client app to authenticate to the cloud-based service.
32 Citations
18 Claims

1. A method of providing secure access to a cloud-based service, comprising:
receiving a request associated with a client app on a device to connect to a security proxy associated with the cloud-based service, wherein the security proxy is remote from the cloud-based service; and
determining whether a security posture associated with the device is compliant;
establishing, by a tunnel server associated with the security proxy, a secure tunnel between the device and the security proxy in response to determining that the security posture associated with the device is compliant;
determining by the security proxy that the requesting client app is authorized to access the cloud-based service from the device based on information associated with the device;
obtaining, by the security proxy from an identity provider associated with the cloud-based service, a security token signed by the identity provider;
providing, by the tunnel server, the security token to the client app, wherein the security token is to be used by the client app to authenticate to the cloud-based service; and
monitoring, by the tunnel server, a compliance posture of the device and blocking access to the cloud-based service based at least in part on an indication that the compliance posture of the device has changed.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14.

15. A system to provide secure access to a cloud-based service, comprising:
a communication interface; and
a hardware processor coupled to the communication interface and configured to:
receive via the communication interface a request associated with a client app on a device to connect to a security proxy associated with the cloud-based service, wherein the security proxy is remote from the cloud-based service; and
determine whether a security posture associated with the device is compliant;
establish, by a tunnel server associated with the security proxy, a secure tunnel between the device and the security proxy in response to determining that the security posture associated with the device is compliant;
determine, by the security proxy, that the requesting client app is authorized to access the cloud-based service from the device based on information associated with the device;
obtain, by the security proxy from an identity provider associated with the cloud-based service, a security token signed by the identity provider;
provide, by the tunnel server, the security token to the client app, wherein the security token is to be used by the client app to authenticate to the cloud-based service; and
monitor, by the tunnel server, a compliance posture of the device and block access to the cloud-based service based at least in part on an indication that the compliance posture of the device has changed.
Dependent claims: 16, 17.

18. A computer program product to provide secure access to a cloud-based service, the computer program product being embodied in a non-transitory computer readable storage device and comprising computer instructions for:
determining whether a security posture associated with the device is compliant;
establishing, by a tunnel server associated with the security proxy, a secure tunnel between the device and the security proxy in response to determining that the security posture associated with the device is compliant;
determining, by the security proxy, that the requesting client app is authorized to access the cloud-based service from the device based on information associated with the device;
obtaining, by the security proxy from an identity provider associated with the cloud-based service, a security token signed by the identity provider;
providing, by the tunnel server, the security token to the client app, wherein the security token is to be used by the client app to authenticate to the cloud-based service; and
monitoring, by the tunnel server, a compliance posture of the device and blocking access to the cloud-based service based at least in part on an indication that the compliance posture of the device has changed.
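The claimed flow (posture gate, tunnel, per-app authorization, IdP-signed token brokered through the tunnel server, continuous posture monitoring with blocking) as an added simulation in Python; this is illustrative code written for this page, not the patent's or any product's implementation. The policy, the device and app identifiers and the HMAC-signed token format are assumptions standing in for MDM data and a real SAML/OIDC identity provider.

```python
import hashlib
import hmac
import json
import secrets
from base64 import urlsafe_b64decode, urlsafe_b64encode

# Constructed policy and app-authorization table (illustrative stand-ins for MDM data).
POLICY = {"min_os": (16, 0), "allow_jailbroken": False}
AUTHORIZED_APPS = {"device-42": {"com.example.mail"}}  # device id -> client apps allowed

def posture_compliant(posture):
    """Compliance check run before tunnel setup and again on every posture update."""
    os_ok = tuple(map(int, posture["os_version"].split("."))) >= POLICY["min_os"]
    return os_ok and posture["passcode_set"] and (POLICY["allow_jailbroken"] or not posture["jailbroken"])

class IdentityProvider:
    """Stand-in IdP: HMAC-signed token (assumption; a real IdP issues SAML/OIDC assertions)."""
    def __init__(self, key):
        self.key = key
    def _sign(self, body):
        return hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
    def issue(self, device_id, app, sid):
        body = urlsafe_b64encode(json.dumps({"sub": device_id, "app": app, "sid": sid}).encode()).decode()
        return body + "." + self._sign(body)
    def verify(self, token):
        body, sig = token.rsplit(".", 1)
        return json.loads(urlsafe_b64decode(body)) if hmac.compare_digest(sig, self._sign(body)) else None

class SecurityProxy:
    """Tunnel server plus security proxy: posture gate, app authorization, token brokering, monitoring."""
    def __init__(self, idp):
        self.idp = idp
        self.sessions = {}  # tunnel session id -> (device_id, app); a missing id means blocked
    def connect(self, device_id, app, posture):
        """Returns (session id, IdP token), or None when the tunnel or the app is refused."""
        if not posture_compliant(posture):
            return None  # non-compliant device: no tunnel is established
        if app not in AUTHORIZED_APPS.get(device_id, set()):
            return None  # tunnel permitted, but this app may not reach the service from this device
        sid = secrets.token_hex(8)
        self.sessions[sid] = (device_id, app)
        return sid, self.idp.issue(device_id, app, sid)
    def report_posture(self, device_id, posture):
        """Posture update from the device; tears down its sessions once it falls out of compliance."""
        if not posture_compliant(posture):
            self.sessions = {s: v for s, v in self.sessions.items() if v[0] != device_id}
    def allow(self, sid):
        # Whether traffic on this tunnel session may still reach the cloud service.
        return sid in self.sessions
```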
Specification