Identity proxy to provide access control and single sign on

US 10,116,663 B2
Filed: 04/25/2018
Issued: 10/30/2018
Est. Priority Date: 01/26/2015
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a processor configured to;

receive a request associated with a client app on a device to connect to the system, wherein the system is associated with a cloud-based service, wherein the system is remote from the cloud-based service;

establish a secure tunnel between the device and the system;

determine that the requesting client app is authorized to access the cloud-based service;

obtain a security token trusted by the cloud-based service;

provide the security token to the client app, wherein the security token is to be used by the client app to access to the cloud-based service and cached by the device, wherein the cached security token allows one or more other client apps on the device to be authenticated to one or more corresponding cloud-based services using the secure tunnel;

monitoring a compliance posture of the device; and

blocking access to the cloud-based service based at least in part on an indication that the compliance posture of the device has changed; and

a memory coupled to the processor and configured to provide the processor with instructions.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques to provide secure access to a cloud-based service are disclosed. In various embodiments, a request is received from a client app on a device to connect to a security proxy associated with the cloud-based service. A secure tunnel connection between the device and a node with which the security proxy is associated is used to establish the requested connection to the security proxy. Information associated with the secure tunnel is used to determine that the requesting client app is authorized to access the cloud-based service from the device and to obtain from an identity provider associated with the cloud-based service a security token to be used by the client app to authenticate to the cloud-based service.

Citations

20 Claims

1. A system, comprising:
- a processor configured to;
  
  receive a request associated with a client app on a device to connect to the system, wherein the system is associated with a cloud-based service, wherein the system is remote from the cloud-based service;
  
  establish a secure tunnel between the device and the system;
  
  determine that the requesting client app is authorized to access the cloud-based service;
  
  obtain a security token trusted by the cloud-based service;
  
  provide the security token to the client app, wherein the security token is to be used by the client app to access to the cloud-based service and cached by the device, wherein the cached security token allows one or more other client apps on the device to be authenticated to one or more corresponding cloud-based services using the secure tunnel;
  
  monitoring a compliance posture of the device; and
  
  blocking access to the cloud-based service based at least in part on an indication that the compliance posture of the device has changed; and
  
  a memory coupled to the processor and configured to provide the processor with instructions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The system of claim 1, wherein the request is sent by the client app in response to a redirect message received from the cloud-based service.
  - 3. The system of claim 2, wherein the redirect message includes a URL or other locator associated with a security proxy.
  - 4. The system of claim 1, wherein the security proxy is associated with the system and the secure tunnel is established between the device and a tunnel server running on the system.
  - 5. The system of claim 1, wherein to establish the secure tunnel, the processor is configured to receive from the device a security certificate.
  - 6. The system of claim 5, wherein the processor is further configured to use information comprising the security certificate to determine one or more of device, app, user, and certificate information.
  - 7. The system of claim 5, wherein the processor is further configured to use information associated with the security certificate to determine that the requesting client app is authorized to access the cloud-based service.
  - 8. The system of claim 1, wherein a security proxy of the system is configured to use the information associated with the device to determine that the requesting client app is authorized to access the cloud-based service from the device at least in part by performing a compliance check with respect to the device.
  - 9. The system of claim 1, wherein a secure proxy of the system comprises an identity provider proxy configured to have a chained identity provider or other trust-based relationship to the identity provider associated with the cloud-based service.
  - 10. The system of claim 9, wherein the processor is further configured to determine that the secure tunnel has already been established and to establish the requested connection to the identity provider proxy on behalf of the requesting client app without requiring any further credential to be provided.
  - 11. The system of claim 8, wherein the security token comprises a Security Assertion Markup Language (SAML) assertion.
  - 12. The system of claim 8, wherein the security proxy comprises a delegated identity provider.
  - 13. The system of claim 8, wherein the security proxy comprises a service provider proxy.
  - 14. The system of claim 13, wherein the processor is configured to sign the security token as and on behalf of an identity provider proxy associated with the cloud-based service.

15. A method of providing secure access to a cloud-based service, comprising:
- receiving a request associated with a client app on a device to connect to a security proxy server associated with the cloud-based service, wherein the security proxy server is remote from the cloud-based service; and
  
  establishing a secure tunnel between the device and the security proxy server;
  
  determining by the security proxy server that the requesting client app is authorized to access the cloud-based service;
  
  obtaining, by the security proxy server from an identity provider associated with the cloud-based service, a security token trusted by the cloud-based service;
  
  providing, by the security proxy server, the security token to the client app, wherein the security token is to be used by the client app to access to the cloud-based service and cached by the device, wherein the cached security token allows one or more other client apps on the device to be authenticated to one or more corresponding cloud-based services using the secure tunnel; and
  
  monitoring, by the security proxy server, a compliance posture of the device; and
  
  blocking access to the cloud-based service based at least in part on an indication that the compliance posture of the device has changed.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The method of claim 15, wherein the request is sent by the client app in response to a redirect message received from the cloud-based service.
  - 17. The method of claim 16, wherein the redirect message includes a URL or other locator associated with the security proxy.
  - 18. The method of claim 15, wherein the security proxy is associated with the system and the secure tunnel is established between the device and a tunnel server running on the system.
  - 19. The method of claim 15, wherein establishing the secure tunnel includes receiving from the device a security certificate.

20. A computer program product to provide secure access to a cloud-based service, the computer program product being embodied in a non-transitory computer readable storage device and comprising computer instructions for:
- receiving a request associated with a client app on a device to connect to a security proxy server associated with a cloud-based service, wherein the security proxy server is remote from the cloud-based service;
  
  establishing a secure tunnel between the device and the security proxy server;
  
  determining, by the security proxy server, that the requesting client app is authorized to access the cloud-based service from the deviceobtaining, by the security proxy server from an identity provider associated with the cloud-based service, a security token signed by the identity provider;
  
  providing, by the security proxy server, the security token to the client app, wherein the security token is to be used by the client app to access to the cloud-based service and cached by the device, wherein the cached security token allows one or more other client apps on the device to be authenticated to one or more corresponding cloud-based services using the secure tunnel; and
  
  monitoring, by the security proxy server, a compliance posture of the device; and
  
  blocking access to the cloud-based service based at least in part on an indication that the compliance posture of the device has changed.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ivanti, Inc. (Ivanti Software, Inc.)
Original Assignee
MobileIron, Inc.
Inventors
Karunakaran, Kumara Das, Pawar, Vijay, Liu, Jian
Primary Examiner(s)
Turchen, James
Assistant Examiner(s)
Jackson, Jenise

Application Number

US15/962,291
Publication Number

US 20180248884A1
Time in Patent Office

188 Days
Field of Search

726 4
US Class Current
CPC Class Codes

G06F 21/33   using certificates

H04L 63/0272   Virtual private networks

H04L 63/0281   Proxies

H04L 63/0815   providing single-sign-on or...

H04L 63/0823   using certificates cryptogr...

H04L 63/0884   by delegation of authentica...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04W 12/06   Authentication

H04W 12/37   Managing security policies ...

Identity proxy to provide access control and single sign on

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Identity proxy to provide access control and single sign on

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links