Methods for load balancing in a federated identity environment and devices thereof

US 10,567,492 B1
Filed: 01/04/2018
Issued: 02/18/2020
Est. Priority Date: 05/11/2017
Status: Active Grant

First Claim

Patent Images

1. A method for load balancing in a federated identity environment implemented by a network traffic management system comprising one or more identity provider server devices, service provider server devices, backend application server devices or client devices, the method comprising:

receiving a redirected authentication request from a client requesting access to an intended service provider server device of a plurality of service provider server devices, the authentication request originating from the intended service provider server device and being redirected through the client;

generating a token in response to successfully authenticating the authentication request;

comparing one or more network parameter values of the intended service provider server device against one or more network parameter values associated with each of the other service provider server devices of the plurality of service provider server devices;

selecting a different service provider server device from among the other service provider server devices based on the comparison and one or more selection rules; and

in response to successfully authenticating the authentication request, redirecting the client request to the selected different service provider server device instead of the intended service provider server device, and sending the generated token for accessing one or more applications associated with the selected different service provider server device to the client.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, non-transitory computer readable media, network traffic management apparatuses, and network traffic management systems performing load balancing in a federated identity environment. An enhanced identity service provider server receives a redirected user authentication from a client device. Upon successfully authenticating the user of the client device a token is generated. Further another service provider server is selected based on a comparison of one or more network parameters and the client device is redirected with the token to the another selected service provider server. Based on a validation of the token the client device accesses applications protected by the selected another service provider server.

Citations

20 Claims

1. A method for load balancing in a federated identity environment implemented by a network traffic management system comprising one or more identity provider server devices, service provider server devices, backend application server devices or client devices, the method comprising:
- receiving a redirected authentication request from a client requesting access to an intended service provider server device of a plurality of service provider server devices, the authentication request originating from the intended service provider server device and being redirected through the client;
  
  generating a token in response to successfully authenticating the authentication request;
  
  comparing one or more network parameter values of the intended service provider server device against one or more network parameter values associated with each of the other service provider server devices of the plurality of service provider server devices;
  
  selecting a different service provider server device from among the other service provider server devices based on the comparison and one or more selection rules; and
  
  in response to successfully authenticating the authentication request, redirecting the client request to the selected different service provider server device instead of the intended service provider server device, and sending the generated token for accessing one or more applications associated with the selected different service provider server device to the client.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein the one or more network parameter values of a respective service provider server device comprises a current load parameter value indicative of a load capacity of the respective service provider server device.
  - 3. The method of claim 1, wherein the one or more network parameter values of a respective service provider server device comprises a health parameter value indicative of a hardware failure of the respective service provider server device.
  - 4. The method of claim 1, wherein the one or more network parameter values of a respective service provider server device comprises a geographic location parameter value indicative of a distance between a geographic location of the intended service provider server device and the respective service provider server device.
  - 5. The method of claim 1, further comprising registering a uniform resource identifier (URI) for each of the plurality of service provider server devices with an identity provider, and wherein the client request is redirected to the selected different service provider server device using the registered URI of the selected different service provider server device.

6. An identity provider apparatus, comprising a memory with programmed instructions stored thereon and one or more processors configured to be capable of executing the stored programmed instructions to:
- receive a redirected authentication request from a client requesting access to an intended service provider server device of a plurality of service provider server devices, the authentication request originating from the intended service provider server device and being redirected through the client;
  
  generate a token in response to successfully authenticating the authentication request;
  
  compare one or more network parameter values of the intended service provider server device against one or more network parameter values associated with each of the other service provider server devices of the plurality of service provider server devices;
  
  select a different service provider server device from among the other service provider server devices based on the comparison and one or more selection rules; and
  
  in response to successfully authenticating the authentication request, redirect the client request to the selected different service provider server device instead of the intended service provider server device, and sending the generated token for accessing one or more applications associated with the selected different service provider server device to the client.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The apparatus of claim 6, wherein the one or more network parameter values of a respective service provider server device comprises a current load parameter value indicative of a load capacity of the respective service provider server device.
  - 8. The apparatus of claim 7, wherein the one or more network parameter values of a respective service provider server device comprises a health parameter value indicative of a hardware failure of the respective service provider server device.
  - 9. The apparatus of claim 7, wherein the one or more network parameter values of a respective service provider server device comprises a geographic location parameter value indicative of a distance between a geographic location of the intended service provider server device and the respective service provider server device.
  - 10. The apparatus of claim 7, wherein the one or more processors are further configured to be capable of executing the stored programmed instructions to:
    - register a uniform resource identifier (URI) for each of the plurality of service provider server devices with the identity provider apparatus, and wherein the client request is redirected to the selected different service provider server device using the registered URI of the selected different service provider server device.

11. A non-transitory computer readable medium having stored thereon instructions for load balancing in a federated identity environment comprising executable code which when executed by one or more processors, causes the one or more processors to:
- receive a redirected authentication request from a client requesting access to an intended service provider server device of a plurality of service provider server devices, the authentication request originating from the intended service provider server device and being redirected through the client;
  
  generate a token in response to successfully authenticating the authentication request;
  
  compare one or more network parameter values of the intended service provider server device against one or more network parameter values associated with each of the other service provider server devices of the plurality of service provider server devices;
  
  select a different service provider server device from among the other service provider server devices based on the comparison and one or more selection rules; and
  
  in response to successfully authenticating the authentication request, redirect the client request to the selected different service provider server device instead of the intended service provider server device, and sending the generated token for accessing one or more applications associated with the selected different service provider server device to the client.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The non-transitory computer readable medium of claim 11, wherein the one or more network parameter values of a respective service provider server device comprises a current load parameter value indicative of a load capacity of the respective service provider server device.
  - 13. The non-transitory computer readable medium of claim 12, wherein the one or more network parameter values of a respective service provider server device comprises a health parameter value indicative of a hardware failure of the respective service provider server device.
  - 14. The non-transitory computer readable medium of claim 12, wherein the one or more network parameter values of a respective service provider server device comprises a geographic location parameter value indicative of a distance between a geographic location of the intended service provider server device and the respective service provider server device.
  - 15. The non-transitory computer readable medium of claim 12, wherein the executable code when executed by the one or more processors further causes the one or more processors to:
    - register a uniform resource identifier (URI) for each of the plurality of service provider server devices with an identity provider, and wherein the client request is redirected to the selected different service provider server device using the registered URI of the selected different service provider server device.

16. A network traffic management system, comprising one or more traffic management apparatuses, client devices, or server devices, the network traffic management system comprising memory comprising programmed instructions stored thereon and one or more processors configured to be capable of executing the stored programmed instructions to:
- receive a redirected authentication request from a client requesting access to an intended service provider server device of a plurality of service provider server devices, the authentication request originating from the intended service provider server device and being redirected through the client;
  
  generate a token in response to successfully authenticating the authentication request;
  
  compare one or more network parameter values of the intended service provider server device against one or more network parameter values associated with each of the other service provider server devices of the plurality of service provider server devices;
  
  select a different service provider server device from among the other service provider server devices based on the comparison and one or more selection rules; and
  
  in response to successfully authenticating the authentication request, redirect the client request to the selected different service provider server device instead of the intended service provider server device, and sending the generated token for accessing one or more applications associated with the selected different service provider server device to the client.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The network traffic management system of claim 16, wherein the one or more network parameter values of a respective service provider server device comprises a current load parameter value indicative of a load capacity of the respective service provider server device.
  - 18. The network traffic management system of claim 17, wherein the one or more network parameter values of a respective service provider server device comprises a health parameter value indicative of a hardware failure of the respective service provider server device.
  - 19. The network traffic management system of claim 17, wherein the one or more network parameter values of a respective service provider server device comprises a geographic location parameter value indicative of a distance between a geographic location of the intended service provider server device and the respective service provider server device.
  - 20. The network traffic management system of claim 17, wherein the one or more processors are further configured to be capable of executing the stored programmed instructions to:
    - register a uniform resource identifier (URI) for each of the plurality of service provider server devices with an identity provider, and wherein the client request is redirected to the selected different service provider server device using the registered URI of the selected different service provider server device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
F5 Networks, Inc. (F5 Incorporated)
Original Assignee
F5 Networks, Inc. (F5 Incorporated)
Inventors
Natarajan, Ravi, Amdahl, Saxon
Primary Examiner(s)
Kim, Hee Soo

Application Number

US15/861,910
Time in Patent Office

775 Days
Field of Search

709226
US Class Current
CPC Class Codes

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 67/1008   based on parameters of serv...

H04L 67/1021   based on client or server l...

H04L 67/1036   Load balancing of requests ...

H04L 9/3213   using tickets or tokens, e....

Methods for load balancing in a federated identity environment and devices thereof

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Methods for load balancing in a federated identity environment and devices thereof

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links