Mechanisms to Use Network Session Identifiers for Software-As-A-Service Authentication

US 20130111549A1
Filed: 10/27/2011
Published: 05/02/2013
Est. Priority Date: 10/27/2011
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

at a network access device of a network, receiving a request from a client device to establish a network session;

sending identity information of the client device to a session directory database that is configured to store identity information of a plurality of client devices associated with the network access device;

receiving a request from the client device to access an identity provider device that provides identity assertion services to the client device;

inserting a network session identifier into the request from the client device to access the identity provider device, wherein the network session identifier is a unique identifier that identifies the network; and

forwarding the request with the inserted network session identifier to the identity provider device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are provided for authenticating a subject of a client device to access a software-as-a-service (SaaS) server. A network access device receives a request from a client device to establish a network session and transfers identity information of the subject, the client device and the network session to a session directory database. A request is sent to access an application on a SaaS server. If it does not contain an identity assertion that identifies the subject, the request is redirected to an identity provider device (IdP), to provide identity assertion services to the subject. A network session identifier is inserted into the request by a network access device and the request is forwarded to the IdP. The IdP uses the network session identifier to query the session directory database for the identity information to be used for a security assertion of the subject to the SaaS server.

72 Citations

View as Search Results

21 Claims

1. A method comprising:
- at a network access device of a network, receiving a request from a client device to establish a network session;
  
  sending identity information of the client device to a session directory database that is configured to store identity information of a plurality of client devices associated with the network access device;
  
  receiving a request from the client device to access an identity provider device that provides identity assertion services to the client device;
  
  inserting a network session identifier into the request from the client device to access the identity provider device, wherein the network session identifier is a unique identifier that identifies the network; and
  
  forwarding the request with the inserted network session identifier to the identity provider device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising:
    - authenticating a subject of the client device to obtain authentication information associated with the subject of the client device; and
      
      sending the authentication information associated with the subject of the client device to the session directory.
  - 3. The method of claim 1, wherein receiving a request comprises receiving a uniform resource locator (URL) request from the client device to access the identity provider device.
  - 4. The method of claim 3, wherein receiving the URL request comprises receiving the URL request as a result of a redirect from an identity boundary device in response to a client device requesting access to application services outside of the enterprise network.
  - 5. The method of claim 3, wherein inserting comprises inserting the network session identifier information to a hypertext transfer protocol (HTTP) header of the URL request.
  - 6. The method of claim 1, wherein inserting comprises inserting the network session identifier that comprises a pseudorandom number that is unique to the network.
  - 7. The method of claim 1, wherein inserting comprises inserting the network session identifier such that it is not revealed to the client device.
  - 8. The method of claim 1, wherein receiving comprises receiving the request originating from a subject of the client device to access the identity provider device.

9. A method comprising:
- at an identity provider device in a network that provides identity assertion services, receiving a request from a network access device originating from a client device to access the identity provider device;
  
  extracting a network session identifier from the request, wherein the network session identifier is unique to the network;
  
  querying a session directory database to obtain information associated with the network session identifier;
  
  receiving the information associated with the network session identifier from the session directory database;
  
  generating a security assertion using the information associated with the network session identifier; and
  
  sending the security assertion to the client device.
- View Dependent Claims (10, 11, 12)
- - 10. The method of claim 9, wherein the request comprises a uniform resource locator (URL) request from the network access device originating from the client device for the client device to access the identity provider device.
  - 11. The method of claim 10, wherein extracting comprises extracting the network session identifier from a hypertext transfer protocol (HTTP) header of the URL request.
  - 12. The method of claim 10, wherein generating comprises generating a security assertion markup language (SAML) assertion.

13. One or more computer readable storage media encoded with software comprising computer executable instructions and when the software is executed operable to:
- receive a request from a client device in a network to establish a network session;
  
  send identity information of the client device to a session directory database that is configured to store identity information of a plurality of client devices associated with the network access device;
  
  receive a request from the client device to access an identity provider device that provides identity assertion services to the client device;
  
  insert a network session identifier into the request from the client device to access the identity provider device, wherein the network session identifier is a unique identifier that identifies a network; and
  
  forward the request with the inserted network session identifier to the identity provider device.
- View Dependent Claims (14, 15)
- - 14. The computer readable storage media of claim 13, further comprising instructions operable to:
    - authenticate a subject of the client device to obtain authentication information associated with the subject of the client device; and
      
      send the authentication information associated with the subject of the client device to the session directory.
  - 15. The computer readable storage media of claim 13, wherein the instructions operable to insert comprise instructions operable to insert the network session identifier such that the network session identifier is not reveal to the client device.

16. One or more computer readable storage media encoded with software comprising computer executable instructions and when the software is executed operable to:
- receive an access request from a network access device originating from a client device in a network to access an identity provider device;
  
  extract a network session identifier from the request, wherein the network session identifier is unique to the network;
  
  query a session directory database to obtain information associated with the network session identifier;
  
  receive the information associated with the network session identifier from the session directory;
  
  generate a security assertion using the information associated with the network session identifier; and
  
  send the security assertion to the client device.
- View Dependent Claims (17)
- - 17. The computer readable storage media of claim 16, further comprising instructions operable to determine after receiving the request from the network access device whether the request contains network session identifier information to be extracted from the request.

18. An apparatus comprising:
- a network interface unit configured to enable communications over a network;
  
  a switch unit coupled to the network interface unit;
  
  a memory; and
  
  a processor coupled to the switch unit and the memory and configured to;
  
  receive a request from a client device to establish a network session;
  
  send identity information of the client device to a session directory database that is configured to store identity information of a plurality of client devices;
  
  receive a request from the client device to access an identity provider device that provides identity assertion services to the client device;
  
  insert a network session identifier into the request from the client device to access the identity provider device, wherein the network session identifier is a unique identifier; and
  
  forward the request with the inserted network session identifier to the identity provider device.
- View Dependent Claims (19)
- - 19. The apparatus of claim 18, wherein the processor is further configured to:
    - authenticate the subject of the client device to obtain authentication information associated with the subject of the client device; and
      
      send the authentication information associated with the subject of the client device to the session directory.

20. An apparatus comprising:
- a network interface unit configured to enable communications over a network;
  
  a memory; and
  
  a processor coupled to the network interface unit and the memory and configured to;
  
  receive a request from a network access device originating from a client device;
  
  extract a network session identifier from the request, wherein the network session identifier is unique to the network;
  
  query a session directory database to obtain information associated with the network session identifier;
  
  receive the information associated with the network session identifier from the session directory;
  
  generate a security assertion using the information associated with the network session identifier; and
  
  send the security assertion to the client device.
- View Dependent Claims (21)
- - 21. The apparatus of claim 20, wherein the processor is further configured to determine, after receiving the request from the network access device, whether the request contains network session identifier information to be extracted from the request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Sowatskey, Nathan, Cam-Winget, Nancy, Ansari, Morteza, Wierenga, Klaas, Salowey, Joseph, Thomson, Susan E., Jones, David

Granted Patent

US 8,949,938 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/3
CPC Class Codes

H04L 63/08 for authentication of entit...

H04L 63/0823 using certificates cryptogr...

Mechanisms to Use Network Session Identifiers for Software-As-A-Service Authentication

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

72 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Mechanisms to Use Network Session Identifiers for Software-As-A-Service Authentication

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

72 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links