Mechanisms to Use Network Session Identifiers for Software-As-A-Service Authentication
First Claim
1. A method comprising:
at a network access device of a network, receiving a request from a client device to establish a network session;
sending identity information of the client device to a session directory database that is configured to store identity information of a plurality of client devices associated with the network access device;
receiving a request from the client device to access an identity provider device that provides identity assertion services to the client device;
inserting a network session identifier into the request from the client device to access the identity provider device, wherein the network session identifier is a unique identifier that identifies the network; and
forwarding the request with the inserted network session identifier to the identity provider device.
Abstract
Techniques are provided for authenticating a subject of a client device to access a software-as-a-service (SaaS) server. A network access device receives a request from a client device to establish a network session and transfers identity information of the subject, the client device and the network session to a session directory database. A request is sent to access an application on a SaaS server. If it does not contain an identity assertion that identifies the subject, the request is redirected to an identity provider device (IdP), to provide identity assertion services to the subject. A network session identifier is inserted into the request by a network access device and the request is forwarded to the IdP. The IdP uses the network session identifier to query the session directory database for the identity information to be used for a security assertion of the subject to the SaaS server.
21 Claims
1. (Text of claim 1 as set out under First Claim above.) Dependent claims: 2, 3, 4, 5, 6, 7, 8.

9. A method comprising:
at an identity provider device in a network that provides identity assertion services, receiving a request from a network access device originating from a client device to access the identity provider device; extracting a network session identifier from the request, wherein the network session identifier is unique to the network; querying a session directory database to obtain information associated with the network session identifier; receiving the information associated with the network session identifier from the session directory database; generating a security assertion using the information associated with the network session identifier; and sending the security assertion to the client device. Dependent claims: 10, 11, 12.

13. One or more computer readable storage media encoded with software comprising computer executable instructions and when the software is executed operable to:
receive a request from a client device in a network to establish a network session; send identity information of the client device to a session directory database that is configured to store identity information of a plurality of client devices associated with the network access device; receive a request from the client device to access an identity provider device that provides identity assertion services to the client device; insert a network session identifier into the request from the client device to access the identity provider device, wherein the network session identifier is a unique identifier that identifies a network; and forward the request with the inserted network session identifier to the identity provider device. Dependent claims: 14, 15.

16. One or more computer readable storage media encoded with software comprising computer executable instructions and when the software is executed operable to:
receive an access request from a network access device originating from a client device in a network to access an identity provider device; extract a network session identifier from the request, wherein the network session identifier is unique to the network; query a session directory database to obtain information associated with the network session identifier; receive the information associated with the network session identifier from the session directory; generate a security assertion using the information associated with the network session identifier; and send the security assertion to the client device. Dependent claims: 17.

18. An apparatus comprising:
a network interface unit configured to enable communications over a network; a switch unit coupled to the network interface unit; a memory; and a processor coupled to the switch unit and the memory and configured to: receive a request from a client device to establish a network session; send identity information of the client device to a session directory database that is configured to store identity information of a plurality of client devices; receive a request from the client device to access an identity provider device that provides identity assertion services to the client device; insert a network session identifier into the request from the client device to access the identity provider device, wherein the network session identifier is a unique identifier; and forward the request with the inserted network session identifier to the identity provider device. Dependent claims: 19.

20. An apparatus comprising:
a network interface unit configured to enable communications over a network; a memory; and a processor coupled to the network interface unit and the memory and configured to: receive a request from a network access device originating from a client device; extract a network session identifier from the request, wherein the network session identifier is unique to the network; query a session directory database to obtain information associated with the network session identifier; receive the information associated with the network session identifier from the session directory; generate a security assertion using the information associated with the network session identifier; and send the security assertion to the client device. Dependent claims: 21.
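The flow the abstract and claims 1 and 9 describe (network access device registers the client's session in the session directory, inserts a network session identifier into the client's request to the IdP, and the IdP resolves that identifier against the directory to build a security assertion for the SaaS server), simulated end to end below. This is an added example, not code from the patent or its assignee. The header name `X-Network-Session-Id`, the session directory schema, the HMAC that stands in for a signed SAML assertion, the 5-minute assertion lifetime, and the step where the network access device strips any client-supplied copy of the header are all assumptions made for the example.

```python
import hashlib
import hmac
import json
import secrets
import time

# Assumed header name carrying the network session identifier (not from the patent).
NSID_HEADER = "X-Network-Session-Id"


class SessionDirectory:
    """Session directory database: network session identifier -> identity information."""

    def __init__(self):
        self._entries = {}

    def register(self, nsid, subject, device, nad_id, ttl=3600):
        self._entries[nsid] = {"subject": subject, "device": device,
                               "nad": nad_id, "expires_at": time.time() + ttl}

    def lookup(self, nsid):
        entry = self._entries.get(nsid)
        if entry is None or entry["expires_at"] < time.time():
            return None  # unknown or expired network session
        return entry


class NetworkAccessDevice:
    """Switch or access point that knows which client holds which network session."""

    def __init__(self, nad_id, directory):
        self.nad_id = nad_id
        self.directory = directory
        self._sessions = {}  # client address -> network session identifier

    def establish_session(self, client_addr, subject, device):
        # The NAD, not the client, mints the identifier; it is unique within the network.
        nsid = f"{self.nad_id}:{secrets.token_hex(8)}"
        self._sessions[client_addr] = nsid
        self.directory.register(nsid, subject, device, self.nad_id)
        return nsid

    def forward_to_idp(self, client_addr, request):
        """Insert the NAD's own identifier for this client into the IdP request.
        Dropping any client-supplied value first is a safeguard assumed here;
        the patent text does not spell it out."""
        headers = {k: v for k, v in request["headers"].items()
                   if k.lower() != NSID_HEADER.lower()}
        nsid = self._sessions.get(client_addr)
        if nsid is not None:
            headers[NSID_HEADER] = nsid
        return {**request, "headers": headers}


def sign(key, assertion):
    """HMAC over the canonical assertion; stands in for a real SAML XML signature (assumption)."""
    payload = json.dumps(assertion, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class IdentityProvider:
    """IdP: extracts the identifier, queries the directory, issues the assertion."""

    def __init__(self, directory, signing_key, audience, issuer="idp.example"):
        self.directory, self.key, self.audience, self.issuer = directory, signing_key, audience, issuer

    def handle(self, request):
        nsid = request["headers"].get(NSID_HEADER)
        if not nsid:
            return {"status": 401, "error": "no network session identifier"}
        info = self.directory.lookup(nsid)
        if info is None:
            return {"status": 401, "error": "unknown or expired network session"}
        now = int(time.time())
        assertion = {"issuer": self.issuer, "audience": self.audience,
                     "subject": info["subject"], "device": info["device"],
                     "network_session": nsid, "issued_at": now, "expires_at": now + 300}
        return {"status": 200, "assertion": assertion, "signature": sign(self.key, assertion)}


def saas_accepts(key, audience, response):
    """SaaS server side: signature valid, audience matches, assertion not expired."""
    if response["status"] != 200:
        return False
    a = response["assertion"]
    return (hmac.compare_digest(sign(key, a), response["signature"])
            and a["audience"] == audience and a["expires_at"] > time.time())


def login_via_network(nad, idp, client_addr, client_headers=None):
    """Client -> NAD (inserts identifier) -> IdP; returns the IdP's response."""
    request = {"method": "GET", "path": "/sso/login", "headers": dict(client_headers or {})}
    return idp.handle(nad.forward_to_idp(client_addr, request))


def demo():
    directory = SessionDirectory()
    key = secrets.token_bytes(32)  # shared IdP/SaaS key, an assumption for the example
    nad = NetworkAccessDevice("nad-1", directory)
    idp = IdentityProvider(directory, key, audience="saas.example")
    # Constructed sample: alice joined the network from 10.0.0.5 on device laptop-42.
    alice_nsid = nad.establish_session("10.0.0.5", "alice@example.com", "laptop-42")
    ok = login_via_network(nad, idp, "10.0.0.5")
    # A host with no network session presenting alice's identifier itself gets nothing:
    # the NAD strips the client-supplied header and has no session of its own to insert.
    forged = login_via_network(nad, idp, "10.0.0.99", {NSID_HEADER: alice_nsid})
    return ok, forged, saas_accepts(key, "saas.example", ok)


if __name__ == "__main__":
    print(demo())
```

The point the example makes explicit is that the whole scheme rests on the identifier being inserted by the network access device on a path the client cannot influence: if the IdP accepted the header from any source, or the NAD passed through a client-supplied value, any host that learned a valid identifier could obtain an assertion for that subject. The IdP should therefore only honour the header on connections that come from a network access device, and identifiers should be unguessable and short-lived, as the directory's expiry check models.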
Specification