Mechanisms to Use Network Session Identifiers for Software-As-A-Service Authentication
Abstract
Techniques are provided for authenticating a subject of a client device to access a software-as-a-service (SaaS) server. A network access device receives a request from a client device to establish a network session and transfers identity information of the subject, the client device and the network session to a session directory database. A request is sent to access an application on a SaaS server. If it does not contain an identity assertion that identifies the subject, the request is redirected to an identity provider device, to provide identity assertion services to the subject. A network session identifier is inserted into the request by a network access device and the request is forwarded to the identity provider device. The identity provider device uses the network session identifier to query the session directory database for the identity information to be used for a security assertion of the subject to the SaaS server.
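The exchange the abstract describes, modelled end to end as an added example (not the patent's or any vendor's code): an in-memory session directory, a network access device (NAD) that inserts the session identifier on the client's way to the identity provider (IdP), an IdP that turns the identifier into a signed assertion, and a SaaS server that redirects assertion-less requests and verifies the assertion it gets back. The header name, the URLs, the sample identities and the use of an HMAC key in place of the certificate shared by IdP and server are assumptions made so the code runs on the standard library alone.

```python
"""Toy model of the session-identifier-based SaaS authentication flow."""
import hashlib
import hmac
import json
import secrets

# Hypothetical header in which the NAD hands the session identifier to the
# IdP; the page names no header or transport.
SESSION_ID_HEADER = "X-Network-Session-Id"

# Key shared by the IdP and the SaaS server. The claims describe a signature
# under a certificate shared by the two; a constructed HMAC key stands in
# for it here (assumption, for a standard-library-only example).
SHARED_ASSERTION_KEY = b"constructed-demo-key-shared-by-idp-and-saas"

# Session directory database: session identifier -> identity and context
# information recorded when the subject authenticated to the NAD.
session_directory = {}


def nad_establish_session(subject, device, context):
    """Subject authenticates to the NAD; the NAD stores identity, device and
    context in the session directory and keeps the unguessable identifier
    to itself (it is never returned to the client)."""
    session_id = secrets.token_urlsafe(24)
    session_directory[session_id] = {
        "subject": subject, "device": device, "context": context}
    return session_id


def nad_forward_to_idp(request, session_id):
    """NAD sees a client request bound for the IdP. It drops any copy of the
    header the client supplied (so the client cannot choose a session
    identifier) and inserts the one bound to the authenticated session."""
    headers = {k: v for k, v in request["headers"].items()
               if k.lower() != SESSION_ID_HEADER.lower()}
    headers[SESSION_ID_HEADER] = session_id
    return {**request, "headers": headers}


def idp_issue_assertion(request):
    """IdP extracts the identifier, queries the session directory and returns
    a signed assertion, or None when the identifier is unknown."""
    session_id = request["headers"].get(SESSION_ID_HEADER)
    record = session_directory.get(session_id)
    if record is None:
        return None
    body = json.dumps({"subject": record["subject"],
                       "device": record["device"],
                       "context": record["context"],
                       "assertion_id": secrets.token_hex(8)}, sort_keys=True)
    sig = hmac.new(SHARED_ASSERTION_KEY, body.encode(),
                   hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def saas_handle_request(request, idp_url):
    """SaaS server: redirect to the IdP when the request carries no assertion,
    reject one whose signature does not verify, otherwise serve it."""
    assertion = request.get("assertion")
    if assertion is None:
        return {"status": 302, "location": idp_url}
    expected = hmac.new(SHARED_ASSERTION_KEY, assertion["body"].encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return {"status": 401}
    return {"status": 200,
            "subject": json.loads(assertion["body"])["subject"]}


def run_flow():
    """Drive one complete exchange with constructed sample data."""
    idp_url = "https://idp.example/sso"           # constructed
    saas_url = "https://app.example/dashboard"    # constructed
    session_id = nad_establish_session(
        "alice", "laptop-42", {"vlan": 10, "posture": "compliant"})

    # 1. Client asks the SaaS server for the app without an assertion.
    first = saas_handle_request({"url": saas_url, "headers": {}}, idp_url)

    # 2. Client follows the redirect and even tries to smuggle its own
    #    identifier; the NAD strips it and inserts the real one.
    client_req = {"url": first["location"],
                  "headers": {SESSION_ID_HEADER: "attacker-chosen"}}
    at_idp = nad_forward_to_idp(client_req, session_id)
    assertion = idp_issue_assertion(at_idp)

    # 3. Client presents the assertion to the SaaS server.
    final = saas_handle_request(
        {"url": saas_url, "headers": {}, "assertion": assertion}, idp_url)
    return {"redirect": first["status"], "session_id": session_id,
            "inserted_id": at_idp["headers"][SESSION_ID_HEADER],
            "final": final["status"], "subject": final.get("subject")}


if __name__ == "__main__":
    print(run_flow())
```

The line that carries the security weight is the header strip in nad_forward_to_idp: the claims require that the identifier be available only to the IdP and never revealed to the subject, and that holds in practice only if the NAD overwrites whatever the client sends in that header and the IdP accepts the header solely on the path from the NAD. The model checks the first half; the second (rejecting the header on any other ingress) is a deployment property this toy does not show beyond refusing identifiers absent from the directory.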
18 Citations
23 Claims
1. A method comprising:
- at a network access device of a network, receiving a request from a client device to access an identity provider device that provides identity assertion services to the client device, wherein the identity assertion services include identity and context information associated with a subject of the client device;
- obtaining a unique network session identifier that identifies a network session and the subject of the client device that has authenticated with the network access device to access the network session;
- inserting the network session identifier into the request from the client device to access the identity provider device such that the network session identifier is available only to the identity provider device and the network session identifier is not revealed to the subject of the client device; and
- forwarding the request with the inserted network session identifier to the identity provider device, wherein the identity provider device generates an encrypted security assertion of an identity of the subject associated with the network session, wherein the encrypted security assertion is signed using a certificate shared by the identity provider device and a server, and the identity provider device forwards the encrypted security assertion to the client device for insertion into a request from the client device to access the server.
Dependent claims: 2, 3, 4, 5, 6, 7
8. A method comprising:
- at an identity provider device in a network that provides identity assertion services which include identity and context information associated with a subject of a client device, extracting a network session identifier from a request to access the identity provider device, wherein the request is from a network access device and originates from the client device seeking to access a server, wherein the network session identifier is unique to the network access device and uniquely identifies a network session for the subject of the client device that has authenticated with the network access device;
- generating an encrypted security assertion of an identity of the subject associated with the network session, wherein generating the encrypted security assertion includes using the information associated with the network session identifier that uniquely identifies the subject, wherein the encrypted security assertion is signed using a certificate shared by the identity provider device and the server; and
- sending the encrypted security assertion to the client device.
Dependent claims: 9, 10, 11
12. One or more non-transitory computer readable storage media encoded with software comprising computer executable instructions and when the software is executed operable to:
- receive a request from a client device to access an identity provider device that provides identity assertion services to the client device, wherein the identity assertion services include identity and context information associated with a subject of the client device;
- obtain a unique network session identifier that identifies a network session and the subject of the client device that has authenticated with a network access device to access the network session;
- insert the network session identifier into the request from the client device to access the identity provider device such that the network session identifier is available only to the identity provider device and the network session identifier is not revealed to the subject of the client device; and
- forward the request with the inserted network session identifier to the identity provider device, wherein the identity provider device generates an encrypted security assertion of an identity of the subject associated with the network session, where the encrypted security assertion is signed using a certificate shared by the identity provider device and a server, and the identity provider device forwards the encrypted security assertion to the client device for insertion into a request from the client device to access the server.
Dependent claims: 13, 14
15. One or more non-transitory computer readable storage media encoded with software comprising computer executable instructions and when the software is executed operable to:
- extract a network session identifier from a request to access an identity provider device, the request from a network access device and originating from a client device seeking to access a server, wherein the identity provider device provides identity assertion services which include identity and context information associated with a subject of the client device, wherein the network session identifier is unique to the network access device and uniquely identifies a network session for the subject of the client device that has authenticated with the network access device;
- generate an encrypted security assertion of an identity of the subject associated with the network session, wherein the instructions operable to generate the encrypted security assertion are further operable to use the information associated with the network session identifier to generate the encrypted security assertion, wherein the encrypted security assertion is signed using a certificate shared by the identity provider device and the server; and
- send the encrypted security assertion to the client device.
Dependent claims: 16, 17
18. An apparatus comprising:
- a network interface unit configured to enable communications over a network;
- a switch unit coupled to the network interface unit;
- a memory; and
- a processor coupled to the switch unit and the memory and configured to:
  - receive a request from a client device to access an identity provider device that provides identity assertion services to the client device, wherein the identity assertion services include identity and context information associated with a subject of the client device;
  - obtain from a session directory database a unique network session identifier that identifies a network session and identifies the subject of the client device that has authenticated with a network access device to access the network session;
  - insert the network session identifier into the request from the client device to access the identity provider device such that the network session identifier is available only to the identity provider device and the network session identifier is not revealed to the subject of the client device; and
  - forward the request with the inserted network session identifier to the identity provider device to cause the identity provider device to generate an encrypted security assertion of an identity of a user associated with the network session, where the encrypted security assertion is signed using a certificate shared by the identity provider device and a server, and the identity provider device forwards the encrypted security assertion to the client device for insertion into a request from the client device to access the server.
Dependent claims: 19, 20
21. An apparatus comprising:
- a network interface unit configured to enable communications over a network;
- a memory; and
- a processor coupled to the network interface unit and the memory and configured to:
  - extract a network session identifier from a request to access the apparatus, wherein the request is from a network access device and originates from a client device seeking to access a server, wherein the network session identifier is unique to the network access device and uniquely identifies a network session for a subject of the client device that has authenticated with the network access device;
  - generate an encrypted security assertion of an identity of the subject associated with the network session such that the information associated with the network session identifier is utilized, wherein the encrypted security assertion is signed using a certificate shared by the identity provider device and the server; and
  - send the encrypted security assertion to the client device.
Dependent claims: 22, 23
Specification