SECURE MOBILE CLIENT WITH ASSERTIONS FOR ACCESS TO SERVICE PROVIDER APPLICATIONS

US 20150381625A1
Filed: 09/03/2015
Published: 12/31/2015
Est. Priority Date: 08/09/2012
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving from a client device a request to access a Software-as-a-Service (SaaS) application, the request including an assertion created by a SaaS access control application on the client device;

evaluating the assertion; and

generating a response to the client device based on the evaluating.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A Software-as-a-Service (SaaS) access control application on a client device is configured with a certificate that identifies a user, and with configuration information for one or more SaaS applications to access, and including an IDP identifier for the SaaS application. The SaaS access control application includes software to be inserted into a network software stack of the client device and software configured to serve as an identity provider for assertions. A request, made by an application on the client device to a SaaS service provider identified by a Universal Resource Locator (URL) provided during configuration of the SaaS access control application, is intercepted within the network software stack of the client device. The SaaS access control application generates an assertion based on the certificate and configuration information. The requesting application is caused to make a request to the SaaS service provider with the assertion embedded in the request.

6 Citations

View as Search Results

20 Claims

1. A method comprising:
- receiving from a client device a request to access a Software-as-a-Service (SaaS) application, the request including an assertion created by a SaaS access control application on the client device;
  
  evaluating the assertion; and
  
  generating a response to the client device based on the evaluating.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein generating the response comprises sending a message denying or granting access to a SaaS application.
  - 3. The method of claim 1, wherein generating the response comprises presenting a web page to the client device that contains data and options commensurate with a level of assurance associated with the assertion.
  - 4. The method of claim 1, wherein generating the response comprises replying to the client device to cause the SaaS access control application to redirect the client device to a web page hosted by a secure identity provider, wherein the web page is configured to solicit entry of credentials from a user of the client device.
  - 5. The method of claim 4, further comprising the SaaS access control application discovering the secure identity provider using information contained in the assertion embedded in the request.
  - 6. The method of claim 4, wherein the secure identity provider is an enterprise identity provider that has a relationship with the SaaS application.
  - 7. The method of claim 4, wherein the secure identity provider is a cloud-hosted identity provider associated with the SaaS application with which the user has a relationship.
  - 8. The method of claim 4, further comprising the SaaS access control application storing information representing a level of assurance required for access to resources controlled by a particular one of a plurality of SaaS applications, wherein generating the response from the SaaS access control application to the SaaS application is based on the assertion received from the security identity provider for the particular SaaS application and the level assurance associated with the particular SaaS application.

9. An apparatus comprising:
- a network interface unit configured to enable communications over a network including a client device that is seeking access to a Software-as-a-Service (SaaS) application; and
  
  a processor coupled to the network interface unit, wherein the processor is configured to;
  
  receive from the client device a request to access the SaaS application, the request including an assertion created by a SaaS access control application on the client device;
  
  evaluate the assertion; and
  
  generate a response to the client device based on the evaluation of the assertion.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The apparatus of claim 9, wherein the processor is configured to generate and send a message containing the response, wherein the message denies or grants access to the SaaS application.
  - 11. The apparatus of claim 9, wherein the processor is configured to present, as the response, a web page to the client device that contains data and options commensurate with a level of assurance associated with the assertion.
  - 12. The apparatus of claim 9, wherein the processor is configured to generate the response by replying to the client device to cause the SaaS access control application to redirect the client device to a web page hosted by a secure identity provider, wherein the web page is configured to solicit entry of credentials from a user of the client device.
  - 13. The apparatus of claim 12, wherein the processor is further configured to discover the secure identity provider using information contained in the assertion embedded in the request.
  - 14. The apparatus of claim 12, wherein the processor is further configured to store information representing a level of assurance required for access to resources controlled by a particular one of a plurality of SaaS applications, and to generate the response from the SaaS access control application to the SaaS application based on the assertion received from the security identity provider for the particular SaaS application and the level assurance associated with the particular SaaS application.

15. One or more non-transitory computer readable storage media encoded with executable instructions that, when executed by a processor, cause the processor to:
- receive from a client device a request to access a Software-as-a-Service (SaaS) application, the request including an assertion created by a SaaS access control application on the client device;
  
  evaluate the assertion; and
  
  generate a response to the client device based on the evaluation.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The non-transitory computer readable storage media of claim 15, wherein the instructions to generate the response comprise instructions to send a message denying or granting access to a SaaS application.
  - 17. The non-transitory computer readable storage media of claim 15, wherein the instructions to generate the response comprise instructions to present a web page to the client device that contains data and options commensurate with a level of assurance associated with the assertion.
  - 18. The non-transitory computer readable storage media of claim 15, wherein the instructions to generate the response comprises instructions to generate and send a reply to the client device to cause the SaaS access control application to redirect the client device to a web page hosted by a secure identity provider, wherein the web page is configured to solicit entry of credentials from a user of the client device.
  - 19. The non-transitory computer readable storage media of claim 18, further comprising instructions that, when executed by the processor, cause the processor to discover the secure identity provider using information contained in the assertion embedded in the request.
  - 20. The non-transitory computer readable storage media of claim 18, further comprising instructions that, when executed by the processor, cause the processor to store information representing a level of assurance required for access to resources controlled by a particular one of a plurality of SaaS applications, and to generate the response from the SaaS access control application to the SaaS application based on the assertion received from the security identity provider for the particular SaaS application and the level assurance associated with the particular SaaS application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Sowatskey, Nathan

Granted Patent

US 9,876,799 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/31   User authentication

G06F 21/335   for accessing specific reso...

G06F 21/445   by mutual authentication, e...

H04L 63/08   for authentication of entit...

H04L 63/0823   using certificates cryptogr...

H04L 63/10   for controlling access to d...

H04L 63/168   above the transport layer

SECURE MOBILE CLIENT WITH ASSERTIONS FOR ACCESS TO SERVICE PROVIDER APPLICATIONS

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

6 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SECURE MOBILE CLIENT WITH ASSERTIONS FOR ACCESS TO SERVICE PROVIDER APPLICATIONS

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

6 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links