Virtual single sign-on for certificate-protected resources
First Claim
1. A method comprising:
receiving, with a secure gateway device that provides secure access to a resource network comprising a plurality of different certificate-protected resources, a first message from a client device coupled to the secure gateway device through an access network, wherein the first message comprises a request to access a first certificate-protected resource and an identifier for a user that is associated with the client device;
in response to receiving the first message with the secure gateway device, initiating a protocol handshake between the secure gateway device and the first certificate-protected resource to establish a secure channel;
mapping, with the secure gateway device, the identifier and the first certificate-protected resource specified within the request to a first digital certificate within a certificate repository of digital certificates of the secure gateway device, wherein the digital certificates stored within the repository of the secure gateway device are specific to individual ones of the plurality of different certificate-protected resources;
receiving, with the secure gateway device, a certificate request from the first certificate-protected resource as part of the protocol handshake;
in response to receiving the certificate request, sending the first digital certificate from the secure gateway device to the first certificate-protected resource via the resource network to authenticate the secure gateway device to the first certificate-protected resource on behalf of the client device; and
subsequent to authenticating the secure gateway device to the first certificate-protected resource, forwarding application data received with the secure gateway device from the first certificate-protected resource to the client device via the access network.
Abstract
In general, the invention is directed to techniques for enabling single sign-on (SSO) for a client seeking access to multiple resources protected by a certificate-based authentication scheme. For example, as described herein, a secure gateway comprises a certificate repository to store a digital certificate as well as a policy that includes one or more policy rules. A network interface of the secure gateway receives a message from a client device, wherein the message comprises a request to access a protected resource and an identifier for the requesting agent. The secure gateway also comprises a resource authentication module to map the identifier and the protected resource to the digital certificate based on the policy. The resource authentication module retrieves the digital certificate from the certificate repository and sends the digital certificate to the protected resource to authenticate the secure gateway to the protected resource.
16 Claims
1. Independent method claim, reproduced in full under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7 (not reproduced here).
8. A secure gateway device that provides secure access to a resource network comprising a plurality of different certificate-protected resources, the secure gateway device comprising:
a processor;
a certificate repository to store a plurality of digital certificates, wherein the digital certificates are specific to individual ones of a plurality of different certificate-protected resources;
a network interface to receive a first message from a client device coupled to the secure gateway device through an access network, wherein the first message comprises a request to access a first certificate-protected resource and an identifier for a user that is associated with the client device;
a policy comprising one or more policy rules;
an encryption module to initiate, in response to the first message, a protocol handshake with the first certificate-protected resource to establish a secure channel;
a resource authentication module to map the identifier and the first certificate-protected resource to a first digital certificate stored by the certificate repository based at least on the policy, wherein the resource authentication module receives a certificate request from the first certificate-protected resource as part of the protocol handshake, wherein the resource authentication module, in response to the certificate request, retrieves the first digital certificate from the certificate repository and sends the first digital certificate to the first certificate-protected resource via the resource network to authenticate the secure gateway device to the first certificate-protected resource on behalf of the client device, and wherein, subsequent to authenticating to the first certificate-protected resource, the secure gateway device forwards application data received from the first certificate-protected resource to the client device via the access network.
Dependent claims: 9, 10, 11, 12, 13, 14 (not reproduced here).
15. A computer-readable storage medium comprising instructions for causing one or more programmable processors to:
receive, with a secure gateway device that provides secure access to a resource network comprising a plurality of different certificate-protected resources, a first message from a client device coupled to the secure gateway device through an access network, wherein the first message comprises a request to access a first certificate-protected resource and an identifier for a user that is associated with the client device;
initiate, in response to receiving the first message and by the secure gateway device, a protocol handshake between the secure gateway device and the first certificate-protected resource to establish a secure channel;
map, with the secure gateway device, the identifier and the first certificate-protected resource specified within the request to a first digital certificate within a certificate repository of digital certificates of the secure gateway device, wherein the digital certificates stored within the repository of the secure gateway device are specific to individual ones of the plurality of different certificate-protected resources;
receive, with the secure gateway device, a certificate request from the first certificate-protected resource as part of the protocol handshake;
in response to the certificate request, send the first digital certificate from the secure gateway device to the first certificate-protected resource via the resource network to authenticate the secure gateway device to the first certificate-protected resource on behalf of the client device; and
subsequent to authenticating the secure gateway device to the first certificate-protected resource, forward application data received from the first certificate-protected resource to the client device via the access network.
Dependent claims: 16 (not reproduced here).
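The abstract and the three independent claims all describe the same gateway-side flow: the gateway receives a request carrying a user identifier and a target resource, a policy maps that pair to one resource-specific certificate in the gateway's repository, the gateway answers the resource's certificate request with that certificate during the handshake, and then forwards the resource's application data back to the client. The following Python model is an added example written for this page; it is not code from the patent or its assignee. It replaces the real TLS client-certificate exchange with an in-memory handshake (a callback that answers the certificate request), and every class, rule, certificate id and resource name in it is a constructed assumption. It also adds two defender-side details the claims leave open: a request for which no policy rule exists is denied rather than falling through, and a certificate provisioned for one resource is never presented to another even if a policy rule is misconfigured, with each decision recorded in an audit list for review.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class DigitalCertificate:
    """Stand-in for an X.509 client certificate; all field values are constructed samples."""
    cert_id: str    # identifier the resource's trust store knows (think fingerprint)
    subject: str
    resource: str   # the one protected resource this certificate is provisioned for


class CertificateRepository:
    """Gateway-side certificate store; each certificate is specific to one resource."""

    def __init__(self, certs: List[DigitalCertificate]) -> None:
        self._by_id = {c.cert_id: c for c in certs}

    def get(self, cert_id: str) -> DigitalCertificate:
        return self._by_id[cert_id]


@dataclass(frozen=True)
class PolicyRule:
    """Maps (user identifier, resource) to a certificate id; identifier '*' matches any user."""
    identifier: str
    resource: str
    cert_id: str


class Policy:
    def __init__(self, rules: List[PolicyRule]) -> None:
        self._rules = rules

    def map_certificate(self, identifier: str, resource: str) -> Optional[str]:
        # User-specific rules win over wildcard rules; no matching rule means no certificate.
        for rule in sorted(self._rules, key=lambda r: r.identifier == "*"):
            if rule.resource == resource and rule.identifier in (identifier, "*"):
                return rule.cert_id
        return None


class CertificateProtectedResource:
    """Simulated resource that issues a certificate request during the handshake."""

    def __init__(self, name: str, trusted_cert_ids: List[str], app_data: bytes) -> None:
        self.name = name
        self._trusted = set(trusted_cert_ids)
        self._app_data = app_data

    def handshake(self, answer_cert_request: Callable[[], DigitalCertificate]) -> bytes:
        # The callback plays the gateway's side: it answers the certificate request.
        cert = answer_cert_request()
        if cert.cert_id not in self._trusted:
            raise PermissionError(f"{self.name}: certificate {cert.cert_id} rejected")
        return self._app_data   # application data sent once the channel is authenticated


class SecureGateway:
    def __init__(self, repo: CertificateRepository, policy: Policy,
                 resources: Dict[str, CertificateProtectedResource]) -> None:
        self._repo, self._policy, self._resources = repo, policy, resources
        self.audit: List[str] = []   # one line per decision, for detection and review

    def handle_request(self, identifier: str, resource_name: str) -> bytes:
        resource = self._resources[resource_name]
        cert_id = self._policy.map_certificate(identifier, resource_name)
        if cert_id is None:
            self.audit.append(f"DENY user={identifier} resource={resource_name} reason=no-rule")
            raise PermissionError(f"no policy rule maps {identifier} to {resource_name}")
        cert = self._repo.get(cert_id)
        # Defensive check (assumption, not in the claims): never present a certificate
        # provisioned for another resource, even if a policy rule points at it by mistake.
        if cert.resource != resource_name:
            self.audit.append(f"DENY user={identifier} resource={resource_name} reason=cert-mismatch")
            raise PermissionError(f"certificate {cert_id} is not for {resource_name}")

        def answer_cert_request() -> DigitalCertificate:
            self.audit.append(f"PRESENT user={identifier} resource={resource_name} cert={cert_id}")
            return cert

        app_data = resource.handshake(answer_cert_request)
        self.audit.append(f"FORWARD user={identifier} resource={resource_name} bytes={len(app_data)}")
        return app_data


def build_demo_gateway() -> SecureGateway:
    """Constructed sample deployment: two resources, one certificate each, three rules."""
    repo = CertificateRepository([
        DigitalCertificate("cert-payroll-01", "CN=gateway,OU=payroll", "payroll"),
        DigitalCertificate("cert-hr-01", "CN=gateway,OU=hr", "hr-portal"),
    ])
    policy = Policy([
        PolicyRule("alice", "payroll", "cert-payroll-01"),   # only alice may reach payroll
        PolicyRule("*", "hr-portal", "cert-hr-01"),          # any known user may reach HR
        PolicyRule("dave", "hr-portal", "cert-payroll-01"),  # deliberately misconfigured rule
    ])
    resources = {
        "payroll": CertificateProtectedResource("payroll", ["cert-payroll-01"], b"payroll:ok"),
        "hr-portal": CertificateProtectedResource("hr-portal", ["cert-hr-01"], b"hr:ok"),
    }
    return SecureGateway(repo, policy, resources)


if __name__ == "__main__":
    gw = build_demo_gateway()
    print(gw.handle_request("alice", "payroll"))
    print("\n".join(gw.audit))
```

Running the module prints `b'payroll:ok'` followed by the PRESENT and FORWARD audit lines. The resource-mismatch check is worth keeping in a real deployment: because the gateway holds certificates for many resources on behalf of many users, a single wrong policy rule would otherwise let one resource's credential be offered to another, and the audit trail is what lets an operator notice that the mapping, not the handshake, is where access was decided.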