Virtual single sign-on for certificate-protected resources

US 8,549,300 B1
Filed: 02/23/2010
Issued: 10/01/2013
Est. Priority Date: 02/23/2010
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, with a secure gateway device that provides secure access to a resource network comprising a plurality of different certificate-protected resources, a first message from a client device coupled to the secure gateway device through an access network, wherein the first message comprises a request to access a first certificate-protected resource and an identifier for a user that is associated with the client device;

in response to receiving the first message with the secure gateway device, initiating a protocol handshake between the secure gateway device and the first certificate-protected resource to establish a secure channel;

mapping, with the secure gateway device, the identifier and the first certificate-protected resource specified within the request to a first digital certificate within a certificate repository of digital certificates of the secure gateway device, wherein the digital certificates stored within the repository of the secure gateway device are specific to individual ones of the plurality of different certificate-protected resources;

receiving, with the secure gateway device, a certificate request from the first certificate-protected resource as part of the protocol handshake;

in response to receiving the certificate request, sending the first digital certificate from the secure gateway device to the first certificate-protected resource via the resource network to authenticate the secure gateway device to the first certificate-protected resource on behalf of the client device; and

subsequent to authenticating the secure gateway device to the first certificate-protected resource, forwarding application data received with the secure gateway device from the first certificate-protected resource to the client device via the access network.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In general, the invention is directed to techniques for enabling single sign-on (SSO) for a client seeking access to multiple resources protected by a certificate-based authentication scheme. For example, as described herein, a secure gateway comprises a certificate repository to store a digital certificate as well as a policy that includes one or more policy rules. A network interface of the secure gateway receives a message from a client device, wherein the message comprises a request to access a protected resource and an identifier for the requesting agent. The secure gateway also comprises a resource authentication module to map the identifier and the protected resource to the digital certificate based on the policy. The resource authentication module retrieves the digital certificate from the certificate repository and sends the digital certificate to the protected resource to authenticate the secure gateway to the protected resource.

119 Citations

16 Claims

1. A method comprising:
- receiving, with a secure gateway device that provides secure access to a resource network comprising a plurality of different certificate-protected resources, a first message from a client device coupled to the secure gateway device through an access network, wherein the first message comprises a request to access a first certificate-protected resource and an identifier for a user that is associated with the client device;
  
  in response to receiving the first message with the secure gateway device, initiating a protocol handshake between the secure gateway device and the first certificate-protected resource to establish a secure channel;
  
  mapping, with the secure gateway device, the identifier and the first certificate-protected resource specified within the request to a first digital certificate within a certificate repository of digital certificates of the secure gateway device, wherein the digital certificates stored within the repository of the secure gateway device are specific to individual ones of the plurality of different certificate-protected resources;
  
  receiving, with the secure gateway device, a certificate request from the first certificate-protected resource as part of the protocol handshake;
  
  in response to receiving the certificate request, sending the first digital certificate from the secure gateway device to the first certificate-protected resource via the resource network to authenticate the secure gateway device to the first certificate-protected resource on behalf of the client device; and
  
  subsequent to authenticating the secure gateway device to the first certificate-protected resource, forwarding application data received with the secure gateway device from the first certificate-protected resource to the client device via the access network.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the secure channel comprises a secure sockets layer tunnel.
  - 3. The method of claim 1, wherein the protocol handshake further comprises:
    - generating, with the secure gateway device, a hash of protocol handshake parameters;
      
      encrypting, with the secure gateway device, the hash using a private key corresponding to a public key of the first digital certificate; and
      
      sending the encrypted hash from the secure gateway device to the first certificate-protected resource.
  - 4. The method of claim 1, further comprising:
    - receiving the first digital certificate via a management interface of the secure gateway device;
      
      storing the first digital certificate in the certificate repository of the secure gateway device;
      
      receiving, with the secure gateway device, a policy rule that maps the identifier and the first certificate-protected resource to the first digital certificate; and
      
      mapping the identifier and the first certificate-protected resource to the first digital certificate based on the policy rule.
  - 5. The method of claim 4, wherein the policy rule maps a key comprising the identifier and a first certificate-protected resource identifier to the first digital certificate.
  - 6. The method of claim 1, further comprising:
    - responsive to receiving the first message, authenticating the user.
  - 7. The method of claim 6, further comprisingreceiving, with the secure gateway device, a second message from the client device, wherein the second message comprises a request to access a second certificate-protected resource and the identifier;
    - determining, with the secure gateway device, that the user is currently authenticated;
      
      mapping, with the secure gateway device, the identifier and the second certificate-protected resource to a second digital certificate; and
      
      sending the second digital certificate from the secure gateway device to the second certificate-protected resource via the resource network to authenticate the secure gateway device to the second certificate-protected resource on behalf of the client device.

8. A secure gateway device that provides secure access to a resource network comprising a plurality of different certificate-protected resources, the secure gateway device comprising:
- a processor;
  
  a certificate repository to store a plurality of digital certificates, wherein the digital certificates are specific to individual ones of a plurality of different certificate-protected resources;
  
  a network interface to receive a first message from a client device coupled to the secure gateway device through an access network, wherein the first message comprises a request to access a first certificate-protected resource and an identifier for a user that is associated with the client device;
  
  a policy comprising one or more policy rules;
  
  an encryption module to initiate, in response to the first message, a protocol handshake with the first certificate-protected resource to establish a secure channel;
  
  a resource authentication module to map the identifier and the first certificate-protected resource to a first digital certificate stored by the certificate repository based at least on the policy,wherein the resource authentication module receives a certificate request from the first certificate-protected resource as part of the protocol handshake,wherein the resource authentication module, in response to the certificate request, retrieves the first digital certificate from the certificate repository and sends the first digital certificate to the first certificate-protected resource via the resource network to authenticate the secure gateway device to the first certificate-protected resource on behalf of the client device, andwherein, subsequent to authenticating to the first certificate-protected resource, the secure gateway device forwards application data received from the first certificate-protected resource to the client device via the access network.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The secure gateway of claim 8, wherein the secure channel comprises a secure sockets layer tunnel.
  - 10. The secure gateway of claim 8,wherein the certificate repository additionally stores a private key corresponding to a public key of the first digital certificate,wherein the resource authentication module generates a hash of protocol handshake parameters as part of the protocol handshake,wherein the encryption module encrypts the hash using the private key as part of the protocol handshake, andwherein the resource authentication module sends the encrypted hash to the first certificate-protected resource as part of the protocol handshake.
  - 11. The secure gateway of claim 8, further comprising:
    - a management interface to;
      
      receive the first digital certificate;
      
      store the first digital certificate in the certificate repository;
      
      receive a policy rule that maps the identifier and the first certificate-protected resource to the first digital certificate, andadd the policy rule to the policy, andwherein the resource authentication module maps the identifier and the first certificate-protected resource to the first digital certificate based on the policy rule.
  - 12. The secure gateway of claim 8, further comprising a user authentication module to authenticate the user responsive to receiving the first message.
  - 13. The secure gateway of claim 12,wherein the network interface receives a second message from the client device, wherein the second message comprises a request to access a second certificate-protected resource and an identifier for the requesting agent,wherein the user authentication module determines that the user is currently authenticated,wherein the resource authentication module maps the identifier and the second certificate-protected resource to a second digital certificate, andwherein the resource authentication module sends the second digital certificate to the second certificate-protected resource via the resource network to authenticate the secure gateway device to the second certificate-protected resource on behalf of the client device.
  - 14. The secure gateway of claim 13,wherein the identifier maps to the first digital certificate and the second digital certificate stored by the certificate repository,wherein the first digital certificate authenticates the user to the first certificate-protected resource, andwherein the second digital certificate authenticates the user to the second certificate-protected resource.

15. A computer-readable storage medium comprising instructions for causing one or more programmable processors to:
- receive, with a secure gateway device that provides secure access to a resource network comprising a plurality of different certificate-protected resources, a first message from a client device coupled to the secure gateway device through an access network, wherein the first message comprises a request to access a first certificate-protected resource and an identifier for a user that is associated with the client device;
  
  initiate, in response to receiving the first message and by the secure gateway device, a protocol handshake between the secure gateway device and the first certificate-protected resource to establish a secure channel;
  
  map, with the secure gateway device, the identifier and the first certificate-protected resource specified within the request to a first digital certificate within a certificate repository of digital certificates of the secure gateway device, wherein the digital certificates stored within the repository of the secure gateway device are specific to individual ones of the plurality of different certificate-protected resources;
  
  receive, with the secure gateway device, a certificate request from the first certificate-protected resource as part of the protocol handshake;
  
  in response to the certificate request, send the first digital certificate from the secure gateway device to the first certificate-protected resource via the resource network to authenticate the secure gateway device to the first certificate-protected resource on behalf of the client device; and
  
  subsequent to authenticating the secure gateway device to the first certificate-protected resource, forward application data received from the first certificate-protected resource to the client device via the access network.
- View Dependent Claims (16)
- - 16. The computer-readable storage medium of claim 15, wherein the instructions further cause the one or more processors to:
    - authenticate the requesting agent in response to receiving the first message;
      
      receive, with the secure gateway device, a second message from the client device, wherein the second message comprises a request to access a second certificate-protected resource and the identifier;
      
      determine that the requesting agent is currently authenticated;
      
      map, with the secure gateway device, the identifier and the second certificate-protected resource to a second digital certificate within the certificate repository; and
      
      send the second digital certificate from the secure gateway device to the second certificate-protected resource.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pulse Secure, LLC (Ivanti Software, Inc.)
Original Assignee
Juniper Networks Incorporated
Inventors
Kumar, Kartik, Wood, James
Primary Examiner(s)
MOORTHY, ARAVIND K

Application Number

US12/711,094
Time in Patent Office

1,316 Days
Field of Search

713/175, 713/153, 713/168, 726/4, 726/11, 726/12, 726/23
US Class Current

713/175
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/0815   providing single-sign-on or...

H04L 63/0823   using certificates cryptogr...

H04L 63/0884   by delegation of authentica...

H04L 9/3247   involving digital signatures

H04L 9/3263   involving certificates, e.g...

Virtual single sign-on for certificate-protected resources

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

119 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Virtual single sign-on for certificate-protected resources

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

119 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links