Secure mobile client with assertions for access to service provider applications
First Claim
1. A method comprising:
- configuring a Software-as-a-Service (SaaS) access control application, which executes on a client device, with a certificate that identifies a user, configuration information for one or more SaaS applications to access and information to identify an identity provider for a given SaaS application, the SaaS access control application including software to be inserted into a network software stack that executes on the client device and further including embedded identity provider software configured to serve as an identity provider for assertions;
- intercepting, within the network software stack of the client device, a request made by an application on the client device to a SaaS service provider identified by a Universal Resource Locator (URL) provided during configuration of the SaaS access control application;
- redirecting the request made by the application back to the application, causing the application to make an identity provider request to the embedded identity provider software executing on the client device;
- generating, by the embedded identity provider software, an assertion based on the certificate and on configuration information provided during configuration of the SaaS access control application; and
- causing the application to make a request to the SaaS service provider with the assertion embedded in the request.
Abstract
A Software-as-a-Service (SaaS) access control application on a client device is configured with a certificate that identifies a user and with configuration information for one or more SaaS applications to access, including an identity provider (IDP) identifier for the SaaS application. The SaaS access control application includes software to be inserted into a network software stack of the client device and software configured to serve as an identity provider for assertions. A request, made by an application on the client device to a SaaS service provider identified by a Universal Resource Locator (URL) provided during configuration of the SaaS access control application, is intercepted within the network software stack of the client device. The SaaS access control application generates an assertion based on the certificate and configuration information. The requesting application is caused to make a request to the SaaS service provider with the assertion embedded in the request.
25 Claims
1. A method comprising:
- configuring a Software-as-a-Service (SaaS) access control application, which executes on a client device, with a certificate that identifies a user, configuration information for one or more SaaS applications to access and information to identify an identity provider for a given SaaS application, the SaaS access control application including software to be inserted into a network software stack that executes on the client device and further including embedded identity provider software configured to serve as an identity provider for assertions;
- intercepting, within the network software stack of the client device, a request made by an application on the client device to a SaaS service provider identified by a Universal Resource Locator (URL) provided during configuration of the SaaS access control application;
- redirecting the request made by the application back to the application, causing the application to make an identity provider request to the embedded identity provider software executing on the client device;
- generating, by the embedded identity provider software, an assertion based on the certificate and on configuration information provided during configuration of the SaaS access control application; and
- causing the application to make a request to the SaaS service provider with the assertion embedded in the request.
Dependent claims: 2 to 14.

15. One or more non-transitory computer readable storage media encoded with software comprising computer executable instructions and when the software is executed operable to:
- configure a Software-as-a-Service (SaaS) access control application, which executes on a client device, with a certificate that identifies a user, configuration information for one or more SaaS applications to access and information to identify an identity provider of a given SaaS application, the SaaS access control application including software to be inserted into a network software stack that executes on the client device and further including embedded identity provider software configured to serve as an identity provider for assertions;
- intercept, within the network software stack of the client device, a request made by an application on the client device to a SaaS service provider identified by a Universal Resource Locator (URL) provided during configuration of the SaaS access control application;
- redirect the request made by the application back to the application, causing the application to make an identity provider request to the embedded identity provider software executing on the client device;
- generate, by the embedded identity provider software, an assertion based on the certificate and on configuration information provided during configuration of the SaaS access control application; and
- cause the application to make a request to the SaaS service provider with the assertion embedded in the request.
Dependent claims: 16 to 20.

21. A device comprising:
- a network interface unit configured to enable network communications over a network;
- a memory; and
- a processor coupled to the network interface unit and to the memory, wherein the processor is configured to:
  - configure a Software-as-a-Service (SaaS) access control application stored in the memory of the device with a certificate that identifies a user, configuration information for one or more SaaS applications to access and information to identify an identity provider for a given SaaS application, the SaaS access control application including software to be inserted into a network software stack that is stored in the memory of the device and further including embedded identity provider software configured to serve as an identity provider for assertions;
  - intercept, within the network software stack, a request made by an application on the device to a SaaS service provider identified by a Universal Resource Locator (URL) provided during configuration of the SaaS access control application;
  - redirect the request made by the application back to the application, causing the application to make an identity provider request to the embedded identity provider software executing on the client device;
  - generate, by the embedded identity provider software, an assertion based on the certificate and on configuration information provided during configuration of the SaaS access control application; and
  - cause the application to make a request to the SaaS service provider with the assertion embedded in the request.
Dependent claims: 22 to 25.
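The client-side flow described in the abstract and in the independent claims (intercept in the network stack, redirect the app to the embedded identity provider, issue an assertion from the certificate and configuration, verify at the service provider), as an added Go example that is not code from the patent or from any product implementing it. The certificate is reduced to a user name plus an Ed25519 key pair, the local-idp:// redirect scheme and the assertion fields are assumptions, and the service provider's check shows why the assertion carries an audience and an expiry.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"strings"
)

// Config is what the access control application is provisioned with: the user named by the
// certificate plus that certificate's private key, the SaaS URL to intercept, and the IdP identifier (sample values are constructed).
type Config struct {
	User, SaaSURL, IdP string
	Key                ed25519.PrivateKey
}

// Assertion is a minimal stand-in for a SAML-style assertion; Sig covers the other fields.
type Assertion struct {
	Issuer, Subject, Audience string
	Expires                   int64
	Sig                       []byte
}
func (a Assertion) signedBytes() []byte {
	return []byte(fmt.Sprintf("%s|%s|%s|%d", a.Issuer, a.Subject, a.Audience, a.Expires))
}

// Intercept runs inside the network stack: a request to the configured SaaS URL is answered with
// a redirect that sends the app to the embedded IdP instead (the local-idp:// scheme is assumed).
func Intercept(cfg Config, reqURL string) (idpReq string, redirected bool) {
	if !strings.HasPrefix(reqURL, cfg.SaaSURL) {
		return reqURL, false
	}
	return "local-idp://" + cfg.IdP + "?sp=" + cfg.SaaSURL, true
}

// Issue is the embedded IdP: it answers the redirected request with an assertion for the
// certificate's user, bound to the configured SaaS URL as audience and valid for five minutes.
func Issue(cfg Config, idpReq string, now int64) (Assertion, error) {
	if !strings.HasPrefix(idpReq, "local-idp://"+cfg.IdP+"?") {
		return Assertion{}, fmt.Errorf("not a request for the embedded identity provider: %s", idpReq)
	}
	a := Assertion{Issuer: cfg.IdP, Subject: cfg.User, Audience: cfg.SaaSURL, Expires: now + 300}
	a.Sig = ed25519.Sign(cfg.Key, a.signedBytes())
	return a, nil
}

// VerifyAtSP is the service provider's check on the embedded assertion: a valid signature under
// the user certificate's public key, an audience equal to its own URL, and not yet expired.
func VerifyAtSP(pub ed25519.PublicKey, spURL string, a Assertion, now int64) bool {
	return a.Audience == spURL && now < a.Expires && ed25519.Verify(pub, a.signedBytes(), a.Sig)
}
```

Requests to hosts outside the configured SaaS URL pass through untouched, and an assertion issued for one SaaS URL is rejected by any other service provider, so a leaked assertion cannot be replayed against a different application.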
Specification