Redirect to inspection proxy using single-sign-on bootstrapping

US 9,294,462 B2
Filed: 01/15/2014
Issued: 03/22/2016
Est. Priority Date: 01/15/2014
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

on the basis of an authentication request generated in response to a user of a client device attempting to initiate a user session with an application managed by a service provider and the service provider redirecting the attempted user session of the client device to an identity provider, generating an authentication response based on credentials received from the user, the authentication response including an assertion on behalf of the user;

rewriting a delivery resource locator for the assertion to a resource locator of a proxy in order to redirect the assertion to the proxy and to cause the client device to access service provider web pages and linked content through the proxy; and

sending to the client device the authentication response together with the resource locator of the proxy in order to cause the client device to send the assertion to the proxy that decodes the re-written resource locator and sends the assertion to the service provider so the proxy rewrites and sends the service provider web pages and linked content to the client device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An authentication request is generated when a user of a client device attempts to initiate a user session with an application managed by a service provider. An authentication response is generated based on credentials received from the user. The authentication response includes an assertion on behalf of the user. A delivery resource locator for the assertion is rewritten to a resource locator of a proxy in order to redirect the assertion to the proxy. The authentication response is sent to the client device together with the resource locator of the proxy in order to cause the client device to send the assertion to the proxy that decodes the re-written resource locator and sends the assertion to the service provider.

Citations

20 Claims

1. A method comprising:
- on the basis of an authentication request generated in response to a user of a client device attempting to initiate a user session with an application managed by a service provider and the service provider redirecting the attempted user session of the client device to an identity provider, generating an authentication response based on credentials received from the user, the authentication response including an assertion on behalf of the user;
  
  rewriting a delivery resource locator for the assertion to a resource locator of a proxy in order to redirect the assertion to the proxy and to cause the client device to access service provider web pages and linked content through the proxy; and
  
  sending to the client device the authentication response together with the resource locator of the proxy in order to cause the client device to send the assertion to the proxy that decodes the re-written resource locator and sends the assertion to the service provider so the proxy rewrites and sends the service provider web pages and linked content to the client device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein generating, rewriting and sending are performed by the identity provider.
  - 3. The method of claim 2, further comprising the identity provider authenticating the user session to the proxy.
  - 4. The method of claim 2, wherein authenticating the user session to the proxy comprises sharing a session cookie between the identity provider and the proxy.
  - 5. The method of claim 2, wherein authenticating comprises the proxy analyzing the assertion to determine whether the user session is authenticated.
  - 6. The method of claim 2, further comprising the identity provider receiving the authentication request from the client device.
  - 7. The method of claim 1, wherein rewriting is performed so that access through the proxy is obfuscated and embedded in a resource locator for the proxy.
  - 8. The method of claim 1, further comprising encrypting the assertion with a shared secret also known by the proxy, thereby requiring the proxy to decrypt the assertion before forwarding the assertion to the service provider.
  - 9. The method of claim 1, further comprising generating the assertion so as to require the proxy to rewrite and re-sign it before it can be accepted by the service provider.
  - 10. The method of claim 1, wherein the proxy receives the service provider web pages and linked content from the service provider, content rewrites the received the service provider web pages and linked content, and sends rewritten service provider web pages and linked content to the client device.

11. A method comprising:
- receiving at an identity provider an authentication request generated in response to a user of a client device attempting to initiate a user session with an application managed by a service provider and the service provider redirecting the attempted user session of the client device to an identity provider;
  
  generating an authentication response based on credentials received from the user, the response including an assertion on behalf of the user;
  
  rewriting a delivery resource locator for the assertion to a resource locator of a proxy in order to redirect the assertion to the proxy and to cause the client device to access service provider web pages and linked content through the proxy; and
  
  sending to the client device the authentication response together with the resource locator of the proxy in order to cause the client device to send the assertion to the proxy so the proxy rewrites and sends the service provider web pages and linked content to the client device.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The method of claim 11, wherein rewriting is performed so that access through the proxy is obfuscated.
  - 13. The method of claim 12, wherein rewriting comprises rewriting a resource locator for the proxy.
  - 14. The method of claim 11, further comprising encrypting the assertion with a shared secret also known by the proxy, thereby requiring the proxy to decrypt the assertion before forwarding the assertion to the service provider.
  - 15. The method of claim 11, wherein the proxy receives the service provider web pages and linked content from the service provider, content rewrites the received the service provider web pages and linked content, and sends rewritten service provider web pages and linked content to the client device.

16. An apparatus comprising:
- a network interface unit configured to send and receive communications over a network;
  
  a processor coupled to the network interface unit, wherein the processor is configured to;
  
  on the basis of an authentication request generated in response to a user of a client device attempting to initiate a user session with an application managed by a service provider and the service provider redirecting the attempted user session of the client device to an identity provider, generate an authentication response based on credentials received from the user, the response including an assertion on behalf of the user;
  
  rewrite a delivery resource locator for the assertion to a resource locator of a proxy in order to redirect the assertion to the proxy and to cause the client device to access service provider web pages and linked content through the proxy; and
  
  supply the authentication response to the network interface unit to be sent to the client device together with the resource locator of the proxy in order to cause the client device to send the assertion to the proxy so the proxy rewrites and sends the service provider web pages and linked content to the client device.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The apparatus of claim 16, wherein the processor is configured to rewrite the resource locator so that access through the proxy is obfuscated and embedded in a resource locator for the proxy.
  - 18. The apparatus of claim 16, wherein the processor is configured to encrypt the assertion with a shared secret also known by the proxy.
  - 19. The apparatus of claim 16, wherein the processor is configured to generate the assertion so as to require the proxy to rewrite and re-sign it before it can be accepted by the service provider.
  - 20. A system comprising the apparatus of claim 16, wherein the proxy is configured to:
    - receive the service provider web pages and linked content from the service provider;
      
      content rewrite the received the service provider web pages and linked content; and
      
      send rewritten service provider web pages and linked content to the client device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Parla, Vincent E., McGrew, David, Kielbasinski, Andrzej
Primary Examiner(s)
Hailu, Teshome

Application Number

US14/155,865
Publication Number

US 20150200924A1
Time in Patent Office

797 Days
Field of Search

726/7
US Class Current

1/1
CPC Class Codes

H04L 63/04   for providing a confidentia...

H04L 63/08   for authentication of entit...

H04L 63/0815   providing single-sign-on or...

H04L 63/0884   by delegation of authentica...

Redirect to inspection proxy using single-sign-on bootstrapping

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Redirect to inspection proxy using single-sign-on bootstrapping

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links