Mechanisms to use network session identifiers for software-as-a-service authentication

US 9,356,928 B2
Filed: 12/16/2014
Issued: 05/31/2016
Est. Priority Date: 10/27/2011
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

associating, at a network access device of a network, a unique network session identifier with a client device when the client device connects to the network access device;

receiving a request from the client device to access an identity provider device that provides identity assertion services to the client device, wherein the identity assertion services include identity and context information associated with a subject of the client device, wherein receiving the request comprises receiving a Uniform Resource Locator (URL) request from the client device to access the identity provider device, wherein receiving the URL request comprises receiving the URL request as a result of a redirect from an identity boundary device in response to the client device requesting access to software-as-a-service (SaaS) services outside of an enterprise network;

obtaining the unique network session identifier that identifies a network session and the subject of the client device that has authenticated with the network access device to access the network session;

inserting the unique network session identifier into the request from the client device to access the identity provider device; and

forwarding the request with the inserted unique network session identifier to the identity provider device, wherein the identity provider device generates an encrypted security assertion of an identity of the subject associated with the network session based on the unique network session identifier, wherein the encrypted security assertion is signed using a certificate shared by the identity provider device and a server, and the identity provider device forwards the encrypted security assertion to the client device for insertion into a request from the client device to access the server, wherein the unique network session identifier is never sent to the client device such that the unique network session identifier is available only to the identity provider device and the unique network session identifier is not revealed to the client device or to the subject of the client device that requests access to an application or information on the server.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are provided for authenticating a subject of a client device to access a software-as-a-service (SaaS) server. A network access device receives a request from a client device to establish a network session and transfers identity information of the subject, the client device and the network session to a session directory database. A request is sent to access an application on a SaaS server. If it does not contain an identity assertion that identifies the subject, the request is redirected to an identity provider device, to provide identity assertion services to the subject. A network session identifier is inserted into the request by a network access device and the request is forwarded to the identity provider device. The identity provider device uses the network session identifier to query the session directory database for the identity information to be used for a security assertion of the subject to the SaaS server.

41 Citations

16 Claims

1. A method comprising:
- associating, at a network access device of a network, a unique network session identifier with a client device when the client device connects to the network access device;
  
  receiving a request from the client device to access an identity provider device that provides identity assertion services to the client device, wherein the identity assertion services include identity and context information associated with a subject of the client device, wherein receiving the request comprises receiving a Uniform Resource Locator (URL) request from the client device to access the identity provider device, wherein receiving the URL request comprises receiving the URL request as a result of a redirect from an identity boundary device in response to the client device requesting access to software-as-a-service (SaaS) services outside of an enterprise network;
  
  obtaining the unique network session identifier that identifies a network session and the subject of the client device that has authenticated with the network access device to access the network session;
  
  inserting the unique network session identifier into the request from the client device to access the identity provider device; and
  
  forwarding the request with the inserted unique network session identifier to the identity provider device, wherein the identity provider device generates an encrypted security assertion of an identity of the subject associated with the network session based on the unique network session identifier, wherein the encrypted security assertion is signed using a certificate shared by the identity provider device and a server, and the identity provider device forwards the encrypted security assertion to the client device for insertion into a request from the client device to access the server, wherein the unique network session identifier is never sent to the client device such that the unique network session identifier is available only to the identity provider device and the unique network session identifier is not revealed to the client device or to the subject of the client device that requests access to an application or information on the server.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, further comprising:
    - authenticating the subject of the client device to obtain authentication information associated with the subject of the client device; and
      
      sending the authentication information associated with the subject of the client device to a session directory database.
  - 3. The method of claim 1, wherein inserting comprises inserting the unique network session identifier into a hypertext transfer protocol (HTTP) header of the URL request.
  - 4. The method of claim 1, wherein inserting comprises inserting the unique network session identifier that comprises a pseudorandom number that is unique to the network.
  - 5. The method of claim 1, wherein receiving comprises receiving the request originating from the subject of the client device to access the identity provider device.

6. A method comprising:
- extracting, at an identity provider device in a network that provides identity assertion services which include identity and context information associated with a subject of a client device, a network session identifier from a request to access the identity provider device, wherein the request comprises a Uniform Resource Locator (URL) request, from the network access device and originating from the client device, for the client device to access the identity provider device, wherein the URL request is received as a result of a redirect from an identity boundary device in response to the client device requesting access to software-as-a-service (SaaS) services outside of an enterprise network, wherein a unique network session identifier is associated with the client device when the client device connects to a network access device, wherein the request is from the network access device and originates from the client device seeking to access a server, wherein the unique network session identifier is unique to the network access device and uniquely identifies a network session for the subject of the client device that has authenticated with the network access device;
  
  generating an encrypted security assertion of an identity of the subject associated with the network session based on the unique network session identifier such that the information associated with the unique network session identifier that uniquely identifies the subject is utilized to generate the encrypted security assertion, wherein the encrypted security assertion is signed using a certificate shared by the identity provider device and the server; and
  
  sending the encrypted security assertion to the client device, wherein the unique network session identifier is never sent to the client device such that the network session identifier is available only to the identity provider device and the unique network session identifier is not revealed to the client device or to the subject of the client device that requests access to an application or information on the server.
- View Dependent Claims (7, 8)
- - 7. The method of claim 6, wherein extracting comprises extracting the unique network session identifier from a hypertext transfer protocol (HTTP) header of the URL request.
  - 8. The method of claim 6, wherein generating comprises generating a security assertion markup language (SAML) assertion.

9. One or more non-transitory computer readable storage media encoded with software comprising computer executable instructions and when the software is executed operable to:
- associate a unique network session identifier with a client device when the client device connects to the network access device;
  
  receive a request from the client device to access an identity provider device that provides identity assertion services to the client device, wherein the identity assertion services include identity and context information associated with a subject of the client device, wherein the request comprises a Uniform Resource Locator (URL) request, from the network access device and originating from the client device, for the client device to access the identity provider device, wherein the URL request is received as a result of a redirect from an identity boundary device in response to the client device requesting access to software-as-a-service (SaaS) services outside of an enterprise network;
  
  obtain the unique network session identifier that identifies a network session and the subject of the client device that has authenticated with the network access device to access the network session;
  
  insert the unique network session identifier into the request from the client device to access the identity provider device; and
  
  forward the request with the inserted unique network session identifier to the identity provider device, wherein the identity provider device generates an encrypted security assertion of an identity of the subject associated with the network session based on the unique network session identifier, where the encrypted security assertion is signed using a certificate shared by the identity provider device and a server, and the identity provider device forwards the encrypted security assertion to the client device for insertion into a request from the client device to access the server, wherein the unique network session identifier is never forwarded to the client device such that the unique network session identifier is available only to the identity provider device and the unique network session identifier is not revealed to the client device or to the subject of the client device that requests access to an application or information on the server.
- View Dependent Claims (10)
- - 10. The computer readable storage media of claim 9, further comprising instructions operable to:
    - authenticate the subject of the client device to obtain authentication information associated with the subject of the client device; and
      
      send the authentication information associated with the subject of the client device to a session directory database.

11. One or more non-transitory computer readable storage media encoded with software comprising computer executable instructions and when the software is executed operable to:
- extract a network session identifier from a request to access an identity provider device, wherein the network session identifier is associated with a client device when the client device connects to a network access device, wherein the request is from the network access device and originates from the client device seeking to access a server, wherein the identity provider device provides identity assertion services include identity and context information associated with a subject of the client device, wherein the request comprises a Uniform Resource Locator (URL) request, from the network access device and originating from the client device, for the client device to access the identity provider device, wherein the URL request is received as a result of a redirect from an identity boundary device in response to the client device requesting access to software-as-a-service (SaaS) services outside of an enterprise network, wherein the network session identifier is unique to the network access device and uniquely identifies a network session for the subject of the client device that has authenticated with the network access device;
  
  generate an encrypted security assertion of an identity of the subject associated with the network session based on the network session identifier such that the information associated with the network session identifier is utilized to generate the encrypted security assertion, wherein the encrypted security assertion is signed using a certificate shared by the identity provider device and the server; and
  
  send the encrypted security assertion to the client device, wherein the network session identifier is never sent to the client device such that the network session identifier is available only to the identity provider device and the network session identifier is not revealed to the client device or to the subject of the client device that requests access to an application or information on the server.
- View Dependent Claims (12)
- - 12. The computer readable storage media of claim 11, further comprising instructions operable to determine, after receiving the request from the network access device, whether the request contains network session identifier information to be extracted from the request.

13. An apparatus comprising:
- a network interface unit configured to enable communications over a network;
  
  a switch unit coupled to the network interface unit;
  
  a memory; and
  
  a processor coupled to the switch unit and the memory and configured to;
  
  associate a unique network session identifier with a client device when the client device connects to the network access device;
  
  receive a request from the client device to access an identity provider device that provides identity assertion services to the client device, wherein the identity assertion services include identity and context information associated with a subject of the client device, wherein the request comprises a Uniform Resource Locator (URL) request, from the network access device and originating from the client device, for the client device to access the identity provider device, wherein the URL request is received as a result of a redirect from an identity boundary device in response to the client device requesting access to software-as-a-service (SaaS) services outside of an enterprise network;
  
  obtain from a session directory database the unique network session identifier that identifies a network session and identifies the subject of the client device that has authenticated with the network access device to access the network session;
  
  insert the unique network session identifier into the request from the client device to access the identity provider device; and
  
  forward the request with the inserted unique network session identifier to the identity provider device to cause the identity provider device to generate an encrypted security assertion of an identity of a user associated with the network session based on the unique network session identifier, where the encrypted security assertion is signed using a certificate shared by the identity provider device and a server, and the identity provider device forwards the encrypted security assertion to the client device for insertion into a request from the client device to access the server, wherein the unique network session identifier is never forwarded to the client device such that the unique network session identifier is available only to the identity provider device and the unique network session identifier is not revealed to the client device or to the subject of the client device that requests access to an application or information on the server.
- View Dependent Claims (14)
- - 14. The apparatus of claim 13, wherein the processor is further configured to:
    - authenticate the subject of the client device to obtain authentication information associated with the subject of the client device; and
      
      send the authentication information associated with the subject of the client device to the session directory.

15. An apparatus comprising:
- a network interface unit configured to enable communications over a network;
  
  a memory; and
  
  a processor coupled to the network interface unit and the memory and configured to;
  
  extract a unique network session identifier from a request to access the apparatus, wherein the unique network session identifier is associated with a client device when the client device connects to a network access device, wherein the request is from the network access device and originates from the client device seeking to access a server, wherein the request comprises a Uniform Resource Locator (URL) request, from the network access device and originating from the client device, for the client device to access the identity provider device, wherein the URL request is received as a result of a redirect from an identity boundary device in response to the client device requesting access to software-as-a-service (SaaS) services outside of an enterprise network, wherein the unique network session identifier is unique to the network access device and uniquely identifies a network session for a subject of the client device that has authenticated with the network access device;
  
  generate an encrypted security assertion of an identity of the subject associated with the network session based on the unique network session identifier such that the information associated with the network session identifier is utilized to generate the encrypted security assertion, wherein the encrypted security assertion is signed using a certificate shared by the identity provider device and the server; and
  
  send the encrypted security assertion to the client device, wherein the unique network session identifier is never sent to the client device such that the unique network session identifier is available only to the identity provider device and the unique network session identifier is not revealed to the client device or to the subject of the client device that requests access to an application or information on the server.
- View Dependent Claims (16)
- - 16. The apparatus of claim 15, wherein the processor is further configured to determine, after receiving the request from the network access device, whether the request contains network session identifier information to be extracted from the request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Sowatskey, Nathan, Cam-Winget, Nancy, Thomson, Susan E., Jones, David, Ansari, Morteza, Wierenga, Klaas, Salowey, Joseph
Primary Examiner(s)
Gelagay, Shewaye
Assistant Examiner(s)
LE, KHOI V

Application Number

US14/572,075
Publication Number

US 20150106617A1
Time in Patent Office

532 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/08 for authentication of entit...

H04L 63/0823 using certificates cryptogr...

Mechanisms to use network session identifiers for software-as-a-service authentication

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

41 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Mechanisms to use network session identifiers for software-as-a-service authentication

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

41 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links