Secure mobile client with assertions for access to service provider applications

US 9,876,799 B2
Filed: 09/03/2015
Issued: 01/23/2018
Est. Priority Date: 08/09/2012
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, from a client device, a request to access a Software-as-a-Service (SaaS) application, the request including an assertion created by the client device;

discovering a secure identity provider using information contained in the assertion;

sending a response to the client device, wherein the response redirects the client device to a web page hosted by the secure identity provider, wherein the secure identity provider validates credentials of a user of the client device and, when the credentials are valid, provides a secure identity provider assertion to the client device;

receiving, from the client device, another request to access the SaaS application, the other request including the secure identity provider assertion; and

based on the secure identity provider assertion, sending another response to the client device denying or granting access to the SaaS application.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A Software-as-a-Service (SaaS) access control application on a client device is configured with a certificate that identifies a user, and with configuration information for one or more SaaS applications to access, and including an IDP identifier for the SaaS application. The SaaS access control application includes software to be inserted into a network software stack of the client device and software configured to serve as an identity provider for assertions. A request, made by an application on the client device to a SaaS service provider identified by a Universal Resource Locator (URL) provided during configuration of the SaaS access control application, is intercepted within the network software stack of the client device. The SaaS access control application generates an assertion based on the certificate and configuration information. The requesting application is caused to make a request to the SaaS service provider with the assertion embedded in the request.

Citations

20 Claims

1. A method comprising:
- receiving, from a client device, a request to access a Software-as-a-Service (SaaS) application, the request including an assertion created by the client device;
  
  discovering a secure identity provider using information contained in the assertion;
  
  sending a response to the client device, wherein the response redirects the client device to a web page hosted by the secure identity provider, wherein the secure identity provider validates credentials of a user of the client device and, when the credentials are valid, provides a secure identity provider assertion to the client device;
  
  receiving, from the client device, another request to access the SaaS application, the other request including the secure identity provider assertion; and
  
  based on the secure identity provider assertion, sending another response to the client device denying or granting access to the SaaS application.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the web page is configured to solicit entry of the credentials from the user of the client device.
  - 3. The method of claim 1, wherein the secure identity provider is an enterprise identity provider that has a relationship with the SaaS application.
  - 4. The method of claim 3, wherein discovering the secure identity provider includes discovering the secure identity provider based on a mapping from an enterprise name in the assertion to an Internet Protocol address or a Uniform Resource Locator of the secure identity provider.
  - 5. The method of claim 1, wherein the secure identity provider is a cloud-hosted identity provider associated with the SaaS application with which the user of the client device has a relationship.
  - 6. The method of claim 5, wherein discovering the secure identity provider includes discovering the secure identity provider based on a mapping from a service provider name in the assertion to an Internet Protocol address or a Uniform Resource Locator of the secure identity provider.
  - 7. The method of claim 1, further comprising:
    - storing information representing a level of assurance for access to resources controlled by the SaaS application,wherein sending the other response includes sending the other response based on the level of assurance.

8. An apparatus comprising:
- a network interface configured to enable communications over a network including a client device that is seeking access to a Software-as-a-Service (SaaS) application;
  
  a memory; and
  
  a processor coupled to the network interface and the memory, wherein the processor is configured to;
  
  receive, from the client device, a request to access the SaaS application, the request including an assertion created by the client device;
  
  discover a secure identity provider using information contained in the assertion;
  
  send a response to the client device, wherein the response redirects the client device to a web page hosted by the secure identity provider, wherein the secure identity provider validates credentials of a user of the client device and, when the credentials are valid, provides a secure identity provider assertion to the client device;
  
  receive, from the client device, another request to access the SaaS application, the other request including the secure identity provider assertion; and
  
  based on the secure identity provider assertion, send another response to the client device denying or granting access to the SaaS application.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The apparatus of claim 8, wherein the web page is configured to solicit entry of the credentials from the user of the client device.
  - 10. The apparatus of claim 8, wherein the processor is further configured to:
    - store information representing a level of assurance for access to resources controlled by the SaaS application,wherein the processor is configured to send the other response by sending the response based on the level of assurance.
  - 11. The apparatus of claim 8, wherein the secure identity provider is an enterprise identity provider that has a relationship with the SaaS application.
  - 12. The apparatus of claim 11, wherein the processor is configured to discover the secure identity provider by discovering the secure identity provider based on a mapping from an enterprise name in the assertion to an Internet Protocol address or a Uniform Resource Locator of the secure identity provider.
  - 13. The apparatus of claim 8, wherein the secure identity provider is a cloud-hosted identity provider associated with the SaaS application with which the user of the client device has a relationship.
  - 14. The apparatus of claim 13, wherein the processor is configured to discover the secure identity provider by discovering the secure identity provider based on a mapping from a service provider name in the assertion to an Internet Protocol address or a Uniform Resource Locator of the secure identity provider.

15. One or more non-transitory computer readable storage media encoded with executable instructions that, when executed by a processor, cause the processor to:
- receive, from a client device, a request to access a Software-as-a-Service (SaaS) application, the request including an assertion created by the client device;
  
  discover a secure identity provider using information contained in the assertion;
  
  send a response to the client device, wherein the response redirects the client device to a web page hosted by the secure identity provider, wherein the secure identity provider validates credentials of a user of the client device and, when the credentials are valid, provides a secure identity provider assertion to the client device;
  
  receive, from the client device, another request to access the SaaS application, the other request including the secure identity provider assertion; and
  
  based on the secure identity provider assertion, send another response to the client device denying or granting access to the SaaS application.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The non-transitory computer readable storage media of claim 15, wherein the web page is configured to solicit entry of the credentials from the user of the client device.
  - 17. The non-transitory computer readable storage media of claim 15, further comprising instructions that, when executed by the processor, cause the processor to:
    - store information representing a level of assurance for access to resources controlled by the SaaS application,wherein the instructions that cause the processor to send the other response include instructions that cause the processor to send the other response based on the level of assurance.
  - 18. The non-transitory computer readable storage media of claim 15, wherein the secure identity provider is an enterprise identity provider that has a relationship with the SaaS application.
  - 19. The non-transitory computer readable storage media of claim 18, wherein the instructions that cause the processor to discover the secure identity provider include instructions that cause the processor to discover the secure identity provider based on a mapping from an enterprise name in the assertion to an Internet Protocol address or a Uniform Resource Locator of the secure identity provider.
  - 20. The non-transitory computer readable storage media of claim 15, wherein the secure identity provider is a cloud-hosted identity provider associated with the SaaS application with which the user of the client device has a relationship.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Sowatskey, Nathan
Primary Examiner(s)
ABYANEH, ALI S

Application Number

US14/844,363
Publication Number

US 20150381625A1
Time in Patent Office

873 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/31   User authentication

G06F 21/335   for accessing specific reso...

G06F 21/445   by mutual authentication, e...

H04L 63/08   for authentication of entit...

H04L 63/0823   using certificates cryptogr...

H04L 63/10   for controlling access to d...

H04L 63/168   above the transport layer

Secure mobile client with assertions for access to service provider applications

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Secure mobile client with assertions for access to service provider applications

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links