Secure mobile client with assertions for access to service provider applications
First Claim
1. A method comprising:
receiving, from a client device, a request to access a Software-as-a-Service (SaaS) application, the request including an assertion created by the client device;
discovering a secure identity provider using information contained in the assertion;
sending a response to the client device, wherein the response redirects the client device to a web page hosted by the secure identity provider, wherein the secure identity provider validates credentials of a user of the client device and, when the credentials are valid, provides a secure identity provider assertion to the client device;
receiving, from the client device, another request to access the SaaS application, the other request including the secure identity provider assertion; and
based on the secure identity provider assertion, sending another response to the client device denying or granting access to the SaaS application.
Abstract
A Software-as-a-Service (SaaS) access control application on a client device is configured with a certificate that identifies a user and with configuration information for one or more SaaS applications to be accessed, including an identity provider (IDP) identifier for each SaaS application. The SaaS access control application includes software to be inserted into the network software stack of the client device and software configured to serve as an identity provider for assertions. A request made by an application on the client device to a SaaS service provider, identified by a Uniform Resource Locator (URL) provided during configuration of the SaaS access control application, is intercepted within the network software stack of the client device. The SaaS access control application generates an assertion based on the certificate and the configuration information. The requesting application is then caused to make a request to the SaaS service provider with the assertion embedded in the request.
20 Claims
1. A method as set out under First Claim above. (Dependent claims 2, 3, 4, 5, 6 and 7 depend from claim 1.)
8. An apparatus comprising:
a network interface configured to enable communications over a network including a client device that is seeking access to a Software-as-a-Service (SaaS) application;
a memory; and
a processor coupled to the network interface and the memory, wherein the processor is configured to:
receive, from the client device, a request to access the SaaS application, the request including an assertion created by the client device;
discover a secure identity provider using information contained in the assertion;
send a response to the client device, wherein the response redirects the client device to a web page hosted by the secure identity provider, wherein the secure identity provider validates credentials of a user of the client device and, when the credentials are valid, provides a secure identity provider assertion to the client device;
receive, from the client device, another request to access the SaaS application, the other request including the secure identity provider assertion; and
based on the secure identity provider assertion, send another response to the client device denying or granting access to the SaaS application.
(Dependent claims 9, 10, 11, 12, 13 and 14 depend from claim 8.)
15. One or more non-transitory computer readable storage media encoded with executable instructions that, when executed by a processor, cause the processor to:
receive, from a client device, a request to access a Software-as-a-Service (SaaS) application, the request including an assertion created by the client device;
discover a secure identity provider using information contained in the assertion;
send a response to the client device, wherein the response redirects the client device to a web page hosted by the secure identity provider, wherein the secure identity provider validates credentials of a user of the client device and, when the credentials are valid, provides a secure identity provider assertion to the client device;
receive, from the client device, another request to access the SaaS application, the other request including the secure identity provider assertion; and
based on the secure identity provider assertion, send another response to the client device denying or granting access to the SaaS application.
(Dependent claims 16, 17, 18, 19 and 20 depend from claim 15.)
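The two round trips that claims 1, 8 and 15 describe (client-created assertion in, identity provider discovered from it and a redirect out; identity provider assertion in, grant or deny out), together with the client-side assertion the abstract says is built from the user certificate and the configured IDP identifier, as an added Go example. This is not code from the patent or from any product it covers. Everything in it is assumed for illustration: the assertion format (a JSON body plus an ECDSA P-256 signature over its SHA-256 hash), the claim names iss, sub, idp, aud and exp, the hostnames, the device ID, and the lookup tables that stand in for the service provider's configuration. The device key stands in for the user certificate, and the IDP's credential check is not modelled; the IDP simply signs its assertion once the user is taken to be authenticated.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"time"
)

// Assertion is this example's wire format (not the patent's): JSON body plus ECDSA P-256 signature.
type Assertion struct{ Body, Sig []byte }
// Claims carried in an assertion body; the field names are this example's.
type Claims struct {
	Issuer   string `json:"iss"` // enrolled device ID, or IDP identifier
	Subject  string `json:"sub"` // user named by the device certificate
	IDP      string `json:"idp"` // IDP identifier from the client configuration
	Audience string `json:"aud"` // SaaS application the assertion is for
	Expires  int64  `json:"exp"` // Unix seconds
}
func Sign(key *ecdsa.PrivateKey, c Claims) (Assertion, error) {
	body, _ := json.Marshal(c) // cannot fail for plain string/int fields
	h := sha256.Sum256(body)
	sig, err := ecdsa.SignASN1(rand.Reader, key, h[:])
	return Assertion{Body: body, Sig: sig}, err
}

// Verify reads the not-yet-trusted issuer field only to pick a key, then checks signature, expiry and audience before any claim is relied on.
func Verify(a Assertion, keys map[string]*ecdsa.PublicKey, aud string) (Claims, error) {
	var c Claims
	if err := json.Unmarshal(a.Body, &c); err != nil {
		return Claims{}, err
	}
	pub, ok := keys[c.Issuer]
	switch h := sha256.Sum256(a.Body); {
	case !ok:
		return Claims{}, errors.New("unknown issuer " + c.Issuer)
	case !ecdsa.VerifyASN1(pub, h[:], a.Sig):
		return Claims{}, errors.New("bad signature")
	case !time.Now().Before(time.Unix(c.Expires, 0)):
		return Claims{}, errors.New("assertion expired")
	case c.Audience != aud:
		return Claims{}, errors.New("assertion not intended for " + aud)
	}
	return c, nil
}

// ServiceProvider is the SaaS side; IDPLogin is the discovery table (IDP identifier sent by the client -> IDP login page).
type ServiceProvider struct {
	Name     string
	Devices  map[string]*ecdsa.PublicKey // device ID -> enrolled device key
	IDPKeys  map[string]*ecdsa.PublicKey // IDP identifier -> IDP signing key
	IDPLogin map[string]string
}

// HandleDeviceAssertion is the first round trip: authenticate the client-made assertion, discover the IDP it names, return the redirect.
func (sp *ServiceProvider) HandleDeviceAssertion(a Assertion) (redirect, subject string, err error) {
	c, err := Verify(a, sp.Devices, sp.Name)
	if err != nil {
		return "", "", err
	}
	login, ok := sp.IDPLogin[c.IDP]
	if !ok {
		return "", "", errors.New("unknown identity provider " + c.IDP)
	}
	return login, c.Subject, nil
}

// HandleIDPAssertion is the second round trip: nil means grant; it needs a valid, unexpired IDP assertion for this SP and for the subject who began the flow.
func (sp *ServiceProvider) HandleIDPAssertion(a Assertion, expectedSubject string) error {
	c, err := Verify(a, sp.IDPKeys, sp.Name)
	if err != nil {
		return err
	}
	if c.Subject != expectedSubject {
		return errors.New("subject does not match the device assertion")
	}
	return nil
}

// Demo wires one enrolled device, one IDP and one SP (constructed values), runs both round trips, then replays the IDP assertion at a second SP, which must refuse it.
func Demo() (redirect string, granted, replayRefused bool, err error) {
	devKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	idpKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	exp, idpID := time.Now().Add(time.Minute).Unix(), "https://idp.example.org"
	sp := &ServiceProvider{Name: "https://crm.example.com",
		Devices:  map[string]*ecdsa.PublicKey{"device-42": &devKey.PublicKey},
		IDPKeys:  map[string]*ecdsa.PublicKey{idpID: &idpKey.PublicKey},
		IDPLogin: map[string]string{idpID: idpID + "/login"}}
	// Client side: sign with the user certificate's key (devKey stands in for it) and name the configured IDP.
	devA, _ := Sign(devKey, Claims{Issuer: "device-42", Subject: "alice", IDP: idpID, Audience: sp.Name, Expires: exp})
	redirect, subject, err := sp.HandleDeviceAssertion(devA)
	// IDP side: after validating the user's credentials it issues its own assertion.
	idpA, _ := Sign(idpKey, Claims{Issuer: idpID, Subject: "alice", Audience: sp.Name, Expires: exp})
	granted = err == nil && sp.HandleIDPAssertion(idpA, subject) == nil
	other := &ServiceProvider{Name: "https://hr.example.com", IDPKeys: sp.IDPKeys} // same IDP trust, different SP
	replayRefused = other.HandleIDPAssertion(idpA, subject) != nil
	return
}
```

Two design points worth noting. The identifier in the client assertion is used only as a key into the service provider's own table of known identity providers; redirecting to a URL taken verbatim from a client-supplied assertion would let anyone who can craft an assertion steer users to a page of their choosing. And the device keys and IDP keys live in separate tables, so a device-signed assertion can never pass as an IDP assertion; the audience check on the IDP assertion is what makes the replay at the second service provider fail, and the subject check ties the second round trip to the first.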