System and method for proxying HTTP single sign on across network domains

US 10,015,286 B1
Filed: 06/23/2010
Issued: 07/03/2018
Est. Priority Date: 06/23/2010
Status: Active Grant

First Claim

Patent Images

1. A method, the comprising:

authenticating, by a network traffic management device and utilizing a first security protocol, a user of a remote client device in response to receiving a login request from the remote client device to access a secured network domain, wherein the login request includes a client certificate, which is encrypted in the first security protocol;

establishing, by the network traffic management device, a first connection between the remote client device and the secured network domain after the user has been verified to access the secured network domain;

receiving, by the network traffic management device, a service request from the remote client device to obtain a network service from a resource server in the secured network domain, transitioning, by the network traffic management device, to a second security protocol, sending, by the network traffic management device, a ticket granting request that is specific to the type of service request to a dedicated server, obtaining, by the network traffic management device, a service ticket from the dedicated server in the secured network domain for the service request in the second security protocol, locally storing, by the network traffic management device, the service ticket to allow the service ticket to be repeatedly used to request and access services within the secured domain, and providing, by the network traffic management device, access to the network service using the service ticket in response to the service request;

receiving, by the network traffic management device, another service request from the remote client device to obtain the network service from the resource server in the secured network domain; and

providing, by the network traffic management device, access to the network service using the stored service ticket in response to the another service request received from the remote client device to obtain the network service from the resource server and without communicating with the dedicated server from which the service ticket was previously obtained or authenticating the user.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method to establish and maintain access between a secured network and a remote client device communicating with different security protocols. Once the system and method verify that the remote client device had the requisite credentials to access the secured network domain, the system and method are delegated to fetch a service ticket to one or more dedicated servers on behalf of remote client device. The system and method receives a service ticket from the dedicated server and forwards the service ticket to the remote client device to use the service.

497 Citations

20 Claims

1. A method, the comprising:
- authenticating, by a network traffic management device and utilizing a first security protocol, a user of a remote client device in response to receiving a login request from the remote client device to access a secured network domain, wherein the login request includes a client certificate, which is encrypted in the first security protocol;
  
  establishing, by the network traffic management device, a first connection between the remote client device and the secured network domain after the user has been verified to access the secured network domain;
  
  receiving, by the network traffic management device, a service request from the remote client device to obtain a network service from a resource server in the secured network domain, transitioning, by the network traffic management device, to a second security protocol, sending, by the network traffic management device, a ticket granting request that is specific to the type of service request to a dedicated server, obtaining, by the network traffic management device, a service ticket from the dedicated server in the secured network domain for the service request in the second security protocol, locally storing, by the network traffic management device, the service ticket to allow the service ticket to be repeatedly used to request and access services within the secured domain, and providing, by the network traffic management device, access to the network service using the service ticket in response to the service request;
  
  receiving, by the network traffic management device, another service request from the remote client device to obtain the network service from the resource server in the secured network domain; and
  
  providing, by the network traffic management device, access to the network service using the stored service ticket in response to the another service request received from the remote client device to obtain the network service from the resource server and without communicating with the dedicated server from which the service ticket was previously obtained or authenticating the user.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein the service ticket is valid for an amount of time and the method further comprises:
    - storing the service ticket from the dedicated server for the service request as associated with the amount of time;
      
      determining when the service ticket is valid based on the amount of time; and
      
      sending the service ticket to the remote client device in response to the another service request, when the determining indicates the service ticket is valid based on the amount of time.
  - 3. The method of claim 1, wherein the second security protocol is a Kerberos-based authentication protocol or the client certificate is within a Common Access Card (CAC).
  - 4. The method of claim 1, wherein the first security protocol is different than the second security protocol.
  - 5. The method of claim 1, wherein the network service is a password protected web page.

6. A non-transitory machine readable medium having stored thereon instructions for establishing access between a secured network and a remote client device, comprising machine executable code which when executed by one or more processors, causes the one or more processors to:
- authenticate, utilizing a first security protocol, a user of a remote client device in response to receiving a login request from the remote client device to access a secured network domain, wherein the login request includes a client certificate, which is encrypted in the first security protocol;
  
  establish a first connection between the remote client device and the secured network domain after the user has been verified to access the secured network domain;
  
  receive a service request from the remote client device to obtain a network service from a resource server in the secured network domain, transition to a second security protocol, send a ticket granting request that is specific to the type of service request to a dedicated server, obtain a service ticket from a dedicated server in the secured network domain for the service request in the second security protocol locally store the service ticket to allow the service ticket to be repeatedly used to request and access services within the secured domain, and provide access to the network service using the service ticket in response to the service request;
  
  receive another service request from the remote client device to obtain the network service from the resource server in the secured network domain; and
  
  provide access to the network service using the stored service ticket in response to the another service request received from the remote client device to obtain the network service from the resource server and without communicating with the dedicated server from which the service ticket was previously obtained or authenticating the user.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The machine readable medium of claim 6, wherein service ticket is valid for an amount of time and the machine executable code when executed by the one or more processors further causes the one or more processors to perform:
    - store the service ticket from the dedicated server for the service request as associated with the predetermined amount of time;
      
      determine when the service ticket is valid based on the predetermined amount of time; and
      
      send the service ticket to the remote client device in response to the another service request, when the determining indicates the service ticket is valid based on the predetermined amount of time.
  - 8. The machine readable medium of claim 6, wherein the second security protocol is a Kerberos-based authentication protocol or the client certificate is within a Common Access Card (CAC).
  - 9. The machine readable medium of claim 6, wherein the first security protocol is different than the second security protocol.
  - 10. The machine readable medium of claim 6, wherein the network service is a password protected web page.

11. A network traffic management device comprising memory comprising programmed instructions stored thereon and at least one processor coupled to the memory and configured to be capable of executing the stored programmed instructions to:
- authenticate, utilizing a first security protocol, a user of a remote client device in response to receiving a login request from the remote client device to access a secured network domain, wherein the login request includes a client certificate, which is encrypted in the first security protocol;
  
  establish a first connection between the remote client device and the secured network domain after the user has been verified to access the secured network domain;
  
  receive a service request from the remote client device to obtain a network service from a resource server in the secured network domain, transition to a second security protocol, send a ticket granting request that is specific to the type of service request to a dedicated server, obtain a service ticket from a dedicated server in the secured network domain for the service request in the second security protocol, locally store the service ticket to allow the service ticket to be repeatedly used to request and access services within the secured domain, and provide access to the network service using the service ticket in response to the service request;
  
  receive another service request from the remote client device to obtain the network service from the resource server in the secured network domain; and
  
  provide access to the network service using the stored service ticket in response to the another service request received from the remote client device to obtain the network service from the resource server and without communicating with the dedicated server from which the service ticket was previously obtained or authenticating the user.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The device as set forth in claim 11 wherein the service ticket is valid for an amount of time and the processor is further configured to be capable of executing the stored programmed instructions to:
    - store the service ticket from the dedicated server for the service request as associated with the amount of time;
      
      determine when the service ticket is valid based on the amount of time; and
      
      send the service ticket to the remote client device in response to the another service request, when the determining indicates the service ticket is valid based on the amount of time.
  - 13. The device as set forth in claim 11 wherein the second security protocol is a Kerberos-based authentication protocol or the client certificate is within a Common Access Card (CAC).
  - 14. The device as set forth in claim 11 wherein the first security protocol is different than the second security protocol.
  - 15. The device as set forth in claim 11 wherein the network service is a password protected web page.

16. A network traffic management system comprising one or more network traffic management devices, dedicated servers, or resource servers, the network traffic management system comprising memory comprising programmed instructions stored thereon and one or more processors configured to be capable of executing the stored programmed instructions to:
- authenticate, utilizing a first security protocol, a user of a remote client device in response to receiving a login request from the remote client device to access a secured network domain, wherein the login request includes a client certificate, which is encrypted in the first security protocol;
  
  establish a first connection between the remote client device and the secured network domain after the user has been verified to access the secured network domain;
  
  receive a service request from the remote client device to obtain a network service from a resource server in the secured network domain, transition to a second security protocol, send a ticket granting request that is specific to the type of service request to a dedicated server, obtain a service ticket from the dedicated server in the secured network domain for the service request in the second security protocol, locally store the service ticket to allow the service ticket to be repeatedly used to request and access services within the secured domain, and provide access to the network service using the service ticket in response to the service request;
  
  receive another service request from the remote client device to obtain the network service from the resource server in the secured network domain; and
  
  provide access to the network service using the stored service ticket in response to the another service request received from the remote client device to obtain the network service from the resource server and without communicating with the dedicated server from which the service ticket was previously obtained or authenticating the user.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The system of claim 16, wherein the service ticket is valid for an amount of time and the one or more processors are further configured to be capable of executing the stored programmed instructions to:
    - store the service ticket from the dedicated server for the service request as associated with the amount of time;
      
      determine when the service ticket is valid based on the amount of time; and
      
      send the service ticket to the remote client device in response to the another service request, when the determining indicates the service ticket is valid based on the amount of time.
  - 18. The system of claim 16, wherein the second security protocol is a Kerberos-based authentication protocol or the client certificate is within a Common Access Card (CAC).
  - 19. The system of claim 16, wherein the first security protocol is different than the second security protocol.
  - 20. The system of claim 16, wherein the network service is a password protected web page.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
F5 Networks, Inc. (F5 Incorporated)
Original Assignee
F5 Networks, Inc. (F5 Incorporated)
Inventors
Costlow, Jeff J.
Primary Examiner(s)
Garcia, Gary S

Application Number

US12/822,146
Time in Patent Office

2,932 Days
Field of Search

713168, 713151, 713162, 709223, 709224, 709226, 709213, 709220, 709228, 709239, 709243, 709245, 380259, 705 50, 726 4, 726 8
US Class Current
CPC Class Codes

G06F 15/17306   Intercommunication techniques

G06F 16/94   Hypermedia Hyperlinking G06...

G06F 16/958   Organisation or management ...

G06F 40/134   Hyperlinking

H04L 67/142   Managing session states for...

H04L 67/146   Markers for unambiguous ide...

H04L 67/563   Data redirection of data ne...

H04L 69/14   Multichannel or multilink p...

H04L 69/24   Negotiation of communicatio...

H04L 9/08   Key distribution or managem...

H04L 9/0819   Key transport or distributi...

H04L 9/321   involving a third party or ...

System and method for proxying HTTP single sign on across network domains

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

497 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

System and method for proxying HTTP single sign on across network domains

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

497 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others