Redirect to inspection proxy using single-sign-on bootstrapping

US 9,894,055 B2
Filed: 01/29/2016
Issued: 02/13/2018
Est. Priority Date: 01/15/2014
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

based on an authentication request generated in response to a user of a client device attempting to initiate a user session with a service provider and the user session being redirected by the service provider to an identity provider and the identity provider redirecting the user session to a proxy server, receiving, by the proxy server, a session cookie used to authenticate the user session from the identity provider;

sending, by the proxy server, an assertion on behalf of the user to the service provider;

receiving, by the proxy server, resource requests for service provider web pages and linked content from the client device;

forwarding, by the proxy server, the resource requests to the service provider;

receiving, at the proxy server, the service provider web pages and linked content from the service provider;

rewriting, by the proxy server, the service provider web pages and linked content to cause the client device to access the service provider web pages and linked content through the proxy server; and

sending, by the proxy server, rewritten service provider web pages and linked content to the client device.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An authentication request is generated when a user of a client device attempts to initiate a user session with an application managed by a service provider. An authentication response is generated based on credentials received from the user. The authentication response includes an assertion on behalf of the user. A delivery resource locator for the assertion is rewritten to a resource locator of a proxy in order to redirect the assertion to the proxy. The authentication response is sent to the client device together with the resource locator of the proxy in order to cause the client device to send the assertion to the proxy that decodes the re-written resource locator and sends the assertion to the service provider.

27 Citations

20 Claims

1. A method comprising:
- based on an authentication request generated in response to a user of a client device attempting to initiate a user session with a service provider and the user session being redirected by the service provider to an identity provider and the identity provider redirecting the user session to a proxy server, receiving, by the proxy server, a session cookie used to authenticate the user session from the identity provider;
  
  sending, by the proxy server, an assertion on behalf of the user to the service provider;
  
  receiving, by the proxy server, resource requests for service provider web pages and linked content from the client device;
  
  forwarding, by the proxy server, the resource requests to the service provider;
  
  receiving, at the proxy server, the service provider web pages and linked content from the service provider;
  
  rewriting, by the proxy server, the service provider web pages and linked content to cause the client device to access the service provider web pages and linked content through the proxy server; and
  
  sending, by the proxy server, rewritten service provider web pages and linked content to the client device.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein rewriting comprises rewriting the service provider web pages and linked content to a resource locator served by the proxy server, and wherein sending comprises sending the resource locator to the client device.
  - 3. The method of claim 1, wherein the service provider web pages and linked content comprises content generated by one or more service provider applications.
  - 4. The method of claim 1, further comprising analyzing the assertion to determine whether the user session is authenticated.
  - 5. The method of claim 1, further comprising receiving, from the service provider, an access grant indicating that the user is to be given access to the service provider.
  - 6. The method of claim 1, wherein the service provider web pages and linked content of the service provider are enrolled by an enterprise associated with an enterprise network.
  - 7. The method of claim 6, wherein the client device requests the service provider web pages and linked content while residing off-premises from the enterprise network.

8. An apparatus comprising:
- a network interface unit configured to send and receive communications over a network;
  
  a processor coupled to the network interface unit, wherein the processor is configured to;
  
  on the basis of an authentication request generated in response to a user of a client device attempting to initiate a user session with a service provider and the user session being redirected by the service provider to an identity provider and the identity provider redirecting the user session to a proxy server, receive from the identity provider a session cookie used to authenticate the user session;
  
  send an assertion on behalf of the user to the service provider;
  
  receive resource requests for service provider web pages and linked content from the client device;
  
  forward the resource requests to the service provider;
  
  receive the service provider web pages and linked content from the service provider;
  
  rewrite the service provider web pages and linked content to cause the client device to access the service provider web pages and linked content through the proxy server; and
  
  send rewritten service provider web pages and linked content to the client device.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The apparatus of claim 8, wherein the processor is configured to rewrite the service provider web pages and linked content to a resource locator served by the proxy server, and wherein the processor is configured to send the resource locator to the client device.
  - 10. The apparatus of claim 8, wherein the service provider web pages and linked content comprises content generated by one or more service provider applications.
  - 11. The apparatus of claim 8, wherein the processor is configured to analyze the assertion to determine whether the user session is authenticated.
  - 12. The apparatus of claim 8, wherein the processor is further configured to receive, from the service provider, an access grant indicating that the user is to be given access to the service provider.
  - 13. The apparatus of claim 8, wherein the service provider web pages and linked content of the service provider are enrolled by an enterprise associated with an enterprise network.
  - 14. The apparatus of claim 13, wherein the client device requests the service provider web pages and linked content while residing off-premises from the enterprise network.

15. One or more non-transitory computer readable storage media encoded with software comprising computer executable instructions, and when the software is executed, operable to:
- receive, by a proxy server, a session cookie from an identity provider, the session cookie being used to authenticate a user session of a user of a client device after an authentication request is generated in response to the user attempting to initiate the user session with a service provider and the user session is redirected by the service provider to the identity provider and the identity provider redirecting the user session to the proxy server;
  
  send, by the proxy server, an assertion on behalf of the user to the service provider;
  
  receive, by the proxy server, resource requests for service provider web pages and linked content from the client device;
  
  forward, by the proxy server, the resource requests to the service provider;
  
  receive, at the proxy server, the service provider web pages and linked content from the service provider;
  
  rewrite, by the proxy server, the service provider web pages and linked content to cause the client device to access the service provider web pages and linked content through the proxy server; and
  
  send, by the proxy server, rewritten service provider web pages and linked content to the client device.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer readable storage media of claim 15, wherein the instructions operable to rewrite comprises instructions operable to rewrite the service provider web pages and linked content to a resource locator served by the proxy server, and wherein the instructions operable to send comprises instructions operable to send the resource locator to the client device.
  - 17. The computer readable storage media of claim 15, wherein the service provider web pages and linked content comprises content generated by one or more service provider applications.
  - 18. The computer readable storage media of claim 15, wherein the instructions are further operable to:
    - analyze the assertion to determine whether the user session is authenticated.
  - 19. The computer readable storage media of claim 15, wherein the instructions are further operable to:
    - receive, from the service provider, an access grant indicating that the user is to be given access to the service provider.
  - 20. The computer readable storage media of claim 15, wherein the service provider web pages and linked content of the service provider are enrolled by an enterprise associated with an enterprise network, and the client device requests the service provider web pages and linked content while residing off-premises from the enterprise network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Parla, Vincent E., McGrew, David, Kielbasinski, Andrzej
Primary Examiner(s)
Hailu, Teshome

Application Number

US15/010,003
Publication Number

US 20160149898A1
Time in Patent Office

746 Days
Field of Search

726 7
US Class Current
CPC Class Codes

H04L 63/04   for providing a confidentia...

H04L 63/08   for authentication of entit...

H04L 63/0815   providing single-sign-on or...

H04L 63/0884   by delegation of authentica...

Redirect to inspection proxy using single-sign-on bootstrapping

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

27 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Redirect to inspection proxy using single-sign-on bootstrapping

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

27 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links