Title of invention: Mechanisms to use network session identifiers for software-as-a-service authentication
Abstract: Techniques are provided for authenticating a subject of a client device to access a software-as-a-service (SaaS) server. A network access device receives a request from a client device to establish a network session and transfers identity information of the subject, the client device and the network session to a session directory database. A request is sent to access an application on a SaaS server. If it does not contain an identity assertion that identifies the subject, the request is redirected to an identity provider device (IdP), to provide identity assertion services to the subject. A network session identifier is inserted into the request by a network access device and the request is forwarded to the IdP. The IdP uses the network session identifier to query the session directory database for the identity information to be used for a security assertion of the subject to the SaaS server.
Publication number: US8949938(B2) Publication date: 2015.02.03
Application number: US201113282875 Filing date: 2011.10.27
Applicant: Cisco Technology, Inc. Inventors: Sowatskey Nathan; Cam-Winget Nancy; Thomson Susan E.; Jones David; Ansari Morteza; Wierenga Klaas; Salowey Joseph
Classification: G06F7/04; H04L29/06 Main classification: G06F7/04
Agency: Edell, Shapiro & Finnan, LLC Agent: Edell, Shapiro & Finnan, LLC
Main claim: 1. A method comprising: at a network access device of a network, receiving a request from a client device to establish a network session to access a server; sending identity information of the client device to a session directory database that is configured to store identity information of a plurality of client devices associated with the network access device; receiving a request from the client device to access an identity provider device that provides identity assertion services to the client device, wherein the identity assertion services include identity and context information associated with a subject of the client device; obtaining from the session directory database a unique network session identifier that identifies a network session and the subject of the client device that has authenticated with the network access device to access the network session; inserting the network session identifier into the request from the client device to access the identity provider device such that the network session identifier is available only to the identity provider device and the network session identifier is not revealed to the subject of the client device; and forwarding the request with the inserted network session identifier to the identity provider device, wherein the identity provider device generates an encrypted security assertion of an identity of a user associated with the network session, where the encrypted security assertion is signed using a certificate shared by the identity provider device and the server, and the identity provider device forwards the encrypted security assertion to the client device for insertion into a request from the client device to access the server.
Address: San Jose CA US
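The exchange described in the abstract and claim 1 (the network access device stamps the IdP-bound request with a session identifier the client never sees, the IdP resolves it through the session directory, and the SaaS server verifies the resulting signed assertion), as an added Python simulation that is not code from the patent or from Cisco. The header name, the use of an HMAC with a shared key in place of the shared certificate, and the message shapes are assumptions made for the illustration.

```python
import hmac, hashlib, json, secrets

# Constructed simulation; SESSION_HEADER and SHARED_KEY are assumed, not the patent's own.
SHARED_KEY = b"idp-saas-shared-key"     # stands in for the certificate shared by IdP and SaaS
SESSION_HEADER = "X-Network-Session-Id"  # assumed header carrying the inserted identifier

class SessionDirectory:
    """Stores identity info of authenticated sessions, keyed by network session id."""
    def __init__(self):
        self.sessions = {}
    def register(self, subject, device):
        session_id = secrets.token_hex(16)
        self.sessions[session_id] = {"subject": subject, "device": device}
        return session_id
    def lookup(self, session_id):
        return self.sessions.get(session_id)

class NetworkAccessDevice:
    """Authenticates the client, records it in the directory, stamps IdP-bound requests."""
    def __init__(self, directory):
        self.directory = directory
        self.by_device = {}  # device -> session id; kept here, never returned to the client
    def establish_session(self, subject, device):
        self.by_device[device] = self.directory.register(subject, device)
    def forward_to_idp(self, device, request):
        session_id = self.by_device.get(device)
        if session_id is None:
            return request   # unauthenticated device: nothing to insert
        stamped = dict(request)
        stamped["headers"] = {**request.get("headers", {}), SESSION_HEADER: session_id}
        return stamped

class IdentityProvider:
    """Resolves the inserted identifier via the directory and signs an assertion."""
    def __init__(self, directory):
        self.directory = directory
    def assert_identity(self, request):
        info = self.directory.lookup(request.get("headers", {}).get(SESSION_HEADER))
        if info is None:
            return None      # no usable identifier: fall back to an interactive login instead
        payload = json.dumps({"subject": info["subject"], "device": info["device"]}, sort_keys=True)
        sig = hmac.new(SHARED_KEY, payload.encode(), hashlib.sha256).hexdigest()
        return {"payload": payload, "sig": sig}

def saas_accepts(assertion):
    """SaaS server verifies the assertion with the shared key; returns the subject or None."""
    if assertion is None:
        return None
    expected = hmac.new(SHARED_KEY, assertion["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return None
    return json.loads(assertion["payload"])["subject"]
```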