The present disclosure relates to authenticating a network user for access to software services provided by a server.
Software-as-a-service (SaaS) is a software distribution model where applications hosted by remote servers are accessed by user clients over a network. In order to access the SaaS applications, a client may need to assert proper identification to a SaaS server. SaaS server authentication is subject to issues of managing online client identities and the ability to manage corporate access to SaaS systems. In general, an identity provider authenticates a user to a network using a form-based authentication. The user, for example, may authenticate with a network device (e.g., laptop, personal computer, Internet Protocol phone, etc.) and may also authenticate to the network.
Overview
Techniques are provided for asserting an identity of a client device with a server. A request is received from a client device to access processes hosted by the server. Network identifier information associated with the client device is obtained from the request. Confirmation of authentication of the client device is requested from an identity authentication server using the network identifier information. Access is provided to the client device for the processes hosted by the server when authentication of the client device is confirmed by the identity authentication server.
Enterprise network 104 comprises the identity authentication server 120, a client device 130, and session database 145. Identity authentication server 120 communicates with session database 145 to store information related to users/clients (e.g., client device 130) that authenticate with identity authentication server 120. For example, session database 145 may contain session data 150 that includes network identifier information for each user/client device. In one example, the network identifier information comprises a random number assigned to client device 130, which can later be correlated to an active client device session (e.g., by SaaS server 110). In another example, the network identifier information comprises an Internet Protocol (IP) address and/or media access control (MAC) address and a user name for each user/client device. For example, data associated with client device 130 may be stored in session database 145 with a corresponding random number, IP address, MAC address and user name that is used when client device 130 authenticates with identity authentication server 120, as described herein. Though session data 150 shows a randomly assigned number (as described above), IP address and MAC address information associated with corresponding user names stored in session database 145, it should be appreciated that any network identifier that identifies client device 130 may be stored as session data 150, and that any such network identifier can be configured to be appended as parameters to hypertext transfer protocol (HTTP) headers, and so used by SaaS server 110 to look up identity information in identity authentication server 120. It should also be appreciated that the techniques described herein are not limited to HTTP headers, and that other protocols could be used to carry the network information to a SaaS server, as described herein.
In general, client device 130 authenticates with identity authentication server 120, and information (e.g., data 150) pertaining to the authentication is stored in session database 145. Client device 130 also communicates with SaaS server 110 in order to request access to applications and/or information hosted by SaaS server 110. SaaS server 110 is configured to communicate with identity authentication server 120 to receive information pertaining to the authentication of client device 130, as described herein.
Turning to
The functions of processor 220 may be implemented by logic encoded in one or more tangible computer readable storage media (e.g., embedded logic such as an application specific integrated circuit, digital signal processor instructions, software that is executed by a processor, etc.), wherein memory 230 stores data used for the operations described herein and stores software or processor executable instructions that are executed to carry out the operations described herein.
SaaS authentication and identification query logic 232 may take any of a variety of forms, so as to be encoded in one or more tangible computer readable memory media or storage device for execution, such as fixed logic or programmable logic (e.g., software/computer instructions executed by a processor) and the processor 220 may be an application specific integrated circuit (ASIC) that comprises fixed digital logic, or a combination thereof. For example, the processor 220 may be embodied by digital logic gates in a fixed or programmable digital logic integrated circuit, which digital logic gates are configured to perform SaaS authentication and identification query logic 232. In general, SaaS authentication and identification query logic 232 may be embodied in one or more computer readable storage media encoded with software comprising computer executable instructions and when the software is executed operable to perform the operations described herein for the process logic 232.
As described above, SaaS server 110 may host applications and may store information accessible to network clients (e.g., client device 130) that are verified or confirmed as being authenticated by virtue of an assertion from identity authentication server 120. SaaS application processes shown at 234 are meant to include applications and information hosted by SaaS server 110 that are also stored in memory 230. In general, client device 130 can access and utilize SaaS application processes 234 after client device 130 is confirmed as being authenticated by assertion according to the techniques described herein.
Reference is now made to
Client device 130 also, as described below, communicates with an identity boundary device 328. Identity boundary device 328 may be any device that is configured to receive access requests from client device 130 and to transmit these requests to SaaS server 110. Identity boundary device 328 communicates with SaaS server 110, which in turn communicates with identity authentication server 120, for example, to verify or confirm authentication of client device 130 by receipt of an assertion, as described herein. The SaaS server 110 can directly request confirmation of authentication from the identity authentication server 120 as shown at 333 and described hereinafter. The communications between these network entities are now described in more detail, in reference to
Client device 130 initiates a connection 312 to authenticate with NAD 314. Connection 312 is also shown in
After client device 130 authenticates with NAD 314, NAD 314 authenticates with identity authentication server 120 at 318 as part of the Access Control authentication process. Identity authentication server 120 may utilize, for example, a remote authentication dial-in user service (RADIUS) protocol to perform authentication, authorization and accounting (AAA) operations in order to authenticate NAD 314 and associated client device 130 with identity authentication server 120. The AAA operations may be performed, for example, on a centralized server or may be performed within identity authentication server 120. For simplicity,
After the Access Control authentication process has been completed (i.e., after operations 312, 318 and 320 have been performed), identity authentication server 120, at 324, stores the authentication information (e.g., IP address and associated user name) of client device 130 in session database 145. As described above, session database 145 may store data 150 (in
As stated above, SaaS server 110 may host SaaS application processes 234 comprising, for example, software applications and/or information. Client device 130 may access the application processes by sending a request for access to SaaS server 110. However, before SaaS server 110 provides access to client device 130, SaaS server 110 needs to obtain an assertion that client device 130 has authenticated with identity authentication server 120. For example, the SaaS server 110 may obtain a Security Assertion Markup Language (SAML) assertion, though it should be appreciated that any authentication and authorization assertion may be used. The assertion may contain, for example, an identity associated with client device 130. The assertion is populated based on the identity used when client device 130 authenticates with identity authentication server 120, which would typically be a user name associated with user 316 of client device 130, as stored in session database 145. Thus, the identity contained within the assertion obtained by SaaS server 110 may, for example, be the same user name associated with user 316 of client device 130. The request to access SaaS server 110 by client device 130 and the verification of authentication of client device 130 are now described.
After client device 130 has authenticated with NAD 314 and identity authentication server 120, client device 130 subsequently sends a request 326 to identity boundary device 328. Identity boundary device 328 may receive request 326 directly from client device 130 (e.g., via an authentication request or attribute query) or may receive request 326 by intercepting a request that is intended for SaaS server 110. In one example, request 326 may be received by identity boundary device 328 if it is in a data path between client device 130 and SaaS server 110. In another example, request 326 may be received by identity boundary device 328 if a network router redirects request 326 (for example, through a web cache communication protocol (WCCP)) to identity boundary device 328.
After identity boundary device 328 receives request 326 from client device 130, identity boundary device 328 appends, at 330, a network identifier associated with client device 130 to a header of request 326. For example, identity boundary device 328 may append the randomly assigned number, IP address or MAC address associated with client device 130 to an HTTP header of request 326. After identity boundary device 328 appends the network identifier information to a header of request 326, at 332, the request with the network identifier information (e.g., the randomly assigned number, IP address and/or MAC address associated with client device 130) is sent to SaaS server 110. In one example, identity boundary device 328 transparently appends the network identifier to the header of request 326, and accordingly, since identity boundary device 328 is transparent in the communication path between client device 130 and SaaS server 110, identity boundary device 328 may not communicate directly with SaaS server 110. Instead, client device 130 may receive request 326 with the network identifier information added by identity boundary device 328, and may send this request directly to SaaS server 110. It should be appreciated that identity boundary device 328 is configured to evaluate uniform resource locators (URLs) associated with request 326 in order to determine whether to append the network identifier to the header of request 326 (i.e., into the URL address), and whether to effect redirection to the client device or retransmit the request to the SaaS server 110.
After SaaS server 110 receives the request with the network identifier information, SaaS server 110 needs to obtain an assertion that client device 130 has authenticated with identity authentication server 120. Accordingly, SaaS server 110 requests confirmation of authentication of client device 130 from identity authentication server 120 using the network identifier information. In one example, SaaS server 110 may request confirmation of authentication directly from identity authentication server 120 as indicated by connection 333 in
At 334, SaaS server 110 initiates a redirect (e.g., an HTTP redirect) to client device 130 for a request for authentication from identity authentication server 120. For example, a web browser of client device 130 may support a single sign-on (SSO) profile as part of the SAML request to allow user 316 of client device 130 to access both identity authentication server 120 and SaaS server 110. In one example, the SaaS server 110 can query the identity boundary device 328 directly for a request for authentication via, for example, an external IP address of the identity authentication server 120, and the identity boundary device 328 can, in turn, query the identity authentication server 120. When client device 130 receives the redirected authentication request 334, client device 130 (via, e.g., an SSO-supporting web browser) responds to the redirected authentication request 334 by sending an authentication request 336 to identity authentication server 120. Upon receiving authentication request 336, identity authentication server 120, at 338, correlates network identifier information contained within authentication request 336 with data stored in session database 145 for client device 130. For example, if authentication request 336 contains an IP address associated with client device 130, identity authentication server 120 can evaluate data in session database 145 to determine whether or not a client device with that IP address has been authenticated by identity authentication server 120. If an identity associated with client device 130 has been authenticated by identity authentication server 120, identity authentication server 120, at 340, creates a signed assertion indicating that the identity associated with client device 130 has been authenticated. For example, identity authentication server 120 may create a SAML assertion and may encode within the SAML assertion the mechanism of authentication.
This allows a level of assurance for SaaS server 110 to know the degree to which it can rely on the authentication mechanism. For example, different SaaS servers 110 may require different levels of assurance for different sets of data or services.
In one example, the signed assertion may be a SAML assertion. SAML is a protocol used for exchanging assertions about authentication and attributes associated with a client device. A service provider (e.g., SaaS server 110) can use SAML to query an identity provider (e.g., identity authentication server 120) for authentication associated with a particular client device. In response to the query, the identity provider may provide authentication information to the service provider. This authentication information allows the service provider to establish a trust relationship with the identity provider, which allows the service provider to rely upon the identity provider assertions as being true. For example, if the identity provider indicates that a client device has been authenticated, the service provider will grant the client device access, with appropriate access controls based on the client device status.
After creating the signed assertion, identity authentication server 120 transmits the signed assertion, at 342, to client device 130 using, for example, the HTTP secure (HTTPS) protocol. Client device 130, at 344, transmits the signed assertion to SaaS server 110. Thus, SaaS server 110 is able to obtain an assertion that client device 130 has been authenticated by identity authentication server 120, and accordingly, SaaS server 110 can permit client device 130 to access SaaS application processes 234 hosted by SaaS server 110.
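The exchange described above, from the storing of session data at 324 through the header insertion at 330, the correlation and signed assertion at 338 and 340, and the SaaS-side acceptance at 344, as an added Python simulation that is not part of the application. The header name X-Network-Id, the HMAC-based signing (a stand-in for a SAML XML signature with an asymmetric key), the session and assertion lifetimes, and all user names, addresses and keys are assumptions constructed for this example.

```python
"""Simulation of the assertion flow: identity authentication server 120 with
session database 145, identity boundary device 328, and SaaS server 110.
Header name, HMAC signing, lifetimes and sample values are assumptions."""
import base64
import hashlib
import hmac
import json
import secrets
import time

MAX_SESSION_AGE = 8 * 3600           # assumed lifetime of a network session
ASSERTION_LIFETIME = 300             # assumed validity window of an assertion
NETWORK_ID_HEADER = "X-Network-Id"   # assumed header carrying the identifier
SAAS_AUDIENCE = "saas.example.test"  # constructed identifier for SaaS server 110

# Session database 145: one record, reachable by each identifier the boundary
# device might append (random number, IP address, MAC address).
SESSION_DB = {}

# Stand-in for the identity server's signing key (constructed, demo only).
IDP_SIGNING_KEY = b"constructed-demo-key-do-not-reuse"


def record_network_session(user_name, ip_address, mac_address):
    """Operation 324: store the client's authentication data once Access
    Control authentication completes. Returns the randomly assigned number."""
    random_number = secrets.token_hex(16)
    record = {"user": user_name, "ip": ip_address, "mac": mac_address,
              "random_number": random_number, "authenticated_at": time.time()}
    for key in (random_number, ip_address, mac_address):
        SESSION_DB[key] = record
    return random_number


def boundary_device_forward(request, observed_source_ip):
    """Operation 330: identity boundary device 328 appends the identifier.
    The value comes from the connection the device itself observes; any copy
    of the header already present in the request is dropped first, so the
    header only ever carries what the boundary device saw."""
    headers = {k: v for k, v in request["headers"].items()
               if k.lower() != NETWORK_ID_HEADER.lower()}
    headers[NETWORK_ID_HEADER] = observed_source_ip
    return {**request, "headers": headers}


def _sign(claims):
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(IDP_SIGNING_KEY, payload, hashlib.sha256).digest()
    return base64.b64encode(payload).decode() + "." + base64.b64encode(mac).decode()


def identity_server_confirm(network_id, audience):
    """Operations 338 and 340: correlate the identifier with session database
    145 and, for a live session, return a signed assertion that names the user
    and the mechanism of authentication. Returns None when nothing matches."""
    record = SESSION_DB.get(network_id)
    if record is None or time.time() - record["authenticated_at"] > MAX_SESSION_AGE:
        return None
    now = int(time.time())
    claims = {"subject": record["user"], "audience": audience,
              "authn_method": "network-access-control",  # lets the SaaS server judge assurance
              "issued_at": now, "expires_at": now + ASSERTION_LIFETIME}
    return _sign(claims)


def verify_assertion(signed, expected_audience):
    """SaaS-side check of the assertion received at 344: signature, audience
    and validity window must all hold, otherwise None is returned."""
    try:
        payload_b64, mac_b64 = signed.split(".")
        payload = base64.b64decode(payload_b64)
        expected = hmac.new(IDP_SIGNING_KEY, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, base64.b64decode(mac_b64)):
            return None
        claims = json.loads(payload)
    except (ValueError, TypeError):
        return None
    if claims.get("audience") != expected_audience:
        return None
    if not claims.get("issued_at", 0) <= time.time() <= claims.get("expires_at", 0):
        return None
    return claims


def saas_handle_request(request, confirm=identity_server_confirm):
    """Operations 332 through 344 as seen by SaaS server 110."""
    network_id = request["headers"].get(NETWORK_ID_HEADER)
    if network_id is None:
        return 302, "redirect to identity authentication server"
    signed = confirm(network_id, SAAS_AUDIENCE)
    claims = verify_assertion(signed, SAAS_AUDIENCE) if signed else None
    if claims is None:
        return 403, "authentication not confirmed"
    return 200, claims["subject"]


if __name__ == "__main__":
    record_network_session("alice", "10.0.0.5", "aa:bb:cc:dd:ee:01")  # constructed
    raw = {"method": "GET", "path": "/app", "headers": {NETWORK_ID_HEADER: "10.0.0.7"}}
    print(saas_handle_request(boundary_device_forward(raw, "10.0.0.5")))  # (200, 'alice')
    print(saas_handle_request(boundary_device_forward(raw, "10.0.0.9")))  # (403, ...)
```

Two properties of the scheme are made explicit here. First, the confirmation is only as strong as the binding between the network identifier and the authenticated device, so the boundary device must derive the identifier from what it observes on the wire and must replace, not merge, any header of the same name that arrives from the client; a SaaS server should likewise ignore the header on any path that does not pass through the boundary device. Second, the signed assertion, not the header, is what the SaaS server relies on: it checks the signature, that the assertion was issued for it, and that it is within its validity window, and it can use the encoded authentication mechanism to decide the level of assurance it will grant.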
Thus, by receiving authentication information (e.g., a signed assertion) from identity authentication server 120, SaaS server 110 can enable a single sign-on for client device 130, allowing client device 130 to access SaaS application processes 234 without having to authenticate again.
Reference is now made to
It should be appreciated that the techniques described above in connection with all embodiments may be performed by one or more computer readable storage media that are encoded with software comprising computer executable instructions to perform the methods and steps described herein.
In sum, a method is provided comprising: at a server, receiving a request from a client device to access processes hosted by the server; obtaining from the request network identifier information associated with the client device; requesting confirmation of authentication of the client device using the network identifier information from an identity authentication server; and providing access to the client device for the processes hosted by the server when authentication of the client device is confirmed by the identity authentication server.
In addition, one or more computer readable storage media is provided encoded with software comprising computer executable instructions and when the software is executed operable to: receive a request from a client device to access processes hosted by a server; obtain from the request network identifier information associated with the client device; request confirmation of authentication of the client device using the network identifier information from an identity authentication server; and provide access to the client device for the processes hosted by the server when authentication of the client device is confirmed by the identity authentication server.
Further, an apparatus is provided comprising a network interface device configured to enable communications over a network, a memory and a processor. The processor is coupled to the network interface device and the memory and is configured to receive a request from a client device to access processes hosted by a server; obtain from the request network identifier information associated with the client device; request confirmation of authentication of the client device using the network identifier information from an identity authentication server; and provide access to the client device for the processes hosted by the server when authentication of the client device is confirmed by the identity authentication server.
The above description is intended by way of example only. Various modifications and structural changes may be made therein without departing from the scope of the concepts described herein and within the scope and range of equivalents of the claims.