VERIFIED DEVICE IDENTITY PROVIDING CONTEXT TO APPLICATION

    Publication number: US20180337920A1

    Publication date: 2018-11-22

    Application number: US15597332

    Filing date: 2017-05-17

    Abstract: A device obtains access to an application resource from a remote application server based on an authenticated device identifier. The device sends a request to access the application resource provided by the remote application server. The device receives a first message from the remote application server directing the device to send an authentication message to a device identity server. The authentication message requests an authenticated device identity for the device. The device attaches metadata associated with the device to the authentication message and sends the authentication message with the attached metadata to the device identity server. The device receives the authenticated device identity from the device identity server and sends the authenticated device identity to the remote application. The device obtains access to the application resource from the remote application server based on the authenticated device identity.

    2. Mechanisms to Use Network Session Identifiers for Software-As-A-Service Authentication
    Invention patent application (under examination, published)

    Publication number: US20150106617A1

    Publication date: 2015-04-16

    Application number: US14572075

    Filing date: 2014-12-16

    CPC classification number: H04L63/0823 H04L63/08

    Abstract: Techniques are provided for authenticating a subject of a client device to access a software-as-a-service (SaaS) server. A network access device receives a request from a client device to establish a network session and transfers identity information of the subject, the client device and the network session to a session directory database. A request is sent to access an application on a SaaS server. If it does not contain an identity assertion that identifies the subject, the request is redirected to an identity provider device, to provide identity assertion services to the subject. A network session identifier is inserted into the request by a network access device and the request is forwarded to the identity provider device. The identity provider device uses the network session identifier to query the session directory database for the identity information to be used for a security assertion of the subject to the SaaS server.


    3. Network policy architecture
    Granted invention patent

    Publication number: US11233742B2

    Publication date: 2022-01-25

    Application number: US16674693

    Filing date: 2019-11-05

    Abstract: One or more lower-level attributes of a first network policy are translated to one or more higher-level attributes of the first network policy, and one or more lower-level attributes of a second network policy are translated to one or more higher-level attributes of the second network policy. The first network policy controls how first network traffic is handled, and the second network policy controls how second network traffic is handled. The one or more higher-level attributes of the first network policy are compared with the one or more higher-level attributes of the second network policy. Based on the comparing, it is determined whether the first network traffic and the second network traffic are handled in a functionally equivalent manner. If not, the first network policy is dynamically updated to generate an updated first network policy that causes the first network traffic to be handled in the functionally equivalent manner.

    4. Mechanisms to use network session identifiers for software-as-a-service authentication
    Granted invention patent (in force)

    Publication number: US09356928B2

    Publication date: 2016-05-31

    Application number: US14572075

    Filing date: 2014-12-16

    CPC classification number: H04L63/0823 H04L63/08

    Abstract: Techniques are provided for authenticating a subject of a client device to access a software-as-a-service (SaaS) server. A network access device receives a request from a client device to establish a network session and transfers identity information of the subject, the client device and the network session to a session directory database. A request is sent to access an application on a SaaS server. If it does not contain an identity assertion that identifies the subject, the request is redirected to an identity provider device, to provide identity assertion services to the subject. A network session identifier is inserted into the request by a network access device and the request is forwarded to the identity provider device. The identity provider device uses the network session identifier to query the session directory database for the identity information to be used for a security assertion of the subject to the SaaS server.


    5. NETWORK POLICY ARCHITECTURE
    Invention patent application

    Publication number: US20210135995A1

    Publication date: 2021-05-06

    Application number: US16674693

    Filing date: 2019-11-05

    Abstract: One or more lower-level attributes of a first network policy are translated to one or more higher-level attributes of the first network policy, and one or more lower-level attributes of a second network policy are translated to one or more higher-level attributes of the second network policy. The first network policy controls how first network traffic is handled, and the second network policy controls how second network traffic is handled. The one or more higher-level attributes of the first network policy are compared with the one or more higher-level attributes of the second network policy. Based on the comparing, it is determined whether the first network traffic and the second network traffic are handled in a functionally equivalent manner. If not, the first network policy is dynamically updated to generate an updated first network policy that causes the first network traffic to be handled in the functionally equivalent manner.

    Verified device identity providing context to application

    Publication number: US10540507B2

    Publication date: 2020-01-21

    Application number: US15597332

    Filing date: 2017-05-17

    Abstract: A device obtains access to an application resource from a remote application server based on an authenticated device identifier. The device sends a request to access the application resource provided by the remote application server. The device receives a first message from the remote application server directing the device to send an authentication message to a device identity server. The authentication message requests an authenticated device identity for the device. The device attaches metadata associated with the device to the authentication message and sends the authentication message with the attached metadata to the device identity server. The device receives the authenticated device identity from the device identity server and sends the authenticated device identity to the remote application. The device obtains access to the application resource from the remote application server based on the authenticated device identity.
