US 11,057,367 B2
Assertion proxy for single sign-on access to cloud applications
Kartik Kumar Chatnalli Deshpande Sridhar, Sunnyvale, CA (US); Lebin Cheng, Saratoga, CA (US); and Krishna Narayanaswamy, Saratoga, CA (US)
Assigned to Netskope, Inc., Santa Clara, CA (US)
Filed by Netskope, Inc., Santa Clara, CA (US)
Filed on Feb. 4, 2020, as Appl. No. 16/782,027.
Application 16/782,027 is a continuation of application No. 16/362,549, filed on Mar. 22, 2019, granted, now 10,659,450.
Application 16/362,549 is a continuation of application No. 15/795,957, filed on Oct. 27, 2017, granted, now 10,243,946, issued on Mar. 26, 2019.
Claims priority of provisional application 62/417,939, filed on Nov. 4, 2016.
Prior Publication US 2020/0177578 A1, Jun. 4, 2020
This patent is subject to a terminal disclaimer.
Int. Cl. H04L 29/06 (2006.01); H04L 29/08 (2006.01); H04L 9/32 (2006.01); H04L 9/14 (2006.01); H04L 9/30 (2006.01)
CPC H04L 63/0815 (2013.01) [H04L 9/14 (2013.01); H04L 9/30 (2013.01); H04L 9/3226 (2013.01); H04L 9/3247 (2013.01); H04L 9/3265 (2013.01); H04L 67/02 (2013.01); H04L 67/10 (2013.01); H04L 67/28 (2013.01); H04L 63/0281 (2013.01); H04L 63/0442 (2013.01); H04L 63/0464 (2013.01); H04L 63/0823 (2013.01)] 17 Claims
OG exemplary drawing
 
1. A system, comprising:
a processor coupled to a memory storing instructions that when executed by the processor implement an assertion proxy hosted by a cloud access service broker (CASB) separately from service providers and identity service providers providing SSO authentication to service providers, the assertion proxy configured to
receive, from an identity provider (IDP), an assertion that is generated when a user logs into a service provider (SP);
verify the received assertion in dependence upon the IDP's public key;
evaluate the verified assertion against one or more security policies; and
allow or block access to the SP based on information in the evaluated assertion by forwarding the evaluated assertion to the SP and causing establishment of a single sign-on (SSO) authenticated session without modifying the assertion; thereby managing a trust relationship between the assertion proxy, the IDP and the SP.
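The proxy flow in claim 1 (verify the assertion against the IdP's public key, evaluate it against policy, then forward it to the SP unmodified or block it), as an added illustration written for this page and not code from the patent or from Netskope. It assumes an Ed25519-signed JSON document as a stand-in for a SAML assertion; the Assertion fields, ProxyAssertion and SPAllowed are assumed names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)
// Assertion is a constructed, simplified stand-in for the SAML assertion of
// claim 1; the field names are assumptions, not the patent's.
type Assertion struct {
	Issuer  string `json:"issuer"`
	Subject string `json:"subject"`
	SP      string `json:"sp"`
}
// Policy is one security policy evaluated against a verified assertion.
type Policy func(a Assertion) bool

// ProxyAssertion models the assertion proxy: verify the IdP's signature over the
// raw bytes, evaluate policies on the parsed content, and on allow return the
// original bytes unmodified for forwarding to the SP.
func ProxyAssertion(idpPub ed25519.PublicKey, raw, sig []byte, policies []Policy) ([]byte, error) {
	// Verify first so policy never runs on content the IdP did not sign.
	if !ed25519.Verify(idpPub, raw, sig) {
		return nil, errors.New("assertion signature does not verify against IdP public key")
	}
	var a Assertion
	if err := json.Unmarshal(raw, &a); err != nil {
		return nil, fmt.Errorf("malformed assertion: %w", err)
	}
	for _, p := range policies {
		if !p(a) {
			return nil, errors.New("access to SP blocked by security policy")
		}
	}
	// Forward exactly what the IdP signed; the SP verifies that same signature.
	return append([]byte(nil), raw...), nil
}

// SPAllowed blocks assertions whose target SP is outside the sanctioned set.
func SPAllowed(sanctioned map[string]bool) Policy {
	return func(a Assertion) bool { return sanctioned[a.SP] }
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	raw, _ := json.Marshal(Assertion{Issuer: "idp.example", Subject: "alice", SP: "crm.example"})
	out, err := ProxyAssertion(pub, raw, ed25519.Sign(priv, raw), []Policy{SPAllowed(map[string]bool{"crm.example": true})})
	fmt.Println(string(out), err)
}
```

Because the proxy never rewrites the assertion, the SP can keep verifying the IdP's signature directly, which is what preserves the IdP-to-SP trust relationship the claim describes.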