Many modern computing applications are provided as cloud computing applications or software-as-a-service (SaaS) applications. For example, users associated with an enterprise or other organization may access applications, services, and data provided by third-party cloud service providers. Typical enterprise systems rely on network infrastructure to authenticate devices that access remote cloud applications. For example, enterprise systems may allow access to cloud applications for devices that are physically connected to a corporate intranet. As another example, enterprise systems may require mobile clients outside of the corporate intranet to connect to a virtual private network (VPN) prior to accessing the cloud application. In such systems, the VPN, firewall, and/or other enterprise network edge infrastructure is used to provide device authentication.
The Security Assertion Markup Language (SAML) version 2.0 standard, approved by OASIS®, defines a web browser single-sign-on (SSO) profile. In a typical implementation of the SAML web browser SSO profile, a cloud server may redirect a user agent to an identity provider located behind an enterprise firewall. In those implementations, the user agent may only access the identity provider after joining the enterprise VPN. Thus, in those implementations of the SAML web browser SSO profile, the enterprise network edge infrastructure is also used for device authentication.