Enterprises may use web-based resources and applications to expand the range of software services provided by an enterprise network. For example, an enterprise may use a web-based email and calendar program to provide email and calendar services for the organization. Such web-based resources and applications typically require minimal overhead, if any, in terms of additional hardware, software and/or administration needed, thereby providing time and cost savings to the enterprise in comparison to installing such resources and applications onto a network server or onto individual network devices.
Some service providers that host web-based resources and applications support security assertions, which allow an enterprise to use a separate identity provider to perform authentication and authorization of enterprise network users who attempt to access the web-based resources. For example, when a user's web browser requests access to a web-based resource, the web-based resource may redirect the browser to an identity provider to verify that the user is properly authenticated and/or authorized to use the internal resource of the enterprise. In response to the redirect, the browser may be required to forward a security assertion request to the identity provider. After the identity provider verifies proper security credentials for the user, the identity provider may formulate a security assertion indicating that the user has been properly authenticated and/or is authorized to use the resource, and send the security assertion to the user's browser. The user's browser then forwards the security assertion to the service provider, which, upon receiving the security assertion, allows the user to access the protected resource. In this way, an enterprise may allow users to access web-based resources and applications while retaining full control over the authentication and authorization of the enterprise network users accessing the web-based resources.
One example protocol for exchanging authentication and authorization information with an identity provider is the Security Assertion Markup Language (SAML) protocol, which provides an XML-based messaging format. Further details of the SAML protocol can be found in “Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0,” Organization for the Advancement of Structured Information Standards (OASIS), Mar. 15, 2005; “Authentication Context for the OASIS Security Assertion Markup Language (SAML) V2.0,” OASIS, Mar. 15, 2005; and “Security Assertion Markup Language (SAML) V2.0 Technical Overview,” OASIS, Mar. 25, 2008; the entire content of each of which is incorporated herein by reference.
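The checks a service provider applies to the SAML response the browser forwards to it, as an added example that is not part of the original text. It assumes the identity provider's XML signature has already been verified (a real service provider must do that before trusting any field below); the URLs, entity IDs and the sample response are constructed placeholders.

```python
import xml.etree.ElementTree as ET  # for untrusted XML in production, prefer defusedxml
from datetime import datetime

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def _ts(value):  # SAML timestamps are UTC ISO 8601 with a trailing 'Z'
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def validate_response(xml_text, *, idp_issuer, sp_entity_id, acs_url, request_id, now_iso):
    """Return (subject, reason); subject is None when a check fails. Each check blocks a
    concrete misuse: replaying an expired assertion, presenting one minted for another
    service provider, or one that does not answer the request this provider sent."""
    root = ET.fromstring(xml_text)
    if root.get("Destination") != acs_url:
        return None, "Destination is not this provider's assertion consumer URL"
    if root.get("InResponseTo") != request_id:
        return None, "InResponseTo does not match an outstanding request"
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        return None, "identity provider did not report Success"
    a = root.find("saml:Assertion", NS)
    if a is None or a.findtext("saml:Issuer", namespaces=NS) != idp_issuer:
        return None, "missing assertion or untrusted Issuer"
    cond = a.find("saml:Conditions", NS)
    now = _ts(now_iso)
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        return None, "assertion outside its validity window"
    audiences = [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        return None, "assertion was issued for a different audience"
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS), "ok"

# Constructed sample response (unsigned, illustration only); "_req42" is the ID the
# service provider recorded when it redirected the browser to the identity provider.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
  InResponseTo="_req42" Destination="https://mail.example.test/saml/acs">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://mail.example.test</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
```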
Enterprises may use virtual private networks (VPN) to allow employees to securely communicate with enterprise resources over public networks. For example, an enterprise may deploy a VPN gateway to provide secure access to the enterprise resources. The use of a VPN provides assurances that others on the public network cannot intercept, read, or reuse communications sent on the VPN. An employee using a client device at a remote location may establish a secure communication session (i.e., a VPN tunneling session) with the VPN gateway through a public network, such as the Internet. To establish the tunneling session with the VPN gateway, the user may provide authentication credentials (e.g., a username-password combination) to authenticate with the VPN gateway. Upon authentication of the user, software applications executing on the client device and the VPN gateway may negotiate security parameters (e.g., encryption mechanisms, keys, certificates and the like) for the tunneling session.
A VPN handler executing on the client device typically handles establishing and maintaining the secure VPN tunnel. The VPN handler typically either executes as a software application separate from the web browser or resides at a layer of the networking stack lower than that of the web browser, and is therefore transparent to the web browser. As a result, the user is often required to authenticate multiple times in computing environments that require a security assertion for each access to a web resource. For example, the user typically must first authenticate to the VPN gateway to establish the secure tunneling session for the VPN and then re-authenticate to the identity provider when accessing a SAML-protected web resource.