Selective policy-driven interception of encrypted network traffic utilizing a domain name service and a single-sign on service

Assignee

• Cisco Technology, Inc. · US

Inventors

• Alessandro Duminuco · Milano, IT
• Hendrikus G. P. Bosch · Aalsmeer, NL
• Jeffrey Napper · Delft, NL
• Vinny Parla · Felsen, US
• Julien Barbot · Princeton, US
• Sape Jurriën Mullender · Amsterdam, NL

Key dates

Classification

• Technology area (CPC H)Electricity
• CPC primaryH04L63/0815
• WIPO fieldDigital communication
• WIPO sectorElectrical engineering

Abstract

Techniques for utilizing an enterprise traffic interception service (TIS) to enforce policies that mandate how clients access software as a service (SaaS) offered by service providers and selectively intercept enterprise network traffic utilizing a domain name service (DNS) and a single sign-on (SSO) service on a per-client per-service basis. The TIS may include a DNS server, an identity provider service, a TLS inspecting proxy, and/or a policy server. The DNS server may handle requests to resolve an address of a service, and identify a policy, stored in the policy server, to redirect the client based on the identity of the client and the service. The identity provider service may later query the policy server during client authorization for the service to verify that the client request is in line with the policy and allow or deny access to the service.