Abstract: A request generated by an unmanaged app to access a resource is received from a mobile device. A notification is sent to the mobile device. A device level VPN connection to the mobile device is established. A unique identifier is associated with the device level VPN. App level traffic received via the device level VPN is tagged with the unique identifier. Access to the resource is allowed in response to the request based at least in part on a determination based on the tags that app level traffic from a trusted app and app level traffic from the unmanaged app are associated with the same mobile device.

Abstract: In an embodiment, a system for asserting a mobile identity to users and devices in an enterprise authentication system includes a communication interface and a processor coupled to the interface. The processor is configured to receive, via the communication interface and from a first device, a request to authenticate a user to a service using a unique identity associated with a second device. The processor is configured to determine, based at least in part on the unique identity, an identity certificate associated with the request, generate an identity assertion based at least in part on the identity certificate, and provide the identity assertion via the communication interface to a requesting node with which the request to authenticate is associated.

Abstract: A request generated by an unmanaged app to access a resource is received from a mobile device. A notification is sent to the mobile device. A device level VPN connection to the mobile device is established. A unique identifier is associated with the device level VPN. App level traffic received via the device level VPN is tagged with the unique identifier. Access to the resource is allowed in response to the request based at least in part on a determination based on the tags that app level traffic from a trusted app and app level traffic from the unmanaged app are associated with the same mobile device.

Abstract: Techniques to provide secure access to a cloud service are disclosed. In various embodiments, enterprise mobility management (EMM) data associated with a set of enterprise users of mobile devices associated with an enterprise is received. Cloud service data associated with use of a cloud service of the cloud service provider by users associated with the enterprise is received and correlated with the EMM data. Usage of the cloud service by said users associated with the enterprise is analyzed, including one or both of access of the cloud service using one or more unmanaged devices and access of the cloud service using one or more unmanaged mobile apps.

Abstract: A request generated by an unmanaged app to access a resource is received from a mobile device. A notification is sent to the mobile device. A device level VPN connection to the mobile device is established. A unique identifier is associated with the device level VPN. App level traffic received via the device level VPN is tagged with the unique identifier. Access to the resource is allowed in response to the request based at least in part on a determination based on the tags that app level traffic from a trusted app and app level traffic from the unmanaged app are associated with the same mobile device.

Abstract: Techniques are disclosed to provide VPN and identity based authentication to cloud-based services. In various embodiments, a request to authenticate a user to a service is received. A user identity associated with one or both of the user and the request is determined based at least in part on data comprising the request. An identity assertion is generated based at least in part on the user identity. The identity assertion is provided to a requesting node with which the request to authenticate is associated.

Abstract: Techniques to provide secure access to a cloud-based service are disclosed. In various embodiments, a request is received from a client app on a device to connect to a security proxy associated with the cloud-based service. A secure tunnel connection between the device and a node with which the security proxy is associated is used to establish the requested connection to the security proxy. Information associated with the secure tunnel is used to determine that the requesting client app is authorized to access the cloud-based service from the device and to obtain from an identity provider associated with the cloud-based service a security token to be used by the client app to authenticate to the cloud-based service.

Abstract: Techniques are disclosed to provide VPN and identity based authentication to cloud-based services. In various embodiments, a request to authenticate a user to a service is received. A user identity associated with one or both of the user and the request is determined based at least in part on data comprising the request. An identity assertion is generated based at least in part on the user identity. The identity assertion is provided to a requesting node with which the request to authenticate is associated.

Abstract: Techniques are disclosed to provide VPN and identity based authentication to cloud-based services. In various embodiments, a request to authenticate a user to a service is received. A user identity associated with one or both of the user and the request is determined based at least in part on data comprising the request. An identity assertion is generated based at least in part on the user identity. The identity assertion is provided to a requesting node with which the request to authenticate is associated.

Abstract: In an embodiment, a system for asserting a mobile identity to users and devices in an enterprise authentication system includes a communication interface and a processor coupled to the interface. The processor is configured to receive, via the communication interface and from a first device, a request to authenticate a user to a service using a unique identity associated with a second device. The processor is configured to determine, based at least in part on the unique identity, an identity certificate associated with the request, generate an identity assertion based at least in part on the identity certificate, and provide the identity assertion via the communication interface to a requesting node with which the request to authenticate is associated.

Abstract: In an embodiment, a system for asserting a mobile identity to users and devices in an enterprise authentication system includes a communication interface and a processor coupled to the interface. The processor is configured to receive, via the communication interface and from a first device, a request to authenticate a user to a service using a unique identity associated with a second device. The processor is configured to determine, based at least in part on the unique identity, an identity certificate associated with the request, generate an identity assertion based at least in part on the identity certificate, and provide the identity assertion via the communication interface to a requesting node with which the request to authenticate is associated.

Abstract: Techniques to provide secure access to a cloud-based service are disclosed. In various embodiments, a request is received from a client app on a device to connect to a security proxy associated with the cloud-based service. A secure tunnel connection between the device and a node with which the security proxy is associated is used to establish the requested connection to the security proxy. Information associated with the secure tunnel is used to determine that the requesting client app is authorized to access the cloud-based service from the device and to obtain from an identity provider associated with the cloud-based service a security token to be used by the client app to authenticate to the cloud-based service.

Abstract: Techniques to provide secure mobile access to a cloud-based service are disclosed. In various embodiments, a request to access the cloud-based service is received from a mobile device. A security certificate associated with the request is used to synthesize a basic authentication header associated with the request. The synthesized basic authentication header is sent to the cloud-based service on behalf of the mobile device.

Abstract: A request generated by an unmanaged app to access a resource is received from a mobile device. A notification is sent to the mobile device. A device level VPN connection to the mobile device is established. A unique identifier is associated with the device level VPN. App level traffic received via the device level VPN is tagged with the unique identifier. Access to the resource is allowed in response to the request based at least in part on a determination based on the tags that app level traffic from a trusted app and app level traffic from the unmanaged app are associated with the same mobile device.

Abstract: Techniques to provide secure access to a cloud-based service are disclosed. In various embodiments, a request is received from a client app on a device to connect to a security proxy associated with the cloud-based service. A secure tunnel connection between the device and a node with which the security proxy is associated is used to establish the requested connection to the security proxy. Information associated with the secure tunnel is used to determine that the requesting client app is authorized to access the cloud-based service from the device and to obtain from an identity provider associated with the cloud-based service a security token to be used by the client app to authenticate to the cloud-based service.

Abstract: A method, apparatus and computer program product for performing load balancing of SNDs and FNDs is presented. The presently disclosed method and apparatus for providing load balancing solves the problem of improper wireless traffic distribution in an enterprise network that may cause overload on some FNDs while some others are lightly loaded. The presently described methods and apparatus, by use of a single command, allow a user to restore the FNDs and SNDs to a preplanned topology or balance the load on controllers without overriding the manual assignments specified by the user.

Abstract: Techniques described herein convert mobile traffic between different types of VPN protocols, including IP and Transport. In an embodiment, a security proxy associated with a server receives a packet associated with a client app on a device, the packet including a source identifier and a destination identifier. The security proxy reassigns a tunnel identifier as the source and a node identifier as the destination, then stores a correlation of the tunnel identifier, the source identifier, and the destination identifier. The security proxy forwards the packet to the node inside the security proxy, and determines the destination identifier based on the correlation. The node then forwards the packet to the destination. This allows for multiple devices to use a same source identifier, e.g., same IP address. In some embodiments, a secure connection is established and/or the device and server are mutually authenticated prior to the processing of the packets.

Abstract: Techniques to provide secure access to a cloud-based service are disclosed. In various embodiments, a request is received from a client app on a device to connect to a security proxy associated with the cloud-based service. A secure tunnel connection between the device and a node with which the security proxy is associated is used to establish the requested connection to the security proxy. Information associated with the secure tunnel is used to determine that the requesting client app is authorized to access the cloud-based service from the device and to obtain from an identity provider associated with the cloud-based service a security token to be used by the client app to authenticate to the cloud-based service.

Abstract: Techniques to provide secure mobile access to a cloud-based service are disclosed. In various embodiments, a request to access the cloud-based service is received from a mobile device. A security certificate associated with the request is used to synthesize a basic authentication header associated with the request. The synthesized basic authentication header is sent to the cloud-based service on behalf of the mobile device.

Abstract: Techniques to provide secure access to a cloud-based service are disclosed. In various embodiments, a request is received from a client app on a device to connect to a security proxy associated with the cloud-based service. A secure tunnel connection between the device and a node with which the security proxy is associated is used to establish the requested connection to the security proxy. Information associated with the secure tunnel is used to determine that the requesting client app is authorized to access the cloud-based service from the device and to obtain from an identity provider associated with the cloud-based service a security token to be used by the client app to authenticate to the cloud-based service.