Abstract: Operations include transmitting, on behalf of a first application, a first request to a first service provider, the first request requesting first services from the first service provider, intercepting, at a local agent, a first redirect message from the first service provider to an identity provider, receiving an identity provider cookie from the identity provider based on a validation of credentials during the authentication process, storing a copy of the identity provider cookie, transmitting, on behalf of a second application, a second request to a second service provider, the second request requesting second services from the second service provider, intercepting a second redirect message from the second service provider to the identity provider, adding the identity provider cookie to the second redirect message, and receiving validation to access the second service provider from the identity provider based on the identity provider cookie stored by the local agent.

Abstract: Techniques for using a single sign-on (SSO) service as a software defined networking (SDN) controller for a virtual private network environment. The techniques disclosed herein may include receiving, at a first authentication service, first data including a first request to authenticate a user of a client device to access an application. The techniques may also include sending, to the client device, second data representing a second request configured to prompt a second authentication service to authenticate the user of the client device. Additionally, the first authentication service may receive an indication that the user was authenticated by the second authentication service and determine, based at least in part on an attribute associated with at least one of the client device or the application, whether the client device is to access the application using an unsecured connection or, alternatively, access the application using a secured connection.

Abstract: In one embodiment, a method includes detecting a request to route traffic to a service associated with an application. The method also includes identifying an application identifier associated with the application and selecting, using the application identifier, a label from a plurality of labels included in a routing table. The label includes one or more routes. The method further includes routing the traffic to the service associated with the application using the label.

Abstract: This disclosure describes techniques for dynamically changing a user authorization with a service provider during an ongoing user session. The changing user authorization may be used to address changing confidence in an identity of a user consuming a service provided by the service provider. The changing user authorization may also be used to adjust a scope of a service to which a user has access. The present techniques may allow single-sign-on type protocols to accomplish the flexible and dynamic change-of-authorization functionality of some traditional protocols to handle ongoing client-server sessions, rather than simply revoking authorization for access to the service. For this reason, the present techniques are able to integrate advantages of traditional protocols with newer, single-sign-on-type protocols.

Abstract: An example method is provided in one example embodiment and may include receiving traffic associated with at least one of a mobile network and a Gi-Local Area Network (Gi-LAN), wherein the traffic comprises one or more packets; determining a classification of the traffic to a service chain, wherein the service chain comprises one or more service functions associated at least one of one or more mobile network services and one or more Gi-LAN services; routing the traffic through the service chain; and routing the traffic to a network using one of a plurality of egress interfaces, wherein each egress interface of the plurality of egress interfaces is associated with at least one of the one or more mobile network services and the one or more Gi-LAN services.

Abstract: A method is provided in one example embodiment and may include determining at a parent content node that a plurality of recipient content nodes are to receive a same content; generating, based on a determination that the same content is available at the parent content node, a multi-delivery header comprising a plurality of identifiers, wherein each identifier of the plurality of identifiers indicates each recipient content node that is to receive the same content; appending the multi-delivery header to one or more packets of an Internet Protocol (IP) flow associated with the same content; and transmitting packets for the IP flow to each of the plurality of the recipient content nodes.

Abstract: Systems, methods, and computer-readable storage media are provided for managing application traffic. A routing policy defines the data flow path between the client device (which uses a virtual private network (VPN) client) and the appropriate network-based service. Based on various factors associated with the user, the client device, and the destination (e.g. network-based service), the routing policy will direct the VPN client to communicate with either a public DNS (via the public Internet) or to a private DNS (via the private Intranet). The resulting IP addresses will be used to establish a particular route (either over a public Internet or private Intranet) between the client device and the network-based service in accordance to the routing policy.

Abstract: An identity provider (IdP) service interoperates with a Virtual Private Network (VPN) client. The IdP service receives a login request originating from the VPN client to establish a VPN tunnel between the VPN client and a VPN host, the login request indicating a user of the VPN client. The IdP service provides a response to the login request. The response includes at least both first information including an indication that the user of the VPN client is an authorized user and second information including an indication of a VPN policy for the VPN tunnel, the VPN policy including a VPN client policy to be utilized during the VPN tunnel by the VPN client and a VPN host policy to be utilized during the VPN tunnel by the VPN host.

Abstract: An example method is provided in one example embodiment and may include receiving traffic associated with at least one of a mobile network and a Gi-Local Area Network (Gi-LAN), wherein the traffic comprises one or more packets; determining a classification of the traffic to a service chain, wherein the service chain comprises one or more service functions associated at least one of one or more mobile network services and one or more Gi-LAN services; routing the traffic through the service chain; and routing the traffic to a network using one of a plurality of egress interfaces, wherein each egress interface of the plurality of egress interfaces is associated with at least one of the one or more mobile network services and the one or more Gi-LAN services.

Abstract: An IP multicast group may include a plurality of group members corresponding to a plurality of host receivers that are connected to router nodes of a multicast distribution tree and joined in the multicast group. At least some of the router nodes may store a plurality of group member indicator bits associated with the multicast group. Each group member indicator bit may be assigned to a respective one of the group members and indicate whether the respective group member is reachable downstream from the router node. During IP multicast, the router node may receive an IP multicast message having a destination address field, a source address field, and a payload field. The payload field may include one or more data items of a multicast data stream. The destination address field may include a multicast group address for addressing communications to the multicast group.

Abstract: In one example embodiment, a server generates a candidate instantiation of virtual applications among a plurality of hosts in a data center to support a multicast stream. The server provides, to a first set of agents corresponding to a first set of the plurality of hosts, a command to initiate a test multicast stream. The server provides, to a second set of agents corresponding to a second set of the plurality of hosts, a command to join the test multicast stream. The server obtains, from the second set of agents, a message indicating whether the second set of agents received the test multicast stream. If the message indicates that the second set of agents received the test multicast stream, the server causes the virtual applications to be instantiated in accordance with the candidate instantiation of the virtual applications.

Abstract: Dynamically tailored trust for secure application-server networking and advanced enterprise security is provided. A system can individually assess the security posture of each application connecting to the Internet from each client device in an enterprise. For each application, the system tailors a security mode of the Internet connection based on the security posture of the application. Assessment of the security posture of an application is a comprehensive inventory of the security of the application, the security of the device hosting the application, the rights and security of the user, security attributes of the intended service or website being accessed, the security of the communication channel, and so forth. A network-based controller communicates with an agent running within a secure boot mode of each client device to select a security mode for application-service connection, including lean-trust direct access to the Internet, secure VPN-like access, or no access to the Internet.

Abstract: Disclosed are concepts for provided for managing application traffic. A method includes receiving a request to access a service from an application, confirming an entity of a user of the application and, based on the confirmation, generating, via an authentication service, a routing policy for data flows between the application and the service. The routing policy defines a mandated path between the application and the service. The method also can include storing proof-of-transit data in the traffic flow for tracking an actual path from the application to the service and determining whether the data path complies with the mandated path defined in the policy. When the determination indicates that the actual path followed the mandated path defined in the routing policy, the method includes granting access to the user for the service. When the actual path differs from the mandated path, the method includes denying access to the user.

Abstract: In one embodiment, a method includes detecting a request to route traffic to a service associated with an application. The method also includes identifying an application identifier associated with the application and selecting, using the application identifier, a label from a plurality of labels included in a routing table. The label includes one or more routes. The method further includes routing the traffic to the service associated with the application using the label.

Abstract: In one embodiment, secure service chaining can be implemented efficiently for content delivery systems. An orchestrator can determine a service chain for processing a request from a client for content. The orchestrator can determine a capability identifying nodes of the service chain. The orchestrator can then transmit, to the client, a redirect message having the capability, wherein the redirect message redirects the request to a first node of the service chain. The nodes of the service chain can verify the capability and carry out the service chain. Service functions can be applied to the traffic flow associated with delivering the content to the user.

Abstract: Systems, methods, and computer-readable storage media are provided for managing application traffic. A routing policy defines the data flow path between the client device (which uses a virtual private network (VPN) client) and the appropriate network-based service. Based on various factors associated with the user, the client device, and the destination (e.g. network-based service), the routing policy will direct the VPN client to communicate with either a public DNS (via the public Internet) or to a private DNS (via the private Intranet). The resulting IP addresses will be used to establish a particular route (either over a public Internet or private Intranet) between the client device and the network-based service in accordance to the routing policy.

Abstract: Disclosed are concepts for provided for managing application traffic. A method includes receiving a request to access a service from an application, confirming an entity of a user of the application and, based on the confirmation, generating, via an authentication service, a routing policy for data flows between the application and the service. The routing policy defines a mandated path between the application and the service. The method also can include storing proof-of-transit data in the traffic flow for tracking an actual path from the application to the service and determining whether the data path complies with the mandated path defined in the policy. When the determination indicates that the actual path followed the mandated path defined in the routing policy, the method includes granting access to the user for the service. When the actual path differs from the mandated path, the method includes denying access to the user.

Abstract: In one example embodiment, a server generates a candidate instantiation of virtual applications among a plurality of hosts in a data center to support a multicast stream. The server provides, to a first set of agents corresponding to a first set of the plurality of hosts, a command to initiate a test multicast stream. The server provides, to a second set of agents corresponding to a second set of the plurality of hosts, a command to join the test multicast stream. The server obtains, from the second set of agents, a message indicating whether the second set of agents received the test multicast stream. If the message indicates that the second set of agents received the test multicast stream, the server causes the virtual applications to be instantiated in accordance with the candidate instantiation of the virtual applications.

Abstract: Disclosed are concepts for provided for managing application traffic. A method includes receiving a request to access a service from an application, confirming an entity of a user of the application and, based on the confirmation, generating, via an authentication service, a routing policy for data flows between the application and the service. The routing policy defines a mandated path between the application and the service. The method also can include storing proof-of-transit data in the traffic flow for tracking an actual path from the application to the service and determining whether the data path complies with the mandated path defined in the policy. When the determination indicates that the actual path followed the mandated path defined in the routing policy, the method includes granting access to the user for the service. When the actual path differs from the mandated path, the method includes denying access to the user.

Abstract: A method is provided in one example embodiment and may include determining at a parent content node that a plurality of recipient content nodes are to receive a same content; generating, based on a determination that the same content is available at the parent content node, a multi-delivery header comprising a plurality of identifiers, wherein each identifier of the plurality of identifiers indicates each recipient content node that is to receive the same content; appending the multi-delivery header to one or more packets of an Internet Protocol (IP) flow associated with the same content; and transmitting packets for the IP flow to each of the plurality of the recipient content nodes.