Device enrollment in a cloud service using an authenticated application

US 10,156,842 B2
Filed: 04/08/2016
Issued: 12/18/2018
Est. Priority Date: 12/31/2015
Status: Active Grant

First Claim

Patent Images

1. A method for negotiating machine access to a cloud-based application using an edge manager device;

the method comprising;

establishing, at an edge manager device in a cloud computing environment, a first client corresponding to a first application that is executed externally to the cloud computing environment, the first application configured to register identification information about one or more external devices with the edge manager device using the first client, to permit later data access to the edge manager device by the one or more external devices;

using the edge manager device, providing a first request via a first network to an authorization service application to obtain client identification and client secret information for use by the first client;

receiving the client identification and client secret information at the edge manager device from the authorization service application via the first network, wherein the client identification and client secret information are selected by the authorization service application to permit later data access to the edge manager device by the first client; and

using the edge manager device, providing the client identification and client secret information to the first client via a second network.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In various example embodiments, systems and methods for administering machine access to a cloud service are presented. An edge manager device in a cloud computing environment can establish a first client for a first application that is executed externally to the cloud computing environment. The edge manager device can provide a first request via a first network to an authorization service application to obtain client identification and client secret information for use by the first client. The edge manager device can receive the client identification and client secret information from the authorization service application via the first network. The client identification and client secret information can be selected by the authorization service application to permit later data access to the edge manager device by the first client. The edge manager device can provide the client identification and client secret information to the first client via a second network.

Citations

20 Claims

1. A method for negotiating machine access to a cloud-based application using an edge manager device;
- the method comprising;
  
  establishing, at an edge manager device in a cloud computing environment, a first client corresponding to a first application that is executed externally to the cloud computing environment, the first application configured to register identification information about one or more external devices with the edge manager device using the first client, to permit later data access to the edge manager device by the one or more external devices;
  
  using the edge manager device, providing a first request via a first network to an authorization service application to obtain client identification and client secret information for use by the first client;
  
  receiving the client identification and client secret information at the edge manager device from the authorization service application via the first network, wherein the client identification and client secret information are selected by the authorization service application to permit later data access to the edge manager device by the first client; and
  
  using the edge manager device, providing the client identification and client secret information to the first client via a second network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, further comprising receiving, at the edge manager device and from the first client via the third network, a request to pre-register a first external device with the edge manager device, the request including first device identification information for the first external device.
  - 3. The method of claim 2, further comprising using the edge manager device, updating a cloud-based device registry database to include the first device identification information for the first external device.
  - 4. The method of claim 3, further comprising receiving, at the edge manager device and via a third network, the first device identification information and a certificate signing request (CSR) from the first external device.
  - 5. The method of claim 4, wherein the receiving the first device identification information and the CSR from the first external device includes receiving a JSON web token from the first external device.
  - 6. The method of claim 4, wherein the receiving the first device identification information and the CSR from the first external device further includes receiving at least one of a MAC address, IP address, OS version, or BIOS version corresponding to the first external device.
  - 7. The method of claim 4, further comprising:
    - using the edge manager device, establishing credential data for use by the first external device to access a first cloud-based application; and
      
      using the edge manager device, providing the credential data to the first external device via the third network.
  - 8. The method of claim 7, wherein the establishing the credential data for use by the first external device includes, using the edge manager device, requesting device credential data from the authorization service application via the first network.
  - 9. The method of claim 8, further comprising using the edge manager device, providing the CSR to a registration authority application via the first network and, in return, receiving a signed certificate at the edge manager device.
  - 10. The method of claim 9, further comprising using the edge manager device, providing the signed certificate to the first external device via the third network.
  - 11. The method of claim 8, further comprising receiving, at the edge manager device and in response to the requesting the device credential data, an OAuth2 token for use by the first external device to establish a secure data communication link between the first external device and the first cloud-based application.
  - 12. The method of claim 11, further comprising using the edge manager device, providing the OAuth2 token to the first external device.
  - 13. The method of claim 1, further comprising receiving, at the edge manager device and from the first client via the second network, one or more requests to pre-register a plurality of external devices with the edge manager device, the one or more requests including respective device identification information for each of the plurality of external devices;
    - andusing the edge manager device, adding the respective device information for each of plurality of external devices to a cloud-based device registry database.
  - 14. The method of claim 13, further comprising:
    - receiving, at the edge manager device via a third network, a device enrollment request from a first external device of the plurality of external devices, the device enrollment request including first device identification information corresponding to the first external device; and
      
      using the edge manager device, querying the cloud-based device registry database to determine whether the first external device is pre-registered with the edge manager device.
  - 15. The method of claim 14, further comprising using the edge manager device to obtain, from the authorization service application, device-specific identification and secret information for use by the first external device to access a cloud-based application service.
  - 16. The method of claim 13, further comprising:
    - receiving, at the edge manager device via a third network, a device enrollment request from a first external device other than the plurality of external devices, the device enrollment request including first device identification information corresponding to the first external device; and
      
      using the edge manager device, returning a denial of access indication to the first external device when the first device identification information does not correspond to the device identification information for any one of the plurality of external devices.

17. A method for administering machine access to a cloud service application, the method comprising:
- using an authenticated application outside of a cloud environment, assigning first identification information for use by a first machine, including providing the first identification information to the first machine and to a cloud-based enrollment service application via separate networks;
  
  receiving, via a network and at the enrollment service application, an enrollment request from the first machine, the enrollment request including the assigned first identification information corresponding to the first machine; and
  
  determining, using the enrollment service application, whether the received first identification information corresponds to valid identification information based on a comparison of the received first identification information and previously-known valid identification information, wherein when the received first identification information is determined to correspond to the previously-known valid identification information, returning a certificate from the enrollment service application to the first machine, the certificate for use by the first machine to obtain data access to one or more cloud-based applications.
- View Dependent Claims (18, 19)
- - 18. The method of claim 17, further comprising enrolling the authenticated application with a cloud service, including using the enrollment service application to provide credential data to the authenticated application, the credential data configured to permit the authenticated application data access to one or more cloud-based applications.
  - 19. The method of claim 17, further comprising using the first machine, generating a certificate signing request (CSR) and providing the CSR and the first identification information from the first machine to the cloud-based enrollment service application via a network.

20. A method for using a device-based authentication certificate to obtain data access to a cloud-based destination application, the method comprising:
- using an edge manager device, receiving, via a first network, a first token and first data access request from a first machine wherein the first machine is outside of the cloud, the edge manager device configured to administer data access for the first machine to one or more cloud-based applications;
  
  using the edge manager device, querying a device registry database via a second network to determine whether an authentication certificate associated with the first token is previously known to correspond with the first machine;
  
  receiving an indication via the second network whether the authentication certificate is previously known to correspond with the first machine and, when the authentication certificate is previously known to correspond with the first machine, using the edge manager device, providing the first token and information about the first machine from the edge manager device to a cloud-based authorization service application via a third network;
  
  using the cloud-based authorization service application, verifying the first token against a cloud-based device registry, generating an OAuth2 token for use by the first machine when the first token is verified, and providing the OAuth2 token to the edge manager device via the third network; and
  
  using the edge manager device, providing the OAuth2 token to the first machine via the first network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
GE Digital Holdings LLC (GE Vernova, Inc.)
Original Assignee
General Electric Company
Inventors
Wu, Jiaqi, Lammers, Greg
Primary Examiner(s)
Gergiso, Techane

Application Number

US15/094,737
Publication Number

US 20170195332A1
Time in Patent Office

984 Days
Field of Search
US Class Current
CPC Class Codes

G05B 19/41885   characterised by modeling, ...

G05B 2219/23005   Expert design system, uses ...

G05B 2219/33139   Design of industrial commun...

G06F 2203/04806   Zoom, i.e. interaction tech...

G06F 3/0482   Interaction with lists of s...

G06F 3/04842   Selection of displayed obje...

G06F 3/04845   for image manipulation, e.g...

G06F 3/04847   Interaction techniques to c...

G06F 3/04883   for inputting data by handw...

G06Q 10/04   Forecasting or optimisation...

G06Q 10/06   Resources, workflows, human...

H04L 41/12   Discovery or management of ...

H04L 43/045   for graphical visualisation...

H04L 63/0823   using certificates cryptogr...

H04L 63/0876   based on the identity of th...

H04L 63/10   for controlling access to d...

H04L 63/18   using different networks or...

H04L 67/10   in which an application is ...

Y02P 90/80   Management or planning

Device enrollment in a cloud service using an authenticated application

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Device enrollment in a cloud service using an authenticated application

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links