Step-up authentication for single sign-on

US 10,171,241 B2
Filed: 02/13/2017
Issued: 01/01/2019
Est. Priority Date: 10/31/2014
Status: Active Grant

First Claim

Patent Images

1. A method for providing step-up authentication in a system providing single-sign on to a plurality of applications on a computing device, comprising:

receiving a request to authenticate a user of the computing device for a first application using a primary token associated with a single-sign on capability;

determining that the primary token is insufficient to authenticate the user for the first application;

requesting a token agent executing on the computing device to perform a step-up authentication of the user;

updating the primary token to reflect the step-up authentication of the user after receiving an indication of a successful step-up authentication of the user from the token agent;

providing the updated primary token to the computing device;

receiving, from the computing device, a resubmission of the request to authenticate the user for the first application, the resubmitted request including the updated primary token reflecting the step-up authentication; and

transmitting a secondary token to the token agent executing on the computing device based on granting access to the first application, wherein the secondary token authenticates the user for the first application, and wherein granting access to the first application is based on receiving the resubmitted requesting including the updated primary token.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for authenticating a user seeking access to first and second resources that have different authentication levels. The method includes receiving a primary token that is associated with a first authentication event of the user and authenticates the user to access the first resource, and receiving a first request to access the second resource. The method further includes receiving first credentials of the user. The method further includes, responsive to validating the first credentials, generating a second authentication event, associating the second authentication event with the primary token, and issuing a first secondary token that authenticates the user to access the second resource.

19 Citations

View as Search Results

19 Claims

1. A method for providing step-up authentication in a system providing single-sign on to a plurality of applications on a computing device, comprising:
- receiving a request to authenticate a user of the computing device for a first application using a primary token associated with a single-sign on capability;
  
  determining that the primary token is insufficient to authenticate the user for the first application;
  
  requesting a token agent executing on the computing device to perform a step-up authentication of the user;
  
  updating the primary token to reflect the step-up authentication of the user after receiving an indication of a successful step-up authentication of the user from the token agent;
  
  providing the updated primary token to the computing device;
  
  receiving, from the computing device, a resubmission of the request to authenticate the user for the first application, the resubmitted request including the updated primary token reflecting the step-up authentication; and
  
  transmitting a secondary token to the token agent executing on the computing device based on granting access to the first application, wherein the secondary token authenticates the user for the first application, and wherein granting access to the first application is based on receiving the resubmitted requesting including the updated primary token.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein updating the primary token is performed by an authentication service remote from the computing device.
  - 3. The method of claim 1, wherein the token agent is not a browser.
  - 4. The method of claim 1, further comprising:
    - revoking the secondary token to revoke single-sign-on access without impacting the primary token.
  - 5. The method of claim 1, wherein the request to authenticate includes an identifier for the first application and the method further comprises:
    - receiving a second request to authenticate the user for a second application using the updated primary token, the second request including an identifier for the second application;
      
      determining that the second request requires step-up authentication;
      
      accessing the step-up authentication credentials from the updated primary token without requesting an additional step-up authentication from the user; and
      
      granting the second request to authenticate the user for the second application based on the step-up authentication credentials in the updated primary token.
  - 6. The method of claim 1, wherein:
    - the primary token comprises a JSON web token; and
      
      updating the primary token comprises storing information used for the step-up authentication in an AuthContext field of the JSON web token.
  - 7. The method of claim 1, further comprising:
    - re-using the step-up authentication for accessing the first application as a step-up authentication event for a plurality of additional applications without requesting additional user input.

8. An authentication server, having a hardware processor and a memory store, for providing step-up authentication with single sign-on, the authentication server configured to:
- receive a request from a computing device to authenticate a user of the computing device for a first application using a primary token associated with a single-sign on capability;
  
  determine that the primary token is insufficient to authenticate the user for the first application;
  
  request a token agent executing on the computing device to perform a step-up authentication of the user;
  
  update the primary token to reflect the step-up authentication of the user after receiving an indication of a successful step-up authentication of the user from the token agent;
  
  provide the updated primary token to the computing device;
  
  receive, from the computing device, a resubmission of the request to authenticate the user for the first application, the resubmitted request including the updated primary token reflecting the step-up authentication; and
  
  transmit a secondary token to the token agent executing on the computing device based on granting access to the first application, wherein the secondary token authenticates the user for the first application, and wherein granting access to the first application is based on receiving the resubmitted requested including the updated primary token.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The server of claim 8, wherein the token agent is not a browser.
  - 10. The server of claim 8, wherein the authentication server is configured to revoke the secondary token to revoke single-sign-on access without impacting the primary token.
  - 11. The server of claim 8, wherein the request to authenticate includes an identifier for the first application, wherein the authentication server is further configured to:
    - receive a second request to authenticate the user for a second application using the updated primary token, the second request including an identifier for the second application;
      
      determine that the second request requires step-up authentication;
      
      access the step-up authentication credentials from the updated primary token without requesting an additional step-up authentication from the user; and
      
      grant the second request to authenticate the user for the second application based on the step-up authentication credentials in the updated primary token.
  - 12. The server of claim 8, wherein:
    - the primary token comprises a JSON web token; and
      
      updating the primary token comprises storing information used for the step-up authentication in an AuthContext field of the JSON web token.
  - 13. The server of claim 8, wherein the authentication server is further configured to:
    - re-use the step-up authentication for accessing the first application as a step-up authentication event for a plurality of additional applications without requesting additional user input.

14. A non-transitory, computer-readable medium comprising instruction which, when executed by a processor, provide step-up authentication with single-sign by executing a series of steps comprising:
- receiving a request to authenticate a user of the computing device for a first application using a primary token associated with a single-sign on capability;
  
  determining that the primary token is insufficient to authenticate the user for the first application;
  
  requesting a token agent executing on the computing device to perform a step-up authentication of the user;
  
  updating the primary token to reflect the step-up authentication of the user after receiving an indication of a successful step-up authentication of the user from the token agent;
  
  providing the updated primary token to the computing device;
  
  receiving, from the computing device, a resubmission of the request to authenticate the user for the first application, the resubmitted request including the updated primary token reflecting the step-up authentication; and
  
  transmitting a secondary token to the token agent executing on the computing device based on granting access to the first application, wherein the secondary token authenticates the user for the first application, and wherein granting access to the first application is based on receiving the resubmitted requesting including the updated primary token.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The non-transitory, computer-readable medium of claim 14, wherein updating the primary token is performed by an authentication service remote from the computing device.
  - 16. The non-transitory, computer-readable medium of claim 14, wherein the token agent is not a browser.
  - 17. The non-transitory, computer-readable medium of claim 16, wherein the instructions further execute a step comprising revoking the secondary token to revoke single-sign-on access without impacting the primary token.
  - 18. The non-transitory, computer-readable medium of claim 14, wherein the request to authenticate includes an identifier for the first application and the steps further comprise:
    - receiving a second request to authenticate the user for a second application using the updated primary token, the second request including an identifier for the second application;
      
      determining that the second request requires step-up authentication;
      
      accessing the step-up authentication credentials from the updated primary token without requesting an additional step-up authentication from the user; and
      
      granting the second request to authenticate the user for the second application based on the step-up authentication credentials in the updated primary token.
  - 19. The non-transitory, computer-readable medium of claim 14, wherein the steps further comprise:
    - re-using the step-up authentication for accessing the first application as a step-up authentication event for a plurality of additional applications without requesting additional user input.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Vmware LLC (Broadcom, Inc.)
Original Assignee
VMware, Inc. (Broadcom, Inc.)
Inventors
Xu, Emily Hong, Ladda, Shraddha, Olds, Dale Robert
Primary Examiner(s)
Herzog, Madhuri R

Application Number

US15/430,748
Publication Number

US 20170170963A1
Time in Patent Office

687 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/31   User authentication

G06F 21/62   Protecting access to data v...

G06F 2211/003   Mutual Authentication Bi-Di...

G06F 2211/009   Trust

H04L 2463/082   applying multi-factor authe...

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/10   for controlling access to d...

H04L 63/105   Multiple levels of security

H04L 9/32   including means for verifyi...

H04L 9/3213   using tickets or tokens, e....

H04W 12/068   using credential vaults, e....

H04W 12/084   using delegated authorisati...

H04W 12/30   Security of mobile devices;...

H04W 12/66   Trust-dependent, e.g. using...

Step-up authentication for single sign-on

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

19 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

Step-up authentication for single sign-on

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

19 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others