Multi-factor authentication for managed applications using single sign-on technology

US 10,187,374 B2
Filed: 10/29/2015
Issued: 01/22/2019
Est. Priority Date: 10/29/2015
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer-readable medium embodying a program executable in at least one computing device, the program, when executed by the at least one computing device, being configured to cause the at least one computing device to at least:

receive an authentication request for a first client application executed in a client device;

receive data generated by a single sign-on credential from the client device as part of a single sign-on process, the single sign-on credential being configured to be used by a plurality of client applications of the client device;

verify the data generated by the single sign-on credential;

determine whether at least one supplementary authentication factor is required from a second client application by;

determining a version of an operating system of the client device; and

determining that the at least one second authentication factor should be requested when the version of the operating system corresponds to a particular operating system version;

when the at least one supplementary authentication factor is required, and prior to sending an authentication token to the first client application;

request the at least one supplementary authentication factor from the second client application;

receive the at least one supplementary authentication factor from the second client application; and

verify the at least one supplementary authentication factor prior to allowing the first client application to be authenticated in the single sign-on process;

in response to verifying the data generated by the single sign-on credential and verifying the at least one supplementary authentication factor from the second client application, generate the authentication token; and

send the authentication token to the first client application.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed are various examples for facilitating multi-factor authentication for client applications that are configured to use single sign-on technology. An authentication request for a first client application executed in a client device is received by an identity provider. The identity provider then receives data generated by a single sign-on credential from the client device. The single sign-on credential is configured to be used by multiple client applications of the client device. The data generated by the single sign-on credential is verified by the identity provider. The identity provider requests one or more supplementary authentication factors from a second client application. The identity provider then receives the supplementary authentication factor(s) from the second client application and verifies the supplementary authentication factor(s). The identity provider generates an authentication token and sends the token to the first client application.

Citations

20 Claims

1. A non-transitory computer-readable medium embodying a program executable in at least one computing device, the program, when executed by the at least one computing device, being configured to cause the at least one computing device to at least:
- receive an authentication request for a first client application executed in a client device;
  
  receive data generated by a single sign-on credential from the client device as part of a single sign-on process, the single sign-on credential being configured to be used by a plurality of client applications of the client device;
  
  verify the data generated by the single sign-on credential;
  
  determine whether at least one supplementary authentication factor is required from a second client application by;
  
  determining a version of an operating system of the client device; and
  
  determining that the at least one second authentication factor should be requested when the version of the operating system corresponds to a particular operating system version;
  
  when the at least one supplementary authentication factor is required, and prior to sending an authentication token to the first client application;
  
  request the at least one supplementary authentication factor from the second client application;
  
  receive the at least one supplementary authentication factor from the second client application; and
  
  verify the at least one supplementary authentication factor prior to allowing the first client application to be authenticated in the single sign-on process;
  
  in response to verifying the data generated by the single sign-on credential and verifying the at least one supplementary authentication factor from the second client application, generate the authentication token; and
  
  send the authentication token to the first client application.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The non-transitory computer-readable medium of claim 1, wherein the single sign-on credential comprises at least one of:
    - a secure certificate or a Kerberos profile.
  - 3. The non-transitory computer-readable medium of claim 1, wherein the second client application is executed in the client device.
  - 4. The non-transitory computer-readable medium of claim 1, wherein the second client application is executed in a different client device.
  - 5. The non-transitory computer-readable medium of claim 1, wherein the first client application does not natively support authentication using the at least one supplemental authentication factor.
  - 6. The non-transitory computer-readable medium of claim 1, wherein the at least one supplementary authentication factor comprises at least one of:
    - a one-time password, a smartcard, or a biometric identifier.
  - 7. The non-transitory computer-readable medium of claim 1, wherein the program, when executed by the at least one computing device, is further configured to cause the at least one computing device to:
    - send a response to the authentication request to the first client application, the response requesting authentication by the single sign-on credential, wherein the authentication request is redirected from a service provider for which authentication is desired.

8. A system, comprising:
- at least one computing device; and
  
  an identity provider service executable by the at least one computing device, the identity provider service configured to cause the at least one computing device to at least;
  
  receive an authentication request for a first client application executed in a client device;
  
  receive data generated by a single sign-on credential from the client device as part of a single sign-on process, the single sign-on credential being configured to be used by a plurality of client applications of the client device;
  
  verify the data generated by the single sign-on credential;
  
  determine whether at least one supplementary authentication factor is required from a second client application by;
  
  determining a version of an operating system of the client device; and
  
  determining that the at least one second authentication factor should be requested when the version of the operating system corresponds to a particular operating system version;
  
  when the at least one supplementary authentication factor is required, and prior to sending an authentication token to the first client application;
  
  request the at least one supplementary authentication factor from the second client application;
  
  receive the at least one supplementary authentication factor from the second client application; and
  
  verify the at least one supplementary authentication factor prior to allowing the first client application to be authenticated in the single sign-on process;
  
  in response to verifying the data generated by the single sign-on credential and verifying the at least one supplementary authentication factor from the second client application, generate the authentication token; and
  
  send the authentication token to the first client application.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The system of claim 8, wherein the single sign-on credential comprises data generated by at least one of:
    - a secure certificate or a Kerberos profile.
  - 10. The system of claim 8, wherein the authentication token is sent within a security assertion markup language (SAML) identity assertion.
  - 11. The system of claim 8, wherein the first client application does not natively support authentication using the at least one supplemental authentication factor.
  - 12. The system of claim 8, wherein the at least one supplementary authentication factor comprises at least one of:
    - a one-time password, a smartcard, or a biometric identifier.

13. A method, comprising:
- receiving an authentication request for a first client application executed in a client device;
  
  receiving data generated by a single sign-on credential from the client device as part of a single sign-on process, the single sign-on credential being configured to be used by a plurality of client applications of the client device;
  
  verifying the data generated by the single sign-on credential;
  
  determining whether at least one supplementary authentication factor is required from a second client application by;
  
  determining a version of an operating system of the client device; and
  
  determining that the at least one second authentication factor should be requested when the version of the operating system corresponds to a particular operating system version;
  
  when the at least one supplementary authentication factor is required, and prior to sending an authentication token to the first client application;
  
  requesting the at least one supplementary authentication factor from the second client application;
  
  receiving the at least one supplementary authentication factor from the second client application; and
  
  verifying the at least one supplementary authentication factor prior to allowing the first client application to be authenticated in the single sign-on process;
  
  in response to verifying the data generated by the single sign-on credential and verifying the at least one supplementary authentication factor from the second client application, generating the authentication token; and
  
  sending the authentication token to the first client application.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The method of claim 13, wherein the single sign-on credential comprises at least one of:
    - a secure certificate or a Kerberos profile.
  - 15. The method of claim 14, wherein the first client application is configured to request a session token from a service provider using the authentication token.
  - 16. The method of claim 13, wherein the first client application does not natively support authentication using the at least one supplemental authentication factor.
  - 17. The method of claim 13, wherein the at least one supplementary authentication factor comprises at least one of:
    - a one-time password, a smartcard, or a biometric identifier.
  - 18. The method of claim 13, further comprising:
    - sending a response to the authentication request to the first client application, the response requesting authentication by the single sign-on credential, wherein the authentication request is redirected from a service provider for which authentication is desired.
  - 19. The method of claim 13, wherein the at least one supplemental authentication factor is requested in response to the data generated by the single sign-on credential being verified.
  - 20. The method of claim 13, further comprising determining that the at least one supplemental authentication factor is necessary based at least in part on the first client application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Omnissa, LLC
Original Assignee
AirWatch LLC (Broadcom, Inc.)
Inventors
Brannon, Jonathan Blake
Primary Examiner(s)
Pham, Luu T
Assistant Examiner(s)
Jackson, Jenise E

Application Number

US14/926,769
Publication Number

US 20170126661A1
Time in Patent Office

1,181 Days
Field of Search

726 7
US Class Current
CPC Class Codes

H04L 2463/082   applying multi-factor authe...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/0823   using certificates cryptogr...

H04L 63/12   Applying verification of th...

Multi-factor authentication for managed applications using single sign-on technology

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Multi-factor authentication for managed applications using single sign-on technology

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links