Mobile single-sign-on authentication using browser as intermediary
First Claim
1. A non-transitory computer storage medium which stores a client application comprising executable code that directs a mobile computing device to perform a process comprising:
directing, by an authentication module, an independent browser, executable on the mobile computing device, to access a uniform resource locator (URL) associated with an authentication appliance configured to verify, with an identity database, authentication information received from the browser and configured to transmit a browser-accessible token to the browser, wherein the authentication information is associated with a user of the mobile device, and wherein the authentication appliance is configured to provide single-sign-on (SSO) services that comprise accepting, for purposes of authentication, in lieu of the authentication information, a previously created valid browser-accessible token that was the result of a previous authentication between the authentication appliance and one of: a mobile client application or the independent browser;
receiving, with the authentication module, from the authentication appliance, a client application identity that indicates the user of the mobile device and that the user of the mobile device has been authenticated by the authentication appliance; and
using the client application identity to obtain access to a network-based application service provided by a third party service provider that has a trust relationship with the authentication appliance.
Abstract
Features are disclosed for authentication of mobile device applications using a native, independent browser together with a single-sign-on system. An authentication module within the mobile application can direct the mobile device's native browser to a URL to initiate authentication with an authentication appliance. The mobile browser can receive and store a browser-accessible token that indicates a previous authentication performed by the user. The mobile application can receive from the authentication appliance, and store, a client application identity token that may be presented to network services for access. A second mobile device application may direct the same browser to the authentication appliance. The authentication appliance may inspect the persistent browser-accessible token and issue a second client application identity to the second application without collecting additional authentication information, or while collecting additional authentication information that is different from the first authentication information.
14 Claims
1. A non-transitory computer storage medium which stores a client application comprising executable code that directs a mobile computing device to perform a process comprising:
directing, by an authentication module, an independent browser, executable on the mobile computing device, to access a uniform resource locator (URL) associated with an authentication appliance configured to verify, with an identity database, authentication information received from the browser and configured to transmit a browser-accessible token to the browser, wherein the authentication information is associated with a user of the mobile device, and wherein the authentication appliance is configured to provide single-sign-on (SSO) services that comprise accepting, for purposes of authentication, in lieu of the authentication information, a previously created valid browser-accessible token that was the result of a previous authentication between the authentication appliance and one of: a mobile client application or the independent browser;
receiving, with the authentication module, from the authentication appliance, a client application identity that indicates the user of the mobile device and that the user of the mobile device has been authenticated by the authentication appliance; and
using the client application identity to obtain access to a network-based application service provided by a third party service provider that has a trust relationship with the authentication appliance.
(Dependent claims: 2, 3, 4)
5. A system for implementing a single-sign-on process, comprising:
an authentication server;
a first mobile application installed on a mobile device, the first mobile application configured to communicate with the authentication server via a browser application installed on the mobile device; and
a second mobile application installed on the mobile device, the second mobile application configured to communicate with the authentication server via the browser application installed on the mobile device;
wherein the first mobile application is configured to invoke the browser application and to cause the browser application to access a uniform resource locator (URL) corresponding to the authentication server;
wherein the authentication server is responsive to the browser application accessing the URL by implementing a first authentication process in which a user of the mobile device, via the browser application, authenticates with the authentication server and in which the authentication server provides to the mobile device access credentials that enable the first mobile application to access a network resource provided by a third party service provider that has a trust relationship with the authentication server, the access credentials comprising a browser-accessible token;
wherein the second mobile application is configured to initiate a second authentication process in which the browser application sends the browser-accessible token to the authentication server, and in which the authentication server uses the browser-accessible token as received from the browser application to issue a client application identity to the second mobile application without requiring the user to re-authenticate with the authentication server, wherein the second mobile application is configured to use the client application identity to access the network resource; and
wherein the browser application is separate from the first and second mobile applications.
(Dependent claims: 6, 7, 8, 9, 10, 11)
12. A single-sign-on process, comprising:
executing a first authentication process between a first mobile application on a mobile device and an authentication server, wherein executing the first authentication process comprises:
by the first mobile application, causing a browser application on the mobile device to access a uniform resource locator of the authentication server;
authenticating a user of the mobile device using login information received by the authentication server from the browser application;
sending access credentials from the authentication server to the browser application for storage on the mobile device, the access credentials enabling the first mobile application to access a network resource provided by a third party service provider that has a trust relationship with the authentication server, the access credentials comprising a browser-accessible token; and
subsequently, executing a second authentication process between a second mobile application on the mobile device and the authentication server, wherein executing the second authentication process comprises:
by the second mobile application, causing the browser application to send the browser-accessible token to the authentication server; and
by the authentication server, using at least the browser-accessible token to determine whether to grant the second mobile application access to the network resource, wherein the authentication server, in response to determining to grant the second mobile application access to the network resource, issues to the second mobile application a client application identity that is used by the second mobile application to access the network resource;
wherein the browser application is separate from the first and second mobile applications.
(Dependent claims: 13, 14)