Single sign-on framework for browser-based applications and native applications

US 10,218,691 B2
Filed: 11/30/2016
Issued: 02/26/2019
Est. Priority Date: 11/30/2016
Status: Active Grant

First Claim

Patent Images

1. A system for providing a single sign-on capability to at least one application installed on a client device, comprising:

the client device; and

an identity provider application executable by the client device, the identity provider application causing the client device to at least;

register the identity provider application as a local identity provider on the client device using an application programming interface (API) associated with an operating system of the client device, wherein the identity provider application specifies a particular identity provider server address for an identity provider service for which the identity provider application is the local identity provider;

obtain a user credential associated with a user account;

authenticate the user credential for the user account with the identity provider service;

obtain a request to validate an installation of an application installed on the client device based upon the user account;

validate the installation of the application based upon at least one parameter embedded within the request, the installation of the application being validated by extracting a package family name from the request to authenticate the installation of the application, generating a session identifier associated with the request to authenticate the installation of the application and providing the session identifier and an encryption key to the installation of the application;

request an authentication key from the identity provider service; and

provide the authentication key to the application, wherein the application authenticates the user account with the identity provider service using the authentication key.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed are various approaches for providing single sign-on capabilities for a user on a client device. A user'"'"'s credentials can be authenticated by an identity provider application. The identity provider application can facilitate single sign-on capabilities for browser-based applications and native applications on the client device.

Citations

20 Claims

1. A system for providing a single sign-on capability to at least one application installed on a client device, comprising:
- the client device; and
  
  an identity provider application executable by the client device, the identity provider application causing the client device to at least;
  
  register the identity provider application as a local identity provider on the client device using an application programming interface (API) associated with an operating system of the client device, wherein the identity provider application specifies a particular identity provider server address for an identity provider service for which the identity provider application is the local identity provider;
  
  obtain a user credential associated with a user account;
  
  authenticate the user credential for the user account with the identity provider service;
  
  obtain a request to validate an installation of an application installed on the client device based upon the user account;
  
  validate the installation of the application based upon at least one parameter embedded within the request, the installation of the application being validated by extracting a package family name from the request to authenticate the installation of the application, generating a session identifier associated with the request to authenticate the installation of the application and providing the session identifier and an encryption key to the installation of the application;
  
  request an authentication key from the identity provider service; and
  
  provide the authentication key to the application, wherein the application authenticates the user account with the identity provider service using the authentication key.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, wherein the encryption key comprises a symmetric key or data from which the symmetric key is generated by the application.
  - 3. The system of claim 2, wherein the installation of the application is further validated by:
    - receiving the session identifier and the package family name encrypted by the symmetric key;
      
      decrypting the session identifier and the package family name; and
      
      validating the package family name associated with the application stored in session data associated with the session identifier.
  - 4. The system of claim 3, wherein validating the package family name associated with the application stored in session data associated with the session identifier comprises validating the package family name is a whitelisted package family name.
  - 5. The system of claim 2, wherein the authentication key is provided to the application through an application program interface (API) call associated with the operating system.
  - 6. The system of claim 5, wherein the authentication key is provided to the application in an encrypted form, wherein the authentication key is further encrypted using the symmetric key.
  - 7. The system of claim 1, wherein the authentication key comprises a hash message authentication code (HMAC) key generated by the identity provider service.

8. A method for providing a single sign-on capability to at least one application installed on a client device, comprising:
- registering an identity provider application as a local identity provider on the client device using an application programming interface (API) associated with an operating system of the client device, wherein the identity provider application specifies a particular identity provider server address for an identity provider service for which the identity provider application is the local identity provider;
  
  obtaining a user credential associated with a user account,authenticating the user credential for the user account with the identity provider service;
  
  obtaining a request to validate an installation of an application installed on the client device based upon the user account;
  
  validating the installation of the application based upon at least one parameter embedded within the request, the installation of the application validated by extracting a package family name from the request to authenticate the installation of the application, generating a session identifier associated with the request to authenticate the installation of the application, and providing the session identifier and an encryption key to the installation of the application;
  
  requesting an authentication key from the identity provider service;
  
  providing the authentication key to the application, wherein the application authenticates the user account with the identity provider service using the authentication key.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8, wherein the encryption key comprises a symmetric key or data from which the symmetric key is generated by the application.
  - 10. The method of claim 9, wherein the installation of the application is further validated by:
    - receiving the session identifier and the package family name encrypted by the symmetric key;
      
      decrypting the session identifier and the package family name; and
      
      validating the package family name associated with the application stored in session data associated with the session identifier.
  - 11. The method of claim 10, wherein validating the package family name associated with the application stored in session data associated with the session identifier comprises validating the package family name is a whitelisted package family name.
  - 12. The method of claim 9, wherein the authentication key is provided to the application through an application program interface (API) call associated with the operating system.
  - 13. The method of claim 12, wherein the authentication key is provided to the application in an encrypted form, wherein the authentication key is further encrypted using the symmetric key.
  - 14. The method of claim 8, wherein the authentication key comprises a hash message authentication code (HMAC) key generated by the identity provider service.

15. A non-transitory computer-readable medium comprising machine-readable instructions providing a single sign-on capability to at least one application installed on a client device, wherein when executed by a processor of the client device, the machine-readable instructions cause the client device to at least:
- register an identity provider application as a local identity provider on the client device using an application programming interface (API) associated with an operating system of the client device, wherein the identity provider application specifics a particular identity provider server address for an identity provider service for which the identity provider application is the local identity provider;
  
  obtain a user credential associated with a user account;
  
  authenticate the user credential for the user account with the identity provider service;
  
  obtain a request to validate an installation of an application installed on the client device based upon the user account;
  
  validate the installation of the application based upon at least one parameter embedded within the request, the installation of the application validated by extracting a package family name from the request to authenticate the installation of the application, generating a session identifier associated with the request to authenticate the installation of the application, and providing the session identifier and an encryption key to the installation of the application;
  
  request an authentication key from the identity provider service; and
  
  provide the authentication key to the application, wherein the application authenticates the user account with the identity provider service using the authentication key.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The non-transitory computer-readable medium of claim 15, wherein the encryption key comprises a symmetric key or data from which the symmetric key is generated by the application.
  - 17. The non-transitory computer-readable medium of claim 16, wherein the installation of the application is further validated by:
    - receiving the session identifier and the package family name encrypted by the symmetric key;
      
      decrypting the session identifier and the package family name; and
      
      validating the package family name associated with the application stored in session data associated with the session identifier.
  - 18. The non-transitory computer-readable medium of claim 17, wherein validating the package family name associated with the application stored in session data associated with the session identifier comprises validating the package family name is a whitelisted package family name.
  - 19. The non-transitory computer-readable medium of claim 16, wherein the authentication key is provided to the application through an application program interface (API) call associated with the operating system.
  - 20. The non-transitory computer-readable medium of claim 15, wherein the authentication key comprises a hash message authentication code (HMAC) key generated by the identity provider service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Omnissa, LLC
Original Assignee
AirWatch LLC (Broadcom, Inc.)
Inventors
Hande, Yogesh Govind, Shantharam, Shravan, Regula, Kalyan, Murthy, Varun, Sundaram, Bhuvanesh Shanmuga, Deriso, Jonathon
Primary Examiner(s)
Paliwal, Yogesh

Application Number

US15/365,585
Publication Number

US 20180152440A1
Time in Patent Office

818 Days
Field of Search

726 7
US Class Current
CPC Class Codes

H04L 63/0435   wherein the sending and rec...

H04L 63/0815   providing single-sign-on or...

H04L 9/0822   using key encryption key

H04L 9/0894   Escrow, recovery or storing...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3242   involving keyed hash functi...

Single sign-on framework for browser-based applications and native applications

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Single sign-on framework for browser-based applications and native applications

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links