System and method for mobile single sign-on integration

US 10,230,715 B2
Filed: 03/11/2015
Issued: 03/12/2019
Est. Priority Date: 04/12/2013
Status: Active Grant

First Claim

Patent Images

1. A service provider computer system for providing web services to mobile devices using single sign-on (SSO) credentials managed by a client-side computer system, the system comprising:

non-transitory computer memory storing executable computer instructions;

a programmable processor, the programmable processor executing at least a portion of the stored executable computer instructions to perform at least the following;

selecting an authentication protocol from a plurality of supported authentication protocols based on at least one of a client identifier communicated from a mobile device, an authentication token, and an attribute of the mobile device;

validating the authentication token in accordance with the selected authentication protocol;

generating an authorization access token;

processing a service request received from the mobile device, the service request containing the authorization access token; and

servicing the service request in response to the authorization access token.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Improved methods and systems for integrating client-side single sign-on (SSO) authentication security infrastructure with a mobile authorization protocol are disclosed that provide clients with secured SSO mobile access to third-party services. Embodiments of the present invention leverage SSO authentication protocols that are utilized at many client-side systems already and integrate these SSO authentication protocols with a mobile SSO authorization protocol, thereby effectively extending the SSO framework to mobile service requests of web services at third-party service provider systems. Embodiments of the present invention provide a secure and automated solution which may be implemented in any existing client-side SSO frameworks with minimum cost and time, while providing a lightweight and secure solution that provides users using either native applications or mobile web application to access third-party web services.

Citations

37 Claims

1. A service provider computer system for providing web services to mobile devices using single sign-on (SSO) credentials managed by a client-side computer system, the system comprising:
- non-transitory computer memory storing executable computer instructions;
  
  a programmable processor, the programmable processor executing at least a portion of the stored executable computer instructions to perform at least the following;
  
  selecting an authentication protocol from a plurality of supported authentication protocols based on at least one of a client identifier communicated from a mobile device, an authentication token, and an attribute of the mobile device;
  
  validating the authentication token in accordance with the selected authentication protocol;
  
  generating an authorization access token;
  
  processing a service request received from the mobile device, the service request containing the authorization access token; and
  
  servicing the service request in response to the authorization access token.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 24, 25, 26, 27, 28)
- - 2. The system of claim 1, wherein the authentication token is generated based on the SSO protocol supported by a client system associated with the mobile device.
  - 3. The system of claim 1, wherein the programmable processor executes at least a portion of the stored executable computer instructions to further perform the following:
    - receiving, at a service provider system, a request to access web services using the mobile device; and
      
      redirecting the mobile device to a web-identification authentication service at the client-side computer system to authenticate the identity of the user.
  - 4. The system of claim 3, wherein the step of redirecting is performed in response to receiving the identification of a specified client associated with the user.
  - 5. The system of claim 4, wherein the web-identification authentication service or the client-side computer system is selected based on the specified client.
  - 6. The system of claim 3, wherein the request is received from an application executing on the mobile device.
  - 7. The system of claim 6, wherein the application is not a web browser application.
  - 8. The system of claim 3, wherein the step of redirecting causes the client-side computer system to generate the authentication token and communicate to the mobile device a message containing the authentication token and a redirect function call that, when processed by a processor at the mobile device, causes the mobile device to automatically communicate the authentication token the service provider system.
  - 9. The system of claim 1, wherein the programmable processor executes at least a portion of the stored executable computer instructions to further perform the following:
    - generating an authorization code in response to the step of processing the authentication token; and
      
      communicating the authorization code to the mobile device.
  - 10. The system of claim 9, wherein the authorization code, when processed by a processor at the mobile device, causes the mobile device to communicate the authorization code to the service provider system to request the authorization access token.
  - 11. The system of claim 10, wherein the authorization token causes the mobile device to communicate the authorization code to the service provider system to request the authorization access token automatically.
  - 12. The system of claim 10, wherein the programmable processor executes at least a portion of the stored executable computer instructions to further perform the following:
    - receiving the authorization code; and
      
      validating the authorization code;
      
      wherein the step of generating the authorization access token is in response to validating the authorization code.
  - 13. The system of claim 1, wherein the authorization access token is generated in accordance with a mobile SSO protocol.
  - 14. The system of claim 1, wherein the service provider system services mobile service requests from a plurality of users associated with a plurality of client-side computer systems.
  - 15. The system of claim 1, wherein the programmable processor executes at least a portion of the stored executable computer instructions to further perform the following:
    - generating and communicating to the mobile device a refresh token;
      
      receiving a request for a second authorization access token after the expiration of the authorization access token, the request containing the refresh token; and
      
      generating a second authorization access token.
  - 24. The system of claim 1, wherein the plurality of supported authentication protocols includes at least one of the following:
    - SAML 1.1;
      
      SAML 2.0; and
      
      a custom authentication protocol supported by the client.
  - 25. The system of claim 3, wherein the redirecting causes the mobile device to display a web-page provided by the web-identification authentication service to authenticate the identity of the user.
  - 26. The system of claim 1, wherein the system further performs the operation of processing a service request received from an application executing on a non-mobile device.
  - 27. The system of claim 3, wherein the service provider system and the client-side computer system do not communicate with each other.
  - 28. The system of claim 15, wherein the expiration of the authorization access token is customized by the client.

16. A client-side web-identification authentication computer system for providing web services to mobile devices using single sign-on (SSO) credentials, the system comprising:
- non-transitory computer memory;
  
  a processor, the processor executing at least a portion of stored executable computer instructions to perform at least the following;
  
  receiving, from the service provider system or from a mobile device, a request to authenticate an identity of a user;
  
  authenticating the identity of the user;
  
  generating an authentication token based on the step of authenticating;
  
  communicating the authentication token;
  
  wherein the authentication token causes the service provider system to perform at least the following;
  
  select an authentication protocol from a plurality of supported authentication protocols based on at least one of a client identifier communicated from the mobile device, the authentication token, and an attribute of the mobile device;
  
  validate the authentication token in accordance with the selected authentication protocol;
  
  generate an authorization access token;
  
  process a service request received from the mobile device, the service request containing the authorization access token; and
  
  service the service request in response to the authorization access token.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 29, 30, 31, 32, 33)
- - 17. The system of claim 16, wherein the request to authenticate an identity of a user is received from the mobile device, the mobile device communicating the request in response to a redirect instruction received from the service provider system.
  - 18. The system of claim 17, wherein receiving the request causes the processor to generate the authentication token and communicate to the mobile device a message containing the authentication token and a redirect function call that, when processed by a processor at the mobile device, causes the mobile device to automatically communicate the authentication token the service provider system.
  - 19. The system of claim 16, wherein the authentication token causes the service provider system to further perform the following:
    - generating an authorization code in response to the step of processing the authentication token and communicating the authorization code to a mobile device.
  - 20. The system of claim 16, wherein the authorization code, when processed by a processor at the mobile device, causes the mobile device to communicate the authorization code to the service provider system to request the authorization access token.
  - 21. The system of claim 16, wherein the authentication token causes the service provider system to further receive the authorization code and validate the authorization code to generate the authorization access token.
  - 22. The system of claim 16, wherein the authentication token causes the service provider system to generate a refresh token that is communicated to the mobile device and generates a second authorization access token in response to a request for the second authorization access token after the expiration of the authorization access token, the request containing the refresh token.
  - 29. The system of claim 16, wherein the plurality of supported authentication protocols includes at least one of the following:
    - SAML 1.1;
      
      SAML 2.0; and
      
      a custom authentication protocol supported by the client.
  - 30. The system of claim 16, wherein the authentication token further causes the service provider system to process a service request received from an application executing on a non-mobile device.
  - 31. The system of claim 16, wherein the system further performs the operation of displaying a web-page at the mobile device to authenticate the identity of the user in response to receiving the request to authenticate an identity of a user.
  - 32. The system of claim 16, wherein the service provider system and client-side web-identification authentication computer system do not communicate with each other.
  - 33. The system of claim 22, wherein the expiration of the authorization access token is customized by the client.

23. A mobile device for providing web services using single sign-on (SSO) credentials, the mobile device comprising:
- a non-transitory computer memory;
  
  a processor, the processor executing at least a portion of stored executable computer instructions to perform at least the following;
  
  receiving, at the mobile device, a request to access at least one service at a service provider computer system;
  
  communicating the request to the service provider computer system;
  
  verifying the identity of a user associated with the mobile device;
  
  receiving, in response to the step of verifying, an authentication token from a client-side web-identification authentication computer system;
  
  automatically communicating the authentication token to the service provider computer system; and
  
  wherein the authentication token causes the service provider computer system to perform at least the following;
  
  select an authentication protocol from a plurality of supported authentication protocols based on at least one of a client identifier communicated from the mobile device, and the authentication token, and an attribute of the mobile device;
  
  validate the authentication token in accordance with the selected authentication protocol;
  
  generate an authorization access token;
  
  process a service request received from the mobile device, the service request containing the authorization access token; and
  
  service the service request in response to the authorization access token.
- View Dependent Claims (34, 35, 36)
- - 34. The mobile device of claim 23, wherein the plurality of supported authentication protocols includes at least one of the following:
    - SAML 1.1;
      
      SAML 2.0; and
      
      a custom authentication protocol supported by the client.
  - 35. The mobile device of claim 23, wherein the service provider system also processes process a service request received from an application executing on a non-mobile device.
  - 36. The mobile device of claim 23, wherein the mobile device further performs the operation of displaying a web-page to authenticate the identity of the user.

37. A service provider computer system for providing web services to mobile devices using single sign-on (SSO) credentials managed by a client-side computer system, the system comprising:
- non-transitory computer memory storing executable computer instructions;
  
  a programmable processor, the programmable processor executing at least a portion of the stored executable computer instructions to perform at least the following;
  
  receiving, at the service provider system, a request to access web services using a mobile device;
  
  redirecting the mobile device to a web-identification authentication service at the client-side computer system to authenticate the identity of the user, wherein the step of redirecting causes the client-side computer system to generate an authentication token and communicate to the mobile device a message containing the authentication token and a redirect function call that, when processed by a processor at the mobile device, causes the mobile device to automatically communicate the authentication token the service provider system;
  
  selecting an authentication protocol from a plurality of supported authentication protocols based on at least one of the authentication token, a client identifier, and an attribute of the mobile device;
  
  validating the authentication token in accordance with the selected authentication protocol;
  
  generating an authorization access token;
  
  processing a service request received from the mobile device, the service request containing the authorization access token; and
  
  servicing the service request in response to the authorization access token.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Globoforce Limited (Globoforce Group Plc)
Original Assignee
Globoforce Limited (Globoforce Group Plc)
Inventors
Hyland, Jonathan, Fitzpatrick, Eddie
Primary Examiner(s)
Getachew, Abiy

Application Number

US14/644,707
Publication Number

US 20150188909A1
Time in Patent Office

1,462 Days
Field of Search

726 4, 726 9, 726 8
US Class Current
CPC Class Codes

G06F 21/41   where a single sign-on prov...

H04L 63/0815   providing single-sign-on or...

H04L 63/0861   using biometrical features,...

H04L 63/18   using different networks or...

System and method for mobile single sign-on integration

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

37 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for mobile single sign-on integration

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

37 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links