Single sign-on framework for browser-based applications and native applications

US 10,320,771 B2
Filed: 11/30/2016
Issued: 06/11/2019
Est. Priority Date: 11/30/2016
Status: Active Grant

First Claim

Patent Images

1. A system for providing a single sign-on capability to a browser-based application accessed by a browser:

a client device comprising a processor and a memory, the client device executing the browser and configured to at least;

store an authentication key on the client device in response to a previous authentication of credentials associated with a user account;

transmit a request to authenticate access to the browser-based application from the client device to an identity provider server in response to the browser-based application accessing a link that requires federated user authentication;

receive an authentication challenge embedded in a tbauth request from the identity provider server in response to the request to authenticate access, the tbauth request including a uniform resource identifier (URI) for which an identity provider application on the client device is registered as a local identity provider;

retrieve the authentication key;

transmit the authentication key and the authentication challenge to the identity provider server; and

obtain an indication that the user account is authenticated by the identity provider server.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed are various approaches for providing single sign-on capabilities for a user on a client device. A user'"'"'s credentials can be authenticated by an identity provider application. The identity provider application can facilitate single sign-on capabilities for browser-based applications and native applications on the client device.

Citations

17 Claims

1. A system for providing a single sign-on capability to a browser-based application accessed by a browser:
- a client device comprising a processor and a memory, the client device executing the browser and configured to at least;
  
  store an authentication key on the client device in response to a previous authentication of credentials associated with a user account;
  
  transmit a request to authenticate access to the browser-based application from the client device to an identity provider server in response to the browser-based application accessing a link that requires federated user authentication;
  
  receive an authentication challenge embedded in a tbauth request from the identity provider server in response to the request to authenticate access, the tbauth request including a uniform resource identifier (URI) for which an identity provider application on the client device is registered as a local identity provider;
  
  retrieve the authentication key;
  
  transmit the authentication key and the authentication challenge to the identity provider server; and
  
  obtain an indication that the user account is authenticated by the identity provider server.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The system of claim 1, wherein the client device is further configured to at least:
    - obtain a request to perform the previous authentication of the user account;
      
      transmit at least one of a username and a password of the user account to the identity provider server;
      
      obtain the authentication key from the identity provider server; and
      
      store the authentication key on the client device.
  - 3. The system of claim 1, wherein the client device is further configured to at least redirect to a website that has federated authentication to the identity provider server in response to obtaining the indication that the user account is authenticated.
  - 4. The system of claim 1, wherein the indication that the user account is authenticated comprises an authentication token or a cookie.
  - 5. The system of claim 4, wherein the client device is further configured to store the authentication token or the cookie in a token store using an application programming interface (API) associated with an operating system executed by the client device.
  - 6. The system of claim 1, wherein the authentication key is retrieved from a token store by the identity provider application, wherein the identity provider application registers as a local identity provider using an application programming interface (API) associated with an operating system of the client device, wherein the identity provider application specifies a particular identity provider server address for the identity provider server for which the identity provider application is the local identity provider.

7. A method for providing a single sign-on capability to a browser-based application accessed by a browser on a client device, comprising:
- storing an authentication key on the client device in response to a previous authentication of credentials associated with a user account;
  
  transmitting a request to authenticate access to the browser-based application from the client device to an identity provider server in response to the browser-based application accessing a link that requires federated user authentication;
  
  receiving an authentication challenge embedded in a tbauth request from the identity provider server in response to the request to authenticate access, the tbauth request including a uniform resource identifier (URI) for which an identity provider application on the client device is registered as a local identity provider;
  
  retrieving the authentication key;
  
  transmitting the authentication key and the authentication challenge to the identity provider server; and
  
  obtaining an indication that the user account is authenticated by the identity provider server.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The method of claim 7, further comprising:
    - obtaining a request to perform the previous authentication of the user account;
      
      transmitting at least one of a username and a password of the user account to the identity provider server;
      
      obtaining the authentication key from the identity provider server; and
      
      storing the authentication key on the client device.
  - 9. The method of claim 7, further comprising redirecting to a website that has federated authentication to the identity provider server in response to obtaining the indication that the user account is authenticated.
  - 10. The method of claim 7, wherein the indication that the user account is authenticated comprises an authentication token or a cookie.
  - 11. The method of claim 10, further comprising storing the authentication token or the cookie in a token store using an application programming interface (API) associated with an operating system executed by the client device.
  - 12. The method of claim 7, wherein the authentication key is retrieved from a token store by the identity provider application, wherein the identity provider application registers as a local identity provider using an application programming interface (API) associated with an operating system of the client device, wherein the identity provider application specifies a particular identity provider server address for the identity provider server for which the identity provider application is the local identity provider.

13. A non-transitory computer-readable medium comprising machine-readable instructions providing a single sign-on capability to a browser-based application accessed by a browser on a client device, wherein when executed by a processor of the client device, the machine-readable instructions cause the client device to at least:
- store an authentication key on the client device in response to a previous authentication of credentials associated with a user account;
  
  transmit a request to authenticate access to the browser-based application from the client device to an identity provider server in response to the browser-based application accessing a link that requires federated user authentication;
  
  receive an authentication challenge embedded in a tbauth request from the identity provider server in response to the request to authenticate access, the tbauth request including a uniform resource identifier (URI) for which an identity provider application on the client device is registered as a local identity provider;
  
  retrieve the authentication key;
  
  transmit the authentication key and the authentication challenge to the identity provider server; and
  
  obtain an indication that the user account is authenticated by the identity provider server.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The non-transitory computer-readable medium of claim 13, wherein the instructions further cause the client device to at least:
    - obtain a request to perform the previous authentication of the user account;
      
      transmit at least one of a username and a password of the user account to the identity provider server;
      
      obtain the authentication key from the identity provider server; and
      
      store the authentication key on the client device.
  - 15. The non-transitory computer-readable medium of claim 13, wherein the indication that the user account is authenticated comprises an authentication token or a cookie.
  - 16. The non-transitory computer-readable medium of claim 15, wherein the machine-readable instructions further cause the computing device to at least store the authentication token or the cookie in a token store using an application programming interface (API) associated with an operating system executed by the client device.
  - 17. The non-transitory computer-readable medium of claim 13, wherein the authentication key is retrieved from a token store by the identity provider application, wherein the identity provider application registers as a local identity provider using an application programming interface (API) associated with an operating system of the client device, wherein the identity provider application specifies a particular identity provider server address for the identity provider server for which the identity provider application is the local identity provider.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Omnissa, LLC
Original Assignee
AirWatch LLC (Broadcom, Inc.)
Inventors
Hande, Yogesh Govind, Shantharam, Shravan, Regula, Kalyan, Murthy, Varun, Sundaram, Bhuvanesh Shanmuga, Deriso, Jonathon
Primary Examiner(s)
Avery, Jeremiah L

Application Number

US15/365,524
Publication Number

US 20180152439A1
Time in Patent Office

923 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 63/0435   wherein the sending and rec...

H04L 63/0815   providing single-sign-on or...

H04L 63/083   using passwords cryptograph...

H04L 63/10   for controlling access to d...

H04L 67/02   based on web technology, e....

Single sign-on framework for browser-based applications and native applications

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Single sign-on framework for browser-based applications and native applications

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links