Actively federated mobile authentication

US 10,382,434 B2
Filed: 10/05/2017
Issued: 08/13/2019
Est. Priority Date: 03/15/2013
Status: Active Grant

First Claim

Patent Images

1. A method performed by a client computing device, the method comprising:

sending a user credential over a computer network to an identity provider having an established trust relationship with a hosted service that is hosted by a computing system that is remote from the client computing device,the user credential being associated with a user of the client computing device;

receiving, from the identity provider over the computer network, a first token including authentication information configured to authenticate a service request with, the hosted service;

sending the, first token to a trust broker that has an established trust relationship with the identity provider;

receiving, from the trust broker in response to the first token, a second token including a form of authentication information that is different than the first token and is configured to authenticate a service relay to send the service request to the hosted service;

sending, to the service relay, the service request with the second token; and

receiving, from the service relay, a service response indicative of authentication of the client computing device by the hosted service based on the second token.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

To make a trusted web service call, a client application sends a series of messages to obtain tokens that allow service requests to pass through a service relay. The user obtains a first security token by providing the user'"'"'s credentials. A second token is obtained from a trust broker that validates the first token. Both tokens are then sent with a service request to a service relay. The service relay validates the second token and then passes the first token and the service request to a connector service. The connector service validates the first token and passes the service request to a target back end service. The connector service acts as the user when communicating with the back end service. Service responses are routed back to the user through the connector service and the service relay.

34 Citations

12 Claims

1. A method performed by a client computing device, the method comprising:
- sending a user credential over a computer network to an identity provider having an established trust relationship with a hosted service that is hosted by a computing system that is remote from the client computing device,the user credential being associated with a user of the client computing device;
  
  receiving, from the identity provider over the computer network, a first token including authentication information configured to authenticate a service request with, the hosted service;
  
  sending the, first token to a trust broker that has an established trust relationship with the identity provider;
  
  receiving, from the trust broker in response to the first token, a second token including a form of authentication information that is different than the first token and is configured to authenticate a service relay to send the service request to the hosted service;
  
  sending, to the service relay, the service request with the second token; and
  
  receiving, from the service relay, a service response indicative of authentication of the client computing device by the hosted service based on the second token.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, wherein the hosted service comprises a firewall-protected network that is protected by a firewall, and the service relay is configured to communicate across the firewall.
  - 3. The method of claim 1, wherein the hosted service comprises an enterprise service.
  - 4. The method of claim 1, wherein the client computing device comprises a mobile device.

5. A client computing device comprising:
- a processor; and
  
  memory storing instructions executable by the processor, wherein the instructions, when executed, configure the client computing device to;
  
  send a user credential over a computer network to an identity provider having an established trust relationship with a hosted service, that is hosted by a system that is remote from the client computing, device;
  
  receive, from the identity provider, a first token including authentication information configured to authenticate a service request with the hosted, service;
  
  send, to a service relay, the service request with the first token; and
  
  receive, from the service relay, a service response indicative of authentication of the client computing device by the hosted service based on the first token.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12)
- - 6. The client computing device, of claim 5, wherein the hosted service comprises a firewall-protected network that is protected by a firewall, and the service relay is configured to communicate across the firewall.
  - 7. The client computing device of claim 5, wherein the hosted service comprises an enterprise service.
  - 8. The client computing device of claim 7, wherein the enterprise service comprises at least one of:
    - a back office service configured to, process the service request;
      
      ora connector service configured to expose a web service endpoint for a back office service.
  - 9. The client computing device of claim 5, wherein the instructions, when executed, configure the client computing device to:
    - send the first token to a trust broker that has an established trust relationship with the identity provider;
      
      receive, from the trust broker in response to the first token, a second token including an additional form of authentication information that is different than the first token and is configured to authenticate a service relay to send the service request and the first token to the hosted service; and
      
      send, to the service relay, the service request with both the first token and the second token.
  - 10. The client computing device of claim 5, wherein the client computing device comprises a mobile device.
  - 11. The Client computing device of claim 5, wherein the hosted service comprises a connector service configured to extract user identity information from the first token.
  - 12. The client computing device of claim 5, wherein the hosted service comprises a group of different systems configured to provide one or more services.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Young, Kyle Stapley, Drollinger, Robert Aron, O'Brien, Robert, Runde, David J., Pandya, Jagruti Dushyant, El Khoury, Georges
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
Murphy, J. Brant

Application Number

US15/725,800
Publication Number

US 20180219862A1
Time in Patent Office

677 Days
Field of Search
US Class Current
CPC Class Codes

H04L 2463/082   applying multi-factor authe...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/08   for authentication of entit...

H04L 63/0815   providing single-sign-on or...

H04L 63/0869   for achieving mutual authen...

H04L 63/0884   by delegation of authentica...

H04L 67/02   based on web technology, e....

H04L 67/56   Provisioning of proxy servi...

Actively federated mobile authentication

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

34 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Actively federated mobile authentication

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

34 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links