Security object creation, validation, and assertion for single sign on authentication

US 10,404,678 B2
Filed: 02/25/2015
Issued: 09/03/2019
Est. Priority Date: 02/26/2014
Status: Active Grant

First Claim

Patent Images

1. A system for providing single-sign-on (SSO) credentials for a user on a mobile device to multiple network resources, the system comprising:

one or more hardware processors;

a computer-readable memory; and

an authentication system comprising executable instructions stored in the computer-readable memory, wherein the one or more processors are programmed to at least;

receive, over a network, a request to access a first network resource by a mobile device associated with a user, wherein the first network resource is hosted by a server and accessible by a plurality of users of an organization, wherein the plurality of users of the organization comprises the user, wherein the request includes a security object associated with the mobile device, and wherein the authentication system is configured to accept, as the security object, an existing smart card identifier, an NFC object identifier, a Bluetooth object identifier, a hard OATH token, a mobile soft OATH token, and a characteristic of the mobile device;

validate the security object as authentic by at least;

determining, from the security object, a security object identifier; and

determining that the security object identifier is associated with the mobile device and the user in an identity database associated with the organization;

in response to a determination that the security object identifier is associated with the mobile device and the user in the identity database, authenticate the user and the mobile device by at least;

receiving a redirect request from the mobile device, wherein the redirect request was received by the mobile device from the server that hosts the first network resource, and wherein the redirect request comprises an identification of the user included in the redirect request by the server that hosts the first network resource;

receiving a second authentication factor from the mobile device; and

validating the second authentication factor by comparing the second authentication factor with user data associated with the user, the user data accessed from the identity database;

in response to a successful authentication of the mobile device and the user, determine an identity assertion format acceptable to the first network resource;

create an identity assertion object related to the user in the determined identify assertion format based on the identification of the user included in the redirect request by the server that hosts the first network resource, the identity assertion object being distinct from the security object and the object identifier; and

provide, to the first network resource, the identity assertion object related to the user, wherein the identity assertion object is configured to allow the user to gain access to the first network resource.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security object creation and validation system provides an additional factor of authentication. An authentication system as described herein provides secure two-factor authentication, such as for IT resources in an organization. The authentication system can perform generation of a security object (such as an X.509 object, Java object, persistent browser token, or other digital certificate); registration of the generated security object or of an existing security object (such as a near field communication identifier, smart card identifier, OATH token, etc.); validation of the security object as part of an authentication process; and assertion of the identity of the security object to native network resources (such as web resources, network resources, cloud resources, mobile applications, and the like) that may accept the security object. The authentication system may provide user interfaces to allow users and administrators to manage registered device inventory and revoke security objects.

Citations

18 Claims

1. A system for providing single-sign-on (SSO) credentials for a user on a mobile device to multiple network resources, the system comprising:
- one or more hardware processors;
  
  a computer-readable memory; and
  
  an authentication system comprising executable instructions stored in the computer-readable memory, wherein the one or more processors are programmed to at least;
  
  receive, over a network, a request to access a first network resource by a mobile device associated with a user, wherein the first network resource is hosted by a server and accessible by a plurality of users of an organization, wherein the plurality of users of the organization comprises the user, wherein the request includes a security object associated with the mobile device, and wherein the authentication system is configured to accept, as the security object, an existing smart card identifier, an NFC object identifier, a Bluetooth object identifier, a hard OATH token, a mobile soft OATH token, and a characteristic of the mobile device;
  
  validate the security object as authentic by at least;
  
  determining, from the security object, a security object identifier; and
  
  determining that the security object identifier is associated with the mobile device and the user in an identity database associated with the organization;
  
  in response to a determination that the security object identifier is associated with the mobile device and the user in the identity database, authenticate the user and the mobile device by at least;
  
  receiving a redirect request from the mobile device, wherein the redirect request was received by the mobile device from the server that hosts the first network resource, and wherein the redirect request comprises an identification of the user included in the redirect request by the server that hosts the first network resource;
  
  receiving a second authentication factor from the mobile device; and
  
  validating the second authentication factor by comparing the second authentication factor with user data associated with the user, the user data accessed from the identity database;
  
  in response to a successful authentication of the mobile device and the user, determine an identity assertion format acceptable to the first network resource;
  
  create an identity assertion object related to the user in the determined identify assertion format based on the identification of the user included in the redirect request by the server that hosts the first network resource, the identity assertion object being distinct from the security object and the object identifier; and
  
  provide, to the first network resource, the identity assertion object related to the user, wherein the identity assertion object is configured to allow the user to gain access to the first network resource.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The system of claim 1, wherein the authentication system is configured to accept as the characteristic of the mobile device, a serial number of the mobile device, a UDID of the mobile device, an advertiser ID of the mobile device, or a hash fingerprint of the mobile device derived from a combination of characteristics of the mobile device.
  - 3. The system of claim 1, wherein the security object is an X.509 soft identifier, an X.509 Smart Card identifier, a Java object, or a persistent browser token.
  - 4. The system of claim 1, wherein the authentication system is configured to create the security object for the mobile device.
  - 5. The system of claim 1, wherein the authentication system is configured to determine the identity assertion format acceptable to the first network resource by locating the identity assertion format associated with the first network resource in a stored mapping of a plurality of network resources to a plurality of identity assertion formats.
  - 6. The system of claim 1, wherein the authentication system is configured to accept, as the second factor of authentication, a short message service (“
    - SMS”
      
      ) one-time password, a telephony-based one-time password, an email-based one-time password, a knowledge-based response to a knowledge-based question, or a push notification-based one-time password.

7. A computerized method for providing single-sign-on (SSO) credentials for a user on a mobile device to multiple network resources, the method comprising:
- by an authentication system comprising computer hardware and memory, the authentication system configured with specific executable instructions;
  
  receiving, over a network, a request to access a first network resource by a mobile device associated with a user, wherein the first network resource is hosted by a server and accessible by a plurality of users of an organization, wherein the plurality of users of the organization comprises the user, wherein the request includes a security object associated with the mobile device, and wherein the authentication system is configured to accept, as the security object, an existing smart card identifier, an NFC object identifier, a Bluetooth object identifier, a hard OATH token, a mobile soft OATH token, and a characteristic of the mobile device;
  
  validating the security object as authentic by at least;
  
  determining, from the security object, a security object identifier; and
  
  determining that the security object identifier is associated with the mobile device and the user in an identity database associated with the organization;
  
  in response to a determination that the security object identifier is associated with the mobile device and the user in the identity database, authenticating the user and the mobile device by at least;
  
  receiving a redirect request from the mobile device, wherein the redirect request was received by the mobile device from the server that hosts the first network resource, and wherein the redirect request comprises an identification of the user included in the redirect request by the server that hosts the first network resource;
  
  receiving a second authentication factor from the mobile device; and
  
  validating the second authentication factor by comparing the second authentication factor with user data associated with the user, the user data accessed from the identity database;
  
  in response to a successful authentication of the mobile device and the user, determining an identity assertion format acceptable to the first network resource;
  
  creating an identity assertion object related to the user in the determined identify assertion format based on the identification of the user included in the redirect request by the server that hosts the first network resource, the identity assertion object being distinct from the security object and the object identifier; and
  
  providing, to the first network resource, the identity assertion object related to the user, wherein the identity assertion object is configured to allow the user to gain access to the first network resource.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The computerized method of claim 7, wherein the authentication system is configured to accept as the characteristic of the mobile device, a serial number of the mobile device, a UDID of the mobile device, an advertiser ID of the mobile device, or a hash fingerprint of the mobile device derived from a combination of characteristics of the mobile device.
  - 9. The computerized method of claim 7, wherein the security object is an X.509 soft identifier, an X.509 Smart Card identifier, a Java object, or a persistent browser token.
  - 10. The computerized method of claim 7, wherein the authentication system is configured to create the security object for the mobile device.
  - 11. The computerized method of claim 7, wherein the authentication system is configured to determine the identity assertion format acceptable to the first network resource by locating the identity assertion format associated with the first network resource in a stored mapping of a plurality of network resources to a plurality of identity assertion formats.
  - 12. The computerized method of claim 7, wherein the authentication system is configured to accept, as the second factor of authentication, a short message service (“
    - SMS”
      
      ) one-time password, a telephony-based one-time password, an email-based one-time password, a knowledge-based response to a knowledge-based question, or a push notification-based one-time password.

13. Non-transitory physical computer storage comprising computer-executable instructions stored thereon that, when executed by a hardware processor, are configured to perform operations comprising:
- receiving, by an authentication system, a request to access a first network resource by a user computing device associated with a user, wherein the first network resource is hosted by a server and accessible by a plurality of users of an organization, wherein the plurality of users of the organization comprises the user, wherein the request includes a security object associated with the user computing device, and wherein the authentication system is configured to accept, as the security object, an existing smart card identifier, an NFC object identifier, a Bluetooth object identifier, a hard OATH token, a mobile soft OATH token, and a characteristic of the user computing device;
  
  validating the security object as authentic by at least;
  
  determining, from the security object, a security object identifier; and
  
  determining that the security object identifier is associated with the user computing device and the user in an identity database associated with the organization;
  
  in response to a determination that the security object identifier is associated with the user computing device and the user in the identity database,receiving a redirect request from the user computing device, wherein the redirect request was received by the user computing device from the server that hosts the first network resource, and wherein the redirect request comprises an identification of the user included in the redirect request by the server that hosts the first network resource, andauthenticating the user and the user computing device;
  
  in response to a successful authentication of the user computing device and the user, determining an identity assertion format acceptable to the first network resource;
  
  creating an identity assertion object related to the user in the determined identify assertion format based on the identification of the user included in the redirect request by the server that hosts the first network resource, the identity assertion object being distinct from the security object and the object identifier; and
  
  providing, to the first network resource, the identity assertion object related to the user, wherein the identity assertion object is configured to allow the user to gain access to the first network resource.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The non-transitory physical computer storage of claim 13, wherein the authentication system is configured to accept as the characteristic of the user computing device, a serial number of the user computing device, a UDID of the user computing device, an advertiser ID of the user computing device, or a hash fingerprint of the user computing device derived from a combination of characteristics of the user computing device.
  - 15. The non-transitory physical computer storage of claim 13, wherein the security object is an X.509 soft identifier, an X.509 Smart Card identifier, a Java object, or a persistent browser token.
  - 16. The non-transitory physical computer storage of claim 13, wherein the authentication system is configured to create the security object for the user computing device.
  - 17. The non-transitory physical computer storage of claim 13, wherein the authentication system is configured to determine the identity assertion format acceptable to the first network resource by locating the identity assertion format associated with the first network resource in a stored mapping of a plurality of network resources to a plurality of identity assertion formats.
  - 18. The non-transitory physical computer storage of claim 13, wherein the authentication system is configured to accept, as the second factor of authentication, a short message service (“
    - SMS”
      
      ) one-time password, a telephony-based one-time password, an email-based one-time password, a knowledge-based response to a knowledge-based question, or a push notification-based one-time password.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SecureAuth Incorporated
Original Assignee
SecureAuth Incorporated
Inventors
Grajek, Garret Florian, Quach, Allen Yu, Lo, Jeffrey Chiwai, Tung, Shu Jen
Primary Examiner(s)
Feild, Lynn D
Assistant Examiner(s)
Lakhia, Viral S

Application Number

US14/631,543
Publication Number

US 20150244706A1
Time in Patent Office

1,651 Days
Field of Search

726 4- 8, 713150-155
US Class Current
CPC Class Codes

H04L 63/0815 providing single-sign-on or...

H04W 12/069 using certificates or pre-s...

Security object creation, validation, and assertion for single sign on authentication

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Security object creation, validation, and assertion for single sign on authentication

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links