
Security object creation, validation, and assertion for single sign on authentication

  • US 10,404,678 B2
  • Filed: 02/25/2015
  • Issued: 09/03/2019
  • Est. Priority Date: 02/26/2014
  • Status: Active Grant
First Claim

1. A system for providing single-sign-on (SSO) credentials for a user on a mobile device to multiple network resources, the system comprising:

  • one or more hardware processors;
  • a computer-readable memory; and
  • an authentication system comprising executable instructions stored in the computer-readable memory, wherein the one or more processors are programmed to at least:
      • receive, over a network, a request to access a first network resource by a mobile device associated with a user, wherein the first network resource is hosted by a server and accessible by a plurality of users of an organization, wherein the plurality of users of the organization comprises the user, wherein the request includes a security object associated with the mobile device, and wherein the authentication system is configured to accept, as the security object, an existing smart card identifier, an NFC object identifier, a Bluetooth object identifier, a hard OATH token, a mobile soft OATH token, and a characteristic of the mobile device;
      • validate the security object as authentic by at least:
          • determining, from the security object, a security object identifier; and
          • determining that the security object identifier is associated with the mobile device and the user in an identity database associated with the organization;
      • in response to a determination that the security object identifier is associated with the mobile device and the user in the identity database, authenticate the user and the mobile device by at least:
          • receiving a redirect request from the mobile device, wherein the redirect request was received by the mobile device from the server that hosts the first network resource, and wherein the redirect request comprises an identification of the user included in the redirect request by the server that hosts the first network resource;
          • receiving a second authentication factor from the mobile device; and
          • validating the second authentication factor by comparing the second authentication factor with user data associated with the user, the user data accessed from the identity database;
      • in response to a successful authentication of the mobile device and the user, determine an identity assertion format acceptable to the first network resource;
      • create an identity assertion object related to the user in the determined identity assertion format based on the identification of the user included in the redirect request by the server that hosts the first network resource, the identity assertion object being distinct from the security object and the object identifier; and
      • provide, to the first network resource, the identity assertion object related to the user, wherein the identity assertion object is configured to allow the user to gain access to the first network resource.
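The claimed flow, modelled as an added example (not code from the patent or its assignee): the security object identifier is looked up in a constructed identity database and must map to both the requesting device and the user named in the resource's redirect; the second factor is an OATH token, checked here as RFC 4226 HOTP against the user's stored seed; the assertion format is chosen from a constructed per-resource policy. The database, resource names and record layout are assumptions for illustration.

```python
import hashlib
import hmac
import struct
from typing import Optional

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamically truncated HMAC-SHA1 over the 8-byte counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

# Constructed identity database: security object id -> device, user, OATH seed, next counter.
# The seed is the RFC 4226 test-vector secret, so the codes below are the published ones.
IDENTITY_DB = {
    "oath-token-42": {"device": "dev-A1", "user": "alice",
                      "seed": b"12345678901234567890", "counter": 0},
}
# Constructed per-resource policy: which identity assertion format each resource accepts.
RESOURCE_FORMATS = {"https://mail.example.org": "saml", "https://wiki.example.org": "jwt"}
LOOKAHEAD = 3  # how many counter values past the stored one a token may have advanced

def authenticate(request: dict, redirect: dict, second_factor: str) -> Optional[dict]:
    """Return an identity assertion object for the resource, or None if any step fails."""
    record = IDENTITY_DB.get(request["security_object_id"])
    # Step 1: the security object identifier must be bound to this device and this user.
    if record is None or record["device"] != request["device"] \
            or record["user"] != redirect["user"]:
        return None
    # Step 2: compare the second factor with the user's stored OATH data (constant-time).
    for ctr in range(record["counter"], record["counter"] + LOOKAHEAD):
        if hmac.compare_digest(hotp(record["seed"], ctr), second_factor):
            record["counter"] = ctr + 1  # consume the counter so the same code cannot be replayed
            break
    else:
        return None
    # Step 3: pick the assertion format the resource accepts and build the assertion,
    # a distinct object from the security object and its identifier.
    fmt = RESOURCE_FORMATS.get(redirect["resource"])
    if fmt is None:
        return None
    return {"format": fmt, "subject": redirect["user"], "audience": redirect["resource"]}
```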

  • 8 Assignments