Technologies for authentication and single-sign-on using device security assertions

US 10,462,121 B2
Filed: 07/26/2017
Issued: 10/29/2019
Est. Priority Date: 03/27/2015
Status: Active Grant

First Claim

Patent Images

1. A computing device for remote device authentication, the computing device comprising:

a user authentication module to;

receive an authentication request from a client computing device;

transmit an authentication challenge to the client computing device in response to receipt of the authentication request; and

receive an authentication challenge response from an embedded technology access server of the client computing device in response to transmission of the authentication challenge, wherein the authentication challenge response includes a resource access token indicative of a security assertion of the client computing device, wherein the security assertion comprises an indication of trustworthiness assigned to the client computing device, and wherein the embedded technology access server is executed by a manageability engine of the client computing device; and

a device verification module to determine whether the client computing device is trusted based on the security assertion indicated by the resource access token of the authentication challenge response;

wherein the user authentication module is further to transmit a successful authentication response to the client computing device in response to a determination that the client computing device is trusted.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Technologies for remote device authentication include a client computing device, an identity provider, and an application server in communication over a network. The identity provider sends an authentication challenge to the client. A capability proxy of the client intercepts an authentication challenge response and retrieves one or more security assertions from a secure environment of the client computing device. The capability proxy may be an embedded web server providing an HTTP interface to platform features of the client. The client sends a resource access token based on the security assertions to the identity provider. The identity provider verifies the resource access token and authenticates the client computing device based on the resource access token in addition to user authentication factors such as username and password. The identity provider sends an authentication response to the client, which forwards the authentication response to the application server. Other embodiments are described and claimed.

19 Citations

View as Search Results

20 Claims

1. A computing device for remote device authentication, the computing device comprising:
- a user authentication module to;
  
  receive an authentication request from a client computing device;
  
  transmit an authentication challenge to the client computing device in response to receipt of the authentication request; and
  
  receive an authentication challenge response from an embedded technology access server of the client computing device in response to transmission of the authentication challenge, wherein the authentication challenge response includes a resource access token indicative of a security assertion of the client computing device, wherein the security assertion comprises an indication of trustworthiness assigned to the client computing device, and wherein the embedded technology access server is executed by a manageability engine of the client computing device; and
  
  a device verification module to determine whether the client computing device is trusted based on the security assertion indicated by the resource access token of the authentication challenge response;
  
  wherein the user authentication module is further to transmit a successful authentication response to the client computing device in response to a determination that the client computing device is trusted.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computing device of claim 1, wherein:
    - to receive the authentication request from the client computing device comprises to receive the authentication request via a public network connection with the client computing device;
      
      to transmit the authentication challenge to the client computing device comprises to transmit the authentication challenge to the client computing device via the public network connection;
      
      to receive the authentication challenge response from the client computing device comprises to receive the authentication challenge response from the client computing device via the public network connection; and
      
      to transmit the successful authentication response to the client computing device comprises to transmit the successful authentication response to the client computing device via the public network connection.
  - 3. The computing device of claim 1, wherein the authentication request comprises a security assertion markup language request and the authentication response comprises a security assertion markup language response.
  - 4. The computing device of claim 1, wherein the authentication challenge comprises an interactive form.
  - 5. The computing device of claim 1, wherein to determine whether the client computing device is trusted comprises to determine whether the client computing device is subject to a device management policy based on the resource access token.
  - 6. The computing device of claim 1, wherein to determine whether the client computing device is trusted comprises to determine a device trust level assertion associated with the client computing device based on the resource access token.
  - 7. The computing device of claim 1, wherein to determine whether the client computing device is trusted based on the resource access token of the authentication challenge response comprises to process the resource access token using an encryption key associated with the client computing device.
  - 8. The computing device of claim 1, wherein:
    - the user authentication module is further to authenticate a user of the client computing device using the authentication challenge response; and
      
      to transmit the successful authentication response further comprises to transmit the successful authentication response in response to authentication of the user.

9. A method for remote device authentication, the method comprising:
- receiving, by a computing device, an authentication request from a client computing device;
  
  transmitting, by the computing device, an authentication challenge to the client computing device in response to receiving the authentication request;
  
  receiving, by the computing device, an authentication challenge response from an embedded technology access server of the client computing device in response to transmitting the authentication challenge, wherein the authentication challenge response includes a resource access token indicative of a security assertion of the client computing device, wherein the security assertion comprises an indication of trustworthiness assigned to the client computing device, and wherein the embedded technology access server is executed by a manageability engine of the client computing device;
  
  determining, by the computing device, whether the client computing device is trusted based on the security assertion indicated by the resource access token of the authentication challenge response; and
  
  transmitting, by the computing device, a successful authentication response to the client computing device in response to determining that the client computing device is trusted.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The method of claim 9, wherein:
    - receiving the authentication request from the client computing device comprises receiving the authentication request via a public network connection with the client computing device;
      
      transmitting the authentication challenge to the client computing device comprises transmitting the authentication challenge to the client computing device via the public network connection;
      
      receiving the authentication challenge response from the client computing device comprises receiving the authentication challenge response from the client computing device via the public network connection; and
      
      transmitting the successful authentication response to the client computing device comprises transmitting the successful authentication response to the client computing device via the public network connection.
  - 11. The method of claim 9, wherein transmitting the authentication challenge comprises transmitting an interactive form to the client computing device.
  - 12. The method of claim 9, wherein determining whether the client computing device is trusted comprises determining whether the client computing device is subject to a device management policy based on the resource access token.
  - 13. The method of claim 9, wherein determining whether the client computing device is trusted comprises determining a device trust level assertion associated with the client computing device based on the resource access token.
  - 14. The method of claim 9, wherein determining whether the client computing device is trusted based on the resource access token of the authentication challenge response comprises processing the resource access token using an encryption key associated with the client computing device.

15. One or more non-transitory, computer-readable storage media comprising a plurality of instructions that in response to being executed cause a computing device to:
- receive an authentication request from a client computing device;
  
  transmit an authentication challenge to the client computing device in response to receiving the authentication request;
  
  receive an authentication challenge response from an embedded technology access server of the client computing device in response to transmitting the authentication challenge, wherein the authentication challenge response includes a resource access token indicative of a security assertion of the client computing device, wherein the security assertion comprises an indication of trustworthiness assigned to the client computing device, and wherein the embedded technology access server is executed by a manageability engine of the client computing device;
  
  determine whether the client computing device is trusted based on the security assertion indicated by the resource access token of the authentication challenge response; and
  
  transmit a successful authentication response to the client computing device in response to determining that the client computing device is trusted.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The one or more non-transitory, computer-readable storage media of claim 15, wherein:
    - to receive the authentication request from the client computing device comprises to receive the authentication request via a public network connection with the client computing device;
      
      to transmit the authentication challenge to the client computing device comprises to transmit the authentication challenge to the client computing device via the public network connection;
      
      to receive the authentication challenge response from the client computing device comprises to receive the authentication challenge response from the client computing device via the public network connection; and
      
      to transmit the successful authentication response to the client computing device comprises to transmit the successful authentication response to the client computing device via the public network connection.
  - 17. The one or more non-transitory, computer-readable storage media of claim 15, wherein to transmit the authentication challenge comprises to transmit an interactive form to the client computing device.
  - 18. The one or more non-transitory, computer-readable storage media of claim 15, wherein to determine whether the client computing device is trusted comprises to determine whether the client computing device is subject to a device management policy based on the resource access token.
  - 19. The one or more non-transitory, computer-readable storage media of claim 15, wherein to determine whether the client computing device is trusted comprises to determine a device trust level assertion associated with the client computing device based on the resource access token.
  - 20. The one or more non-transitory, computer-readable storage media of claim 15, wherein to determine whether the client computing device is trusted based on the resource access token of the authentication challenge response comprises to process the resource access token using an encryption key associated with the client computing device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Li, Hong, Sharma, Suman, Vicente, John B., Gimenez, Luis A., Ashley, Carlton D., Malpani, Navneet
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
Teng, Louis C

Application Number

US15/660,523
Publication Number

US 20170324731A1
Time in Patent Office

825 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/41   where a single sign-on prov...

G06F 21/44   Program or device authentic...

H04L 63/0815   providing single-sign-on or...

H04L 63/10   for controlling access to d...

H04L 67/02   based on web technology, e....

Technologies for authentication and single-sign-on using device security assertions

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

19 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Technologies for authentication and single-sign-on using device security assertions

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

19 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links