Secure single sign-on to software applications

US 10,470,040 B2
Filed: 08/27/2017
Issued: 11/05/2019
Est. Priority Date: 08/27/2017
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for facilitating single sign-on to third-party applications on a client device, the method comprising:

receiving a security policy of an organization to which a user of the client device belongs;

receiving, by an identity provider (IDP) from a remote third-party application being used on the client device by the user, a request for identity verification of the user;

generating, by the IDP, a token comprising a public token portion and a corresponding private token portion;

providing, by the IDP to the remote third-party application, a client script implemented in a browser scripting language;

requesting, by the client script, the token;

receiving, by the client script from the IDP, the token;

requesting, by the client script, invocation of an application of the client device to perform verification of the identity of the user, the invocation using an authenticatable link specifying a network domain and being interpreted by an operating system of the client device;

identifying, by the operating system of the client device querying a service running at the network domain of specified by the authenticatable link, that a trusted broker application of the client device is an application registered by the network domain for use with the network domain;

verifying, by the trusted broker application, that the remote third-party application is authorized for use with single sign-on, and that the client device conforms to the security policy;

providing, by the trusted broker application to the IDP, the public token portion and an indication that the user is authorized to use single sign-on with the remote third-party application and that the client device conforms to the security policy;

associating, by the IDP, the public token portion with the user; and

initiating, by the identity provider, authentication of the user by the remote third-party application, the initiating comprising sending an identifier indicating verification of an identity of the user to the remote third-party application.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

After an initial user sign-on with an identity provider, and in response to an intention of the user to use a third-party application executing on a client device of the user and requiring user sign-on, the identity provider provides a client script to the third-party application. The client script facilitates user and application authentication and invokes a trusted broker application that interacts with the identity provider to enable the user to use the third-party application. The use of the trusted broker application provided by the identity provider frees the authors of third-party applications from the need to modify their applications to explicitly sign in with the identify provider. For enhanced security, conformance to an organizational security policy is verified at time of sign-on, and an authenticatable link is used to invoke the third-party application to foil attempts by malicious software to substitute another application.

59 Citations

View as Search Results

12 Claims

1. A computer-implemented method for facilitating single sign-on to third-party applications on a client device, the method comprising:
- receiving a security policy of an organization to which a user of the client device belongs;
  
  receiving, by an identity provider (IDP) from a remote third-party application being used on the client device by the user, a request for identity verification of the user;
  
  generating, by the IDP, a token comprising a public token portion and a corresponding private token portion;
  
  providing, by the IDP to the remote third-party application, a client script implemented in a browser scripting language;
  
  requesting, by the client script, the token;
  
  receiving, by the client script from the IDP, the token;
  
  requesting, by the client script, invocation of an application of the client device to perform verification of the identity of the user, the invocation using an authenticatable link specifying a network domain and being interpreted by an operating system of the client device;
  
  identifying, by the operating system of the client device querying a service running at the network domain of specified by the authenticatable link, that a trusted broker application of the client device is an application registered by the network domain for use with the network domain;
  
  verifying, by the trusted broker application, that the remote third-party application is authorized for use with single sign-on, and that the client device conforms to the security policy;
  
  providing, by the trusted broker application to the IDP, the public token portion and an indication that the user is authorized to use single sign-on with the remote third-party application and that the client device conforms to the security policy;
  
  associating, by the IDP, the public token portion with the user; and
  
  initiating, by the identity provider, authentication of the user by the remote third-party application, the initiating comprising sending an identifier indicating verification of an identity of the user to the remote third-party application.

2. A computer-implemented method for facilitating single sign-on to third-party applications, the method performed by a client device and comprising:
- receiving a security policy of an organization to which a user of the client device belongs;
  
  receiving a request from the user to initiate single sign-on to a third-party application;
  
  requesting an identity provider (IDP) to verify an identity of the user; and
  
  responsive to requesting the IDP to verify the identity of the user;
  
  receiving a client script from the IDP;
  
  requesting, by the client script, invocation of an application of the client device to perform verification of the identity of the user, the invocation using an authenticatable link specifying a network domain and being interpreted by an operating system of the client device;
  
  identifying, by the operating system of the client device querying a service running at the network domain of specified by the authenticatable link, that a trusted broker application of the client device is an application registered by the network domain for use with the network domain;
  
  verifying, by the trusted broker application, that the user is authorized to use single sign-on with the third-party application, and that the client device conforms to the security policy; and
  
  providing, by the trusted broker application to the IDP, an indication that the user is authorized to use single sign-on with the third-party application and that the client device conforms to the security policy.
- View Dependent Claims (3, 4, 5, 6, 7, 8)
- - 3. The computer-implemented method of claim 2, further comprising obtaining, by the client script from the IDP responsive to requesting the IDP to verify the identity of the user, a token comprising a public token portion and a corresponding private token portion.
  - 4. The computer-implemented method of claim 3, further comprising providing, by the trusted broker application to the IDP along with the indication that the user is authorized, the public token portion.
  - 5. The computer-implemented method of claim 4, further comprising:
    - the trusted broker application of the client device polling the IDP to determine whether the user has been verified to be authorized to use the third-party application, the polling comprising the trusted broker application providing the IDP with the private token portion.
  - 6. The computer-implemented method of claim 2, further comprising:
    - responsive to receiving a notification from the IDP that the user is authorized to use the third-party application, invoking the third-party application.
  - 7. The computer-implemented method of claim 6, wherein invoking the third-party application uses an application uniform resource locator interpreted by an operating system of the client device.
  - 8. The computer-implemented method of claim 6, further comprising:
    - receiving, by the third-party application from the IDP, an initiation of an authentication flow, the initiation comprising an indication of verification that the user is authorized to use single sign-on with the third-party application.

9. A non-transitory computer-readable storage medium storing instructions that when executed by a computer processor of a client device perform actions comprising:
- receiving a security policy of an organization to which a user of the client device belongs;
  
  receiving, by an identity provider (IDP) from a remote third-party application being used on the client device by the user, a request for identity verification of the user;
  
  generating, by the IDP, a token comprising a public token portion and a corresponding private token portion;
  
  providing, by the IDP to the remote third-party application, a client script implemented in a browser scripting language;
  
  requesting, by the client script, the token;
  
  receiving, by the client script from the IDP, the token;
  
  requesting, by the client script, invocation of an application of the client device to perform verification of the identity of the user, the invocation using an authenticatable link specifying a network domain and being interpreted by an operating system of the client device;
  
  identifying, by the operating system of the client device querying a service running at the network domain of specified by the authenticatable link, that a trusted broker application of the client device is an application registered by the network domain for use with the network domain;
  
  verifying, by the trusted broker application, that the remote third-party application is authorized for use with single sign-on, and that the client device conforms to the security policy;
  
  providing, by the trusted broker application to the IDP, the public token portion and an indication that the user is authorized to use single sign-on with the remote third-party application and that the client device conforms to the security policy;
  
  associating, by the IDP, the public token portion with the user; and
  
  initiating, by the identity provider, authentication of the user by the remote third-party application, the initiating comprising sending an identifier indicating verification of an identity of the user to the remote third-party application.
- View Dependent Claims (10, 11, 12)
- - 10. The non-transitory computer-readable storage medium of claim 9, the actions further comprising:
    - the trusted broker application of the client device polling the IDP to determine whether the user has been verified to be authorized to use the third-party application, the polling comprising the trusted broker application providing the IDP with the private token portion.
  - 11. The non-transitory computer-readable storage medium of claim 9, the actions further comprising:
    - responsive to receiving a notification from the IDP that the user is authorized to use the third-party application, invoking the third-party application.
  - 12. The non-transitory computer-readable storage medium of claim 11, the actions further comprising:
    - receiving, by the third-party application from the IDP, an initiation of an authentication flow, the initiation comprising an indication of verification that the user is authorized to use single sign-on with the third-party application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Okta Incorporated
Original Assignee
Okta Incorporated
Inventors
Belote, Thomas M., Karaa, Hassen, Wang, Christine, Jayaraman, Vinoth, Powell, Marc, Shen, Shaolin, Makhani, Naveed, Garg, Ankit
Primary Examiner(s)
Bechtel, Kevin
Assistant Examiner(s)
Farooqui, Quazi

Application Number

US15/687,528
Publication Number

US 20190069168A1
Time in Patent Office

800 Days
Field of Search

726 17, 726 2, 713155, 713159, 713161
US Class Current
CPC Class Codes

G06F 21/31   User authentication

G06F 21/41   where a single sign-on prov...

H04L 63/0815   providing single-sign-on or...

H04L 63/083   using passwords cryptograph...

H04W 12/06   Authentication

Secure single sign-on to software applications

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

59 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Secure single sign-on to software applications

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

59 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links