Secure single sign-on to software applications
First Claim
1. A computer-implemented method for facilitating single sign-on to third-party applications on a client device, the method comprising:
receiving a security policy of an organization to which a user of the client device belongs;
receiving, by an identity provider (IDP) from a remote third-party application being used on the client device by the user, a request for identity verification of the user;
generating, by the IDP, a token comprising a public token portion and a corresponding private token portion;
providing, by the IDP to the remote third-party application, a client script implemented in a browser scripting language;
requesting, by the client script, the token;
receiving, by the client script from the IDP, the token;
requesting, by the client script, invocation of an application of the client device to perform verification of the identity of the user, the invocation using an authenticatable link specifying a network domain and being interpreted by an operating system of the client device;
identifying, by the operating system of the client device querying a service running at the network domain specified by the authenticatable link, that a trusted broker application of the client device is an application registered by the network domain for use with the network domain;
verifying, by the trusted broker application, that the remote third-party application is authorized for use with single sign-on, and that the client device conforms to the security policy;
providing, by the trusted broker application to the IDP, the public token portion and an indication that the user is authorized to use single sign-on with the remote third-party application and that the client device conforms to the security policy;
associating, by the IDP, the public token portion with the user; and
initiating, by the identity provider, authentication of the user by the remote third-party application, the initiating comprising sending an identifier indicating verification of an identity of the user to the remote third-party application.
Abstract
After an initial user sign-on with an identity provider, and in response to an intention of the user to use a third-party application executing on a client device of the user and requiring user sign-on, the identity provider provides a client script to the third-party application. The client script facilitates user and application authentication and invokes a trusted broker application that interacts with the identity provider to enable the user to use the third-party application. The use of the trusted broker application provided by the identity provider frees the authors of third-party applications from the need to modify their applications to explicitly sign in with the identity provider. For enhanced security, conformance to an organizational security policy is verified at the time of sign-on, and an authenticatable link is used to invoke the trusted broker application, which foils attempts by malicious software to substitute another application.
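The sequence the claims and abstract describe, as an added toy simulation that is not the patent's or any vendor's code: the IDP issues a token with public and private portions, the client script asks the operating system to open an authenticatable link, the OS launches only the application registered at that domain (so an impostor that merely claims the link is never invoked), and the trusted broker attests application authorization and policy conformance before the IDP binds the public token portion to the user. The domain registry, policy fields and application identifiers are constructed assumptions.

```python
import secrets
from dataclasses import dataclass, field

# Constructed domain-association data (added illustration, not the patent's code):
# the OS consults it when an authenticatable link names a domain and launches only
# the app that domain registered, not any app that merely claims the link.
DOMAIN_REGISTRY = {"sso.example-idp.test": "com.example.broker"}
SECURITY_POLICY = {"disk_encrypted": True, "min_os_version": 14}  # constructed policy

@dataclass
class IdentityProvider:
    authorized_apps: set                           # third-party apps allowed SSO
    pending: dict = field(default_factory=dict)    # public portion -> private portion
    verified: dict = field(default_factory=dict)   # public portion -> user

    def issue_token(self):
        """Token with a public portion (sent to the broker) and a private portion."""
        public, private = secrets.token_hex(8), secrets.token_hex(16)
        self.pending[public] = private
        return public, private

    def accept_attestation(self, user, public, app_id, device_ok):
        """Bind the public portion to the user only if the broker vouched for app and device."""
        if public not in self.pending or app_id not in self.authorized_apps or not device_ok:
            return None
        self.verified[public] = user
        return f"assertion:{user}:{public}"      # identifier sent to the third-party app

def os_resolve_link(domain, claiming_apps):
    """OS step: among installed apps claiming the link, launch only the registered one."""
    registered = DOMAIN_REGISTRY.get(domain)
    return registered if registered in claiming_apps else None

def broker_verify(app_id, device, idp):
    """Trusted broker: is the app authorized for SSO, and does the device conform?"""
    app_ok = app_id in idp.authorized_apps
    device_ok = (device["disk_encrypted"] == SECURITY_POLICY["disk_encrypted"]
                 and device["os_version"] >= SECURITY_POLICY["min_os_version"])
    return app_ok, device_ok

def single_sign_on(user, app_id, device, idp, claiming_apps=None):
    """Client-script flow; returns the verification identifier, or None on refusal."""
    public, _private = idp.issue_token()           # private portion stays with the script
    claiming = claiming_apps if claiming_apps is not None else {"com.example.broker"}
    if os_resolve_link("sso.example-idp.test", claiming) != "com.example.broker":
        return None                                 # a substituted handler never runs
    app_ok, device_ok = broker_verify(app_id, device, idp)
    return idp.accept_attestation(user, public, app_id, device_ok) if app_ok else None
```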
12 Claims
2. A computer-implemented method for facilitating single sign-on to third-party applications, the method performed by a client device and comprising:
receiving a security policy of an organization to which a user of the client device belongs;
receiving a request from the user to initiate single sign-on to a third-party application;
requesting an identity provider (IDP) to verify an identity of the user; and
responsive to requesting the IDP to verify the identity of the user:
receiving a client script from the IDP;
requesting, by the client script, invocation of an application of the client device to perform verification of the identity of the user, the invocation using an authenticatable link specifying a network domain and being interpreted by an operating system of the client device;
identifying, by the operating system of the client device querying a service running at the network domain specified by the authenticatable link, that a trusted broker application of the client device is an application registered by the network domain for use with the network domain;
verifying, by the trusted broker application, that the user is authorized to use single sign-on with the third-party application, and that the client device conforms to the security policy; and
providing, by the trusted broker application to the IDP, an indication that the user is authorized to use single sign-on with the third-party application and that the client device conforms to the security policy.
(Dependent claims 3, 4, 5, 6, 7 and 8 are not reproduced here.)
9. A non-transitory computer-readable storage medium storing instructions that when executed by a computer processor of a client device perform actions comprising:
receiving a security policy of an organization to which a user of the client device belongs;
receiving, by an identity provider (IDP) from a remote third-party application being used on the client device by the user, a request for identity verification of the user;
generating, by the IDP, a token comprising a public token portion and a corresponding private token portion;
providing, by the IDP to the remote third-party application, a client script implemented in a browser scripting language;
requesting, by the client script, the token;
receiving, by the client script from the IDP, the token;
requesting, by the client script, invocation of an application of the client device to perform verification of the identity of the user, the invocation using an authenticatable link specifying a network domain and being interpreted by an operating system of the client device;
identifying, by the operating system of the client device querying a service running at the network domain specified by the authenticatable link, that a trusted broker application of the client device is an application registered by the network domain for use with the network domain;
verifying, by the trusted broker application, that the remote third-party application is authorized for use with single sign-on, and that the client device conforms to the security policy;
providing, by the trusted broker application to the IDP, the public token portion and an indication that the user is authorized to use single sign-on with the remote third-party application and that the client device conforms to the security policy;
associating, by the IDP, the public token portion with the user; and
initiating, by the identity provider, authentication of the user by the remote third-party application, the initiating comprising sending an identifier indicating verification of an identity of the user to the remote third-party application.
(Dependent claims 10, 11 and 12 are not reproduced here.)