MOBILE MULTIFACTOR SINGLE-SIGN-ON AUTHENTICATION
First Claim
1. A non-transitory computer storage medium which stores a non-browser mobile client application comprising executable code that directs a mobile computing device to perform a process comprising:
- directing, by an authentication module, an independent browser, executable on the mobile computing device, to access a uniform resource locator (URL) associated with an authentication appliance configured to verify, with an identity database, authentication information received from the browser and configured to transmit a browser-accessible token to the browser, wherein the non-browser mobile client application comprises the authentication module, wherein the independent browser has not been specifically configured to provide identity information for non-browser mobile applications, wherein the authentication information is associated with a user of the mobile device, and wherein the authentication appliance is configured to provide single-sign-on (SSO) services that comprise accepting, for purposes of authentication, in lieu of the authentication information, a previously created valid browser-accessible token that was the result of a previous authentication between the authentication appliance and a second non-browser mobile client application;
- receiving, at the authentication module, from the independent browser, a URL string comprising a client application identity distinct from the previously created valid browser-accessible token, that indicates the user of the mobile device and that the user of the mobile device has been authenticated by the authentication appliance, the URL string configured to invoke the non-browser mobile client application upon receipt by the independent browser, the independent browser receiving the URL string from the authentication appliance in response to authenticating the user, wherein at least a portion of the URL string is uniquely associated with the non-browser mobile client application; and
- using the client application identity to obtain access to a non-browser network-based application service associated with the non-browser mobile client application.
9 Assignments
0 Petitions
Abstract
Features are disclosed for authentication of mobile device applications using a native, independent browser with a single-sign-on system. An authentication module within the mobile application can direct the mobile device's native browser to a URL to initiate authentication with an authentication appliance. The mobile browser can receive and store a browser-accessible token that indicates previous authentication performed by the user. The mobile application can receive from the authentication appliance and store a client application ID token that may be presented to network services for access. A second mobile device application may direct the same browser to the authentication appliance. The authentication appliance may inspect the persistent browser-accessible token and issue a second client application ID identity to the second application without collecting additional authentication information, or collecting additional authentication information that is different from the first authentication information.
Citations
30 Claims
1. A non-transitory computer storage medium which stores a non-browser mobile client application comprising executable code that directs a mobile computing device to perform a process comprising:
directing, by an authentication module, an independent browser, executable on the mobile computing device, to access a uniform resource locator (URL) associated with an authentication appliance configured to verify, with an identity database, authentication information received from the browser and configured to transmit a browser-accessible token to the browser, wherein the non-browser mobile client application comprises the authentication module, wherein the independent browser has not been specifically configured to provide identity information for non-browser mobile applications, wherein the authentication information is associated with a user of the mobile device, and wherein the authentication appliance is configured to provide single-sign-on (SSO) services that comprise accepting, for purposes of authentication, in lieu of the authentication information, a previously created valid browser-accessible token that was the result of a previous authentication between the authentication appliance and a second non-browser mobile client application; receiving, at the authentication module, from the independent browser, a URL string comprising a client application identity distinct from the previously created valid browser-accessible token, that indicates the user of the mobile device and that the user of the mobile device has been authenticated by the authentication appliance, the URL string configured to invoke the non-browser mobile client application upon receipt by the independent browser, the independent browser receiving the URL string from the authentication appliance in response to authenticating the user, wherein at least a portion of the URL string is uniquely associated with the non-browser mobile client application; and using the client application identity to obtain access to a non-browser network-based application service associated with the non-browser mobile client application.

Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. A system for providing single-sign-on (SSO) authentication to a user on a mobile device, the system comprising:
one or more processors; a computer-readable memory; and an authentication server comprising executable instructions stored in the computer-readable memory, wherein the one or more processors are programmed to at least: receive, from an independent browser on a mobile device, a first request to access a first uniform resource locator (URL) associated with a first non-browser mobile application; authenticate the user interacting with the mobile device by: receiving first authentication information related to the user from the independent browser, verifying the first authentication information with an identity database; identify a first URL mapping configured to invoke the first non-browser mobile application; send, to the independent browser, (1) the first URL mapping configured to invoke the first non-browser mobile application, (2) a browser-based token and (3) a first client application identity that the first non-browser mobile application will consume, wherein the browser-based token is distinct from the first client application identity; receive, from the independent browser on the mobile device, a second request to access a second URL associated with a second non-browser mobile application, wherein the second request comprises the browser-based token, wherein the second URL is distinct from the first URL, and wherein the first non-browser mobile application is distinct from the second non-browser mobile application; verify, with the identity database, non-revocation of the browser-based token; identify a second URL mapping configured to invoke the second non-browser mobile application; and send, to the independent browser, (1) the second URL mapping and (2) a second client application identity, distinct from the browser-based token, for the second non-browser client application to consume, wherein the independent browser has not been specifically configured to provide identity information for non-browser mobile applications.

Dependent claims: 10, 11, 12, 13, 14, 15.
16. A computer-implemented method for providing single-sign-on (SSO) authentication to a user of a client application on a mobile device, the computer-implemented method comprising:
receiving, from an independent browser on a mobile device, a first request to access a first uniform resource locator (URL) associated with a first non-browser mobile application executing on the mobile device; authenticating the user interacting with the mobile device at least partly by: receiving first authentication information related to the user from the independent browser, and verifying the first authentication information with an identity database; identifying a first URL mapping configured to invoke the first non-browser mobile application; sending, to the independent browser, a browser-based token, the first URL mapping, and a first client application identity for use by the first non-browser mobile application; receiving, from the independent browser on the mobile device, a second request to access a second uniform resource locator (URL) associated with a second non-browser mobile application executing on the mobile device, wherein the second request comprises the browser-based token; verifying, with the identity database, non-revocation of the browser-based token; identifying a second URL mapping configured to invoke the second non-browser mobile application; and sending, to the independent browser, a second client application identity for use by the second non-browser mobile application and the second URL mapping, said method performed in its entirety by a computer system that is separate from the mobile device, wherein the independent browser has not been specifically configured to provide identity information for non-browser mobile applications.

Dependent claims: 17, 18, 19, 20, 21, 22, 23.
24. A non-transitory computer storage medium which stores a program comprising executable code that directs a computing device to perform a process that provides single-sign-on (SSO) authentication to a user of a mobile device, comprising:
receiving, from an independent browser on a mobile device, a first request to access a first uniform resource locator (URL) associated with a first non-browser mobile application executing on a mobile device; authenticating the user interacting with the mobile device by: receiving first authentication information related to the user from the independent browser, verifying the first authentication information with an identity database; identifying a first URL mapping configured to invoke the first non-browser mobile application; sending, to the independent browser, a browser-based token, the first URL mapping, and a first client application identity for use by the first non-browser mobile application; receiving, from the independent browser on the mobile device, a second request to access a second uniform resource locator (URL) associated with a second non-browser mobile application executing on the mobile device, wherein the second request comprises the browser-based token; verifying, with the identity database, non-revocation of the browser-based token; identifying a second URL mapping configured to invoke the first non-browser mobile application; and sending, to the independent browser, a second client application identity for use by the second non-browser mobile application and the second URL mapping, wherein the independent browser has not been specifically configured to provide identity information for non-browser mobile applications.

Dependent claims: 25, 26, 27, 28, 29, 30.
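The appliance-side exchange of claims 9, 16 and 24, modelled as an added Python example that is not the patent's own code: a first request from the browser is authenticated against the identity database and answered with a browser-based token, a URL mapping that invokes the app, and a client application identity; a second request from a different app that carries the still-valid browser token is answered with a second identity without fresh credentials; a revoked browser token forces re-authentication, and each client identity is accepted only by the app it was issued to. The identity database contents, the app-to-URL mappings, the query parameter name and the token format are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlencode


def hash_credential(secret):
    """Hypothetical credential hashing for the constructed identity database."""
    return hashlib.sha256(secret.encode()).hexdigest()


class AuthAppliance:
    def __init__(self, identity_db, url_mappings):
        self.identity_db = identity_db    # user -> hashed credential (constructed store)
        self.url_mappings = url_mappings  # app id -> URL mapping that invokes that app
        self.browser_tokens = {}          # browser-based token -> authenticated user
        self.revoked = set()              # browser-based tokens no longer accepted
        self.client_identities = {}       # client application identity -> (app id, user)

    def handle_request(self, app_id, browser_token=None, credentials=None):
        """Process one browser request; return (redirect URL, browser token) or (None, None)."""
        if app_id not in self.url_mappings:
            raise ValueError("no URL mapping for this client application")
        user = None
        # SSO path: a valid, non-revoked browser-based token stands in for credentials.
        if browser_token in self.browser_tokens and browser_token not in self.revoked:
            user = self.browser_tokens[browser_token]
        elif credentials is not None:
            name, secret = credentials
            if hmac.compare_digest(self.identity_db.get(name, ""), hash_credential(secret)):
                user = name
                browser_token = secrets.token_urlsafe(32)  # new token kept by the browser
                self.browser_tokens[browser_token] = user
        if user is None:
            return None, None  # nothing issued; the browser must authenticate first
        # The client application identity is separate from the browser token and
        # bound to the requesting app, so one app's identity cannot serve another.
        client_identity = secrets.token_urlsafe(32)
        self.client_identities[client_identity] = (app_id, user)
        redirect = self.url_mappings[app_id] + "?" + urlencode({"client_id": client_identity})
        return redirect, browser_token

    def revoke(self, browser_token):
        self.revoked.add(browser_token)  # ends SSO; already issued identities are unaffected

    def consume(self, app_id, client_identity):
        """Network service side: return the user only if the identity was issued to app_id."""
        entry = self.client_identities.get(client_identity)
        return entry[1] if entry and entry[0] == app_id else None
```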
Specification