SECURITY OBJECT CREATION, VALIDATION, AND ASSERTION FOR SINGLE SIGN ON AUTHENTICATION
First Claim
1. A system for providing single-sign-on (SSO) credentials for a user on a mobile device to multiple network resources, the system comprising:
one or more hardware processors;
a computer-readable memory; and
an authentication system comprising executable instructions stored in the computer-readable memory, wherein the one or more processors are programmed to at least:
receive, over a network, a request to access a first network resource by a mobile device associated with a user, wherein the first network resource is accessible by a plurality of users of an organization, wherein the plurality of users of the organization comprises the user, and wherein the request includes a security object associated with the mobile device;
validate the security object as authentic by:
determining, from the security object, a security object identifier;
determining that the security object identifier is associated with the mobile device and the user in an identity database associated with the organization;
when a determination is made that the security object identifier is associated with the mobile device and the user in the identity database, authenticate the user and the mobile device by:
receiving a second authentication factor from the mobile device;
validating the second authentication factor by comparing the second authentication factor with user data associated with the user, the user data accessed from the identity database;
when a successful authentication of the mobile device and the user is made, determine an identity assertion format acceptable to the first network resource;
create an identity assertion object related to the user in the determined identity assertion format, the identity assertion object being distinct from the security object and the object identifier; and
provide, to the first network resource, the identity assertion object related to the user, wherein the identity assertion object is configured to allow the user to gain access to the first network resource.
Abstract
A security object creation and validation system provides an additional factor of authentication. An authentication system as described herein provides secure two-factor authentication, such as for IT resources in an organization. The authentication system can perform generation of a security object (such as an X.509 object, Java object, persistent browser token, or other digital certificate); registration of the generated security object or of an existing security object (such as a near field communication identifier, smart card identifier, OATH token, etc.); validation of the security object as part of an authentication process; and assertion of the identity of the security object to native network resources (such as web resources, network resources, cloud resources, mobile applications, and the like) that may accept the security object. The authentication system may provide user interfaces to allow users and administrators to manage registered device inventory and revoke security objects.
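The validate-then-assert sequence of claim 1 and the abstract, as an added Python example that is not code from the patent or its assignee. The identity database contents, the resource-to-format table, HOTP as the second factor, and HMAC-based assertion signing are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json, struct
# Constructed identity database (not from the patent): security object id ->
# (device id, user id), plus each user's second-factor secret.
IDENTITY_DB = {
    "objects": {"x509:serial:0x1a2b3c": ("mobile-7f21", "alice")},
    "users": {"alice": {"otp_secret": b"constructed-shared-secret"}},
}
# Assertion format each network resource accepts (constructed values).
RESOURCE_FORMATS = {"mail.example.test": "saml", "api.example.test": "jwt"}
ASSERTION_KEY = b"placeholder-idp-signing-key"  # would be held in an HSM

def security_object_id(security_object):
    """Derive the identifier the identity database is keyed on."""
    return f"{security_object['type']}:serial:{security_object['serial']}"

def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP; the mobile device computes the same value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10**digits:0{digits}d}"

def create_assertion(user_id, resource, fmt):
    """Identity assertion, distinct from the security object, signed by the IdP."""
    if fmt == "jwt":
        b64 = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
        head = b64(b'{"alg":"HS256","typ":"JWT"}')
        body = b64(json.dumps({"sub": user_id, "aud": resource}).encode())
        mac = hmac.new(ASSERTION_KEY, f"{head}.{body}".encode(), hashlib.sha256)
        return {"format": "jwt", "assertion": f"{head}.{body}.{b64(mac.digest())}"}
    # Simplified SAML-style body; a real assertion carries an XML-DSig signature.
    xml = f"<Assertion><Subject>{user_id}</Subject><Audience>{resource}</Audience></Assertion>"
    sig = hmac.new(ASSERTION_KEY, xml.encode(), hashlib.sha256).hexdigest()
    return {"format": "saml", "assertion": xml, "signature": sig}

def authenticate(request):
    """Claim 1 flow: validate the security object, then the second factor, then
    issue an assertion in the format the resource accepts. None means deny."""
    binding = IDENTITY_DB["objects"].get(security_object_id(request["security_object"]))
    # The identifier must be bound to *both* this device and this user.
    if binding != (request["device_id"], request["user_id"]):
        return None
    expected = hotp(IDENTITY_DB["users"][request["user_id"]]["otp_secret"], request["otp_counter"])
    if not hmac.compare_digest(expected, request["second_factor"]):
        return None
    fmt = RESOURCE_FORMATS.get(request["resource"])
    if fmt is None:  # no acceptable assertion format known for this resource
        return None
    return create_assertion(request["user_id"], request["resource"], fmt)
```

Note that the device binding is checked before the second factor is ever evaluated, so a security object presented from a device other than the one it was registered to is rejected without consuming an OTP.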
21 Claims
1. (Independent claim 1 is reproduced above under First Claim.) Dependent claims: 2, 3, 4, 5, 6, 7.
8. A computerized method for providing single-sign-on (SSO) credentials for a user on a mobile device to multiple network resources, the method comprising:
by an authentication system comprising computer hardware and memory, the authentication system configured with specific executable instructions:
receiving, over a network, a request to access a first network resource by a mobile device associated with a user, wherein the first network resource is accessible by a plurality of users of an organization, wherein the plurality of users of the organization comprises the user, and wherein the request includes a security object associated with the mobile device;
validating the security object as authentic by:
determining, from the security object, a security object identifier;
determining that the security object identifier is associated with the mobile device and the user in an identity database associated with the organization;
when a determination is made that the security object identifier is associated with the mobile device and the user in the identity database, authenticating the user and the mobile device by:
receiving a second authentication factor from the mobile device;
validating the second authentication factor by comparing the second authentication factor with user data associated with the user, the user data accessed from the identity database;
when a successful authentication of the mobile device and the user is made, determining an identity assertion format acceptable to the first network resource;
creating an identity assertion object related to the user in the determined identity assertion format, the identity assertion object being distinct from the security object and the object identifier; and
providing, to the first network resource, the identity assertion object related to the user, wherein the identity assertion object is configured to allow the user to gain access to the first network resource.
Dependent claims: 9, 10, 11, 12, 13, 14.
15. Non-transitory physical computer storage comprising computer-executable instructions stored thereon that, when executed by a hardware processor, are configured to perform operations comprising:
receiving, by an authentication system, a request to access a first network resource by a user computing device associated with a user, wherein the first network resource is accessible by a plurality of users of an organization, wherein the plurality of users of the organization comprises the user, and wherein the request includes a security object associated with the user computing device;
validating the security object as authentic by:
determining, from the security object, a security object identifier;
determining that the security object identifier is associated with the user computing device and the user in an identity database associated with the organization;
when a determination is made that the security object identifier is associated with the user computing device and the user in the identity database, authenticating the user and the user computing device;
when a successful authentication of the user computing device and the user is made, determining an identity assertion format acceptable to the first network resource;
creating an identity assertion object related to the user in the determined identity assertion format, the identity assertion object being distinct from the security object and the object identifier; and
providing, to the first network resource, the identity assertion object related to the user, wherein the identity assertion object is configured to allow the user to gain access to the first network resource.
Dependent claims: 16, 17, 18, 19, 20, 21.
Specification