FACILITATING SINGLE SIGN-ON TO SOFTWARE APPLICATIONS

US 20150326562A1
Filed: 05/04/2015
Published: 11/12/2015
Est. Priority Date: 05/06/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for facilitating single sign-on to third-party applications, the method comprising:

receiving, by an identity provider (IDP) from a remote third-party application being used on a client device by a user, a request for identity verification of the user;

generating, by the IDP, a token comprising a public token portion and a corresponding private token portion;

providing, by the IDP to the remote third-party application, a client script implemented in a browser scripting language;

requesting, by the client script, the token;

receiving, by the client script from the IDP, the token;

invoking, by the client script, a trusted broker application executing on the client device, the invocation using an application uniform resource locator (URL) and including the public token portion;

verifying, by the trusted broker application, that the third-party application is authorized for use with single sign-on;

providing, by the trusted broker application, the public token portion to the IDP;

associating, by the IDP, the public token portion with the user; and

initiating, by the identity provider, authentication of the user by the third-party application, the initiating comprising sending an identifier indicating verification of an identity of the user to the third-party application.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

After an initial user sign-on with an identity provider, and in response to an intention of the user to use a third-party application executing on a client device of the user and requiring user sign-on, the identity provider provides a client script to the third-party application. The client script facilitates user and application authentication and invokes a trusted broker application that interacts with the identity provider to enable the user to use the third-party application. The use of the trusted broker application provided by the identity provider frees the authors of third-party applications from the need to modify their applications to explicitly sign in with the identify provider.

68 Citations

View as Search Results

16 Claims

1. A computer-implemented method for facilitating single sign-on to third-party applications, the method comprising:
- receiving, by an identity provider (IDP) from a remote third-party application being used on a client device by a user, a request for identity verification of the user;
  
  generating, by the IDP, a token comprising a public token portion and a corresponding private token portion;
  
  providing, by the IDP to the remote third-party application, a client script implemented in a browser scripting language;
  
  requesting, by the client script, the token;
  
  receiving, by the client script from the IDP, the token;
  
  invoking, by the client script, a trusted broker application executing on the client device, the invocation using an application uniform resource locator (URL) and including the public token portion;
  
  verifying, by the trusted broker application, that the third-party application is authorized for use with single sign-on;
  
  providing, by the trusted broker application, the public token portion to the IDP;
  
  associating, by the IDP, the public token portion with the user; and
  
  initiating, by the identity provider, authentication of the user by the third-party application, the initiating comprising sending an identifier indicating verification of an identity of the user to the third-party application.

2. A computer-implemented method for facilitating single sign-on to third-party applications, the method performed by a client device and comprising:
- receiving a request from a user to initiate single sign-on to a third-party application;
  
  requesting an identity provider (IDP) to verify an identity of the user; and
  
  responsive to requesting the IDP to verify the identity of the user;
  
  receiving a client script from the IDP;
  
  obtaining, by the client script from the IDP, a token comprising a public token portion and a corresponding private token portion;
  
  verifying that the user is authorized to use single sign-on with the third-party application; and
  
  providing, to the IDP, the public token portion and an indication that the user is authorized to use single sign-on with the third-party application.
- View Dependent Claims (3, 4, 5, 6, 7)
- - 3. The computer-implemented method of claim 2, further comprising the client script invoking a trusted broker application of the client device to perform the verifying, the invoking using an application uniform resource locator interpreted by an operating system of the client device.
  - 4. The computer-implemented method of claim 2, further comprising:
    - responsive to receiving a notification from the IDP that the user is authorized to use the third-party application, invoking the third-party application.
  - 5. The computer-implemented method of claim 4, wherein invoking the third-party application uses an application uniform resource locator interpreted by an operating system of the client device.
  - 6. The computer-implemented method of claim 4, further comprising:
    - receiving, by the third-party application from the IDP, an initiation of an authentication flow, the initiation comprising an indication of verification that the user is authorized to use single sign-on with the third-party application.
  - 7. The computer-implemented method of claim 2, further comprising:
    - a trusted broker application of the client device polling the IDP to determine whether the user has been verified to be authorized to use the third-party application, the polling comprising the trusted broker application providing the IDP with the private token portion.

8. A computer-implemented method performed by an identity provider for facilitating single sign-on to a third-party application, the method comprising:
- receiving a request of a remote client to verify of an identity of a user of a client device as being authorized to use single sign-on for the third-party application;
  
  generating a token comprising a public token portion and a corresponding private token portion;
  
  providing a client script to the client device;
  
  receiving, from the client script executing on the client device, a request for the token;
  
  providing the token to the client script; and
  
  verifying that the user is authorized to use single sign-on for the third-party application.
- View Dependent Claims (9, 10)
- - 9. The computer-implemented method of claim 8, wherein verifying that the user is authorized to use single sign-on for the third-party application comprises:
    - receiving from the trusted broker application;
      
      the public token portion, and an indication that the user is authorized to use single sign-on for the third-party application; and
      
      verifying, by matching the received public token portion with the private token portion, that the indication is from the trusted broker application.
  - 10. The computer-implemented method of claim 8, further comprising initiating authentication of the user by the third-party application, the initiating comprising sending an identifier indicating verification of the user'"'"'s identity to the third-party application.

11. A non-transitory computer-readable storage medium comprising instructions executable by a processor, the instructions comprising:
- instructions for receiving a request from a user to initiate single sign-on to a third-party application;
  
  instructions for requesting an identity provider (IDP) to verify an identity of the user; and
  
  instructions for, responsive to requesting the IDP to verify the identity of the user;
  
  receiving a client script from the IDP;
  
  obtaining, by the client script from the IDP, a token comprising a public token portion and a corresponding private token portion;
  
  verifying that the user is authorized to use single sign-on with the third-party application; and
  
  providing, to the IDP, the public token portion and an indication that the user is authorized to use single sign-on with the third-party application.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The non-transitory computer-readable storage medium of claim 11, the instructions further comprising the client script invoking a trusted broker application of the client device to perform the verifying, the invoking using an application uniform resource locator interpreted by an operating system of a client device on which the instructions execute.
  - 13. The non-transitory computer-readable storage medium of claim 11, the instructions further comprising:
    - instructions for, responsive to receiving a notification from the IDP that the user is authorized to use the third-party application, invoking the third-party application.
  - 14. The non-transitory computer-readable storage medium of claim 13, wherein invoking the third-party application uses an application uniform resource locator interpreted by an operating system of the client device.
  - 15. The non-transitory computer-readable storage medium of claim 13, the instructions further comprising:
    - instructions for receiving, by the third-party application from the IDP, an initiation of an authentication flow, the initiation comprising an indication of verification that the user is authorized to use single sign-on with the third-party application.
  - 16. The non-transitory computer-readable storage medium of claim 11, the instructions further comprising:
    - instructions for polling the IDP to determine whether the user has been verified to be authorized to use the third-party application, the polling comprising the trusted broker application providing the IDP with the private token portion.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Okta Incorporated
Original Assignee
Okta Incorporated
Inventors
Belote, Thomas M., Karaa, Hassen, Wang, Christine, Jayaraman, Vinoth

Granted Patent

US 9,548,976 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/41   where a single sign-on prov...

H04L 63/0815   providing single-sign-on or...

H04L 67/34   involving the movement of s...

H04L 67/53   using third party service p...

FACILITATING SINGLE SIGN-ON TO SOFTWARE APPLICATIONS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

68 Citations

16 Claims

Specification

Use Cases

Quick Links

Others

FACILITATING SINGLE SIGN-ON TO SOFTWARE APPLICATIONS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

68 Citations

16 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others