FEDERATED FULL DOMAIN LOGON

US 20160094543A1
Filed: 09/30/2015
Published: 03/31/2016
Est. Priority Date: 09/30/2014
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

storing a certificate at a credential mapper of a server device;

corresponding, by the server device, a token to the certificate stored at the credential mapper;

receiving, at the server device and from a client device, the token;

determining, at the server device, whether the client device has authenticated with an identity providing device based on the token received from the client device; and

in response to determining that the client device has authenticated with the identity providing device, providing a temporary certificate for granting the client device access to a domain.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for faster and more efficient smart card logon and for giving a client device full domain access in a remote computing environment are described herein. Components used to implement fast smart card logon may also be used to implement a federated full domain logon. A virtual smart card credential, which may be ephemeral, may be issued based on the acceptance of an external authentication event. Example external authentication events include logon at a Security Assertion Markup Language (SAML) Identity Provider, smart card authentication over TLS or SSL, and alternative authentication credentials such as biometrics or one-time password (OTP) without AD password. Moreover, the certificate operation interception components from fast smart card logon may be used to enable interaction with the virtual smart card without fully emulating a smart card at the PC/SC API level. The virtual smart card may be created locally at the authentication server or on a separate server that may be highly protected.

48 Citations

View as Search Results

20 Claims

1. A method comprising:
- storing a certificate at a credential mapper of a server device;
  
  corresponding, by the server device, a token to the certificate stored at the credential mapper;
  
  receiving, at the server device and from a client device, the token;
  
  determining, at the server device, whether the client device has authenticated with an identity providing device based on the token received from the client device; and
  
  in response to determining that the client device has authenticated with the identity providing device, providing a temporary certificate for granting the client device access to a domain.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein determining whether the client device has authenticated with the identity providing device comprises:
    - sending, by the server device to the identity providing device, information from the token received from the client device; and
      
      receiving, from the identity providing device, confirmation that the client device has authenticated with the identity providing device.
  - 3. The method of claim 1, wherein determining whether the client device has authenticated with the identity providing device comprises performing one or more of the following:
    - determining, by the credential mapper of the server device, whether the token received from the client device corresponds to a token issued by the identity providing device;
      
      determining, by a gateway service of the server device, whether the token received from the client device corresponds to the token issued by the identity providing device;
      
      ordetermining, by an application store of the server device, whether the token received from the client device corresponds to the token issued by the identity providing device.
  - 4. The method of claim 1, further comprising:
    - linking the temporary certificate to a proof key at the client device, wherein the providing the temporary certificate comprises providing the temporary certificate in response to a determination that the client device has the proof key.
  - 5. The method of claim 1, further comprising:
    - prior to providing the temporary certificate, generating the temporary certificate based on the certificate stored at the credential mapper in response to determining that the client device has authenticated with the identity providing device based on the token.
  - 6. The method of claim 1, wherein the temporary certificate comprises a time-limited certificate.
  - 7. The method of claim 1, wherein the temporary certificate comprises a smart card class certificate.

8. An apparatus comprising:
- a processor; and
  
  memory storing computer-executable instructions that, when executed by the processor, cause the apparatus to;
  
  store a certificate at a credential mapper of the apparatus;
  
  correspond a token to the certificate stored at the credential mapper;
  
  receive, from a client device, the token;
  
  determine whether the client device has authenticated with an identity providing device based on the token received from the client device; and
  
  in response to determining that the client device has authenticated with the identity providing device, provide a temporary certificate for granting the client device access to a domain.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The apparatus of claim 8, wherein determining whether the client device has authenticated with the identity providing device comprises:
    - send, to the identity providing device, information from the token received from the client device; and
      
      receive, from the identity providing device, confirmation that the client device has authenticated with the identity providing device.
  - 10. The apparatus of claim 8, wherein determining whether the client device has authenticated with the identity providing device comprises performing one or more of the following:
    - determining, by the credential mapper of the apparatus, whether the token received from the client device corresponds to a token issued by the identity providing device;
      
      determining, by a gateway service of the apparatus, whether the token received from the client device corresponds to the token issued by the identity providing device;
      
      ordetermining, by an application store of the server device, whether the token received from the client device corresponds to the token issued by the identity providing device.
  - 11. The apparatus of claim 8, wherein the memory stores computer-executable instructions that, when executed by the processor, cause the apparatus to:
    - link the temporary certificate to a proof key at the client device, wherein the providing the temporary certificate comprises providing the temporary certificate in response to a determination that the client device has the proof key.
  - 12. The apparatus of claim 8, wherein the memory stores computer-executable instructions that, when executed by the processor, cause the apparatus to:
    - prior to providing the temporary certificate, generate the temporary certificate based on the certificate stored at the credential mapper in response to determining that the client device has authenticated with the identity providing device based on the token.
  - 13. The apparatus of claim 8, wherein the temporary certificate comprises a time-limited certificate.
  - 14. The apparatus of claim 8, wherein the temporary certificate comprises a smart card class certificate.

15. A method comprising:
- sending, by a client device and to an identity providing device, credentials for authenticating the client device with the identity providing device;
  
  receiving, at the client device and from the identity providing device, a token indicating that the client device is authenticated with the identity providing device;
  
  sending, by the client device and to a server device, the token; and
  
  in response to the client device receiving an indication from the server device that the client device has been granted access to a domain based on the token, using a temporary certificate to access the domain.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The method of claim 15, wherein the server device uses the token to determine whether the client device is authenticated with the identity providing device.
  - 17. The method of claim 15, wherein the token is linked to a certificate stored at a credential mapper of the server device.
  - 18. The method of claim 17, wherein the temporary certificate is generated based on the certificate stored at the credential mapper.
  - 19. The method of claim 15, wherein the temporary certificate comprises a time-limited certificate.
  - 20. The method of claim 15, wherein the temporary certificate comprises a smart card class certificate.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Innes, Andrew, Mayers, Chris

Granted Patent

US 10,122,703 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/33   using certificates

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0815   providing single-sign-on or...

H04L 63/0823   using certificates cryptogr...

H04L 63/0853   using an additional device,...

H04L 63/0876   based on the identity of th...

H04L 9/3228   One-time or temporary data,...

H04L 9/3234   involving additional secure...

H04L 9/3263   involving certificates, e.g...

FEDERATED FULL DOMAIN LOGON

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

48 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

FEDERATED FULL DOMAIN LOGON

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

48 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links