LATE BINDING AUTHENTICATION

US 20160105422A1
Filed: 10/13/2014
Published: 04/14/2016
Est. Priority Date: 10/13/2014
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving, by a device, a request for authenticating a resource for access to a service;

generating a late-binding token (LBT) that is associated with the request;

sending the LBT to a second device associated with the resource;

binding the resource to the LBT upon receipt and validation of the LBT, the LBT received back from the second device; and

communicating a message to the second device that binding is complete and that the resource can access and is capable of authenticating to the service for access with a supplied valid authentication response.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A late-binding token (LBT) is securely generated and provided to a device application. When the LBT is presented and validated, a resource associated with the presentation is bound to the LBT and authenticated for access to a service and provided valid credentials for accessing that service.

8 Citations

20 Claims

1. A method, comprising:
- receiving, by a device, a request for authenticating a resource for access to a service;
  
  generating a late-binding token (LBT) that is associated with the request;
  
  sending the LBT to a second device associated with the resource;
  
  binding the resource to the LBT upon receipt and validation of the LBT, the LBT received back from the second device; and
  
  communicating a message to the second device that binding is complete and that the resource can access and is capable of authenticating to the service for access with a supplied valid authentication response.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein receiving further includes receiving the request from the service.
  - 3. The method of claim 1, wherein generating further includes creating the LBT to include:
    - a random number, an identifier for the service, and a Hashed Message Authentication Code (HMAC) for the random number and the identifier.
  - 4. The method of claim 3, wherein creating further includes adding a Time-To-Live (TTL) attribute and a state description to the LBT and updating the HMAC to include the TTL attribute and the state description.
  - 5. The method of claim 4 further comprising, encrypting the LBT.
  - 6. The method of claim 1, wherein sending further includes hiding at least a portion of the LBT in a hidden Hypertext Markup Language (HTML) form with a script sent to the second device.
  - 7. The method of claim 1, wherein binding further includes independently re-generating at least a portion of the LBT and comparing that portion with a corresponding portion included in the LBT to validate the LBT.
  - 8. The method of claim 1, wherein binding further includes receiving a credential for accessing the service with the LBT sent back from the second device.
  - 9. The method of claim 8, wherein receiving further includes assigning access rights to the resource for accessing the service based on the credential.
  - 10. The method of claim 8, wherein receiving further includes obtaining the credential as an authentication token recognized by the service for access to the service.
  - 11. The method of claim 1, wherein communicating further includes using the message to automatically trigger re-sending, by the second device, a portion of the LBT, and verifying that the portion is associated with the resource, and providing to the second device the valid authentication response for accessing the service when the portion is verified.

12. A method, comprising:
- requesting, by a device, an access session with a remote service of a second device;
  
  receiving an authentication token and a late-binding token (LBT);
  
  sending to an identity provider of a third device;
  
  a resource identifier for a resource requesting access to the service, the authentication token, and the LBT;
  
  obtaining from the identity provider a message indicating that the LBT for the resource is bound to the authentication token; and
  
  acquiring a valid authentication response from the identity provider for the resource to participate in the access session with the service as an authenticated resource.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The method of claim 12, wherein receiving further includes obtaining the authentication token as a token generated by the service.
  - 14. The method of claim 13, wherein receiving further includes obtaining the LBT as a second token generated by the identity provider.
  - 15. The method of claim 12, wherein sending further includes providing the resource identifier as a particular resource that is already authenticated to the identity provider for Single-Sign On (SSO) services.
  - 16. The method of claim 12, wherein obtaining further includes automatically sending at least a portion of the LBT back to the identity provider to confirm the resource is authenticated to the identity provider.
  - 17. The method of claim 16, wherein automatically sending further includes initiating a script embedded in a Hypertext Markup Language (HTML) form upon receipt of the message to locate the portion in a hidden field of the HTML form and send the portion to the identity provider.
  - 18. The method of claim 12, wherein acquiring further includes redirecting a browser being operated by the resource on the device to the access session with the valid authentication response.

19. A system, comprising:
- a processor;
  
  a late-binding authenticator configured and adapted to;
  
  i) execute on the processor and ii) provide authentication of a resource authenticated to the late-binding authenticator with authentication credentials to a service using a late-binding token (LBT) when the resource requests access to the service.
- View Dependent Claims (20)
- - 20. The system of claim 19, wherein the late-binding authenticator is further adapted and configured to:
    - iii) interact with one or more applications processing a device associated with the resource and interact with one or more other applications processing on a second device associated with the service, and wherein the processor is on a third device different from the device associated with the resource and also different from the second device associated with the service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NetIQ Corporation (Open Text Corporation)
Original Assignee
NetIQ Corporation (Open Text Corporation)
Inventors
Burch, Lloyd Leon, Mahajan, Atul, Jensen, Stuart, Masoud, Baha

Granted Patent

US 9,401,912 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/0823   using certificates cryptogr...

H04L 63/10   for controlling access to d...

H04W 12/069   using certificates or pre-s...

LATE BINDING AUTHENTICATION

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

8 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

LATE BINDING AUTHENTICATION

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

8 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others