STEP-UP AUTHENTICATION FOR SINGLE SIGN-ON

US 20160127352A1
Filed: 10/31/2014
Published: 05/05/2016
Est. Priority Date: 10/31/2014
Status: Active Grant

First Claim

Patent Images

1. A method for authenticating a user seeking access to first and second resources that have different authentication levels, comprising:

receiving at an authentication server from a computing device of the user, a primary token that is associated with a first authentication event of the user and authenticates the user to access the first resource;

receiving at the authentication server from the computing device of the user, a first request to access the second resource;

receiving at the authentication server from the computing device of the user, first credentials of the user;

validating at the authentication server the first credentials;

responsive to validating the first credentials, generating at the authentication server a second authentication event and storing the second authentication event that includes an authentication method and an authentication time within the primary token;

receiving at the authentication server from the computing device of the user, the first request to access the second resource and the primary token; and

issuing a first secondary token that authenticates the user to access the second resource.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for authenticating a user seeking access to first and second resources that have different authentication levels. The method includes receiving a primary token that is associated with a first authentication event of the user and authenticates the user to access the first resource, and receiving a first request to access the second resource. The method further includes receiving first credentials of the user. The method further includes, responsive to validating the first credentials, generating a second authentication event, associating the second authentication event with the primary token, and issuing a first secondary token that authenticates the user to access the second resource.

56 Citations

View as Search Results

20 Claims

1. A method for authenticating a user seeking access to first and second resources that have different authentication levels, comprising:
- receiving at an authentication server from a computing device of the user, a primary token that is associated with a first authentication event of the user and authenticates the user to access the first resource;
  
  receiving at the authentication server from the computing device of the user, a first request to access the second resource;
  
  receiving at the authentication server from the computing device of the user, first credentials of the user;
  
  validating at the authentication server the first credentials;
  
  responsive to validating the first credentials, generating at the authentication server a second authentication event and storing the second authentication event that includes an authentication method and an authentication time within the primary token;
  
  receiving at the authentication server from the computing device of the user, the first request to access the second resource and the primary token; and
  
  issuing a first secondary token that authenticates the user to access the second resource.
- View Dependent Claims (4, 5, 6, 7, 8, 9)
- - 4. The method of claim 1, further comprising, prior to receiving the first credentials, determining, based on an access policy associated with the primary token, that an authentication level associated with the first authentication event is insufficient to access the second resource, and requesting the first credentials.
  - 5. The method of claim 4, further comprising, prior to receiving the first credentials, issuing a one-time access (OTA) token, and receiving the OTA token to establish a secure connection with a browser, wherein the first credentials are received via the secure connection.
  - 6. The method of claim 1, further comprising:
    - receiving the primary token and a second request for the second resource, wherein the first request is associated with a first application and the second request is associated with a second application;
      
      determining, based on the second authentication event associated with the primary token, that a second secondary token that authenticates the user to access the second resource should be issued for the second application; and
      
      issuing the second secondary token.
  - 7. The method of claim 6, further comprising:
    - receiving a first application identification (ID) with the first request for the second resource; and
      
      receiving a second application ID with the second request for the second resource,wherein the first application ID corresponds to the first application and the first secondary token, and the second application ID corresponds to the second application and the second secondary token.
  - 8. The method of claim 1, further comprising:
    - receiving the primary token and a request to access a third resource, wherein the second resource and the third resource are associated with different authentication levels;
      
      receiving second credentials of the user; and
      
      responsive to validating the second credentials, generating a third authentication event, associating the third authentication event with the primary token, and issuing a third secondary token that authenticates the user to access the third resource.
  - 9. The method of claim 8, further comprising, prior to receiving the second credentials, determining, based on an access policy associated with the primary token, that a first authentication level associated with the first authentication event and a second authentication level associated with the second authentication event are insufficient to access the third resource.

2. (canceled)

3. (canceled)

10. A non-transitory computer-readable storage medium comprising instructions that, when executed in a computing device, authenticates a user seeking access to first and second resources that have different authentication levels, by performing the steps of:
- receiving at an authentication server from a computing device of the user, a primary token that is associated with a first authentication event of the user and authenticates the user to access the first resource;
  
  receiving at the authentication server from a computing device of the user, a first request to access the second resource;
  
  receiving at the authentication server from a computing device of the user, first credentials of the user;
  
  validating at the authentication server the first credentials;
  
  responsive to validating the first credentials, generating at the authentication server a second authentication event and storing the second authentication event that includes an authentication method and an authentication time within the primary token;
  
  receiving at the authentication server from the computing device of the user, the first request to access the second resource and the primary token; and
  
  issuing a first secondary token that authenticates the user to access the second resource.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The non-transitory computer-readable storage medium of claim 10, further comprising instructions that, when executed in the computing device, perform the step of, prior to receiving the first credentials, determining, based on an access policy associated with the primary token, that an authentication level associated with the first authentication event is insufficient to access the second resource, and requesting the first credentials.
  - 14. The non-transitory computer-readable storage medium of claim 13, further comprising instructions that, when executed in the computing device, perform the steps of, prior to receiving the first credentials, issuing a one-time access (OTA) token, and receiving the OTA token to establish a secure connection with a browser, wherein the first credentials are received via the secure connection.
  - 15. The non-transitory computer-readable storage medium of claim 10, further comprising instructions that, when executed in the computing device, perform the steps of:
    - receiving the primary token and a second request for the second resource, wherein the first request is associated with a first application and the second request is associated with a second application;
      
      determining, based on the second authentication event associated with the primary token, that a second secondary token that authenticates the user to access the second resource should be issued for the second application; and
      
      issuing the second secondary token.
  - 16. The non-transitory computer-readable storage medium of claim 15, further comprising instructions that, when executed in the computing device, perform the steps of:
    - receiving a first application identification (ID) with the first request for the second resource; and
      
      receiving a second application ID with the second request for the second resource,wherein the first application ID corresponds to the first application and the first secondary token, and the second application ID corresponds to the second application and the second secondary token.
  - 17. The non-transitory computer-readable storage medium of claim 10, further comprising instructions that, when executed in the computing device, perform the steps of:
    - receiving the primary token and a request to access a third resource, wherein the second resource and the third resource are associated with different authentication levels;
      
      receiving second credentials of the user; and
      
      responsive to validating the second credentials, generating a third authentication event, associating the third authentication event with the primary token, and issuing a third secondary token that authenticates the user to access the third resource.
  - 18. The non-transitory computer-readable storage medium of claim 17, further comprising instructions that, when executed in the computing device, perform the step of, prior to receiving the second credentials, determining, based on an access policy associated with the primary token, that a first authentication level associated with the first authentication event and a second authentication level associated with the second authentication event are insufficient to access the third resource.

11. (canceled)

12. (canceled)

19. A computer system for authenticating a user seeking access to first and second resources that have different authentication levels, the computer system comprising a memory and a processor programmed to carry out the steps of:
- receiving, from a token agent, a primary token that is associated with a first authentication event of the user and authenticates the user to access the first resource;
  
  receiving at an authentication server from a computing device of the user, a first request associated with a first application to access the second resource;
  
  receiving at the authentication server from a computing device of the user, first credentials of the user;
  
  validating at the authentication server the first credentials;
  
  responsive to validating the first credentials, generating at the authentication server a second authentication event and storing the second authentication event that includes an authentication method and an authentication time within the primary token;
  
  receiving at the authentication server from the computing device of the user, the first request to access the second resource and the primary token; and
  
  issuing, to the token agent, a first secondary token that authenticates the user to access the second resource.
- View Dependent Claims (20)
- - 20. The computer system of claim 19, wherein the first application comprises a native application running on a mobile device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Vmware LLC (Broadcom, Inc.)
Original Assignee
VMware, Inc. (Broadcom, Inc.)
Inventors
XU, Emily Hong, LADDA, Shraddha, OLDS, Dale Robert

Granted Patent

US 9,578,015 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/31   User authentication

G06F 21/62   Protecting access to data v...

G06F 2211/003   Mutual Authentication Bi-Di...

G06F 2211/009   Trust

H04L 2463/082   applying multi-factor authe...

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/10   for controlling access to d...

H04L 63/105   Multiple levels of security

H04L 9/32   including means for verifyi...

H04L 9/3213   using tickets or tokens, e....

H04W 12/068   using credential vaults, e....

H04W 12/084   using delegated authorisati...

H04W 12/30   Security of mobile devices;...

H04W 12/66   Trust-dependent, e.g. using...

STEP-UP AUTHENTICATION FOR SINGLE SIGN-ON

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

56 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

STEP-UP AUTHENTICATION FOR SINGLE SIGN-ON

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

56 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links