SINGLE SIGN-ON FOR UNMANAGED MOBILE DEVICES

US 20160366119A1
Filed: 06/15/2015
Published: 12/15/2016
Est. Priority Date: 06/15/2015
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer-readable medium embodying a program executable in a client device, the program, when executed by the client device, being configured to cause the client device to at least:

receive a first request for an identity assertion from a client application executed in the client device, the first request being redirected from an identity provider;

authenticate with the identity provider using at least one security credential;

send a second request for the identity assertion to the identity provider;

receive the identity assertion from the identity provider; and

return the identity assertion to the client application.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed are various examples for providing a single sign-on experience for mobile applications that may or may not be managed. A first application executed in a client device sends an access request to a service provider. The first application receives a redirection response from the service provider that redirects the first application to an identity provider. The first application then receives a further redirection response from the identity provider that causes the first application to request an identity assertion from a second application executed in the client device. The first application receives the identity assertion from the second application. The first authentication then authenticates with the service provider using the identity assertion.

Citations

20 Claims

1. A non-transitory computer-readable medium embodying a program executable in a client device, the program, when executed by the client device, being configured to cause the client device to at least:
- receive a first request for an identity assertion from a client application executed in the client device, the first request being redirected from an identity provider;
  
  authenticate with the identity provider using at least one security credential;
  
  send a second request for the identity assertion to the identity provider;
  
  receive the identity assertion from the identity provider; and
  
  return the identity assertion to the client application.
- View Dependent Claims (2, 3, 4)
- - 2. The non-transitory computer-readable medium of claim 1, wherein the program, when executed by the client device, is further configured to cause the client device to at least:
    - render a user interface configured to receive the at least one security credential from a user of the client device; and
      
      receive the at least one security credential through the user interface.
  - 3. The non-transitory computer-readable medium of claim 1, wherein the second request for the identity assertion includes an identification of the client application.
  - 4. The non-transitory computer-readable medium of claim 1, wherein the first request for the identity assertion is received through a local uniform resource locator (URL) having a scheme name corresponding to the program, wherein the local URL includes callback information corresponding to the client application.

5. A system, comprising:
- a computing device;
  
  a first client application executable by the computing device;
  
  a second client application executable by the computing device; and
  
  the first client application is configured to cause the computing device to at least;
  
  send an access request to a service provider;
  
  receive a first redirection response to an identity provider from the service provider;
  
  receive a second redirection response to the second client application from the identity provider;
  
  request an identity assertion from the second client application;
  
  receive the identity assertion from the second client application; and
  
  authenticate with the service provider using the identity assertion.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13)
- - 6. The system of claim 5, wherein the first client application requests the identity assertion from the second client application by a local uniform resource locator (URL) including a scheme name corresponding to the second client application.
  - 7. The system of claim 5, wherein the second client application is configured to facilitate a single sign-on for a plurality of client applications executable in the computing device.
  - 8. The system of claim 5, wherein the first client application is further configured to cause the computing device to at least:
    - receive a session token from the service provider after authenticating; and
      
      subsequently authenticate with the service provider using the session token.
  - 9. The system of claim 5, wherein the redirection response comprises security assertion markup language (SAML).
  - 10. The system of claim 5, wherein the second client application is further configured to cause the computing device to at least:
    - authenticate with the identity provider;
      
      receive the identity assertion from the identity provider; and
      
      return the identity assertion to the first client application.
  - 11. The system of claim 10, wherein the second client application is further configured to cause the computing device to at least:
    - render a user interface configured to receive at least one security credential from a user;
      
      receive the at least one security credential from the user; and
      
      authenticate with the identity provider using the at least one security credential.
  - 12. The system of claim 10, wherein the second client application is further configured to cause the computing device to at least send an identification of the first client application to the identity provider.
  - 13. The system of claim 10, wherein the second client application returns the identity assertion to the first client application by calling a local uniform resource locator (URL) that encodes the identity assertion, the local URL including a scheme name corresponding to the first client application.

14. A method, comprising:
- sending, by a first application executed in a client device, an access request to a service provider;
  
  receiving, by the first application, a first redirection response from the service provider;
  
  receiving, by the first application, a second redirection response from an identity provider;
  
  requesting, by the first application, an identity assertion from a second application executed in the client device;
  
  receiving, by the first application, the identity assertion from the second application; and
  
  authenticating the first application with the service provider using the identity assertion.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The method of claim 14, wherein requesting the identity assertion from the second application further comprises sending a request for the identity assertion to the second application by calling a local uniform resource locator (URL) that encodes the request for the identity assertion, the local URL including a scheme name corresponding to the second application.
  - 16. The method of claim 15, wherein the local URL includes callback information corresponding to the first application.
  - 17. The method of claim 16, wherein the callback information comprises another scheme name corresponding to the first application.
  - 18. The method of claim 14, further comprising:
    - requesting, by the second application, at least one security credential from a user;
      
      authenticating the second application with the identity provider using the at least one security credential.
  - 19. The method of claim 14, further comprising obtaining, by the second application, the identity assertion from the identity provider.
  - 20. The method of claim 19, wherein obtaining the identity assertion from the identity provider further comprises sending a request for the identity assertion to the identity provider, the request for the identity assertion specifying an identifier of the first application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Omnissa, LLC
Original Assignee
AirWatch LLC (Broadcom, Inc.)
Inventors
Xu, Emily Hong, Rykowski, Adam, Jain, Ashish, Olds, Dale Robert, Barday, Kabir, Austin, Kyle, Kommireddy, Sridhara Babu

Granted Patent

US 10,171,447 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/41   where a single sign-on prov...

G06F 21/44   Program or device authentic...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 67/02   based on web technology, e....

H04L 67/306   User profiles

H04W 12/068   using credential vaults, e....

SINGLE SIGN-ON FOR UNMANAGED MOBILE DEVICES

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SINGLE SIGN-ON FOR UNMANAGED MOBILE DEVICES

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links