SINGLE SIGN-ON FOR MANAGED MOBILE DEVICES

US 20160366120A1
Filed: 06/15/2015
Published: 12/15/2016
Est. Priority Date: 06/15/2015
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer-readable medium embodying a program executable in a server computing device, the program, when executed by the server computing device, being configured to cause the server computing device to at least:

receive a request for an identity assertion from an application executed in a mobile device;

detect a platform associated with the mobile device;

send to the mobile device a response to the request based at least in part on the platform, the response requesting authentication by a management credential;

receive data generated by the management credential from the mobile device;

determine that the management credential is valid for the identity assertion; and

send the identity assertion to the mobile device in response to determining that the management credential is valid for the identity assertion.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed are various examples for single-sign on by way of managed mobile devices. For example, an identity provider service can receive a request for an identity assertion from an application executed in a client device. The identity provider service can then detect a platform associated with the client device. A response to the request can be sent based at least in part on the platform, where the response requests authentication by a management credential. Data generated by the management credential is received from the client device, and the management credential is determined to be valid for the identity assertion. The identity assertion is then sent to the client device in response to determining that the management credential is valid for the identity assertion.

49 Citations

View as Search Results

20 Claims

1. A non-transitory computer-readable medium embodying a program executable in a server computing device, the program, when executed by the server computing device, being configured to cause the server computing device to at least:
- receive a request for an identity assertion from an application executed in a mobile device;
  
  detect a platform associated with the mobile device;
  
  send to the mobile device a response to the request based at least in part on the platform, the response requesting authentication by a management credential;
  
  receive data generated by the management credential from the mobile device;
  
  determine that the management credential is valid for the identity assertion; and
  
  send the identity assertion to the mobile device in response to determining that the management credential is valid for the identity assertion.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The non-transitory computer-readable medium of claim 1, wherein the mobile device has access to the management credential in response to authentication by a device management service of a user of the mobile device.
  - 3. The non-transitory computer-readable medium of claim 1, wherein, when the platform is iOS, the request is generated by an iOS-specific certificate adapter.
  - 4. The non-transitory computer-readable medium of claim 1, wherein, when the platform is ANDROID, the request is generated by a certificate adapter.
  - 5. The non-transitory computer-readable medium of claim 1, wherein the management credential corresponds to a device management certificate maintained by a management application executed in the mobile device, the management application being configured to manage the application.
  - 6. The non-transitory computer-readable medium of claim 1, wherein the program, when executed by the server computing device, is further configured to cause the server computing device to at least:
    - receive a second request for a second identity assertion from a second application executed in the mobile device;
      
      send to the mobile device a second response to the second request based at least in part on the platform, the response requesting authentication by the management credential;
      
      receive the data generated by the management credential from the mobile device;
      
      determine that the management credential is valid for the second identity assertion; and
      
      send the second identity assertion to the mobile device in response to determining that the management credential is valid for the second identity assertion.

7. A system, comprising:
- at least one computing device; and
  
  an identity provider service executable by the at least one computing device, the identity provider service configured to cause the at least one computing device to at least;
  
  receive a request for an identity assertion from an application executed in a mobile device;
  
  determine that the application corresponds to a webview of a native application rather than a browser;
  
  send to the mobile device a response, the response requesting authentication by a management credential;
  
  receive data generated by the management credential from the mobile device;
  
  determine that the management credential is valid for the identity assertion; and
  
  send the identity assertion to the mobile device in response to determining that the management credential is valid for the identity assertion.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The system of claim 7, wherein the identity provider service is further configured to cause the at least one computing device to at least:
    - detect a platform associated with the mobile device; and
      
      wherein the response sent to the mobile device is generated based at least in part on the platform.
  - 9. The system of claim 7, wherein the identity provider service is further configured to cause the at least one computing device to at least generate the response to the request by an iOS-specific certificate adapter.
  - 10. The system of claim 7, wherein the request for the identity assertion is redirected to the identity provider service from a service provider.
  - 11. The system of claim 7, wherein the response to the request is a hypertext transfer protocol (HTTP) response having a 401 authentication required status code.

12. A method, comprising:
- receiving a request for an identity assertion from an application executed in a client device;
  
  detecting a platform associated with the client device;
  
  sending to the client device a response to the request based at least in part on the platform, the response requesting authentication by a management credential, the management credential corresponding to a secure certificate or a Kerberos profile;
  
  receiving data generated by the management credential from the client device;
  
  determining that the management credential is valid for the identity assertion; and
  
  sending the identity assertion to the client device in response to determining that the management credential is valid for the identity assertion.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. The method of claim 12, wherein the client device has access to the management credential in response to authentication by a device management service of a user of the client device.
  - 14. The method of claim 12, wherein the request for the identity assertion is redirected from a service provider.
  - 15. The method of claim 12, further comprising detecting that the client device complies with a set of access rules.
  - 16. The method of claim 12, further comprising, in response to determining that the platform corresponds to iOS, generating the response to the request by an iOS-specific certificate adapter.
  - 17. The method of claim 12, wherein the identity assertion is a security assertion markup language (SAML) assertion.
  - 18. The method of claim 12, wherein the response to the request is a hypertext transfer protocol (HTTP) response having a 401 authentication required status code.
  - 19. The method of claim 12, wherein the response to the request in turn requests Kerberos protocol authentication.
  - 20. The method of claim 12, wherein the management credential corresponds to a device management certificate maintained by a management application executed in the client device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AirWatch LLC (Broadcom, Inc.)
Original Assignee
AirWatch LLC (Broadcom, Inc.)
Inventors
Rykowski, Adam, Jain, Ashish, Olds, Dale Robert, Xu, Emily Hong, Barday, Kabir, Austin, Kyle, Kommireddy, Sridhara Babu, Brannon, Jonathan Blake, Lotero, Camilo

Granted Patent

US 10,812,464 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/0823   using certificates cryptogr...

H04W 12/062   Pre-authentication

H04W 12/069   using certificates or pre-s...

H04W 12/37   Managing security policies ...

SINGLE SIGN-ON FOR MANAGED MOBILE DEVICES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

49 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

SINGLE SIGN-ON FOR MANAGED MOBILE DEVICES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

49 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others