SINGLE SIGN-ON FOR MANAGED MOBILE DEVICES

US 20160366121A1
Filed: 06/15/2015
Published: 12/15/2016
Est. Priority Date: 06/15/2015
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer-readable medium embodying a program executable in a client device, the program, when executed by the client device, being configured to cause the client device to at least:

send an access request to a service provider;

receive a redirection from the service provider to an identity provider;

send an identity assertion request to the identity provider based at least in part on the redirection;

receive a response from the identity provider, the response requesting authentication by a management credential, the management credential corresponding to a secure certificate or a Kerberos profile;

obtain the management credential from a device management application;

send data associated with the management credential to the identity provider;

receive an identity assertion from the identity provider based at least in part on the data associated with the management credential; and

authenticate with the service provider by way of the identity assertion.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed are various examples for providing a single sign-on experience for managed mobile devices. A management application executed in a computing device receives a single sign-on request from a managed client application executed by the same computing device. The management application determines that the client application is permitted to access a management credential for single sign-on use. The management application provides the management credential to the client application in response to the single sign-on request.

Citations

20 Claims

1. A non-transitory computer-readable medium embodying a program executable in a client device, the program, when executed by the client device, being configured to cause the client device to at least:
- send an access request to a service provider;
  
  receive a redirection from the service provider to an identity provider;
  
  send an identity assertion request to the identity provider based at least in part on the redirection;
  
  receive a response from the identity provider, the response requesting authentication by a management credential, the management credential corresponding to a secure certificate or a Kerberos profile;
  
  obtain the management credential from a device management application;
  
  send data associated with the management credential to the identity provider;
  
  receive an identity assertion from the identity provider based at least in part on the data associated with the management credential; and
  
  authenticate with the service provider by way of the identity assertion.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The non-transitory computer-readable medium of claim 1, wherein the program is managed by the device management application.
  - 3. The non-transitory computer-readable medium of claim 1, wherein the program is a native application.
  - 4. The non-transitory computer-readable medium of claim 1, wherein the program, when executed by the client device, is further configured to cause the client device to at least request an OAuth token from the service provider using the identity assertion.
  - 5. The non-transitory computer-readable medium of claim 1, wherein the device management application, when executed by the client device, is configured to cause the client device to at least:
    - identify the program;
      
      determine that the program should be granted access to the management credential based at least in part on configuration data; and
      
      provide the management credential to the program.

6. A system, comprising:
- a computing device; and
  
  a management application executable by the computing device, the management application configured to cause the computing device to at least;
  
  receive a single sign-on request from a client application executed by the computing device;
  
  determine that the client application is permitted to access a management credential for single sign-on use; and
  
  provide the management credential to the client application.
- View Dependent Claims (7, 8, 9, 10, 11, 12)
- - 7. The system of claim 6, wherein the management application is further configured to cause the computing device to at least:
    - receive another single sign-on request from another client application executed by the computing device;
      
      determine that the other client application is not permitted to access the management credential for single sign-on use; and
      
      deny access to the management credential by the other client application.
  - 8. The system of claim 6, wherein the management application is further configured to cause the computing device to at least receive the management credential from a device management service provider.
  - 9. The system of claim 8, wherein the management application is further configured to cause the computing device to at least:
    - render a user interface upon a display, the user interface being configured to receive at least one security credential from a user;
      
      receive the at least one security credential from the user; and
      
      authenticate with the device management service provider using the at least one security credential received from the user.
  - 10. The system of claim 6, wherein the client application is configured to cause the computing device to at least:
    - send an access request to a service provider;
      
      receive a redirection from the service provider to an identity provider;
      
      send an identity assertion request to the identity provider based at least in part on the redirection;
      
      receive a response from the identity provider, the response requesting authentication by the management credential;
      
      send data associated with the management credential to the identity provider;
      
      receive an identity assertion from the identity provider; and
      
      authenticate with the service provider by way of the identity assertion.
  - 11. The system of claim 10, wherein the identity assertion comprises a security assertion markup language (SAML) assertion.
  - 12. The system of claim 10, wherein the client application is further configured to cause the computing device to at least receive a session token from the service provider after authenticating.

13. A method, comprising:
- sending an access request to a service provider;
  
  receiving a redirection from the service provider to an identity provider;
  
  sending an identity assertion request to the identity provider based at least in part on the redirection;
  
  receiving a response from the identity provider, the response requesting authentication by a management credential;
  
  obtaining the management credential from a device management application;
  
  sending data generated by the management credential to the identity provider;
  
  receiving an identity assertion from the identity provider; and
  
  authenticating with the service provider by way of the identity assertion.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The method of claim 13, wherein the identity assertion request specifies a type of mobile device platform.
  - 15. The method of claim 13, wherein the response from the identity provider requests Kerberos authentication, and the data generated by the management credential is sent to the identity provider by a Kerberos protocol.
  - 16. The method of claim 13, wherein the access request is generated by a client application, and the method further comprises:
    - determining that the client application is permitted access to the management credential; and
      
      providing the management credential to the client application.
  - 17. The method of claim 13, further comprising:
    - rendering a user interface by the device management application, the user interface configured to receive a security credential;
      
      receiving the security credential from a user by way of the user interface; and
      
      requesting the management credential from a device management service provider based at least in part on the security credential.
  - 18. The method of claim 13, further comprising receiving a session token from the service provider after authenticating with the service provider by way of the identity assertion.
  - 19. The method of claim 18, wherein the session token comprises an OAuth token.
  - 20. The method of claim 13, wherein the identity assertion comprises a security assertion markup language (SAML) assertion.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Omnissa, LLC
Original Assignee
AirWatch LLC (Broadcom, Inc.)
Inventors
Olds, Dale Robert, Lotero, Camilo, Rykowski, Adam, Jain, Ashish, Xu, Emily Hong, Barday, Kabir, Austin, Kyle, Kommireddy, Sridhara Babu, Brannon, Jonathan Blake

Granted Patent

US 9,882,887 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/0823   using certificates cryptogr...

SINGLE SIGN-ON FOR MANAGED MOBILE DEVICES

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SINGLE SIGN-ON FOR MANAGED MOBILE DEVICES

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links