SINGLE SIGN-ON FOR UNMANAGED MOBILE DEVICES

US 20160366122A1
Filed: 06/15/2015
Published: 12/15/2016
Est. Priority Date: 06/15/2015
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer-readable medium embodying a program executable in at least one computing device, the program, when executed by the at least one computing device, being configured to cause the at least one computing device to at least:

receive an access request from a client application executed in a client device;

cause the client application, using a redirection response that redirects the access request to an identity provider, to request an identity assertion from an authentication application executed in the client device;

receive the identity assertion from the client application;

verify the identity assertion; and

authenticate the client application.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed are various examples for providing a single sign-on experience for mobile devices that may or may not be managed. A service provider receives an access request from a first client application executed in a client device. The service provider causes the first client application, using a redirection response that redirects the access request to an identity provider, to request an authentication token from a second client application executed in the client device. The service provider receives the authentication token from the first client application. The service provider then authenticates the first client application in response to verifying the authentication token.

65 Citations

View as Search Results

20 Claims

1. A non-transitory computer-readable medium embodying a program executable in at least one computing device, the program, when executed by the at least one computing device, being configured to cause the at least one computing device to at least:
- receive an access request from a client application executed in a client device;
  
  cause the client application, using a redirection response that redirects the access request to an identity provider, to request an identity assertion from an authentication application executed in the client device;
  
  receive the identity assertion from the client application;
  
  verify the identity assertion; and
  
  authenticate the client application.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The non-transitory computer-readable medium of claim 1, wherein the program, when executed by the at least one computing device, is further configured to cause the at least one computing device to:
    - generate a session token in response to authenticating the client application; and
      
      set a cookie with the client application, the cookie including the session token.
  - 3. The non-transitory computer-readable medium of claim 1, wherein the client application is redirected to a local uniform resource locator (URL) with a predefined scheme name associated with the authentication application.
  - 4. The non-transitory computer-readable medium of claim 3, wherein the predefined scheme name corresponds to a randomly generated unique identifier.
  - 5. The non-transitory computer-readable medium of claim 1, wherein the access request comprises a hypertext transfer protocol (HTTP) request, and the access request is redirected by an HTTP response having a status code of 302.
  - 6. The non-transitory computer-readable medium of claim 1, wherein the authentication application is configured to request the identity assertion from the identity provider.
  - 7. The non-transitory computer-readable medium of claim 1, wherein the authentication application is configured to request at least one security credential from a user of the client device.

8. A system, comprising:
- at least one computing device; and
  
  a service provider executable by the at least one computing device, the service provider configured to cause the at least one computing device to at least;
  
  receive an access request from a first client application executed in a client device;
  
  cause the first client application, using a redirection response that redirects the access request to an identity provider, to request an authentication token from a second client application executed in the client device;
  
  receive the authentication token from the first client application; and
  
  authenticate the first client application in response to verifying the authentication token.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The system of claim 8, wherein the first client application is redirected to the second client application by a local uniform resource locator (URL).
  - 10. The system of claim 8, wherein the authentication token is received within a security assertion markup language (SAML) identity assertion.
  - 11. The system of claim 8, wherein the service provider is further configured to cause the at least one computing device to at least:
    - determine whether the first client application is configured to utilize a single sign-on procedure supported by the second client application; and
      
      wherein the first client application is sent the redirection response in response to determining that the first client application is configured to use the single sign-on procedure.
  - 12. The system of claim 8, further comprising an identity provider executable by the at least one computing device, the identity provider configured to cause the at least one computing device to at least:
    - receive an authentication request from the second client application;
      
      verify the authentication request;
      
      generate the authentication token; and
      
      send the authentication token to the second client application.
  - 13. The system of claim 12, wherein the authentication request includes at least one security credential received from a user by the second client application.

14. A method, comprising:
- receiving an access request from a first client application executed in a client device;
  
  redirecting the first client application to request an authentication token from a second client application executed in the client device;
  
  receiving the authentication token from the first client application;
  
  verifying the authentication token; and
  
  authenticating the first client application.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The method of claim 14, further comprising:
    - generating a session token; and
      
      sending the session token to the first client application after authenticating the first client application.
  - 16. The method of claim 15, wherein the session token is sent to the first client application within a cookie.
  - 17. The method of claim 14, wherein redirecting the first client application further comprises sending a hypertext transfer protocol (HTTP) redirection response to the first client application.
  - 18. The method of claim 17, wherein the HTTP redirection response is configured to cause the first client application to make an HTTP request at a local uniform resource locator (URL) of the client device.
  - 19. The method of claim 18, wherein the local URL includes a predefined scheme name that corresponds to the second client application.
  - 20. The method of claim 19, wherein the predefined scheme name is a randomly generated unique identifier.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AirWatch LLC (Broadcom, Inc.)
Original Assignee
AirWatch LLC (Broadcom, Inc.)
Inventors
Rykowski, Adam, Jain, Ashish, Olds, Dale Robert, Barday, Kabir, Xu, Emily Hong, Austin, Kyle, Kommireddy, Sridhara Babu

Granted Patent

US 10,171,448 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/41   where a single sign-on prov...

H04L 63/0815   providing single-sign-on or...

H04W 12/062   Pre-authentication

SINGLE SIGN-ON FOR UNMANAGED MOBILE DEVICES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

65 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SINGLE SIGN-ON FOR UNMANAGED MOBILE DEVICES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

65 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links