SINGLE SIGN-ON FOR MANAGED MOBILE DEVICES USING KERBEROS

US 20170155640A1
Filed: 02/09/2017
Published: 06/01/2017
Est. Priority Date: 06/15/2015
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer-readable medium embodying a program executable by a processor of a computing device to cause the computing device to at least:

receive a certificate from a client device;

generate a ticket-granting ticket;

send the ticket-granting ticket to the client device;

receive a request for a service ticket from the client device, wherein the request for the service ticket includes the ticket-granting ticket;

generate the service ticket;

send the service ticket to the client device;

receive the service ticket from the client device; and

send a security assertion markup language (SAML) response to the client device, wherein the SAML response provides authentication credentials for a service provider associated with the service ticket.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed are various examples for single-sign on by way of managed mobile devices using Kerberos. For example, a certificate is received from a client device. In response, a Kerberos ticket-granting ticket is generated and sent to the client device. A request for a service ticket is later received from the client device. The request for the service ticket can include the ticket-granting ticket. The service ticket is then generated and sent to the client device. Subsequently, the service ticket is received from the client device and a security assertion markup language (SAML) response is sent to the client device in reply. The SAML response can provide authentication credentials for a service provider associated with the service ticket.

87 Citations

View as Search Results

20 Claims

1. A non-transitory computer-readable medium embodying a program executable by a processor of a computing device to cause the computing device to at least:
- receive a certificate from a client device;
  
  generate a ticket-granting ticket;
  
  send the ticket-granting ticket to the client device;
  
  receive a request for a service ticket from the client device, wherein the request for the service ticket includes the ticket-granting ticket;
  
  generate the service ticket;
  
  send the service ticket to the client device;
  
  receive the service ticket from the client device; and
  
  send a security assertion markup language (SAML) response to the client device, wherein the SAML response provides authentication credentials for a service provider associated with the service ticket.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The non-transitory computer-readable medium of claim 1, wherein the program further causes the computing device to at least receive a SAML authentication request from the client device.
  - 3. The non-transitory computer-readable medium of claim 2, wherein the program further causes the computing device to at least send a Kerberos challenge to the client device in response to receipt of the SAML authentication request.
  - 4. The non-transitory computer-readable medium of claim 3, wherein:
    - the Kerberos challenge is sent as a component of a hypertext transport protocol (HTTP) response that comprises a 401 unauthorized status code; and
      
      the certificate is received from the client device in response to the Kerberos challenge.
  - 5. The non-transitory computer-readable medium of claim 1, wherein the program further causes the computing device to at least validate the certificate with an online certificate status protocol (OCSP) service.
  - 6. The non-transitory computer-readable medium of claim 5, wherein the ticket-granting ticket is generated in response to a validation of the certificate by the OCSP service.

7. A system, comprising:
- a computing device comprising a processor and a memory; and
  
  machine readable instructions stored in the memory that, when executed by the processor, cause the computing device to at least;
  
  receive a certificate from a client device;
  
  generate a ticket-granting ticket;
  
  send the ticket-granting ticket to the client device;
  
  receive a request for a service ticket from the client device, wherein the request for the service ticket includes the ticket-granting ticket;
  
  generate the service ticket;
  
  send the service ticket to the client device;
  
  receive the service ticket from the client device; and
  
  send a security assertion markup language (SAML) response to the client device, wherein the SAML response provides authentication credentials for a service provider associated with the service ticket.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The system of claim 7, wherein the machine readable instructions, when executed by the processor, further cause the computing device to at least receive a SAML authentication request from the client device.
  - 9. The system of claim 8, wherein the machine readable instructions, when executed by the processor, further cause the computing device to at least send a Kerberos challenge to the client device in response to receipt of the SAML authentication request.
  - 10. The system of claim 9, wherein the Kerberos challenge is sent as a component of a hypertext transport protocol (HTTP) response that comprises a 401 unauthorized status code.
  - 11. The system of claim 9, wherein the certificate is received from the client device in response to the Kerberos challenge.
  - 12. The system of claim 7, wherein the machine readable instructions, when executed by the processor, further cause the computing device to at least validate the certificate with an online certificate status protocol (OCSP) service.
  - 13. The system of claim 12, wherein the ticket-granting ticket is generated in response to a validation of the certificate by the OCSP service.

14. A method, comprising:
- receiving a certificate from a client device;
  
  generating a ticket-granting ticket;
  
  sending the ticket-granting ticket to the client device;
  
  receiving a request for a service ticket from the client device, wherein the request for the service ticket includes the ticket-granting ticket;
  
  generating the service ticket;
  
  sending the service ticket to the client device;
  
  receiving the service ticket from the client device; and
  
  sending a security assertion markup language (SAML) response to the client device, wherein the SAML response provides authentication credentials for a service provider associated with the service ticket.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The method of claim 14, further comprising receiving a SAML authentication request from the client device.
  - 16. The method of claim 14, further comprising sending a Kerberos challenge to the client device in response to receipt of the SAML authentication request
  - 17. The method of claim 16, wherein the Kerberos challenge is sent as a component of a hypertext transport protocol (HTTP) response that comprises a 401 unauthorized status code.
  - 18. The method of claim 16, wherein receiving the certificate from the client devcie occurs in response to sending the Kerberos challenge to the client device.
  - 19. The method of claim 14, further comprising validating the certificate with an online certificate status protocol (OCSP) service.
  - 20. The method of claim 19, wherein generating the ticket-granting ticket occurs in response to validating the certificate with the OCSP service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AirWatch LLC (Broadcom, Inc.)
Original Assignee
AirWatch LLC (Broadcom, Inc.)
Inventors
Barday, Kabir, Brannon, Jonathan Blake, Rykowski, Adam

Granted Patent

US 10,944,738 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/0823   using certificates cryptogr...

H04L 63/101   Access control lists [ACL]

H04W 12/06   Authentication

H04W 12/08   Access security

H04W 12/37   Managing security policies ...

SINGLE SIGN-ON FOR MANAGED MOBILE DEVICES USING KERBEROS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

87 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SINGLE SIGN-ON FOR MANAGED MOBILE DEVICES USING KERBEROS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

87 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links