Certificate-based single sign-on (SSO) from mobile applications over the Internet

US 20200137042A1
Filed: 10/25/2018
Published: 04/30/2020
Est. Priority Date: 10/25/2018
Status: Active Grant

First Claim

Patent Images

1. A method to establish a secure session to a network-accessible application from a mobile device executing a native app, comprising:

configuring the network-accessible application for access by mobile device users by associating a set of one or more enterprise users with the network-accessible application;

receiving a request to validate that an enterprise user seeking access to the network-accessible application is associated with the network-accessible application, the request to validate having been generated by the network-accessible application in response to a login request initiated from the native app to the network-accessible application from a mobile device of the enterprise user, wherein a certificate for the network-accessible application is not available to the native app executing on the mobile device; and

upon validating that the enterprise user is associated with the network-accessible application, returning to the network-accessible application an authentication token, the authentication token evidencing that the enterprise user is permitted to access the network-accessible application for a session;

wherein upon receipt of the authentication token, access to the network-accessible application from the native app executing on the mobile device is enabled for the session.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A technique to establish a secure session to a network-accessible application from a mobile device executing a native app. Initially, the network-accessible application is provisioned for access by an enterprise associating a set of one or more of its enterprise users with the network-accessible application. Thereafter, access to the application is enabled via an identity provider. In operation, the identity provider receives a request to validate that an enterprise user seeking access to the network-accessible application is associated with the application. The request is generated by the application in response to a login request initiated from the native app from a mobile device, wherein a certificate for the application is not available to the native app. Upon validating that the enterprise user is associated with the network-accessible application, the identity provider returns to the application an authentication token evidencing that the enterprise user is permitted to access the network-accessible application for a session.

Citations

21 Claims

1. A method to establish a secure session to a network-accessible application from a mobile device executing a native app, comprising:
- configuring the network-accessible application for access by mobile device users by associating a set of one or more enterprise users with the network-accessible application;
  
  receiving a request to validate that an enterprise user seeking access to the network-accessible application is associated with the network-accessible application, the request to validate having been generated by the network-accessible application in response to a login request initiated from the native app to the network-accessible application from a mobile device of the enterprise user, wherein a certificate for the network-accessible application is not available to the native app executing on the mobile device; and
  
  upon validating that the enterprise user is associated with the network-accessible application, returning to the network-accessible application an authentication token, the authentication token evidencing that the enterprise user is permitted to access the network-accessible application for a session;
  
  wherein upon receipt of the authentication token, access to the network-accessible application from the native app executing on the mobile device is enabled for the session.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method as described in claim 1, further including serving a login page to the native app to facilitate establishing the secure session to the network-accessible application from the mobile device executing the native app.
  - 3. The method as described in claim 2, wherein the login page comprises a unique session key, the unique session key comprising an authentication service URL, an update service URL, and a polling service URL.
  - 4. The method as described in claim 3 wherein during an attempt to establish the session, a polling service reachable at the polling service URL receives one or more polls from the login page executing in the native app, wherein a poll seeks an authentication status.
  - 5. The method as described in claim 3 wherein during an attempt to establish the session, an authentication service reachable at the authentication service URL receives and responds to a request to authenticate the unique session key.
  - 6. The method as described in claim 5 wherein during an attempt to establish the session, an update service reachable at the update service URL responds to a successful authentication of the unique session key to generate and provide the authentication token to the network-accessible server.
  - 7. The method as described in claim 1 wherein the authentication token is a SAML assertion.

8. An apparatus configured as an identity provider (IdP) to facilitate establishment of a secure session to a network-accessible application from a mobile device executing a native app, comprising:
- a processor;
  
  computer memory holding computer program instructions executed by the processor, the computer program instructions comprising program code configured to;
  
  configure the network-accessible application for access by mobile device users by associating a set of one or more enterprise users with the network-accessible application;
  
  receive a request to validate that an enterprise user seeking access to the network-accessible application is associated with the network-accessible application, the request to validate having been generated by the network-accessible application in response to a login request initiated from the native app to the network-accessible application from a mobile device of the enterprise user, wherein a certificate for the network-accessible application is not available to the native app executing on the mobile device; and
  
  upon validating that the enterprise user is associated with the network-accessible application, return to the network-accessible application an authentication token, the authentication token evidencing that the enterprise user is permitted to access the network-accessible application for a session;
  
  wherein upon receipt of the authentication token, access to the network-accessible application from the native app executing on the mobile device is enabled for the session.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The apparatus as described in claim 8, wherein the computer program code is configured to serve a login page to the native app to facilitate establishing the secure session to the network-accessible application from the mobile device executing the native app.
  - 10. The apparatus as described in claim 9, wherein the login page comprises a unique session key, the unique session key comprising an authentication service URL, an update service URL, and a polling service URL.
  - 11. The apparatus as described in claim 10 wherein the computer program code is configured to execute a polling service reachable at the polling service URL during an attempt to establish the session, the polling service configured to receive one or more polls from the login page executing in the native app, wherein a poll seeks an authentication status.
  - 12. The apparatus as described in claim 10 wherein the computer program code is configured to execute an authentication service reachable at the authentication service URL during an attempt to establish the session, the authentication service configured to receive and respond to a request to authenticate the unique session key.
  - 13. The apparatus as described in claim 12 wherein the computer program code is configured to execute an update service reachable at the update service URL during an attempt to establish the session, the update service configured to respond to a successful authentication of the unique session key to generate and provide the authentication token to the network-accessible server.
  - 14. The apparatus as described in claim 8 wherein the authentication token is a SAML assertion.

15. A computer program product in a non-transitory computer readable medium for use in a data processing system configured as an identity provider (IdP), the identity provider configured to facilitate establishment of a secure session to a network-accessible application from a mobile device executing a native app, the computer program product holding computer program instructions executed by the data processing system, the computer program instructions comprising program code configured to:
- configure the network-accessible application for access by mobile device users by associating a set of one or more enterprise users with the network-accessible application;
  
  receive a request to validate that an enterprise user seeking access to the network-accessible application is associated with the network-accessible application, the request to validate having been generated by the network-accessible application in response to a login request initiated from the native app to the network-accessible application from a mobile device of the enterprise user, wherein a certificate for the network-accessible application is not available to the native app executing on the mobile device; and
  
  upon validating that the enterprise user is associated with the network-accessible application, return to the network-accessible application an authentication token, the authentication token evidencing that the enterprise user is permitted to access the network-accessible application for a session;
  
  wherein upon receipt of the authentication token, access to the network-accessible application from the native app executing on the mobile device is enabled for the session.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The computer program product as described in claim 15, wherein the computer program code is configured to serve a login page to the native app to facilitate establishing the secure session to the network-accessible application from the mobile device executing the native app.
  - 17. The computer program product as described in claim 16, wherein the login page comprises a unique session key, the unique session key comprising an authentication service URL, an update service URL, and a polling service URL.
  - 18. The computer program product as described in claim 17 wherein the computer program code is configured to execute a polling service reachable at the polling service URL during an attempt to establish the session, the polling service configured to receive one or more polls from the login page executing in the native app, wherein a poll seeks an authentication status.
  - 19. The computer program product as described in claim 17 wherein the computer program code is configured to execute an authentication service reachable at the authentication service URL during an attempt to establish the session, the authentication service configured to receive and respond to a request to authenticate the unique session key.
  - 20. The method as described in claim 19 wherein the computer program code is configured to execute an update service reachable at the update service URL during an attempt to establish the session, the update service configured to respond to a successful authentication of the unique session key to generate and provide the authentication token to the network-accessible server.
  - 21. The computer program product as described in claim 15 wherein the authentication token is a SAML assertion.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Kannan, III, Nalini, Malik, Jatin, Gupta, Payas, Mehra, Amitabh

Granted Patent

US 10,757,091 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0815   providing single-sign-on or...

H04L 63/0823   using certificates cryptogr...

H04L 63/083   using passwords cryptograph...

Certificate-based single sign-on (SSO) from mobile applications over the Internet

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Certificate-based single sign-on (SSO) from mobile applications over the Internet

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links