Transferring an authenticated session between security contexts

US 9,225,711 B1
Filed: 05/14/2015
Issued: 12/29/2015
Est. Priority Date: 05/14/2015
Status: Active Grant

First Claim

Patent Images

1. A computerized method for transferring an authenticated session between security contexts, the method comprising:

establishing, on a mobile computing device, a first authenticated session between a native application and a server computing device via a communications network;

requesting, by the mobile device, transfer of the first authenticated session to a browser application on the mobile device;

receiving, by the mobile device, session transfer parameters from a first Security Assertion Markup Language (SAML) authentication system associated with the first authenticated session after transfer is requested, the session transfer parameters including a web address and a SAML security identifier;

directing, by the mobile device, the browser application to a second SAML authentication system using the session transfer parameters to initialize the browser application;

validating, by the second SAML authentication system, the SAML security identifier to generate an authentication credential for the mobile device, comprisingtransmitting, by the mobile device, the SAML security identifier to the second SAML authentication system;

establishing, by the second SAML authentication system, a connection to the first SAML authentication system;

receiving, by the second SAML authentication system, a SAML identity from the first SAML authentication system;

requesting, by the second SAML authentication system, resolution of the SAML security identifier from the first SAML authentication system based upon the SAML identity;

translating, by the second SAML authentication system, the received SAML identity into an internal identity associated with the server computing device; and

generating, by the second SAML authentication system, the authentication credential based upon the internal identity;

authenticating, by the mobile device, the browser application to the server computing device using the generated authentication credential; and

redirecting, by the mobile device, the browser application to the server computing device to complete transfer of the first authenticated session.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatuses are described for transferring an authenticated session between security contexts. A mobile device establishes a first authenticated session between a native application and a server computing device via a communications network and requests transfer of the first authenticated session to a browser application. The mobile device receives session transfer parameters from a first Security Assertion Markup Language (SAML) authentication system associated with the first authenticated session after transfer is requested, the session transfer parameters including a web address and a SAML security identifier. The mobile device directs the browser application to a second SAML authentication system using the session transfer parameters to initialize the browser application and validates the SAML identifier at the SAML authentication system to generate an authentication credential. The mobile device authenticates the browser application to the server computing device using the authentication credential and redirects the browser application to the server computing device.

Citations

25 Claims

1. A computerized method for transferring an authenticated session between security contexts, the method comprising:
- establishing, on a mobile computing device, a first authenticated session between a native application and a server computing device via a communications network;
  
  requesting, by the mobile device, transfer of the first authenticated session to a browser application on the mobile device;
  
  receiving, by the mobile device, session transfer parameters from a first Security Assertion Markup Language (SAML) authentication system associated with the first authenticated session after transfer is requested, the session transfer parameters including a web address and a SAML security identifier;
  
  directing, by the mobile device, the browser application to a second SAML authentication system using the session transfer parameters to initialize the browser application;
  
  validating, by the second SAML authentication system, the SAML security identifier to generate an authentication credential for the mobile device, comprisingtransmitting, by the mobile device, the SAML security identifier to the second SAML authentication system;
  
  establishing, by the second SAML authentication system, a connection to the first SAML authentication system;
  
  receiving, by the second SAML authentication system, a SAML identity from the first SAML authentication system;
  
  requesting, by the second SAML authentication system, resolution of the SAML security identifier from the first SAML authentication system based upon the SAML identity;
  
  translating, by the second SAML authentication system, the received SAML identity into an internal identity associated with the server computing device; and
  
  generating, by the second SAML authentication system, the authentication credential based upon the internal identity;
  
  authenticating, by the mobile device, the browser application to the server computing device using the generated authentication credential; and
  
  redirecting, by the mobile device, the browser application to the server computing device to complete transfer of the first authenticated session.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the SAML security identifier is formatted for one-time use.
  - 3. The method of claim 1, wherein the web address points to the second SAML authentication system.
  - 4. The method of claim 1, wherein the server computing device and the second SAML authentication system are operated by the same entity.
  - 5. The method of claim 1, wherein the session transfer parameters include a relay parameter.
  - 6. The method of claim 5, wherein the redirecting step comprisesidentifying an application hosted by the server computing device based upon the relay parameter;
    - andredirecting the browser application to the identified application.
  - 7. The method of claim 1, wherein the SAML security identifier is an encoded token.
  - 8. The method of claim 1, wherein the first authenticated session is established between the native application and the server computing device based upon login credentials received by the mobile device.
  - 9. The method of claim 1, further comprising requesting, by the mobile device, additional credentials from a user of the mobile device if the SAML security identifier is not validated.
  - 10. The method of claim 1, further comprising requesting, by the mobile device, additional credentials from a user of the mobile device based upon a risk score generated by the second SAML authentication system during validation of the SAML security identifier.
  - 11. The method of claim 1, wherein the session transfer parameters include one or more attributes of the mobile device and the second SAML authentication system uses the attributes of the mobile device to validate the SAML security identifier.
  - 12. The method of claim 1, wherein the redirecting step establishes a second authenticated session between the browser application and the server computing device, and the native application and the server computing device remain connected via the first authenticated session.

13. A system for transferring an authenticated session between security contexts, the system comprising a mobile computing device configured to:
- establish a first authenticated session between a native application and a server computing device via a communications network;
  
  request transfer of the first authenticated session to a browser application on the mobile device;
  
  receive session transfer parameters from a first Security Assertion Markup Language (SAML) authentication system associated with the first authenticated session after transfer is requested, the session transfer parameters including a web address and a SAML security identifier;
  
  direct the browser application to a second SAML authentication system using the session transfer parameters to initialize the browser application;
  
  validate the SAML security identifier at the second SAML authentication system to generate an authentication credential for the mobile device, comprising establishing a connection to the first SAML authentication system;
  
  receiving a SAML identity from the first SAML authentication system;
  
  requesting resolution of the SAML security identifier from the first SAML authentication system based upon the SAML identity;
  
  translating the received SAML identity into an internal identity associated with the server computing device; and
  
  generating the authentication credential based upon the internal identity;
  
  authenticate the browser application to the server computing device using the generated authentication credential; and
  
  redirect the browser application to the server computing device to complete transfer of the first authenticated session.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 14. The system of claim 13, wherein the SAML security identifier is formatted for one-time use.
  - 15. The system of claim 13, wherein the web address points to the second SAML authentication system.
  - 16. The system of claim 13, wherein the server computing device and the second SAML authentication system are operated by the same entity.
  - 17. The system of claim 13, wherein the session transfer parameters include a relay parameter.
  - 18. The system of claim 17, for the redirecting step, the mobile device is further configured toidentify an application hosted by the server computing device based upon the relay parameter;
    - andredirect the browser application to the identified application.
  - 19. The system of claim 13, wherein the SAML security identifier is an encoded token.
  - 20. The system of claim 13, wherein the first authenticated session is established between the native application and the server computing device based upon login credentials received by the mobile device.
  - 21. The system of claim 13, wherein the mobile device is further configured to request additional credentials from a user of the mobile device if the SAML security identifier is not validated.
  - 22. The system of claim 13, wherein the mobile device is further configured to additional credentials from a user of the mobile device based upon a risk score generated by the second SAML authentication system during validation of the SAML security identifier.
  - 23. The system of claim 13, wherein the session transfer parameters include one or more attributes of the mobile device and the second SAML authentication system uses the attributes of the mobile device to validate the SAML security identifier.
  - 24. The system of claim 13, wherein the redirecting step establishes a second authenticated session between the browser application and the server computing device, and the native application and the server computing device remain connected via the first authenticated session.

25. A computer program product, tangibly embodied in a non-transitory computer readable storage device, for transferring an authenticated session between security contexts, the computer program product including instructions operable to cause a mobile computing device to:
- establish a first authenticated session between a native application and a server computing device via a communications network;
  
  request transfer of the first authenticated session to a browser application on the mobile device;
  
  receive session transfer parameters from a first Security Assertion Markup Language (SAML) authentication system associated with the first authenticated session after transfer is requested, the session transfer parameters including a web address and a SAML security identifier;
  
  direct the browser application to a second SAML authentication system using the session transfer parameters to initialize the browser application;
  
  validate the SAML security identifier at the second SAML authentication system to generate an authentication credential for the mobile device, comprising establishing a connection to the first SAML authentication system;
  
  receiving a SAML identity from the first SAML authentication system;
  
  requesting resolution of the SAML security identifier from the first SAML authentication system based upon the SAML identity;
  
  translating the received SAML identity into an internal identity associated with the server computing device; and
  
  generating the authentication credential based upon the internal identity;
  
  authenticate the browser application to the server computing device using the generated authentication credential; and
  
  redirect the browser application to the server computing device to complete transfer of the first authenticated session.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
FMR LLC
Original Assignee
FMR LLC
Inventors
Sorensen, Carolyn Manis
Primary Examiner(s)
Schwartz, Darren B

Application Number

US14/711,870
Time in Patent Office

229 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/335   for accessing specific reso...

G06F 21/44   Program or device authentic...

H04L 63/0815   providing single-sign-on or...

H04W 12/02   Protecting privacy or anony...

H04W 12/06   Authentication

H04W 12/61   Time-dependent

Transferring an authenticated session between security contexts

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Transferring an authenticated session between security contexts

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links