Actively federated mobile authentication

US 9,825,948 B2
Filed: 02/18/2016
Issued: 11/21/2017
Est. Priority Date: 03/15/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

providing, by a computing device, a user credential to an identity provider that has an established trust relationship with an enterprise service;

receiving, by the computing device from the identity provider, a first token configured to provide authentication for a service request received at the enterprise service;

providing, by the computing device, the first token to a trust broker that has an established trust relationship with the identity provider;

receiving, by the computing device from the trust broker in response to the first token, a second token configured to provide authentication for a service relay to send the service request and the first token to the enterprise service, wherein the second token is configured to provide authentication to the service relay using an additional form of authentication that is different than the first token;

sending, by the computing device to the service relay, the service request with both the first token and the second token; and

receiving, by the computing device from the service relay, a service response indicative of authentication of the computing device by the enterprise service using the first token.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

To make a trusted web service call, a client application sends a series of messages to obtain tokens that allow service requests to pass through a service relay. The user obtains a first security token by providing the user'"'"'s credentials. A second token is obtained from a trust broker that validates the first token. Both tokens are then sent with a service request to a service relay. The service relay validates the second token and then passes the first token and the service request to a connector service. The connector service validates the first token and passes the service request to a target back end service. The connector service acts as the user when communicating with the back end service. Service responses are routed back to the user through the connector service and the service relay.

27 Citations

View as Search Results

17 Claims

1. A computer-implemented method comprising:
- providing, by a computing device, a user credential to an identity provider that has an established trust relationship with an enterprise service;
  
  receiving, by the computing device from the identity provider, a first token configured to provide authentication for a service request received at the enterprise service;
  
  providing, by the computing device, the first token to a trust broker that has an established trust relationship with the identity provider;
  
  receiving, by the computing device from the trust broker in response to the first token, a second token configured to provide authentication for a service relay to send the service request and the first token to the enterprise service, wherein the second token is configured to provide authentication to the service relay using an additional form of authentication that is different than the first token;
  
  sending, by the computing device to the service relay, the service request with both the first token and the second token; and
  
  receiving, by the computing device from the service relay, a service response indicative of authentication of the computing device by the enterprise service using the first token.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein the enterprise service comprises at least one of:
    - a back office service configured to process the service request;
      
      ora connector service configured to validate the service request and to pass the service request to a back office service.
  - 3. The method of claim 2, wherein the enterprise service comprises the connector service, and the first token comprises user identification information that allows the connector service to make a web service call to the back office service as if the connector service was the user.
  - 4. The method of claim 1, wherein the computing device comprises a user client device.
  - 5. The method of claim 4, wherein the user client device comprises a mobile device.

6. A computer-implemented method for processing a service request at a service relay configured to communicate with an enterprise network, the computer-implemented method comprising:
- receiving, by the service relay from a computing device, a service request with a first token and a second token, the service request being directed to the enterprise network, and the first token being indicative of user identity information corresponding to a user associated with the computing device;
  
  validating, by the service relay, the second token that authenticates the computing device to the service relay using an additional form of authentication that is different than the first token;
  
  based on validating the second token, sending, by the service relay to the enterprise network, the service request and first token;
  
  receiving, by the service relay from the enterprise network, a response to the service request; and
  
  sending, to the computing device, the response indicative of authentication of the computing device by the enterprise service using the first token.
- View Dependent Claims (7, 8, 9, 10, 11)
- - 7. The computer-implemented method of claim 6, wherein the enterprise network comprises a back end service.
  - 8. The computer-implemented method of claim 7, wherein the back end service comprises an enterprise resource planning application, and wherein the service request corresponds to a financial transaction initiated by the user on a remote device.
  - 9. The computer-implemented method of claim 6, wherein the back end service comprises a group of different systems configured to provide one or more services.
  - 10. The computer-implemented method of claim 6, wherein the computing device comprises a mobile device, and the token was issued to a mobile device by an identity provider having a trust relationship with the enterprise network.
  - 11. The computer-implemented method of claim 6, wherein the back end service comprises an enterprise resource planning application, and wherein the service request corresponds to a time entry logged by the user on a remote device.

12. A computing system comprising:
- a processor; and
  
  memory storing instructions executable by the processor, wherein the instructions, when executed, configure the computing system to;
  
  provide a user credential to an identity provider that has an established trust relationship with an enterprise service;
  
  receive a first token configured to provide authentication for a service request received by the enterprise service;
  
  provide the first token to a trust broker that has an established trust relationship with the identity provider;
  
  receive, from the trust broker in response to the first token, a second token configured to provide authentication for a service relay to send the service request and the first token to the enterprise service, the second token using an additional form of authentication that is different than the first token;
  
  send the service request to the service relay with both the first token and the second token; and
  
  receive, from the service relay, a service response indicative of authentication of the computing device by the enterprise service using the first token.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The computing system of claim 12, wherein the instructions configure the computing system to:
    - receive the service request and the first token from the service relay at a connector service;
      
      extract user identity information from the first token;
      
      use the user identity information to communicate with the back office service in the user'"'"'s place; and
      
      send the service request to the back office service.
  - 14. The computing system of claim 12, wherein the enterprise service comprises at least one of:
    - a back office service configured to process the service request;
      
      ora connector service configured to expose a web service endpoint for a back office service.
  - 15. The computing system of claim 14, wherein the back office service comprises an enterprise resource planning application, and wherein the service request corresponds to a financial transaction initiated by a user on a remote device.
  - 16. The computing system of claim 14, wherein the back office service comprises an enterprise resource planning application, and wherein the service request corresponds to a time entry logged by a user on a remote device.
  - 17. The computing system of claim 12, wherein the enterprise service comprises a group of different systems configured to provide one or more services.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Young, Kyle Stapley, Drollinger, Robert Aron, O'Brien, Robert, Runde, David J., Pandya, Jagruti Dushyant, El Khoury, Georges
Primary Examiner(s)
Song, Hosuk
Assistant Examiner(s)
MURPHY, JOSEPH B

Application Number

US15/047,207
Publication Number

US 20160164869A1
Time in Patent Office

642 Days
Field of Search
US Class Current
CPC Class Codes

H04L 2463/082   applying multi-factor authe...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/08   for authentication of entit...

H04L 63/0815   providing single-sign-on or...

H04L 63/0869   for achieving mutual authen...

H04L 63/0884   by delegation of authentica...

H04L 67/02   based on web technology, e....

H04L 67/56   Provisioning of proxy servi...

Actively federated mobile authentication

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

27 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Actively federated mobile authentication

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

27 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links