Single sign-on for managed mobile devices

US 9,882,887 B2
Filed: 06/15/2015
Issued: 01/30/2018
Est. Priority Date: 06/15/2015
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer-readable medium embodying a program executable in a client device, the program, when executed by the client device, being configured to cause the client device to at least:

send an access request to a service provider;

receive a redirection from the service provider to an identity provider;

send an identity assertion request to the identity provider based at least in part on the redirection;

receive a response from the identity provider, the response requesting authentication by a management credential, the management credential corresponding to a secure certificate or a Kerberos profile;

obtain the management credential from a device management application executed in the client device, wherein the device management application enforces at least one compliance rule on the client device, a device management service configures the device management application over a network to enforce the at least one compliance rule, the device management application obtains the management credential over the network from the device management service, and the device management application is in an authenticated state with the device management service in order to obtain the management credential;

send data associated with the management credential to the identity provider;

receive an identity assertion from the identity provider based at least in part on the data associated with the management credential; and

authenticate with the service provider by way of the identity assertion.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed are various examples for providing a single sign-on experience for managed mobile devices. A management application executed in a computing device receives a single sign-on request from a managed client application executed by the same computing device. The management application determines that the client application is permitted to access a management credential for single sign-on use. The management application provides the management credential to the client application in response to the single sign-on request.

61 Citations

View as Search Results

20 Claims

1. A non-transitory computer-readable medium embodying a program executable in a client device, the program, when executed by the client device, being configured to cause the client device to at least:
- send an access request to a service provider;
  
  receive a redirection from the service provider to an identity provider;
  
  send an identity assertion request to the identity provider based at least in part on the redirection;
  
  receive a response from the identity provider, the response requesting authentication by a management credential, the management credential corresponding to a secure certificate or a Kerberos profile;
  
  obtain the management credential from a device management application executed in the client device, wherein the device management application enforces at least one compliance rule on the client device, a device management service configures the device management application over a network to enforce the at least one compliance rule, the device management application obtains the management credential over the network from the device management service, and the device management application is in an authenticated state with the device management service in order to obtain the management credential;
  
  send data associated with the management credential to the identity provider;
  
  receive an identity assertion from the identity provider based at least in part on the data associated with the management credential; and
  
  authenticate with the service provider by way of the identity assertion.
- View Dependent Claims (2, 3, 4)
- - 2. The non-transitory computer-readable medium of claim 1, wherein the program is a native application.
  - 3. The non-transitory computer-readable medium of claim 1, wherein the program, when executed by the client device, is further configured to cause the client device to at least request an OAuth token from the service provider using the identity assertion.
  - 4. The non-transitory computer-readable medium of claim 1, wherein the device management application, when executed by the client device, is configured to cause the client device to at least:
    - identify the program;
      
      determine that the program should be granted access to the management credential based at least in part on configuration data; and
      
      provide the management credential to the program.

5. A system, comprising:
- a computing device comprising a processor and a memory;
  
  a management application executable by the computing device, the management application configured to cause the computing device to at least;
  
  receive a single sign-on request from a client application executed by the computing device;
  
  determine that the client application is permitted to access a management credential for single sign-on use;
  
  provide the management credential to the client application; and
  
  wherein the management application enforces at least one compliance rule on the computing device, a device management service provider configures the management application over a network to enforce the at least one compliance rule, the management application obtains the management credential over the network from the device management service provider, and the management application is in an authenticated state with the device management service provider in order to obtain the management credential; and
  
  wherein the client application is configured to cause the computing device to at least;
  
  send an access request to a service provider;
  
  receive a redirection from the service provider to an identity provider;
  
  send an identity assertion request to the identity provider based at least in part on the redirection;
  
  receive a response from the identity provider, the response requesting authentication by the management credential;
  
  send data associated with the management credential to the identity provider;
  
  receive an identity assertion from the identity provider; and
  
  authenticate with the service provider by way of the identity assertion.
- View Dependent Claims (6, 7, 8, 9, 20)
- - 6. The system of claim 5, wherein the management application is further configured to cause the computing device to at least:
    - receive another single sign-on request from another client application executed by the computing device;
      
      determine that the other client application is not permitted to access the management credential for single sign-on use; and
      
      deny access to the management credential by the other client application.
  - 7. The system of claim 5, wherein the management application is further configured to cause the computing device to at least:
    - render a user interface upon a display, the user interface being configured to receive at least one security credential from a user;
      
      receive the at least one security credential from the user; and
      
      authenticate with the device management service provider using the at least one security credential received from the user.
  - 8. The system of claim 5, wherein the identity assertion comprises a security assertion markup language (SAML) assertion.
  - 9. The system of claim 5, wherein the client application is further configured to cause the computing device to at least receive a session token from the service provider after authenticating.
  - 20. The system of claim 5, wherein the response from the identity provider requests Kerberos authentication, and the data associated with the management credential is sent to the identity provider by a Kerberos protocol.

10. A method executed in a computing device, comprising:
- sending an access request to a service provider;
  
  receiving a redirection from the service provider to an identity provider;
  
  sending an identity assertion request to the identity provider based at least in part on the redirection;
  
  receiving a response from the identity provider, the response requesting authentication by a management credential;
  
  obtaining the management credential from a device management application executed in the computing device;
  
  sending data generated by the management credential to the identity provider;
  
  receiving an identity assertion from the identity provider;
  
  authenticating with the service provider by way of the identity assertion; and
  
  wherein the device management application enforces at least one compliance rule on the computing device, a device management service provider configures the device management application over a network to enforce the at least one compliance rule, the device management application obtains the management credential over the network from the device management service provider, and the device management application is in an authenticated state with the device management service provider in order to obtain the management credential.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 11. The method of claim 10, wherein the identity assertion request specifies a type of mobile device platform.
  - 12. The method of claim 10, wherein the response from the identity provider requests Kerberos authentication, and the data generated by the management credential is sent to the identity provider by a Kerberos protocol.
  - 13. The method of claim 10, wherein the access request is generated by a client application, and the method further comprises:
    - determining that the client application is permitted access to the management credential; and
      
      providing the management credential to the client application.
  - 14. The method of claim 10, further comprising:
    - rendering a user interface by the device management application, the user interface configured to receive a security credential;
      
      receiving the security credential from a user by way of the user interface; and
      
      requesting the management credential from the device management service provider based at least in part on the security credential.
  - 15. The method of claim 10, further comprising receiving a session token from the service provider after authenticating with the service provider by way of the identity assertion.
  - 16. The method of claim 15, wherein the session token comprises an OAuth token.
  - 17. The method of claim 10, wherein the identity assertion comprises a security assertion markup language (SAML) assertion.
  - 18. The method of claim 10, further comprising:
    - receiving, by the device management application, a management command from the device management service provider instructing the computing device to take an action with respect to the at least one compliance rule; and
      
      implementing, by the device management application, the action in response to the management command.
  - 19. The method of claim 18, wherein implementing the action further comprises at least one of:
    - erasing data stored on the computing device;
      
      erasing an application stored on the computing device; and
      
      activating a display lock on the computing device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AirWatch LLC (Broadcom, Inc.)
Original Assignee
AirWatch LLC (Broadcom, Inc.)
Inventors
Rykowski, Adam, Jain, Ashish, Olds, Dale Robert, Xu, Emily Hong, Barday, Kabir, Austin, Kyle, Kommireddy, Sridhara Babu, Brannon, Jonathan Blake, Lotero, Camilo
Primary Examiner(s)
Zecher, Dede
Assistant Examiner(s)
MCCOY, RICHARD ANTHONY

Application Number

US14/739,980
Publication Number

US 20160366121A1
Time in Patent Office

960 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/0823   using certificates cryptogr...

Single sign-on for managed mobile devices

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

61 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Single sign-on for managed mobile devices

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

61 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links