Single sign-on for managed mobile devices
First Claim
1. A non-transitory computer-readable medium embodying a program executable in a client device, the program, when executed by the client device, being configured to cause the client device to at least:
- send an access request to a service provider;
- receive a redirection from the service provider to an identity provider;
- send an identity assertion request to the identity provider based at least in part on the redirection;
- receive a response from the identity provider, the response requesting authentication by a management credential, the management credential corresponding to a secure certificate or a Kerberos profile;
- obtain the management credential from a device management application executed in the client device, wherein the device management application enforces at least one compliance rule on the client device, a device management service configures the device management application over a network to enforce the at least one compliance rule, the device management application obtains the management credential over the network from the device management service, and the device management application is in an authenticated state with the device management service in order to obtain the management credential;
- send data associated with the management credential to the identity provider;
- receive an identity assertion from the identity provider based at least in part on the data associated with the management credential; and
- authenticate with the service provider by way of the identity assertion.
Dependent claims: 2, 3, 4.
Abstract
Disclosed are various examples for providing a single sign-on experience for managed mobile devices. A management application executed in a computing device receives a single sign-on request from a managed client application executed by the same computing device. The management application determines that the client application is permitted to access a management credential for single sign-on use. The management application provides the management credential to the client application in response to the single sign-on request.
20 Claims
5. A system, comprising:
- a computing device comprising a processor and a memory;
- a management application executable by the computing device, the management application configured to cause the computing device to at least:
  - receive a single sign-on request from a client application executed by the computing device;
  - determine that the client application is permitted to access a management credential for single sign-on use;
  - provide the management credential to the client application; and
- wherein the management application enforces at least one compliance rule on the computing device, a device management service provider configures the management application over a network to enforce the at least one compliance rule, the management application obtains the management credential over the network from the device management service provider, and the management application is in an authenticated state with the device management service provider in order to obtain the management credential; and
- wherein the client application is configured to cause the computing device to at least:
  - send an access request to a service provider;
  - receive a redirection from the service provider to an identity provider;
  - send an identity assertion request to the identity provider based at least in part on the redirection;
  - receive a response from the identity provider, the response requesting authentication by the management credential;
  - send data associated with the management credential to the identity provider;
  - receive an identity assertion from the identity provider; and
  - authenticate with the service provider by way of the identity assertion.
Dependent claims: 6, 7, 8, 9, 20.
10. A method executed in a computing device, comprising:
- sending an access request to a service provider;
- receiving a redirection from the service provider to an identity provider;
- sending an identity assertion request to the identity provider based at least in part on the redirection;
- receiving a response from the identity provider, the response requesting authentication by a management credential;
- obtaining the management credential from a device management application executed in the computing device;
- sending data generated by the management credential to the identity provider;
- receiving an identity assertion from the identity provider;
- authenticating with the service provider by way of the identity assertion; and
- wherein the device management application enforces at least one compliance rule on the computing device, a device management service provider configures the device management application over a network to enforce the at least one compliance rule, the device management application obtains the management credential over the network from the device management service provider, and the device management application is in an authenticated state with the device management service provider in order to obtain the management credential.
Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18, 19.
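The flow the three independent claims describe, as an added example written for this page (it is not the patent's or any vendor's code): a service provider, an identity provider, a device-management agent and a managed client app on one host. The security-relevant controls are the ones the claims recite: the agent releases the management credential only to an allow-listed app, only while its compliance rules hold and only once it holds the credential from its authenticated session with the management service; the identity provider issues an assertion only after a fresh, single-use challenge is answered with that credential; the service provider checks the assertion's signature and audience. Everything here is constructed: the class and method names, the HMAC-based proof that stands in for a certificate signature or Kerberos ticket, the shared assertion key standing in for the IdP's signing key, and the sample device, app and subject values.

```python
import hashlib
import hmac
import json
import secrets
from collections import namedtuple

# Stand-in for the certificate / Kerberos profile of the claims: a per-device
# secret; HMAC over a challenge replaces a signature (constructed simplification).
ManagementCredential = namedtuple("ManagementCredential", "device_id subject secret")

def mac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()

class DeviceManagementService:
    """Constructed MDM back end: enrolls devices and verifies credential proofs."""
    def __init__(self):
        self._devices = {}
    def enroll(self, device_id, subject):
        self._devices[device_id] = ManagementCredential(device_id, subject, secrets.token_bytes(32))
    def issue_credential(self, device_id):
        return self._devices[device_id]
    def verify_proof(self, device_id, challenge, proof):
        cred = self._devices.get(device_id)
        if cred and hmac.compare_digest(mac(cred.secret, challenge), proof):
            return cred.subject          # the identity the IdP may assert
        return None

class ManagementApplication:
    """Device-management agent: releases the credential only to allow-listed apps,
    only while every compliance rule holds, and only once it holds the credential."""
    def __init__(self, service, device_id, permitted_apps):
        self.service, self.device_id = service, device_id
        self.permitted_apps = set(permitted_apps)
        self.compliance_rules = []       # callables returning True when satisfied
        self._credential = None
    def authenticate_with_service(self):   # models the agent's authenticated state
        self._credential = self.service.issue_credential(self.device_id)
    def single_sign_on_request(self, app_id):
        if self._credential is None:
            raise PermissionError("agent not authenticated with management service")
        if app_id not in self.permitted_apps:
            raise PermissionError(f"{app_id} is not permitted to use SSO")
        if not all(rule() for rule in self.compliance_rules):
            raise PermissionError("device is out of compliance")
        return self._credential

class IdentityProvider:
    """Constructed IdP: demands the management credential, then issues an assertion
    signed with a key it shares with the service provider."""
    def __init__(self, service, assertion_key):
        self.service, self.assertion_key = service, assertion_key
        self._pending = {}               # challenge nonce -> audience (sp_id)
    def assertion_request(self, sp_id):
        nonce = secrets.token_hex(16)
        self._pending[nonce] = sp_id
        return {"auth": "management-credential", "challenge": nonce}
    def authenticate(self, challenge, device_id, proof):
        sp_id = self._pending.pop(challenge, None)   # single use, so a replay fails
        subject = sp_id and self.service.verify_proof(device_id, challenge, proof)
        if not subject:
            raise PermissionError("challenge unknown or reused, or proof invalid")
        body = json.dumps({"sub": subject, "aud": sp_id}, sort_keys=True)
        return {"body": body, "sig": mac(self.assertion_key, body)}

class ServiceProvider:
    def __init__(self, sp_id, idp, assertion_key):
        self.sp_id, self.idp, self.assertion_key = sp_id, idp, assertion_key
    def access_request(self):
        return {"redirect_to": self.idp, "sp_id": self.sp_id}
    def authenticate(self, assertion):
        if not hmac.compare_digest(mac(self.assertion_key, assertion["body"]), assertion["sig"]):
            raise PermissionError("assertion signature invalid")
        claims = json.loads(assertion["body"])
        if claims["aud"] != self.sp_id:  # an assertion minted for another SP is rejected
            raise PermissionError("assertion issued for a different service provider")
        return claims["sub"]

def client_sign_on(app_id, agent, sp):
    """The managed client application's side of the flow, in claim order."""
    redirect = sp.access_request()                       # access request -> redirect
    idp = redirect["redirect_to"]
    response = idp.assertion_request(redirect["sp_id"])  # identity assertion request
    if response["auth"] != "management-credential":
        raise RuntimeError("IdP asked for an unexpected authentication method")
    cred = agent.single_sign_on_request(app_id)          # obtain from the agent
    proof = mac(cred.secret, response["challenge"])      # data from the credential
    assertion = idp.authenticate(response["challenge"], cred.device_id, proof)
    return sp.authenticate(assertion)                    # sign in at the SP

def build_demo(compliant=True):
    """One enrolled device, one IdP and one SP; every value is constructed."""
    service = DeviceManagementService()
    service.enroll("device-42", "alice@example.com")
    agent = ManagementApplication(service, "device-42", {"com.example.mail"})
    agent.compliance_rules.append(lambda: compliant)
    agent.authenticate_with_service()
    key = secrets.token_bytes(32)
    return agent, ServiceProvider("mail.example.com", IdentityProvider(service, key), key)
```

`client_sign_on("com.example.mail", *build_demo())` returns the asserted subject; an app missing from the allow-list, an out-of-compliance device, a reused challenge, or an assertion presented to a service provider it was not issued for each fail with `PermissionError`. In a real deployment the proof would be a signature under the device certificate (or a Kerberos ticket) checked against the management service's CA, and the assertion would be a signed SAML or OIDC token; the control points are the same.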
Specification