Identity management and device enrollment in a cloud service

US 10,156,841 B2
Filed: 04/08/2016
Issued: 12/18/2018
Est. Priority Date: 12/31/2015
Status: Active Grant

First Claim

Patent Images

1. A method for brokering requests to enroll machines with one or more cloud-based applications using an enrollment service application executed by a processor circuit, the method comprising:

receiving an enrollment request at an enrollment service application from a first machine, the enrollment request including a first access token;

providing the first access token to an authorization service application via a network;

receiving, via the network and from the authorization service application, an indication of one or more data access scopes associated with the first access token;

in the event of the one or more data access scopes being valid, requesting a second access token from the authorization service application via the network;

receiving the second access token from the authorization service application via the network; and

providing, using the enrollment service application, machine-specific identification information to the authorization service application using the second access token, and to the first machine, the machine-specific identification information selected for use by the first machine for later data access to a cloud-based application.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In various example embodiments, systems and methods for administering machine access to a cloud service are presented. A first device or machine can access an enrollment service in a cloud environment using user-based credential data. The enrollment service can request registration of the first device with an authorization service. If the authorization service accepts the request, then the authorization service can provide credential data for the first device to use to access one or more cloud-based services. In an example embodiment, a third party application provides devices and an enrollment service with credential data that can be used to facilitate device enrollment with cloud services.

222 Citations

20 Claims

1. A method for brokering requests to enroll machines with one or more cloud-based applications using an enrollment service application executed by a processor circuit, the method comprising:
- receiving an enrollment request at an enrollment service application from a first machine, the enrollment request including a first access token;
  
  providing the first access token to an authorization service application via a network;
  
  receiving, via the network and from the authorization service application, an indication of one or more data access scopes associated with the first access token;
  
  in the event of the one or more data access scopes being valid, requesting a second access token from the authorization service application via the network;
  
  receiving the second access token from the authorization service application via the network; and
  
  providing, using the enrollment service application, machine-specific identification information to the authorization service application using the second access token, and to the first machine, the machine-specific identification information selected for use by the first machine for later data access to a cloud-based application.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the requesting the second access token from the authorization service application includes requesting an access token using a client credentials grant to initiate data communication between the enrollment service application and the authorization service application via the network.
  - 3. The method of claim 2, wherein the providing the machine-specific identification information includes providing a machine-specific identification code and corresponding secret to the first machine.
  - 4. The method of claim 2, wherein the providing the first access token to the authorization service application includes providing the token according to an OAuth 2.0 protocol.
  - 5. The method of claim 1, wherein the receiving the enrollment request at the enrollment service application includes receiving, via the Internet, the first access token in a header of a data packet, and wherein the receiving the enrollment request at the enrollment service application includes receiving a POST request at an /enroll endpoint of the enrollment service application.
  - 6. The method of claim 1, wherein the receiving, via the network and from the authorization service application, the indication of one or more data access scopes associated with the first access token includes receiving information indicating a data access limit associated with the first access token when the first access token is an OAuth2 token.

7. A method for enabling data communication between a machine and a remote service application via a network, the method comprising:
- providing, using a first machine, user-based credential data to an authorization service application via a network;
  
  receiving, at the first machine and via the network, an authorization code from the authorization service application when the user-based credential data is valid;
  
  providing, using the first machine and via the network, the authorization code and a request for an access token to the authorization service application, and in response, receiving an access token from the authorization service application;
  
  providing, using the first machine, the access token and an enrollment request to an enrollment service application via the network, the enrollment request including a request for data access to a cloud-based application; and
  
  receiving, from the enrollment service application, machine credential data selected by the enrollment service application to permit the first machine later access to the cloud-based application.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The method of claim 7, wherein the receiving the machine credential data includes receiving machine credential data selected by the enrollment service application to permit the first machine later access to the cloud-based application, wherein the later access to the cloud-based application includes using a different, later-acquired machine token from the authorization service application using the machine credential data.
  - 9. The method of claim 7, wherein the providing the authorization code and the request for an access token to the authorization service application includes providing a request for an access token according to an OAuth 2.0 protocol.
  - 10. The method of claim 7, wherein the providing the authorization code and the request for an access token to the authorization service application includes providing a request for an access token that is configured to provide the first machine with access to the enrollment service for a specified duration.
  - 11. The method of claim 7, further comprising requesting an access token from the enrollment service application using the machine credential data, the access token selected to enable communication between the first machine and a first cloud-based service.
  - 12. The method of claim 7, further comprising receiving the user-based credential data via a mobile device that is in data communication with the first machine.

13. A method for administering machine access to a cloud service application, the method comprising:
- accessing, by a computer system corresponding to a first machine, an enrollment service application executed on an enrollment server, the accessing permitted for a specified reference duration based on user credential data of a user of the first machine;
  
  using the enrollment service, providing a request via a network to an authorization service application to register the first machine with the authorization service application;
  
  in response to the request to register the first machine with the authorization service application, using the authorization service application, providing via the network an indication of authorized machine credential data, corresponding to the first machine, to the enrollment service application; and
  
  in response to successfully enrolling the first machine with the enrollment service application, receiving the authorized machine credential data at the first machine, the authorized machine credential data configured to grant the first machine data access to one or more cloud-based services.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The method of claim 13, wherein the accessing the enrollment service application from the first machine includes:
    - using a first interface corresponding to the first machine, prompting the user of the first machine for the user credential data;
      
      receiving the user credential data from the user;
      
      providing the user credential data to the authorization service application; and
      
      when the user credential data is successfully validated by the authorization service application, receiving, at the first machine and from the authorization service application, a machine-specific authorization code for use by the first machine to obtain an access token from the enrollment service application.
  - 15. The method of claim 14, further comprising providing the machine-specific authorization code from the first machine to the authorization service application and, in response, receiving at the first machine an access token selected to permit the first machine access to the enrollment service application for a specified duration.
  - 16. The method of claim 15, further comprising providing the access token from the first machine to the enrollment service application with a request to enroll the first machine for use with one or more cloud-based service applications.
  - 17. The method of claim 16, further comprising providing the access token from the enrollment service application to the authorization service application for validation, and when the access token is successfully validated by the authorization service application, then receiving at the enrollment service application and via the network, one or more scopes associated with the access token.
  - 18. The method of claim 17, further comprising determining at the enrollment service application whether the one or more scopes received from the authorization service application are valid and, if the one or more scopes received from the authorization service application are valid, then requesting a second access token from the authorization service application for the enrollment service application to use to communicate with the authorization service application.
  - 19. The method of claim 18, further comprising receiving, at the enrollment service application, the second access token from the authorization service application via the network based on client credentials associated with the enrollment service application, and accessing the authorization service application using the second access token, the accessing including providing machine credential data for the first machine from the enrollment service application to the authorization service application.
  - 20. The method of claim 13, further comprising:
    - providing the authorized machine credential data from the first machine to the authorization service application to enable data communication between the first machine and a first cloud-based application associated with the first machine;
      
      sending machine use information about the first machine from the first machine to the first cloud-based application; and
      
      receiving, from the first cloud-based application, machine configuration information for use by the first machine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
GE Digital Holdings LLC (GE Aerospace)
Original Assignee
General Electric Company
Inventors
Wu, Jiaqi, Lammers, Greg
Primary Examiner(s)
Zaidi, Syed A

Application Number

US15/094,722
Publication Number

US 20170195331A1
Time in Patent Office

984 Days
Field of Search

726 4
US Class Current
CPC Class Codes

G05B 19/41885   characterised by modeling, ...

G05B 2219/23005   Expert design system, uses ...

G05B 2219/33139   Design of industrial commun...

G06F 2203/04806   Zoom, i.e. interaction tech...

G06F 3/0482   Interaction with lists of s...

G06F 3/04842   Selection of displayed obje...

G06F 3/04845   for image manipulation, e.g...

G06F 3/04847   Interaction techniques to c...

G06F 3/04883   for inputting data by handw...

G06Q 10/04   Forecasting or optimisation...

G06Q 10/06   Resources, workflows, human...

H04L 41/12   Discovery or management of ...

H04L 43/045   for graphical visualisation...

H04L 63/0823   using certificates cryptogr...

H04L 63/0876   based on the identity of th...

H04L 63/10   for controlling access to d...

H04L 63/18   using different networks or...

H04L 67/10   in which an application is ...

Y02P 90/80   Management or planning

Identity management and device enrollment in a cloud service

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

222 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Identity management and device enrollment in a cloud service

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

222 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links