Mechanism of passing security tokens through both untrusted and validating intermediaries

US 10,735,400 B2
Filed: 02/13/2018
Issued: 08/04/2020
Est. Priority Date: 02/13/2018
Status: Active Grant

First Claim

Patent Images

1. A method for performing a single sign on (SSO) service for a client in a system having a server that provides resources for the client, comprising:

receiving a request from the client to access a resource provided by the server, wherein the request contains an artifact referencing a security token and the security token contains an assertion for authorizing the client for a single sign on service with the server;

embedding the artifact in an access token, wherein the access token includes, in addition to the artifact, one or more fields for validating the access token itself;

after the access token is validated, the artifact is extracted from the access token and the server is in possession of the artifact, receiving a request from the server to resolve the artifact; and

sending the assertion to the server, wherein the assertion permits the client to access the requested resource provided by the server.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed is a system and technique for validating a user for a single sign on without exposing secure information about the user to any part of the system except the connection server and the identity provider. In the technique, instead of relying directly on a SAML assertion, the technique uses an artifact representing the assertion and wraps the artifact in an access token. The access token is able to carry the artifact through one or more gateways on its way to a connection server without revealing any security information. Upon the access token being verified by either the gateway or the connection server, the artifact can be extracted from the access token and verification of the user for the single sign on can proceed between only the connection server and the identity provider.

7 Citations

21 Claims

1. A method for performing a single sign on (SSO) service for a client in a system having a server that provides resources for the client, comprising:
- receiving a request from the client to access a resource provided by the server, wherein the request contains an artifact referencing a security token and the security token contains an assertion for authorizing the client for a single sign on service with the server;
  
  embedding the artifact in an access token, wherein the access token includes, in addition to the artifact, one or more fields for validating the access token itself;
  
  after the access token is validated, the artifact is extracted from the access token and the server is in possession of the artifact, receiving a request from the server to resolve the artifact; and
  
  sending the assertion to the server, wherein the assertion permits the client to access the requested resource provided by the server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the security token describes the assertion in Security Assertion Markup Language (SAML).
  - 3. The method of claim 1, wherein a gateway residing between the client and the server verifies the access token, extracts the artifact from the access token and sends the artifact to the server.
  - 4. The method of claim 3, wherein the gateway verifies issuance and expiration date of the access token.
  - 5. The method of claim 3, wherein the gateway verifies an issuer of the access token and an intended audience of the access token.
  - 6. The method of claim 1, wherein the server is a virtual desktop connection server that uses the assertion to connect the client to a virtual machine hosting a desktop.
  - 7. The method of claim 1, wherein the server verifies the access token and extracts the artifact from the access token.
  - 8. The method of claim 1, wherein the access token comprises a JavaScript object notation (JSON) web token (JWT).

9. A non-transitory computer readable medium containing instructions for performing a single sign on (SSO) service for a client in a system having a server that provides resources for the client and which, when executed by one or more processors, perform the steps of:
- receiving a request from the client to access a resource provided by the server, wherein the request contains an artifact referencing a security token and the security token contains an assertion for authorizing the client for a single sign on service with the server;
  
  embedding the artifact in an access token, wherein the access token includes, in addition to the artifact, one or more fields for validating the access token itself;
  
  after the access token is validated, the artifact is extracted from the access token and the server is in possession of the artifact, receiving a request from the server to resolve the artifact; and
  
  sending the assertion to the server, wherein the assertion permits the client to access the requested resource provided by the server.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The non-transitory computer readable medium of claim 9, the security token describes the assertion in Security Assertion Markup Language (SAML).
  - 11. The non-transitory computer readable medium of claim 9, wherein a gateway residing between the client and the server verifies the access token, extracts the artifact from the access token and sends the artifact to the server.
  - 12. The non-transitory computer readable medium of claim 11, wherein the gateway verifies issuance and expiration date of the access token.
  - 13. The non-transitory computer readable medium of claim 11, wherein the gateway verifies an issuer of the access token and an intended audience of the access token.
  - 14. The non-transitory computer readable medium of claim 9, wherein the server is a virtual desktop connection server that uses the assertion to connect the client to a virtual machine hosting a desktop.
  - 15. The non-transitory computer readable medium of claim 9, wherein the server verifies the access token and extracts the artifact from the access token.

16. A computer system comprising:
- a client;
  
  a server configured to provide resources for the client upon a successful sign on by the client; and
  
  an identity provider connected between the client and the server and configured to;
  
  receive a request from the client to access a resource provided by the server, wherein the request contains an artifact referencing a security token and the security token contains an assertion for authorizing the client for a single sign on service with the server;
  
  embed the artifact in an access token, wherein the access token includes, in addition to the artifact, one or more fields for validating the access token itself;
  
  after the access token is validated, the artifact is extracted from the access token and the server is in possession of the artifact, receive a request from the server to resolve the artifact; and
  
  send the assertion to the server, wherein the assertion permits the client to access the requested resource provided by the server.
- View Dependent Claims (17, 18, 19, 20, 21)
- - 17. The computer system of claim 16, wherein the security token describes the assertion in Security Assertion Markup Language (SAML).
  - 18. The computer system of claim 16,further comprising a gateway residing between the client and the server;
    - wherein the gateway verifies the access token, extracts the artifact from the access token and sends the artifact to the server.
  - 19. The computer system of claim 18, wherein the gateway verifies issuance and expiration date of the access token.
  - 20. The computer system of claim 16, wherein the server is a virtual desktop connection server that uses the assertion to connect the client to a virtual machine hosting a desktop.
  - 21. The computer system of claim 16, wherein the server verifies the access token and extracts the artifact from the access token.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Vmware LLC (Broadcom, Inc.)
Original Assignee
VMware, Inc. (Broadcom, Inc.)
Inventors
Benson, Mark, Xu, Emily Hong, Schoppert, Brett
Primary Examiner(s)
Avery, Jeremiah L

Application Number

US15/895,844
Publication Number

US 20190253408A1
Time in Patent Office

903 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 9/45558   Hypervisor-specific managem...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/10   for controlling access to d...

H04L 9/3213   using tickets or tokens, e....

Mechanism of passing security tokens through both untrusted and validating intermediaries

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

7 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Mechanism of passing security tokens through both untrusted and validating intermediaries

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

7 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links