STEP-UP AUTHENTICATION FOR SINGLE SIGN-ON

US 20170170963A1
Filed: 02/13/2017
Published: 06/15/2017
Est. Priority Date: 10/31/2014
Status: Active Grant

First Claim

Patent Images

1-20. -20. (canceled)

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for authenticating a user seeking access to first and second resources that have different authentication levels. The method includes receiving a primary token that is associated with a first authentication event of the user and authenticates the user to access the first resource, and receiving a first request to access the second resource. The method further includes receiving first credentials of the user. The method further includes, responsive to validating the first credentials, generating a second authentication event, associating the second authentication event with the primary token, and issuing a first secondary token that authenticates the user to access the second resource.

6 Citations

View as Search Results

40 Claims

1-20. -20. (canceled)

21. A method for providing step-up authentication in a system providing single-sign on to a plurality of applications, comprising:
- receiving a request to authenticate a user for a first application using a primary token associated with a single-sign on capability;
  
  determining that the primary token is insufficient to authenticate the user for the first application;
  
  requesting a step-up authentication for the user;
  
  updating the primary token to reflect the step-up authentication; and
  
  granting access to the first application based on an updated primary token.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 34)
- - 22. The method of claim 21, wherein updating the primary token comprises issuing a second token and the updated primary token comprises the second token.
  - 23. The method of claim 21, further comprising:
    - using the primary token to obtain a secondary token, the secondary token being associated with a second application.
  - 24. The method of claim 23, further comprising:
    - revoking the secondary token to revoke single-sign-on access through the second application without impacting the primary token.
  - 25. The method of claim 21, wherein the request to authenticate includes an identifier for the first application and the method further comprises:
    - receiving a second request to authenticate the user for a second application using the updated primary token, the second request including an identifier for the second application;
      
      determining that the second request requires step-up authentication;
      
      accessing the step-up authentication credentials from the updated primary token without requesting an additional step-up authentication from the user; and
      
      granting the second request to authenticate the user for the second application based on the step-up authentication credentials in the updated primary token.
  - 26. The method of claim 21, wherein:
    - the primary token comprises a JSON web token; and
      
      updating the primary token comprises storing information used for the step-up authentication in the AuthContext field of the JSON web token.
  - 27. The method of claim 21, further comprising:
    - re-using the step-up authentication for accessing the first application as a step-up authentication event for a plurality of additional applications without requesting additional user input.
  - 34. The system of claim 21, wherein the one or more servers are further configured to:
    - re-use the step-up authentication for accessing the first application as a step-up authentication event for a plurality of additional applications without requesting additional user input.

28. A system for providing step-up authentication with single sign-on, comprising:
- a client device configured to provide a request to authenticate a user for a first application using a primary token associated with a single-sign on capability; and
  
  one or more servers configured to;
  
  determine that the primary token is insufficient to authenticate the user for the first application;
  
  request a step-up authentication for the user;
  
  update the primary token to reflect the step-up authentication; and
  
  grant access to the first application based on an updated primary token.
- View Dependent Claims (29, 30, 31, 32, 33)
- - 29. The system of claim 28, wherein updating the primary token comprises issuing a second token and the updated primary token comprises the second token.
  - 30. The system of claim 28, wherein the one or more servers are further configured to use the primary token to obtain a secondary token, the secondary token being associated with a second application.
  - 31. The system of claim 30, wherein the one or more servers are further configured to revoke the secondary token to revoke single-sign-on access through the second application without impacting the primary token.
  - 32. The system of claim 28, wherein the request to authenticate includes an identifier for the first application and one or more servers are further configured to:
    - receive a second request to authenticate the user for a second application using the updated primary token, the second request including an identifier for the second application;
      
      determine that the second request requires step-up authentication;
      
      access the step-up authentication credentials from the updated primary token without requesting an additional step-up authentication from the user; and
      
      grant the second request to authenticate the user for the second application based on the step-up authentication credentials in the updated primary token.
  - 33. The system of claim 28, wherein:
    - the primary token comprises a JSON web token; and
      
      updating the primary token comprises storing information used for the step-up authentication in the AuthContext field of the JSON web token.

35. A computer-readable medium comprising instruction which, when executed by a processor, provide step-up authentication with single-sign by executing a series of steps comprising:
- receiving a request to authenticate a user for a first application using a primary token associated with a single-sign on capability;
  
  determining that the primary token is insufficient to authenticate the user for the first application;
  
  requesting a step-up authentication for the user;
  
  updating the primary token to reflect the step-up authentication; and
  
  granting access to the first application based on an updated primary token.
- View Dependent Claims (36, 37, 38, 39, 40)
- - 36. The computer-readable medium of claim 35, wherein updating the primary token comprises issuing a second token and the updated primary token comprises the second token.
  - 37. The computer-readable medium of claim 35, wherein the instructions further execute steps comprising using the primary token to obtain a secondary token, the secondary token being associated with a second application.
  - 38. The computer-readable medium of claim 37, wherein the instructions further execute a step comprising revoking the secondary token to revoke single-sign-on access through the second application without impacting the primary token.
  - 39. The computer-readable medium of claim 35, wherein the request to authenticate includes an identifier for the first application and the steps further comprise:
    - receiving a second request to authenticate the user for a second application using the updated primary token, the second request including an identifier for the second application;
      
      determining that the second request requires step-up authentication;
      
      accessing the step-up authentication credentials from the updated primary token without requesting an additional step-up authentication from the user; and
      
      granting the second request to authenticate the user for the second application based on the step-up authentication credentials in the updated primary token.
  - 40. The computer-readable medium of claim 35, wherein the steps further comprise:
    - re-using the step-up authentication for accessing the first application as a step-up authentication event for a plurality of additional applications without requesting additional user input.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Vmware LLC (Broadcom, Inc.)
Original Assignee
VMware, Inc. (Broadcom, Inc.)
Inventors
Ladda, Shraddha, Olds, Dale Robert, Xu, Emily Hong

Granted Patent

US 10,171,241 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/31   User authentication

G06F 21/62   Protecting access to data v...

G06F 2211/003   Mutual Authentication Bi-Di...

G06F 2211/009   Trust

H04L 2463/082   applying multi-factor authe...

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/10   for controlling access to d...

H04L 63/105   Multiple levels of security

H04L 9/32   including means for verifyi...

H04L 9/3213   using tickets or tokens, e....

H04W 12/068   using credential vaults, e....

H04W 12/084   using delegated authorisati...

H04W 12/30   Security of mobile devices;...

H04W 12/66   Trust-dependent, e.g. using...

STEP-UP AUTHENTICATION FOR SINGLE SIGN-ON

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

6 Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

STEP-UP AUTHENTICATION FOR SINGLE SIGN-ON

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

6 Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links