Extending Single-Sign-On to Relying Parties of Federated Logon Providers

US 20190058706A1
Filed: 08/17/2017
Published: 02/21/2019
Est. Priority Date: 08/17/2017
Status: Active Grant

First Claim

Patent Images

1. An enterprise identity provider server comprising:

at least one processor;

a communication interface;

memory storing instructions that, when executed by the at least one processor, cause the enterprise identity provider server to;

receive, via the communication interface, from an enterprise server integrated with an enterprise identity service provided by the enterprise identity provider server, a first authentication token previously issued to the enterprise server by the enterprise identity provider server;

in response to receiving the first authentication token, retrieve, from a token store maintained by the enterprise identity provider server, a second authentication token associated with a federated identity service provided by a federated identity provider server;

refresh the second authentication token with the federated identity service provided by the federated identity provider server to obtain a refreshed authentication token; and

send, via the communication interface, to the enterprise server, the refreshed authentication token, wherein sending the refreshed authentication token to the enterprise server enables user devices manages by the enterprise server to access one or more resources provided by a third party system using the federated identity service.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Aspects of the disclosure relate to extending single-sign-on to relying parties for federated logon providers. An enterprise identity provider server may receive a first authentication token previously issued to an enterprise server by the enterprise identity provider server. Subsequently, the enterprise identity provider server may retrieve, from a token store, a second authentication token associated with a federated identity service provided by a federated identity provider server. The enterprise identity provider server may refresh the second authentication token with the federated identity service provided by the federated identity provider server to obtain a refreshed authentication token. Finally, the enterprise identity provider server may send the refreshed authentication token to the enterprise server, which may enable user devices managed by the enterprise server to access one or more resources provided by a third party system using the federated identity service.

90 Citations

View as Search Results

20 Claims

1. An enterprise identity provider server comprising:
- at least one processor;
  
  a communication interface;
  
  memory storing instructions that, when executed by the at least one processor, cause the enterprise identity provider server to;
  
  receive, via the communication interface, from an enterprise server integrated with an enterprise identity service provided by the enterprise identity provider server, a first authentication token previously issued to the enterprise server by the enterprise identity provider server;
  
  in response to receiving the first authentication token, retrieve, from a token store maintained by the enterprise identity provider server, a second authentication token associated with a federated identity service provided by a federated identity provider server;
  
  refresh the second authentication token with the federated identity service provided by the federated identity provider server to obtain a refreshed authentication token; and
  
  send, via the communication interface, to the enterprise server, the refreshed authentication token, wherein sending the refreshed authentication token to the enterprise server enables user devices manages by the enterprise server to access one or more resources provided by a third party system using the federated identity service.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The enterprise identity provider server of claim 1, wherein the memory stores additional instructions that, when executed by the at least one processor, cause the enterprise identity provider server to:
    - prior to receiving the first authentication token, provision the enterprise server with the first authentication token.
  - 3. The enterprise identity provider server of claim 1, wherein the memory stores additional instructions that, when executed by the at least one processor, cause the enterprise identity provider server to:
    - store, in the token store, the second authentication token and a reference associating the second authentication token with the first authentication token.
  - 4. The enterprise identity provider server of claim 1, wherein the memory stores additional instructions that, when executed by the at least one processor, cause the enterprise identity provider server to:
    - in response to refreshing the second authentication token, store, in the token store, the refreshed authentication token and a reference associating the refreshed authentication token with the first authentication token.
  - 5. The enterprise identity provider server of claim 1, wherein refreshing the second authentication token further causes the enterprise identity provider server to:
    - send, via the communication interface, a request to the federated identity provider server to regenerate the second authentication token, wherein the federated identity provider server generates the refreshed authentication token; and
      
      receive, via the communication interface, the refreshed authentication token from the federated identity provider server.
  - 6. The enterprise identity provider server of claim 5, wherein refreshing the second authentication token further causes the enterprise identity provider server to:
    - update the token store with the refreshed authentication token and a reference associating the refreshed authentication token with the first authentication token.
  - 7. The enterprise identity provider server of claim 1, wherein the memory stores additional instructions that, when executed by the at least one processor, cause the enterprise identity provider server to:
    - receive, via the communication interface, a request from the enterprise server to access the one or more resources provided by the third party system using the federated identity service; and
      
      redirect, via the communication interface, the request from the enterprise server to the federated identity service provided by the federated identity provider server.
  - 8. The enterprise identity provider server of claim 1, wherein the first authentication token enables the user devices managed by the enterprise server to have single-sign-on access to one or more resources using an enterprise identity service provided by the enterprise identity provider server.
  - 9. The enterprise identity provider server of claim 1, wherein the second authentication token enables the user devices managed by the enterprise server to have single-sign-on access to the third party system using the federated identity service.
  - 10. The enterprise identity provider server of claim 1, wherein retrieving the second authentication token further causes the enterprise identity provider server to:
    - retrieve, from the token store, the second authentication token based on a reference associating the second authentication token with the first authentication token.

11. A method comprising:
- at an enterprise identity provider comprising at least one processor, memory, and a communication interface;
  
  receiving, via the communication interface, from an enterprise server integrated with an enterprise identity service provided by the enterprise identity provider server, a first authentication token previously issued to the enterprise server by the enterprise identity provider server;
  
  in response to receiving the first authentication token, retrieving, from a token store maintained by the enterprise identity provider server, a second authentication token associated with a federated identity service provided by a federated identity provider server;
  
  refreshing the second authentication token with the federated identity service provided by the federated identity provider server to obtain a refreshed authentication token; and
  
  sending, via the communication interface, to the enterprise server, the refreshed authentication token, wherein sending the refreshed authentication token to the enterprise server enables user devices managed by the enterprise server to access one or more resources provided by a third party system using the federated identity service.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The method of claim 11, further comprising:
    - prior to receiving the first authentication token, provisioning the enterprise server with the first authentication token.
  - 13. The method of claim 11, further comprising:
    - storing, in the token store, the second authentication token and a reference associating the second authentication token with the first authentication token.
  - 14. The method of claim 11, further comprising:
    - in response to refreshing the second authentication token, storing, in the token store, the second authentication token and a reference associating the second authentication token with the first authentication token.
  - 15. The method of claim 11, wherein refreshing the second authentication token further comprises:
    - sending, via the communication interface, a request to the federated identity provider server to regenerate the second authentication token, wherein the federated identity provider server generates the refreshed authentication token;
      
      receiving, via the communication interface, the refreshed authentication token from the federated identity provider server; and
      
      updating the token store with the refreshed authentication token and a reference associating the second authentication token with the first authentication token.
  - 16. The method of claim 11, further comprising:
    - receiving, via the communication interface, a request from the enterprise server to access the one or more resources provided by the third party system using the federated identity service; and
      
      redirecting, via the communication interface, the request from the enterprise server to the federated identity service provided by the federated identity provider server.
  - 17. The method of claim 11, wherein the first authentication token enables the user devices managed by the enterprise server to have single-sign-on access to one or more resources using an enterprise identity service provided by the enterprise identity provider server.
  - 18. The method of claim 11, wherein the second authentication token enables the user devices managed by the enterprise server to have single-sign-on access to the third party system using the federated identity service.
  - 19. The method of claim 11, further comprising:
    - retrieving, from a token store, the second authentication token based on a reference associating the second authentication token to the first authentication token.

20. One or more non-transitory computer-readable media storing instructions that, when executed by a computing platform comprising at least one processor, memory, and a communication interface, cause the computing platform to:
- receive, via the communication interface, from an enterprise server integrated with an enterprise identity service provided by the enterprise identity provider server, a first authentication token previously issued to the enterprise server by the enterprise identity provider server;
  
  in response to receiving the first authentication token, retrieve, from a token store maintained by the enterprise identity provider server, a second authentication token associated with a federated identity service provided by a federated identity provider server;
  
  refresh the second authentication token with the federated identity service provided by the federated identity provider server to obtain a refreshed authentication token; and
  
  send, via the communication interface, to the enterprise server, the refreshed authentication token, wherein sending the refreshed authentication token to the enterprise server enables user devices managed by the enterprise server to access one or more resources provided by a third party system using the federated identity service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Feijoo, Ricardo Fernando, Kludy, Thomas

Granted Patent

US 10,721,222 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/335   for accessing specific reso...

G06F 21/40   by quorum, i.e. whereby two...

G06F 21/41   where a single sign-on prov...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

Extending Single-Sign-On to Relying Parties of Federated Logon Providers

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

90 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Extending Single-Sign-On to Relying Parties of Federated Logon Providers

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

90 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links