Actively federated mobile authentication

US 9,294,454 B2
Filed: 05/13/2013
Issued: 03/22/2016
Est. Priority Date: 03/15/2013
Status: Active Grant

First Claim

Patent Images

1. A method for making web service calls to a service on an enterprise network from a mobile device, comprising:

providing user credentials to an identity provider to obtain a first security token, the identity provider having an established trust relationship with a trust broker and with an enterprise service, and the first security token configured to provide authentication for service requests received at the enterprise service;

providing a copy of the first security token to the trust broker, the trust broker having an established trust relationship with the service relay;

receiving a second security token from the trust broker in response to providing the copy of the first security token, the second security token configured to provide authentication to the service relay using an additional form of authentication that is different than the first security token;

sending a service request to the service relay, the service request comprising both the first security token and the second security token, wherein the second security token provides authentication to the service relay and provides permission for the service relay to forward the service request and the first security token to the enterprise service; and

receiving a service response from the service relay in response to the enterprise service authenticating the mobile device using the first security token.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

To make a trusted web service call, a client application sends a series of messages to obtain tokens that allow service requests to pass through a service relay. The user obtains a first security token by providing the user'"'"'s credentials. A second token is obtained from a trust broker that validates the first token. Both tokens are then sent with a service request to a service relay. The service relay validates the second token and then passes the first token and the service request to a connector service. The connector service validates the first token and passes the service request to a target back end service. The connector service acts as the user when communicating with the back end service. Service responses are routed back to the user through the connector service and the service relay.

Citations

17 Claims

1. A method for making web service calls to a service on an enterprise network from a mobile device, comprising:
- providing user credentials to an identity provider to obtain a first security token, the identity provider having an established trust relationship with a trust broker and with an enterprise service, and the first security token configured to provide authentication for service requests received at the enterprise service;
  
  providing a copy of the first security token to the trust broker, the trust broker having an established trust relationship with the service relay;
  
  receiving a second security token from the trust broker in response to providing the copy of the first security token, the second security token configured to provide authentication to the service relay using an additional form of authentication that is different than the first security token;
  
  sending a service request to the service relay, the service request comprising both the first security token and the second security token, wherein the second security token provides authentication to the service relay and provides permission for the service relay to forward the service request and the first security token to the enterprise service; and
  
  receiving a service response from the service relay in response to the enterprise service authenticating the mobile device using the first security token.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the enterprise network comprises a connector service exposing a web service endpoint for a back office service.
  - 3. The method of claim 1, wherein the enterprise network comprises a group of different systems cooperatively providing a single service.
  - 4. The method of claim 1, wherein the enterprise network comprises a group of different systems providing a plurality of different services.
  - 5. The method of claim 1, wherein the enterprise service is an enterprise resource planning application, and wherein the service request corresponds to a financial transaction initiated by the mobile device.
  - 6. The method of claim 1, wherein the enterprise service is an enterprise resource planning application, and wherein the service request corresponds to a time entry logged by the mobile device.

7. A mobile device for making web service calls to an enterprise service via a service relay, comprising:
- one or more processors;
  
  a memory coupled to the one or more processors, the memory storing one or more instructions executable by the one or more processors to cause the mobile device to;
  
  provide user credentials to an identity provider to obtain a first security token, the identity provider having an established trust relationship with a trust broker and with an enterprise service, and the first security token configured to provide authentication for service requests received at the enterprise service;
  
  provide a copy of the first security token to the trust broker, the trust broker having an established trust relationship with the service relay;
  
  receive a second security token from the trust broker in response to providing the copy of the first security token, the second security token configured to provide authentication to the service relay using an additional form of authentication that is different than the first security token;
  
  send a service request to the service relay, the service request comprising both the first security token and the second security token, wherein the second security token provides authentication to the service relay and provides permission for the service relay to forward the service request and the first security token to the enterprise service; and
  
  receive a service response from the service relay in response to the enterprise service authenticating the mobile device using the first security token.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The mobile device of claim 7, wherein the enterprise service is a back office service that processes the service requests.
  - 9. The mobile device of claim 7, wherein the enterprise service includes a connector service that validates service requests and passes the service requests to a back office service.
  - 10. The mobile device of claim 9, wherein the first security token comprises user identification information that allows the connector service to make web service calls to the back office service as if the connector service was the user.
  - 11. The mobile device of claim 7, wherein the enterprise service is a group of different systems providing a single service.
  - 12. The mobile device of claim 7, wherein the enterprise service is a group of different systems providing a plurality of different services.

13. A memory device having program instructions stored thereon that, upon execution by a mobile device, cause the mobile device to:
- provide user credentials to an identity provider to obtain a first security token, the identity provider having an established trust relationship with a trust broker and with an enterprise service, and the first security token configured to provide authentication for service requests received at the enterprise service;
  
  provide the first security token to the trust broker, the trust broker having an established trust relationship with the service relay;
  
  receive a second security token from the trust broker in response to providing the copy of the first security token, the second security token configured to provide authentication to the service relay using an additional form of authentication that is different than the first security token;
  
  send a service request to the service relay, the service request comprising both the first security token and the second security token, wherein the second security token provides authentication to the service relay and provides permission for the service relay to forward the service request and the first security token to the enterprise service; and
  
  receive a service response from the service relay in response to the enterprise service authenticating the mobile device using the first security token.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The memory device of claim 13, wherein the enterprise network comprises a group of different systems cooperatively providing a single service.
  - 15. The memory device of claim 13, wherein the enterprise network comprises a group of different systems providing a plurality of different services.
  - 16. The memory device of claim 13, wherein the enterprise network comprises an enterprise resource planning application, and wherein the service request corresponds to a financial transaction initiated by the user on the mobile device.
  - 17. The memory device of claim 13, wherein enterprise network comprises an enterprise resource planning application, and wherein the service request corresponds to a time entry logged by the user on the mobile device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Young, Kyle Stapley, Drollinger, Robert Aron, O'Brien, Robert, Runde, David J., Pandya, Jagruti Dushyant, El Khoury, Georges
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
MURPHY, JOSEPH B

Application Number

US13/893,029
Publication Number

US 20140282989A1
Time in Patent Office

1,044 Days
Field of Search

726/9
US Class Current

1/1
CPC Class Codes

H04L 2463/082   applying multi-factor authe...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/08   for authentication of entit...

H04L 63/0815   providing single-sign-on or...

H04L 63/0869   for achieving mutual authen...

H04L 63/0884   by delegation of authentica...

H04L 67/02   based on web technology, e....

H04L 67/56   Provisioning of proxy servi...

Actively federated mobile authentication

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Actively federated mobile authentication

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links