Single sign-on without a broker application

US 9,692,745 B2
Filed: 04/10/2015
Issued: 06/27/2017
Est. Priority Date: 04/10/2015
Status: Active Grant

First Claim

Patent Images

1. In a computing environment, a method of facilitating single sign-on on a device having sandboxed applications, the method comprising:

identifying a plurality of associated applications, wherein at least a first application of the associated applications is in a different sandbox security container than at least a second application of the associated applications, and wherein each application of the plurality of associated applications comprises authentication information for obtaining services from one or more service providers;

selecting a primary application from among the plurality of associated applications based on one or more known criteria;

storing an authentication state at the primary application, wherein the authentication state comprises an authoritative set of state data for each of the plurality of associated applications;

receiving an authentication request at a non-primary application within the plurality of associated applications; and

servicing the authentication request via the primary application, wherein authentication information for the non-primary application is derived from the authentication state stored at the primary application.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Facilitating single sign-on on a device having sandboxed applications. A method includes identifying a plurality of associated applications. Criteria are evaluated to identify a primary application. Authentication state is stored at the primary application. One or more portions of the authentication state can be used by the applications in the plurality of associated application for authentication.

32 Citations

View as Search Results

20 Claims

1. In a computing environment, a method of facilitating single sign-on on a device having sandboxed applications, the method comprising:
- identifying a plurality of associated applications, wherein at least a first application of the associated applications is in a different sandbox security container than at least a second application of the associated applications, and wherein each application of the plurality of associated applications comprises authentication information for obtaining services from one or more service providers;
  
  selecting a primary application from among the plurality of associated applications based on one or more known criteria;
  
  storing an authentication state at the primary application, wherein the authentication state comprises an authoritative set of state data for each of the plurality of associated applications;
  
  receiving an authentication request at a non-primary application within the plurality of associated applications; and
  
  servicing the authentication request via the primary application, wherein authentication information for the non-primary application is derived from the authentication state stored at the primary application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein selecting a primary application from among the plurality of associated applications based on one or more known criteria comprises identifying an ordered list of applications from the plurality of associated applications to identify back-up locations for the authentication state, the method further comprising storing at least a portion of the authentication state in a top n number of applications from the ordered list.
  - 3. The method of claim 2, wherein storing at least a portion of the authentication state in a top n number of applications from the ordered list is performed as a result of one or more of adding a user account, removing a user account, user interaction to provide authentication input, expiration of pre-determined time, an application version change, or a change in authentication state.
  - 4. The method of claim 2, further comprising determining that the authentication state is no longer available from the primary application due to the primary application being removed from the device, and as a result promoting a top application from the top n application to the primary application.
  - 5. The method of claim 2, further comprising determining that the authentication state is no longer available from the primary application due to the authentication state being unavailable from the primary application, and as a result, the primary application obtaining the authentication state from one of the top n applications.
  - 6. The method of claim 1, wherein selecting a primary application comprises selecting an application based on at least one or more of:
    - an alphabetical order by application name, application versions, software development kit (SDK) versions, protocol versions, a hard coded list, lifetime of applications on the device, frequency of application use, likelihood of application being installed or uninstalled, a specified user preference, or external metrics.
  - 7. The method of claim 1, further comprising, selecting the plurality of associated applications from an allowed list of applications that can be authenticated on the device.
  - 8. The method of claim 1, further comprising receiving a request for information from the authentication state from an application that is not in the plurality of associated applications, determining that the application is not in the plurality of associated applications, and as a result denying the request.
  - 9. The method of claim 1, wherein each of the applications in the plurality of associated applications can communicate with the primary application and with each other.

10. A sandboxed system comprising:
- a memory configured to store a plurality of associated applications, wherein each application of the plurality of associated applications comprises authentication information for obtaining services from one or more service providers;
  
  a security unit configured to maintain security containers to generate a plurality of sandboxes wherein at least some of the applications in the plurality of associated applications are in different sandboxes; and
  
  a processor configured to select a primary application from the plurality of associated applications based on one or more known criteria,wherein the primary application comprises an authentication state at the primary application, the authentication state comprising an authoritative set of state data for each of the plurality of associated applications including the authentication information for each of the plurality of associated applications, and which is used by the primary application to service one or more authentication request directed to one or more non-primary applications in the plurality of associated applications.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The sandboxed system of claim 10, wherein the processor identifies an ordered list of applications from the plurality of associated applications to identify back-up locations for the authentication state, and wherein a top n number of applications from the plurality of associated applications as identified by the ordered list comprise back-up information including at least a portion of the authentication state.
  - 12. The sandboxed system of claim 11, wherein the system comprises an update module that is configured to update the back-up information in the top n number of applications from the plurality of associated applications as a result of one or more of adding a user account, removing a user account, user interaction to provide authentication input, expiration of pre-determined time, an application version change, or a change in authentication state.
  - 13. The sandboxed system of claim 11, wherein the system comprises a validation module that is configured to determine that the authentication state is no longer available from the primary application due to the primary application being removed from the device, and as a result promote a top application from the top n application to the primary application.
  - 14. The sandboxed system of claim 11, wherein the system comprises a validation module that is configured to determine that the authentication state is no longer available from the primary application due to the authentication state being unavailable from the primary application, and as a result, cause the primary application to obtain the authentication state from one of the top n applications.
  - 15. The sandboxed system of claim 10, wherein the processor is configured to select the primary application based on at least one or more of:
    - an alphabetical order by application name, application versions, software development kit (SDK) versions, protocol versions, a hard coded list, lifetime of applications on the device, frequency of application use, likelihood of application being installed or uninstalled, a specified user preference, or external metrics.
  - 16. The sandboxed system of claim 10, further comprising an allowed applications data structure, wherein the applications in the plurality of associated applications are selected from an allowed list of applications in the allowed application data structure that can be authenticated on the device.
  - 17. The sandboxed system of claim 10, wherein each of the applications in the plurality of applications is configured to receive a request for information from the authentication state from an application that is not in the plurality of associated applications, determine that the application is not in the plurality of associated applications, and as a result deny the request.
  - 18. The sandboxed system of claim 10, wherein each of the applications in the plurality of associated applications is configured to communicate with the primary application and with each other.

19. A sandboxed system comprising:
- one or more processors; and
  
  one or more computer-readable hardware storage devices comprising computer executable instructions that are executable by the one or more processors for causing the sandbox system to perform the following;
  
  an election algorithm computation, wherein the election algorithm computation comprises;
  
  identifying a plurality of associated applications, wherein at least a first application of the associated applications is in a different sandbox than at least a second application of the associated applications, and wherein each application of the plurality of associated applications comprises authentication information for obtaining services from one or more service providers; and
  
  selecting a primary application from among the plurality of associated applications based on one or more known criteria; and
  
  storing an authentication state at the primary application, wherein the authentication state comprises the authoritative set of state data for each of the plurality of associated applications;
  
  receiving an authentication request at a non-primary application within the plurality of associated applications; and
  
  servicing the authentication request via the primary application, wherein authentication information for the non-primary application is derived from the authentication state stored at the primary application.
- View Dependent Claims (20)
- - 20. The system of claim 19, wherein the election algorithm computation further comprises identifying an ordered list of applications from the plurality of associated applications to identify back-up locations for the authentication state, and wherein the applications in the plurality of associated applications are configured to store at least a portion of the authentication state in a top n number of applications from the ordered list.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Xia, Li Qing, He, Jia Le, Lundeen, Alan Jonathan, Subotic, Dejan
Primary Examiner(s)
EL HADY, NABIL M

Application Number

US14/684,139
Publication Number

US 20160301684A1
Time in Patent Office

809 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/41   where a single sign-on prov...

G06F 21/53   by executing in a restricte...

H04L 63/0815   providing single-sign-on or...

H04L 63/108   when the policy decisions a...

H04L 63/12   Applying verification of th...

Single sign-on without a broker application

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

32 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Single sign-on without a broker application

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

32 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links