Federated full domain logon

US10122703B2 · US · B2

Patent metadata

Publication number: US-10122703-B2
Application number: US-201514870447-A
Country: US
Kind code: B2
Filing date: Sep 30, 2015
Priority date: Sep 30, 2014
Publication date: Nov 6, 2018
Grant date: Nov 6, 2018

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Methods and systems for faster and more efficient smart card logon and for giving a client device full domain access in a remote computing environment are described herein. Components used to implement fast smart card logon may also be used to implement a federated full domain logon. A virtual smart card credential, which may be ephemeral, may be issued based on the acceptance of an external authentication event. Example external authentication events include logon at a Security Assertion Markup Language (SAML) Identity Provider, smart card authentication over TLS or SSL, and alternative authentication credentials such as biometrics or one-time password (OTP) without AD password. Moreover, the certificate operation interception components from fast smart card logon may be used to enable interaction with the virtual smart card without fully emulating a smart card at the PC/SC API level. The virtual smart card may be created locally at the authentication server or on a separate server that may be highly protected.

First claim

Opening claim text (preview).

What is claimed is:

1. A method comprising: storing a certificate at a credential mapper of a server device; corresponding, by the server device, a token to the certificate stored at the credential mapper; receiving, at the server device and from a client device, the token; determining, at the server device, whether the client device has authenticated with an identity providing device based on the token received from the client device; in response to determining that the client device has authenticated with the identity providing device based on the token, generating a temporary certificate based on the certificate stored at the credential mapper; after generating the temporary certificate based on the certificate stored at the credential mapper, sending, to the client device, the temporary certificate for granting the client device access to a domain; encrypting, using the temporary certificate, a reference to a credential managed by the credential mapper; and sending the encrypted reference to a virtualization agent managing one or more virtual resources.

2. The method of claim 1, wherein determining whether the client device has authenticated with the identity providing device comprises: sending, by the server device to the identity providing device, information from the token received from the client device; and receiving, from the identity providing device, confirmation that the client device has authenticated with the identity providing device.

3. The method of claim 1, wherein determining whether the client device has authenticated with the identity providing device comprises performing one or more of the following: determining, by the credential mapper of the server device, whether the token received from the client device corresponds to a token issued by the identity providing device; determining, by a gateway service of the server device, whether the token received from the client device corresponds to the token issued by the identity providing device; or determining, by an application store of the server device, whether the token received from the client device corresponds to the token issued by the identity providing device.

4. The method of claim 1, further comprising: linking the temporary certificate to a proof key at the client device, wherein the sending the temporary certificate comprises sending the temporary certificate in response to a determination that the client device has the proof key.

5. The method of claim 1, wherein the temporary certificate comprises a time-limited certificate.

6. The method of claim 1, wherein the credential managed by the credential mapper comprises a virtual smart card managed by the credential mapper, and wherein the temporary certificate comprises a smart card class certificate.

7. An apparatus comprising: a processor; and memory storing computer-executable instructions that, when executed by the processor, cause the apparatus to: store a certificate at a credential mapper of the apparatus; correspond a token to the certificate stored at the credential mapper; receive, from a client device, the token; determine whether the client device has authenticated with an identity providing device based on the token received from the client device; in response to determining that the client device has authenticated with the identity providing device based on the token, generate a temporary certificate based on the certificate stored at the credential mapper; after generating the temporary certificate based on the certificate stored at the credential mapper, send, to the client device, the temporary certificate for granting the client device access to a domain; encrypt, using the temporary certificate, a reference to a credential managed by the credential mapper; and send the encrypted reference to a virtualization agent managing one or more virtual resources.

8. The apparatus of claim 7, wherein determining whether the client device has authenticated with the identity providing device comprises: send, to the identity providing device, information from the token received from the client device; and receive, from the identity providing device, confirmation that the client device has authenticated with the identity providing device.

9. The apparatus of claim 7, wherein determining whether the client device has authenticated with the identity providing device comprises performing one or more of the following: determining, by the credential mapper of the apparatus, whether the token received from the client device corresponds to a token issued by the identity providing device; determining, by a gateway service of the apparatus, whether the token received from the client device corresponds to the token issued by the identity providing device; or determining, by an application store of the apparatus, whether the token received from the client device corresponds to the token issued by the identity providing device.

10. The apparatus of claim 7, wherein the memory stores computer-executable instructions that, when executed by the processor, cause the apparatus to: link the temporary certificate to a proof key at the client device, wherein the sending the temporary certificate comprises sending the temporary certificate in response to a determination that the client device has the proof key.

11. The apparatus of claim 7, wherein the temporary certificate comprises a time-limited certificate.

12. The apparatus of claim 7, wherein the credential managed by the credential mapper comprises a virtual smart card managed by the credential mapper, and wherein the temporary certificate comprises a smart card class certificate.

13. A method comprising: sending, by a client device and to an identity providing device, credentials for authenticating the client device with the identity providing device; receiving, at the client device and from the identity providing device, a token indicating that the client device is authenticated with the identity providing device; sending, by the client device and to a server device, the token; receiving, by the client device and from the server device, a temporary certificate for accessing a domain, wherein the temporary certificate is generated based on a certificate stored at a credential mapper of the server device; and in response to the client device receiving the temporary certificate for accessing the domain sending, by the client device and to a virtualization agent managing one or more virtual resources, the temporary certificate for accessing the domain.

14. The method of claim 13, wherein the server device uses the token to determine whether the client device is authenticated with the identity providing device.

15. The method of claim 13, wherein the token is linked to the certificate stored at the credential mapper of the server device.

16. The method of claim 13, wherein the temporary certificate comprises a time-limited certificate.

17. The method of claim 13, wherein the temporary certificate comprises a smart card class certificate.

18. The method of claim 1, wherein the token received at the server device and from the client device comprises a token modified by the identity providing device.

19. The apparatus of claim 7, wherein the token received from the client device comprises a token modified by the identity providing device.

20. The method of claim 13, wherein the token sent by the client device to the server device comprises a token modified by the identity providing devic
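The exchange that claims 1 to 6 and 13 describe, worked through as an added example; it is not code from the patent or from Citrix. Stand-ins and assumptions: an in-process map of issued tokens plays the identity providing device (the SAML assertion and the back-channel confirmation of claim 2 are reduced to a lookup that also consumes the token, so a replayed token fails); a self-signed Ed25519 CA plays the certificate stored at the credential mapper; the temporary certificate is a real X.509 leaf signed by that CA, valid for ten minutes, bound to the client's proof key and carrying the Microsoft Smart Card Logon EKU (OID 1.3.6.1.4.1.311.20.2.2); "encrypting, using the temporary certificate" is read as AES-GCM under a key derived from the certificate and a server/agent shared secret, which is one way to realise that step and not the patent's own construction; the user "alice", the credential reference format and the shared secret are invented for the example.

```go
// Added example of the logon flow in claims 1-6 and 13; it is not Citrix code. Constructed stand-ins:
// a package-level map plays the IdP's record of issued tokens, which the server checks in place of
// the back channel of claim 2, and a self-signed CA plays the certificate stored at the credential
// mapper. The server/agent secret, the user "alice" and the reference format are assumptions.
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var agentKey = []byte("constructed-server-to-agent-secret") // assumed: known only to server and agent

// must panics on setup failures (certificate encoding, cipher construction); authentication decisions return errors.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// randBytes draws n bytes from crypto/rand (tokens, serials, nonces, key seeds, challenges).
func randBytes(n int) []byte {
	b := make([]byte, n)
	rand.Read(b)
	return b
}

// idpIssued plays the identity providing device's record of the one-time tokens it handed out (claims 2-3).
var idpIssued = map[string]string{}

func IdPAuthenticate(user string) string {
	tok := fmt.Sprintf("%x", randBytes(16))
	idpIssued[tok] = user
	return tok
}

// NewProofKey makes the client-side key the temporary certificate is bound to (the CA reuses it for its own key).
func NewProofKey() ed25519.PrivateKey { return ed25519.NewKeyFromSeed(randBytes(ed25519.SeedSize)) }

// CredentialMapper stores the issuing certificate and maps users to the credentials it manages.
type CredentialMapper struct {
	cert *x509.Certificate
	key  ed25519.PrivateKey
	refs map[string]string // user -> reference to a virtual smart card credential (assumed format)
}

func NewCredentialMapper() *CredentialMapper {
	key := NewProofKey()
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		Subject: pkix.Name{CommonName: "Credential Mapper CA"}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der := must(x509.CreateCertificate(rand.Reader, ca, ca, key.Public(), key))
	return &CredentialMapper{must(x509.ParseCertificate(der)), key, map[string]string{"alice": "vsc://alice/slot0"}}
}

// refCipher keys AES-GCM from the temporary certificate plus the server/agent secret, so the reference
// opens only for that one logon and only at the agent ("encrypting, using the temporary certificate").
func refCipher(certDER []byte) cipher.AEAD {
	k := sha256.Sum256(append(append([]byte{}, agentKey...), certDER...))
	return must(cipher.NewGCM(must(aes.NewCipher(k[:]))))
}

// Logon is the server side of claim 1: confirm the token, mint a time-limited smart-card-class certificate
// over the client's proof key (claims 4-6), and encrypt the credential reference for the virtualization agent.
func (m *CredentialMapper) Logon(tok string, proofKey crypto.PublicKey, now time.Time) ([]byte, []byte, error) {
	user, ok := idpIssued[tok]
	delete(idpIssued, tok) // one-time: a replayed token is never confirmed twice
	ref, mapped := m.refs[user]
	if !ok || !mapped {
		return nil, nil, fmt.Errorf("token not confirmed by the IdP, or no credential mapped")
	}
	tmpl := &x509.Certificate{SerialNumber: new(big.Int).SetBytes(randBytes(16)), Subject: pkix.Name{CommonName: user},
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(10 * time.Minute), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		// Microsoft Smart Card Logon EKU: what makes this a "smart card class" certificate (claim 6)
		UnknownExtKeyUsage: []asn1.ObjectIdentifier{{1, 3, 6, 1, 4, 1, 311, 20, 2, 2}}}
	certDER := must(x509.CreateCertificate(rand.Reader, tmpl, m.cert, proofKey, m.key))
	gcm := refCipher(certDER)
	nonce := randBytes(gcm.NonceSize())
	return certDER, gcm.Seal(nonce, nonce, []byte(ref), nil), nil
}

// AgentAdmit is the virtualization agent: the client presents the temporary certificate (claim 13) plus a signature
// over the agent's challenge (claim 4); chain, validity window, EKU and proof of possession are checked before opening.
func AgentAdmit(root *x509.Certificate, certDER, encRef, challenge, sig []byte, now time.Time) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err = cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", err
	}
	if pub, ok := cert.PublicKey.(ed25519.PublicKey); !ok || !ed25519.Verify(pub, challenge, sig) {
		return "", fmt.Errorf("client does not hold the proof key")
	}
	gcm := refCipher(certDER)
	if len(encRef) < gcm.NonceSize() {
		return "", fmt.Errorf("encrypted reference too short")
	}
	ref, err := gcm.Open(nil, encRef[:gcm.NonceSize()], encRef[gcm.NonceSize():], nil)
	return string(ref), err
}

// RunFlow walks one logon: client -> server (token) -> client (temporary certificate) -> agent.
func RunFlow(m *CredentialMapper, tok string, pk ed25519.PrivateKey, now, agentNow time.Time) (string, error) {
	certDER, encRef, err := m.Logon(tok, pk.Public(), now)
	if err != nil {
		return "", err
	}
	challenge := randBytes(16) // the agent's fresh per-session challenge
	return AgentAdmit(m.cert, certDER, encRef, challenge, ed25519.Sign(pk, challenge), agentNow)
}

func main() {
	m, now := NewCredentialMapper(), time.Now()
	fmt.Println(RunFlow(m, IdPAuthenticate("alice"), NewProofKey(), now, now))
}
```

Running the file prints the decrypted reference for one good logon. The server refuses a token the IdP never issued, a token that has already been consumed, and a user with no mapped credential; the agent refuses, before the reference is decrypted, a certificate whose chain does not lead to the mapper's certificate, one outside its ten-minute validity window, one without the ClientAuth EKU, and a challenge signature that does not verify under the certificate's key. Keying the reference to the certificate plus a secret the agent holds is what stops anyone who merely sees the certificate in transit from recovering the reference.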

Assignees

Citrix Systems Inc

Inventors

Classifications

  • providing single-sign-on or federations · CPC title

  • using an additional device, e.g. smartcard, SIM or a different communication terminal (cryptographic mechanisms or cryptographic arrangements for entity authentication involving additional secure or trusted devices H04L9/3234) · CPC title

  • involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token (network architectures or network communication protocols for supporting authentication of entities using an additional device in a packet data network H04L63/0853) · CPC title

  • G06F21/33 · Primary

    using certificates · CPC title

  • including means for verifying the identity or authority of a user of the system {or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials} · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US10122703B2 cover?
Methods and systems for faster and more efficient smart card logon and for giving a client device full domain access in a remote computing environment are described herein. Components used to implement fast smart card logon may also be used to implement a federated full domain logon. A virtual smart card credential, which may be ephemeral, may be issued based on the acceptance of an external au…
Who is the assignee on this patent?
Citrix Systems Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/0815. Mapped technology areas include Electricity.
When was this patent published?
Publication date: Nov 6, 2018 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 1 related publication on this page (citations in our corpus or others sharing the same primary CPC).