Multi-factor authentication for managed applications using single sign-on technology

US10187374B2 · US · B2

Patent metadata

Field               Value
Publication number  US-10187374-B2
Application number  US-201514926769-A
Country             US
Kind code           B2
Filing date         Oct 29, 2015
Priority date       Oct 29, 2015
Publication date    Jan 22, 2019
Grant date          Jan 22, 2019

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Disclosed are various examples for facilitating multi-factor authentication for client applications that are configured to use single sign-on technology. An authentication request for a first client application executed in a client device is received by an identity provider. The identity provider then receives data generated by a single sign-on credential from the client device. The single sign-on credential is configured to be used by multiple client applications of the client device. The data generated by the single sign-on credential is verified by the identity provider. The identity provider requests one or more supplementary authentication factors from a second client application. The identity provider then receives the supplementary authentication factor(s) from the second client application and verifies the supplementary authentication factor(s). The identity provider generates an authentication token and sends the token to the first client application.

First claim

Opening claim text (preview).

Therefore, the following is claimed:

1. A non-transitory computer-readable medium embodying a program executable in at least one computing device, the program, when executed by the at least one computing device, being configured to cause the at least one computing device to at least: receive an authentication request for a first client application executed in a client device; receive data generated by a single sign-on credential from the client device as part of a single sign-on process, the single sign-on credential being configured to be used by a plurality of client applications of the client device; verify the data generated by the single sign-on credential; determine whether at least one supplementary authentication factor is required from a second client application by: determining a version of an operating system of the client device; and determining that the at least one second authentication factor should be requested when the version of the operating system corresponds to a particular operating system version; when the at least one supplementary authentication factor is required, and prior to sending an authentication token to the first client application: request the at least one supplementary authentication factor from the second client application; receive the at least one supplementary authentication factor from the second client application; and verify the at least one supplementary authentication factor prior to allowing the first client application to be authenticated in the single sign-on process; in response to verifying the data generated by the single sign-on credential and verifying the at least one supplementary authentication factor from the second client application, generate the authentication token; and send the authentication token to the first client application.

2. The non-transitory computer-readable medium of claim 1, wherein the single sign-on credential comprises at least one of: a secure certificate or a Kerberos profile.

3. The non-transitory computer-readable medium of claim 1, wherein the second client application is executed in the client device.

4. The non-transitory computer-readable medium of claim 1, wherein the second client application is executed in a different client device.

5. The non-transitory computer-readable medium of claim 1, wherein the first client application does not natively support authentication using the at least one supplemental authentication factor.

6. The non-transitory computer-readable medium of claim 1, wherein the at least one supplementary authentication factor comprises at least one of: a one-time password, a smartcard, or a biometric identifier.

7. The non-transitory computer-readable medium of claim 1, wherein the program, when executed by the at least one computing device, is further configured to cause the at least one computing device to: send a response to the authentication request to the first client application, the response requesting authentication by the single sign-on credential, wherein the authentication request is redirected from a service provider for which authentication is desired.

8. A system, comprising: at least one computing device; and an identity provider service executable by the at least one computing device, the identity provider service configured to cause the at least one computing device to at least: receive an authentication request for a first client application executed in a client device; receive data generated by a single sign-on credential from the client device as part of a single sign-on process, the single sign-on credential being configured to be used by a plurality of client applications of the client device; verify the data generated by the single sign-on credential; determine whether at least one supplementary authentication factor is required from a second client application by: determining a version of an operating system of the client device; and determining that the at least one second authentication factor should be requested when the version of the operating system corresponds to a particular operating system version; when the at least one supplementary authentication factor is required, and prior to sending an authentication token to the first client application; request the at least one supplementary authentication factor from the second client application; receive the at least one supplementary authentication factor from the second client application; and verify the at least one supplementary authentication factor prior to allowing the first client application to be authenticated in the single sign-on process; in response to verifying the data generated by the single sign-on credential and verifying the at least one supplementary authentication factor from the second client application, generate the authentication token; and send the authentication token to the first client application.

9. The system of claim 8, wherein the single sign-on credential comprises data generated by at least one of: a secure certificate or a Kerberos profile.

10. The system of claim 8, wherein the authentication token is sent within a security assertion markup language (SAML) identity assertion.

11. The system of claim 8, wherein the first client application does not natively support authentication using the at least one supplemental authentication factor.

12. The system of claim 8, wherein the at least one supplementary authentication factor comprises at least one of: a one-time password, a smartcard, or a biometric identifier.

13. A method, comprising: receiving an authentication request for a first client application executed in a client device; receiving data generated by a single sign-on credential from the client device as part of a single sign-on process, the single sign-on credential being configured to be used by a plurality of client applications of the client device; verifying the data generated by the single sign-on credential; determining whether at least one supplementary authentication factor is required from a second client application by: determining a version of an operating system of the client device; and determining that the at least one second authentication factor should be requested when the version of the operating system corresponds to a particular operating system version; when the at least one supplementary authentication factor is required, and prior to sending an authentication token to the first client application: requesting the at least one supplementary authentication factor from the second client application; receiving the at least one supplementary authentication factor from the second client application; and verifying the at least one supplementary authentication factor prior to allowing the first client application to be authenticated in the single sign-on process; in response to verifying the data generated by the single sign-on credential and verifying the at least one supplementary authentication factor from the second client application, generating the authentication token; and sending the authentication token to the first client application.

14. The method of claim 13, wherein the single sign-on credential comprises at least one of: a secure certificate or a Kerberos profile.

15. The method of claim 14, wherein the first client application is configured to request a session token from a service provider using the authentication token.

16. The method of claim 13, wherein the first client application does not natively support authentication using the at least one supplemental authenticat
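The flow in claim 1 and claim 13 is easiest to see as code: the identity provider verifies the device-wide SSO credential, decides from the client's OS version whether a supplementary factor is required, obtains that factor from a second (authenticator) application, and only after both checks pass generates a token for the first application. The following is an added illustration written for this page; it is not code from the patent or from its assignee. The keys, the HMAC-based stand-ins for a certificate or Kerberos credential and for a one-time password, the OS-version policy in STEP_UP_OS_VERSIONS, and the request field names are all constructed assumptions. It also adds two defensive details the claims leave implicit: the SSO data carries a one-shot nonce so it cannot be replayed, and the issued token records whether the supplementary factor was checked so a service provider can enforce it.

```python
"""Toy identity provider following the step-up flow of US10187374B2 claim 1.

Added example for illustration only; all keys, names and the policy are
constructed assumptions, not the patent's or AirWatch's own code.
"""
import hashlib
import hmac
import json
import secrets
import time

# Constructed secrets. In a real deployment the SSO credential would be a
# device certificate or Kerberos profile and the IdP would hold its own key.
SSO_DEVICE_KEY = b"constructed-device-key"
SECOND_APP_SECRET = b"constructed-authenticator-secret"
IDP_TOKEN_KEY = b"constructed-idp-signing-key"
# Assumed policy: OS versions for which the supplementary factor is required.
STEP_UP_OS_VERSIONS = {"9.3", "10.0"}


def _mac(key, *parts):
    """HMAC-SHA256 over '|'-joined string parts, hex encoded."""
    return hmac.new(key, "|".join(parts).encode(), hashlib.sha256).hexdigest()


def sso_credential_sign(device_id, app_id, nonce):
    """Client side: data the device-wide SSO credential produces for one app's request."""
    return _mac(SSO_DEVICE_KEY, "sso", device_id, app_id, nonce)


def second_app_respond(challenge):
    """Client side: the second (authenticator) app answers the IdP's challenge."""
    return _mac(SECOND_APP_SECRET, "factor", challenge)


def verify_token(token):
    """Service-provider side: check the IdP's MAC and return the claims, or None."""
    payload, _, sig = token.rpartition(".")
    if not hmac.compare_digest(_mac(IDP_TOKEN_KEY, "token", payload), sig):
        return None
    return json.loads(payload)


class IdentityProvider:
    def __init__(self):
        self.seen_nonces = set()  # one-shot nonces so SSO data cannot be replayed

    def requires_supplementary_factor(self, os_version):
        """Claim 1's test: the second factor is required for particular OS versions."""
        return os_version in STEP_UP_OS_VERSIONS

    def verify_sso(self, req):
        nonce = req["nonce"]
        if nonce in self.seen_nonces:
            return False
        expected = sso_credential_sign(req["device_id"], req["app_id"], nonce)
        if not hmac.compare_digest(expected, req["sso_data"]):
            return False
        self.seen_nonces.add(nonce)
        return True

    def issue_token(self, req, mfa):
        claims = {"sub": req["device_id"], "aud": req["app_id"],
                  "iat": int(time.time()), "mfa": mfa}
        payload = json.dumps(claims, sort_keys=True)
        return payload + "." + _mac(IDP_TOKEN_KEY, "token", payload)

    def authenticate(self, req, second_app):
        """Run the flow for one request; returns (token or None, reason).

        second_app is a callable standing in for the channel to the second
        client application, which may run on the same or another device."""
        if not self.verify_sso(req):
            return None, "sso credential rejected"
        mfa = self.requires_supplementary_factor(req["os_version"])
        if mfa:
            challenge = secrets.token_hex(16)
            answer = second_app(challenge)
            expected = _mac(SECOND_APP_SECRET, "factor", challenge)
            if not isinstance(answer, str) or not hmac.compare_digest(expected, answer):
                return None, "supplementary factor rejected"
        # The token is generated only after every required verification passed.
        return self.issue_token(req, mfa), "ok"


if __name__ == "__main__":
    idp = IdentityProvider()
    nonce = secrets.token_hex(8)
    req = {"device_id": "dev-1", "app_id": "mail-app", "os_version": "10.0",
           "nonce": nonce, "sso_data": sso_credential_sign("dev-1", "mail-app", nonce)}
    token, why = idp.authenticate(req, second_app_respond)
    print(why, verify_token(token))
```

The point to check in any implementation of this pattern is ordering: the token must not exist until the supplementary factor has been verified, and a token issued without it should be distinguishable (here via the `mfa` claim) from one issued with it, otherwise the service provider cannot tell which path was taken.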

Assignees

AirWatch LLC

Inventors

Classifications

  • applying multi-factor authentication · CPC title

  • Applying verification of the received information (cryptographic mechanisms or cryptographic arrangements for data integrity or data verification H04L9/32) · CPC title

  • using tickets, e.g. Kerberos (cryptographic mechanisms or cryptographic arrangements for entity authentication using tickets or tokens H04L9/3213) · CPC title

  • providing single-sign-on or federations · CPC title

  • using certificates (cryptographic mechanisms or cryptographic arrangements for entity authentication involving certificates H04L9/3263) · CPC title


Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US10187374B2 cover?
Disclosed are various examples for facilitating multi-factor authentication for client applications that are configured to use single sign-on technology. An authentication request for a first client application executed in a client device is received by an identity provider. The identity provider then receives data generated by a single sign-on credential from the client device. The single sign…
Who is the assignee on this patent?
AirWatch LLC
What technology area does this patent fall under?
Primary CPC classification H04L63/0815. Mapped technology areas include Electricity.
When was this patent published?
Publication date Jan 22, 2019 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).