Single sign-on for unmanaged mobile devices

US12063208B2 · US · B2

Patent metadata

Publication number: US-12063208-B2
Application number: US-202117200225-A
Country: US
Kind code: B2
Filing date: Mar 12, 2021
Priority date: Jun 15, 2015
Publication date: Aug 13, 2024
Grant date: Aug 13, 2024

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Disclosed are various examples for providing a single sign-on experience for mobile applications that may or may not be managed. A first application executed in a client device sends an access request to a service provider. The first application receives a redirection response from the service provider that redirects the first application to an identity provider. The first application then receives a further redirection response from the identity provider that causes the first application to request an identity assertion from a second application executed in the client device. The first application receives the identity assertion from the second application. The first application then authenticates with the service provider using the identity assertion.

Claims

Claim text for this publication; claim 1 is the first independent claim.

Therefore, the following is claimed:

1. A non-transitory computer-readable medium embodying a program executable in at least one computing device, the program, when executed by the at least one computing device, being configured to cause the at least one computing device to at least: receive an access request from a client application executed in a client device, wherein the client application is a containerized application that is not a web browser and cannot share cookies with other applications on the client device; cause the client application, using a redirection response that redirects the access request to an identity provider, to request an identity assertion from an authentication application executed in the client device, the identity assertion being requested by the client application using a uniform resource locator (URL) corresponding to the authentication application, the URL comprising an identifier that uniquely identifies the client application and the access request; receive the identity assertion from the client application; verify the identity assertion; and authenticate the client application.

2. The non-transitory computer-readable medium of claim 1, wherein the program, when executed by the at least one computing device, is further configured to cause the at least one computing device to: generate a session token in response to authenticating the client application; and set a cookie with the client application, the cookie including the session token.

3. The non-transitory computer-readable medium of claim 1, wherein the redirection response redirects the client application to the URL.

4. The non-transitory computer-readable medium of claim 1, wherein the URL comprises a randomly generated unique identifier.

5. The non-transitory computer-readable medium of claim 1, wherein the access request comprises a hypertext transfer protocol (HTTP) request, and the access request is redirected by an HTTP response having a status code of 302.

6. The non-transitory computer-readable medium of claim 1, wherein the authentication application is configured to request the identity assertion from the identity provider.

7. The non-transitory computer-readable medium of claim 1, wherein the authentication application is configured to request at least one security credential from a user of the client device.

8. A system, comprising: at least one computing device, comprising: a processor; and a non-transitory computer-readable medium having stored thereon an application executable by the at least one computing device, the application configured to cause the at least one computing device to at least: receive an access request from a client application executed in a client device over a network connection associated with the at least one computing device, wherein the client application is a containerized application that is not a web browser and cannot share cookies with other applications on the client device; cause the client application, using a redirection response that redirects the access request to an identity provider, to request an identity assertion from an authentication application executed in the client device, the identity assertion being requested by the client application using a uniform resource locator (URL) corresponding to the authentication application, the URL comprising an identifier that uniquely identifies the client application and the access request; receive the identity assertion from the client application over the network connection; verify the identity assertion using the processor; and authenticate the client application using the processor.

9. The system of claim 8, wherein the application further causes the at least one computing device to at least: generate a session token in response to authenticating the client application using the processor; and set a cookie with the client application, the cookie including the session token using the processor.

10. The system of claim 8, wherein the redirection response redirects the client application to the URL using the network connection.

11. The system of claim 8, wherein the URL comprises a randomly generated unique identifier.

12. The system of claim 8, wherein the access request comprises a hypertext transfer protocol (HTTP) request, and the access request is redirected by an HTTP response having a status code of 302.

13. The system of claim 8, wherein the authentication application is configured to request the identity assertion from the identity provider over the network connection.

14. A method, comprising: receiving, by an application executed by at least one computing device, an access request from a client application executed in a client device, wherein the client application is a containerized application that is not a web browser and cannot share cookies with other applications on the client device; causing, by the application, the client application, using a redirection response that redirects the access request to an identity provider, to request an identity assertion from an authentication application executed in the client device, the identity assertion being requested by the client application using a uniform resource locator (URL) corresponding to the authentication application, the URL comprising an identifier that uniquely identifies the client application and the access request; receiving, by the application, the identity assertion from the client application; verifying, by the application, the identity assertion; and authenticating, by the application, the client application.

15. The method of claim 14, further comprising: generating, by the application, a session token in response to authenticating the client application; and setting, by the application, a cookie with the client application, the cookie including the session token.

16. The method of claim 14, wherein the redirection response redirects the client application to the URL.

17. The method of claim 14, wherein the predefined scheme name corresponds to URL comprises a randomly generated unique identifier.

18. The method of claim 14, wherein the access request comprises a hypertext transfer protocol (HTTP) request, and the access request is redirected by an HTTP response having a status code of 302.

19. The method of claim 14, wherein the authentication application is configured to request the identity assertion from the identity provider.

20. The method of claim 14, wherein the authentication application is configured to request at least one security credential from a user of the client device.
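The exchange the claims describe (client app, service provider, identity provider and an on-device authentication app reached through a URL scheme), as an added runnable model. This is not the patent's or any vendor's code: the party names, the `authapp://` scheme, the query-parameter names and the HMAC-signed JSON assertion are assumptions chosen so the flow can execute offline. What the model shows beyond the claim text is the verification the service provider has to do before it trusts an assertion: signature, audience, expiry, and that the identifier bound into the assertion is one it actually issued for an outstanding access request (and only once).

```python
"""Added illustration of the redirect-based single sign-on flow in the claims above.
Not the patent's or any vendor's code. The party names, the 'authapp://' scheme
and the HMAC-signed JSON identity assertion are assumptions made to keep the
exchange runnable; a real deployment would use its own assertion format."""
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

SHARED_KEY = b"constructed-demo-key-shared-by-idp-and-sp"  # assumption: IdP and SP share it
ASSERTION_TTL = 60  # seconds an assertion stays valid (assumed value)

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

class IdentityProvider:
    """Issues identity assertions bound to one (client app, access request) identifier."""
    def __init__(self, key: bytes):
        self.key, self.pending = key, {}  # request id -> audience (the service provider)

    def handle_redirected_request(self, request_id: str, audience: str) -> dict:
        # Claim 1: the second 302 sends the client app to the authentication app's URL;
        # the identifier chosen by the service provider rides along in the query string.
        self.pending[request_id] = audience
        return {"status": 302, "location": "authapp://assert?" + urlencode({"id": request_id})}

    def issue_assertion(self, request_id: str, user: str, credential_ok: bool) -> str:
        # Claims 6 and 7: the authentication app asks for the assertion after checking a credential
        if not credential_ok or request_id not in self.pending:
            raise PermissionError("unknown request or bad credential")
        payload = {"sub": user, "aud": self.pending.pop(request_id),
                   "req": request_id, "exp": int(time.time()) + ASSERTION_TTL}
        body = _b64(json.dumps(payload, sort_keys=True).encode())
        return body + "." + _b64(hmac.new(self.key, body.encode(), hashlib.sha256).digest())

class AuthenticationApp:
    """Managed app on the device that holds the user's identity-provider credential."""
    def __init__(self, idp, user, credential_ok=True):
        self.idp, self.user, self.credential_ok = idp, user, credential_ok

    def handle_url(self, url: str) -> str:
        parts = urlparse(url)
        if parts.scheme != "authapp":  # assumed scheme name registered by the auth app
            raise ValueError("not addressed to the authentication app")
        request_id = parse_qs(parts.query)["id"][0]
        return self.idp.issue_assertion(request_id, self.user, self.credential_ok)

class ServiceProvider:
    def __init__(self, key: bytes, idp_url: str, name: str):
        self.key, self.idp_url, self.name = key, idp_url, name
        self.sessions, self.expected = {}, set()  # cookie -> user; outstanding request ids

    def access(self, app_id: str, cookie=None) -> dict:
        if cookie in self.sessions:
            return {"status": 200, "user": self.sessions[cookie]}
        # Claims 1, 4, 5: 302 to the identity provider carrying a random identifier that
        # names this client app and this access request, remembered for later verification
        request_id = app_id + ":" + secrets.token_urlsafe(16)
        self.expected.add(request_id)
        query = urlencode({"aud": self.name, "req": request_id})
        return {"status": 302, "location": self.idp_url + "?" + query}

    def verify_assertion(self, assertion: str, now=None):
        """Return the asserted user, or None if signature, audience, expiry or binding fail."""
        body, _, sig = assertion.partition(".")
        expected_sig = _b64(hmac.new(self.key, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(expected_sig, sig):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
        now = time.time() if now is None else now
        if claims["aud"] != self.name or claims["exp"] < now:
            return None
        if claims["req"] not in self.expected:  # replayed, or never requested by us
            return None
        self.expected.discard(claims["req"])  # single use
        return claims["sub"]

    def login(self, assertion: str) -> dict:
        user = self.verify_assertion(assertion)
        if user is None:
            return {"status": 401}
        token = secrets.token_urlsafe(24)  # claim 2: session token returned in a cookie
        self.sessions[token] = user
        return {"status": 200, "set_cookie": token, "user": user}

def obtain_assertion(sp, idp, auth_app, app_id="containerized-mail-app") -> str:
    """Play the client app's part: follow both 302s, then hand the authapp:// URL to the auth app."""
    first = sp.access(app_id)  # no cookie yet, so the service provider redirects
    q = parse_qs(urlparse(first["location"]).query)
    second = idp.handle_redirected_request(q["req"][0], q["aud"][0])
    return auth_app.handle_url(second["location"])

def sso_flow(sp, idp, auth_app, app_id="containerized-mail-app") -> dict:
    return sp.login(obtain_assertion(sp, idp, auth_app, app_id))

if __name__ == "__main__":
    idp = IdentityProvider(SHARED_KEY)
    sp = ServiceProvider(SHARED_KEY, "https://idp.example/sso", "https://sp.example")
    print(sso_flow(sp, idp, AuthenticationApp(idp, "alice")))
```

The client app never holds a credential and never shares a cookie with the authentication app; it only carries opaque redirect URLs and the resulting assertion, which is what lets a containerized, non-browser app take part. The service provider's `expected` set is what turns the "identifier that uniquely identifies the client application and the access request" from claim 1 into a security check: an assertion for an identifier the provider did not issue, or one presented a second time, is refused.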

Assignees

Airwatch Llc

Inventors

Classifications

  • using credential vaults, e.g. password manager applications or one time password [OTP] applications · CPC title

  • based on web technology, e.g. hypertext transfer protocol [HTTP] · CPC title

  • Program or device authentication · CPC title

  • using tickets, e.g. Kerberos (cryptographic mechanisms or cryptographic arrangements for entity authentication using tickets or tokens H04L9/3213) · CPC title

  • User profiles · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US12063208B2 cover?
Disclosed are various examples for providing a single sign-on experience for mobile applications that may or may not be managed. A first application executed in a client device sends an access request to a service provider. The first application receives a redirection response from the service provider that redirects the first application to an identity provider. The first application then rece…
Who is the assignee on this patent?
Airwatch Llc
What technology area does this patent fall under?
Primary CPC classification H04L63/0815. Mapped technology areas include Electricity.
When was this patent published?
Publication date Aug 13, 2024 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).