Single sign-on processing for associated mobile applications
US-2015229636-A1 · Aug 13, 2015 · US
Step-up authentication for single sign-on
US9578015B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9578015-B2 |
| Application number | US-201414530064-A |
| Country | US |
| Kind code | B2 |
| Filing date | Oct 31, 2014 |
| Priority date | Oct 31, 2014 |
| Publication date | Feb 21, 2017 |
| Grant date | Feb 21, 2017 |
How to read this patent
A practical reading order for non-experts. Skip the full description unless you need deep technical detail.
- Title
What the patent document calls the invention.
- Abstract
A short plain-language summary of the technical disclosure.
- Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
- Key dates
Filing, priority, publication, and grant dates set the timeline.
- First independent claim
The legal scope of protection — read this for what is actually claimed.
- CPC / IPC classifications
Technology tags used to group this patent with similar filings.
- Citations and related patents
Prior art links and similar publications in this corpus.
Abstract
Official abstract text for this publication.
A method for authenticating a user seeking access to first and second resources that have different authentication levels. The method includes receiving a primary token that is associated with a first authentication event of the user and authenticates the user to access the first resource, and receiving a first request to access the second resource. The method further includes receiving first credentials of the user. The method further includes, responsive to validating the first credentials, generating a second authentication event, associating the second authentication event with the primary token, and issuing a first secondary token that authenticates the user to access the second resource.
First claim
Opening claim text (preview).
We claim: 1. A method for authenticating a user seeking access to first and second resources that have different authentication levels, comprising: receiving, at a token agent installed on a computing device of a user, information authenticating the user, wherein the token agent is not a browser; sending, from the token agent to an authentication server, a request for a primary token authorizing access to the first resource, the request including the information authenticating the user; receiving the primary token at the token agent, from the authentication server, wherein the token agent associates the primary token with a plurality of applications installed on the computing device; receiving, at the token agent, a request to access the second resource from a first application of the plurality of applications installed on the computing device; sending, from the token agent to the authentication server, the primary token and the request to access the second resource; receiving, at the token agent, instructions from the authentication server to perform a second authentication event; in response to receiving instructions from the authentication server to perform a second authentication event, launching a user interface on the computing device through which the user provides authentication information for the second authentication event; sending, from the token agent to the authentication server, information associated with the second authentication event; receiving, at the token agent, an updated primary token from the authentication server, wherein the token agent associates the updated primary token with more than one of the plurality of applications installed on the computing device; resubmitting, from the token agent to the authentication server, the request to access the second resource from the first application, the resubmitted request including the updated primary token; and receiving, at the token agent, a secondary token from the authentication server, the secondary token authorizing the first application to access the second resource. 2. The method of claim 1 , further comprising: receiving, at the token agent, a request to access the second resource from a second application of the plurality of applications installed on the computing device; sending, from the token agent to the authentication server, the updated primary token and the request to access the second resource; and receiving, at the token agent, an additional secondary token from the authentication server, the additional secondary token authorizing the second application to access the second resource. 3. The method of claim 2 , further comprising: receiving, at the token agent, a request to access a third resource from a second application of the plurality of applications installed on the computing device; sending, from the token agent to the authentication server, the updated primary token and the request to access the third resource; and receiving, at the token agent, another secondary token from the authentication server, the another secondary token authorizing the second application to access the third resource. 4. The method of claim 1 , wherein the instructions from the authentication server to perform a second authentication event are generated based on a determination by the authentication server that an access policy associated with the primary token does not provide for access to the secondary resource. 5. The method of claim 1 , wherein receiving instructions from the authentication server to perform a second authentication event further comprises receiving a one-time access (OTA) token from the authentication server. 6. The method of claim 1 , wherein the request to access the second resource from the first application includes a first application identification (ID) that identifies the first application to the authentication server. 7. The method of claim 2 , wherein the request to access the second resource from the second application includes a second application identification (ID) that identifies the second application to the authentication server. 8. A non-transitory, computer-readable storage medium comprising instructions that, when executed by a processor of a computing device of a user, performs stages for authenticating a user seeking access to first and second resources having different authentication levels, the stages comprising: receiving, at a token agent installed on a computing device of a user, information authenticating the user, wherein the token agent is not a browser; sending, from the token agent to an authentication server, a request for a primary token authorizing access to the first resource, the request including the information authenticating the user; receiving the primary token at the token agent, from the authentication server, wherein the token agent associates the primary token with a plurality of applications installed on the computing device; receiving, at the token agent, a request to access the second resource from a first application of the plurality of applications installed on the computing device; sending, from the token agent to the authentication server, the primary token and the request to access the second resource; receiving, at the token agent, instructions from the authentication server to perform a second authentication event; in response to receiving instructions from the authentication server to perform a second authentication event, launching a user interface on the computing device through which the user provides authentication information for the second authentication event; sending, from the token agent to the authentication server, information associated with the second authentication event; receiving, at the token agent, an updated primary token from the authentication server, wherein the token agent associates the updated primary token with more than one of the plurality of applications installed on the computing device; resubmitting, from the token agent to the authentication server, the request to access the second resource from the first application, the resubmitted request including the updated primary token; and receiving, at the token agent, a secondary token from the authentication server, the secondary token authorizing the first application to access the second resource. 9. The non-transitory, computer-readable storage medium of claim 8 , wherein the stages performed by the processor of the computing device further comprise: receiving, at the token agent, a request to access the second resource from a second application of the plurality of applications installed on the computing device; sending, from the token agent to the authentication server, the updated primary token and the request to access the second resource; and receiving, at the token agent, an additional secondary token from the authentication server, the additional secondary token authorizing the second application to access the second resource. 10. The non-transitory, computer-readable storage medium of claim 8 , wherein the stages performed by the processor of the computing device further comprise: receiving, at the token agent, a request to access a third resource from a second application of the plurality of applications installed on the computing device; sending, from the token agent to the authentication server, the updated primary token and the request to access the third resource; and receiving, at the token agent, another secondary token from the authentication server, the another secondary token authorizing the second application to access the third resource. 11. The non-transitory, computer-readable storage medium of claim 8 , wherein
Assignees
Inventors
Classifications
for controlling access to devices or network resources · CPC title
Multiple levels of security · CPC title
Protecting access to data via a platform, e.g. using keys or access control rules · CPC title
- H04L63/0815Primary
providing single-sign-on or federations · CPC title
Mutual Authentication Bi-Directional Authentication, Dialogue, Handshake · CPC title
Patent family
Related publications grouped by family.
External sources
Frequently asked questions
Answers are generated from the same data shown on this page.
- What does patent US9578015B2 cover?
- A method for authenticating a user seeking access to first and second resources that have different authentication levels. The method includes receiving a primary token that is associated with a first authentication event of the user and authenticates the user to access the first resource, and receiving a first request to access the second resource. The method further includes receiving first c…
- Who is the assignee on this patent?
- Vmware Inc
- What technology area does this patent fall under?
- Primary CPC classification H04L63/0815. Mapped technology areas include Electricity.
- When was this patent published?
- Publication date Tue Feb 21 2017 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.
- What related patents are in patentsdb?
- We list 3 related publications on this page (citations in our corpus or others sharing the same primary CPC).