Method and system for authenticating a rich client to a web or cloud application

US9699168B2 · US · B2

Patent metadata

Publication number: US-9699168-B2
Application number: US-96616510-A
Country: US
Kind code: B2
Filing date: Dec 13, 2010
Priority date: Dec 13, 2010
Publication date: Jul 4, 2017
Grant date: Jul 4, 2017

Abstract

Official abstract text for this publication.

A rich client performs single sign-on (SSO) to access a web- or cloud-based application. According to the described SSO approach, the rich client delegates to its native application server the task of obtaining a credential, such as a SAML assertion. The native server, acting on behalf of the user, obtains an assertion from a federated identity provider (IdP) that is then returned to the rich client. The rich client provides the assertion to a cloud-based proxy, which presents the assertion to an identity manager to attempt to prove that the user is entitled to access the web- or cloud-based application using the rich client. If the assertion can be verified, it is exchanged with a signed token, such as a token designed to protect against cross-site request forgery (CSRF). The rich client then accesses the web- or cloud-based application making a REST call that includes the signed token. The application, which recognizes the request as trustworthy, responds to the call with the requested data.
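The assertion-for-token exchange and the token-validated REST call that the abstract describes, as an added Python sketch that is not code from the patent or from any product it describes. HMAC-SHA256 stands in for the IdP's XML signature and for the identity manager's token signature; the keys, the user, the rich-client type and the entitlement table are constructed for the example.

```python
import base64, hashlib, hmac, json, secrets

# Constructed keys: HMAC stands in for the IdP's assertion signature and the identity manager's token signature.
IDP_KEY = b"constructed-idp-signing-key"
IDM_KEY = b"constructed-identity-manager-key"
# Constructed entitlement table: which rich-client types each user may use against the application.
PERMITTED_RICH_CLIENTS = {"alice@example.test": {"mail-client"}}

def sign(key: bytes, claims: dict) -> str:
    """Serialise claims and append an HMAC-SHA256 tag: '<base64 body>.<hex mac>'."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    return body + "." + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def verify(key: bytes, token: str):
    """Return the claims if the tag matches, else None (malformed or tampered input included)."""
    body, sep, mac = token.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None
    return json.loads(base64.urlsafe_b64decode(body))

def idp_issue_assertion(subject: str, now: int) -> str:
    """Federated IdP issues a short-lived assertion for the native application server, audienced to the proxy."""
    return sign(IDP_KEY, {"sub": subject, "aud": "cloud-proxy", "exp": now + 300})

def identity_manager_exchange(assertion: str, client_type: str, now: int):
    """Verify the assertion and the user's entitlement; on success return (session cookie, signed token)."""
    claims = verify(IDP_KEY, assertion)
    if claims is None or claims.get("aud") != "cloud-proxy" or claims.get("exp", 0) <= now:
        return None
    if client_type not in PERMITTED_RICH_CLIENTS.get(claims["sub"], set()):
        return None
    session_cookie = secrets.token_hex(16)
    # Bind the token to the session cookie: a token replayed without the matching cookie is rejected.
    token = sign(IDM_KEY, {"sub": claims["sub"], "sid": session_cookie, "exp": now + 3600})
    return session_cookie, token

def application_rest_call(token: str, session_cookie: str, now: int):
    """The application validates the token and its cookie binding before releasing data."""
    claims = verify(IDM_KEY, token)
    if claims is None or claims.get("exp", 0) <= now:
        return 401, None
    if not hmac.compare_digest(claims.get("sid", ""), session_cookie):
        return 401, None
    return 200, {"user": claims["sub"], "inbox": ["constructed message"]}
```

A call carrying a valid token but the wrong session cookie, an expired token, or an assertion for a user not entitled to use that rich-client type is rejected at the corresponding step.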

Claims

Full claim text for this publication.

Having described our invention, what we now claim is as follows:

1. A method of enabling a rich client to authenticate to and access a web- or cloud-based application, comprising: in response to an authentication request issued by the rich client, the rich client being other than browser-based and that supports its own interface as opposed to exporting a web interface to the web- or cloud-based application, obtaining an assertion on behalf of the rich client from an identity provider; in response to receiving the assertion, determining whether the assertion can be verified and whether a user associated with the assertion is permitted to access the application using the rich client; when the assertion can be verified and the user associated with the assertion is permitted to access the application using the rich client, exchanging the assertion for a token; receiving a call together with the token; and when the token is validated, providing data in response to the call.

2. The method as described in claim 1 wherein the assertion is obtained by an application server associated with the rich client.

3. The method as described in claim 1 wherein the identity provider is a federated identity provider.

4. The method as described in claim 1 wherein the step of determining whether the user associated with the assertion is permitted to access the application using the rich client includes returning a session cookie if the outcome of the determination is positive.

5. The method as described in claim 4 wherein the call also includes the session cookie.

6. The method as described in claim 1 wherein the call is a REST call.

7. The method as described in claim 1 wherein the assertion is received via an HTTP POST generated in response to the authentication request.

8. The method as described in claim 1 wherein the rich client provides at least one of: email, calendaring, contact management, and instant messaging.

9. Apparatus to enable a rich client to authenticate to and access a web- or cloud-based application, comprising: a processor; computer memory holding computer program instructions executed by the processor to perform operations comprising: in response to an authentication request issued by the rich client, the rich client being other than browser-based and that supports its own interface as opposed to exporting a web interface to the web- or cloud-based application, obtaining an assertion on behalf of the rich client from an identity provider; in response to receiving the assertion, determining whether the assertion can be verified and whether a user associated with the assertion is permitted to access the application using the rich client; when the assertion can be verified and the user associated with the assertion is permitted to access the application using the rich client, exchanging the assertion for a token; receiving a call together with the token; and when the token is validated, providing data in response to the call.

10. The apparatus as described in claim 9 wherein the assertion is obtained by an application server associated with the rich client.

11. The apparatus as described in claim 9 wherein the identity provider is a federated identity provider.

12. The apparatus as described in claim 9 wherein determining whether the user associated with the assertion is permitted to access the application using the rich client includes returning a session cookie if the outcome of the determination is positive.

13. The apparatus as described in claim 12 wherein the call also includes the session cookie.

14. The apparatus as described in claim 9 wherein the call is a REST call.

15. The apparatus as described in claim 9 wherein the assertion is received via an HTTP POST generated in response to the authentication request.

16. The apparatus as described in claim 9 wherein the rich client provides at least one of: email, calendaring, contact management, and instant messaging.

17. A computer program product in a non-transitory computer readable medium for use in a data processing system to enable a rich client to authenticate to and access a web- or cloud-based application, the computer program product holding computer program instructions which, when executed by the data processing system, perform a method comprising: in response to an authentication request issued by the rich client, the rich client being other than browser-based and that supports its own interface as opposed to exporting a web interface to the web- or cloud-based application, obtaining an assertion on behalf of the rich client from an identity provider; in response to receiving the assertion, determining whether the assertion can be verified and whether a user associated with the assertion is permitted to access the application using the rich client; when the assertion can be verified and the user associated with the assertion is permitted to access the application using the rich client, exchanging the assertion for a token; receiving a call together with the token; and when the token is validated, providing data in response to the call.

18. The computer program product as described in claim 17 wherein the assertion is obtained by an application server associated with the rich client.

19. The computer program product as described in claim 17 wherein the identity provider is a federated identity provider.

20. The computer program product as described in claim 17 wherein the step of determining whether the user associated with the assertion is permitted to access the application using the rich client includes returning a session cookie if the outcome of the determination is positive.

21. The computer program product as described in claim 20 wherein the call also includes the session cookie.

22. The computer program product as described in claim 17 wherein the call is a REST call.

23. The computer program product as described in claim 17 wherein the assertion is received via an HTTP POST generated in response to the authentication request.

24. The computer program product as described in claim 17 wherein the rich client provides at least one of: email, calendaring, contact management, and instant messaging.

Classifications

  • based on web technology, e.g. hypertext transfer protocol [HTTP] · CPC title

  • by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity · CPC title

  • providing single-sign-on or federations · CPC title

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US9699168B2 cover?
A rich client performs single sign-on (SSO) to access a web- or cloud-based application. According to the described SSO approach, the rich client delegates to its native application server the task of obtaining a credential, such as a SAML assertion. The native server, acting on behalf of the user, obtains an assertion from a federated identity provider (IdP) that is then returned to the rich c…
Who is the assignee on this patent?
Pieczul Olgierd Stanislaw, Mcgloin Mark Alexander, Zurko Mary Ellen, and 3 more
What technology area does this patent fall under?
Primary CPC classification H04L63/0815. Mapped technology areas include Electricity.
When was this patent published?
Publication date: Jul 4, 2017 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).