Title of invention: Mobile multifactor single-sign-on authentication
Abstract: Features are disclosed for authentication of mobile device applications using a native, independent browser using a single-sign-on system. An authentication module within the mobile application can direct the mobile device's native browser to a URL to initiate authentication with an authentication appliance. The mobile browser can receive and store a browser-accessible token to indicate previous authentication performed by the user. The mobile application can receive from the application appliance and store a client application ID token that may be presented to network services for access. A second mobile device application may direct the same browser to the authentication appliance. The authentication appliance may inspect the persistent browser-accessible token and issue a second client application ID identity to the second application without collecting additional authentication information, or collecting additional authentication information that is different from the first authentication information.
Publication number: US9369457(B2) Publication date: 2016.06.14
Application number: US201414316657 Filing date: 2014.06.26
Applicant: SecureAuth Corporation Inventors: Grajek Garret Florian;Lo Jeff Chiwai;Phillips Robert Jason;Tung Shu Jen
Classification: H04L29/06;G06F17/30;G06F21/31;G06F21/41 Main classification: H04L29/06
Patent agency: Knobbe, Martens, Olson & Bear, LLP Agent: Knobbe, Martens, Olson & Bear, LLP
Independent claim: 1. A computer-implemented method for providing single-sign-on (SSO) authentication to a user of a client application on a mobile device, the computer-implemented method comprising: receiving, from an independent browser on a mobile device, a first request to access a first uniform resource locator (URL) associated with a first non-browser mobile application executing on the mobile device; authenticating the user interacting with the mobile device at least partly by: receiving first authentication information related to the user from the independent browser, and verifying the first authentication information with an identity database; identifying a first URL mapping configured to invoke the first non-browser mobile application; sending, to the independent browser, a browser-based token, the first URL mapping, and a first client application identity for use by the first non-browser mobile application; receiving, from the independent browser on the mobile device, a second request to access a second uniform resource locator (URL) associated with a second non-browser mobile application executing on the mobile device, wherein the second request comprises the browser-based token; verifying, with the identity database, non-revocation of the browser-based token; identifying a second URL mapping configured to invoke the second non-browser mobile application; and sending, to the independent browser, a second client application identity for use by the second non-browser mobile application and the second URL mapping, said method performed in its entirety by a computer system that is separate from the mobile device, wherein the independent browser has not been specifically configured to provide identity information for non-browser mobile applications.
Address: Irvine CA US