Title of invention: Secure single sign-on for a group of wrapped applications on a computing device and runtime credential sharing
Abstract: A mobile device user is able to execute an app in a federation of wrapped apps without having to log in to that app, provided that the user has already logged into another app in that federation. The federation of apps on the device uses multi-app authentication to enable the user to start subsequent apps after explicitly entering login credentials for another app in that federation. This feature is loosely referred to as single sign-on for apps in the federation. The multi-app authentication is implemented by giving the second app a chance to prove two facts: one, that it knows where in the operating system keychain a login ticket is stored, and two, what the hash value of a random byte array is. By showing these facts, the logged-into app can safely provide login credentials to the subsequent app without the user having to enter a login name or password.
Publication number: US9473485(B2)  Publication date: 2016.10.18
Application number: US201414279971  Application date: 2014.05.16
Applicant: Blue Cedar Networks, Inc.  Inventor: Kendall H. Richard
Classification: G06F21/41;H04L29/06;G06F21/31;G06F21/52;G06F21/62;H04W12/06;G06F21/44;G06F21/53;H04L9/08;H04W12/12  Main classification: G06F21/41
Agency: Kwan & Olynick LLP  Agent: Kwan & Olynick LLP
Independent claim: 1. A method of enabling single-sign on (SSO) in a federation of wrapped apps all using the same certificate on a mobile device, the method comprising: wrapping an SSO app in the federation with a certificate, wherein the certificate was used to secure a login ticket manager app in the federation; determining that the SSO app is signed by the same certificate as the login ticket manager app by having the SSO app access a location in an operating system (OS) keychain shared with the login ticket manager app, said location specified in the certificate; retrieving a login ticket at the location in the OS keychain, said retrieving performed by the SSO app and wherein said login ticket was created and stored in the OS keychain by the login ticket manager app; showing the login ticket to the login ticket manager app, wherein the login ticket manager app knows that the SSO app is in the same federation; transmitting a federation login credentials from the login ticket manager app to the SSO app; and receiving the federation login credentials, wherein the federation login credentials are used to open a keystore of the SSO app thereby enabling the SSO app to execute on the mobile device without the mobile device having to communicate with an external server, wherein the login ticket manager app has a background thread for receiving login tickets from other apps in the federation and transmitting federation login credentials to those other wrapped apps.
Address: San Francisco CA US