Information handling devices (“devices”) come in a variety of forms, for example desktop and laptop computing devices, tablet computing devices, smart phones, e-readers, MP3 players, and the like. Many such devices are configured for use with applications “apps”, which often are downloaded by a user to his or her device (“client device”). Often times, these apps have a web-based presence, e.g., a web site that offers products and services associated with the client application.
As an example, a music store app may be downloaded to a client device by a user and provide the user with the ability to buy and download music files from the music store app at the client device. However, often such applications will include offers for products or services that are only available from the web-based presence (e.g., a product that may only be purchased using an associated music store web site in this example). Thus, a user may locate a product or service using the client device app and then (e.g., after selecting the product or service link within the client application) be automatically redirected to the web-based presence. In a common example, this re-direction takes the form of launching a web browser that takes the user to the associated web site corresponding to the selected product or service located using the app on the client device. Once at the web site, the user may complete the purchase or access the service desired, etc.
In summary, one aspect provides a method, comprising: receiving user credentials at a client application via an input device of an information handling device; creating a token using the user credentials; launching a web browser after receiving input at the client application; providing the token to a remote device; and loading, in response to the remote device authenticating the user based on the token, a secure web site in the web browser for presentation on a display device associated with the information handling device.
Another aspect provides an information handling device, comprising: an input device; one or more processors; and a memory operatively coupled to the one or more processors that stores instructions executable by the one or more processors to perform acts comprising: receiving user credentials at a client application via an input device of the information handling device; creating a token using the user credentials; launching a web browser after receiving input at the client application; providing the token to a remote device; and loading, in response to the remote device authenticating the user based on the token, a secure web site in the web browser for presentation on a display device associated with the information handling device.
A further aspect provides a program product, comprising: a storage medium having computer program code embodied therewith, the computer program code comprising: computer program code configured to receive user credentials at a client application via an input device of an information handling device; computer program code configured to create a token using the user credentials; computer program code configured to launch a web browser after receiving input at the client application; computer program code configured to provide the token to a remote device; and computer program code configured to load, in response to the remote device authenticating the user based on the token, a secure web site in the web browser for presentation on a display device associated with the information handling device.
A still further aspect provides a method, comprising: receiving, at an information handling device, user credentials input at a client application of a client device, the credentials received in the form of a token derived from the user credentials; authenticating, in response to a web page request from the client device, the user based on the token; providing, in response to authenticating the user based on the token, a secure web site to the web browser of the client device for presentation on a display device associated with the client device.
The foregoing is a summary and thus may contain simplifications, generalizations, and omissions of detail; consequently, those skilled in the art will appreciate that the summary is illustrative only and is not intended to be in any way limiting.
For a better understanding of the embodiments, together with other and further features and advantages thereof, reference is made to the following description, taken in conjunction with the accompanying drawings. The scope of the invention will be pointed out in the appended claims.
It will be readily understood that the components of the embodiments, as generally described and illustrated in the figures herein, may be arranged and designed in a wide variety of different configurations in addition to the described example embodiments. Thus, the following more detailed description of the example embodiments, as represented in the figures, is not intended to limit the scope of the embodiments, as claimed, but is merely representative of example embodiments.
Reference throughout this specification to “one embodiment” or “an embodiment” (or the like) means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment. Thus, the appearance of the phrases “in one embodiment” or “in an embodiment” or the like in various places throughout this specification are not necessarily all referring to the same embodiment.
Furthermore, the described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments. One skilled in the relevant art will recognize, however, that the various embodiments can be practiced without one or more of the specific details, or with other methods, components, materials, et cetera. In other instances, well known structures, materials, or operations are not shown or described in detail to avoid obfuscation.
In this description, client application (or client side application, client app or the like) takes the meaning of an application resident on a client device (e.g., tablet, smart phone, or other personal information handling device). A token takes the meaning of information identifying a user's session, e.g., a text based string. Each token is unique per login session. A token may be validated based on settings on the device performing the authentication (e.g., the web server in question).
Authentication problems exist between client side applications (“client apps”) and their associated web sites. For example, when a user authenticates in a client app on a client device (e.g., tablet computer) and then selects a product or service that is only available via an associated web site, the client app launches a web browser addressed to an appropriate web site (e.g., for completing a transaction).
However, even though the web site may use the same user credentials, the user is not recognized by the web site. This is so even though the user has already authenticated to the client app with those same credentials. The user is in turn required to authenticate to the web site, which means inputting the credentials a second time (e.g., user name/password input). While certain operating systems (e.g., the WINDOWS 8 operating system) support SSO between certain applications (e.g., “METRO applications” in the case of the WINDOWS 8 operating system), there is no method to support SSO between an application and a web browser.
Accordingly, embodiments provide methods, products and devices that permit a single sign on (“SSO”) to be performed using a client app and a web site such that the user need only authenticate a single time (e.g., to the client side app). Embodiments therefore greatly reduce the cumbersome credentialing process that a user currently encounters when attempting to access products or services via a client app and associated web site.
The illustrated example embodiments will be best understood by reference to the figures. The following description is intended only by way of example, and simply illustrates certain example embodiments.
Referring to
There are power management chip(s) 230, e.g., a battery management unit, BMU, which manage power as supplied for example via a rechargeable battery 240, which may be recharged by a connection to a power source (not shown). In at least one design, a single chip, such as 210, is used to supply BIOS like functionality and DRAM memory.
ARM based systems 200 typically include one or more of a WWAN transceiver 250 and a WLAN transceiver 260 for connecting to various networks, such as telecommunications networks and wireless base stations. Commonly, an ARM based system 200 will include a touch screen 270 for data input and display. ARM based systems 200 also typically include various memory devices, for example flash memory 280 and SDRAM 290.
The example of
In
In
The system, upon power on, may be configured to execute boot code 190 for the BIOS 168, as stored within the SPI Flash 166, and thereafter processes data under the control of one or more operating systems and application software (for example, stored in system memory 140). An operating system may be stored in any of a variety of locations and accessed, for example, according to instructions of the BIOS 168. As described herein, a device may include fewer or more features than shown in the system of
Information handling devices, as for example outlined in
Referring to
At 330, on the server side, when the remote server (e.g., web server) receives the token, it provides the user with the desired web site using the token. For example, the remote server may set the token in the browser and redirect the browser to the target URL that recognizes the user (automatically) using the supplied token. If the token set in the browser is not accepted and the user is not authenticated at 340 (e.g., incorrect user credentials, token not valid, etc.) the user may be prompted for input of credentials to the web site (per standard convention). If the token is accepted, at 350 the web browser may thus present a web site that requires user login (“secure web site”) via use of the token. The token may be passed to the remote server via query string, form data, etc. Accordingly, an embodiment provides a mechanism whereby the user has input his or her credentials a single time (e.g., to the client app) and both the client app and the web browser recognize the user, eliminating the need for the user to provide his or her credentials to the web site for authentication.
Various security measures may be implemented to protect the process from unwanted or unauthorized access. For example, if it has been long enough (in time) since the user has input the credentials to the client app, the token may no longer be valid (e.g., a time out). The client app may also request that the user re-authenticate (i.e., re-input his or her credentials to the client app) prior to launching the web browser (e.g., after a time out has taken place or as a default measure for certain applications or functions thereof, e.g., payment web sites may be the focus of more security, etc.).
An embodiment thus provides for the routing of a device-based application user (“client app”, A1), authenticated through an SSO provider, to a browser-based application (“web browser”, A2), and communicating the user's authentication state from (A1) to (A2).
With further reference to
Items that may be used to accomplish these steps (a-d) include making decisions based on the requestor's IP address, which is available to logic on the proxy server, as well as token state and origination log files managed by the SSO provider. One or more of these, or other, security measures may be implemented to promote security to the process of passing the token and automatically authenticating the user to the web site using the token.
In practical use, a user may log into a client app, for example a support application, resident on the user's client device (e.g., tablet or smart phone). The user is authenticated within the client app and thus may proceed to use certain features, e.g., searching help information organized based on a user history associated with the credentials, i.e., as available within the client app. The user may further choose to view information only available on an associated web site, e.g., user forums in which users may post comments and questions. On selecting such a service (e.g., via clicking on a link within the client app), the client app launches a web browser, as is known. According to an embodiment, however, a token is provided (e.g., to the web browser) automatically which may be used to authenticate the user to the web site having the requested product or service (i.e., the “secure web site”). Thus, the user does not have to log in to the web site to access the requested service (e.g., posting comments or questions in a user forum).
The session token (including the user client app credentials) may be provided to the web site in a variety of ways. For example, the session token may be supplied to the web browser as a text string that is appended to the URL supplied to the web browser. The web server will thus be provided with the session token (and credentials) necessary for logging the user into the web site automatically. Other arrangements may also be utilized such that the client app credentials (token) are appropriately provided (formatted) for receipt and utilization by the web server.
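The following Python is an added illustration, not code from the application, of the handoff described above: the client app derives a signed, per-session token from the authenticated user, appends it to the URL handed to the browser, and the remote server validates the token (signature, time out, single use) before setting a session and redirecting to the target URL, or falling back to the standard login prompt. The shared key, the `sso_token` parameter name and the function and class names are assumptions made for the example.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed demo values: the key would be provisioned to both sides by the SSO provider,
# never hard-coded; the TTL is the "time out" after which a token is no longer valid.
SHARED_KEY = b"demo-shared-key-not-for-production"
TOKEN_TTL = 60  # seconds

def create_token(user: str, now: float, key: bytes = SHARED_KEY) -> str:
    """Client-app side: a signed, per-login-session token derived from the authenticated user."""
    nonce = secrets.token_hex(16)                      # unique per login session
    payload = f"{user}|{int(now)}|{nonce}".encode()
    mac = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return base64.urlsafe_b64encode(payload + b"|" + mac).decode().rstrip("=")

def launch_url(target: str, token: str) -> str:
    """Client-app side: append the token to the URL handed to the web browser."""
    return f"{target}?{urlencode({'sso_token': token})}"

class WebServer:
    """Remote-server side: validate the token, then exchange it for a browser session."""
    def __init__(self, key: bytes = SHARED_KEY, ttl: int = TOKEN_TTL):
        self.key, self.ttl = key, ttl
        self.redeemed = set()   # token state log: each nonce is accepted at most once
        self.sessions = {}      # session cookie -> user

    def authenticate(self, token: str, now: float):
        try:
            raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
            payload, mac = raw.rsplit(b"|", 1)
            user, issued, nonce = payload.decode().rsplit("|", 2)
        except (ValueError, UnicodeDecodeError):
            return None
        expected = hmac.new(self.key, payload, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(mac, expected):   # forged or tampered token
            return None
        if now - int(issued) > self.ttl:              # timed out
            return None
        if nonce in self.redeemed:                    # replayed from history or logs
            return None
        self.redeemed.add(nonce)
        return user

    def handle_request(self, url: str, now: float):
        """Return (status, location, cookie) as the browser would receive them."""
        parsed = urlparse(url)
        token = parse_qs(parsed.query).get("sso_token", [None])[0]
        user = self.authenticate(token, now) if token else None
        if user is None:
            return 302, "/login", None    # fall back to the standard credential prompt
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = user
        # Redirect to the target without the token so it does not linger in the address bar
        return 302, parsed._replace(query="").geturl(), cookie
```

Because the token travels in the query string it can be recorded in browser history and server logs, so making it short-lived and single-use, and dropping it from the URL on redirect, limits what such a record is worth to anyone who later reads it.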
Accordingly, embodiments provide methods, products and devices that permit a user to leverage a SSO between a client app and a web browser. This permits the user to quickly and conveniently sign into web sites associated with client apps without the need to re-input user credentials.
As will be appreciated by one skilled in the art, various aspects may be embodied as a system, method or device program product. Accordingly, aspects may take the form of an entirely hardware embodiment or an embodiment including software that may all generally be referred to herein as a “circuit,” “module” or “system.” Furthermore, aspects may take the form of a device program product embodied in one or more device readable medium(s) having device readable program code embodied therewith.
Any combination of one or more non-signal device readable medium(s) may be utilized. The non-signal medium may be a storage medium. A storage medium may be, for example, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a storage medium would include the following: a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
Program code embodied on a storage medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, et cetera, or any suitable combination of the foregoing.
Program code for carrying out operations may be written in any combination of one or more programming languages. The program code may execute entirely on a single device, partly on a single device, as a stand-alone software package, partly on single device and partly on another device, or entirely on the other device. In some cases, the devices may be connected through any type of connection or network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made through other devices (for example, through the Internet using an Internet Service Provider) or through a hard wire connection, such as over a USB connection.
Aspects are described herein with reference to the figures, which illustrate example methods, devices and program products according to various example embodiments. It will be understood that the actions and functionality illustrated may be implemented at least in part by program instructions. These program instructions may be provided to a processor of a general purpose information handling device, a special purpose information handling device, or other programmable data processing device or information handling device to produce a machine, such that the instructions, which execute via a processor of the device implement the functions/acts specified.
The program instructions may also be stored in a device readable medium that can direct a device to function in a particular manner, such that the instructions stored in the device readable medium produce an article of manufacture including instructions which implement the functions/acts specified.
The program instructions may also be loaded onto a device to cause a series of operational steps to be performed on the device to produce a device implemented process such that the instructions which execute on the device provide processes for implementing the functions/acts specified.
This disclosure has been presented for purposes of illustration and description but is not intended to be exhaustive or limiting. Many modifications and variations will be apparent to those of ordinary skill in the art. The example embodiments were chosen and described in order to explain principles and practical application, and to enable others of ordinary skill in the art to understand the disclosure for various embodiments with various modifications as are suited to the particular use contemplated.
Thus, although illustrative example embodiments have been described herein with reference to the accompanying figures, it is to be understood that this description is not limiting and that various other changes and modifications may be effected therein by one skilled in the art without departing from the scope or spirit of the disclosure.