Single sign on for a remote user session
Abstract
A user accesses a remote session, the connection to which is managed by a connection broker, according to a single sign-on (SSO) process. The SSO process includes the user entering his or her credentials and being authenticated to the connection broker. In addition to user authentication, the SSO process includes connection broker authentication to confirm that the connection broker is trustworthy. When the connection broker is authenticated, the user credentials are transmitted to the connection broker in a secure manner and the connection broker forwards them onto a machine hosting the remote session so that the user can be logged into the remote session without entering his or her credentials again.
Claims
exact text as granted — not AI-modifiedWe claim:
1 . A method of authenticating a user to a service running in a system, comprising:
responsive to receiving an input of user credentials at a client computing device, logging the user into the client computing device which is configured to communicate with the service via a network; storing the user credentials in the client computing device; displaying, on the client computing device, a first user interface including an option permitting the user to select whether to use the same user credentials used to log into the client computing device to also access the service; and responsive to a first request, made via the first user interface, to access the service using the same user credentials used to log into the client computing device:
transmitting the stored user credentials from the client computing device to the service, and
at the service, authenticating the user using the user credentials transmitted from the client computing device.
2 . The method of claim 1 , further comprising, configuring the first user interface to enable the option permitting the user to select whether to use the same user credentials used to log into the client computing device to also access the service.
3 . The method of claim 1 , wherein:
the first user interface is displayed responsive to a launching, in the client computing device, of a virtualized desktop infrastructure (VDI) client which facilitates a remote session with the service; and the option permitting the user to select whether to use the same user credentials used to log into the client computing device to also access the service is a checkbox in the first user interface.
4 . The method of claim 1 , further comprising:
responsive to a second request, made via the first user interface, to not access the service using the same user credentials used to log into the client computing device, displaying at the client computing device a second user interface which prompts the user to input user credentials for accessing the service.
5 . The method of claim 4 , wherein the second user interface prompts the user to input user credentials for a different authentication technique than a technique used to log into the client computing device.
6 . The method of claim 1 , further comprising, if authentication of the user at the service using the user credentials transmitted from the client computing device fails, displaying a second user interface which prompts the user to input user credentials for accessing the service.
7 . The method of claim 1 , wherein either the user credentials include a user ID and a password, or the user credentials include a certificate stored in a smart card and a PIN to access the certificate.
8 . The method of claim 1 , further comprising,
authenticating a connection broker, which manages connections to the service, to a process which runs in the client computing device and has access to the stored user credentials; responsive to successful authentication of the connection broker to the process, transmitting the stored user credentials via the process from the client computing device to the authenticated connection broker; and responsive to receiving the user credentials at the authenticated connection broker, forwarding the received user credentials from the authenticated connection broker to the service.
9 . The method of claim 8 , wherein the user credentials are securely stored in the client computing device and securely transmitted from the client computing device to the connection broker and from the connection broker to the service.
10 . The method of claim 1 , wherein the service is a remote desktop running in a virtual machine.
11 . A non-transitory computer-readable storage medium containing a program which, when executed by one or more processors, performs operations for authenticating a user to a service running in a system, the operations comprising:
responsive to receiving an input of user credentials at a client computing device, logging the user into the client computing device which is configured to communicate with the service via a network; storing the user credentials in the client computing device; displaying, on the client computing device, a first user interface including an option permitting the user to select whether to use the same user credentials used to log into the client computing device to also access the service; and responsive to a first request, made via the first user interface, to access the service using the same user credentials used to log into the client computing device:
transmitting the stored user credentials from the client computing device to the service, and
at the service, authenticating the user using the user credentials transmitted from the client computing device.
12 . The computer-readable storage medium of claim 11 , the operations further comprising, configuring the first user interface to enable the option permitting the user to select whether to use the same user credentials used to log into the client computing device to also access the service.
13 . The computer-readable storage medium of claim 11 , wherein:
the first user interface is displayed responsive to a launching, in the client computing device, of a virtualized desktop infrastructure (VDI) client which facilitates a remote session with the service; and the option permitting the user to select whether to use the same user credentials used to log into the client computing device to also access the service is a checkbox in the first user interface.
14 . The computer-readable storage medium of claim 11 , the operations further comprising:
responsive to a second request, made via the first user interface, to not access the service using the same user credentials used to log into the client computing device, displaying a second user interface which prompts the user to input user credentials for accessing the service.
15 . The computer-readable storage medium of claim 14 , wherein the second user interface prompts the user to input user credentials for a different authentication technique than a technique used to log into the client computing device.
16 . The computer-readable storage medium of claim 11 , the operations further comprising, if authentication of the user at the service using the user credentials transmitted from the client computing device fails, displaying a second user interface which prompts the user to input user credentials for accessing the service.
17 . The computer-readable storage medium of claim 11 , wherein either the user credentials include a user ID and a password, or the user credentials include a certificate stored in a smart card and a PIN to access the certificate.
18 . The computer-readable storage medium of claim 11 , the operations further comprising,
authenticating a connection broker, which manages connections to the service, to a process which runs in the client computing device and has access to the stored user credentials; responsive to successful authentication of the connection broker to the process, transmitting the stored user credentials via the process from the client computing device to the authenticated connection broker; and responsive to receiving the user credentials at the authenticated connection broker, forwarding the received user credentials from the authenticated connection broker to the service.
19 . The computer-readable storage medium of claim 18 , wherein the user credentials are securely stored in the client computing device and securely transmitted from the client computing device to the connection broker and from the connection broker to the service.
20 . A system in communication with one or more server computers in which a service runs, comprising:
a processor; and a memory, wherein the memory includes a program for authenticating a user to the service, the program being configured to perform operations comprising:
responsive to receiving an input of user credentials, logging the user into the system,
storing the user credentials,
displaying a user interface including an option permitting the user to select whether to use the same user credentials used to log into the system to also access the service, and
responsive to a request, made via the user interface, to access the service using the same user credentials used to log into the system, transmitting the user credentials to the service,
wherein the user is authenticated at the service using the transmitted user credentials.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.