公开(公告)号：US09509692B2

公开(公告)日：2016-11-29

申请号：US14833329

申请日：2015-08-24

Applicant: Citrix Systems, Inc.

Inventor： Andrew Innes ,  Chris Mayers

IPC: H04L29/06 ,  H04L12/911

CPC classification number: H04L63/0884 ,  H04L47/70 ,  H04L63/0281 ,  H04L63/08 ,  H04L63/0823 ,  H04L63/12

Abstract: A method of authentication and accessing resources is provided. A client device may send a request to a proxy device to access a resource, such as an enterprise resource. The proxy device may authenticate with one or more servers associated with the resource. During authentication, the proxy device may receive a request for a signature controlled by the client device. In response, the proxy device may send a request to the client device for the signature. The request may also include context information that identify a data structure of authentication information exchanged (or to be exchanged) during the authentication session. If the client device verifies the context information, the client device may send the requested signature.

公开(公告)号：US20180007059A1

公开(公告)日：2018-01-04

申请号：US15690417

申请日：2017-08-30

Applicant: Citrix Systems, Inc.

Inventor： Andrew Innes ,  Chris Mayers

IPC: H04L29/06 ,  G06F21/62

CPC classification number: H04L63/104 ,  G06F21/33 ,  G06F21/34 ,  G06F21/62 ,  G06F21/6218 ,  G06F21/6245 ,  G06F2221/2101 ,  G06F2221/2111 ,  G09C1/00 ,  H04L9/3228 ,  H04L9/3234 ,  H04L9/3263 ,  H04L63/061 ,  H04L63/0815 ,  H04L63/0823 ,  H04L63/0853 ,  H04L63/101 ,  H04L63/107

Abstract: Methods and systems for granting or denying a client device access to one or more resources in a remote computing environment are described herein. During authentication, context information for the client device, such as device type, device location, etc., may be determined. A computing device in the system may receive data indicating the context information, such as data indicating that the user is at a particular location and/or is of a particular device type. One or more labels for a session associated with the user of the client device may be determined based on the data indicating the context information. The computing device may generate an authentication certificate comprising one or more labels. Based on the certificate, one or more access groups for the user of the client device may be determined, and the user of the client device may be granted or denied access to one or more resources according to the access group(s).

公开(公告)号：US11641361B2

公开(公告)日：2023-05-02

申请号：US17063198

申请日：2020-10-05

Applicant: Citrix Systems, Inc.

Inventor： Andrew Innes ,  Chris Mayers

IPC: H04L29/06 ,  H04L9/40 ,  G06F21/62 ,  H04L9/32 ,  G06F21/33 ,  G09C1/00 ,  G06F21/34

Abstract: Methods and systems for granting or denying a client device access to one or more resources in a remote computing environment are described herein. A computing device may receive from an identity provider a token authenticating that a user of a client device is at a first location. The computing device may determine, based on the token, one or more labels for a session associated with the user. Each label of the one or more labels is associated with a corresponding security group. Based on the one or more labels, the user of the client device may be granted access to sensitive data.

公开(公告)号：US10122703B2

公开(公告)日：2018-11-06

申请号：US14870447

申请日：2015-09-30

Applicant: Citrix Systems, Inc.

Inventor： Andrew Innes ,  Chris Mayers

IPC: H04L29/06 ,  G06F21/33 ,  H04L9/32

Abstract: Methods and systems for faster and more efficient smart card logon and for giving a client device full domain access in a remote computing environment are described herein. Components used to implement fast smart card logon may also be used to implement a federated full domain logon. A virtual smart card credential, which may be ephemeral, may be issued based on the acceptance of an external authentication event. Example external authentication events include logon at a Security Assertion Markup Language (SAML) Identity Provider, smart card authentication over TLS or SSL, and alternative authentication credentials such as biometrics or one-time password (OTP) without AD password. Moreover, the certificate operation interception components from fast smart card logon may be used to enable interaction with the virtual smart card without fully emulating a smart card at the PC/SC API level. The virtual smart card may be created locally at the authentication server or on a separate server that may be highly protected.

公开(公告)号：US20160094543A1

公开(公告)日：2016-03-31

申请号：US14870447

申请日：2015-09-30

Applicant: Citrix Systems, Inc.

Inventor： Andrew Innes ,  Chris Mayers

IPC: H04L29/06

CPC classification number: H04L63/0823 ,  G06F21/33 ,  H04L9/3228 ,  H04L9/3234 ,  H04L9/3263 ,  H04L63/061 ,  H04L63/0815 ,  H04L63/0853 ,  H04L63/0876

Abstract: Methods and systems for faster and more efficient smart card logon and for giving a client device full domain access in a remote computing environment are described herein. Components used to implement fast smart card logon may also be used to implement a federated full domain logon. A virtual smart card credential, which may be ephemeral, may be issued based on the acceptance of an external authentication event. Example external authentication events include logon at a Security Assertion Markup Language (SAML) Identity Provider, smart card authentication over TLS or SSL, and alternative authentication credentials such as biometrics or one-time password (OTP) without AD password. Moreover, the certificate operation interception components from fast smart card logon may be used to enable interaction with the virtual smart card without fully emulating a smart card at the PC/SC API level. The virtual smart card may be created locally at the authentication server or on a separate server that may be highly protected.

Abstract translation: 这里描述了用于在远程计算环境中更快更高效地智能卡登录和给予客户端设备完全域访问的方法和系统。 用于实现快速智能卡登录的组件也可用于实现联合全域登录。 可以基于外部认证事件的接受来发布可能是短暂的虚拟智能卡凭证。 示例外部身份验证事件包括以安全断言标记语言（SAML）身份提供者登录，通过TLS或SSL进行智能卡身份验证，以及不带AD密码的替代身份验证凭证（例如生物识别或一次性密码（OTP））。 此外，来自快速智能卡登录的证书操作截取组件可以用于在没有在PC / SC API级别上完全模拟智能卡的情况下实现与虚拟智能卡的交互。 虚拟智能卡可以在身份验证服务器或可能受到高度保护的单独服务器上本地创建。

公开(公告)号：US20150365412A1

公开(公告)日：2015-12-17

申请号：US14833329

申请日：2015-08-24

Applicant: Citrix Systems, Inc.

Inventor： Andrew Innes ,  Chris Mayers

IPC: H04L29/06 ,  H04L12/911

CPC classification number: H04L63/0884 ,  H04L47/70 ,  H04L63/0281 ,  H04L63/08 ,  H04L63/0823 ,  H04L63/12

Abstract: A method of authentication and accessing resources is provided. A client device may send a request to a proxy device to access a resource, such as an enterprise resource. The proxy device may authenticate with one or more servers associated with the resource. During authentication, the proxy device may receive a request for a signature controlled by the client device. In response, the proxy device may send a request to the client device for the signature. The request may also include context information that identify a data structure of authentication information exchanged (or to be exchanged) during the authentication session. If the client device verifies the context information, the client device may send the requested signature.

Abstract translation: 提供了认证和访问资源的方法。 客户端设备可以向代理设备发送请求以访问诸如企业资源的资源。 代理设备可以与与资源相关联的一个或多个服务器认证。 在认证期间，代理设备可以接收由客户端设备控制的签名的请求。 作为响应，代理设备可以向客户端设备发送用于签名的请求。 该请求还可以包括识别在认证会话期间交换（或被交换的）认证信息的数据结构的上下文信息。 如果客户端设备验证上下文信息，则客户端设备可以发送所请求的签名。

公开(公告)号：US20230259349A1

公开(公告)日：2023-08-17

申请号：US17854662

申请日：2022-06-30

Applicant: Citrix Systems, Inc.

Inventor： Michael Herzberg ,  Chris Mayers

IPC: G06F8/65 ,  G06F8/71

CPC classification number: G06F8/65 ,  G06F8/71

Abstract: One disclosed method involves causing, by a computing system, installation of at least a first application and a second application, determining, by the computing system, first application data indicative of modifications occurring in response to installation of the first application, determining, by the computing system, second application data indicative of modifications occurring in response to installation of the second application, and processing the first application data and the second application data to generate a set of application policies to control use of the first application and the second application at a user device.

公开(公告)号：US20210021605A1

公开(公告)日：2021-01-21

申请号：US17063198

申请日：2020-10-05

Applicant: Citrix Systems, Inc.

Inventor： Andrew Innes ,  Chris Mayers

IPC: H04L29/06 ,  G06F21/62 ,  H04L9/32 ,  G06F21/33 ,  G09C1/00 ,  G06F21/34

Abstract: Methods and systems for granting or denying a client device access to one or more resources in a remote computing environment are described herein. A computing device may receive from an identity provider a token authenticating that a user of a client device is at a first location. The computing device may determine, based on the token, one or more labels for a session associated with the user. Each label of the one or more labels is associated with a corresponding security group. Based on the one or more labels, the user of the client device may be granted access to sensitive data.

公开(公告)号：US20160191645A1

公开(公告)日：2016-06-30

申请号：US14585320

申请日：2014-12-30

Applicant: Citrix Systems, Inc.

Inventor： Richard Hayton ,  Chris Mayers

IPC: H04L29/08 ,  H04L12/861 ,  H04L29/06

CPC classification number: H04L67/2842 ,  G06F8/00 ,  G06F9/445 ,  G06F9/4484 ,  G06F9/455 ,  G06F9/50 ,  G06F21/53 ,  G06F21/54 ,  G06F21/71 ,  H04L67/02 ,  H04L67/2819 ,  H04L67/34 ,  H04W12/0027 ,  H04W12/08

Abstract: Aspects described herein are directed toward systems, methods, devices, and non-transitory computer-readable media for containerizing a web application and managing its execution. In example implementations, at least a portion of a web application a resource list identified by that web application is retrieved. The portion of the web application and the resources retrieved are cached at a computing device. The application manager intercepts one or more function calls invoked at the cached portion of the web application and processes the function calls intercepted.

Abstract translation: 本文描述的方面针对用于集中化web应用并管理其执行的系统，方法，设备和非暂时性计算机可读介质。 在示例实现中，检索web应用程序的至少一部分由该web应用程序标识的资源列表。 Web应用程序的部分和检索的资源被缓存在计算设备上。 应用程序管理器拦截在Web应用程序的缓存部分调用的一个或多个函数调用，并处理被拦截的函数调用。

公开(公告)号：US09154488B2

公开(公告)日：2015-10-06

申请号：US13886845

申请日：2013-05-03

Applicant: Citrix Systems, Inc.

Inventor： Andrew Innes ,  Chris Mayers

IPC: H04L29/06

CPC classification number: H04L63/0884 ,  H04L47/70 ,  H04L63/0281 ,  H04L63/08 ,  H04L63/0823 ,  H04L63/12

Abstract: A method of authentication and accessing resources is provided. A client device may send a request to a proxy device to access a resource, such as an enterprise resource. The proxy device may authenticate with one or more servers associated with the resource. During authentication, the proxy device may receive a request for a signature controlled by the client device. In response, the proxy device may send a request to the client device for the signature. The request may also include context information that identify a data structure of authentication information exchanged (or to be exchanged) during the authentication session. If the client device verifies the context information, the client device may send the requested signature.

Abstract translation: 提供了认证和访问资源的方法。 客户端设备可以向代理设备发送请求以访问诸如企业资源的资源。 代理设备可以与与资源相关联的一个或多个服务器认证。 在认证期间，代理设备可以接收由客户端设备控制的签名的请求。 作为响应，代理设备可以向客户端设备发送用于签名的请求。 该请求还可以包括识别在认证会话期间交换（或被交换的）认证信息的数据结构的上下文信息。 如果客户端设备验证上下文信息，则客户端设备可以发送所请求的签名。