Identity services for organizations transparently hosted in the cloud

US 10,176,335 B2
Filed: 03/20/2012
Issued: 01/08/2019
Est. Priority Date: 03/20/2012
Status: Active Grant

First Claim

Patent Images

1. A method for establishing single identity on a cloud computing platform, comprising:

validating a user credential associated with a first user on a first computer;

receiving, from the first computer, information indicative of a domain comprising a plurality of computing devices communicating over a network for which single identity is to be established;

determining that the first user has control of the domain, in response to a determination that the domain is a public domain;

in response to validating the user credential and determining that the first user has control of the domain, storing the information indicative of the domain in a service on the cloud computing platform for authorizing sign-ons from a plurality of users of the domain including the first user, the service comprising a database used to authenticate the plurality of users within the domain;

determining to permit a log in by the first user to a second computer hosted on the cloud platform in response to determining that the service authorizes the user credential associated with the log in; and

authorizing the first user to access a software service provided on at least one computing device within the domain hosted on the cloud computing platform in response to determining that the service authorized the user credential associated with the log in.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the invention are disclosed for establishing single identity/single-sign on (SSO) on a cloud computing platform. In an embodiment, a user is validated to the cloud computing platform, and identifies a domain. After establishing that the user has control of the domain, the cloud computing platform configures a directory service for the domain. The user may then use the directory service on the cloud computing platform to log in to his or her computer, as well as software services hosted on the cloud computing platform.

Citations

20 Claims

1. A method for establishing single identity on a cloud computing platform, comprising:
- validating a user credential associated with a first user on a first computer;
  
  receiving, from the first computer, information indicative of a domain comprising a plurality of computing devices communicating over a network for which single identity is to be established;
  
  determining that the first user has control of the domain, in response to a determination that the domain is a public domain;
  
  in response to validating the user credential and determining that the first user has control of the domain, storing the information indicative of the domain in a service on the cloud computing platform for authorizing sign-ons from a plurality of users of the domain including the first user, the service comprising a database used to authenticate the plurality of users within the domain;
  
  determining to permit a log in by the first user to a second computer hosted on the cloud platform in response to determining that the service authorizes the user credential associated with the log in; and
  
  authorizing the first user to access a software service provided on at least one computing device within the domain hosted on the cloud computing platform in response to determining that the service authorized the user credential associated with the log in.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising:
    - determining that the domain has a service located external to the cloud computing platform;
      
      in response to determining that the domain has the service located external to the cloud computing platform, configuring a synchronization service on the cloud computing platform for replicating data between the service on the cloud computing platform and the service located external to the cloud computing platform;
      
      receiving an indication of a virtual private network (VPN) endpoint and a credential to access the service located external to the cloud computing platform;
      
      establishing, by the cloud computing platform, a VPN connection with the VPN endpoint, using the user credential to access the service located external to the cloud computing platform; and
      
      replicating credential data between the service on the cloud computing platform and the service located external to the cloud computing platform using the synchronization service.
  - 3. The method of claim 1, wherein configuring the service on the cloud computing platform for sign-ons from users of the domain further comprises:
    - in response to receiving the information indicative of a domain, configuring a federation service on the cloud computing platform to authenticate a user of the domain across an organizational boundary after the first user has been authenticated by the service.
  - 4. The method of claim 1, wherein storing the information indicative of the domain in the service on the cloud computing platform for authorizing sign-ons from users of the domain comprises:
    - in response to determining that the domain is a public domain, sending data to the computer; and
      
      determining that the data is accessible at a known location in the domain.
  - 5. The method of claim 4, wherein determining that the data is accessible at the known location in the domain comprises:
    - determining that the data is stored within a mail exchanger (MX) record in the domain.
  - 6. The method of claim 4, wherein determining that the data is accessible at the known location in the domain comprises:
    - determining that the data is stored within a domain TXT record (text record) in the domain.
  - 7. The method of claim 1, wherein storing the information indicative of the domain in the service on the cloud computing platform for authorizing sign-ons from users of the domain comprises:
    - determining that control of the domain need not be proven in response to determining that the domain is a private domain.
  - 8. The method of claim 1, wherein determining that the first user has control of the domain comprises:
    - generating a unique identifier (UID) associated with the validated user credential; and
      
      sending the UID to the computer to be stored a known, public location on the domain.

9. A system for establishing single identity on a cloud computing platform, comprising:
- a module configured to validate a user credential associated with a first user on a first computer;
  
  a module configured to receive, from the first computer, information indicative of a domain for which single identity is to be established, the domain comprising a plurality of computing devices communicating over a network;
  
  a module configured to determine that the domain is a public domain;
  
  a module configured to, in response to determining that the domain is a public domain, determine that the first user has control of the domain;
  
  a module configured to, in response to validating the user credential and determining that the first user has control of the domain, store the information indicative of the domain in a service on the cloud computing platform for authorizing sign-ons from a plurality of users of the domain including the first user, the service comprising a database used to authenticate the plurality of users within the domain;
  
  a module configured to, determine to permit a log in by the first user to a second computer on the cloud computing platform in response to determining that the service authorizes the user credential associated with the log in; and
  
  a module configured to authorize the first user to access a software service provided on at least one computing device within the domain hosted on the cloud computing platform in response to determining that the directory service authorized the user credential associated with the log in.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The system of claim 9, further comprising:
    - a module configured to determine that the domain has a service located external to the cloud computing platform;
      
      a module configured to, in response to determining that the domain has the service located external to the cloud computing platform, configure a synchronization service on the cloud computing platform for replicating data between the service on the cloud computing platform and the service located external to the cloud computing platform;
      
      a module configured to receive an indication of a virtual private network (VPN) endpoint and a credential to access the service located external to the cloud computing platform;
      
      a module configured to establish, by the cloud computing platform, a VPN connection with the VPN endpoint, using the credential to access the service located external to the cloud computing platform; and
      
      a module configured to replicate credential data between the service on the cloud computing platform and the service located external to the cloud computing platform using the synchronization service.
  - 11. The system of claim 9, further comprising:
    - a module configured to, in response to receiving the information indicative of a domain, configure a federation service on the cloud computing platform to authenticate a user of the domain across an organizational boundary after the first user has been authenticated by the service.
  - 12. The system of claim 9, comprising:
    - a module configured to, in response to determining that the domain is a public domain, send data to the computer; and
      
      a module configured to determine that the data is accessible at a known location in the domain.
  - 13. The system of claim 12, wherein the module configured to determine that the data is accessible at the known location in the domain further configured to:
    - determine that the data is stored within a mail exchanger (MX) record in the domain.
  - 14. The system of claim 12, wherein the module configured to determine that the data is accessible at the known location in the domain further configured to:
    - determine that the data is stored within a domain TXT record (text record) in the domain.
  - 15. The system of claim 9, further comprising:
    - a module configured to determine that control of the domain need not be proven in response to determining that the domain is a private domain.

16. A computer-readable storage device for establishing single identity on a cloud computing platform, bearing computer-executable instructions that when executed on a computer, cause the computer to perform operations comprising:
- validating a user credential associated with a first user on a first computer;
  
  receiving, from the first computer, information indicative of a domain comprising a plurality of computing devices communicating over a network for which single identity is to be established;
  
  determining that the first user has control of the domain in response to a determination that the domain is a public domainin response to validating the user credential and determining that the first user has control of the domain, storing the information indicative of the domain in a service on the cloud computing platform for authorizing sign-ons from a plurality of users of the domain including the first user, the service comprising a database used to authenticate the plurality of users within the domain;
  
  determining to permit a log in by the first user to a second computer on the cloud platform in response to determining that the service authorizes the user credential associated with the log in; and
  
  authorizing the first user to access a software service provided on at least one computing device within the domain hosted on the cloud computing platform in response to determining that the service authorized the user credential associated with the log in.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The computer-readable storage device of claim 16, further bearing computer-executable instructions that when executed on the computer, cause the computer to perform operations comprising:
    - determining that the domain has a service located external to the cloud computing platform;
      
      in response to determining that the domain has the service located external to the cloud computing platform, configuring a synchronization service on the cloud computing platform for replicating data between the service on the cloud computing platform and the service located external to the cloud computing platform;
      
      receiving an indication of a virtual private network (VPN) endpoint and a credential to access the service located external to the cloud computing platform;
      
      establishing, by the cloud computing platform, a VPN connection with the VPN endpoint, using the credential to access the service located external to the cloud computing platform; and
      
      replicating credential data between the service on the cloud computing platform and the service located external to the cloud computing platform using the synchronization service.
  - 18. The computer-readable storage device of claim 16, wherein storing the information indicative of the domain in a service on the cloud computing platform for authorizing sign-ons from users of the domain further comprises:
    - in response to receiving the information indicative of a domain, configuring a federation service on the cloud computing platform to authenticate a user of the domain across an organizational boundary after the first user has been authenticated by the service.
  - 19. The computer-readable storage device of claim 16, wherein storing the information indicative of the domain in a service on the cloud computing platform for authorizing sign-ons from users of the domain comprises:
    - in response to determining that the domain is a public domain, sending data to the computer; and
      
      determining that the data is accessible at a known location in the domain.
  - 20. The computer-readable storage device of claim 17, wherein determining that the domain has a service located external to the cloud computing platform comprises:
    - prompting the first computer for an indication that the domain has the external service;
      
      receiving the indication from the first computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Adams, Ross, Wells, Dean, Didcock, Clifford N., Chander, Girish
Primary Examiner(s)
Kim, Tae K

Application Number

US13/425,143
Publication Number

US 20130254847A1
Time in Patent Office

2,485 Days
Field of Search

709217, 709219, 709250, 726 2, 726 4- 5, 726 15
US Class Current
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 2221/2117   User registration

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/0272   Virtual private networks

H04L 63/0815   providing single-sign-on or...

Identity services for organizations transparently hosted in the cloud

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Identity services for organizations transparently hosted in the cloud

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links