Virtual machine logon federation

US 10,205,717 B1
Filed: 04/01/2013
Issued: 02/12/2019
Est. Priority Date: 04/01/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

prompting, at a credential provider application that resides on a virtual machine, a user of the virtual machine to provide one or more user credentials via a log on interface on the virtual machine, the virtual machine and the credential provider application that resides on a virtual machine being in an external security domain outside of an original security domain of the user, the one or more user credentials provided by the original security domain of the user;

receiving, at the credential provider, the one or more user credentials from the user of the virtual machine, wherein;

the one or more user credentials are obtained by the user from the original security domain of the user, the original security domain comprising a plurality of host machines, the user credentials providing access to a first resource hosted in the original security domain of the user;

the virtual machine and the credential provider application that resides on the virtual machine are in the external security domain outside the original security domain of the user;

receiving, from the user, a request to access, via the virtual machine, a second resource in the external security domain of the user;

forwarding the one or more user credentials to an authentication entity in the external security domain; and

based at least in part on a determination that the one or more credentials are authentic;

receiving from an identity provider of the original security domain of the user a first security token for providing access to the second resource in the external security domain via the virtual machine;

creating a shadow user within the external security domain based on the user credentials;

assigning privileges to the shadow user based on information in the first security token wherein the information in the first security token corresponds to a set of allowed actions the shadow user may take with respect to the second resource and a set of forbidden actions the shadow user may not take with respect to the second resource while logged onto the virtual machine; and

providing the user of the virtual machine with access to the second resource in the external security domain via the virtual machine as determined using the privileges assigned to the shadow user.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are described for providing federated access to end-users of virtual machines. The method includes receiving a request from a user to access a resource outside of the user'"'"'s original security domain. The user'"'"'s existing security credentials are forwarded to an authentication entity, which determines if the user'"'"'s credentials are authentic. If it is determined that the user'"'"'s credentials are authentic, the user'"'"'s target identity provider generates a security token that provides the virtual machine user with access to the resource, the resource residing in an external security domain. The user may log on to the virtual machine with access to the desired resource, subject to the privileges identified in the security token.

Citations

22 Claims

1. A computer-implemented method comprising:
- prompting, at a credential provider application that resides on a virtual machine, a user of the virtual machine to provide one or more user credentials via a log on interface on the virtual machine, the virtual machine and the credential provider application that resides on a virtual machine being in an external security domain outside of an original security domain of the user, the one or more user credentials provided by the original security domain of the user;
  
  receiving, at the credential provider, the one or more user credentials from the user of the virtual machine, wherein;
  
  the one or more user credentials are obtained by the user from the original security domain of the user, the original security domain comprising a plurality of host machines, the user credentials providing access to a first resource hosted in the original security domain of the user;
  
  the virtual machine and the credential provider application that resides on the virtual machine are in the external security domain outside the original security domain of the user;
  
  receiving, from the user, a request to access, via the virtual machine, a second resource in the external security domain of the user;
  
  forwarding the one or more user credentials to an authentication entity in the external security domain; and
  
  based at least in part on a determination that the one or more credentials are authentic;
  
  receiving from an identity provider of the original security domain of the user a first security token for providing access to the second resource in the external security domain via the virtual machine;
  
  creating a shadow user within the external security domain based on the user credentials;
  
  assigning privileges to the shadow user based on information in the first security token wherein the information in the first security token corresponds to a set of allowed actions the shadow user may take with respect to the second resource and a set of forbidden actions the shadow user may not take with respect to the second resource while logged onto the virtual machine; and
  
  providing the user of the virtual machine with access to the second resource in the external security domain via the virtual machine as determined using the privileges assigned to the shadow user.
- View Dependent Claims (2, 3)
- - 2. The computer-implemented method of claim 1, further comprising granting the user access to the second resource within the external security domain using a second security token associated with the shadow user.
  - 3. The computer-implemented method of claim 1, wherein the one or more user credentials are in the form of at least one of biometrics, smart card data, or text entries.

4. A computer-implemented method comprising:
- prompting, at a credential provider application that resides on a virtual machine, a user of the virtual machine to provide one or more user credentials via a log on interface on the virtual machine, the virtual machine and the credential provider application that resides on the virtual machine being in an external security domain outside of an original security domain of the user, the one or more user credentials provided by the original security domain of the user;
  
  receiving, at the credential provider of the virtual machine, the one or more credentials from the user of the virtual machine, wherein;
  
  the one or more credentials provide access to a first resource in the original security domain of the user, the original security domain comprising a plurality of host machines; and
  
  the virtual machine and the credential provider reside in the external security domain outside the original security domain of the user;
  
  determining, by the credential provider application that resides on the virtual machine, if the one or more credentials are authentic; and
  
  based at least in part on a determination that the credentials are authentic;
  
  receiving identity information for the user, the identity information generated by an identity provider of the original security domain of the user and including a security token issued by the identity provider wherein the information in the security token indicates a set of allowed actions the shadow user may take with respect to a second resource and a set of forbidden actions the shadow user may not take with respect to the second resource while logged onto the virtual machine;
  
  creating a shadow user within the external security domain based on the security token;
  
  assigning privileges to the shadow user based on the security token; and
  
  providing the user of the virtual machine with access to the second resource via the virtual machine based on the privileges assigned to the shadow user, the second resource residing in the external security domain, wherein the virtual machine is accessed by using the identity information.
- View Dependent Claims (5, 6, 7)
- - 5. The computer-implemented method of claim 4, further comprising retaining the privileges of the shadow user between user login attempts to the virtual machine.
  - 6. The computer-implemented method of claim 5, wherein after each user login attempt, further comprising:
    - verifying the user is authenticated within the original security domain of the user; and
      
      verifying the shadow user is authorized to access the privileges of the shadow user in the external security domain.
  - 7. The computer-implemented method of claim 4, wherein the privileges further enable the user to access an application in the external security domain.

8. A computer system comprising:
- a processor, anda memory device including instructions that, as a result of being executed by the processor, cause the computer system to;
  
  prompt, at a credential provider application that resides on a virtual machine, a user of the virtual machine to provide one or more user credentials via a log on interface on the virtual machine, the virtual machine and the credential provider application that resides on the virtual machine being in an external security domain outside of an original security domain of the user, the one or more user credentials provided by the original security domain of the user;
  
  receive, at the credential provider application that resides on the virtual machine, the one or more credentials from the user of the virtual machine, wherein;
  
  the virtual machine and the credential provider application that resides on the virtual machine are in the external security domain outside of the original security domain of the user; and
  
  the one or more credentials provide access to a first resource in the original security domain of the user;
  
  determine if the one or more credentials are authentic; and
  
  based at least in part on a determination that the one or more credentials are authentic;
  
  receive, in a security token, identity information for the user, the identity information generated by an identity provider in the original security domain of the user wherein the identity information indicates a set of allowed actions a shadow user may take with respect to a second resource and a set of forbidden actions the shadow user may not take with respect to the second resource;
  
  based on the identity information, create the shadow user within the external security domain and assign privileges to the shadow user; and
  
  based on the privileges assigned to the shadow user, provide the user of the virtual machine with access to the second resource in the external security domain via the virtual machine, wherein the virtual machine is accessed by using the identity information.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer system of claim 8, wherein the identity information includes a security token issued by the identity provider.
  - 10. The computer system of claim 9, wherein information in the security token can be used to determine the privileges of the shadow user in the external security domain.
  - 11. The computer system of claim 10, wherein the instructions further cause the computer system to retain the privileges of the shadow user between user login attempts to the virtual machine.
  - 12. The computer system of claim 11, wherein after each user login attempt, further comprising:
    - verifying the user is authenticated within the security domain of the user; and
      
      verifying the shadow user is authorized to access the privileges of the shadow user in the external security domain.
  - 13. The computer system of claim 8, wherein the one or more credentials further enable the user to access, via the virtual machine, an application in the external security domain.
  - 14. The computer system of claim 8, wherein the instructions further cause the computer system to send the one or more credentials to an Active Directory Federation Services (ADFS) entity in order to determine if the one or more credentials are authentic.

15. A computer-implemented method comprising:
- prompting, at a credential provider application that resides on a virtual machine, a user of the virtual machine to provide one or more user credentials via a log on interface on the virtual machine, the virtual machine and the credential provider application that resides on the virtual machine being in an external security domain outside of an original security domain of the user, the one or more user credentials provided by the original security domain of the user;
  
  receiving, at the credential provider application that resides on the virtual machine, the one or more user credentials from the user of the virtual machine;
  
  receiving an indication that the user wishes to access, via the virtual machine, a resource in the external security domain;
  
  forwarding the one or more user credentials to an authentication entity in the external security domain, the authentication entity determining if the user credentials are authentic; and
  
  based at least in part on a determination that the one or more credentials are authentic;
  
  receiving from an identity provider of the original security domain of the user a security token;
  
  based on the security token, creating the shadow user within the external security domain;
  
  assigning privileges to the shadow user based on information in the security token wherein the information in the first security token corresponds to a set of allowed actions the shadow user may take with respect to the resource and a set of forbidden actions the shadow user may not take with respect to the resource while logged onto the virtual machine; and
  
  providing the user with access to the resource via the virtual machine, the access based on the privileges assigned to the shadow user.
- View Dependent Claims (16, 17)
- - 16. The computer-implemented method of claim 15, further comprising retaining the privileges between user login attempts to the virtual machine.
  - 17. The computer-implemented method of claim 16, wherein after each user login attempt, further comprising:
    - verifying the user is authenticated within the original security domain of the user; and
      
      verifying the user is authorized to access the privileges of the shadow user in the external security domain.

18. A non-transitory computer readable storage medium including instructions that, as a result of being executed by at least one processor of a computing system, cause the computing system to:
- prompt, at a credential provider application that resides on a virtual machine, a user of the virtual machine to provide one or more user credentials via a log on interface on the virtual machine, the virtual machine and the credential provider application that resides on the virtual machine being in an external security domain outside of an original security domain of the user, the one or more user credentials provided by the original security domain of the user;
  
  receive the one or more credentials from the user of the virtual machine, where;
  
  the one or more credentials provide access to the original security domain of the user and are received through the credential provider application that resides on the virtual machine; and
  
  the virtual machine and the credential provider application that resides on the virtual machine are in the external security domain outside of the original security domain of the user;
  
  determine if the one or more credentials are authentic; and
  
  based at least in part on a determination that the one or more credentials are authentic;
  
  receive, in a security token, identity information for the user, the identity information generated by an identity provider of the original security domain of the user, wherein the identity information designates privileges including an allowed action a shadow user may take with respect to a resource and a forbidden action the shadow user may not take with respect to the resource;
  
  create the shadow user having the privileges to the resource designated in the identity information; and
  
  provide the user of the virtual machine with access to the resource while logged onto the virtual machine, the resource residing in the external security domain, wherein the virtual machine is accessed by using the privileges of the shadow user to access the resource.
- View Dependent Claims (19, 20, 21, 22)
- - 19. The non-transitory computer readable storage medium of claim 18, wherein the identity information includes the security token issued by the identity provider.
  - 20. The non-transitory computer readable storage medium of claim 19, wherein information in the security token can be used to determine the privileges of the shadow user.
  - 21. The non-transitory computer readable storage medium of claim 20, wherein the instructions further cause the computer system to retain the privileges between user login attempts to the virtual machine.
  - 22. The non-transitory computer readable storage medium of claim 21, wherein after each user login attempt, further comprising:
    - verifying the user is authenticated within the original security domain of the user; and
      
      verifying the user is authorized to access the privileges of the shadow user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Shah, Shon Kiran, Padukone, Ajit Nagendra, Suryanarayanan, Deepak, Tellvik, Erik Jonathon, Brown, David Everard
Primary Examiner(s)
Zoubair, Noura

Application Number

US13/854,697
Time in Patent Office

2,143 Days
Field of Search

726 3- 4, 726 6- 9, 726 26- 29, 713154-157, 713168, 713170, 713176
US Class Current
CPC Class Codes

G06F 21/32   using biometric data, e.g. ...

G06F 21/53   by executing in a restricte...

H04L 63/0815   providing single-sign-on or...

H04L 63/102   Entity profiles

Virtual machine logon federation

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Virtual machine logon federation

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links