Virtual machine logon federation
First Claim
1. A computer-implemented method comprising:
prompting, at a credential provider application that resides on a virtual machine, a user of the virtual machine to provide one or more user credentials via a log on interface on the virtual machine, the virtual machine and the credential provider application that resides on a virtual machine being in an external security domain outside of an original security domain of the user, the one or more user credentials provided by the original security domain of the user;
receiving, at the credential provider, the one or more user credentials from the user of the virtual machine, wherein:
the one or more user credentials are obtained by the user from the original security domain of the user, the original security domain comprising a plurality of host machines, the user credentials providing access to a first resource hosted in the original security domain of the user;
the virtual machine and the credential provider application that resides on the virtual machine are in the external security domain outside the original security domain of the user;
receiving, from the user, a request to access, via the virtual machine, a second resource in the external security domain of the user;
forwarding the one or more user credentials to an authentication entity in the external security domain; and
based at least in part on a determination that the one or more credentials are authentic:
receiving from an identity provider of the original security domain of the user a first security token for providing access to the second resource in the external security domain via the virtual machine;
creating a shadow user within the external security domain based on the user credentials;
assigning privileges to the shadow user based on information in the first security token wherein the information in the first security token corresponds to a set of allowed actions the shadow user may take with respect to the second resource and a set of forbidden actions the shadow user may not take with respect to the second resource while logged onto the virtual machine; and
providing the user of the virtual machine with access to the second resource in the external security domain via the virtual machine as determined using the privileges assigned to the shadow user.
Abstract
Systems and methods are described for providing federated access to end-users of virtual machines. The method includes receiving a request from a user to access a resource outside of the user's original security domain. The user's existing security credentials are forwarded to an authentication entity, which determines if the user's credentials are authentic. If it is determined that the user's credentials are authentic, the user's target identity provider generates a security token that provides the virtual machine user with access to the resource, the resource residing in an external security domain. The user may log on to the virtual machine with access to the desired resource, subject to the privileges identified in the security token.
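The flow described in the abstract, as an added illustration that is not from the patent or from any implementation of it: the credential provider on the VM forwards the credentials to an authentication entity, the original domain's identity provider issues a signed token listing allowed and forbidden actions, and the external domain creates a shadow user whose privileges come only from that verified token. The HMAC-signed token format, the sample user, the password digest and the signing key are constructed assumptions; a real deployment would give the external domain only the identity provider's verification key and never the user's password hash.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample data standing in for the original security domain's
# credential store and the identity provider's signing key.
ORIGINAL_DOMAIN_USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}
IDP_SIGNING_KEY = b"idp-signing-key-demo"  # constructed, not a real key

def authenticate(username, password):
    """Authentication entity: check the forwarded credentials against the original domain."""
    digest = hashlib.sha256(password.encode()).hexdigest()
    expected = ORIGINAL_DOMAIN_USERS.get(username)
    return expected is not None and hmac.compare_digest(digest, expected)

def issue_token(username, resource, allowed, forbidden):
    """Identity provider of the original domain: sign a token naming the allowed and forbidden actions."""
    claims = {"sub": username, "resource": resource,
              "allowed": sorted(allowed), "forbidden": sorted(forbidden)}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(IDP_SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"

def create_shadow_user(token):
    """External domain: verify the token before deriving any privilege from it."""
    body, sig = token.rsplit(".", 1)
    expected = hmac.new(IDP_SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("token signature invalid; no shadow user created")
    claims = json.loads(base64.urlsafe_b64decode(body))
    # Forbidden actions override allowed ones: an action listed on both sides is denied.
    return {"name": f"shadow:{claims['sub']}", "resource": claims["resource"],
            "allowed": set(claims["allowed"]) - set(claims["forbidden"])}

def can_perform(shadow_user, resource, action):
    """Access check in the external domain, scoped to the resource named in the token."""
    return resource == shadow_user["resource"] and action in shadow_user["allowed"]

def vm_logon(username, password, resource):
    """Credential provider on the VM: run the federated logon; returns the shadow user or None."""
    if not authenticate(username, password):
        return None
    # The identity provider decides the action sets; "write" appears on both sides to show the override.
    token = issue_token(username, resource, allowed={"read", "write"}, forbidden={"delete", "write"})
    return create_shadow_user(token)
```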
22 Claims
1. Independent claim 1 is reproduced above under First Claim. Dependent claims: 2, 3.
4. A computer-implemented method comprising:
prompting, at a credential provider application that resides on a virtual machine, a user of the virtual machine to provide one or more user credentials via a log on interface on the virtual machine, the virtual machine and the credential provider application that resides on the virtual machine being in an external security domain outside of an original security domain of the user, the one or more user credentials provided by the original security domain of the user;
receiving, at the credential provider of the virtual machine, the one or more credentials from the user of the virtual machine, wherein:
the one or more credentials provide access to a first resource in the original security domain of the user, the original security domain comprising a plurality of host machines; and
the virtual machine and the credential provider reside in the external security domain outside the original security domain of the user;
determining, by the credential provider application that resides on the virtual machine, if the one or more credentials are authentic; and
based at least in part on a determination that the credentials are authentic:
receiving identity information for the user, the identity information generated by an identity provider of the original security domain of the user and including a security token issued by the identity provider wherein the information in the security token indicates a set of allowed actions the shadow user may take with respect to a second resource and a set of forbidden actions the shadow user may not take with respect to the second resource while logged onto the virtual machine;
creating a shadow user within the external security domain based on the security token;
assigning privileges to the shadow user based on the security token; and
providing the user of the virtual machine with access to the second resource via the virtual machine based on the privileges assigned to the shadow user, the second resource residing in the external security domain, wherein the virtual machine is accessed by using the identity information.
Dependent claims: 5, 6, 7.
8. A computer system comprising:
a processor, and a memory device including instructions that, as a result of being executed by the processor, cause the computer system to:
prompt, at a credential provider application that resides on a virtual machine, a user of the virtual machine to provide one or more user credentials via a log on interface on the virtual machine, the virtual machine and the credential provider application that resides on the virtual machine being in an external security domain outside of an original security domain of the user, the one or more user credentials provided by the original security domain of the user;
receive, at the credential provider application that resides on the virtual machine, the one or more credentials from the user of the virtual machine, wherein:
the virtual machine and the credential provider application that resides on the virtual machine are in the external security domain outside of the original security domain of the user; and
the one or more credentials provide access to a first resource in the original security domain of the user;
determine if the one or more credentials are authentic; and
based at least in part on a determination that the one or more credentials are authentic:
receive, in a security token, identity information for the user, the identity information generated by an identity provider in the original security domain of the user wherein the identity information indicates a set of allowed actions a shadow user may take with respect to a second resource and a set of forbidden actions the shadow user may not take with respect to the second resource;
based on the identity information, create the shadow user within the external security domain and assign privileges to the shadow user; and
based on the privileges assigned to the shadow user, provide the user of the virtual machine with access to the second resource in the external security domain via the virtual machine, wherein the virtual machine is accessed by using the identity information.
Dependent claims: 9, 10, 11, 12, 13, 14.
15. A computer-implemented method comprising:
prompting, at a credential provider application that resides on a virtual machine, a user of the virtual machine to provide one or more user credentials via a log on interface on the virtual machine, the virtual machine and the credential provider application that resides on the virtual machine being in an external security domain outside of an original security domain of the user, the one or more user credentials provided by the original security domain of the user;
receiving, at the credential provider application that resides on the virtual machine, the one or more user credentials from the user of the virtual machine;
receiving an indication that the user wishes to access, via the virtual machine, a resource in the external security domain;
forwarding the one or more user credentials to an authentication entity in the external security domain, the authentication entity determining if the user credentials are authentic; and
based at least in part on a determination that the one or more credentials are authentic:
receiving from an identity provider of the original security domain of the user a security token;
based on the security token, creating the shadow user within the external security domain;
assigning privileges to the shadow user based on information in the security token wherein the information in the first security token corresponds to a set of allowed actions the shadow user may take with respect to the resource and a set of forbidden actions the shadow user may not take with respect to the resource while logged onto the virtual machine; and
providing the user with access to the resource via the virtual machine, the access based on the privileges assigned to the shadow user.
Dependent claims: 16, 17.
18. A non-transitory computer readable storage medium including instructions that, as a result of being executed by at least one processor of a computing system, cause the computing system to:
prompt, at a credential provider application that resides on a virtual machine, a user of the virtual machine to provide one or more user credentials via a log on interface on the virtual machine, the virtual machine and the credential provider application that resides on the virtual machine being in an external security domain outside of an original security domain of the user, the one or more user credentials provided by the original security domain of the user;
receive the one or more credentials from the user of the virtual machine, where:
the one or more credentials provide access to the original security domain of the user and are received through the credential provider application that resides on the virtual machine; and
the virtual machine and the credential provider application that resides on the virtual machine are in the external security domain outside of the original security domain of the user;
determine if the one or more credentials are authentic; and
based at least in part on a determination that the one or more credentials are authentic:
receive, in a security token, identity information for the user, the identity information generated by an identity provider of the original security domain of the user, wherein the identity information designates privileges including an allowed action a shadow user may take with respect to a resource and a forbidden action the shadow user may not take with respect to the resource;
create the shadow user having the privileges to the resource designated in the identity information; and
provide the user of the virtual machine with access to the resource while logged onto the virtual machine, the resource residing in the external security domain, wherein the virtual machine is accessed by using the privileges of the shadow user to access the resource.
Dependent claims: 19, 20, 21, 22.