Scope-based certificate deployment

US 10,320,572 B2
Filed: 12/05/2016
Issued: 06/11/2019
Est. Priority Date: 08/04/2016
Status: Active Grant

First Claim

Patent Images

1. A method of operating a front-end access server to facilitate scope-based certificate deployment in a multi-tenant cloud-based content service, the method comprising:

receiving a request for authentication including metadata from an access system;

extracting the metadata from the authentication request;

processing the metadata to identify a tenant associated with the request for authentication;

accessing a tenant-specific certificate associated with the tenant;

accessing a set of global certificates shared among tenants in the multi-tenant cloud-based content service; and

responsive to the request for authentication, providing to the access system, the tenant-specific certificate for validation by a third-party certificate authority and one or more of the set of global certificates for accessing one or more corresponding back-end services,wherein the tenant-specific certificate is provided to the front-end access server and scoped prior to receiving the request for authentication.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The techniques described herein facilitate scope-based certificate deployment for secure dedicated tenant access in multi-tenant, cloud-based content and collaboration environments. In some embodiments, a method is described that includes receiving an incoming authentication request from an access system, wherein the authentication request includes metadata, extracting the metadata from the authentication request, and processing the metadata to identify a tenant corresponding to the request. A tenant-specific certificate associated with the tenant is then accessed and provided to the access system for validation by a third-party certificate authority.

26 Citations

View as Search Results

20 Claims

1. A method of operating a front-end access server to facilitate scope-based certificate deployment in a multi-tenant cloud-based content service, the method comprising:
- receiving a request for authentication including metadata from an access system;
  
  extracting the metadata from the authentication request;
  
  processing the metadata to identify a tenant associated with the request for authentication;
  
  accessing a tenant-specific certificate associated with the tenant;
  
  accessing a set of global certificates shared among tenants in the multi-tenant cloud-based content service; and
  
  responsive to the request for authentication, providing to the access system, the tenant-specific certificate for validation by a third-party certificate authority and one or more of the set of global certificates for accessing one or more corresponding back-end services,wherein the tenant-specific certificate is provided to the front-end access server and scoped prior to receiving the request for authentication.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the tenant-specific certificate comprises one or more of a Secure Socket Layer (SSL) certificate, an email encryption certificate, or a code signing certificate.
  - 3. The method of claim 1, wherein the tenant-specific certificate comprises a certificate issued to the tenant by the third-party certificate authority.
  - 4. The method of claim 3, further comprising:
    - receiving the tenant-specific certificate from a dedicated tenant system;
      
      providing the tenant-specific certificate to the multi-tenant cloud-based content service;
      
      receiving an indication of machines on which tenant data is or will be stored; and
      
      deploying the tenant-specific certificates to the machines.
  - 5. The method of claim 4, further comprising deploying global certificates to the machines.
  - 6. The method of claim 1, further comprising:
    - receiving a request from the access system, wherein fulfilling the request requires accessing a back-end service;
      
      identifying a shared certificate corresponding to the back-end service; and
      
      authenticating with the back-end service using the shared certificate.
  - 7. The method of claim 1, further comprising authenticating a server using the tenant-specific certificate.
  - 8. The method of claim 1, further comprising:
    - receiving, by an Application Program Interface (API), a request to change a type of a first certificate from a global certificate to a scope-based certificate.
  - 9. The method of claim 8, further comprising:
    - responsive to receiving the request to change the type of the first certificate, identifying machines on which the first certificate is deployed; and
      
      reimaging the machines on which the first certificate is deployed.

10. A computer readable storage medium having program instructions stored thereon which, when executed by one or more processors, cause the one or more processors to:
- trigger an interrupt responsive to receiving a request for authentication from an access system, wherein the authentication request includes metadata;
  
  extract the metadata from the authentication request;
  
  process the metadata to identify a tenant associated with the request; and
  
  access a tenant-specific certificate associated with the tenant and a set of global certificates shared among tenants in a multi-tenant cloud-based content service.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The computer readable storage medium of claim 10, wherein the instructions, when executed by the one or more processors, further cause the one or more processors to:
    - provide the tenant-specific certificate to the access system for validation by a third-party certificate authority.
  - 12. The computer readable storage medium of claim 10, wherein the tenant-specific certificate comprises one or more of a Secure Socket Layer (SSL) certificate, an email encryption certificate, or a code signing certificate.
  - 13. The computer readable storage medium of claim 10, wherein the tenant-specific certificate comprises a certificate issued to the tenant by the third-party certificate authority.
  - 14. The computer readable storage medium of claim 13, wherein the instructions, when executed by the one or more processors, further cause the one or more processors to:
    - receive the tenant-specific certificate from a dedicated tenant system;
      
      provide the tenant-specific certificate to the multi-tenant cloud-based content service;
      
      receive an indication of machines on which tenant data is or will be stored; and
      
      deploy the tenant-specific certificates to the machines.
  - 15. The computer readable storage medium of claim 14, wherein the instructions, when executed by the one or more processors, further cause the one or more processors to deploy global certificates to the machines.
  - 16. The computer readable storage medium of claim 14, wherein the instructions, when executed by the one or more processors, further cause the one or more processors toreceive a request from the access system, wherein fulfilling the request requires accessing a back-end service;
    - identify a shared certificate corresponding to the back-end service; and
      
      authenticate with the back-end service using the shared certificate.
  - 17. The computer readable storage medium of claim 14, wherein the instructions, when executed by the one or more processors, further cause the one or more processors to:
    - responsive to receiving, a request to change a type of a first certificate from a global certificate to a scope-based certificate,modify the type of the first certificate,identify machines on which the first certificate is deployed; and
      
      reimage the machines on which the first certificate is deployed.

18. A method of operating a front-end access server to facilitate scope-based certificate deployment in a multi-tenant cloud-based content service, the method comprising:
- receiving a request for authentication from an access system, wherein the request includes metadata;
  
  extracting the metadata from the request;
  
  processing the metadata to identify a scope-based certificate corresponding to the request, wherein the scope-based certificate has a scope within the multi-tenant cloud-based content service;
  
  accessing the scope-based certificate and a set of global certificates shared among tenants in the multi-tenant cloud-based content service; and
  
  responsive to receiving the request for authentication, providing to the access system, the scope-based certificate for validation by a third-party certificate authority and one or more of the set of global certificates,wherein the set of global certificates are provided for accessing a set of back-end services.
- View Dependent Claims (19, 20)
- - 19. The method of claim 18, wherein the scope of the scope-based certificate comprises one or more of a particular region or content farm.
  - 20. The method of claim 18, wherein the certificate comprises one or more of a Secure Socket Layer (SSL) certificate, an email encryption certificate, or a code signing certificate.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Rathinasabapathy, Mangalam, Simek, Patrick, Zeng, Xinghuo, Miglani, Harpreet, Silva, Roshane
Primary Examiner(s)
Su, Sarah

Application Number

US15/369,297
Publication Number

US 20180041346A1
Time in Patent Office

918 Days
Field of Search
US Class Current
CPC Class Codes

H04L 9/006   involving public key infras...

H04L 9/14   using a plurality of keys o...

H04L 9/30   Public key, i.e. encryption...

H04L 9/3247   involving digital signatures

H04L 9/3263   involving certificates, e.g...

H04L 9/3265   using certificate chains, t...

H04L 9/3268   using certificate validatio...

Scope-based certificate deployment

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

26 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Scope-based certificate deployment

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

26 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links