Cross cloud application access

US 10,511,593 B2
Filed: 06/13/2017
Issued: 12/17/2019
Est. Priority Date: 06/13/2017
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for a security endpoint of a non-isolated public cloud computing environment that permits data access in accordance with a non-isolated scope, the method comprising:

receiving a login request related to an application, wherein the application operates in the non-isolated public cloud computing environment, and wherein the login request corresponds to a user of the application;

sending a lookup query to a directory service, wherein the lookup query includes information related to an identity of the user;

receiving a lookup response from the directory service;

in response to the lookup response indicating that the user belongs to the non-isolated public cloud computing environment;

requesting an authentication credential from a client device of the user,validating the authentication credential, andin response to successful validation of the authentication credential, providing an identity token to the client device; and

in response to the lookup response indicating that the user belongs to one of a plurality of isolated sovereign cloud computing environments, redirecting the client device to a security endpoint of the one of the plurality of isolated sovereign cloud computing environments, wherein the plurality of isolated sovereign cloud computing environments restrict data access in accordance with an isolated scope.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method for a security endpoint of a non-isolated computing environment includes receiving a login request related to an application within that environment. The login request corresponds to a user of the application. The method includes sending a lookup query, including information related to an identity of the user, to a directory service. The method includes receiving a lookup response from the directory service. The method includes, in response to the lookup response indicating that the user belongs to the non-isolated computing environment, requesting an authentication credential from a client device of the user, validating the authentication credential, and in response to successful validation of the authentication credential, providing an identity token to the client device. The method includes, in response to the lookup response indicating that the user belongs to an isolated computing environment, redirecting the client device to a security endpoint of the isolated computing environment.

Citations

20 Claims

1. A computer-implemented method for a security endpoint of a non-isolated public cloud computing environment that permits data access in accordance with a non-isolated scope, the method comprising:
- receiving a login request related to an application, wherein the application operates in the non-isolated public cloud computing environment, and wherein the login request corresponds to a user of the application;
  
  sending a lookup query to a directory service, wherein the lookup query includes information related to an identity of the user;
  
  receiving a lookup response from the directory service;
  
  in response to the lookup response indicating that the user belongs to the non-isolated public cloud computing environment;
  
  requesting an authentication credential from a client device of the user,validating the authentication credential, andin response to successful validation of the authentication credential, providing an identity token to the client device; and
  
  in response to the lookup response indicating that the user belongs to one of a plurality of isolated sovereign cloud computing environments, redirecting the client device to a security endpoint of the one of the plurality of isolated sovereign cloud computing environments, wherein the plurality of isolated sovereign cloud computing environments restrict data access in accordance with an isolated scope.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the lookup response indicates that the user belongs to the one of the plurality of isolated sovereign cloud computing environments by including a unique identifier of the security endpoint of the one of the plurality of isolated sovereign cloud computing environments.
  - 3. The method of claim 2, wherein the unique identifier of the security endpoint of the one of the plurality of isolated sovereign cloud computing environments is a fully qualified domain of the security endpoint of the one of the plurality of isolated sovereign cloud computing environments.
  - 4. The method of claim 1, wherein:
    - the information related to the identity of the user includes a user principal name (UPN) of the user;
      
      a domain name of the user is a substring of the UPN; and
      
      the authentication credential is a password.
  - 5. The method of claim 1, wherein the login request is received from the client device and includes a name of the user.
  - 6. The method of claim 1, further comprising, in response to the login request, requesting a name of the user from the client device.
  - 7. The method of claim 1, further comprising, in response to receiving an authentication token from the one of the plurality of isolated sovereign cloud computing environments:
    - validating the authentication token; and
      
      in response to successful validation of the authentication token, providing the identity token to the client device.
  - 8. The method of claim 7, further comprising, in response to successful validation of the authentication token:
    - generating the identity token and an access token; and
      
      transmitting the identity token and the access token to the client device.
  - 9. The method of claim 7, wherein validating the authentication token includes validating a signature of the authentication token based on a certificate corresponding to the one of the plurality of isolated sovereign cloud computing environments.
  - 10. The method of claim 1, further comprising, in response to successful validation of the authentication credential:
    - generating the identity token and an access token; and
      
      transmitting the identity token and the access token to the client device,wherein validating the authentication credential includes comparing the authentication credential to a credential corresponding to the user obtained from the directory service.

11. A security endpoint of a non-isolated public cloud computing environment that permits data access in accordance with a non-isolated scope, the security endpoint comprising:
- a computer-readable storage device configured to store computer-executable instructions; and
  
  a processing device configured to execute the computer-executable instructions, which upon execution by the processing device, control the security endpoint to perform;
  
  receiving a login request related to an application, wherein the application operates in the non-isolated public cloud computing environment, and wherein the login request corresponds to a user of the application;
  
  sending a lookup query to a directory service, wherein the lookup query includes information related to an identity of the user;
  
  receiving a lookup response from the directory service;
  
  in response to the lookup response indicating that the user belongs to the non-isolated public cloud computing environment;
  
  requesting an authentication credential from a client device of the user,validating the authentication credential, andin response to successful validation of the authentication credential, providing an identity token to the client device; and
  
  in response to the lookup response indicating that the user belongs to one of a plurality of isolated sovereign cloud computing environments, redirecting the client device to a security endpoint of the one of the plurality of isolated sovereign cloud computing environments, wherein the plurality of isolated sovereign cloud computing environments restrict data access in accordance with an isolated scope.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The security endpoint of claim 11, wherein the lookup response indicates that the user belongs to the one of the plurality of isolated sovereign cloud computing environments by including a unique identifier of the security endpoint of the one of the plurality of isolated sovereign cloud computing environments.
  - 13. The security endpoint of claim 12, wherein the unique identifier of the security endpoint of the one of the plurality of isolated sovereign cloud computing environments is a fully qualified domain of the security endpoint of the one of the plurality of isolated sovereign cloud computing environments.
  - 14. The security endpoint of claim 11, wherein:
    - the information related to the identity of the user includes a user principal name (UPN) of the user;
      
      a domain name of the user is a substring of the UPN; and
      
      the authentication credential is a password.
  - 15. The security endpoint of claim 11, wherein the login request is received from the client device and includes a name of the user.
  - 16. The security endpoint of claim 11, wherein the computer-executable instructions, when executed by the processing device, control the security endpoint to perform further steps including, in response to the login request, requesting a name of the user from the client device.
  - 17. The security endpoint of claim 11, wherein the computer-executable instructions, when executed by the processing device, control the security endpoint to perform further steps including, in response to receiving an authentication token from the one of the plurality of isolated sovereign cloud computing environments:
    - validating the authentication token; and
      
      in response to successful validation of the authentication token, providing the identity token to the client device.
  - 18. The security endpoint of claim 17, wherein the computer-executable instructions, when executed by the processing device, control the security endpoint to perform further steps including, in response to successful validation of the authentication token:
    - generating the identity token and an access token; and
      
      transmitting the identity token and the access token to the client device.
  - 19. The security endpoint of claim 17, wherein validating the authentication token includes validating a signature of the authentication token based on a certificate corresponding to the one of the plurality of isolated sovereign cloud computing environments.
  - 20. The security endpoint of claim 11, wherein:
    - the computer-executable instructions, when executed by the processing device, control the security endpoint to perform further steps including, in response to successful validation of the authentication credential;
      
      generating the identity token and an access token; and
      
      transmitting the identity token and the access token to the client device; and
      
      validating the authentication credential includes comparing the authentication credential to a credential corresponding to the user obtained from the directory service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Appiah, Madan Mohan R., Satagopan, Murli Dharan, Kryatov, Maksym
Primary Examiner(s)
Shehni, Ghazal B

Application Number

US15/622,005
Publication Number

US 20180359238A1
Time in Patent Office

917 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/951   Indexing; Web crawling tech...

H04L 63/0815   providing single-sign-on or...

H04L 63/0823   using certificates cryptogr...

H04L 63/083   using passwords cryptograph...

H04L 63/0853   using an additional device,...

Cross cloud application access

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Cross cloud application access

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links