Multi-tenancy identity management system
First Claim
1. A computer-implemented method comprising:
- creating, in a multi-tenant computing environment including a plurality of computing devices providing services to a plurality of customers, a first identity domain using an identity management (IDM) system configured to authenticate identities of users and authorize access to system resources, wherein the multi-tenant computing environment is a cloud computing environment, and wherein the identity management system is partitioned into a plurality of identity domains;
- binding the first identity domain, that is created for a first customer of the plurality of customers, to identification information comprising a first uniform resource locator (URL) that is associated with the first identity domain, and wherein the first URL provides the first customer access to the first identity domain and services of the first identity domain;
- associating, using the identity management system, a first plurality of services and one or more policies associated with a host machine for accessing the first plurality of services with the first identity domain, wherein associating the first plurality of services with the first identity domain comprises provisioning an instance of a service from among the first plurality of services to the first identity domain, and wherein access to the first plurality of services associated with the first identity domain is provided via the first URL when the customer satisfies the one or more policies associated with the host machine;
- storing, in a first partition of a centralized identity store of the identity management system, identities and identity definitions of a first set of users using the identity management system;
- associating, using the identity management system, the identities of the first set of users with the first plurality of services;
- creating, in the multi-tenant computing environment using the identity management system, a second identity domain for the first customer that is isolated from the first identity domain, wherein the second identity domain comprises a second uniform resource locator (URL) that is associated with the second identity domain, and wherein the second URL provides the first customer access to the second identity domain;
- associating, using the identity management system, a second plurality of services and one or more policies for accessing the second plurality of services with the second identity domain, wherein associating the second plurality of services with the second identity domain comprises provisioning an instance of a service from among the second plurality of services to the second identity domain;
- storing, in a second partition of the centralized identity store, identities and identity definitions of a second set of users using the identity management system, wherein the second set of users is different from the first set of users; and
- associating, using the identity management system, the identities of the second set of users with the second plurality of services.
Abstract
A multi-tenant identity management (IDM) system enables IDM functions to be performed relative to various different customers' domains within a shared cloud computing environment and without replicating a separate IDM system for each separate domain. The IDM system can provide IDM functionality to service instances located within various different customers' domains while enforcing isolation between those domains. A cloud-wide identity store can contain identity information for multiple customers' domains, and a cloud-wide policy store can contain security policy information for multiple customers' domains. The multi-tenant IDM system can provide a delegation model in which a domain administrator can be appointed for each domain, and in which each domain administrator can delegate certain roles to other user identities belonging to his domain. Service instance-specific administrators can be appointed by a domain administrator to administer specific service instances within a domain.
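As an added illustration (not code from the patent or from any assignee's product), the following Python sketch models the architecture set out in the first claim and the abstract: one centralized identity store split into a partition per identity domain, each domain bound to its own URL, service instances provisioned into exactly one domain with a host-machine policy, and a delegation model in which a domain administrator can only delegate roles or appoint instance administrators inside its own partition. Every class, domain, URL and user name below is hypothetical; the sample data is constructed for the demo.

```python
"""Toy model of a partitioned multi-tenant IDM. Added example, not the patent's code;
all names are hypothetical. Every decision is scoped to the identity domain that the
request URL is bound to, so identities and policies of other partitions are never read."""
from dataclasses import dataclass, field
from typing import Callable


class IsolationViolation(Exception):
    """Raised when an operation would reach across identity-domain boundaries."""


@dataclass
class Identity:
    roles: set = field(default_factory=set)
    services: set = field(default_factory=set)  # service instances this identity may use


@dataclass
class IdentityDomain:
    customer: str
    url: str
    admin: str                                    # domain administrator set at creation
    services: dict = field(default_factory=dict)  # service name -> host-machine policy


class MultiTenantIDM:
    def __init__(self):
        self.domains: dict[str, IdentityDomain] = {}
        self.url_index: dict[str, str] = {}  # URL -> domain name (the "binding" step)
        self.identity_store: dict[str, dict[str, Identity]] = {}  # one partition per domain

    def create_domain(self, name, customer, url, admin):
        if name in self.domains or url in self.url_index:
            raise ValueError("domain names and URLs must be unique cloud-wide")
        self.domains[name] = IdentityDomain(customer, url, admin)
        self.url_index[url] = name
        self.identity_store[name] = {admin: Identity(roles={"domain_admin"})}

    def provision_service(self, domain, service, host_policy: Callable[[dict], bool]):
        """Provision a service instance into one domain together with its host-access policy."""
        self.domains[domain].services[service] = host_policy

    def add_user(self, domain, user):
        self.identity_store[domain].setdefault(user, Identity())

    def _identity(self, domain, user) -> Identity:
        """Look a user up in one partition only; the same username elsewhere does not count."""
        if user not in self.identity_store.get(domain, {}):
            raise IsolationViolation(f"{user!r} is not an identity in domain {domain!r}")
        return self.identity_store[domain][user]

    def delegate_role(self, domain, delegator, grantee, role):
        """A domain administrator delegates a role, only to identities in the same partition."""
        if "domain_admin" not in self._identity(domain, delegator).roles:
            raise PermissionError(f"{delegator!r} is not the domain administrator of {domain!r}")
        self._identity(domain, grantee).roles.add(role)

    def appoint_instance_admin(self, domain, delegator, service, user):
        """The domain administrator appoints an admin for one service instance of the domain."""
        if service not in self.domains[domain].services:
            raise KeyError(f"{service!r} is not provisioned in {domain!r}")
        self.delegate_role(domain, delegator, user, f"admin:{service}")

    def grant_service(self, domain, granter, user, service):
        """Associate an identity with a service instance; requires the instance or domain admin."""
        if not {"domain_admin", f"admin:{service}"} & self._identity(domain, granter).roles:
            raise PermissionError(f"{granter!r} may not administer {service!r} in {domain!r}")
        if service not in self.domains[domain].services:
            raise KeyError(f"{service!r} is not provisioned in {domain!r}")
        self._identity(domain, user).services.add(service)

    def authorize(self, url, user, service, host_attrs) -> bool:
        """Access via a URL is decided solely inside the domain bound to that URL."""
        domain = self.url_index.get(url)
        if domain is None:
            return False
        identity = self.identity_store[domain].get(user)
        policy = self.domains[domain].services.get(service)
        if identity is None or policy is None:
            return False
        return service in identity.services and policy(host_attrs)


def demo():
    """Two isolated domains for one customer (constructed data); returns the decisions."""
    idm = MultiTenantIDM()
    idm.create_domain("acme-prod", "acme", "https://prod.acme.example/", "alice")
    idm.create_domain("acme-dev", "acme", "https://dev.acme.example/", "dave")
    idm.provision_service("acme-prod", "crm", lambda h: h.get("network") == "corp")
    idm.provision_service("acme-dev", "crm", lambda h: True)
    idm.add_user("acme-prod", "bob")
    idm.add_user("acme-prod", "carol")
    idm.add_user("acme-dev", "carol")  # a distinct identity that merely shares the name
    idm.appoint_instance_admin("acme-prod", "alice", "crm", "bob")
    idm.grant_service("acme-prod", "bob", "carol", "crm")
    prod, dev = "https://prod.acme.example/", "https://dev.acme.example/"
    results = {
        "carol_prod_corp": idm.authorize(prod, "carol", "crm", {"network": "corp"}),
        "carol_prod_public": idm.authorize(prod, "carol", "crm", {"network": "public"}),
        "carol_dev": idm.authorize(dev, "carol", "crm", {"network": "corp"}),
    }
    try:  # alice administers acme-prod; she holds no identity in acme-dev
        idm.delegate_role("acme-dev", "alice", "carol", "reader")
        results["cross_domain_delegation"] = "allowed"
    except IsolationViolation:
        results["cross_domain_delegation"] = "blocked"
    return results
```

The point of the sketch is that isolation is a property of the lookup path, not of the data: `authorize` resolves the URL to one domain and then reads only that domain's partition and policy table, so the `carol` identity in `acme-dev` gains nothing from the grants made to `carol` in `acme-prod`, and a domain administrator's authority stops at the edge of the partition that holds his identity.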
172 Citations
27 Claims
1. A computer-implemented method comprising: (independent claim 1, reproduced in full under First Claim above; claims 2 to 25 depend from it)
26. A non-transitory computer-readable storage medium storing instructions, the instructions, when executed by one or more processors, causing the one or more processors to:
create, in a multi-tenant computing environment including a plurality of computing devices providing services to a plurality of customers, a first identity domain using an identity management (IDM) system configured to authenticate identities of users and authorize access to system resources, wherein the multi-tenant computing environment is a cloud computing environment, and wherein the identity management system is partitioned into a plurality of identity domains; bind the first identity domain, that is created for a first customer of the plurality of customers, to identification information comprising a first uniform resource locator (URL) that is associated with the first identity domain and wherein the first URL provides the first customer access to the first identity domain and services of the first identity domain; associate, using the identity management system, a first plurality of services and one or more policies associated with a host machine for accessing the first plurality of services with the first identity domain, wherein associating the first plurality of services with the first identity domain comprises provisioning an instance of a service from among the first plurality of services to the first identity domain, and wherein access to the first plurality of services associated with the first identity domain is provided via the first URL when the customer satisfies the one or more policies associated with the host machine; store, in a first partition of a centralized identity store of the identity management system, identities and identity definitions of a first set of users using the identity management system; associate, using the identity management system, the identities of the first set of users with the first plurality of services; create, in the multi-tenant computing environment using the identity management system, a second identity domain for the first customer that is isolated from the first identity domain, wherein the second identity domain comprises a second uniform resource locator (URL) that is associated with the second identity domain, and wherein the second URL provides the first customer access to the second identity domain; associate, using the identity management system, a second plurality of services and one or more policies for accessing the second plurality of services with the second identity domain, wherein associating the second plurality of services with the second identity domain comprises provisioning an instance of a service from among the second plurality of services to the second identity domain; store, in a second partition of the centralized identity store, identities and identity definitions of a second set of users using the identity management system, wherein the second set of users is different from the first set of users; and associate, using the identity management system, the identities of the second set of users with the second plurality of services.
27. A system comprising:
one or more processors; and a computer-readable storage memory that stores instructions comprising: creating, in a multi-tenant computing environment including a plurality of computing devices providing services to a plurality of customers, a first identity domain using an identity management (IDM) system configured to authenticate identities of users and authorize access to system resources, wherein the multi-tenant computing environment is a cloud computing environment, and wherein the identity management system is partitioned into a plurality of identity domains; binding the first identity domain, that is created for a first customer of the plurality of customers, to identification information comprising a first uniform resource locator (URL) that is associated with the first identity domain, and wherein the first URL provides the first customer access to the first identity domain and services of the first identity domain; associating, using the identity management system, a first plurality of services and one or more policies associated with a host machine for accessing the first plurality of services with the first identity domain, wherein associating the first plurality of services with the first identity domain comprises provisioning an instance of a service from among the first plurality of services to the first identity domain, and wherein access to the first plurality of services associated with the first identity domain is provided via the first URL when the customer satisfies the one or more policies associated with the host machine; storing, in a first partition of a centralized identity store of the identity management system, identities and identity definitions of a first set of users using the identity management system; associating, using the identity management system, the identities of the first set of users with the first plurality of services; creating, in the multi-tenant computing environment using the identity management system, a second identity domain for the first customer that is isolated from the first identity domain, wherein the second identity domain comprises a second uniform resource locator (URL) that is associated with the second identity domain, and wherein the second URL provides the first customer access to the second identity domain; associating, using the identity management system, a second plurality of services and one or more policies for accessing the second plurality of services with the second identity domain, wherein associating the second plurality of services with the second identity domain comprises provisioning an instance of a service from among the second plurality of services to the second identity domain; storing, in a second partition of the centralized identity store, identities and identity definitions of a second set of users using the identity management system, wherein the second set of users is different from the first set of users; and associating, using the identity management system, the identities of the second set of users with the second plurality of services.
Specification