Domain pass-through authentication in a hybrid cloud environment

US 10,673,837 B2
Filed: 06/01/2018
Issued: 06/02/2020
Est. Priority Date: 06/01/2018
Status: Active Grant

First Claim

Patent Images

1. A computing platform, comprising:

at least one processor;

a communication interface communicatively coupled to the at least one processor; and

memory storing computer-readable instructions that, when executed by the at least one processor, cause the computing platform to;

establish, with an external cloud computing platform, a first network connection;

send, to the external cloud computing platform and while the first network connection is established, a registration request corresponding to each of a plurality of resource location connectors wherein the registration request corresponding to each of the plurality of resource location connectors causes a resource location service (RLS) endpoint corresponding to each of the plurality of resource location connectors to be stored at a cloud configuration service at the external cloud computing host platform;

establish, with a user device, a second network connection;

receive, for each of the plurality of resource location connectors, a request for a resource location identifier corresponding to each of the plurality of resource location connectors;

determine an accessible resource location connector, where the accessible resource location connector comprises one of the plurality of resource location connectors that is accessible;

send, to the user device and while the second network connection is established, a resource location identifier corresponding to the accessible resource location connector;

receive, from the user device, a domain pass-through authentication request;

determine, using an authentication agent corresponding to the accessible resource location connector, a user identity;

send, to a ticketing service stored on the external cloud computing platform, the user identity;

receive, from the ticketing service stored on the external cloud computing platform, a one-time domain pass-through authentication ticket; and

send, to the user device, the one-time domain pass-through authentication ticket, wherein sending the one-time domain pass-through authentication ticket to the user device allows the user device to perform domain pass-through authentication with the external cloud computing platform and to access protected resources on the external cloud computing platform.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Aspects of the disclosure relate to processing systems using improved domain pass-through authentication techniques. A computing platform may send, to an external cloud computing platform, one or more registration requests that each may cause an RLS endpoint corresponding to each of a plurality of resource location connectors to be stored at the external cloud computing host platform. The computing platform may receive one or more requests for a resource location identifier. The computing platform may determine an accessible resource location connector and may send, to the user device, a corresponding resource location identifier. After receiving a pass-through authentication request, the computing platform may receive, from the ticketing service stored on the external cloud computing platform, a one-time ticket. The computing platform may send, to the user device, the one-time ticket, which may allow the user device to perform pass-through authentication with the external cloud computing platform.

Citations

20 Claims

1. A computing platform, comprising:
- at least one processor;
  
  a communication interface communicatively coupled to the at least one processor; and
  
  memory storing computer-readable instructions that, when executed by the at least one processor, cause the computing platform to;
  
  establish, with an external cloud computing platform, a first network connection;
  
  send, to the external cloud computing platform and while the first network connection is established, a registration request corresponding to each of a plurality of resource location connectors wherein the registration request corresponding to each of the plurality of resource location connectors causes a resource location service (RLS) endpoint corresponding to each of the plurality of resource location connectors to be stored at a cloud configuration service at the external cloud computing host platform;
  
  establish, with a user device, a second network connection;
  
  receive, for each of the plurality of resource location connectors, a request for a resource location identifier corresponding to each of the plurality of resource location connectors;
  
  determine an accessible resource location connector, where the accessible resource location connector comprises one of the plurality of resource location connectors that is accessible;
  
  send, to the user device and while the second network connection is established, a resource location identifier corresponding to the accessible resource location connector;
  
  receive, from the user device, a domain pass-through authentication request;
  
  determine, using an authentication agent corresponding to the accessible resource location connector, a user identity;
  
  send, to a ticketing service stored on the external cloud computing platform, the user identity;
  
  receive, from the ticketing service stored on the external cloud computing platform, a one-time domain pass-through authentication ticket; and
  
  send, to the user device, the one-time domain pass-through authentication ticket, wherein sending the one-time domain pass-through authentication ticket to the user device allows the user device to perform domain pass-through authentication with the external cloud computing platform and to access protected resources on the external cloud computing platform.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computing platform of claim 1, wherein the memory stores additional computer-readable instructions that, when executed by the at least one processor, further cause the computing platform to:
    - perform, between the authentication agent and an authentication service stored at the external cloud computing host platform, a public-private key exchange;
      
      encrypt, using a public key from the authentication service, the user identity;
      
      generate a secure token including the encrypted user identity, wherein generating the secure token comprises signing the secure token with a private key corresponding to the authentication agent; and
      
      send, to the user device and while the second network connection is established, the secure token, wherein sending the secure token to the user device allows the user device to perform domain pass-through authentication with the external cloud computing platform and to access protected resources on the external cloud computing platform.
  - 3. The computing platform of claim 2, wherein the memory stores additional computer-readable instructions that, when executed by the at least one processor, further cause the computing platform to:
    - determine, after sending the one-time domain pass-through authentication ticket, that the domain pass-through authentication between the user device and the external cloud computing host platform was unsuccessful.
  - 4. The computing platform of claim 3, wherein performing the public-private key exchange comprises performing the public-private key exchange in response to determining that the domain pass-through authentication between the user device and the external cloud computing host platform was unsuccessful.
  - 5. The computing platform of claim 1, wherein the computing platform comprises an internal cloud computing host platform that includes an active directory and one or more cloud connectors, wherein the one or more cloud connectors each include a resource location service and an authentication agent, and wherein the authentication agent is connected to the active directory.
  - 6. The computing platform of claim 1, wherein the memory stores additional computer-readable instructions that, when executed by the at least one processor, further cause the computing platform to:
    - determine a second accessible resource location connector, where the second accessible resource location connector comprises one of the plurality of resource location connectors that is accessible;
      
      send, to the user device and while the second network connection is established, a second resource location identifier corresponding to the second accessible resource location connector; and
      
      determine that a latency level corresponding to the second accessible resource location connector is higher than a latency level corresponding to the accessible resource location connector.
  - 7. The computing platform of claim 6, wherein receiving the domain pass-through authentication request comprises receiving, based on the determination that the latency level corresponding to the second accessible resource location connector is higher than the latency level corresponding to the accessible resource location connector, the domain pass-through authentication request by the authentication agent corresponding to the accessible resource location connector.

8. A method comprising:
- at a computing platform comprising at least one processor, a communication interface, and memory;
  
  establishing, with an external cloud computing platform, a first network connection;
  
  sending, to the external cloud computing platform and while the first network connection is established, a registration request corresponding to each of a plurality of resource location connectors wherein the registration request corresponding to each of the plurality of resource location connectors causes a resource location service (RLS) endpoint corresponding to each of the plurality of resource location connectors to be stored at a cloud configuration service at the external cloud computing host platform;
  
  establishing, with a user device, a second network connection;
  
  receiving, for each of the plurality of resource location connectors, a request for a resource location identifier corresponding to each of the plurality of resource location connectors;
  
  determining an accessible resource location connector, where the accessible resource location connector comprises one of the plurality of resource location connectors that is accessible;
  
  sending, to the user device and while the second network connection is established, a resource location identifier corresponding to the accessible resource location connector;
  
  receiving, from the user device, a domain pass-through authentication request;
  
  determining, using an authentication agent corresponding to the accessible resource location connector, a user identity;
  
  sending, to a ticketing service stored on the external cloud computing platform, the user identity;
  
  receiving, from the ticketing service stored on the external cloud computing platform, a one-time domain pass-through authentication ticket; and
  
  sending, to the user device, the one-time domain pass-through authentication ticket, wherein sending the one-time domain pass-through authentication ticket to the user device allows the user device to perform domain pass-through authentication with the external cloud computing platform and to access protected resources on the external cloud computing platform.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8, further comprising:
    - performing, between the authentication agent and an authentication service stored at the external cloud computing host platform, a public-private key exchange;
      
      encrypting, using a public key from the authentication service, the user identity;
      
      generating a secure token including the encrypted user identity, wherein generating the secure token comprises signing the secure token with a private key corresponding to the authentication agent; and
      
      sending, to the user device and while the second network connection is established, the secure token, wherein sending the secure token to the user device allows the user device to perform domain pass-through authentication with the external cloud computing platform and to access protected resources on the external cloud computing platform.
  - 10. The method of claim 9, further comprising:
    - determining, after sending the one-time domain pass-through authentication ticket, that the domain pass-through authentication between the user device and the external cloud computing host platform was unsuccessful.
  - 11. The method of claim 10, wherein performing the public-private key exchange comprises performing the public-private key exchange in response to determining that the domain pass-through authentication between the user device and the external cloud computing host platform was unsuccessful.
  - 12. The method of claim 8, wherein the computing platform comprises an internal cloud computing host platform that includes an active directory and one or more cloud connectors, wherein the one or more cloud connectors each include a resource location service and an authentication agent, and wherein the authentication agent is connected to the active directory.
  - 13. The method of claim 8, further comprising:
    - determining a second accessible resource location connector, where the second accessible resource location connector comprises one of the plurality of resource location connectors that is accessible;
      
      sending, to the user device and while the second network connection is established, a second resource location identifier corresponding to the second accessible resource location connector; and
      
      determining that a latency level corresponding to the second accessible resource location connector is higher than a latency level corresponding to the accessible resource location connector.
  - 14. The method of claim 13, wherein receiving the domain pass-through authentication request comprises receiving, based on the determination that the latency level corresponding to the second accessible resource location connector is higher than the latency level corresponding to the accessible resource location connector, the domain pass-through authentication request by the authentication agent corresponding to the accessible resource location connector.

15. One or more non-transitory computer-readable media storing instructions that, when executed by a computing platform comprising at least one processor, a communication interface, and memory, cause the computing platform to:
- establish, with an external cloud computing platform, a first network connection;
  
  send, to the external cloud computing platform and while the first network connection is established, a registration request corresponding to each of a plurality of resource location connectors wherein the registration request corresponding to each of the plurality of resource location connectors causes a resource location service (RLS) endpoint corresponding to each of the plurality of resource location connectors to be stored at a cloud configuration service at the external cloud computing host platform;
  
  establish, with a user device, a second network connection;
  
  receive, for each of the plurality of resource location connectors, a request for a resource location identifier corresponding to each of the plurality of resource location connectors;
  
  determine an accessible resource location connector, where the accessible resource location connector comprises one of the plurality of resource location connectors that is accessible;
  
  send, to the user device and while the second network connection is established, a resource location identifier corresponding to the accessible resource location connector;
  
  receive, from the user device, a domain pass-through authentication request;
  
  determine, using an authentication agent corresponding to the accessible resource location connector, a user identity;
  
  send, to a ticketing service stored on the external cloud computing platform, the user identity;
  
  receive, from the ticketing service stored on the external cloud computing platform, a one-time domain pass-through authentication ticket; and
  
  send, to the user device, the one-time domain pass-through authentication ticket, wherein sending the one-time domain pass-through authentication ticket to the user device allows the user device to perform domain pass-through authentication with the external cloud computing platform and to access protected resources on the external cloud computing platform.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The one or more non-transitory computer-readable media of claim 15, wherein the memory stores additional instructions, that when executed by the at least one processor, cause the at least one processor to:
    - perform, between the authentication agent and an authentication service stored at the external cloud computing host platform, a public-private key exchange;
      
      encrypt, using a public key from the authentication service, the user identity;
      
      generate a secure token including the encrypted user identity, wherein generating the secure token comprises signing the secure token with a private key corresponding to the authentication agent; and
      
      send, to the user device and while the second network connection is established, the secure token, wherein sending the secure token to the user device allows the user device to perform domain pass-through authentication with the external cloud computing platform and to access protected resources on the external cloud computing platform.
  - 17. The one or more non-transitory computer-readable media of claim 16, wherein the memory stores additional instructions, that when executed by the at least one processor, cause the at least one processor to:
    - determine, after sending the one-time domain pass-through authentication ticket, that the domain pass-through authentication between the user device and the external cloud computing host platform was unsuccessful.
  - 18. The one or more non-transitory computer-readable media of claim 17, wherein performing the public-private key exchange comprises performing the public-private key exchange in response to determining that the domain pass-through authentication between the user device and the external cloud computing host platform was unsuccessful.
  - 19. The one or more non-transitory computer-readable media of claim 15, wherein the computing platform comprises an internal cloud computing host platform that includes an active directory and one or more cloud connectors, wherein the one or more cloud connectors each include a resource location service and an authentication agent, and wherein the authentication agent is connected to the active directory.
  - 20. The one or more non-transitory computer-readable media of claim 15, wherein the memory stores additional computer-readable instructions that, when executed by the at least one processor, further cause the computing platform to:
    - determine a second accessible resource location connector, where the second accessible resource location connector comprises one of the plurality of resource location connectors that is accessible;
      
      send, to the user device and while the second network connection is established, a second resource location identifier corresponding to the second accessible resource location connector; and
      
      determine that a latency level corresponding to the second accessible resource location connector is higher than a latency level corresponding to the accessible resource location connector.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Huang, Feng
Primary Examiner(s)
Pyzocha, Michael

Application Number

US15/995,540
Publication Number

US 20190372960A1
Time in Patent Office

732 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/31   User authentication

G06F 21/335   for accessing specific reso...

G06F 21/6218   to a system of files or obj...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/0884   by delegation of authentica...

H04L 63/0892   by using authentication-aut...

H04L 63/101   Access control lists [ACL]

H04L 63/102   Entity profiles

H04L 67/10   in which an application is ...

H04L 67/1001   for accessing one among a p...

H04L 67/1097   for distributed storage of ...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3228   One-time or temporary data,...

H04L 9/3234   involving additional secure...

H04L 9/3247   involving digital signatures

H04W 12/06   Authentication

Domain pass-through authentication in a hybrid cloud environment

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Domain pass-through authentication in a hybrid cloud environment

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links