EFFICIENT SINGLE SIGN-ON AND IDENTITY PROVIDER CONFIGURATION AND DEPLOYMENT IN A DATABASE SYSTEM

US 20110231919A1
Filed: 12/28/2010
Published: 09/22/2011
Est. Priority Date: 03/19/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of establishing single sign-on capabilities in a multi-tenant database system, the method comprising:

maintaining a cross-tenant and cross-user systemwide digital certificate at the multi-tenant database system;

receiving an instruction to create, for a user of the multi-tenant database system, a single sign-on link between a first organization of the multi-tenant database system and a second organization of the multi-tenant database system, the instruction identifying credential information for authenticating the user to the second organization; and

in response to receiving the instruction, using the cross-tenant and cross-user systemwide digital certificate to create the single sign-on link for the user.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Various techniques and procedures related to user authentication, identity providers, and single sign-on (SSO) are presented here. One approach creates an SSO link between two organizations in a streamlined manner using an internal cross-user systemwide digital certificate, and without processing any user-created, user-uploaded, or user-assigned digital certificates. Another approach presented here configures an identity provider service for an entity or organization by processing a single user command. The identity provider service is automatically configured in the background without processing any additional user commands, user instructions, or user-entered data.

162 Citations

View as Search Results

32 Claims

1. A computer-implemented method of establishing single sign-on capabilities in a multi-tenant database system, the method comprising:
- maintaining a cross-tenant and cross-user systemwide digital certificate at the multi-tenant database system;
  
  receiving an instruction to create, for a user of the multi-tenant database system, a single sign-on link between a first organization of the multi-tenant database system and a second organization of the multi-tenant database system, the instruction identifying credential information for authenticating the user to the second organization; and
  
  in response to receiving the instruction, using the cross-tenant and cross-user systemwide digital certificate to create the single sign-on link for the user.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising authenticating the user to the first organization, wherein receiving the instruction occurs after authenticating the user to the first organization and while the user is an authenticated user of the first organization.
  - 3. The method of claim 1, wherein the single sign-on link is created without processing a user-assigned digital certificate.
  - 4. The method of claim 1, wherein the multi-tenant database system creates the single sign-on link in response to receiving the instruction and without processing any additional user commands, user instructions, or user-entered data.
  - 5. The method of claim 1, wherein the single sign-on link for the user is bidirectional between the first organization and the second organization.
  - 6. The method of claim 1, further comprising:
    - associating the cross-tenant and cross-user systemwide digital certificate with the user and the single sign-on link; and
      
      configuring the single sign-on link such that the cross-tenant and cross-user systemwide digital certificate is provided with single sign-on assertions for the user between the first organization and the second organization.
  - 7. The method of claim 1, further comprising:
    - after creating the single sign-on link, obtaining a user command to navigate from an authenticated state in the first organization to the second organization;
      
      in response to the user command, generating a Security Assertion Markup Language (SAML) assertion on behalf of the user, using the single sign-on link;
      
      retrieving the cross-tenant and cross-user systemwide digital certificate; and
      
      including the cross-tenant and cross-user systemwide digital certificate with the SAML assertion.

8. A single sign-on method for a computer-implemented database system, the method comprising:
- authenticating a user to a first organization supported by the database system;
  
  thereafter, receiving credential information for authenticating the user to a second organization supported by the database system;
  
  obtaining a user instruction to link, for the user, the first organization to the second organization;
  
  in response to receiving the user instruction, and without requiring a user-assigned digital certificate, creating a single sign-on link for the user between the first organization and the second organization.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16)
- - 9. The method of claim 8, wherein:
    - the database system comprises a multi-tenant database system;
      
      the first organization is a first tenant of the multi-tenant database system; and
      
      the second organization is a second tenant of the multi-tenant database system.
  - 10. The method of claim 8, wherein the single sign-on link is bidirectional between the first organization and the second organization.
  - 11. The method of claim 8, wherein creating the single sign-on link is initiated by the user instruction and in the absence of any additional user commands or user-entered data.
  - 12. The method of claim 8, wherein creating the single sign-on link comprises:
    - retrieving a cross-tenant systemwide digital certificate;
      
      associating the cross-tenant systemwide digital certificate with the user and the single sign-on link; and
      
      configuring the single sign-on link such that the cross-tenant systemwide digital certificate is provided with single sign-on assertions for the user between the first organization and the second organization.
  - 13. The method of claim 8, further comprising validating the credential information for authenticating the user to the second organization, wherein creating the single sign-on link is performed in response to the validating.
  - 14. The method of claim 8, further comprising:
    - after creating the single sign-on link, obtaining a user command to navigate from an authenticated state in the first organization to the second organization; and
      
      in response to the user command, generating a single sign-on assertion for the second organization using the single sign-on link.
  - 15. The method of claim 14, wherein generating the single sign-on assertion comprises issuing a Security Assertion Markup Language (SAML) assertion on behalf of the user.
  - 16. The method of claim 15, further comprising retrieving a cross-tenant systemwide digital certificate, wherein the SAML assertion contains the cross-tenant systemwide digital certificate.

17. A computer system comprising a processor and a memory, wherein the memory comprises computer-executable instructions that, when executed by the processor, cause the computer system to:
- authenticate a user for access to a first organization supported by the database system;
  
  receive an instruction to create a single sign-on link for the user between the first organization and a second organization supported by the database system, wherein the instruction is issued while the user is an authenticated user of the first organization, and wherein the instruction includes or identifies credential information for authenticating the user to the second organization; and
  
  in response to receiving the instruction, create the single sign-on link using an internal cross-user systemwide digital certificate, and without processing any user-created, user-uploaded, or user-assigned digital certificates.
- View Dependent Claims (18, 19, 20)
- - 18. The computer system of claim 17, wherein the computer-executable instructions cause the computer system to create a bidirectional single sign-on link between the first organization and the second organization.
  - 19. The computer system of claim 17, wherein the computer-executable instructions cause the computer system to validate the credential information for authenticating the user to the second organization, wherein creating the single sign-on link is performed after the validating.
  - 20. The computer system of claim 17, wherein the computer-executable instructions cause the computer system to:
    - associate the internal cross-user systemwide digital certificate with the user and the single sign-on link; and
      
      configure the single sign-on link such that the internal cross-user systemwide digital certificate is provided with single sign-on assertions for the user between the first organization and the second organization.

21. A method of deploying an identity provider service for a computer-implemented system, the method comprising:
- receiving a user command;
  
  in response to receiving the user command, and without processing any additional user commands, user instructions, or user-entered data at the computer-implemented system, creating the identity provider service at the computer-implemented system; and
  
  after creating the identity provider service, and without processing any additional user commands, user instructions, or user-entered data at the computer-implemented system, configuring the identity provider service to allow the computer-implemented system to publish electronic identity information for its users.
- View Dependent Claims (22, 23, 24, 25, 26, 27)
- - 22. The method of claim 21, further comprising providing a graphical user interface (GUI) element, wherein the user command is issued in response to activation of the GUI element.
  - 23. The method of claim 22, further comprising providing a markup language document for presentation to a user, the markup language document defining the GUI element.
  - 24. The method of claim 23, wherein the markup language document defines a webpage.
  - 25. The method of claim 21, wherein creating the identity provider service comprises:
    - creating a self-signed digital certificate; and
      
      associating the self-signed digital certificate with the identity provider service.
  - 26. The method of claim 25, wherein creating the self-signed digital certificate comprises:
    - retrieving, with the computer-implemented system, descriptive data for an entity hosting the identity provider service; and
      
      populating data fields of the self-signed certificate with at least some of the descriptive data.
  - 27. The method of claim 26, wherein creating the self-signed digital certificate further comprises constructing a name for the self-signed digital certificate, using at least some of the descriptive data.

28. A computer-implemented method of publishing electronic identity information for a user, the method comprising:
- providing a first markup language document for presentation to the user, the first markup language document defining an active graphical user interface (GUI) element;
  
  receiving a user command that indicates activation of the active GUI element;
  
  in response to receiving the user command, and without requiring any additional user commands, user instructions, or user-entered data, creating an identity provider service at the computer-implemented system; and
  
  thereafter, providing a second markup language document for presentation to the user, the second markup language document confirming successful configuration of the identity provider service.
- View Dependent Claims (29, 30, 31, 32)
- - 29. The method of claim 28, further comprising authenticating the user before providing the first markup language document.
  - 30. The method of claim 28, wherein:
    - the first markup language document comprises a first web page that includes the active GUI element; and
      
      the second markup language document comprises a second web page that includes a confirmation notification.
  - 31. The method of claim 28, wherein creating the identity provider service comprises:
    - retrieving, with the computer-implemented system, descriptive data for an entity hosting the identity provider service;
      
      creating a self-signed digital certificate from at least some of the descriptive data; and
      
      associating the self-signed digital certificate with the identity provider service.
  - 32. The method of claim 28, further comprising operating the identity provider service to assert electronic identity information for the user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Salesforce.com, Inc.
Original Assignee
Salesforce.com, Inc.
Inventors
Vangpat, Alan, Chabbewal, Harsimranjit

Granted Patent

US 8,566,917 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/8
CPC Class Codes

G06F 21/31   User authentication

G06F 21/41   where a single sign-on prov...

H04L 63/0815   providing single-sign-on or...

EFFICIENT SINGLE SIGN-ON AND IDENTITY PROVIDER CONFIGURATION AND DEPLOYMENT IN A DATABASE SYSTEM

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

162 Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

EFFICIENT SINGLE SIGN-ON AND IDENTITY PROVIDER CONFIGURATION AND DEPLOYMENT IN A DATABASE SYSTEM

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

162 Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links