LDAP-BASED MULTI-TENANT IN-CLOUD IDENTITY MANAGEMENT SYSTEM
Abstract
A multi-tenant identity management (IDM) system enables IDM functions to be performed relative to various different customers' domains within a shared cloud computing environment and without replicating a separate IDM system for each separate domain. The IDM system can provide IDM functionality to service instances located within various different customers' domains while enforcing isolation between those domains. A cloud-wide identity store implemented as a single LDAP directory can contain identity information for multiple customers' domains. This single LDAP directory can store identities for entities for all tenants, in separate partitions or subtrees of the LDAP directory, each such partition or subtree being dedicated to a separate identity domain for a tenant. Components of the cloud computing environment ensure that LDAP entries within a particular subtree are accessible only to service instances that have been deployed to the identity domain that corresponds to that particular subtree.
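As an added illustration (not code from the patent or its assignee), the following Python sketch shows the per-subtree access check the abstract describes: each identity domain owns one subtree under the shared root, each service instance is bound to one domain, and a request is permitted only when the target DN, compared RDN by RDN after normalization, lies inside that domain's subtree. It goes slightly beyond the abstract by handling escaped commas in DN values and by showing why a plain string-suffix test is not a safe substitute for component-wise matching. The DNs, domain names and the service-to-domain table are constructed assumptions.

```python
# Added example (not the patent's code): subtree-scoped access check for a
# multi-tenant LDAP directory. DNs, domains and the service table are constructed.

def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, honouring backslash escapes,
    and normalize case/whitespace so equivalent DNs compare equal."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):  # keep escaped char with its backslash
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":                       # an unescaped comma ends the RDN
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    out = []
    for rdn in rdns:
        attr, sep, val = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        out.append((attr.strip().lower(), val.strip().lower()))
    return out

def in_subtree(dn: str, base: str) -> bool:
    """True if dn is base itself or lies beneath it. Right-anchored match on
    parsed RDNs, so a sibling whose value merely ends with the base text fails."""
    d, b = parse_dn(dn), parse_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

# Constructed deployment: one subtree per identity domain under the shared
# root dc=cloud,dc=example; each service instance is deployed to one domain.
DOMAIN_SUBTREE = {
    "tenant-a": "dc=tenant-a,dc=cloud,dc=example",
    "tenant-b": "dc=tenant-b,dc=cloud,dc=example",
}
SERVICE_DOMAIN = {"crm-01": "tenant-a", "hr-07": "tenant-b"}

def authorize(service_instance: str, target_dn: str) -> bool:
    """Permit access only inside the deploying domain's subtree; deny the rest."""
    domain = SERVICE_DOMAIN.get(service_instance)
    if domain is None:
        return False
    return in_subtree(target_dn, DOMAIN_SUBTREE[domain])
```

The root node itself is denied to every instance because it is not inside any tenant's subtree, which matches the isolation property the abstract requires.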
20 Claims
1. A computer-implemented method comprising:
storing, in an LDAP directory having a root node, in a first directory subtree that descends from the root node, identities of entities that are associated with a first identity domain but not with a second identity domain;
storing, in the LDAP directory, in a second directory subtree that also descends from the root node but is separate from the first directory subtree, identities of entities that are associated with the second identity domain but not with the first identity domain;
preventing service instances that have been deployed to the first identity domain from accessing identities that are stored in the second directory subtree; and
preventing service instances that have been deployed to the second identity domain from accessing identities that are stored in the first directory subtree.
Dependent claims: 2, 3, 4, 5, 6, 7, 8.

9. A computer-readable storage memory storing particular instructions capable of causing one or more processors to perform specified operations, the particular instructions comprising:
instructions to store, in an LDAP directory having a root node, in a first directory subtree that descends from the root node, identities of entities that are associated with a first identity domain but not with a second identity domain;
instructions to store, in the LDAP directory, in a second directory subtree that also descends from the root node but is separate from the first directory subtree, identities of entities that are associated with the second identity domain but not with the first identity domain;
instructions to prevent service instances that have been deployed to the first identity domain from accessing identities that are stored in the second directory subtree; and
instructions to prevent service instances that have been deployed to the second identity domain from accessing identities that are stored in the first directory subtree.
Dependent claims: 10, 11, 12, 13, 14, 15, 16.

17. A system comprising:
one or more processors; and
a computer-readable storage memory that stores particular instructions comprising:
instructions to store, in an LDAP directory having a root node, in a first directory subtree that descends from the root node, identities of entities that are associated with a first identity domain but not with a second identity domain;
instructions to store, in the LDAP directory, in a second directory subtree that also descends from the root node but is separate from the first directory subtree, identities of entities that are associated with the second identity domain but not with the first identity domain;
instructions to prevent service instances that have been deployed to the first identity domain from accessing identities that are stored in the second directory subtree; and
instructions to prevent service instances that have been deployed to the second identity domain from accessing identities that are stored in the first directory subtree.
Dependent claims: 18, 19, 20.
Specification