IDENTITY POOL BRIDGING FOR MANAGED DIRECTORY SERVICES

US 20150135272A1
Filed: 12/05/2013
Published: 05/14/2015
Est. Priority Date: 11/11/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for identity pool bridging, comprising:

under the control of one or more computer systems configured with executable instructions,enabling a user to utilize a set of credentials to access an interface provided by a computing resource service provider to access a managed directory service;

receiving, at the computing resource service provider, a first request from the user to create an identity pool within the managed directory service of the computing resource service provider, the first request comprising information based at least in part on the set of credentials;

as a result of the first request, creating, at the managed directory service, the identity pool and a shadow administrative account within the identity pool, the shadow administrative account usable for managing access to a directory within the managed directory service;

transmitting, through the computing resource service provider and to the managed directory service, a second request from the user to obtain a directory token for accessing the shadow administrative account;

receiving the directory token from the managed directory service; and

enabling the user to utilize the received directory token to perform actions within the directory.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A customer of a computing resource service provider may utilize a set of credentials to request creation of an identity pool within a managed directory service. Accordingly, the managed directory service may create the identity pool. Instead of having the customer create a separate account within this identity pool, the managed directory service may create a shadow administrator account within the identity pool, which may be used to manage other users and resources in the identity pool within the managed directory service. The managed directory service further exposes an application programming interface command that may be used to obtain a set of credentials for accessing the shadow administrator account. The customer may use this command to receive the set of credentials and access the shadow administrator account. Accordingly, the customer can manage users and resources in the identity pool within the managed directory service.

21 Citations

View as Search Results

20 Claims

1. A computer-implemented method for identity pool bridging, comprising:
- under the control of one or more computer systems configured with executable instructions,enabling a user to utilize a set of credentials to access an interface provided by a computing resource service provider to access a managed directory service;
  
  receiving, at the computing resource service provider, a first request from the user to create an identity pool within the managed directory service of the computing resource service provider, the first request comprising information based at least in part on the set of credentials;
  
  as a result of the first request, creating, at the managed directory service, the identity pool and a shadow administrative account within the identity pool, the shadow administrative account usable for managing access to a directory within the managed directory service;
  
  transmitting, through the computing resource service provider and to the managed directory service, a second request from the user to obtain a directory token for accessing the shadow administrative account;
  
  receiving the directory token from the managed directory service; and
  
  enabling the user to utilize the received directory token to perform actions within the directory.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computer-implemented method of claim 1, wherein the shadow administrative account is further usable to manage one or more resources in a directory within the managed directory service.
  - 3. The computer-implemented method of claim 1, wherein enabling the user to utilize the set of credentials to access the interface provided by the computing resource service provider to access the managed directory service is contingent on verifying, at an identity management service provided by the computing resource service provider, that the user is authorized to access the managed directory service.
  - 4. The computer-implemented method of claim 1, wherein the user can delegate access to the managed directory service to other users by defining, at an identity management service provided by the computing resource service provider, one or more policies for the other users.
  - 5. The computer-implemented method of claim 1, wherein the user is a principal within an identity management service identity pool, the identity management service identity pool usable for managing access to one or more services of the computing resource service provider.
  - 6. The computer-implemented method of claim 1, wherein further comprising, upon creating of the identity pool and the shadow administrator account, enabling an application programming interface command to become usable by the user within the computing resource service provider to cause the managed directory service to transmit the directory token to the user.

7. A computer system, comprising:
- one or more processors; and
  
  memory having collectively stored therein instructions that, when executed by the computer system, cause the computer system to;
  
  authenticate a requestor utilizing credential information for accessing one or more services provided by a computing resource service provider;
  
  receive, from the requestor, a request to create an identity pool within a managed directory service provided by the computing resource service provider, the access to the managed directory service based at least in part on the credential information;
  
  after authenticating the requestor, create the identity pool within the managed directory service and an account usable by the requestor within the created identity pool; and
  
  enable the requestor to access the account from within the managed directory service.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The computer system of claim 7, wherein the creation of the identity pool and the account results in making an application programming interface command callable to cause requests to be transmitted to the managed directory service to obtain directory credential information for accessing the account from within the managed directory service.
  - 9. The computer system of claim 8, wherein to enable the requestor to access the account includes to:
    - transmit, through the computing resource service provider and to the managed directory service, the application programming interface command from the requestor to obtain directory credential information for accessing the account;
      
      receive the directory credential information from the managed directory service; and
      
      provide the received directory credential information to the requestor.
  - 10. The computer system of claim 7, wherein the requestor is a principal within an identity management service identity pool, the identity management service identity pool usable for managing access to the one or more services provided by the computing resource service provider.
  - 11. The computer system of claim 10, wherein the requestor can delegate access to the managed directory service to other users by defining one or more policies for the other users within the identity management service.
  - 12. The computer system of claim 7, wherein the account is usable to manage one or more resources in a directory within the managed directory service.
  - 13. The computer system of claim 12, wherein the one or more resources include one or more users of the managed directory service, one or more groups of the managed directory service, one or more policies and one or more applications in a directory within the managed directory service.

14. A non-transitory computer-readable storage medium having collectively stored thereon executable instructions that, when executed by one or more processors of a computer system, cause the computer system to at least:
- verify a requestor utilizing credential information to access one or more services provided by a computing resource service provider is authorized to access a managed directory service provided by the computing resource service provider;
  
  receive, from the requestor, a request to create an identity pool within the managed directory service;
  
  after verifying that the requestor is authorized to access the managed directory service, create the identity pool within the managed directory service and an account usable by the requestor within the created identity pool; and
  
  enable the requestor to access the account from within the managed directory service.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The non-transitory computer-readable storage medium of claim 14, wherein the creation of the identity pool and the account results in making an application programming interface command callable to cause requests to be transmitted to the managed directory service to obtain directory credential information for accessing the account from within the managed directory service.
  - 16. The non-transitory computer-readable storage medium of claim 15, wherein to enable the requestor to access the account includes to:
    - transmit, through the computing resource service provider and to the managed directory service, the application programming interface command from the requestor to obtain directory credential information for accessing the account;
      
      receive the directory credential information from the managed directory service; and
      
      provide the received directory credential information to the requestor.
  - 17. The non-transitory computer-readable storage medium of claim 14, wherein the requestor is a principal within an identity management service identity pool, the identity management service identity pool usable for managing access to the one or more services provided by the computing resource service provider.
  - 18. The non-transitory computer-readable storage medium of claim 17, wherein the requestor can delegate access to the managed directory service to other users by defining one or more policies for the other users within the identity management service.
  - 19. The non-transitory computer-readable storage medium of claim 14, wherein the account is usable to manage one or more resources within the managed directory service.
  - 20. The non-transitory computer-readable storage medium of claim 19, wherein the one or more resources include one or more users of the managed directory service, one or more groups of the managed directory service, one or more policies, and one or more applications in a directory within the managed directory service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Shah, Shon Kiran, Rao, Guruprakash Bangalore, Rizzo, Thomas Christopher, Mehta, Gaurang Pankaj

Granted Patent

US 9,736,159 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

G06F 2221/2113   Multi-level security, e.g. ...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 67/025   for remote control or remot...

IDENTITY POOL BRIDGING FOR MANAGED DIRECTORY SERVICES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

21 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

IDENTITY POOL BRIDGING FOR MANAGED DIRECTORY SERVICES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

21 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others