SINGLE SIGN-ON IDENTITY MANAGEMENT BETWEEN LOCAL AND REMOTE SYSTEMS

US 20170142094A1
Filed: 11/12/2015
Published: 05/18/2017
Est. Priority Date: 11/12/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for providing single sign-on to remote or cloud-based computing resources, comprising:

requesting, via a local network computer, access to a cloud-based resource;

passing a request from the local network computer to a local directory services system for a service ticket associated with a cloud-based directory services system through which access may be granted to the cloud-based resource;

passing the service ticket associated with the cloud-based directory services system from the local network computer to the cloud-based directory services system for validating a requesting user associated with the requesting local network computer for access to the requested cloud-based resource;

receiving from the cloud-based directory services system validation of the service ticket by the cloud-based directory services system for authenticating the requesting user for access to the requested cloud-based resource; and

receiving at the requesting local network computer authorization to access the requested cloud-based resource.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Single sign-on identity management between local and cloud-based systems is provided. A remote or cloud-based authentication endpoint is registered as a local device, service or resource in a user'"'"'s local directory services system. A local device and associated user requesting access to cloud-based resources will then see the authentication endpoint as an internal (inside the enterprise) server and may supply an authentication ticket which includes on-premises log-in or sign-on identity for the user. The remote or cloud-based authentication endpoint may then validate the authentication ticket, and the user may then access devices, applications and services operated in association with the remote or cloud-based authentication endpoint without a second or separate log-in or sign-on and without use of additional authentication equipment at the user'"'"'s enterprise network.

98 Citations

View as Search Results

20 Claims

1. A computer-implemented method for providing single sign-on to remote or cloud-based computing resources, comprising:
- requesting, via a local network computer, access to a cloud-based resource;
  
  passing a request from the local network computer to a local directory services system for a service ticket associated with a cloud-based directory services system through which access may be granted to the cloud-based resource;
  
  passing the service ticket associated with the cloud-based directory services system from the local network computer to the cloud-based directory services system for validating a requesting user associated with the requesting local network computer for access to the requested cloud-based resource;
  
  receiving from the cloud-based directory services system validation of the service ticket by the cloud-based directory services system for authenticating the requesting user for access to the requested cloud-based resource; and
  
  receiving at the requesting local network computer authorization to access the requested cloud-based resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The computer-implemented method of claim 1, wherein receiving from the cloud-based directory services system validation of the service ticket by the cloud-based directory services system further comprises receiving identification information and authorization information for the requesting user for receiving authorization to access the requested cloud-based resource.
  - 3. The computer-implemented method of claim 1, prior to passing the request from the local network computer to a local directory services system for a service ticket associated with the cloud-based directory services system, receiving an authentication error from the cloud-based directory services system.
  - 4. The computer-implemented method of claim 1, prior to receiving a request, via a local network computer, for access to a cloud-based resource, receiving a sign-on at the local network computer.
  - 5. The computer-implemented method of claim 1, wherein passing the request to a cloud-based directory services system includes passing the request to the cloud-based directory services system based on the designation of the cloud-based directory services system as a local device, service or resource accessible by the requesting local network computer via the local network.
  - 6. The computer-implemented method of claim 5, wherein passing the request to the cloud-based directory services system includes passing the request to a cloud-based authentication endpoint.
  - 7. The computer-implemented method of claim 6, wherein passing the service ticket to the cloud-based directory services system includes passing the service ticket to the cloud-based authentication endpoint.
  - 8. The computer-implemented method of claim 7, prior to receiving a request, via the local network computer, for access to a cloud-based resource, creating a computer identification object for the cloud-based authentication endpoint in the local directory services system.
  - 9. The computer-implemented method of claim 8, prior to passing the service ticket to the cloud-based authentication endpoint, registering the cloud-based authentication endpoint with the local directory services system as a local device, service or resource for allowing the service ticket to be passed to the cloud-based authentication endpoint as a local endpoint.
  - 10. The computer-implemented method of claim 9, further comprising creating a unique identifier for the cloud-based authentication endpoint for associating the cloud-based authentication endpoint with the local directory services system for linking the local directory services system and an associated local device, service or resource with the cloud-based authentication endpoint.
  - 11. The computer-implemented method of claim 9, prior to registering the cloud-based authentication endpoint with the local directory services system as a local device, service or resource for allowing the service ticket to be passed to the cloud-based authentication endpoint as a local endpoint, further comprising sending installation data for the cloud-based authentication endpoint from the local directory services system to the cloud-based directory services system for use in linking the cloud-based authentication endpoint with the local directory services system.
  - 12. The computer-implemented method of claim 8, wherein creating a computer identification object for the cloud-based authentication endpoint in the local directory services system includes:
    - creating the computer identification object in the local directory services system wherein the computer identification object represents the cloud-based authentication endpoint;
      
      linking the computer identification object to the cloud-based authentication endpoint via a password or other secret data item; and
      
      utilizing the linking for creating the service ticket that is passed to the cloud-based authentication endpoint for validation of the service ticket by the cloud-based endpoint for authenticating access by the requesting user via the local network computer to the requested cloud-based resource in response to a single sign-on attempt to the requested cloud-based resource.
  - 13. The computer-implemented method of claim 10, wherein creating a unique identifier for associating the cloud-based authentication endpoint with the local directory services system includes creating a service principal name (SPN) for the cloud-based authentication endpoint.
  - 14. The computer-implemented method of claim 9, wherein registering the cloud-based authentication endpoint with the local directory services system as a local device, service or resource includes registering the cloud-based authentication endpoint with a plurality of local directory services systems as a local device, service or resource in each of the plurality of local directory services systems for allowing a service ticket to be passed from each of the plurality of local directory services systems to the cloud-based authentication endpoint for authenticating a local network computer associated with each of the plurality of local directory network services systems against the cloud-based authentication endpoint.
  - 15. The computer-implemented method of claim 14, wherein each of the plurality of local directory services systems is associated with a different computing tenant.

16. A computer-implemented method for providing single sign-on to cloud-based computing resources, comprising:
- registering a cloud-based authentication endpoint as an intranet addressed system for allowing access to the cloud-based authentication endpoint from an intranet device requesting access to a cloud-based resource;
  
  receiving at the cloud-based authentication endpoint a request from the intranet device for access to the cloud-based resource;
  
  returning an authentication error code indicating the request cannot be authenticated;
  
  in response to the authentication error code, receiving at the cloud-based authentication endpoint a service ticket from a local directory services system associated with the intranet device; and
  
  at the cloud-based authentication endpoint, validating the received service ticket and authenticating a requesting user associated with the requesting intranet device for access to the cloud-based resource.
- View Dependent Claims (17, 18)
- - 17. The computer-implemented method of claim 16, wherein authenticating a user associated with the requesting intranet device for access to the cloud-based resource includes generating authorization information for the requesting user for providing authorization to access the requested cloud-based resource by the requesting user.
  - 18. The computer-implemented method of claim 16, wherein registering a cloud-based authentication endpoint as an intranet addressed system for allowing access to the cloud-based authentication endpoint from an intranet device requesting access to a cloud-based resource includes linking the cloud-based authentication endpoint with the local directory services system for allowing the cloud-based authentication endpoint to receive the service ticket from the local directory services system associated with the intranet device.

19. A system for providing single sign-on to remote computing resources, comprising:
- one or more computer processors;
  
  a memory operatively associated with the one or more processors; and
  
  a single sign-on installation tool operative to;
  
  create a computer identification object for a remote authentication endpoint against which authentication may be made to or for a local network computer requiring access one or more remote resources;
  
  create a unique identifier for the remote authentication endpoint in association with a local directory services system for linking the remote authentication endpoint with the local network computer in association with the local directory services system in which the local network computer operates;
  
  designate the remote authentication endpoint as a local addressed system accessible by the local network computer via the local directory services system;
  
  the local directory services system associated with the local network computer operative to generate and send an authentication service ticket to the remote authentication endpoint for authenticating access by a requesting user via the local network computer to the one or more remote resources in response to a single sign-on attempt to the one or more remote resources.
- View Dependent Claims (20)
- - 20. The system of claim 19, the single sign-on installation tool being further operative to send installation data for the remote authentication endpoint from the local directory services system to a remote directory services system for use in linking the remote authentication endpoint with the local directory services system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Doitch, Edan, Yong, Shiung-Vei, Rouskov, Yordan Ivanov, Angelov, Yavor V., Adams, Ross Peter, Bibliowicz, Arieh, Romach, Hagar

Granted Patent

US 10,749,854 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/41   where a single sign-on prov...

G06F 21/6218   to a system of files or obj...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/0884   by delegation of authentica...

H04L 63/102   Entity profiles

H04L 9/3213   using tickets or tokens, e....

H04W 12/06   Authentication

SINGLE SIGN-ON IDENTITY MANAGEMENT BETWEEN LOCAL AND REMOTE SYSTEMS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

98 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

SINGLE SIGN-ON IDENTITY MANAGEMENT BETWEEN LOCAL AND REMOTE SYSTEMS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

98 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others