Efficient single sign-on and identity provider configuration and deployment in a database system

US 8,566,917 B2
Filed: 12/28/2010
Issued: 10/22/2013
Est. Priority Date: 03/19/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of establishing single sign-on capabilities in a multi-tenant database system, the multi-tenant database system supporting a plurality of users and a plurality of tenants, the method comprising:

maintaining a common systemwide digital certificate at the multi-tenant database system, wherein the common systemwide digital certificate is configured for use with all of the plurality of users and for all of the plurality of tenants supported by the multi-tenant database system to create single sign-on links between different tenants of the plurality of tenants;

receiving, by the multi-tenant database system, a first instruction to create, for a first user of the multi-tenant database system, a first single sign-on link between a first organization of the multi-tenant database system and a second organization of the multi-tenant database system, the first instruction identifying credential information for authenticating the first user to the second organization;

in response to receiving the first instruction, using the common systemwide digital certificate to cause the multi-tenant database system to create the first single sign-on link for the first user;

receiving, by the multi-tenant database system, a second instruction to create, for a second user of the multi-tenant database system, a second single sign-on link between a third organization of the multi-tenant database system and a fourth organization of the multi-tenant database system, the second instruction identifying credential information for authenticating the second user to the fourth organization; and

in response to receiving the second instruction, using the common systemwide digital certificate to cause the multi-tenant database system to create the second single sign-on link for the second user;

wherein the first and second single sign-on links are created without processing a user-assigned digital certificate.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Various techniques and procedures related to user authentication, identity providers, and single sign-on (SSO) are presented here. One approach creates an SSO link between two organizations in a streamlined manner using an internal cross-user systemwide digital certificate, and without processing any user-created, user-uploaded, or user-assigned digital certificates. Another approach presented here configures an identity provider service for an entity or organization by processing a single user command. The identity provider service is automatically configured in the background without processing any additional user commands, user instructions, or user-entered data.

141 Citations

17 Claims

1. A computer-implemented method of establishing single sign-on capabilities in a multi-tenant database system, the multi-tenant database system supporting a plurality of users and a plurality of tenants, the method comprising:
- maintaining a common systemwide digital certificate at the multi-tenant database system, wherein the common systemwide digital certificate is configured for use with all of the plurality of users and for all of the plurality of tenants supported by the multi-tenant database system to create single sign-on links between different tenants of the plurality of tenants;
  
  receiving, by the multi-tenant database system, a first instruction to create, for a first user of the multi-tenant database system, a first single sign-on link between a first organization of the multi-tenant database system and a second organization of the multi-tenant database system, the first instruction identifying credential information for authenticating the first user to the second organization;
  
  in response to receiving the first instruction, using the common systemwide digital certificate to cause the multi-tenant database system to create the first single sign-on link for the first user;
  
  receiving, by the multi-tenant database system, a second instruction to create, for a second user of the multi-tenant database system, a second single sign-on link between a third organization of the multi-tenant database system and a fourth organization of the multi-tenant database system, the second instruction identifying credential information for authenticating the second user to the fourth organization; and
  
  in response to receiving the second instruction, using the common systemwide digital certificate to cause the multi-tenant database system to create the second single sign-on link for the second user;
  
  wherein the first and second single sign-on links are created without processing a user-assigned digital certificate.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, further comprising authenticating the first user to the first organization, wherein receiving the first instruction occurs after authenticating the first user to the first organization and while the first user is an authenticated user of the first organization.
  - 3. The method of claim 1, wherein the multi-tenant database system creates the first single sign-on link in response to receiving the first instruction and without processing any additional user commands, user instructions, or user-entered data.
  - 4. The method of claim 1, wherein the first single sign-on link for the user is bidirectional between the first organization and the second organization.
  - 5. The method of claim 1, further comprising:
    - associating the common systemwide digital certificate with the first user and the first single sign-on link; and
      
      configuring the first single sign-on link such that the common systemwide digital certificate is provided with single sign-on assertions for the first user between the first organization and the second organization.
  - 6. The method of claim 1, further comprising:
    - after creating the first single sign-on link, obtaining a user command to navigate from an authenticated state in the first organization to the second organization;
      
      in response to the user command, generating a Security Assertion Markup Language (SAML) assertion on behalf of the first user, using the first single sign-on link;
      
      retrieving the systemwide digital certificate; and
      
      including the systemwide digital certificate with the SAML assertion.

7. A single sign-on method for a computer-implemented multi-tenant database system that supports a plurality of users and a plurality of organizations, the method comprising:
- authenticating, by a processor of the database system, a first user to a first organization supported by the database system;
  
  thereafter, receiving, at the database system, credential information for authenticating the first user to a second organization supported by the database system;
  
  obtaining at the database system a first user instruction to link, for the first user, the first organization to the second organization;
  
  in response to receiving the first user instruction, and without requiring a user-assigned digital certificate, creating, by the processor of the database system, a first single sign-on link for the user between the first organization and the second organization, wherein the first single sign-on link is created using a common systemwide digital certificate that applies to all of the plurality of users and to all of the plurality of organizations supported by the database system to create single sign-on links between different organizations of the database system;
  
  authenticating, by the processor of the database system, a second user to a third organization supported by the database system;
  
  thereafter, receiving, at the database system, credential information for authenticating the second user to a fourth organization supported by the database system;
  
  obtaining at the database system a second user instruction to link, for the second user, the third organization to the fourth organization;
  
  in response to receiving the second user instruction, and without requiring a user-assigned digital certificate, creating, by the processor of the database system, a second single sign-on link for the second user between the third organization and the fourth organization, wherein the second single sign-on link is created using the common systemwide digital certificate.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The method of claim 7, wherein the first single sign-on link is bidirectional between the first organization and the second organization.
  - 9. The method of claim 7, wherein creating the first single sign-on link is initiated by the first user instruction and in the absence of any additional user commands or user-entered data.
  - 10. The method of claim 7, further comprising validating the credential information for authenticating the first user to the second organization, wherein creating the first single sign-on link is performed in response to the validating.
  - 11. The method of claim 7, further comprising:
    - after creating the first single sign-on link, obtaining a user command to navigate from an authenticated state in the first organization to the second organization; and
      
      in response to the user command, generating a single sign-on assertion for the second organization using the first single sign-on link.
  - 12. The method of claim 11, wherein generating the single sign-on assertion comprises issuing a Security Assertion Markup Language (SAML) assertion on behalf of the first user.
  - 13. The method of claim 12, wherein the SAML assertion contains the common systemwide digital certificate.

14. A computer-implemented multi-tenant database system comprising a processor and a memory, wherein the database system supports a plurality of users and a plurality of organizations, and wherein the memory comprises computer-executable instructions that, when executed by the processor, cause the computer system to:
- authenticate a user for access to a first organization supported by the database system;
  
  receive a first instruction to create a first single sign-on link for the user between the first organization and a second organization supported by the database system, wherein the first instruction is issued while the user is an authenticated user of the first organization, and wherein the first instruction includes or identifies credential information for authenticating the user to the second organization;
  
  in response to receiving the first instruction, create the first single sign-on link using an internal systemwide digital certificate that is configured for common use with all of the plurality of users supported by the database system and with all of the plurality of organizations supported by the database system, and without processing any user-created, user-uploaded, or user-assigned digital certificates;
  
  receive a second instruction to create a second single sign-on link for the user between the first organization and a third organization supported by the database system, wherein the second instruction is issued while the user remains an authenticated user of the first organization, and wherein the second instruction includes or identifies credential information for authenticating the user to the third organization; and
  
  in response to receiving the second instruction, create the second single sign-on link using the internal systemwide digital certificate, and without processing any user-created, user-uploaded, or user-assigned digital certificates.
- View Dependent Claims (15, 16, 17)
- - 15. The computer-implemented multi-tenant database system of claim 14, wherein the computer-executable instructions cause the computer-implemented multi-tenant database system to create a bidirectional single sign-on link between the first organization and the second organization.
  - 16. The computer-implemented multi-tenant database system of claim 14, wherein the computer-executable instructions cause the computer-implemented multi-tenant database system to validate the credential information for authenticating the user to the second organization, wherein creating the first single sign-on link is performed after the validating.
  - 17. The computer-implemented multi-tenant database system of claim 14, wherein the computer-executable instructions cause the computer-implemented multi-tenant database system to:
    - associate the internal systemwide digital certificate with the user and the first single sign-on link; and
      
      configure the first single sign-on link such that the internal systemwide digital certificate is provided with single sign-on assertions for the user between the first organization and the second organization.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Salesforce.com, Inc.
Original Assignee
Salesforce.com, Inc.
Inventors
Vangpat, Alan, Chabbewal, Harsimranjit
Primary Examiner(s)
Kim, Jung
Assistant Examiner(s)
PARSONS, THEODORE C

Application Number

US12/979,557
Publication Number

US 20110231919A1
Time in Patent Office

1,029 Days
Field of Search

726/8
US Class Current

726/8
CPC Class Codes

G06F 21/31   User authentication

G06F 21/41   where a single sign-on prov...

H04L 63/0815   providing single-sign-on or...

Efficient single sign-on and identity provider configuration and deployment in a database system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

141 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Efficient single sign-on and identity provider configuration and deployment in a database system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

141 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links