Secure machine enrollment in multi-tenant subscription environment
First Claim
1. A method for securely enrolling a machine in a multi-tenant environment, comprising:
receiving a request at a multi-tenant environment from a machine to access a resource of a tenant in the multi-tenant environment that includes a token, wherein the token was previously issued to the machine by the tenant upon authentication by the tenant based on the tenant's own authentication mechanism;
retrieving a trust relationship previously established between the multi-tenant environment with an authentication service of the tenant;
determining the token is valid using the retrieved trust relationship;
determining the machine is authorized by the tenant to access the resource of the tenant using the token and the trust relationship; and
authorizing access to the resource upon determining the machine is authenticated by the tenant.
2 Assignments
0 Petitions
Abstract
In a multi-tenant environment, machines across the Internet that belong to a particular subscription are securely enrolled with the tenant's subscription. Authentication of the machines is delegated to each tenant's own on-premise authentication mechanism. The trust relationship with the tenant's authentication service is used to validate the security token presented by the machine being authenticated. Once authenticated, the machine holds a credential (e.g. an SSL machine certificate for identity, a security token) that authorizes it to access the subscription. Each tenant within the multi-tenant environment can provide its own level of authentication. The machine presents the security token to the multi-tenant environment with requests for resources (e.g. services or content) made on behalf of a user. When a request is received from a machine to access a resource, the multi-tenant environment determines from the issued token whether or not the machine is authorized to access the requested resources.
27 Citations
20 Claims
1. A method for securely enrolling a machine in a multi-tenant environment (independent claim; text as given under First Claim above). Dependent claims: 2-9.
10. A computer-readable device, having computer-executable instructions for excluding a machine from a multi-tenant environment, comprising:
receiving login information from a user of the machine;
granting the user access to a multi-tenant cloud-based service;
receiving a request at the multi-tenant cloud-based service from the machine to access a resource of the tenant in a multi-tenant environment, wherein the request includes a token;
retrieving a trust relationship previously established between the multi-tenant cloud-based service with an authentication service of the tenant;
determining the machine is not authorized by the tenant to access the resource of the tenant by using the retrieved trust relationship to determine the token was not issued to the machine from the tenant based on the tenant's own authentication mechanism; and
denying access to the resource upon determining the machine to not be authenticated by the tenant.
Dependent claims: 11-16.
17. A system for securely enrolling a machine in a multi-tenant environment, comprising:
a network connection that is coupled to tenants of the multi-tenant environment;
a processor and a computer-readable medium;
an operating environment stored on the computer-readable medium and executing on the processor; and
an authentication manager operating under the control of the operating environment and operative to:
receive a request from a machine external to the multi-tenant environment to access a resource of a tenant, wherein the request includes a token previously issued to the machine by the tenant upon authentication by the tenant based on the tenant's own authentication mechanism;
retrieve a trust relationship previously established between the multi-tenant environment with an authentication service of the tenant;
determine the machine is authorized by the tenant to access the resource of the tenant using the retrieved trust relationship to determine the token was issued to the machine from the tenant that authorizes the machine to access the resource; and
authorize access to the resource upon determining the machine is authenticated by the tenant.
Dependent claims: 18-20.
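The following is an added worked example, not code from the patent or from any product it covers. It models the flow described in the abstract and in independent claims 1, 10 and 17: a tenant's own authentication service issues a token to a machine it has authenticated; the multi-tenant environment later receives a request carrying that token, retrieves the trust relationship it holds for the tenant that owns the requested resource, validates the token against that relationship, checks that the tenant authorized this machine for this resource, and grants or denies access (the denial path is the exclusion case of claim 10). Everything concrete here is an assumption: tokens are HMAC-SHA256-signed JSON payloads, the trust relationship is represented by a per-tenant verification key shared with that tenant's authentication service, and the tenant, machine and resource names are constructed sample data.

```python
"""Added example: per-tenant trust relationships used to validate machine
tokens in a multi-tenant service. Not the patent's own code; token format,
key model and sample names are assumptions made for this illustration."""
import base64
import hashlib
import hmac
import json


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(tenant_key: bytes, tenant_id: str, machine_id: str,
                resources: list, issued_at: int, ttl: int = 3600) -> str:
    """Run by the tenant's OWN authentication service, after it has
    authenticated the machine with whatever mechanism the tenant uses.
    The multi-tenant environment never sees that mechanism, only the token."""
    payload = {
        "iss": tenant_id,            # issuing tenant
        "sub": machine_id,           # the enrolled machine the token was issued to
        "aud": "multi-tenant-env",   # intended consumer of the token
        "scope": sorted(resources),  # resources the tenant authorizes for it
        "exp": issued_at + ttl,      # absolute expiry (seconds since epoch)
    }
    body = _b64u(json.dumps(payload, sort_keys=True).encode())
    sig = hmac.new(tenant_key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64u(sig)}"


class MultiTenantEnvironment:
    AUDIENCE = "multi-tenant-env"

    def __init__(self, trust_relationships: dict):
        # tenant id -> verification key agreed with that tenant's auth service
        # (assumed stand-in for the patent's "trust relationship")
        self.trust = trust_relationships

    def authorize(self, tenant_id: str, resource: str, machine_id: str,
                  token: str, now: int) -> tuple:
        """Returns (granted, reason).

        The trust relationship is selected by the tenant that OWNS the
        requested resource, never by the 'iss' claim inside the still
        unverified token. A token signed by tenant B therefore fails for
        tenant A's resource even if its payload claims iss=tenant-a."""
        key = self.trust.get(tenant_id)
        if key is None:
            return False, "no trust relationship with tenant"
        try:
            body, sig = token.split(".", 1)
            expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
            # constant-time comparison; a mismatch means the token was not
            # issued by this tenant's authentication service (claim 10 path)
            if not hmac.compare_digest(expected, _unb64u(sig)):
                return False, "token not issued by tenant"
            claims = json.loads(_unb64u(body))
        except (ValueError, json.JSONDecodeError):
            return False, "malformed token"
        if claims.get("iss") != tenant_id or claims.get("aud") != self.AUDIENCE:
            return False, "issuer/audience mismatch"
        # Binding to the requesting machine: here a machine id in the request
        # is matched against 'sub'; in practice this would come from an
        # authenticated channel such as the machine certificate the abstract mentions.
        if claims.get("sub") != machine_id:
            return False, "token not issued to this machine"
        if now >= claims.get("exp", 0):
            return False, "token expired"
        if resource not in claims.get("scope", []):
            return False, "tenant did not authorize this resource"
        return True, "ok"


# Constructed sample data: two tenants, each with its own key, and one
# fixed clock value so the outcome is deterministic.
TRUST = {"tenant-a": b"tenant-a-example-key", "tenant-b": b"tenant-b-example-key"}
ENV = MultiTenantEnvironment(TRUST)
NOW = 1_700_000_000
TOKEN_A = issue_token(TRUST["tenant-a"], "tenant-a", "host-01", ["reports"], NOW)
TOKEN_B = issue_token(TRUST["tenant-b"], "tenant-b", "host-01", ["reports"], NOW)
# signed with tenant B's key but claiming to come from tenant A
FORGED = issue_token(TRUST["tenant-b"], "tenant-a", "host-01", ["reports"], NOW)


def demo() -> dict:
    """Exercise the grant path and each of the deny paths."""
    return {
        "valid": ENV.authorize("tenant-a", "reports", "host-01", TOKEN_A, NOW),
        "cross_tenant": ENV.authorize("tenant-a", "reports", "host-01", TOKEN_B, NOW),
        "forged_issuer": ENV.authorize("tenant-a", "reports", "host-01", FORGED, NOW),
        "wrong_machine": ENV.authorize("tenant-a", "reports", "host-02", TOKEN_A, NOW),
        "out_of_scope": ENV.authorize("tenant-a", "billing", "host-01", TOKEN_A, NOW),
        "expired": ENV.authorize("tenant-a", "reports", "host-01", TOKEN_A, NOW + 3600),
        "unknown_tenant": ENV.authorize("tenant-c", "reports", "host-01", TOKEN_A, NOW),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:15s} {result}")
```

The check that matters most is the order of operations: the environment looks up the trust relationship for the resource's tenant first and only then examines the token, so no field of an unverified token ever influences which key is used. Everything the tenant's authentication mechanism did (domain join, Kerberos, certificate issuance) stays on the tenant side; the multi-tenant environment needs only the trust relationship and the token.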
Specification