LDAP-based multi-tenant in-cloud identity management system

US 9,069,979 B2
Filed: 09/05/2013
Issued: 06/30/2015
Est. Priority Date: 09/07/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

storing, by a processor on a non-transitory computer-readable storage medium, in an LDAP directory having a root node, in a first directory subtree that descends from the root node, identities of entities that are associated with a first identity domain but not with a second identity domain;

storing, by a processor on a non-transitory computer-readable storage medium, in the LDAP directory, in a second directory subtree that also descends from the root node but is a separate from the first directory subtree, identities that are associated with the second identity domain but not with the first identity domain;

preventing service instances that have been deployed to the first identity domain from accessing identities that are stored in the second directory subtree; and

preventing service instances that have been deployed to the second identity domain from accessing identities that are stored in the first directory subtree.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A multi-tenant identity management (IDM) system enables IDM functions to be performed relative to various different customers'"'"' domains within a shared cloud computing environment and without replicating a separate IDM system for each separate domain. The IDM system can provide IDM functionality to service instances located within various different customers'"'"' domains while enforcing isolation between those domains. A cloud-wide identity store implemented as a single LDAP directory can contain identity information for multiple customers'"'"' domains. This single LDAP directory can store identities for entities for all tenants, in separate partitions or subtrees of the LDAP directory, each such partition or subtree being dedicated to a separate identity domain for a tenant. Components of the cloud computing environment ensure that LDAP entries within a particular subtree are accessible only to service instances that have been deployed to the identity domain that corresponds to that particular subtree.

216 Citations

20 Claims

1. A computer-implemented method comprising:
- storing, by a processor on a non-transitory computer-readable storage medium, in an LDAP directory having a root node, in a first directory subtree that descends from the root node, identities of entities that are associated with a first identity domain but not with a second identity domain;
  
  storing, by a processor on a non-transitory computer-readable storage medium, in the LDAP directory, in a second directory subtree that also descends from the root node but is a separate from the first directory subtree, identities that are associated with the second identity domain but not with the first identity domain;
  
  preventing service instances that have been deployed to the first identity domain from accessing identities that are stored in the second directory subtree; and
  
  preventing service instances that have been deployed to the second identity domain from accessing identities that are stored in the first directory subtree.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer-implemented method of claim 1, further comprising:
    - storing, in the first directory subtree, identities of user entities that are associated with the first identity domain but not with the second identity domain;
      
      storing, in the first directory subtree, identities of service instance entities that are associated with the first identity domain but not with the second identity domain;
      
      preventing the user entities from interacting directly with an LDAP server that maintains the LDAP directory; and
      
      allowing the service instance entities to interact directly with the LDAP server on behalf of the user entities.
  - 3. The computer-implemented method of claim 1, further comprising:
    - in response to a deployment of a first service instance to the first identity domain but not to the second identity domain, generating a first credential which, when inspected by an LDAP server that maintains the LDAP directory, causes the LDAP server to permit the first service instance to access identities that are stored in the first directory subtree but not identities that are stored in the second directory subtree;
      
      providing the first credential to the first service instance;
      
      in response to a deployment of a second service instance to the second identity domain but not to the first identity domain, generating a second credential which, when inspected by the LDAP server, causes the LDAP server to permit the second service instance to access identities that are stored in the second directory subtree but not identities that are stored in the first directory subtree; and
      
      providing the second credential to the second service instance.
  - 4. The computer-implemented method of claim 1, further comprising:
    - storing, in the LDAP directory, access control policies that specify various identity domains from a plurality of identity domains; and
      
      controlling access to identity domain-associated subtrees of the LDAP directory based at least in part on the access control policies.
  - 5. The computer-implemented method of claim 4, further comprising:
    - storing, in the LDAP directory, a first access control policy that specifies access restrictions that apply to the first directory subtree but not to the second directory subtree; and
      
      storing, in the LDAP directory, a second access control policy that specifies access restrictions that apply to the second directory subtree but not to the first directory subtree.
  - 6. The computer-implemented method of claim 1, further comprising:
    - generating a globally unique identifier for a first user by affixing an identifier of a first identity domain to a log in name of the first user;
      
      storing the globally unique identifier for the first user in the first directory subtree;
      
      generating a globally unique identifier for a second user by affixing an identifier of a second identity domain to a log in name of the second user; and
      
      storing the globally unique identifier for the second user in the second directory subtree.
  - 7. The computer-implemented method of claim 6, further comprising:
    - storing, in association with a first uniform resource locator (URL), a first log in web page that specifies an identifier of the first identity domain;
      
      storing, in association with a second URL that differs from the first URL, a second log in web page that specifies an identifier of the second identity domain;
      
      receiving, from a particular user, through a particular log in web page that is either the first log in web page or the second log in web page, a log in name of the particular user;
      
      reconstructing a globally unique identifier for the particular user based on both (a) the log in name of the particular user and (b) a particular identity domain identifier that is specified by the particular log in web page; and
      
      authenticating the particular user based on the globally unique identifier for the particular user.
  - 8. The computer-implemented method of claim 1, further comprising:
    - in response to a deployment of a particular service instance to the first identity domain, automatically generating a bind credential that specifies both a name of the particular service instance and a randomly generated password; and
      
      in response to the deployment of the particular service instance to the first identity domain, automatically adding, to the LDAP directory, a new access control policy that specifies that an entity having the name of the particular service instance can only access information pertaining to the identity domain to which the particular service instance is being deployed.

9. A computer-readable storage memory storing particular instructions capable of causing one or more processors to perform specified operations, the particular instructions comprising:
- instructions to store, in an LDAP directory having a root node, in a first directory subtree that descends from the root node, identities of entities that are associated with a first identity domain but not with a second identity domain;
  
  instructions to store, in the LDAP directory, in a second directory subtree that also descends from the root node but is separate from the first directory subtree, identities of entities that are associated with the second identity domain but not with the first identity domain;
  
  instructions to prevent service instances that have been deployed to the first identity domain from accessing identities that are stored in the second directory subtree; and
  
  instructions to prevent service instances that have been deployed to the second identity domain from accessing identities that are stored in the first directory subtree.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The computer-readable storage memory of claim 9, wherein the particular instructions further comprise:
    - instructions to store, in the first directory subtree, identities of user entities that are associated with the first identity domain but not with the second identity domain;
      
      instructions to store, in the first directory subtree, identities of service instance entities that are associated with the first identity domain but not with the second identity domain;
      
      instructions to prevent the user entities from interacting directly with an LDAP server that maintains the LDAP directory; and
      
      instructions to allow the service instance entities to interact directly with the LDAP server on behalf of the user entities.
  - 11. The computer-readable storage memory of claim 9, wherein the particular instructions further comprise:
    - instructions to generate, in response to a deployment of a first service instance to the first identity domain but not to the second identity domain, a first credential which, when inspected by an LDAP server that maintains the LDAP directory, causes the LDAP server to permit the first service instance to access identities that are stored in the first directory subtree but not identities that are stored in the second directory subtree;
      
      instructions to provide the first credential to the first service instance;
      
      instructions to generate, in response to a deployment of a second service instance to the second identity domain but not to the first identity domain, a second credential which, when inspected by the LDAP server, causes the LDAP server to permit the second service instance to access identities that are stored in the second directory subtree but not identities that are stored in the first directory subtree; and
      
      instructions to provide the second credential to the second service instance.
  - 12. The computer-readable storage memory of claim 9, wherein the particular instructions further comprise:
    - instructions to store, in the LDAP directory, access control policies that specify various identity domains from a plurality of identity domains; and
      
      instructions to control access to identity domain-associated subtrees of the LDAP directory based at least in part on the access control policies.
  - 13. The computer-readable storage memory of claim 12, wherein the particular instructions further comprise:
    - instructions to store, in the LDAP directory, a first access control policy that specifies access restrictions that apply to the first directory subtree but not to the second directory subtree; and
      
      instructions to store, in the LDAP directory, a second access control policy that specifies access restrictions that apply to the second directory subtree but not to the first directory subtree.
  - 14. The computer-readable storage memory of claim 9, wherein the particular instructions further comprise:
    - instructions to generate a globally unique identifier for a first user by affixing an identifier of a first identity domain to a log in name of the first user;
      
      instructions to store the globally unique identifier for the first user in the first directory subtree;
      
      instructions to generate a globally unique identifier for a second user by affixing an identifier of a second identity domain to a log in name of the second user; and
      
      instructions to store the globally unique identifier for the second user in the second directory subtree.
  - 15. The computer-readable storage memory of claim 14, wherein the particular instructions further comprise:
    - instructions to store, in association with a first uniform resource locator (URL), a first log in web page that specifies an identifier of the first identity domain;
      
      instructions to store, in association with a second URL that differs from the first URL, a second log in web page that specifies an identifier of the second identity domain;
      
      instructions to receive, from a particular user, through a particular log in web page that is either the first log in web page or the second log in web page, a log in name of the particular user;
      
      instructions to reconstruct a globally unique identifier for the particular user based on both (a) the log in name of the particular user and (b) a particular identity domain identifier that is specified by the particular log in web page; and
      
      instructions to authenticate the particular user based on the globally unique identifier for the particular user.
  - 16. The computer-readable storage memory of claim 9, wherein the particular instructions further comprise:
    - instructions to automatically generate, in response to a deployment of a particular service instance to the first identity domain, a bind credential that specifies both a name of the particular service instance and a randomly generated password; and
      
      instructions to automatically add, to the LDAP directory, in response to the deployment of the particular service instance to the first identity domain, a new access control policy that specifies that an entity having the name of the particular service instance can only access information pertaining to the identity domain to which the particular service instance is being deployed.

17. A system comprising:
- one or more processors; and
  
  a computer-readable storage memory that stores particular instructions comprising;
  
  instructions to store, in an LDAP directory having a root node, in a first directory subtree that descends from the root node, identities of entities that are associated with a first identity domain but not with a second identity domain;
  
  instructions to store, in the LDAP directory, in a second directory subtree that also descends from the root node but is separate from the first directory subtree, identities of entities that are associated with the second identity domain but not with the first identity domain;
  
  instructions to prevent service instances that have been deployed to the first identity domain from accessing identities that are stored in the second directory subtree; and
  
  instructions to prevent service instances that have been deployed to the second identity domain from accessing identities that are stored in the first directory subtree.
- View Dependent Claims (18, 19, 20)
- - 18. The system of claim 17, wherein the particular instructions further comprise:
    - instructions to generate, in response to a deployment of a first service instance to the first identity domain but not to the second identity domain, a first credential which, when inspected by an LDAP server that maintains the LDAP directory, causes the LDAP server to permit the first service instance to access identities that are stored in the first directory subtree but not identities that are stored in the second directory subtree;
      
      instructions to provide the first credential to the first service instance;
      
      instructions to generate, in response to a deployment of a second service instance to the second identity domain but not to the first identity domain, a second credential which, when inspected by the LDAP server, causes the LDAP server to permit the second service instance to access identities that are stored in the second directory subtree but not identities that are stored in the first directory subtree; and
      
      instructions to provide the second credential to the second service instance.
  - 19. The system of claim 17, wherein the particular instructions further comprise:
    - instructions to generate a globally unique identifier for a first user by affixing an identifier of a first identity domain to a log in name of the first user;
      
      instructions to store the globally unique identifier for the first user in the first directory subtree;
      
      instructions to generate a globally unique identifier for a second user by affixing an identifier of a second identity domain to a log in name of the second user;
      
      instructions to store the globally unique identifier for the second user in the second directory subtree;
      
      instructions to store, in association with a first uniform resource locator (URL), a first log in web page that specifies an identifier of the first identity domain;
      
      instructions to store, in association with a second URL that differs from the first URL, a second log in web page that specifies an identifier of the second identity domain;
      
      instructions to receive, from a particular user, through a particular log in web page that is either the first log in web page or the second log in web page, a log in name of the particular user;
      
      instructions to reconstruct a globally unique identifier for the particular user based on both (a) the log in name of the particular user and (b) a particular identity domain identifier that is specified by the particular log in web page; and
      
      instructions to authenticate the particular user based on the globally unique identifier for the particular user.
  - 20. The system of claim 17, wherein the particular instructions further comprise:
    - instructions to automatically generate, in response to a deployment of a particular service instance to the first identity domain, a bind credential that specifies both a name of the particular service instance and a randomly generated password; and
      
      instructions to automatically add, to the LDAP directory, in response to the deployment of the particular service instance to the first identity domain, a new access control policy that specifies that an entity having the name of the particular service instance can only access information pertaining to the identity domain to which the particular service instance is being deployed.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Srinivasan, Uppili, Asokkumar, Vasukiammaiyar
Primary Examiner(s)
Song, Hosuk

Application Number

US14/019,051
Publication Number

US 20140075501A1
Time in Patent Office

663 Days
Field of Search

726 1- 6, 707/705, 707/781, 707783-786, 707/797, 707/798
US Class Current

1/1
CPC Class Codes

G06F 21/62   Protecting access to data v...

H04L 61/4523   using lightweight directory...

H04L 63/08   for authentication of entit...

H04L 63/083   using passwords cryptograph...

H04L 63/104   Grouping of entities

H04L 63/20   for managing network securi...

LDAP-based multi-tenant in-cloud identity management system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

216 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

LDAP-based multi-tenant in-cloud identity management system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

216 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others