Single sign-on in multi-tenant environments
First Claim
1. A computer-implemented method for authenticating a user in a hosted, multi-tenant computing environment, comprising:
- receiving a request for access to a first resource from a user, wherein the user has an account with a first plurality of tenants in the multi-tenant computing environment;
- identifying a first tenant associated with the first request, wherein the first tenant is in the first plurality of tenants;
- obtaining an authentication policy of the first tenant;
- using an authentication mechanism associated with the authentication policy of the first tenant to authenticate the user;
- upon authenticating the user, providing a first security token for enabling access to the first resource by the user, wherein the first tenant provides access to the first resource;
- storing a representation of authenticating the user with respect to the first tenant;
- receiving a second request from the user for a second resource, wherein a second tenant provides access to the second resource, wherein the second tenant belongs to the first plurality of tenants, wherein the second tenant is different from the first tenant, and wherein the second tenant has an authentication policy that is different from the authentication policy of the first tenant;
- subsequent to receiving the second request from the user for the second resource from the second tenant, automatically detecting, by computer, that the user has been previously authenticated with respect to the first tenant by accessing the stored representation of the authentication of the user with respect to the first tenant;
- using the detected previous authentication of the user with respect to the first tenant to authenticate the user with respect to the authentication policy of the second tenant; and
- upon authenticating the user with respect to the authentication policy of the second tenant, providing, by the computer, a second security token for enabling access to the second resource by the user without requiring additional authentication credentials from the user.
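As an added illustration of the procedure claimed above (not code from the patent or its assignee), the following Python model keeps a per-tenant authentication policy, stores a record of each primary authentication, and reuses a stored authentication for a second tenant only when it is fresh enough and strong enough for that tenant's policy, otherwise signalling that the user must authenticate again. Tenant names, policy fields, the signing key and all function names are constructed assumptions.

```python
# Added illustration (not the patent's code): per-tenant policies, a store of
# prior authentications, and reuse of a prior authentication for a second
# tenant only when it satisfies that tenant's policy. All names are assumptions.
import hashlib
import hmac
import json
from typing import Optional

# Constructed tenant policies: required authenticator types and max auth age (s).
POLICIES = {
    "tenant-a": {"methods": {"password"}, "max_age": 3600},
    "tenant-b": {"methods": {"password", "otp"}, "max_age": 900},
}
SIGNING_KEY = b"constructed-demo-key"  # placeholder, not a real secret
_auth_store = {}  # user -> list of stored authentication records


def _issue_token(user: str, tenant: str, now: float) -> str:
    """Security token bound to the user and to the tenant (audience), HMAC-signed."""
    body = json.dumps({"sub": user, "aud": tenant, "iat": now}, sort_keys=True)
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig


def authenticate(user: str, tenant: str, methods_used: set, now: float) -> str:
    """Primary authentication against the tenant's own policy; stores a record."""
    policy = POLICIES[tenant]
    if not policy["methods"] <= methods_used:
        raise PermissionError(f"{tenant} requires {sorted(policy['methods'])}")
    _auth_store.setdefault(user, []).append(
        {"tenant": tenant, "methods": set(methods_used), "at": now})
    return _issue_token(user, tenant, now)


def request_resource(user: str, tenant: str, now: float) -> Optional[str]:
    """Issue a token for `tenant` without new credentials if some stored
    authentication meets this tenant's policy; None means step-up is needed."""
    policy = POLICIES[tenant]
    for rec in _auth_store.get(user, []):
        fresh = now - rec["at"] <= policy["max_age"]
        strong_enough = policy["methods"] <= rec["methods"]
        if fresh and strong_enough:
            return _issue_token(user, tenant, now)
    return None  # prior authentication absent, stale, or too weak for this tenant
```

The second tenant's token is minted with its own audience rather than by forwarding the first token, and a password-only login never unlocks a tenant whose policy demands a second factor.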
Abstract
The disclosed embodiments provide a system that authenticates a user. During operation, the system identifies a first tenant associated with a first request for a first resource from the user and obtains an authentication policy for the first tenant. Next, the system uses an authentication mechanism associated with the authentication policy to authenticate the user. Upon authenticating the user, the system provides a first security token for enabling access to the first resource by the user.
25 Claims
Claim 1 is reproduced above under "First Claim"; dependent claims 2 to 8 are not shown.

9. A system for authenticating a user in a hosted, multi-tenant computing environment, comprising:
- an identity provider and an authentication service, wherein the identity provider and the authentication service are configured to:
- receive a request for access to a first resource from a user, wherein the user has an account with a first plurality of tenants in the multi-tenant computing environment;
- identify a first tenant associated with the first request, wherein the first tenant is in the first plurality of tenants; and
- obtain an authentication policy of the first tenant;
- use an authentication mechanism associated with the authentication policy of the first tenant to authenticate the user;
- upon authenticating the user, provide a first security token for enabling access to the first resource by the user, wherein the first tenant provides access to the first resource;
- store a representation of authenticating the user with respect to the first tenant;
- receive a second request from the user for a second resource, wherein a second tenant provides access to the second resource, wherein the second tenant belongs to the first plurality of tenants, wherein the second tenant is different from the first tenant, and wherein the second tenant has an authentication policy that is different from the authentication policy of the first tenant;
- subsequent to receiving the second request from the user for the second resource from the second tenant, automatically detect that the user has been previously authenticated with respect to the first tenant by accessing the stored representation of the authentication of the user with respect to the first tenant;
- use the detected previous authentication of the user with respect to the first tenant to authenticate the user with respect to the authentication policy of the second tenant; and
- upon authenticating the user with respect to the authentication policy of the second tenant, provide a second security token for enabling access to the second resource by the user without requiring additional authentication credentials from the user.

Dependent claims 10 to 17 are not shown.

18. A non-transitory computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method for authenticating a user in a hosted, multi-tenant computing environment, the method comprising:
- receiving a request for access to a first resource from a user, wherein the user has an account with a first plurality of tenants in the multi-tenant computing environment;
- identifying a first tenant associated with the first request, wherein the first tenant is in the first plurality of tenants;
- obtaining an authentication policy for the first tenant;
- using an authentication mechanism associated with the authentication policy of the first tenant to authenticate the user;
- upon authenticating the user, providing a first security token for enabling access to the first resource by the user, wherein the first tenant provides access to the first resource;
- storing a representation of authenticating the user with respect to the first tenant;
- receiving a second request from the user for a second resource, wherein a second tenant provides access to the second resource, wherein the second tenant belongs to the first plurality of tenants, wherein the second tenant is different from the first tenant, and wherein the second tenant has an authentication policy that is different from the authentication policy of the first tenant;
- subsequent to receiving the second request from the user for the second resource from the second tenant, automatically detecting, by computer, that the user has been previously authenticated with respect to the first tenant by accessing the stored representation of the authentication of the user with respect to the first tenant;
- using the detected previous authentication of the user with respect to the first tenant to authenticate the user with respect to the authentication policy of the second tenant; and
- upon authenticating the user with respect to the authentication policy of the second tenant, providing, by the computer, a second security token for enabling access to the second resource by the user without requiring additional authentication credentials from the user.

Dependent claims 19 to 25 are not shown.