Single sign-on in multi-tenant environments

US 9,369,456 B2
Filed: 09/21/2012
Issued: 06/14/2016
Est. Priority Date: 09/21/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for authenticating a user in a hosted, multi-tenant computing environment, comprising:

receiving a request for access to a first resource from a user, wherein the user has an account with a first plurality of tenants in the multi-tenant computing environment;

identifying a first tenant associated with the first request, wherein the first tenant is in the first plurality of tenants;

obtaining an authentication policy of the first tenant;

using an authentication mechanism associated with the authentication policy of the first tenant to authenticate the user;

upon authenticating the user, providing a first security token for enabling access to the first resource by the user, wherein the first tenant provides access to the first resource;

storing a representation of authenticating the user with respect to the first tenant;

receiving a second request from the user for a second resource, wherein a second tenant provides access to the second resource, wherein the second tenant belongs to the first plurality of tenants, wherein the second tenant is different from the first tenant, and wherein the second tenant has an authentication policy that is different from the authentication policy of the first tenant;

subsequent to receiving the second request from the user for the second resource from the second tenant, automatically detecting, by computer, that the user has been previously authenticated with respect to the first tenant by accessing the stored representation of the authentication of the user with respect to the first tenant;

using the detected previous authentication of the user with respect to the first tenant to authenticate the user with respect to the authentication policy of the second tenant; and

upon authenticating the user with respect to the authentication policy of the second tenant, providing, by the computer, a second security token for enabling access to the second resource by the user without requiring additional authentication credentials from the user.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosed embodiments provide a system that authenticates a user. During operation, the system identifies a first tenant associated with a first request for a first resource from the user and obtains an authentication policy for the first tenant. Next, the system uses an authentication mechanism associated with the authentication policy to authenticate the user. Upon authenticating the user, the system provides a first security token for enabling access to the first resource by the user.

17 Citations

View as Search Results

25 Claims

1. A computer-implemented method for authenticating a user in a hosted, multi-tenant computing environment, comprising:
- receiving a request for access to a first resource from a user, wherein the user has an account with a first plurality of tenants in the multi-tenant computing environment;
  
  identifying a first tenant associated with the first request, wherein the first tenant is in the first plurality of tenants;
  
  obtaining an authentication policy of the first tenant;
  
  using an authentication mechanism associated with the authentication policy of the first tenant to authenticate the user;
  
  upon authenticating the user, providing a first security token for enabling access to the first resource by the user, wherein the first tenant provides access to the first resource;
  
  storing a representation of authenticating the user with respect to the first tenant;
  
  receiving a second request from the user for a second resource, wherein a second tenant provides access to the second resource, wherein the second tenant belongs to the first plurality of tenants, wherein the second tenant is different from the first tenant, and wherein the second tenant has an authentication policy that is different from the authentication policy of the first tenant;
  
  subsequent to receiving the second request from the user for the second resource from the second tenant, automatically detecting, by computer, that the user has been previously authenticated with respect to the first tenant by accessing the stored representation of the authentication of the user with respect to the first tenant;
  
  using the detected previous authentication of the user with respect to the first tenant to authenticate the user with respect to the authentication policy of the second tenant; and
  
  upon authenticating the user with respect to the authentication policy of the second tenant, providing, by the computer, a second security token for enabling access to the second resource by the user without requiring additional authentication credentials from the user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer-implemented method of claim 1, wherein the authentication policy comprises at least one of a policy name, the authentication mechanism, and location information for authentication credentials associated with the authentication mechanism.
  - 3. The computer-implemented method of claim 2, wherein using the authentication mechanism associated with the authentication policy to authenticate the user involves:
    - using the authentication mechanism to obtain one or more user-provided authentication credentials from the user;
      
      using the location information to obtain the authentication credentials; and
      
      comparing the user-provided authentication credentials with the authentication credentials.
  - 4. The computer-implemented method of claim 2, wherein the location information comprises at least one of a repository, a configuration of the repository, and a mechanism for accessing the repository.
  - 5. The computer-implemented method of claim 1, wherein the first tenant is identified using a tenant identifier associated with the first request.
  - 6. The computer-implemented method of claim 1, further comprising:
    - building a first security context using the first security token to enable access to the first resource; and
      
      storing a representation of the authentication of the user.
  - 7. The computer-implemented method of claim 6, wherein detecting the previous authentication of the user with the first tenant involves obtaining the stored representation of the previous authentication, and wherein the stored representation comprises a cookie in a browser of the user.
  - 8. The computer-implemented method of claim 7, wherein each of the first and second tenants is associated with at least one of a software offering, a group of users, a set of resources, a group of tools, and a group of portals.

9. A system for authenticating a user in a hosted, multi-tenant computing environment, comprising:
- an identity provider and an authentication service,wherein the identity provider and the authentication service are configured to;
  
  receive a request for access to a first resource from a user, wherein the user has an account with a first plurality of tenants in the multi-tenant computing environment;
  
  identify a first tenant associated with the first request, wherein the first tenant is in the first plurality of tenants; and
  
  obtain an authentication policy of the first tenant;
  
  use an authentication mechanism associated with the authentication policy of the first tenant to authenticate the user;
  
  upon authenticating the user, provide a first security token for enabling access to the first resource by the user, wherein the first tenant provides access to the first resource;
  
  store a representation of authenticating the user with respect to the first tenant;
  
  receive a second request from the user for a second resource, wherein a second tenant provides access to the second resource, wherein the second tenant belongs to the first plurality of tenants, wherein the second tenant is different from the first tenant, and wherein the second tenant has an authentication policy that is different from the authentication policy of the first tenant;
  
  subsequent to receiving the second request from the user for the second resource from the second tenant, automatically detect that the user has been previously authenticated with respect to the first tenant by accessing the stored representation of the authentication of the user with respect to the first tenant;
  
  use the detected previous authentication of the user with respect to the first tenant to authenticate the user with respect to the authentication policy of the second tenant; and
  
  upon authenticating the user with respect to the authentication policy of the second tenant, provide a second security token for enabling access to the second resource by the user without requiring additional authentication credentials from the user.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17)
- - 10. The system of claim 9, further comprising:
    - a portal container configured to;
      
      build a security context using the first security token; and
      
      provide the first resource to the user.
  - 11. The system of claim 10, further comprising:
    - storing a representation of the authentication of the user.
  - 12. The system of claim 11, wherein detecting the previous authentication of the user with the first tenant involves obtaining the stored representation of the previous authentication, and wherein the stored representation comprises a cookie in a browser of the user.
  - 13. The system of claim 9, wherein each of the first and second tenants is associated with at least one of a software offering, a group of users, a set of resources, a group of tools, and a group of portals.
  - 14. The system of claim 9, wherein the authentication policy comprises at least one of a policy name, the authentication mechanism, and location information for authentication credentials associated with the authentication mechanism.
  - 15. The system of claim 14, wherein using the authentication mechanism associated with the authentication policy to authenticate the user involves:
    - using the authentication mechanism to obtain one or more user-provided authentication credentials from the user;
      
      using the location information to obtain the authentication credentials; and
      
      comparing the user-provided authentication credentials with the authentication credentials.
  - 16. The system of claim 14, wherein the location information comprises at least one of a repository, a configuration of the repository, and a mechanism for accessing the repository.
  - 17. The system of claim 9, wherein the first tenant is identified using a tenant identifier associated with the first request.

18. A non-transitory computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method for authenticating a user in a hosted, multi-tenant computing environment, the method comprising:
- receiving a request for access to a first resource from a user, wherein the user has an account with a first plurality of tenants in the multi-tenant computing environment;
  
  identifying a first tenant associated with the first request, wherein the first tenant is in the first plurality of tenants;
  
  obtaining an authentication policy for the first tenant;
  
  using an authentication mechanism associated with the authentication policy of the first tenant to authenticate the user;
  
  upon authenticating the user, providing a first security token for enabling access to the first resource by the user, wherein the first tenant provides access to the first resource;
  
  storing a representation of authenticating the user with respect to the first tenant;
  
  receiving a second request from the user for a second resource, wherein a second tenant provides access to the second resource, wherein the second tenant belongs to the first plurality of tenants, wherein the second tenant is different from the first tenant, and wherein the second tenant has an authentication policy that is different from the authentication policy of the first tenant;
  
  subsequent to receiving the second request from the user for the second resource from the second tenant, automatically detecting, by computer, that the user has been previously authenticated with respect to the first tenant by accessing the stored representation of the authentication of the user with respect to the first tenant;
  
  using the detected previous authentication of the user with respect to the first tenant to authenticate the user with respect to the authentication policy of the second tenant; and
  
  upon authenticating the user with respect to the authentication policy of the second tenant, providing, by the computer, a second security token for enabling access to the second resource by the user without requiring additional authentication credentials from the user.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25)
- - 19. The computer-readable storage medium of claim 18, wherein each of the first and second tenants is associated with at least one of a software offering, a group of users, a set of resources, a group of tools, and a group of portals.
  - 20. The computer-readable storage medium of claim 18, wherein the authentication policy comprises at least one of a policy name, the authentication mechanism, and location information for authentication credentials associated with the authentication mechanism.
  - 21. The computer-readable storage medium of claim 20, wherein using the authentication mechanism associated with the authentication policy to authenticate the user involves:
    - using the authentication mechanism to obtain one or more user-provided authentication credentials from the user;
      
      using the location information to obtain the authentication credentials; and
      
      comparing the user-provided authentication credentials with the authentication credentials.
  - 22. The computer-readable storage medium of claim 20, wherein the location information comprises at least one of a repository, a configuration of the repository, and a mechanism for accessing the repository.
  - 23. The computer-readable storage medium of claim 18, wherein the first tenant is identified using a tenant identifier associated with the first request.
  - 24. The computer-readable storage medium of claim 18, further comprising:
    - building a first security context using the user token and the first security token to enable access to the first resource; and
      
      storing a representation of the authentication of the user.
  - 25. The computer-readable storage medium of claim 24, wherein detecting the previous authentication of the user with the first tenant involves obtaining the stored representation of the previous authentication, and wherein the stored representation comprises a cookie in a browser of the user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intuit, Inc.
Original Assignee
Intuit, Inc.
Inventors
Singh, Servesh Pratap
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Alata, Ayoub

Application Number

US13/624,732
Publication Number

US 20140090037A1
Time in Patent Office

1,362 Days
Field of Search

726/2, 726/5, 726 7- 9
US Class Current

1/1
CPC Class Codes

G06F 21/31   User authentication

G06F 21/335   for accessing specific reso...

G06F 21/41   where a single sign-on prov...

G06F 21/6218   to a system of files or obj...

H04L 63/08   for authentication of entit...

H04L 63/0815   providing single-sign-on or...

H04L 63/205   involving negotiation or de...

Single sign-on in multi-tenant environments

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

17 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Single sign-on in multi-tenant environments

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

17 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links