Single set of credentials for accessing multiple computing resource services

US 9,407,615 B2
Filed: 12/05/2013
Issued: 08/02/2016
Est. Priority Date: 11/11/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for enabling access to one or more computing system services provided by a computing resource service provider, comprising:

under the control of one or more computer systems configured with executable instructions,enabling a user to utilize a set of credentials to access resources in a directory within a managed directory service;

receiving, at the managed directory service, a first request from the user to access a subset of the one or more computing system services, different from the managed directory service, provided by the computing resource service provider, the first request comprising information based at least in part on the set of credentials;

authenticating, at the managed directory service, the user based at least in part on the set of credentials;

on a first condition that the user has been authenticated, identifying, at the managed directory service, one or more policies applicable to the user, the one or more policies at least defining a level of access to the one or more services based at least in part on the first request, the one or more policies defined using a policy generator interface that enables an administrative user to define the one or more policies based at least in part on the one or more services;

on a second condition that the identified one or more policies allow access, transmitting to an identity management service, different from the managed directory service, a second request for a set of one or more temporary credentials wherein the temporary credentials enable the user to access a subset of the one or more services;

receiving the set of one or more temporary credentials from the identity management service;

providing a reference to a network location usable to access the one or more services in accordance with the one or more policies; and

utilizing the received set of one or more temporary credentials to fulfill, at least in part, the first request from the user to access the one or more services.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A user may utilize a set of credentials to access, through a managed directory service, one or more services provided by a computing resource service provider. The managed directory service may be configured to identify one or more policies applicable to the user. These policies may define the level of access to the one or more services provided by the computing resource service provider. Based at least in part on these policies, the managed directory service may transmit a request to an identity management system to obtain a set of temporary credentials that may be used to enable the user to access the one or more services. Accordingly, the managed directory service may be configured to enable the user, based at least in part on the policies and the set of temporary credentials, to access an interface, which can be used to access the one or more services.

46 Citations

View as Search Results

20 Claims

1. A computer-implemented method for enabling access to one or more computing system services provided by a computing resource service provider, comprising:
- under the control of one or more computer systems configured with executable instructions,enabling a user to utilize a set of credentials to access resources in a directory within a managed directory service;
  
  receiving, at the managed directory service, a first request from the user to access a subset of the one or more computing system services, different from the managed directory service, provided by the computing resource service provider, the first request comprising information based at least in part on the set of credentials;
  
  authenticating, at the managed directory service, the user based at least in part on the set of credentials;
  
  on a first condition that the user has been authenticated, identifying, at the managed directory service, one or more policies applicable to the user, the one or more policies at least defining a level of access to the one or more services based at least in part on the first request, the one or more policies defined using a policy generator interface that enables an administrative user to define the one or more policies based at least in part on the one or more services;
  
  on a second condition that the identified one or more policies allow access, transmitting to an identity management service, different from the managed directory service, a second request for a set of one or more temporary credentials wherein the temporary credentials enable the user to access a subset of the one or more services;
  
  receiving the set of one or more temporary credentials from the identity management service;
  
  providing a reference to a network location usable to access the one or more services in accordance with the one or more policies; and
  
  utilizing the received set of one or more temporary credentials to fulfill, at least in part, the first request from the user to access the one or more services.
- View Dependent Claims (2, 3, 4, 18)
- - 2. The computer-implemented method of claim 1, wherein the network location is of an interface useable for accessing the one or more services to fulfill, at least in part, the first request from the user to access the one or more services.
  - 3. The computer-implemented method of claim 2, wherein the interface is further configured to enable requests from the user to be transmitted to the identity management service to access the one or more services.
  - 4. The computer-implemented method of claim 1, wherein the one or more policies applicable to the user are defined in a profile at the managed directory service, the profile being specific to the user.
  - 18. The computer-implemented method of claim 1, wherein the reference is a uniform resource indicator.

5. A computer system, comprising:
- one or more processors; and
  
  memory having collectively stored therein instructions that, when executed by the computer system, cause the computer system to;
  
  authenticate, at a directory service, a requestor utilizing credential information for accessing a directory within the directory service;
  
  identify one or more policies applicable to the requestor, the one or more policies defined using a policy generator interface that enables an administrative user to define the one or more policies based at least in part on the one or more services;
  
  receive, from the requestor, a request to access a subset of one or more services provided by a computing resource service provider, access to the subset of the one or more services managed by the directory within the directory service;
  
  as a result of authenticating the requestor, obtain, from a second service different from the directory service, temporary credential information to access the subset of the one or more services;
  
  provide a reference to a network location usable to access the one or more services in accordance with the one or more policies; and
  
  utilize the temporary credential information obtained from the second service, to fulfill, at least in part, the request to access the subset of the one or more services.
- View Dependent Claims (6, 7, 8, 9, 10, 19)
- - 6. The computer system of claim 5, wherein the request comprises information based at least in part on the credential information.
  - 7. The computer system of claim 5, wherein the instructions further cause the computer system to enable the requestor to access, from the directory service, an interface accessible based at least in part on the authentication of the requestor to fulfill, at least in part, the request to access the subset of the one or more services.
  - 8. The computer system of claim 7, wherein the instructions further cause the computer system to provide a representation of a network address for the interface useable by the requestor to submit the request to access the subset of the one or more services.
  - 9. The computer system of claim 5, wherein the instructions that cause the computer system to obtain the temporary credential information further cause the computer system to communicate with the second service to request the temporary credential information and receive the temporary credential information from the second service.
  - 10. The computer system of claim 5, wherein the temporary credential information is configured to become unusable by the requestor as a result of the requestor terminating its access to the subset of the one or more services.
  - 19. The system of claim 5, wherein the reference is a uniform resource indicator.

11. A non-transitory computer-readable storage medium having collectively stored thereon executable instructions that, when executed by one or more processors of a computer system, cause the computer system to at least:
- verify, at a directory service, a requestor utilizing credential information to access a directory within the directory service is authorized to access the directory;
  
  receive, from the requestor, a request to access a subset of one or more services provided by a computing resource service provider;
  
  as a result of verifying, at the directory service, that the requestor is authorized to access the directory, identify one or more policies applicable to the requestor, the one or more policies managed by the directory within the directory service, defined using a policy generator interface that enables an administrative user to define the one or more policies based at least in part on the one or more services, and usable to define a level of access to the subset of the one or more services;
  
  on a condition that the identified one or more policies allow access, obtain, from a second service different from the directory service, temporary credential information to access the subset of the one or more services;
  
  provide a reference to a network location usable to access the one or more services in accordance with the one or more policies; and
  
  utilize the temporary credential information obtained from the second service to fulfill, at least in part, the request to access the subset of the one or more services.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 20)
- - 12. The non-transitory computer-readable storage medium of claim 11, wherein the request comprises information based at least in part on the credential information.
  - 13. The non-transitory computer-readable storage medium of claim 11, wherein the executable instructions further cause the computer system to enable the requestor to access, from the directory service, an interface accessible based at least in part on the verification of the requestor to fulfill, at least in part, the request to access the subset of the one or more services.
  - 14. The non-transitory computer-readable storage medium of claim 13, wherein the instructions further cause the computer system to provide a representation of a network address for the interface useable by the requestor to submit the request to access the subset of the one or more services.
  - 15. The non-transitory computer-readable storage medium of claim 11, wherein the one or more policies applicable to the requestor are defined in a profile stored within the directory, the profile being specific to the requestor.
  - 16. The non-transitory computer-readable storage medium of claim 11, wherein the temporary credential information is configured to becomes unavailable to the requestor as a result of the requestor terminating its access to the subset of the one or more services.
  - 17. The non-transitory computer-readable storage medium of claim 11, wherein the instructions that cause the computer system to obtain the temporary credential information further cause the computer system to communicate with the second service to request the temporary credential information and receive the temporary credential information from the second service.
  - 20. The non-transitory computer-readable storage medium of claim 11, wherein the reference is a uniform resource indicator.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Shah, Shon Kiran, Mehta, Gaurang Pankaj, Koonaparaju, Venakta N. S. S. Harsha, Rizzo, Thomas Christopher, Rao, Guruprakash Bangalore
Primary Examiner(s)
Nalven, Andrew
Assistant Examiner(s)
FIELDS, COURTNEY D

Application Number

US14/098,341
Publication Number

US 20150135257A1
Time in Patent Office

971 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/41   where a single sign-on prov...

G06F 21/6218   to a system of files or obj...

H04L 63/08   for authentication of entit...

H04L 63/0815   providing single-sign-on or...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

H04L 67/02   based on web technology, e....

H04L 67/10   in which an application is ...

H04L 67/306   User profiles

Single set of credentials for accessing multiple computing resource services

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

46 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Single set of credentials for accessing multiple computing resource services

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

46 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links