Shared identity management (IDM) integration in a multi-tenant computing environment
Abstract
Techniques are disclosed for enabling tenant hierarchy information to be migrated directly between different multi-tenant systems (e.g., from a shared IDM system to a Nimbula system, or vice versa). A corresponding new tenant is created in the Nimbula system based on a combination of the tenant information and the service information from the shared IDM system. The Nimbula system extracts the tenant name and the service name from a request and asks the shared IDM system to verify that the user actually is a member of the tenant identified by the extracted tenant name. Upon successful authentication of the user, the Nimbula system requests from the IDM system the roles that are associated with both the user and the extracted service name. The Nimbula system enables access to the service upon determining, based on those roles, that the requested operation can be performed relative to the specified service.
55 Citations
20 Claims
1. A method comprising:
- receiving, at a first computing system of a computing infrastructure system that provides access to a plurality of services, a request by a user to access a service of the plurality of services, wherein the computing infrastructure system restricts each tenant of the computing infrastructure system to one of the plurality of services;
- extracting, by the first computing system, a tenant name and a service name of the service from a combined name included in the request;
- authenticating, by the first computing system, the user by requesting a second computing system to determine whether the user is a member of a tenant having the tenant name in the second computing system, wherein the second computing system is different from the first computing system;
- upon successfully authenticating that the user is the member of the tenant, accessing a directory of the second computing system to identify a set of roles that is both associated with the user and with a first service having the service name in the second computing system, wherein the first service is included in the plurality of services;
- based on the set of roles, determining whether the user is permitted to perform an operation specified in the request relative to the service specified in the request; and
- enabling the user to access the first service to perform the operation upon determining that a role in the set of roles is permitted to perform the operation specified in the request.
Dependent claims: 2, 3, 4, 5, 6, 7.
8. A system comprising:
- one or more processors; and
- a memory coupled with and readable by the one or more processors, the memory configured to store a set of instructions that, when executed by the one or more processors, causes the one or more processors to:
  - receive, at a first computing system of a computing infrastructure system that provides access to a plurality of services, a request by a user to access a service of the plurality of services, wherein the computing infrastructure system restricts each tenant of the computing infrastructure system to one of the plurality of services;
  - extract, by the first computing system, a tenant name and a service name of the service from a combined name included in the request;
  - authenticate, by the first computing system, the user by requesting a second computing system to determine whether the user is a member of a tenant having the tenant name in the second computing system, wherein the second computing system is different from the first computing system;
  - upon successfully authenticating that the user is the member of the tenant, access a directory of the second computing system to identify a set of roles that is both associated with the user and with a first service having the service name in the second computing system, wherein the first service is included in the plurality of services;
  - based on the set of roles, determine whether the user is permitted to perform an operation specified in the request relative to the service specified in the request; and
  - enable the user to access the first service to perform the operation upon determining that a role in the set of roles is permitted to perform the operation specified in the request.
Dependent claims: 9, 10, 11, 12, 13, 14.
15. A non-transitory computer-readable storage memory storing a plurality of instructions executable by one or more processors to cause the one or more processors to:
- receive, at a first computing system of a computing infrastructure system that provides access to a plurality of services, a request by a user to access a service of the plurality of services, wherein the computing infrastructure system restricts each tenant of the computing infrastructure system to one of the plurality of services;
- extract, by the first computing system, a tenant name and a service name of the service from a combined name included in the request;
- authenticate, by the first computing system, the user by requesting a second computing system to determine whether the user is a member of a tenant having the tenant name in the second computing system, wherein the second computing system is different from the first computing system;
- upon successfully authenticating that the user is the member of the tenant, access a directory of the second computing system to identify a set of roles that is both associated with the user and with a first service having the service name in the second computing system, wherein the first service is included in the plurality of services;
- based on the set of roles, determine whether the user is permitted to perform an operation specified in the request relative to the service specified in the request; and
- enable the user to access the first service to perform the operation upon determining that a role in the set of roles is permitted to perform the operation specified in the request.
Dependent claims: 16, 17, 18, 19, 20.
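The flow described in the abstract and recited in claims 1, 8 and 15, written out as an added example (this is editor-supplied illustration, not code from the patent or from any Nimbula or shared-IDM product). The separate IDM system is an in-memory stand-in populated with constructed sample data; the `tenant/service` separator of the combined name, the `ROLE_PERMISSIONS` table and the `TENANT_SERVICE` mapping are assumptions, since the claims specify that these exist but not their format. Each denial carries the reason, so a reviewer can see which of the claimed checks (name extraction, tenant membership, service-scoped roles, operation permission) rejected the request.

```python
"""Added example: tenant/service-scoped authorization against a separate IDM.

Infrastructure side ("first computing system"): parse the combined name,
enforce the one-service-per-tenant restriction, ask the IDM whether the user
is a tenant member, read the roles the IDM directory ties to both the user and
the service, and check the requested operation against those roles.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

SEPARATOR = "/"  # assumed combined-name format: "<tenant>/<service>"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    roles: frozenset = frozenset()


class SharedIdm:
    """Stand-in for the separate IDM system ("second computing system").

    The membership and role tables below are constructed sample data.
    """

    def __init__(self) -> None:
        # tenant -> set of member user names
        self.members = {"acme": {"alice", "bob"}, "globex": {"carol"}}
        # (user, service) -> roles the directory associates with both
        self.roles = {
            ("alice", "compute"): {"compute_admin"},
            ("bob", "compute"): {"compute_viewer"},
            ("carol", "storage"): {"storage_admin"},
        }

    def is_member(self, user: str, tenant: str) -> bool:
        return user in self.members.get(tenant, set())

    def roles_for(self, user: str, service: str) -> frozenset:
        return frozenset(self.roles.get((user, service), set()))


# Assumed role -> permitted operations table held by the infrastructure system.
ROLE_PERMISSIONS = {
    "compute_admin": {"launch", "terminate", "list"},
    "compute_viewer": {"list"},
    "storage_admin": {"create_bucket", "delete_bucket", "list"},
}

# Each tenant is restricted to exactly one service, as the claims require.
TENANT_SERVICE = {"acme": "compute", "globex": "storage"}


def split_combined_name(combined: str) -> Optional[Tuple[str, str]]:
    """Extract (tenant, service) from the combined name; None if malformed."""
    parts = combined.split(SEPARATOR)
    if len(parts) != 2 or not all(parts):
        return None
    return parts[0], parts[1]


def authorize(idm: SharedIdm, user: str, combined_name: str, operation: str) -> Decision:
    parsed = split_combined_name(combined_name)
    if parsed is None:
        return Decision(False, "malformed combined name")
    tenant, service = parsed
    # Reject a tenant/service pairing the infrastructure never assigned, before
    # spending an IDM round trip on it.
    if TENANT_SERVICE.get(tenant) != service:
        return Decision(False, "tenant is not assigned to the requested service")
    # Authentication: tenant membership is decided by the separate IDM system.
    if not idm.is_member(user, tenant):
        return Decision(False, "user is not a member of tenant")
    # Roles scoped to both the user and the service, read from the IDM directory.
    roles = idm.roles_for(user, service)
    if not roles:
        return Decision(False, "no roles for user on service", roles)
    permitted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))
    if operation not in permitted:
        return Decision(False, "no role permits operation", roles)
    return Decision(True, "allowed", roles)


if __name__ == "__main__":
    idm = SharedIdm()
    for user, name, op in [("alice", "acme/compute", "terminate"),
                           ("bob", "acme/compute", "terminate"),
                           ("carol", "acme/compute", "list"),
                           ("alice", "acme/storage", "list")]:
        print(user, name, op, "->", authorize(idm, user, name, op))
```

Note that the membership check and the role lookup are separate IDM calls, as in the claims: a user who is a tenant member but holds no role on the tenant's service is authenticated yet still denied, and the denial reason distinguishes that case from a failed membership check.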
Specification