Identity pool bridging for managed directory services
First Claim
1. A computer-implemented method, comprising:
- under the control of one or more computer systems configured with executable instructions, enabling a user to utilize a set of credentials to access an interface provided by a computing resource service provider to access a managed directory service;
receiving, at the computing resource service provider, a request from the user to create an identity pool within the managed directory service of the computing resource service provider, the first request comprising information based at least in part on the set of credentials and the identity pool comprising user profiles of one or more other users of the managed directory service and directory policies defining, for each user of the one or more other users, a level of access to a directory within the managed directory service and to applications managed in the directory;
creating, at the managed directory service, the identity pool and a shadow administrative account within the identity pool, the shadow administrative account usable for managing the user profiles of the one or more other users of the managed directory service and the directory policies for defining the level of access to the directory and to the applications managed in the directory for individual users of the directory;
transmitting, through the computing resource service provider and to the managed directory service, an application programming interface command from the user to obtain a directory token for accessing the shadow administrative account, the application programming interface command made available to the user by the managed directory service;
receiving the directory token from the managed directory service; and
enabling the user to utilize the received directory token to perform actions within the directory.
1 Assignment
0 Petitions
Abstract
A customer of a computing resource service provider may utilize a set of credentials to request creation of an identity pool within a managed directory service. Accordingly, the managed directory service may create the identity pool. Instead of having the customer create a separate account within this identity pool, the managed directory service may create a shadow administrator account within the identity pool, which may be used to manage other users and resources in the identity pool within the managed directory service. The managed directory service further exposes an application programming interface command that may be used to obtain a set of credentials for accessing the shadow administrator account. The customer may use this command to receive the set of credentials and access the shadow administrator account. Accordingly, the customer can manage users and resources in the identity pool within the managed directory service.
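The flow the abstract describes (customer requests a pool, the service creates the pool together with a shadow administrator account, the customer calls an API command to obtain a directory token for that account, then uses the token to manage users and directory policies) is modelled below as a small Python program. It is an added example written for this page, not code from the patent or from any provider's implementation; the class names, the `pool-` identifier format, the HMAC-signed token layout, the `svc-admin@` naming and the sample credentials are all constructed assumptions. It also makes explicit the checks a practitioner would expect around the shadow account: the token is issued only to the account that created the pool, is scoped to that pool, and expires.

```python
"""Toy model of identity-pool creation and shadow-admin token issuance.

Constructed example; every identifier below is an assumption, not part of the patent.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field


def _now(now):
    """Use an injected clock when given (keeps the example deterministic)."""
    return int(time.time()) if now is None else int(now)


@dataclass
class IdentityPool:
    pool_id: str
    owner: str                                      # provider-level account that requested the pool
    shadow_admin: str                               # created by the service, never by the customer
    users: dict = field(default_factory=dict)       # user name -> profile
    policies: dict = field(default_factory=dict)    # user name -> {"directory": level, "apps": level}


class ManagedDirectoryService:
    """Holds identity pools and issues short-lived, pool-scoped directory tokens."""

    def __init__(self, signing_key: bytes, token_ttl: int = 900):
        self._key = signing_key
        self._ttl = token_ttl
        self.pools: dict[str, IdentityPool] = {}

    def create_identity_pool(self, owner: str) -> IdentityPool:
        pool_id = "pool-" + secrets.token_hex(4)            # assumed id format
        shadow_admin = f"svc-admin@{pool_id}"               # assumed naming convention
        pool = IdentityPool(pool_id, owner, shadow_admin)
        # The shadow admin is an ordinary directory account whose policy grants
        # admin rights over this pool only; the customer never receives its password.
        pool.users[shadow_admin] = {"kind": "shadow-admin"}
        pool.policies[shadow_admin] = {"directory": "admin", "apps": "admin"}
        self.pools[pool_id] = pool
        return pool

    def get_directory_token(self, caller: str, pool_id: str, now=None) -> str:
        """The API command from the abstract: a token for the pool's shadow admin."""
        pool = self.pools.get(pool_id)
        if pool is None or pool.owner != caller:
            raise PermissionError("caller does not own this identity pool")
        expires = _now(now) + self._ttl
        payload = f"{pool_id}|{pool.shadow_admin}|{expires}"
        mac = hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}|{mac}"

    def _verify_token(self, token: str, pool_id: str, now=None) -> str:
        """Return the account a token is bound to, or raise if it is not acceptable."""
        try:
            tok_pool, account, expires, mac = token.split("|")
        except ValueError:
            raise PermissionError("malformed token") from None
        payload = f"{tok_pool}|{account}|{expires}"
        expected = hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            raise PermissionError("bad token signature")
        if tok_pool != pool_id:
            raise PermissionError("token is scoped to a different pool")
        if int(expires) < _now(now):
            raise PermissionError("token expired")
        return account

    def token_accepted(self, token: str, pool_id: str, now=None) -> bool:
        try:
            self._verify_token(token, pool_id, now)
            return True
        except PermissionError:
            return False

    def set_user_policy(self, token, pool_id, user, directory_level, app_level, now=None):
        """An action performed 'within the directory' using the shadow-admin token."""
        account = self._verify_token(token, pool_id, now)
        pool = self.pools[pool_id]
        if pool.policies.get(account, {}).get("directory") != "admin":
            raise PermissionError("account may not manage directory policies")
        pool.users.setdefault(user, {"kind": "user"})
        pool.policies[user] = {"directory": directory_level, "apps": app_level}
        return pool.policies[user]


class ServiceProvider:
    """Front end: authenticates the customer's credentials, then forwards to the directory service."""

    def __init__(self, directory: ManagedDirectoryService, credentials: dict):
        self._directory = directory
        self._creds = credentials       # key id -> secret (constructed sample store)

    def _authenticate(self, key_id: str, secret: str) -> str:
        expected = self._creds.get(key_id)
        if expected is None or not hmac.compare_digest(expected, secret):
            raise PermissionError("invalid credentials")
        return key_id

    def create_identity_pool(self, key_id, secret) -> str:
        owner = self._authenticate(key_id, secret)
        return self._directory.create_identity_pool(owner).pool_id

    def get_directory_token(self, key_id, secret, pool_id, now=None) -> str:
        caller = self._authenticate(key_id, secret)
        return self._directory.get_directory_token(caller, pool_id, now)


def demo():
    """Run the whole flow with constructed credentials; returns (pool_id, token, alice's policy)."""
    svc = ManagedDirectoryService(signing_key=b"constructed-signing-key")
    provider = ServiceProvider(svc, {"KEY-EXAMPLE": "secret-example"})
    pool_id = provider.create_identity_pool("KEY-EXAMPLE", "secret-example")
    token = provider.get_directory_token("KEY-EXAMPLE", "secret-example", pool_id, now=1000)
    policy = svc.set_user_policy(token, pool_id, "alice", "read", "use", now=1100)
    return pool_id, token, policy


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the customer's provider credentials and the directory token are different things: the provider authenticates the credentials, but the token that actually touches the directory is minted by the directory service, carries the pool it belongs to, and stops working after its TTL, so a leaked token cannot be replayed against another customer's pool or used indefinitely.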
56 Citations
20 Claims
1. A computer-implemented method (reproduced above under First Claim). Dependent claims: 2, 3, 4, 5, 6.

7. A computer system, comprising:
- one or more processors; and
- memory having collectively stored therein instructions that, when executed by the computer system, cause the computer system to:
authenticate a requestor utilizing credential information for accessing one or more services provided by a computing resource service provider;
receive, from the requestor, a request to create an identity pool within a managed directory service provided by the computing resource service provider, the access to the managed directory service based at least in part on the credential information and the identity pool comprising user accounts of one or more users of the managed directory service and directory policies defining, for each user of the one or more users, a level of access to a directory within the managed directory service and to applications managed in the directory;
create the identity pool within the managed directory service and an account usable by the requestor within the created identity pool, the account usable for managing user profiles of the one or more users and the directory policies; and
enable the requestor to access, by transmitting an application programming interface command to the computer system, the account from within the managed directory service, the application programming interface command made available to the user by the managed directory service.
Dependent claims: 8, 9, 10, 11, 12, 13.

14. A non-transitory computer-readable storage medium having collectively stored thereon executable instructions that, when executed by one or more processors of a computer system, cause the computer system to at least:
verify a requestor utilizing credential information to access one or more services provided by a computing resource service provider is authorized to access a managed directory service provided by the computing resource service provider;
receive, from the requestor, a request to create an identity pool within the managed directory service, the identity pool usable to manage user accounts of one or more users of the managed directory service and directory policies defining, for each user of the one or more users, a level of access to a directory within the managed directory service and to applications managed in the directory;
create the identity pool within the managed directory service and an account usable by the requestor within the created identity pool, the account usable for managing user profiles of the one or more users of the managed directory service and the directory policies; and
enable the requestor to access, by transmitting an application programming interface command to the computer system, the account from within the managed directory service, the application programming interface command made available to the user by the managed directory service.
Dependent claims: 15, 16, 17, 18, 19, 20.
Specification