Desktop application fulfillment platform with multiple authentication mechanisms

US 9,985,953 B2
Filed: 11/10/2014
Issued: 05/29/2018
Est. Priority Date: 11/10/2014
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a plurality of computing nodes that collectively provide virtual computing services to one or more clients of a service provider, each of the computing nodes comprising at least one processor and a memory; and

a virtualized computing resource instance executing on one of the computing nodes;

wherein the virtualized computing resource instance implements a virtual desktop instance on behalf of a given end user that receives services from the service provider, and wherein an application delivery agent is installed on the virtual desktop instance;

wherein one or more of the plurality of computing nodes implement an application fulfillment platform;

wherein the application fulfillment platform is configured to;

receive, from the application delivery agent, a request to register the virtual desktop instance with the application fulfillment platform as a device, wherein the request includes a device identity ticket;

in response to the request to register the virtual desktop instance;

validate the device identity ticket;

generate a security token for the device; and

return the security token for the device to the application delivery agent;

receive, from the application delivery agent, a request to register the given end user with the application fulfillment platform, wherein the request includes a user identity ticket received from an active directory service;

in response to the request to register the given end user;

validate the user identity ticket;

generate a security token for the given end user; and

return the security token for the given end user to the application delivery agent; and

receive, from the application delivery agent, a request for service, wherein the request for service includes the security token for the device or the security token for the given end user, and wherein the security token included in the request for service is dependent on the type of the service request or the entity on whose behalf the service request was submitted by the application delivery agent.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A service provider system may include an application fulfillment platform that delivers desktop applications to desktops on physical computing devices or virtual desktop instances. A computing resource instance may be registered with the platform, which generates a unique identifier and a security token for the computing resource instance using multiple authentication mechanisms. An end user of a customer organization may be registered with the platform, which generates a unique identifier and a security token for the end user using multiple authentication mechanisms. An application delivery agent may submit service requests to the platform on behalf of itself or the given user. The identity and security credentials included in the requests may be dependent on the request type and the entities on whose behalf they are submitted. A proxy service on the platform may receive the requests and validate the credentials, then dispatch the requests to other services on the platform.

32 Citations

View as Search Results

20 Claims

1. A system, comprising:
- a plurality of computing nodes that collectively provide virtual computing services to one or more clients of a service provider, each of the computing nodes comprising at least one processor and a memory; and
  
  a virtualized computing resource instance executing on one of the computing nodes;
  
  wherein the virtualized computing resource instance implements a virtual desktop instance on behalf of a given end user that receives services from the service provider, and wherein an application delivery agent is installed on the virtual desktop instance;
  
  wherein one or more of the plurality of computing nodes implement an application fulfillment platform;
  
  wherein the application fulfillment platform is configured to;
  
  receive, from the application delivery agent, a request to register the virtual desktop instance with the application fulfillment platform as a device, wherein the request includes a device identity ticket;
  
  in response to the request to register the virtual desktop instance;
  
  validate the device identity ticket;
  
  generate a security token for the device; and
  
  return the security token for the device to the application delivery agent;
  
  receive, from the application delivery agent, a request to register the given end user with the application fulfillment platform, wherein the request includes a user identity ticket received from an active directory service;
  
  in response to the request to register the given end user;
  
  validate the user identity ticket;
  
  generate a security token for the given end user; and
  
  return the security token for the given end user to the application delivery agent; and
  
  receive, from the application delivery agent, a request for service, wherein the request for service includes the security token for the device or the security token for the given end user, and wherein the security token included in the request for service is dependent on the type of the service request or the entity on whose behalf the service request was submitted by the application delivery agent.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The system of claim 1,wherein the request was submitted by the application delivery agent on behalf of the application delivery agent;
    - andwherein the request for service comprises an identifier of the device and the security token for the device.
  - 3. The system of claim 1,wherein the request was submitted by the application delivery agent on behalf of the given end user;
    - andwherein the request for service comprises an identifier of the given end user and the security token for the given end user.
  - 4. The system of claim 1,wherein the application fulfillment platform comprises a plurality of control plane services, including a proxy service;
    - wherein one or more of the request to register the virtual desktop instance, the request to register the end user, or the request for service is received by a proxy service; and
      
      wherein in response to receiving the request to register the virtual desktop instance, the request to register the end user, or the request for service, the proxy service is configured to;
      
      validate a security token included in the request; and
      
      dispatch the request to another one of the control plane services.
  - 5. The system of claim 4,wherein the application fulfillment platform comprises an outbound queue from which the application delivery agent can retrieve notifications;
    - wherein the other one of the control plane services is configured to;
      
      receive the dispatched request for service;
      
      process the dispatched request for service; and
      
      return a response for the dispatched request for service to the application delivery agent, wherein to return the response, the other one of the control plane services places a notification in the outbound queue for retrieval by the application delivery agent.

6. A method, comprising:
- performing, by one or more computers that implement an application fulfillment platform on resources of a service provider;
  
  receiving a service request from an application delivery agent that is installed on a computing resource instance of a given user in an organization that receives services from the service provider, wherein the service request comprises a security credential for the computing resource instance or a security credential for the given user; and
  
  in response to receiving the service request, validating a particular identity resource of a plurality of different identity resources using two or more authentication mechanisms, wherein the particular identity resource being validated is based on whether the service request was submitted by the application delivery agent on behalf of the computing resource instance or was submitted by the application delivery agent on behalf of the given user, and wherein individual ones of the different identity resources comprise;
  
  an identity of the computing resource instance and a security credential for the computing resource instance, oran identity of the given user and a security credential for the given user; and
  
  in response to validating the identity and the security credential for the computing resource instance of the given user or for the given user, processing the service request.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 7. The method of claim 6, further comprising, prior to said receiving:
    - generating the security credential for the computing resource instance of the given user;
      
      orgenerating the security credential for the given user.
  - 8. The method of claim 7,wherein the method further comprises, prior to receiving the service request, receiving a request to register the computing resource instance with the application fulfillment service platform;
    - andwherein said generating the security credential for the computing resource instance of the given user is performed in response to receiving the request to register the computing resource instance with the application fulfillment service platform.
  - 9. The method of claim 7,wherein the method further comprises, prior to receiving the service request, receiving a request to register the given user with the application fulfillment service platform or an indication that the given user has logged into the computing resource instance;
    - andwherein said generating the security credential for the given user is performed in response to receiving the request to register the given user with the application fulfillment service platform or the indication that the given user has logged into the computing resource instance.
  - 10. The method of claim 7,wherein at least one of said generating the security credential for the computing resource instance of the given user or said generating the security credential for the given user comprises generating a temporary security token that expires after a pre-determined period of time;
    - andwherein the method further comprises renewing the temporary security token in response to the temporary security token expiring.
  - 11. The method of claim 7,wherein at least one of said generating the security credential for the computing resource instance of the given user or said generating the security credential for the given user comprises:
    - receiving a security credential or unique resource identifier for the computing resource instance of the given user or for the given user that is of a different type than that of the security credential and that is not recognized by one or more control plane services implemented by the application fulfillment platform;
      
      reformatting the security credential or unique resource identifier for the computing resource instance of the given user or for the given user that is of the different type; and
      
      exchanging the reformatted security credential or unique resource identifier for the computing resource instance of the given user or for the given user for the security credential, wherein the security credential is recognized by the one or more control plane services implemented by the application fulfillment platform.
  - 12. The method of claim 6,wherein the method further comprises, prior to said receiving, generating a unique identifier for the computing resource instance of the given user or generating a unique identifier for the given user.
  - 13. The method of claim 12,wherein said validating the particular identity resource comprises validating the unique identifier that was generated for the computing resource instance of the given user or validating the unique identifier that was generated for the given user.
  - 14. The method of claim 6, wherein the service request comprises a request to install a desktop application on the computing resource instance of the given user, uninstall a desktop application on the computing resource instance of the given user, subscribe to a desktop application, unsubscribe from a desktop application, or reinstall a desktop application on the computing resource instance.
  - 15. The method of claim 6,wherein the service request was submitted by the application delivery agent on behalf of the given user;
    - andwherein the service request comprises the identity of the given user and the security credential for the given user.
  - 16. The method of claim 6,wherein the service request was submitted by the application delivery agent on behalf of the application delivery agent;
    - andwherein the service request comprises the identity of the computing resource instance and the security credential for the computing resource instance.
  - 17. The method of claim 6, wherein the application delivery agent stores the identity and the security credential for the computing resource instance of the given user or the identity and the security credential for the given user in secure storage on the computing resource instance.
  - 18. The method of claim 6, wherein the computing resource instance comprises a virtualized computing resource instance or a virtual desktop instance that is implemented on resources of the service provider.

19. A non-transitory computer-readable storage medium storing program instructions that when executed on one or more computers cause the one or more computers to implement an application fulfillment platform, wherein the application fulfillment platform is configured to perform:
- configuring a computing resource instance on behalf of a given user, wherein said configuring comprises;
  
  building a virtual desktop instance on the computing resource instance; and
  
  installing an application delivery agent on the virtual desktop instance;
  
  generating a unique identifier and a security token for the virtual desktop instance;
  
  generating a unique identifier and a security token for the given user;
  
  receiving requests for service from the application delivery agent on behalf of the application delivery agent or the given user, wherein the requests for service comprise a security token for the virtual desktop instance or a security token for the given user; and
  
  validating a particular identity resource of a plurality of different identity resources for different ones of the requests for service based on whether a given request for service was submitted by the application delivery agent on behalf of the application delivery agent or was submitted by the application delivery agent on behalf of the given user, wherein individual ones of the different identity resources comprise;
  
  the unique identifier for the virtual desktop instance and the security token for the virtual desktop instance, orthe unique identifier for the given user and the security token for the given user.
- View Dependent Claims (20)
- - 20. The non-transitory computer-readable storage medium of claim 19, wherein the application fulfillment platform is further configured to perform:
    - storing the unique identifier for the virtual desktop instance, the security token for the virtual desktop instance, the unique identifier for the given user, and the security token for the given user on resources of a service provider that provides services to end users of a service provider customer organization, including the given user, through the application fulfillment platform; and
      
      maintaining a record of an association between the given end user and the virtual desktop instance.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Koushik, Sheshadri Supreeth, Shah, Jaimin Paresh, Lin, Yang, Shrivastava, Abhinav, Sahijwani, Vikram Vijay, Peng, Hao, Pessis, David
Primary Examiner(s)
Tabor, Amare F

Application Number

US14/537,789
Publication Number

US 20160134616A1
Time in Patent Office

1,296 Days
Field of Search

726 9
US Class Current
CPC Class Codes

G06F 21/335   for accessing specific reso...

G06F 8/60   Software deployment

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0853   using an additional device,...

H04L 63/10   for controlling access to d...

Desktop application fulfillment platform with multiple authentication mechanisms

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

32 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Desktop application fulfillment platform with multiple authentication mechanisms

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

32 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others