Restricting access to public cloud SaaS applications to a single organization
First Claim
1. In a computing environment, a computer system comprising:
one or more processors; and
one or more computer-readable media having stored thereon instructions that are executable by the one or more processors to configure the computer system to allow an enterprise device managed by an enterprise to access a tenant that is associated with the enterprise and that is a part of a cloud service while preventing the enterprise device from accessing one or more other tenants that are also parts of the cloud service by causing the computer system to perform at least the following:
at the cloud service, which is managed by the computer system, receiving an access request that originated from the enterprise device, the access request including both (1) a request from the enterprise device to access the enterprise's associated tenant and (2) policy that, when implemented by the cloud service, controls how the cloud service is to subsequently issue an authentication token such that the request and the policy are included in the access request prior to issuance of the authentication token, wherein the policy includes one or more uniform resource locators (URLs) that collectively identifies at least one or more allowed tenant that the enterprise device is permitted to navigate to or one or more tenant that the enterprise device is not permitted to navigate to;
at the cloud service, determining that the policy corresponds to access permissions for the enterprise's associated tenant, the policy being received from the enterprise for enforcement by the cloud service, wherein the policy included in the access request provides an indication to the cloud service whether the access request is to be granted by issuing the authentication token or denied by refraining from issuing the authentication token; and
at the cloud service, granting or denying the access request based on the policy which was obtained from the enterprise and which was included in the access request, wherein any URL in the policy that identifies an allowed tenant causes issuance of the authorization token for the allowed tenant and any URL in the policy that identifies a tenant that the enterprise device is not permitted to navigate to is used to prevent the issuance of the authentication token for the tenant that the enterprise device is not permitted to navigate to.
Abstract
Allowing an entity managed device to access a tenant associated with the entity on a public cloud service while preventing the device from accessing one or more other tenants on the cloud service. A method includes, at the cloud service, obtaining policy from the entity with respect to tenant access. The method further includes, at the cloud service, receiving a request from the entity managed device to access a tenant at the cloud service. The method further includes granting or denying the access request based on the policy obtained from the entity.
37 Citations
18 Claims
1. Claim 1 is set out in full above under First Claim. Dependent claims: 2, 3, 4, 5, 6, 17, 18.
7. In a computing environment, a method of allowing an enterprise device managed by an enterprise to access content of a tenant that is associated with the enterprise and that is a part of a cloud service while preventing the enterprise device from accessing content of one or more other tenants that are also parts of the cloud service, the method comprising:
at the cloud service, receiving an access request that originated from the enterprise device, the access request including both (1) a request from the enterprise device to access the enterprise's associated tenant and (2) policy that, when implemented by the cloud service, controls how the cloud service is to subsequently issue an authentication token such that the request and the policy are included in the access request prior to issuance of the authentication token, wherein the policy includes one or more uniform resource locators (URLs) that collectively identifies at least one or more allowed tenant that the enterprise device is permitted to navigate to or one or more tenant that the enterprise device is not permitted to navigate to;
at the cloud service, determining that the policy corresponds to access permissions for the enterprise's associated tenant, the policy being received from the enterprise for enforcement by the cloud service, wherein the policy included in the access request provides an indication to the cloud service whether the access request is to be granted by issuing the authentication token or denied by refraining from issuing the authentication token; and
at the cloud service, granting or denying the access request based on the policy which was obtained from the enterprise and which was included in the access request, wherein any URL in the policy that identifies an allowed tenant causes issuance of the authorization token for the allowed tenant and any URL in the policy that identifies a tenant that the enterprise device is not permitted to navigate to is used to prevent the issuance of the authentication token for the tenant that the enterprise device is not permitted to navigate to.
Dependent claims: 8, 9, 10, 11, 12.
13. In a computing environment, a system comprising:
a cloud service, wherein the cloud service comprises: a plurality of application instances including at least one application instance for a plurality of tenants; and an identity platform, wherein the identity platform is configured to:
receive an access request that originated from an enterprise device managed by an enterprise, the access request including both (1) a request from the enterprise device to access a tenant of the enterprise and (2) policy that, when implemented by the identity platform, controls how the identity platform is to subsequently issue an authentication token such that the request and the policy are included in the access request prior to issuance of the authentication token, wherein the policy includes one or more uniform resource locators (URLs) that collectively identifies at least one or more allowed tenant that the enterprise device is permitted to navigate to or one or more tenant that the enterprise device is not permitted to navigate to;
determine that the policy corresponds to access permissions for the enterprise's associated tenant, the policy being received from the enterprise for enforcement by the identity platform, wherein the policy included in the access request provides an indication to the cloud service whether the access request is to be granted by issuing the authentication token or denied by refraining from issuing the authentication token; and
at the cloud service, grant or deny the access request based on the policy which was obtained from the enterprise and which was included in the access request, wherein any URL in the policy that identifies an allowed tenant causes issuance of the authorization token for the allowed tenant and any URL in the policy that identifies a tenant that the enterprise device is not permitted to navigate to is used to prevent the issuance of the authentication token for the tenant that the enterprise device is not permitted to navigate to.
Dependent claims: 14, 15, 16.
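Claims 1, 7 and 13 all describe the same cloud-side decision: the enterprise's tenant policy (URLs naming allowed and/or blocked tenants) arrives inside the access request, and the identity platform issues or withholds a token according to it. The following is an added example of such a check, not the patent's or any vendor's code; the URL-to-tenant convention, the header layout, the fail-closed handling of a request with no policy, and the token format are all assumptions made for this example.

```python
# Added example of a policy-driven token decision, with constructed names and
# formats (the patent specifies no URL convention or token layout).
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit

def tenant_from_url(url: str) -> str:
    """Normalise a tenant URL to 'host/first-path-segment', lower-cased, so that
    'https://Login.Example.test/Contoso/x' and 'https://login.example.test/contoso'
    name the same tenant (a constructed convention, not the patent's)."""
    parts = urlsplit(url)
    first_segment = parts.path.strip("/").split("/")[0]
    return f"{parts.hostname or ''}/{first_segment}".lower()

@dataclass
class AccessRequest:
    target_url: str                                    # (1) the tenant being requested
    allowed: List[str] = field(default_factory=list)   # (2) policy: permitted tenant URLs
    blocked: List[str] = field(default_factory=list)   # (2) policy: forbidden tenant URLs

def decide(req: AccessRequest) -> str:
    """Return 'grant' or 'deny'. A tenant named in the blocked list is always
    denied; when an allowed list is present it is exhaustive; a request that
    carries no policy at all is denied (fail-closed, an assumption of this example)."""
    target = tenant_from_url(req.target_url)
    if not req.allowed and not req.blocked:
        return "deny"
    if target in {tenant_from_url(u) for u in req.blocked}:
        return "deny"
    if req.allowed and target not in {tenant_from_url(u) for u in req.allowed}:
        return "deny"
    return "grant"

def issue_token(req: AccessRequest, key: bytes) -> Optional[str]:
    """Mint a minimal HMAC-SHA256 signed token bound to the granted tenant,
    or return None when the policy denies the request."""
    if decide(req) != "grant":
        return None
    body = json.dumps({"tenant": tenant_from_url(req.target_url)}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return ".".join(base64.urlsafe_b64encode(p).decode() for p in (body, tag))
```

Binding the tenant into the signed token means a downstream application instance can verify which tenant the identity platform actually authorised, rather than trusting the URL the device presented.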
Specification