Restricting access to public cloud SaaS applications to a single organization

US 10,320,844 B2
Filed: 01/13/2016
Issued: 06/11/2019
Est. Priority Date: 01/13/2016
Status: Active Grant

First Claim

Patent Images

1. In a computing environment, a computer system comprising:

one or more processors; and

one or more computer-readable media having stored thereon instructions that are executable by the one or more processors to configure the computer system to allow an enterprise device managed by an enterprise to access a tenant that is associated with the enterprise and that is a part of a cloud service while preventing the enterprise device from accessing one or more other tenants that are also parts of the cloud service by causing the computer system to perform at least the following;

at the cloud service, which is managed by the computer system, receiving an access request that originated from the enterprise device, the access request including both (1) a request from the enterprise device to access the enterprise'"'"'s associated tenant and (2) policy that, when implemented by the cloud service, controls how the cloud service is to subsequently issue an authentication token such that the request and the policy are included in the access request prior to issuance of the authentication token, wherein the policy includes one or more uniform resource locators (URLs) that collectively identifies at least one or more allowed tenant that the enterprise device is permitted to navigate to or one or more tenant that the enterprise device is not permitted to navigate to;

at the cloud service, determining that the policy corresponds to access permissions for the enterprise'"'"'s associated tenant, the policy being received from the enterprise for enforcement by the cloud service, wherein the policy included in the access request provides an indication to the cloud service whether the access request is to be granted by issuing the authentication token or denied by refraining from issuing the authentication token; and

at the cloud service, granting or denying the access request based on the policy which was obtained from the enterprise and which was included in the access request, wherein any URL in the policy that identifies an allowed tenant causes issuance of the authorization token for the allowed tenant and any URL in the policy that identifies a tenant that the enterprise device is not permitted to navigate to is used to prevent the issuance of the authentication token for the tenant that the enterprise device is not permitted to navigate to.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Allowing an entity managed device to access a tenant associated with the e on a public cloud service while preventing the device from accessing one or more other tenants on the cloud service. A method includes, at the cloud service, obtaining policy from the entity with respect to tenant access. The method further includes, at the cloud service, receiving a request from the entity managed device to access a tenant at the cloud service. The method further includes granting or denying the access request based on the policy obtained from the entity.

37 Citations

View as Search Results

18 Claims

1. In a computing environment, a computer system comprising:
- one or more processors; and
  
  one or more computer-readable media having stored thereon instructions that are executable by the one or more processors to configure the computer system to allow an enterprise device managed by an enterprise to access a tenant that is associated with the enterprise and that is a part of a cloud service while preventing the enterprise device from accessing one or more other tenants that are also parts of the cloud service by causing the computer system to perform at least the following;
  
  at the cloud service, which is managed by the computer system, receiving an access request that originated from the enterprise device, the access request including both (1) a request from the enterprise device to access the enterprise'"'"'s associated tenant and (2) policy that, when implemented by the cloud service, controls how the cloud service is to subsequently issue an authentication token such that the request and the policy are included in the access request prior to issuance of the authentication token, wherein the policy includes one or more uniform resource locators (URLs) that collectively identifies at least one or more allowed tenant that the enterprise device is permitted to navigate to or one or more tenant that the enterprise device is not permitted to navigate to;
  
  at the cloud service, determining that the policy corresponds to access permissions for the enterprise'"'"'s associated tenant, the policy being received from the enterprise for enforcement by the cloud service, wherein the policy included in the access request provides an indication to the cloud service whether the access request is to be granted by issuing the authentication token or denied by refraining from issuing the authentication token; and
  
  at the cloud service, granting or denying the access request based on the policy which was obtained from the enterprise and which was included in the access request, wherein any URL in the policy that identifies an allowed tenant causes issuance of the authorization token for the allowed tenant and any URL in the policy that identifies a tenant that the enterprise device is not permitted to navigate to is used to prevent the issuance of the authentication token for the tenant that the enterprise device is not permitted to navigate to.
- View Dependent Claims (2, 3, 4, 5, 6, 17, 18)
- - 2. The system of claim 1, wherein the access request is denied and the cloud service refrains from issuing the authentication token.
  - 3. The system of claim 1, wherein obtaining policy from the enterprise comprises obtaining policy injected into a header of the request from the enterprise device to access the enterprise'"'"'s associated tenant at the cloud service.
  - 4. The system of claim 3, wherein the policy was injected into the header by a network edge element configured to inject data into headers of network packets.
  - 5. The system of claim 4, wherein only traffic directed to an authorized endpoint of the enterprise device is gated by the cloud service, the injected policy being usable by the cloud service to determine which endpoints are authorized for the enterprise device.
  - 6. The system of claim 3, wherein the policy was injected into the header by a device element configured to inject data into headers of network packets at a device level.
  - 17. The system of claim 1, wherein the policy includes a plurality of uniform resource locators (URLs), including at least a particular URL of tenant that the enterprise device is permitted to navigate to and at least a particular URL of tenant that the enterprise device is not permitted to navigate to.
  - 18. The computer system of claim 1, wherein a header of the access request includes a listing of a plurality of tenant names, and wherein, after the cloud service receives the listing of the plurality of tenant names, the cloud service uses the listing to control inter-organizational sharing in which any named tenant in the listing is identified by the cloud service as having permissions to provide resources to the enterprise device.

7. In a computing environment, a method of allowing an enterprise device managed by an enterprise to access content of a tenant that is associated with the enterprise and that is a part of a cloud service while preventing the enterprise device from accessing content of one or more other tenants that are also parts of the cloud service, the method comprising:
- at the cloud service, receiving an access request that originated from the enterprise device, the access request including both (1) a request from the enterprise device to access the enterprise'"'"'s associated tenant and (2) policy that, when implemented by the cloud service, controls how the cloud service is to subsequently issue an authentication token such that the request and the policy are included in the access request prior to issuance of the authentication token, wherein the policy includes one or more uniform resource locators (URLs) that collectively identifies at least one or more allowed tenant that the enterprise device is permitted to navigate to or one or more tenant that the enterprise device is not permitted to navigate to;
  
  at the cloud service, determining that the policy corresponds to access permissions for the enterprise'"'"'s associated tenant, the policy being received from the enterprise for enforcement by the cloud service, wherein the policy included in the access request provides an indication to the cloud service whether the access request is to be granted by issuing the authentication token or denied by refraining from issuing the authentication token; and
  
  at the cloud service, granting or denying the access request based on the policy which was obtained from the enterprise and which was included in the access request, wherein any URL in the policy that identifies an allowed tenant causes issuance of the authorization token for the allowed tenant and any URL in the policy that identifies a tenant that the enterprise device is not permitted to navigate to is used to prevent the issuance of the authentication token for the tenant that the enterprise device is not permitted to navigate to.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The method of claim 7, wherein the access request is granted and the cloud service issues the authentication token.
  - 9. The method of claim 7, wherein obtaining policy from the enterprise comprises obtaining policy injected into a header of the request from the enterprise device to access the enterprise'"'"'s associated tenant at the cloud service.
  - 10. The method of claim 9, wherein the policy was injected into the header by a network edge element configured to inject data into headers of network packets.
  - 11. The method of claim 10, wherein only traffic directed to an authorized endpoint of the enterprise device is gated by the cloud service, the injected policy being usable by the cloud service to determine which endpoints are authorized for the enterprise device.
  - 12. The method of claim 9, wherein the policy was injected into the header by a device element configured to inject data into headers of network packets at a device level.

13. In a computing environment, a system comprising:
- a cloud service, wherein the cloud service comprises;
  
  a plurality of application instances including at least one application instance for a plurality of tenants; and
  
  an identity platform, wherein the identity platform is configured to;
  
  receive an access request that originated from an enterprise device managed by an enterprise, the access request including both (1) a request from the enterprise device to access a tenant of the enterprise and (2) policy that, when implemented by the identify platform, controls how the identity platform is to subsequently issue an authentication token such that the request and the policy are included in the access request prior to issuance of the authentication token, wherein the policy includes one or more uniform resource locators (URLs) that collectively identifies at least one or more allowed tenant that the enterprise device is permitted to navigate to or one or more tenant that the enterprise device is not permitted to navigate to;
  
  determine that the policy corresponds to access permissions for the enterprise'"'"'s associated tenant, the policy being received from the enterprise for enforcement by the identity platform, wherein the policy included in the access request provides an indication to the cloud service whether the access request is to be granted by issuing the authentication token or denied by refraining from issuing the authentication token; and
  
  at the cloud service, grant or deny the access request based on the policy which was obtained from the enterprise and which was included in the access request, wherein any URL in the policy that identifies an allowed tenant causes issuance of the authorization token for the allowed tenant and any URL in the policy that identifies a tenant that the enterprise device is not permitted to navigate to is used to prevent the issuance of the authentication token for the tenant that the enterprise device is not permitted to navigate to.
- View Dependent Claims (14, 15, 16)
- - 14. The system of claim 13, wherein obtaining policy from the enterprise comprises obtaining policy injected into a header of the request from the enterprise device to access the enterprise'"'"'s associated tenant at the cloud service.
  - 15. The system of claim 14, wherein the policy was injected into the header by a network edge element configured to inject data into headers of network packets.
  - 16. The system of claim 14, wherein the policy was injected into the header by a device element configured to inject data into headers of network packets at a device level.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Vincent, Benjamin Richard, Adams, Ross Peter, Gordon, Ariel, Ryvkin, Konstantin
Primary Examiner(s)
Gracia, Gary S

Application Number

US14/995,004
Publication Number

US 20170201549A1
Time in Patent Office

1,245 Days
Field of Search

726 1, 726 27
US Class Current
CPC Class Codes

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

H04L 67/1097   for distributed storage of ...

Restricting access to public cloud SaaS applications to a single organization

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

37 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Restricting access to public cloud SaaS applications to a single organization

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

37 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links