Policy enforcement point for a multi-tenant identity and data security management cloud service

US 10,425,386 B2
Filed: 05/10/2017
Issued: 09/24/2019
Est. Priority Date: 05/11/2016
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer readable medium having instructions stored thereon that, when executed by a processor, cause the processor to provide cloud-based identity and access management for a plurality of tenancies, the providing comprising:

receiving a request by a cloud gate for an identity management service for reaching an application, the request having a corresponding request endpoint that also requires access to a resource of the application;

determining a tenancy of the plurality of tenancies from a header value of the request;

looking up a policy configured to be applied for the tenancy, the policy indicating whether access to the resource by the request endpoint is allowed and a method of access;

applying the policy to the request including the method of access; and

sending the request to a microservice based on a result of the applying of the policy to the request when the policy determines that access to the resource is allowed, wherein the microservice performs the identity management service for reaching the application.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system provides cloud-based identity and access management. The system receives a request by a web gate for an identity management service for reaching an application, and determines a tenancy from a header value of the request. The system looks up a policy configured to be applied for the tenancy, and applies the policy to the request. The system then sends the request to a microservice based on a result of the applying of the policy to the request, where the microservice performs the identity management service for reaching the application.

327 Citations

20 Claims

1. A non-transitory computer readable medium having instructions stored thereon that, when executed by a processor, cause the processor to provide cloud-based identity and access management for a plurality of tenancies, the providing comprising:
- receiving a request by a cloud gate for an identity management service for reaching an application, the request having a corresponding request endpoint that also requires access to a resource of the application;
  
  determining a tenancy of the plurality of tenancies from a header value of the request;
  
  looking up a policy configured to be applied for the tenancy, the policy indicating whether access to the resource by the request endpoint is allowed and a method of access;
  
  applying the policy to the request including the method of access; and
  
  sending the request to a microservice based on a result of the applying of the policy to the request when the policy determines that access to the resource is allowed, wherein the microservice performs the identity management service for reaching the application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The computer readable medium of claim 1, wherein the method of access comprises one of basic authentication or token based authentication.
  - 3. The computer readable medium of claim 1, wherein the policy is specified in a file managed by the cloud gate.
  - 4. The computer readable medium of claim 1, wherein the microservice implements OAuth functionality.
  - 5. The computer readable medium of claim 1, wherein the cloud gate implements cookie-based session management functionality for accessing the application.
  - 6. The computer readable medium of claim 1, wherein the cloud gate acts as an OAuth relaying party for accessing the application.
  - 7. The computer readable medium of claim 1, wherein the microservice is stateless and retrieves data from a database to perform the identity management service.
  - 8. The computer readable medium of claim 7, wherein the database and the microservice are configured to scale independently of one another.
  - 9. The computer readable medium of claim 7, wherein the database comprises a distributed data grid.

10. A method of providing cloud-based identity and access management for a plurality of tenancies, comprising:
- receiving a request by a cloud gate for an identity management service for reaching an application, the request having a corresponding request endpoint that also requires access to a resource of the application;
  
  determining a tenancy of the plurality of tenancies from a header value of the request;
  
  looking up a policy configured to be applied for the tenancy, the policy indicating whether access to the resource by the request endpoint is allowed and a method of access;
  
  applying the policy to the request including the method of access; and
  
  sending the request to a microservice based on a result of the applying of the policy to the request when the policy determines that access to the resource is allowed, wherein the microservice performs the identity management service for reaching the application.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The method of claim 10, wherein the method of access comprises one of basic authentication or token based authentication.
  - 12. The method of claim 10, wherein the policy is specified in a file managed by the cloud gate.
  - 13. The method of claim 10, wherein the microservice implements OAuth functionality.
  - 14. The method of claim 10, wherein the cloud gate implements cookie-based session management functionality for accessing the application.
  - 15. The method of claim 10, wherein the cloud gate acts as an OAuth relaying party for accessing the application.
  - 16. The method of claim 10, wherein the microservice is stateless and retrieves data from a database to perform the identity management service.
  - 17. The method of claim 16, wherein the database and the microservice are configured to scale independently of one another.

18. A system for providing cloud-based identity and access management for a plurality of tenancies, comprising:
- a processor executing stored instructions to implement a plurality of modules, the modules comprising;
  
  a receiving module that receives a request by a cloud gate for an identity management service for reaching an application, the request having a corresponding request endpoint that also requires access to a resource of the application;
  
  a determining module that determines a tenancy of the plurality of tenancies from a header value of the request;
  
  a look up module that looks up a policy configured to be applied for the tenancy, the policy indicating whether access to the resource by the request endpoint is allowed and a method of access;
  
  an applying module that applies the policy to the request including the method of access; and
  
  a sending module that sends the request to a microservice based on a result of the applying of the policy to the request when the policy determines that access to the resource is allowed, wherein the microservice performs the identity management service for reaching the application.
- View Dependent Claims (19, 20)
- - 19. The system of claim 18, wherein the method of access comprises one of basic authentication or token based authentication.
  - 20. The system of claim 18, wherein the policy is specified in a file managed by the cloud gate.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Wardell, Stephan, Folkins, Andrew B., Lander, Vadim, Mishra, Prateek, Levinson, Rich, Womacks, Cory, Cuthbert, Dino E.
Primary Examiner(s)
Li, Meng

Application Number

US15/591,358
Publication Number

US 20170331791A1
Time in Patent Office

867 Days
Field of Search
US Class Current
CPC Class Codes

H04L 41/0893   Assignment of logical group...

H04L 41/18   Delegation of network manag...

H04L 41/28   Restricting access to netwo...

H04L 41/5003   Managing SLA; Interaction b...

H04L 41/5096   wherein the managed service...

H04L 63/0281   Proxies

H04L 63/0815   providing single-sign-on or...

H04L 63/205   involving negotiation or de...

H04L 67/02   based on web technology, e....

H04L 67/146   Markers for unambiguous ide...

H04L 67/563   Data redirection of data ne...

H04L 67/568   Storing data temporarily at...

H04W 12/062   Pre-authentication

H04W 12/069   using certificates or pre-s...

Policy enforcement point for a multi-tenant identity and data security management cloud service

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

327 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Policy enforcement point for a multi-tenant identity and data security management cloud service

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

327 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links