
System and method for single sign-on technical support access to tenant accounts and data in a multi-tenant platform

Patent number: US11888838B2
Publication date: 2024-01-30
Applicant: Zuora, Inc. (US CA Redwood City)
Inventors: Oleg Mikheev; Joshy Austin; Pushkala Pattabhiraman; Levon Stepanian; Pritesh Parekh
IPC classification: H04L9/40; G06F21/41; H04L67/10; H04W4/60
Technical field (keywords): tenant, account, user, service, idp, platform, access, in, or, tenant's
Region: CA CA Redwood City

Abstract

Shown is single sign-on support access to tenant accounts in a multi-tenant service platform. A proxy user account is created in an identity provider for a tenant account on the service platform and has security metadata associated with it; a mapping in the identity provider maps a support user to a proxy user identifier, and a corresponding security endpoint in the service platform holds a mapping of the proxy user account identifier to the tenant account and its security metadata. The identity provider authenticates a request to access the tenant account on the service platform, obtains the security credentials for the proxy user identifier, and sends a security assertion with the proxy user identifier and the security metadata to the security endpoint. The endpoint receives and validates the security assertion against the mapping for the proxy user identifier to the tenant account and the security metadata in the service platform, and permits access by the support user to the tenant account in the service platform.

Description

CROSS REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No. 16/922,939 filed Jul. 7, 2020 and entitled “System and Method for Single Sign-On Technical Support Access to Tenant Accounts and Data in a Multi-Tenant Platform,” now U.S. Pat. No. 11,405,376, which is a continuation of U.S. patent application Ser. No. 16/293,435 filed Mar. 5, 2019 and entitled “System and Method for Single Sign-On Technical Support Access to Tenant Accounts and Data in a Multi-Tenant Platform,” now U.S. Pat. No. 10,708,255, which is a continuation of U.S. patent application Ser. No. 14/884,492 filed Oct. 15, 2015 and entitled “System and Method for Single Sign-On Technical Support Access to Tenant Accounts and Data in a Multi-Tenant Platform,” now U.S. Pat. No. 10,250,584, which claims the benefit of U.S. Provisional Patent Application Ser. No. 62/064,348 filed Oct. 14, 2014 and entitled “Single Sign-on Access to Tenant Accounts and Data in a Multi-Tenant Platform,” which are hereby incorporated by reference herein.

BACKGROUND

A multi-tenant computing platform may be operated by a service provider to provide support for cloud-based processing, data storage and business-oriented applications to multiple tenants. As part of operating the platform, asynchronous messages are typically received by the multi-tenant platform from the multiple tenants; these are generally processed in the order in which the messages are received, or using resources that were previously assigned to each tenant. Such asynchronous message systems typically operate in a stateless manner.

Claims

The invention claimed is:

1. A method for single sign-on support access to tenant systems on a multi-tenant service platform, the method including the steps of:
   providing a plurality of proxy user account identifiers in an identity provider module, each proxy user account identifier of the plurality of proxy user account identifiers configured to assist in identifying a proxy user account configured to assist in accessing a respective tenant system of a plurality of tenant systems on a multi-tenant service platform, each proxy user account identifier of the plurality of proxy user account identifiers having corresponding security metadata associated therewith in the identity provider module, the corresponding security metadata configured to enable a corresponding proxy user account to access a corresponding respective tenant system, a particular proxy user account identifier identifying a particular proxy user account of the plurality of proxy user accounts that is configured to assist in accessing a particular tenant system of the plurality of tenant systems;
   providing mappings in the identity provider module that map a plurality of support user accounts to the plurality of proxy user account identifiers, at least one first particular mapping of the mappings in the identity provider module mapping a first particular support user account of the plurality of support user accounts to the particular proxy user account identifier, at least one second particular mapping of the mappings in the identity provider module mapping a second particular support user account of the plurality of support user accounts to a subset of the plurality of proxy user account identifiers, the subset of the plurality of proxy user account identifiers including the particular proxy user account identifier and including less than all of the proxy user account identifiers;
   using a security endpoint module in the multi-tenant service platform to assist in connecting each proxy user account of the plurality of proxy user accounts to the respective tenant system of the plurality of tenant systems, the security endpoint module including a mapping that maps each proxy user account of the plurality of proxy user accounts to the respective tenant system of the plurality of tenant systems;
   in the identity provider module:
      receiving from the second particular support user account a request to access the particular tenant system,
      confirming that the second particular support user account is authorized to access the particular tenant system, and
      if the second particular support user account is authorized, sending a security assertion with the particular proxy user account identifier and the corresponding security metadata to the security endpoint module in response to the request; and
   in the security endpoint module:
      receiving the security assertion, the particular proxy user account identifier, and the corresponding security metadata for the second particular support user account,
      using the particular proxy user account identifier to identify the particular proxy user account,
      using the particular proxy user account and the corresponding security metadata to enable the second particular support user account to access the particular tenant system of the plurality of tenant systems without disclosing the corresponding security metadata to the second particular support user account, and without allowing the second particular support user account to access other tenant systems of the plurality of tenant systems in response to the request, and
      enabling removal of at least a portion of the mappings in the identity provider module, the at least a portion of the mappings corresponding to the second particular support user account.

2. The method of claim 1, further comprising:
   in the identity provider module:
      receiving from an other support user account of the plurality of support user accounts a request to access the particular tenant system on the multi-tenant service platform, and
      sending an other security assertion with the particular proxy user account identifier and the corresponding security metadata to the security endpoint module in response to the request; and
   in the security endpoint module:
      receiving the other security assertion and the particular proxy user account identifier for the other support user account,
      using the particular proxy user account identifier to identify the particular proxy user account, and
      using the particular proxy user account and the corresponding security metadata to enable the other support user account to access the particular tenant system of the plurality of tenant systems without disclosing the corresponding security metadata to the other support user account, and without allowing the other support user account to access other tenant systems of the plurality of tenant systems in response to the request.

3. The method of claim 1, wherein the providing the mappings in the identity provider module that map the plurality of support user accounts to the plurality of proxy user identifiers, and the providing the mapping in the security endpoint module that maps each proxy user account of the plurality of proxy user accounts to the respective tenant system of the plurality of tenant systems, comprise:
   determining eligible tenant systems without mappings configured in the identity provider module;
   obtaining a list of support user accounts for the tenant system configured in a configuration file of the identity provider module; and
   for each tenant system without a mapping configured:
      creating a mapping entity for the tenant system,
      mapping the created entity to the list of support user accounts for the tenant system,
      creating a proxy user account for the tenant system with a federated identifier,
      mapping each support user account in the list of support user accounts to the federated identifier, and
      creating the corresponding security metadata for the proxy user account.

4. The method of claim 3, wherein the providing the mappings in the identity provider module and the security endpoint module takes place after at least one of an addition of a tenant system to the plurality of tenant systems and an addition of a particular support user account to the plurality of support user accounts.

5. The method of claim 1, wherein, responsive to deactivation of a certain tenant system, the method further includes at least one of the steps of:
   disabling support access to the certain tenant system by removing the mappings in the identity provider module that map at least one certain support user account to a certain proxy user account identifier; and
   removing the mapping in the security endpoint module that maps the certain proxy user account to the certain tenant system.

6. The method of claim 1, wherein, responsive to deactivation of a certain support user account, the deactivated certain support user account is removed from the mappings in the identity provider module.

7. The method of claim 1, wherein the particular tenant system identifier is the particular proxy user account identifier.

8. The method of claim 1, further comprising the step of separately tracking activity of the second particular support user account.

9. A system for single sign-on support access to tenant systems on a multi-tenant service platform, the system including:
   at least one hardware processor;
   an identity provider module with a plurality of proxy user account identifiers, each proxy user account identifier of the plurality of proxy user account identifiers configured to assist in identifying a proxy user account configured to assist in accessing a respective tenant system of a plurality of tenant systems on a multi-tenant service platform, each proxy user account identifier of the plurality of proxy user account identifiers having corresponding security metadata associated therewith in the identity provider module, the corresponding security metadata configured to enable a corresponding proxy user account to access a corresponding respective tenant system, a particular proxy user account identifier identifying a particular proxy user account of the plurality of proxy user accounts that is configured to assist in accessing a particular tenant system of the plurality of tenant systems;
   mappings in the identity provider module that map a plurality of support user accounts to the plurality of proxy user account identifiers, at least one first particular mapping of the mappings in the identity provider module mapping a first particular support user account of the plurality of support user accounts to the particular proxy user account identifier, at least one second particular mapping of the mappings in the identity provider module mapping a second particular support user account of the plurality of support user accounts to a subset of the plurality of proxy user account identifiers, the subset of the plurality of proxy user account identifiers including the particular proxy user account identifier and including less than all of the proxy user account identifiers;
   a security endpoint module in the multi-tenant service platform, the security endpoint module configured to assist in connecting each proxy user account of the plurality of proxy user accounts to the respective tenant system of the plurality of tenant systems, the security endpoint module including a mapping that maps each proxy user account of the plurality of proxy user accounts to the respective tenant system of the plurality of tenant systems;
   wherein the identity provider module is configured to:
      receive from the second particular support user account a request to access the particular tenant system,
      confirm that the second particular support user account is authorized to access the particular tenant system, and
      if the second particular support user account is authorized, send a security assertion with the particular proxy user account identifier and the corresponding security metadata to the security endpoint module in response to the request; and
   wherein the security endpoint module is configured to:
      receive the security assertion, the particular proxy user account identifier, and the corresponding security metadata for the second particular support user account,
      use the particular proxy user account identifier to identify the particular proxy user account,
      use the particular proxy user account and the corresponding security metadata to enable the second particular support user account to access the particular tenant system of the plurality of tenant systems without disclosing the corresponding security metadata to the second particular support user account, and without allowing the second particular support user account to access other tenant systems of the plurality of tenant systems in response to the request, and
      enable the removal of at least a portion of the mappings in the identity provider module, the at least a portion of the mappings corresponding to the second particular support user account.

10. The system of claim 9, wherein:
   the identity provider module is further configured to:
      receive from an other support user account of the plurality of support user accounts a request to access the particular tenant system on the multi-tenant service platform, and
      send an other security assertion with the particular proxy user account identifier and the corresponding security metadata to the security endpoint module in response to the request; and
   the security endpoint module is further configured to:
      receive the other security assertion and the particular proxy user account identifier for the other support user account,
      use the particular proxy user account identifier to identify the particular proxy user account, and
      use the particular proxy user account and the corresponding security metadata to enable the other support user account to access the particular tenant system of the plurality of tenant systems without disclosing the corresponding security metadata to the other support user account, and without allowing the other support user account to access other tenant systems of the plurality of tenant systems in response to the request.

11. The system of claim 9, further comprising a module for providing the mappings in the identity provider module that map the plurality of support user accounts to the plurality of proxy user identifiers, and for providing the mapping in the security endpoint module that maps each proxy user account of the plurality of proxy user accounts to the respective tenant system of the plurality of tenant systems, wherein the providing the mappings comprises:
   determining eligible tenant systems without mappings configured in the identity provider module;
   obtaining a list of support user accounts for the tenant system configured in a configuration file of the identity provider module; and
   for each tenant system without a mapping configured:
      creating a mapping entity for the tenant system,
      mapping the created entity to the list of support user accounts for the tenant system,
      creating a proxy user account for the tenant system with a federated identifier,
      mapping each support user account in the list of support user accounts to the federated identifier, and
      creating the corresponding security metadata for the proxy user account.

12. The system of claim 11, wherein the module for providing the mappings in the identity provider module and the security endpoint module is configured to provide the mappings after at least one of an addition of a tenant system to the plurality of tenant systems and an addition of a support user account to the plurality of support user accounts.

13. The system of claim 9, further comprising a module configured to respond to deactivation of a certain tenant system by:
   disabling support access to the certain tenant system by removing the mappings in the identity provider module that map at least one certain support user account to a certain proxy user account identifier; and
   removing the mapping in the security endpoint module that maps the certain proxy user account to the certain tenant system.

14. The system of claim 9, further comprising a module configured to respond to deactivation of a certain support user account by removing the deactivated certain support user account from the mappings in the identity provider module.

15. The system of claim 9, wherein the particular tenant system identifier is the particular proxy user account identifier.

16. The system of claim 9, further comprising a module configured to separately track activity of the second particular support user account.

17. Non-transitory computer readable storage storing computer code configured to cause one or more processing devices to operate to provide single sign-on support access to tenant systems on a multi-tenant service platform, the computer code including instructions that configure the one or more processing devices to:
   provide a plurality of proxy user account identifiers in an identity provider module, each proxy user account identifier of the plurality of proxy user account identifiers configured to assist in identifying a proxy user account configured to assist in accessing a respective tenant system of a plurality of tenant systems on a multi-tenant service platform, each proxy user account identifier of the plurality of proxy user account identifiers having corresponding security metadata associated therewith in the identity provider module, the corresponding security metadata configured to enable a corresponding proxy user account to access a corresponding respective tenant system, a particular proxy user account identifier identifying a particular proxy user account of the plurality of proxy user accounts that is configured to assist in accessing a particular tenant system of the plurality of tenant systems;
   provide mappings in the identity provider module that map a plurality of support user accounts to the plurality of proxy user account identifiers, at least one first particular mapping of the mappings in the identity provider module mapping a first particular support user account of the plurality of support user accounts to the particular proxy user account identifier, at least one second particular mapping of the mappings in the identity provider module mapping a second particular support user account of the plurality of support user accounts to a subset of the plurality of proxy user account identifiers, the subset of the plurality of proxy user account identifiers including the particular proxy user account identifier and including less than all of the proxy user account identifiers;
   use a security endpoint module in the multi-tenant service platform to assist in connecting each proxy user account of the plurality of proxy user accounts to the respective tenant system of the plurality of tenant systems, the security endpoint module including a mapping that maps each proxy user account of the plurality of proxy user accounts to the respective tenant system of the plurality of tenant systems;
   in the identity provider module:
      receive from the second particular support user account a request to access the particular tenant system,
      confirm that the second particular support user account is authorized to access the particular tenant system, and
      if the second particular support user account is authorized, send a security assertion with the particular proxy user account identifier and the corresponding security metadata to the security endpoint module in response to the request; and
   in the security endpoint module:
      receive the security assertion, the particular proxy user account identifier, and the corresponding security metadata for the second particular support user account,
      use the particular proxy user account identifier to identify the particular proxy user account,
      use the particular proxy user account and the corresponding security metadata to enable the second particular support user account to access the particular tenant system of the plurality of tenant systems without disclosing the corresponding security metadata to the second particular support user account, and without allowing the second particular support user account to access other tenant systems of the plurality of tenant systems in response to the request, and
      enable removal of at least a portion of the mappings in the identity provider module, the at least a portion of the mappings corresponding to the second particular support user account.

18. The non-transitory computer readable storage of claim 17, the computer code further including instructions that configure the one or more processing devices to:
   in the identity provider module:
      receive from an other support user account of the plurality of support user accounts a request to access the particular tenant system on the multi-tenant service platform, and
      send an other security assertion with the particular proxy user account identifier and the corresponding security metadata to the security endpoint module in response to the request; and
   in the security endpoint module:
      receive the other security assertion and the particular proxy user account identifier for the other support user account,
      use the particular proxy user account identifier to identify the particular proxy user account, and
      use the particular proxy user account and the corresponding security metadata to enable the other support user account to access the particular tenant system of the plurality of tenant systems without disclosing the corresponding security metadata to the other support user account, and without allowing the other support user account to access other tenant systems of the plurality of tenant systems in response to the request.

19. The non-transitory computer readable storage of claim 17, wherein the computer code including instructions that configure the one or more processing devices to provide the mappings in the identity provider module that map the plurality of support user accounts to the plurality of proxy user identifiers, and to provide the mapping in the security endpoint module that maps each proxy user account of the plurality of proxy user accounts to the respective tenant system of the plurality of tenant systems comprises the computer code including instructions that configure the one or more processing devices to:
   determine eligible tenant systems without mappings configured in the identity provider module;
   obtain a list of support user accounts for the tenant system configured in a configuration file of the identity provider module; and
   for each tenant system without a mapping configured:
      create a mapping entity for the tenant system,
      map the created entity to the list of support user accounts for the tenant system,
      create a proxy user account for the tenant system with a federated identifier,
      map each support user account in the list of support user accounts to the federated identifier, and
      create the corresponding security metadata for the proxy user account.

20. The non-transitory computer readable storage of claim 19, wherein the computer code including instructions that configure the one or more processing devices to provide the mappings in the identity provider module and the security endpoint module comprises the computer code including instructions that configure the one or more processing devices to provide the mappings after at least one of an addition of a tenant system to the plurality of tenant systems and an addition of a support user account to the plurality of support user accounts.

21. The non-transitory computer readable storage of claim 17, the computer code further including instructions that configure the one or more processing devices to respond to deactivation of a certain tenant system by:
   disabling support access to the certain tenant system by removing the mappings in the identity provider module that map at least one certain support user account to a certain proxy user account identifier; and
   removing the mapping in the security endpoint module that maps the certain proxy user account to the certain tenant system.

22. The non-transitory computer readable storage of claim 17, the computer code further including instructions that configure the one or more processing devices to respond to deactivation of a certain support user account by removing the deactivated certain support user account from the mappings in the identity provider module.

23. The non-transitory computer readable storage of claim 17, wherein the particular tenant system identifier is the particular proxy user account identifier.

24. The non-transitory computer readable storage of claim 17, the computer code further including instructions that configure the one or more processing devices to separately track activity of the second particular support user account.
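The proxy-user single sign-on flow of the abstract and of claims 1, 3, 6 and 8, as an added Python model that is not part of the patent or of any Zuora product: an identity provider that maps support users to per-tenant proxy accounts and issues assertions, and a security endpoint that validates them against its own proxy-to-tenant mapping. The shared HMAC key (a stand-in for the assertion's real signature), the `support-proxy@<tenant>` identifier convention and the sample tenants and users are constructed assumptions.

```python
import hashlib, hmac, json, secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Assertion:
    """Security assertion the IdP sends to the platform's security endpoint."""
    proxy_user_id: str
    security_metadata: dict
    support_user: str  # carried so the endpoint can track each support user separately
    signature: str


def _sign(key, proxy_user_id, metadata, support_user):
    # Stand-in for the assertion's real signature: an HMAC over a canonical payload (assumption).
    payload = json.dumps([proxy_user_id, metadata, support_user], sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class IdentityProvider:
    def __init__(self, key):
        self._key = key
        self.proxy_metadata = {}    # proxy user id -> security metadata (never shown to support users)
        self.support_mappings = {}  # support user -> set of proxy user ids that user may assume

    def provision(self, tenants, support_config, endpoint):
        """Provisioning as in claim 3: one proxy account per tenant that has no mapping yet."""
        created = []
        for tenant in tenants:
            proxy_id = f"support-proxy@{tenant}"  # hypothetical identifier convention
            if proxy_id in self.proxy_metadata:
                continue  # mapping already configured for this tenant
            self.proxy_metadata[proxy_id] = {"tenant": tenant, "credential": secrets.token_hex(8)}
            for user in support_config.get(tenant, []):  # support users from the config file
                self.support_mappings.setdefault(user, set()).add(proxy_id)
            endpoint.proxy_to_tenant[proxy_id] = tenant  # endpoint-side mapping proxy -> tenant
            created.append(proxy_id)
        return created

    def request_access(self, support_user, tenant):
        """Authorize the support user; if mapped to the tenant's proxy, issue an assertion."""
        proxy_id = f"support-proxy@{tenant}"
        if proxy_id not in self.support_mappings.get(support_user, set()):
            return None  # not mapped to this tenant's proxy: no assertion, no metadata leaves the IdP
        meta = self.proxy_metadata[proxy_id]
        return Assertion(proxy_id, meta, support_user, _sign(self._key, proxy_id, meta, support_user))

    def deactivate_support_user(self, support_user):
        # Removing the mappings for one support user revokes all of that user's support access.
        return self.support_mappings.pop(support_user, set())


class SecurityEndpoint:
    def __init__(self, key):
        self._key = key
        self.proxy_to_tenant = {}  # proxy user id -> the one tenant system it may reach
        self.audit = []            # (support user, proxy user id, tenant) per granted access

    def validate(self, assertion):
        """Return the tenant the assertion grants access to, or None if it must be rejected."""
        expected = _sign(self._key, assertion.proxy_user_id,
                         assertion.security_metadata, assertion.support_user)
        if not hmac.compare_digest(expected, assertion.signature):
            return None  # forged or altered assertion
        tenant = self.proxy_to_tenant.get(assertion.proxy_user_id)
        if tenant is None or assertion.security_metadata.get("tenant") != tenant:
            return None  # unknown proxy account, or metadata that does not match its tenant
        self.audit.append((assertion.support_user, assertion.proxy_user_id, tenant))
        return tenant


def support_login(idp, endpoint, support_user, tenant):
    """The whole exchange: the support user asks the IdP, which asserts to the endpoint."""
    assertion = idp.request_access(support_user, tenant)
    return None if assertion is None else endpoint.validate(assertion)
```

The support user only ever receives the outcome of `support_login`; the `credential` in the security metadata travels from the IdP to the endpoint and is never returned to the user.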