
Secure resource authorization for external identities using remote principal objects

Patent number
US11888856B2
Publication date
2024-01-30
Applicant
Microsoft Technology Licensing, LLC (US WA Redmond)
Inventors
Charles Prakash Rao Dasari; Maksym Yaryn; Debashis Choudhury; Jeffrey A Staiman
IPC classification
H04L9/40
Technical field
domain, principal, remote, tenant, resource, rpo, access, in, directory, data
Region: WA WA Redmond

Abstract

Methods of secure resource authorization for external identities using remote principal objects are performed by systems and devices. An external entity creates a user group and defines entitlements to an owning entity's secure resource as a set of permissions for the group. An immutable access template with the permissions and an access policy for the secure resource are provided to the owning entity for approval. On approval, a remote principal object is created in the owner directory according to the permissions and access policy. A remote principal that is a group member requests access via an interface to the owner domain using external domain credentials. The identity of the remote principal is verified against the remote principal object by a token service. Verification causes generation and issuance of a token, with the enumerated entitlements, to the remote principal interface, effecting a redirect for access to the secure resource.

Description

In embodiments, token 600 issued by STS 232 is required not to divulge the real identity, or identifying information, of the user/remote principal from the domain of the user/remote principal, e.g., a member of group 318 of second domain 304 in FIG. 3 and/or the user/remote principal of tenant B/P 238 as illustrated in and described with respect to flow diagram 400 of FIG. 4. Accordingly, in embodiments, attributes such as but not limited to the following are not populated: “family_name”, “given_name”, “name”, “oid”, “onprem_sid”, “puid”, “unique_name”, “upn”, “deviceid”, etc. In some embodiments, claims which refer to conditional access policies and multi-factor authentication (MFA) “auth.state” are also not populated: e.g., “amr”, “controls”, “signin_state”, etc. However, in some embodiments, one or more portions of identifying information may be included in tokens based on an agreement therefor between data resource owners and accessors. Additionally, in embodiments, token 600 includes an attribute (e.g., “rpo”) designating that a remote principal is specified, which points to the RPO from which token 600 is created. This is used to correlate token 600 to the RPO(s) and, through that, to the ELM package that created the RPO. This example “rpo” claim is optional in some embodiments, and may only be provided for services/applications that subscribe to this claim. The “rpo” claim contains the RPO object ID in the customer tenant. In some embodiments, when workloads require additional information in the token for various purposes such as granular and compliance auditing, etc., the data resource owner and the partner/remote principal can mutually agree for additional information to be available in the token, such as partner user “oid”, partner user “upn”, etc.
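The claim-handling rules in the paragraph above (home-domain identity attributes and conditional-access/MFA state not populated, an optional “rpo” claim carrying the RPO object ID, extra identifying claims only by mutual agreement) can be expressed as a small token-shaping routine. The following is an added illustration written for this page, not code from the patent or from any Microsoft product; the function names, the sample source claims, the entitlement strings and the RPO object ID placeholder are all constructed here.

```python
"""Shape the claim set of a token issued to a remote principal so that it does
not divulge the user's home-domain identity, as described in the specification.
Example code for this page; names and sample values are constructed."""
import json
from typing import Any, Dict, Iterable, List, Mapping

# Claims the specification lists as NOT populated: identity of the user in
# their home (partner) domain.
IDENTIFYING_CLAIMS = frozenset({
    "family_name", "given_name", "name", "oid", "onprem_sid",
    "puid", "unique_name", "upn", "deviceid",
})
# Claims tied to conditional access / MFA auth state, also not populated.
AUTH_STATE_CLAIMS = frozenset({"amr", "controls", "signin_state"})
SUPPRESSED_CLAIMS = IDENTIFYING_CLAIMS | AUTH_STATE_CLAIMS


def build_remote_principal_token(
    source_claims: Mapping[str, Any],
    rpo_object_id: str,
    entitlements: Iterable[str],
    agreed_claims: Iterable[str] = (),
    rpo_subscribed: bool = True,
) -> Dict[str, Any]:
    """Return the claim set for a remote-principal token.

    source_claims   what the home-domain directory asserts about the user
    rpo_object_id   object ID of the remote principal object in the customer tenant
    entitlements    permissions enumerated for the group in the RPO
    agreed_claims   suppressed claims the resource owner and partner agreed to expose
    rpo_subscribed  whether the consuming service subscribed to the optional "rpo" claim
    """
    agreed = set(agreed_claims)
    unknown = agreed - SUPPRESSED_CLAIMS
    if unknown:
        # Only claims that are normally suppressed need an agreement; anything
        # else here is a configuration mistake.
        raise ValueError(f"agreed claims are not suppressed claims: {sorted(unknown)}")

    token: Dict[str, Any] = {}
    for claim, value in source_claims.items():
        if claim in SUPPRESSED_CLAIMS and claim not in agreed:
            continue  # do not divulge home-domain identity or auth state
        token[claim] = value

    token["entitlements"] = sorted(set(entitlements))
    if rpo_subscribed:
        # Correlates the token to its RPO, and through the RPO to the ELM package.
        token["rpo"] = rpo_object_id
    return token


def leaked_claims(token: Mapping[str, Any], agreed_claims: Iterable[str] = ()) -> List[str]:
    """Audit helper: suppressed claims present in a token without an agreement."""
    agreed = set(agreed_claims)
    return sorted(c for c in token if c in SUPPRESSED_CLAIMS and c not in agreed)


# Constructed sample input: claims the partner's directory might assert.
SAMPLE_SOURCE_CLAIMS = {
    "iss": "https://login.example-partner.test/",          # constructed issuer
    "upn": "alice@example-partner.test",
    "oid": "11111111-1111-1111-1111-111111111111",
    "name": "Alice Example",
    "amr": ["pwd", "mfa"],
    "groups": ["partner-support-engineers"],
    "exp": 1700000000,
}
SAMPLE_RPO_ID = "<rpo-object-id-in-customer-tenant>"  # placeholder, not a real ID


if __name__ == "__main__":
    minimal = build_remote_principal_token(
        SAMPLE_SOURCE_CLAIMS, SAMPLE_RPO_ID, ["storage.read", "logs.read"])
    print(json.dumps(minimal, indent=2))
    print("leaked without agreement:", leaked_claims(minimal))

    # Resource owner and partner agreed to expose the partner user's "oid".
    with_agreed = build_remote_principal_token(
        SAMPLE_SOURCE_CLAIMS, SAMPLE_RPO_ID, ["storage.read"], agreed_claims={"oid"})
    print(json.dumps(with_agreed, indent=2))
    print("leaked given agreement:", leaked_claims(with_agreed, agreed_claims={"oid"}))
```

The suppression is a deny-list keyed on the claim names the specification enumerates; a real token service would additionally sign the result and bind it to the RPO's access policy, which is outside the scope of this illustration. The `leaked_claims` check is the kind of assertion a defender can run over issued tokens to confirm that no home-domain identifier reaches the owner domain without a recorded agreement.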

權(quán)利要求

1