
Secure resource authorization for external identities using remote principal objects

Patent number: US11888856B2
Publication date: 2024-01-30
Applicant: Microsoft Technology Licensing, LLC (Redmond, WA, US)
Inventors: Charles Prakash Rao Dasari; Maksym Yaryn; Debashis Choudhury; Jeffrey A Staiman
IPC classification: H04L9/40
Technical field: domain, principal, remote, tenant, resource, rpo, access, in, directory, data
Region: Redmond, WA

Abstract

Methods of secure resource authorization for external identities using remote principal objects are performed by systems and devices. An external entity creates a user group and defines entitlements to an owning entity's secure resource as a set of permissions for the group. An immutable access template with the permissions and an access policy for the secure resource are provided to the owning entity for approval. On approval, a remote principal object is created in the owner directory according to the permissions and access policy. A remote principal that is a group member requests access via an interface to the owner domain using external domain credentials. The identity of the remote principal is verified against the remote principal object by a token service. Verification causes generation and issuance of a token, with the enumerated entitlements, to the remote principal interface, effecting a redirect for access to the secure resource.

Description

Embodiments in this description provide for systems, devices, and methods for secure resource authorization for external identities using remote principal objects. For instance, a system is described herein. The system is enabled and configured for authorizing access by a remote principal of a second domain to a secure data resource in a first domain, according to embodiments. The system includes a processing system that includes one or more processors, and at least one memory that stores program code to be executed by the processing system to perform a method. The method includes receiving from an interface associated with the remote principal a request to access a first domain of a domain host, the first domain being different from the second domain, the request including an identifier and second domain credentials of the remote principal, and determining that the remote principal is associated with a remote principal object generated by, and stored at a directory of, the domain host and inaccessible from the second domain. The method also includes verifying that the remote principal is identified as being associated with a group, of the second domain, having at least one entitlement to the secure data resource as enumerated in a set of permissions and at least one associated access policy defined by the second domain and represented in the remote principal object, and generating an access token for the remote principal that includes the at least one entitlement. The method further includes providing the access token to the remote principal causing a redirect of the interface that provides access to the secure data resource by the remote principal.

In an embodiment of the system, the method includes causing generation of the remote principal object in the first domain at the domain host that links the remote principal to the entitlements based on the set of permissions prior to said determining.
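The flow in the description above, modelled as an added example (this is not Microsoft's code and not taken from the patent): the external (second) domain submits an immutable access template, the owner (first) domain approves it and materialises a remote principal object (RPO) in its own directory, and the owner's token service checks a request's external-domain credential against the RPO before issuing an access token with the enumerated entitlements and a redirect. Domain names, keys, the HMAC-signed credential format, the "allowed UTC hours" shape of the access policy and all sample users and groups are constructed assumptions for the demo.

```python
import base64
import binascii
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class AccessTemplate:
    """Immutable template the external (second) domain submits for owner approval."""
    external_domain: str
    group_id: str
    resource_id: str
    permissions: FrozenSet[str]
    allowed_hours: Tuple[int, int]  # access policy: UTC hours [start, end) (assumed policy shape)


@dataclass(frozen=True)
class RemotePrincipalObject:
    """Created in the owner directory only on approval; never readable from the external domain."""
    external_domain: str
    group_id: str
    resource_id: str
    entitlements: FrozenSet[str]
    allowed_hours: Tuple[int, int]


class OwnerDirectory:
    """First-domain directory holding the RPOs (the external domain has no handle to it)."""
    def __init__(self) -> None:
        self._rpos: List[RemotePrincipalObject] = []

    def approve(self, t: AccessTemplate) -> RemotePrincipalObject:
        # Owner approval is what turns a template into an RPO; the template itself grants nothing.
        rpo = RemotePrincipalObject(t.external_domain, t.group_id, t.resource_id,
                                    t.permissions, t.allowed_hours)
        self._rpos.append(rpo)
        return rpo

    def lookup(self, external_domain: str, resource_id: str) -> List[RemotePrincipalObject]:
        return [r for r in self._rpos
                if r.external_domain == external_domain and r.resource_id == resource_id]


def _sign(key: bytes, payload: dict) -> str:
    """Constructed token format: base64url(JSON).base64url(HMAC-SHA256) over the JSON."""
    body = json.dumps(payload, sort_keys=True).encode()
    mac = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(mac).decode()


def _verify(key: bytes, token: str) -> Optional[dict]:
    """Return the claims if the MAC checks out, else None (malformed or forged)."""
    try:
        b64_body, b64_mac = token.split(".")
        body = base64.urlsafe_b64decode(b64_body)
        mac = base64.urlsafe_b64decode(b64_mac)
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), mac):
        return None
    return json.loads(body)


class ExternalDomain:
    """Second domain: authenticates its own users and asserts their group memberships."""
    def __init__(self, name: str, key: bytes) -> None:
        self.name, self._key = name, key
        self.groups: Dict[str, set] = {}

    def issue_credential(self, user_id: str) -> str:
        groups = sorted(g for g, members in self.groups.items() if user_id in members)
        return _sign(self._key, {"sub": user_id, "iss": self.name, "groups": groups})


class TokenService:
    """First-domain token service: verifies the remote principal against the RPO, then issues a token."""
    def __init__(self, directory: OwnerDirectory, federation_keys: Dict[str, bytes], signing_key: bytes) -> None:
        self._directory, self._federation_keys, self._signing_key = directory, federation_keys, signing_key

    def request_access(self, user_id: str, external_domain: str, credential: str,
                       resource_id: str, utc_hour: int) -> Optional[dict]:
        key = self._federation_keys.get(external_domain)  # only federated domains are trusted
        claims = _verify(key, credential) if key else None
        if claims is None or claims.get("sub") != user_id or claims.get("iss") != external_domain:
            return None
        entitlements: set = set()
        for rpo in self._directory.lookup(external_domain, resource_id):
            start, end = rpo.allowed_hours
            # Group membership is asserted by the external domain; the entitlement comes from the RPO.
            if rpo.group_id in claims.get("groups", []) and start <= utc_hour < end:
                entitlements |= rpo.entitlements
        if not entitlements:
            return None
        token = _sign(self._signing_key, {"sub": user_id, "iss": "owner.example",
                                          "res": resource_id, "entitlements": sorted(entitlements)})
        return {"access_token": token, "redirect": f"https://owner.example/resources/{resource_id}"}


def demo() -> Dict[str, Optional[dict]]:
    """Run the flow on constructed sample data and return the outcome of several requests."""
    ext = ExternalDomain("partner.example", b"partner-key")
    ext.groups["auditors"] = {"alice", "bob"}
    directory = OwnerDirectory()
    directory.approve(AccessTemplate("partner.example", "auditors", "finance-db", frozenset({"read"}), (8, 18)))
    svc = TokenService(directory, {"partner.example": b"partner-key"}, b"owner-key")
    alice, carol = ext.issue_credential("alice"), ext.issue_credential("carol")
    forged = _sign(b"wrong-key", {"sub": "alice", "iss": "partner.example", "groups": ["auditors"]})
    return {
        "alice_in_hours": svc.request_access("alice", "partner.example", alice, "finance-db", 10),
        "alice_after_hours": svc.request_access("alice", "partner.example", alice, "finance-db", 22),
        "carol_not_member": svc.request_access("carol", "partner.example", carol, "finance-db", 10),
        "bob_with_alice_cred": svc.request_access("bob", "partner.example", alice, "finance-db", 10),
        "forged_credential": svc.request_access("alice", "partner.example", forged, "finance-db", 10),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", "granted" if result else "denied")
```

The point the model makes is the separation of duties: the external domain can only assert who its users are and which groups they belong to, while what those groups may do, and when, is fixed by the RPO that the owner approved and keeps in its own directory. A membership claim with no matching RPO, a request outside the policy window, a credential presented for a different user, or a credential not signed by the federated domain's key all fail closed with no token issued.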

權(quán)利要求

1