Secure resource authorization for external identities using remote principal objects
摘要
說明書
A method is also described herein. The method is for authorizing access by a remote principal of a second domain to a secure data resource in a first domain, according to embodiments. The method includes receiving from an interface associated with the remote principal a request to access a first domain of a domain host, the first domain being different from the second domain, the request including an identifier and second domain credentials of the remote principal, and determining that a remote principal object generated and stored at a directory of the domain host and inaccessible from the second domain is present and valid in the directory. The method also includes verifying that the remote principal is identified as being associated with a group, of the second domain, having at least one entitlement to the secure data resource as enumerated in a set of permissions and at least one associated access policy defined by the second domain and represented in the remote principal object, generating an access token for the remote principal that includes the at least one entitlement, and providing the access token to the remote principal causing a redirect of the user interface that provides access to the secure data resource by the remote principal.
In an embodiment, the method includes causing generation of the remote principal object in the first domain at the domain host that links the remote principal to the entitlements based on the set of permissions prior to said determining.
In an embodiment of the method, generating the remote principal object is performed based on an acceptance within the first domain of an access permission approval request for the secure data resource that is initiated in and provided on behalf of the second domain.
