US 11,870,781 B1
Enterprise access management system for external service providers
Daniel Medina, Brooklyn, NY (US); Namitha Krishna, Jersey City, NJ (US); and Boris Goberman, Fair Lawn, NJ (US)
Assigned to Morgan Stanley Services Group Inc., New York, NY (US)
Filed by Morgan Stanley Services Group Inc., New York, NY (US)
Filed on Feb. 26, 2020, as Appl. No. 16/801,694.
Int. Cl. H04L 9/40 (2022.01); G06F 16/958 (2019.01); G06F 9/54 (2006.01)
CPC H04L 63/0884 (2013.01) [G06F 9/541 (2013.01); G06F 16/986 (2019.01); H04L 63/0807 (2013.01); H04L 63/0823 (2013.01); H04L 63/102 (2013.01); H04L 63/0209 (2013.01)] 9 Claims
OG exemplary drawing
 
1. A computer system comprising:
an enterprise network computer system for an enterprise; and
an external service provider comprising one or more servers in communication with the enterprise network computer system via a computer data network, wherein:
the external service provider is external to the enterprise network computer system;
the external service provider provides a SaaS application for end users of the enterprise network computer system; and
the enterprise network computer system comprises:
an identity provider server system comprising one or more servers configured for authenticating end users of the enterprise network computer system, wherein the end users must be in-network of the enterprise network computer system in order to leverage authentication by the identity provider server system; and
an entitlements data store that stores entitlement data for end users of the enterprise network computer system with respect to the external service provider, wherein:
the entitlement data stored by the entitlements data store comprise:
data regarding whether the end users are entitled to access the external service provider; and
data regarding, for each end user that is entitled to access the external service provider, one or more actions that the end user is permitted to perform on resources hosted by the external service provider;
the identity provider server system and the entitlements data store are programmed to communicate via web services calls; and
the identity provider server system is programmed to, upon a first end user requesting access to the external service provider:
authenticate the first end user in response to an access request from the external service provider;
after authenticating the first end user, make a web services call to the entitlements data store; and
make a determination of whether the first end user is authorized to access the external service provider based on:
authentication of the first end user by the identity provider server system; and
the entitlement data from the entitlements data store for the first end user with respect to the external service provider, wherein the entitlement data for the first end user comprise conditional access parameters of the first end user, and wherein the entitlement data are set by a manager of the enterprise network computer system and such that the conditional access parameters for the first end user are not configurable by the first end user; and
upon a determination by the identity provider server system that the first end user is authorized to access the external service provider, send a SAML token to the first end user, wherein the SAML token comprises an XML representation of entitlement information for the first end user for the external service provider, wherein the XML representation of the entitlement information in the SAML token is based on the entitlement data for the first end user stored in the entitlements data store, wherein the XML representation in the SAML token comprises one or more XML representations about the one or more actions that the first end user is permitted to perform on the resources hosted by the external service provider; and
upon a determination by the identity provider server system that the first end user is not authorized to access the external service provider, send a message to be displayed for the first end user that the first end user is not authorized to access the external service provider, wherein the process of authorizing the first end user is terminated upon display of the message such that enterprise-specific data for the request from the first end user is not sent outside of the enterprise network computer system.
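The decision flow of claim 1, modelled as an added example in Python (this is not the patentee's code and the patent discloses no implementation): the identity provider authenticates an in-network user, fetches the manager-set entitlement record over a stubbed web-services call, and either issues a SAML 2.0 assertion whose AttributeStatement carries the permitted actions, or stops with a denial message before any enterprise-specific data leaves the network. The service-provider name, the attribute name, the entitlement records and the `managed_device` conditional access parameter are constructed assumptions.

```python
"""Added example of the claim-1 authorization flow; entitlements and names are constructed."""
import uuid
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_NS)
IDP_ENTITY_ID = "https://idp.enterprise.example"  # assumed issuer
ACTION_ATTR = "urn:example:entitlement:action"     # assumed attribute name

# Constructed entitlements store. Records are set by the enterprise manager;
# nothing in this flow lets the end user change them.
ENTITLEMENTS = {
    "alice": {"crm.example.com": {"entitled": True, "actions": ["read", "export"],
                                  "conditions": {"managed_device": True}}},
    "bob":   {"crm.example.com": {"entitled": False, "actions": [], "conditions": {}}},
}

def entitlements_ws_call(user: str, sp: str) -> dict:
    """Stand-in for the IdP -> entitlements-store web services call."""
    empty = {"entitled": False, "actions": [], "conditions": {}}
    return ENTITLEMENTS.get(user, {}).get(sp, empty)

@dataclass
class Decision:
    authorized: bool
    saml_xml: Optional[str] = None
    message: Optional[str] = None
    data_left_network: bool = False  # True only when an assertion was released

def authenticate(in_network: bool, credentials_ok: bool) -> bool:
    # Authentication is only offered to users inside the enterprise network.
    return in_network and credentials_ok

def conditions_met(conditions: dict, context: dict) -> bool:
    # Every conditional access parameter in the record must match the request context.
    return all(context.get(k) == v for k, v in conditions.items())

def build_assertion(user: str, sp: str, actions: list) -> str:
    """Build an unsigned SAML 2.0 assertion carrying the permitted actions.
    A deployment must sign it (XML-DSig) and the SP must verify the signature,
    Audience and validity window; signing is omitted to keep the example offline."""
    now = datetime.now(timezone.utc)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    q = lambda tag: f"{{{SAML_NS}}}{tag}"
    a = ET.Element(q("Assertion"), {"ID": "_" + uuid.uuid4().hex, "Version": "2.0",
                                    "IssueInstant": now.strftime(fmt)})
    ET.SubElement(a, q("Issuer")).text = IDP_ENTITY_ID
    ET.SubElement(ET.SubElement(a, q("Subject")), q("NameID")).text = user
    cond = ET.SubElement(a, q("Conditions"), {
        "NotBefore": now.strftime(fmt),
        "NotOnOrAfter": (now + timedelta(minutes=5)).strftime(fmt)})
    ET.SubElement(ET.SubElement(cond, q("AudienceRestriction")), q("Audience")).text = sp
    attr = ET.SubElement(ET.SubElement(a, q("AttributeStatement")), q("Attribute"),
                         {"Name": ACTION_ATTR})
    for act in actions:
        ET.SubElement(attr, q("AttributeValue")).text = act
    return ET.tostring(a, encoding="unicode")

def authorize(user: str, sp: str, in_network: bool, credentials_ok: bool,
              context: dict) -> Decision:
    """IdP decision for an access request relayed by the external SaaS provider."""
    if not authenticate(in_network, credentials_ok):
        return Decision(False, message="authentication failed")
    ent = entitlements_ws_call(user, sp)
    if not ent["entitled"] or not conditions_met(ent["conditions"], context):
        # Terminate here: the denial message is displayed in-network and no
        # assertion or entitlement data is released to the service provider.
        return Decision(False, message=f"{user} is not authorized to access {sp}")
    xml = build_assertion(user, sp, ent["actions"])
    return Decision(True, saml_xml=xml, data_left_network=True)

def permitted_actions(saml_xml: str) -> list:
    """Service-provider side: read the permitted actions back out of the assertion."""
    root = ET.fromstring(saml_xml)
    return [v.text for v in root.iter(f"{{{SAML_NS}}}AttributeValue")]

def audience(saml_xml: str) -> Optional[str]:
    return next((e.text for e in ET.fromstring(saml_xml).iter(f"{{{SAML_NS}}}Audience")), None)

if __name__ == "__main__":
    d = authorize("alice", "crm.example.com", True, True, {"managed_device": True})
    print(d.authorized, permitted_actions(d.saml_xml))
    print(authorize("bob", "crm.example.com", True, True, {"managed_device": True}).message)
```

The point to check in any real deployment is the denial branch: it must return before `build_assertion` runs, and the assertion on the success branch must be signed and audience-restricted so the SaaS provider cannot accept a forged or replayed list of actions.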