| CPC H04L 63/0815 (2013.01) [G06F 21/41 (2013.01); H04L 63/0884 (2013.01); H04L 67/10 (2013.01); H04W 4/60 (2018.02)] | 24 Claims |
|
1. A method for single sign-on support access to tenant systems on a multi-tenant service platform, the method including the steps of:
providing a plurality of proxy user account identifiers in an identity provider module, each proxy user account identifier of the plurality of proxy user account identifiers configured to assist in identifying a proxy user account configured to assist in accessing a respective tenant system of a plurality of tenant systems on a multi-tenant service platform, each proxy user account identifier of the plurality of proxy user account identifiers having corresponding security metadata associated therewith in the identity provider module, the corresponding security metadata configured to enable a corresponding proxy user account to access a corresponding respective tenant system, a particular proxy user account identifier identifying a particular proxy user account of the plurality of proxy user accounts that is configured to assist in accessing a particular tenant system of the plurality of tenant systems;
providing mappings in the identity provider module that map a plurality of support user accounts to the plurality of proxy user account identifiers, at least one first particular mapping of the mappings in the identity provider module mapping a first particular support user account of the plurality of support user accounts to the particular proxy user account identifier, at least one second particular mapping of the mappings in the identity provider module mapping a second particular support user account of the plurality of support user accounts to a subset of the plurality of proxy user account identifiers, the subset of the plurality of proxy user account identifiers including the particular proxy user account identifier and including less than all of the proxy user account identifiers;
using a security endpoint module in the multi-tenant service platform to assist in connecting each proxy user account of the plurality of proxy user accounts to the respective tenant system of the plurality of tenant systems, the security endpoint module including a mapping that maps each proxy user account of the plurality of proxy user accounts to the respective tenant system of the plurality of tenant systems;
in the identity provider module:
receiving from the second particular support user account a request to access the particular tenant system,
confirming that the second particular support user account is authorized to access the particular tenant system, and
if the second particular support user account is authorized, sending a security assertion with the particular proxy user account identifier and the corresponding security metadata to the security endpoint module in response to the request; and
in the security endpoint module:
receiving the security assertion, the particular proxy user account identifier, and the corresponding security metadata for the second particular support user account,
using the particular proxy user account identifier to identify the particular proxy user account,
using the particular proxy user account and the corresponding security metadata to enable the second particular support user account to access the particular tenant system of the plurality of tenant systems without disclosing the corresponding security metadata to the second particular support user account, and without allowing the second particular support user account to access other tenant systems of the plurality of tenant systems in response to the request, and
enabling removal of at least a portion of the mappings in the identity provider module, the at least a portion of the mappings corresponding to the second particular support user account.
|