Title: Secure identity propagation in a cloud-based computing environment
Abstract: The present disclosure describes methods, systems, and computer program products for providing secure identity propagation in a cloud-based computing environment. One computer-implemented method includes receiving, from a user, a first security response message, transmitting, to the user in response to receiving the first security response message, a second security response message, wherein the second security response message comprises a Token Granting Token (TGT), receiving, from a cloud application, a Service Token (ST) request, wherein the ST request comprises the TGT, verifying the ST request based on the TGT, generating, in response to the verifying, an ST, wherein the ST is used to validate an access request to access a backend system, and transmitting the ST to the cloud application.
Publication number: US9544311 (B2)    Publication date: 2017-01-10
Application number: US201414542125    Filing date: 2014-11-14
Applicant: SAP SE    Inventor: Raepple Martin
IPC classification: H04L29/06; H04L9/32    Main classification: H04L29/06
Agent (firm): Fish & Richardson P.C.    Agent: Fish & Richardson P.C.
Principal claim: 1. A method, comprising:
    receiving, from a user application and at a cloud-based security token service (STS) executing in the same cloud domain name server (DNS) domain as a cloud application, a first security response message used to generate a Token Granting Token (TGT) for generating a Service Token (ST), wherein the user application is external to the cloud DNS domain, and wherein the first security response message is generated externally to the cloud DNS domain by an Identity Provider (IDP) after successful verification of the user application following an attempted access by the user application of a protected resource in the cloud application;
    transmitting, from the STS and to the user application in response to receiving the first security response message, a second security response message, wherein the second security response message is generated by the STS, wherein the second security response message comprises the TGT, and wherein the TGT includes a unique identifier of the TGT and a unique identifier of the cloud application;
    receiving, at the STS and from the cloud application, a ST request, wherein the ST request comprises the TGT received from the user application;
    verifying, at the STS, the ST request based on the TGT;
    generating, at the STS and in response to the verifying, a ST, wherein the ST is used to validate an access request to access a backend system; and
    transmitting the ST from the STS to the cloud application.
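The claim above is a token-exchange protocol with four parties (IdP, user application, cloud STS, cloud application, plus the backend that consumes the ST). The following is an added worked example, written for this page and not SAP's own code, that plays the exchange end to end: the STS consumes an IdP response, issues a TGT carrying a unique TGT identifier and the cloud application's identifier, then exchanges that TGT for an ST scoped to one backend. The compact token format, HMAC-SHA256 signing with a shared IdP key, the claim names (`jti`, `app_id`, `aud`, `exp`), the rule that the presenting application must match the `app_id` inside the TGT, and all keys and identifiers are assumptions made for illustration.

```python
"""Added example (not SAP's code): a toy cloud STS implementing the TGT -> ST
exchange from the claim. Token format, signing scheme, claim names, keys and
identifiers are illustrative assumptions."""
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(key: bytes, claims: dict) -> str:
    """Compact token: base64url(JSON claims) '.' HMAC-SHA256 hex tag (assumed format)."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify(key: bytes, token: str) -> dict:
    """Constant-time tag check, then return the claims; raise on any failure."""
    body, _, tag = token.partition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad token signature")
    return json.loads(_unb64(body))


class SecurityTokenService:
    """The cloud-domain STS of the claim. It trusts the IdP through a shared
    key (assumption; a real STS would validate a SAML or OIDC response)."""

    def __init__(self, sts_key: bytes, idp_key: bytes, now=time.time):
        self.sts_key, self.idp_key, self.now = sts_key, idp_key, now

    def issue_tgt(self, idp_response: str, app_id: str, ttl: int = 600) -> str:
        """Claim steps 1-2: consume the IdP's 'first security response message'
        and hand the user application a TGT (the 'second security response message')."""
        idp_claims = verify(self.idp_key, idp_response)
        if idp_claims["typ"] != "IDP_RESPONSE" or idp_claims["exp"] <= self.now():
            raise ValueError("IdP response rejected")
        return sign(self.sts_key, {
            "typ": "TGT",
            "jti": secrets.token_hex(16),  # unique identifier of the TGT
            "app_id": app_id,              # unique identifier of the cloud application
            "sub": idp_claims["sub"],
            "exp": int(self.now()) + ttl,
        })

    def issue_st(self, requesting_app_id: str, tgt: str, backend_id: str, ttl: int = 300) -> str:
        """Claim steps 3-5: the cloud app presents the user's TGT; the STS verifies
        it and returns an ST bound to one backend."""
        claims = verify(self.sts_key, tgt)
        if claims["typ"] != "TGT":
            raise ValueError("presented token is not a TGT")
        if claims["app_id"] != requesting_app_id:
            # Assumption: the TGT is only exchangeable by the app it names.
            raise ValueError("TGT was issued for a different cloud application")
        if claims["exp"] <= self.now():
            raise ValueError("TGT expired")
        return sign(self.sts_key, {
            "typ": "ST",
            "jti": secrets.token_hex(16),
            "sub": claims["sub"],
            "aud": backend_id,          # the ST is only good for this backend
            "via": requesting_app_id,   # which cloud app propagated the identity
            "exp": int(self.now()) + ttl,
        })

    def validate_st(self, st: str, backend_id: str) -> dict:
        """What the backend system does with the ST the cloud app forwards to it."""
        claims = verify(self.sts_key, st)
        if claims["typ"] != "ST" or claims["aud"] != backend_id or claims["exp"] <= self.now():
            raise ValueError("ST rejected")
        return claims


def run_flow() -> dict:
    """Drive the whole exchange with constructed keys and a fixed clock, and
    probe the checks a practitioner would expect the STS to enforce."""
    def clock() -> float:
        return 1_700_000_000.0

    idp_key, sts_key = b"idp-shared-secret", b"sts-signing-secret"  # constructed
    sts = SecurityTokenService(sts_key, idp_key, now=clock)
    # (1) The IdP, outside the cloud DNS domain, verifies the user and signs a response.
    idp_response = sign(idp_key, {"typ": "IDP_RESPONSE", "sub": "alice", "exp": int(clock()) + 60})
    # (2) The user application relays it to the STS and receives a TGT.
    tgt = sts.issue_tgt(idp_response, app_id="crm-app")
    # (3)-(5) The cloud app exchanges the TGT for an ST and calls the backend with it.
    st = sts.issue_st("crm-app", tgt, backend_id="erp-backend")
    st_claims = sts.validate_st(st, "erp-backend")

    def rejected(fn) -> bool:
        try:
            fn()
        except ValueError:
            return True
        return False

    body, _, tag = tgt.partition(".")
    forged_tgt = body + "." + "0" * len(tag)  # valid claims, bogus tag
    return {
        "st_subject": st_claims["sub"],
        "st_audience": st_claims["aud"],
        "tgt_app_id": verify(sts_key, tgt)["app_id"],
        "forged_tgt_rejected": rejected(lambda: sts.issue_st("crm-app", forged_tgt, "erp-backend")),
        "wrong_app_rejected": rejected(lambda: sts.issue_st("other-app", tgt, "erp-backend")),
        "st_as_tgt_rejected": rejected(lambda: sts.issue_st("crm-app", st, "erp-backend")),
        "wrong_backend_rejected": rejected(lambda: sts.validate_st(st, "hr-backend")),
    }
```

The four negative probes in `run_flow` are the checks that make the design hold up in practice: a tampered TGT fails the signature check, a TGT stolen by another cloud application cannot be exchanged because the `app_id` it carries does not match the caller, an ST cannot be replayed as a TGT because the token type is checked, and an ST minted for one backend is refused by another because of its audience. Real deployments would also track the TGT's unique identifier to limit reuse, which the toy omits.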
Address: Walldorf, DE