Title: Secure machine enrollment in multi-tenant subscription environment
Abstract: In a multi-tenant environment, machines across the Internet that belong to a particular subscription are securely enrolled with the tenant's subscription. Authentication of the machines is delegated to each tenant's own on-premises authentication mechanism. The trust relationship with the tenant's authentication service is used to validate the security token presented by the machine being authenticated. Once authenticated, the machine holds an authorization credential (e.g. an SSL machine certificate for identity, a security token, etc.) for access to the subscription. Each tenant within the multi-tenant environment can provide its own level of authentication. The machine presents the security token to the multi-tenant environment with requests for resources (e.g. services or content) on behalf of a user. When a request to access a resource is received from a machine, the multi-tenant environment determines from the issued token whether or not the machine is authorized to access the requested resources.
Publication number: US8819801(B2)  Publication date: 2014.08.26
Application number: US201113286001  Filing date: 2011.10.31
Applicant: Microsoft Corporation  Inventors: Sangubhatla Murali Krishna; Rangegowda Dharshan; Brown Morgan Asher; Chen Jiazhen; Chavez Anthony S.
Classification: H04L29/06; G06F21/33  Main classification: H04L29/06
Agency: (none listed)  Agents: Tabor Ben; Drakos Kate; Minhas Micky
Independent claim 1. A method for securely enrolling a machine in a multi-tenant environment, comprising: receiving, at a multi-tenant environment, a request from a machine to access a resource of a tenant in the multi-tenant environment, the request including a token, wherein the token was previously issued to the machine by the tenant upon authentication by the tenant based on the tenant's own authentication mechanism; retrieving a trust relationship previously established between the multi-tenant environment and an authentication service of the tenant; determining that the token is valid using the retrieved trust relationship; determining that the machine is authorized by the tenant to access the resource of the tenant using the token and the trust relationship; and authorizing access to the resource upon determining that the machine is authenticated by the tenant.
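The enrollment and validation flow that the abstract and claim 1 describe, as an added worked example. This is an illustration written for this page, not code from the patent or from Microsoft, and everything in it is assumed: the token format (a JSON payload signed with HMAC-SHA256 under a per-tenant key, which stands in for the "trust relationship" the multi-tenant environment stores for each tenant's authentication service), the class and function names, and the tenant, machine and resource names, which are constructed sample data. The multi-tenant side never sees the machine's credentials; it only checks that the token verifies under the trust relationship of the tenant that owns the requested resource and that the token grants that resource.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(payload: dict, key: bytes) -> str:
    """Assumed token format: base64url(JSON payload) '.' base64url(HMAC-SHA256)."""
    body = _b64e(json.dumps(payload, sort_keys=True).encode())
    return body + "." + _b64e(hmac.new(key, body.encode(), hashlib.sha256).digest())


class TenantAuthService:
    """A tenant's own (on-premises) authentication mechanism, modelled here as a
    machine-id -> secret-hash table. The multi-tenant side never sees these
    credentials, only the token this service issues after a successful login."""

    def __init__(self, tenant_id: str, signing_key: bytes, machine_secrets: dict):
        self.tenant_id = tenant_id
        self.signing_key = signing_key          # shared with the environment at trust setup
        self.machine_secrets = {m: hashlib.sha256(s.encode()).hexdigest()
                                for m, s in machine_secrets.items()}

    def enroll(self, machine_id, machine_secret, scopes, ttl=3600, now=None):
        """Authenticate the machine locally; on success issue a token naming the
        issuing tenant (iss), the machine (sub) and the resources it may use."""
        presented = hashlib.sha256(machine_secret.encode()).hexdigest()
        known = self.machine_secrets.get(machine_id)
        if known is None or not hmac.compare_digest(known, presented):
            return None
        now = time.time() if now is None else now
        payload = {"iss": self.tenant_id, "sub": machine_id,
                   "exp": int(now + ttl), "scopes": sorted(scopes)}
        return sign_token(payload, self.signing_key)


class MultiTenantEnvironment:
    """The subscription service: one trust relationship (verification key) per
    tenant, plus a map from each resource to the tenant that owns it."""

    def __init__(self):
        self.trust = {}      # tenant_id -> verification key
        self.resources = {}  # resource name -> owning tenant_id

    def establish_trust(self, tenant_id, key):
        self.trust[tenant_id] = key

    def register_resource(self, resource, tenant_id):
        self.resources[resource] = tenant_id

    def authorize(self, token, resource, now=None):
        """Return (allowed, reason_or_machine_id), following the steps of claim 1."""
        now = time.time() if now is None else now
        owner = self.resources.get(resource)
        if owner is None:
            return False, "unknown resource"
        try:
            body, sig = token.split(".")
            payload = json.loads(_b64d(body))
            sig_bytes = _b64d(sig)
        except ValueError:                      # bad split, bad base64 or bad JSON
            return False, "malformed token"
        if not isinstance(payload, dict) or not isinstance(payload.get("exp"), int):
            return False, "malformed token"
        # Retrieve the trust relationship for the tenant that issued the token.
        key = self.trust.get(payload.get("iss"))
        if key is None:
            return False, "no trust relationship with issuer"
        # The token is valid only if it verifies under that relationship.
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig_bytes):
            return False, "bad signature"
        if payload["exp"] <= now:
            return False, "token expired"
        # Authorization: a token from tenant A must not open tenant B's resource,
        # even though the environment trusts both tenants' authentication services.
        if payload["iss"] != owner:
            return False, "token issued by a different tenant"
        if resource not in payload.get("scopes", []):
            return False, "machine not authorized for resource"
        return True, payload.get("sub")


def run_scenario(now=1_700_000_000):
    """Constructed sample tenants, machines and resources; returns the decisions."""
    contoso = TenantAuthService("contoso", b"contoso-trust-key", {"web01": "s3cret"})
    fabrikam = TenantAuthService("fabrikam", b"fabrikam-trust-key", {"db01": "pa55"})
    env = MultiTenantEnvironment()
    env.establish_trust("contoso", contoso.signing_key)
    env.establish_trust("fabrikam", fabrikam.signing_key)
    env.register_resource("contoso/updates", "contoso")
    env.register_resource("contoso/billing", "contoso")
    env.register_resource("fabrikam/backups", "fabrikam")

    good = contoso.enroll("web01", "s3cret", ["contoso/updates"], now=now)
    other = fabrikam.enroll("db01", "pa55", ["fabrikam/backups", "contoso/updates"], now=now)
    # Tamper with a valid token: add a scope without re-signing.
    body, sig = good.split(".")
    tampered = json.loads(_b64d(body))
    tampered["scopes"].append("contoso/billing")
    forged = _b64e(json.dumps(tampered, sort_keys=True).encode()) + "." + sig
    # A token from an issuer the environment has no trust relationship with.
    rogue = sign_token({"iss": "mallory", "sub": "x", "exp": now + 60,
                        "scopes": ["contoso/updates"]}, b"mallory-key")
    return {
        "wrong_credential": contoso.enroll("web01", "wrong", ["contoso/updates"], now=now),
        "valid": env.authorize(good, "contoso/updates", now=now),
        "expired": env.authorize(good, "contoso/updates", now=now + 7200),
        "forged": env.authorize(forged, "contoso/updates", now=now),
        "cross_tenant": env.authorize(other, "contoso/updates", now=now),
        "untrusted_issuer": env.authorize(rogue, "contoso/updates", now=now),
        "out_of_scope": env.authorize(good, "contoso/billing", now=now),
    }


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

The cross-tenant case is the check most easily forgotten when implementing this scheme: signature validity alone only proves that some trusted tenant issued the token, so the environment must also bind the issuer to the owner of the requested resource before consulting the token's scopes.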
Address: Redmond WA US