Management and authentication in hosted directory service

US9596233B1 · US · B1

Patent metadata
Publication number: US-9596233-B1
Application number: US-201615060236-A
Country: US
Kind code: B1
Filing date: Mar 3, 2016
Priority date: Sep 29, 2014
Publication date: Mar 14, 2017
Grant date: Mar 14, 2017

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

A user, group, and device management and authentication system allows administrators to manage one or more directories with devices that are not associated with a domain of the one or more directories via a set of APIs. The system also allows applications and services that do not have direct access to a list of directory users to access the one or more directories. The user, group, and device management and authentication system may be an add-on system that works in conjunction with a centrally-managed directory service to provide such functionality. For example, the system may generate an access token associated with a particular directory that can be used by a service accessed by an administrator to call an API provided by the system. The API call may be translated into a directory-specific API call that can be used to perform an action in the particular directory.

First claim

Opening claim text (preview).

What is claimed is:

1. A system comprising: a plurality of computing systems, wherein each computing system hosts a different directory in a plurality of directories; and a computing resource service provider system comprising one or more computing devices, the computing resource service provider system in communication with the plurality of computing systems and programmed to implement: an authentication service configured to receive, from a user device, a credential, a client identifier, and a directory identifier, wherein the directory identifier identifies a first directory in the plurality of directories, and wherein the client identifier is associated with a service that is not associated with the first directory; and an agent associated with the first directory, the agent configured to receive the credential from the authentication service and to determine whether the credential can be authenticated, wherein, in response to a determination that the credential can be authenticated, the authentication service is further configured to: generate an authentication code that is valid for a finite period of time, transmit the authentication code to the user device, instruct the user device to access the service associated with the client identifier, receive the authentication code from the service associated with the client identifier, generate, in response to receiving the authentication code from the service associated with the client identifier before the authentication code expires, an access token based on the authentication code and the directory identifier, and transmit the access token to the service associated with the client identifier, wherein the access token allows the user device to manage the first directory via the service associated with the client identifier.

2. The system of claim 1, wherein the agent is configured to determine whether the credential can be authenticated by instructing a managed directory service to access the first directory.

3. The system of claim 1, wherein the authentication code is an OAuth code.

4. A computer-implemented method of authenticating an administrator for the management of one or more directories, the method comprising: as implemented by a computer resource service provider system comprising one or more computing devices, the computer resource service provider system in communication with a plurality of directories, the computer resource service provider system configured with specific executable instructions, receiving, from a user device, a credential and a directory identifier, wherein the directory identifier identifies a first directory in the plurality of directories, and wherein the user device accessed a service that is not associated with the first directory; determining whether the credential can be authenticated; generating, in response to a determination that the credential can be authenticated, an authentication code that is valid for a finite period of time; transmitting the authentication code to the user device; receiving the authentication code from the service accessed by the user device before the authentication code expires; generating an access token based on the authentication code; and transmitting the access token to the service accessed by the user device, wherein the access token allows the user device to manage the first directory via the service accessed by the user device.

5. The computer-implemented method of claim 4, wherein determining whether the credential can be authenticated further comprises determining whether the credential can be authenticated by instructing a managed directory service to access the first directory.

6. The computer-implemented method of claim 4, wherein generating an access token further comprises generating the access token in response to receiving the authentication code from the service accessed by the user device before the authentication code expires.

7. The computer-implemented method of claim 4, wherein the authentication code is an OAuth code.

8. The computer-implemented method of claim 4, wherein the credential comprises a username and a password.

9. A non-transitory computer storage system comprising a non-transitory storage device, said computer storage system having stored thereon executable program instructions that direct a computer system to at least: receive, from a user device, a credential and a directory identifier, wherein the directory identifier identifies a first directory in a plurality of directories, wherein the first directory is associated with a first network, and wherein the user device is associated with a second network different from the first network; determine whether the credential can be authenticated; generate, in response to a determination that the credential can be authenticated, an authentication code that is valid for a finite period of time; transmit the authentication code to the user device; receive the authentication code from a service accessed by the user device before the authentication code expires in response to a request for an access token to manage the first directory; generate the access token based on the authentication code; and transmit the access token to the service accessed by the user device, wherein the access token allows the user device to manage the first directory via the service accessed by the user device.

10. The non-transitory computer storage system of claim 9, wherein the executable program instructions further direct the computer system to at least determine whether the credential can be authenticated by accessing the first directory.

11. The non-transitory computer storage system of claim 9, wherein the executable program instructions further direct the computer system to at least generate the access token in response to receiving the authentication code from the service accessed by the user device before the authentication code expires.

12. The non-transitory computer storage system of claim 9, wherein the credential comprises a username and a password.
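The authorization-code exchange that claims 1, 4 and 9 describe, written out as an added Python illustration. This is not code from the patent or from the assignee; the class names, the 60-second code lifetime, the one-hour token lifetime, the client identifier "hr-portal", the directory identifier "dir-corp" and the sample user are all assumptions. It shows the three properties the claims hinge on: the authentication code is valid only for a finite period, it can be redeemed once, and the resulting access token is bound to the client identifier that requested it and to the directory identifier it was issued for.

```python
# Added illustration of the authorization-code exchange in claims 1, 4 and 9.
# Not the patent's or the assignee's code; names and lifetimes are assumptions.
import hmac
import secrets
import time
from typing import Callable, Optional

CODE_LIFETIME_SECONDS = 60      # assumed "finite period of time" for the authentication code
TOKEN_LIFETIME_SECONDS = 3600   # assumed lifetime for the issued access token


class FakeClock:
    """Controllable clock so expiry can be exercised without sleeping."""

    def __init__(self, start: float) -> None:
        self.now = start

    def advance(self, seconds: float) -> None:
        self.now += seconds

    def __call__(self) -> float:
        return self.now


class DirectoryAgent:
    """Stands in for the agent of one directory: only it checks the credential.
    The user table is constructed sample data; a real agent would defer to the
    directory's own verification rather than hold secrets itself."""

    def __init__(self, users: dict) -> None:
        self._users = users  # username -> password (constructed sample data)

    def authenticate(self, username: str, password: str) -> bool:
        stored = self._users.get(username, "")
        # constant-time comparison, performed even for an unknown user
        matches = hmac.compare_digest(stored.encode(), password.encode())
        return username in self._users and matches


class AuthenticationService:
    """Provider-side service: receives credential, client id and directory id,
    hands out a short-lived code, and later exchanges that code for an access token."""

    def __init__(self, agents: dict, clients: set,
                 clock: Callable[[], float] = time.time) -> None:
        self._agents = agents    # directory_id -> DirectoryAgent
        self._clients = clients  # registered client identifiers
        self._clock = clock
        self._codes = {}         # code -> (client_id, directory_id, expiry)
        self._tokens = {}        # token -> (directory_id, expiry)

    def login(self, username: str, password: str,
              client_id: str, directory_id: str) -> Optional[str]:
        """Authenticate via the directory's agent and issue a finite-lifetime code."""
        if client_id not in self._clients or directory_id not in self._agents:
            return None
        if not self._agents[directory_id].authenticate(username, password):
            return None
        code = secrets.token_urlsafe(32)
        self._codes[code] = (client_id, directory_id, self._clock() + CODE_LIFETIME_SECONDS)
        return code  # goes to the user device, which carries it to the service

    def exchange_code(self, code: str, client_id: str) -> Optional[str]:
        """The service redeems the code. pop() makes every code single-use, so an
        attempt by the wrong client also burns it (assumed policy)."""
        entry = self._codes.pop(code, None)
        if entry is None:
            return None
        bound_client, directory_id, expiry = entry
        if bound_client != client_id or self._clock() > expiry:
            return None
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (directory_id, self._clock() + TOKEN_LIFETIME_SECONDS)
        return token

    def authorize(self, token: str, directory_id: str) -> bool:
        """A token manages only the directory it was issued for, until it expires."""
        entry = self._tokens.get(token)
        if entry is None:
            return False
        bound_directory, expiry = entry
        return bound_directory == directory_id and self._clock() <= expiry


def run_demo() -> dict:
    """Walk the flow once and return the outcome of each step."""
    clock = FakeClock(1_000.0)
    pw = "correct horse battery"  # constructed sample password
    svc = AuthenticationService(
        agents={"dir-corp": DirectoryAgent({"alice": pw})},
        clients={"hr-portal"},   # a service that is not itself part of dir-corp
        clock=clock)
    r = {}
    r["bad_password"] = svc.login("alice", "wrong", "hr-portal", "dir-corp")
    r["unknown_client"] = svc.login("alice", pw, "rogue-app", "dir-corp")
    code = svc.login("alice", pw, "hr-portal", "dir-corp")
    r["wrong_client_redeems"] = svc.exchange_code(code, "rogue-app")
    r["burned_code_reuse"] = svc.exchange_code(code, "hr-portal")
    code = svc.login("alice", pw, "hr-portal", "dir-corp")
    token = svc.exchange_code(code, "hr-portal")
    r["token_issued"] = token is not None
    r["code_replay"] = svc.exchange_code(code, "hr-portal")
    r["manage_own_directory"] = svc.authorize(token, "dir-corp")
    r["manage_other_directory"] = svc.authorize(token, "dir-other")
    code = svc.login("alice", pw, "hr-portal", "dir-corp")
    clock.advance(CODE_LIFETIME_SECONDS + 1)
    r["expired_code"] = svc.exchange_code(code, "hr-portal")
    clock.advance(TOKEN_LIFETIME_SECONDS)
    r["expired_token"] = svc.authorize(token, "dir-corp")
    return r


if __name__ == "__main__":
    for step, outcome in run_demo().items():
        print(f"{step}: {outcome}")
```

The claims only require that the code be redeemed before it expires; burning a code on a mismatched client identifier is an added design choice, so a code leaked to a service other than the one the user was sent to cannot be redeemed later by the legitimate service either, which makes the misuse visible rather than silently tolerated.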

Assignees

Amazon Tech Inc

Inventors

Classifications

  • using tickets, e.g. Kerberos (cryptographic mechanisms or cryptographic arrangements for entity authentication using tickets or tokens H04L9/3213) · CPC title

  • to a system of files or objects, e.g. local or distributed file system or database · CPC title

  • using an additional device, e.g. smartcard, SIM or a different communication terminal (cryptographic mechanisms or cryptographic arrangements for entity authentication involving additional secure or trusted devices H04L9/3234) · CPC title

  • for supporting key management in a packet data network (cryptographic mechanisms or cryptographic arrangements for key management H04L9/08) · CPC title

  • H04L63/083 (Primary): using passwords (cryptographic mechanisms or cryptographic arrangements for entity authentication using a predetermined code H04L9/3226) · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US9596233B1 cover?
A user, group, and device management and authentication system allows administrators to manage one or more directories with devices that are not associated with a domain of the one or more directories via a set of APIs. The system also allows applications and services that do not have direct access to a list of directory users to access the one or more directories. The user, group, and device m…
Who is the assignee on this patent?
Amazon Tech Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/0807. Mapped technology areas include Electricity.
When was this patent published?
Publication date Mar 14, 2017 (B1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 3 related publications on this page (citations in our corpus or others sharing the same primary CPC).