US-12621304-B2 - Systems and method for authenticating users of a data processing platform from multiple identity providers
Abstract
A system and method for authenticating users of a data processing platform stores a mapping of a unique user platform identifier to multiple user identity provider identifiers associated with multiple realms for a same user. In some examples, the method includes receiving a request from a client device to establish an access session to perform one or more actions on data of the data processing platform and receiving, from at least one of the first external identity provider of the first realm or the second external identity provider of the second realm, a user identity provider identifier associated with the request. In certain examples, the method includes granting permission to perform the one or more actions on the data of the data processing platform based at least in part on the received user identity provider identifier.
Inventors
- Lili Yang
- Mark Elliot
- Lam Tran
- Robert Kruszewski
- Divyanshu Arora
Assignees
- Palantir Technologies Inc.
Dates
- Publication Date: 20260505
- Application Date: 20240209
Claims (20)
- 1. A method for authenticating users of a data processing platform comprising: receiving a request from a user to establish an access session to perform one or more actions on data of the data processing platform; receiving, from at least one of a first identity provider of a first realm or a second identity provider of a second realm, a user identity provider identifier corresponding to the request; upon receiving the user identity provider identifier, determining a user platform identifier by matching the received user identity provider identifier to at least one of a first user identity provider identifier assigned by the first identity provider of the first realm for the user or a second user identity provider identifier assigned by the second identity provider of the second realm for the user, wherein the user platform identifier is mapped to both the first user identity provider identifier and the second user identity provider identifier; identifying a conflict by evaluating first permission data corresponding to the first user identity provider identifier and second permission data corresponding to the second user identity provider identifier, wherein the first identity provider corresponds to a first priority and the second identity provider corresponds to a second priority different from the first priority; resolving the identified conflict, in response to evaluating the first permission data and the second permission data for the request, by generating merged permission data for the unique user platform identifier; and granting permission to the requesting user to perform the one or more actions on the data of the data processing platform using the received user identity provider identifier and the merged permission data; wherein the method is performed by one or more processors.
- 2. The method of claim 1, wherein each of the first realm and the second realm is a source of users or groups of users provided by the first identity provider and the second identity provider, respectively.
- 3. The method of claim 1, wherein the request includes the user identity provider identifier and a data resource identifier of a data resource associated with the data processing platform.
- 4. The method of claim 1, further comprising: generating a mapping of the user platform identifier to both of the first user identity provider identifier and the second user identity provider identifier for the user using a data mapping structure, wherein the data mapping structure comprises the unique user platform identifier, the first user identity provider identifier, and the second user identity provider identifier.
- 5. The method of claim 4, wherein the generating a mapping of the user platform identifier comprises creating the unique user platform identifier as mapped to both of the first user identity provider identifier associated with the first identity provider of the first realm and the second user identity provider identifier associated with the second identity provider of the second realm.
- 6. The method of claim 4, wherein the generating a mapping of the user platform identifier comprises: assigning a first user platform identifier to the first user identity provider identifier associated with the first identity provider of the first realm and assigning a second user platform identifier to the second user identity provider identifier associated with the second identity provider; linking the first user platform identifier to the second user platform identifier to link the first permission data with the second permission data; and using at least one of either of the linked first user platform identifier or the second user platform identifier to grant permission to perform the one or more actions on the data.
- 7. The method of claim 1, wherein the generating merged permission data for the unique user platform identifier based on the evaluation includes if the first priority is higher than the second priority, generating the merged permission data using the first permission data.
- 8. The method of claim 1, further comprising: assigning a timeout period to at least one selected from a group consisting of the first permission data associated with the first user identity provider identifier and the second permission data associated with the second user identity provider identifier.
- 9. A system for authenticating users of a data processing platform comprising: one or more processors; and a memory comprising stored executable instructions that when executed by the one or more processors cause the one or more processors to perform operations comprising: receiving a request from a user to establish an access session to perform one or more actions on data of the data processing platform; receiving, from at least one of a first identity provider of a first realm or a second identity provider of a second realm, a user identity provider identifier corresponding to the request; upon receiving the user identity provider identifier, determining a user platform identifier by matching the received user identity provider identifier to at least one of a first user identity provider identifier assigned by the first identity provider of the first realm for the user or a second user identity provider identifier assigned by the second identity provider of the second realm for the user, wherein the user platform identifier is mapped to both the first user identity provider identifier and the second user identity provider identifier; identifying a conflict by evaluating first permission data corresponding to the first user identity provider identifier and second permission data corresponding to the second user identity provider identifier, wherein the first identity provider corresponds to a first priority and the second identity provider corresponds to a second priority different from the first priority; resolving the identified conflict in response to evaluating the first permission data and the second permission data for the request by generating merged permission data for the unique user platform identifier; and granting permission to the requesting user to perform the one or more actions on the data of the data processing platform using the received user identity provider identifier and the merged permission data.
- 10. The system of claim 9, wherein each of the first realm and the second realm is a source of users or groups of users provided by the first identity provider and the second identity provider, respectively.
- 11. The system of claim 9, wherein the request includes the user identity provider identifier and a data resource identifier of a data resource associated with the data processing platform.
- 12. The system of claim 9, wherein the operations further comprise: generating a mapping of the user platform identifier to both of the first user identity provider identifier and the second user identity provider identifier for the user using a data mapping structure, wherein the data mapping structure comprises the unique user platform identifier, the first user identity provider identifier, and the second user identity provider identifier.
- 13. The system of claim 12, wherein the generating a mapping of the user platform identifier comprises creating the unique user platform identifier as mapped to both of the first user identity provider identifier associated with the first identity provider of the first realm and the second user identity provider identifier associated with the second identity provider of the second realm.
- 14. The system of claim 12, wherein the generating a mapping of the user platform identifier comprises: assigning a first user platform identifier to the first user identity provider identifier associated with the first identity provider of the first realm and assigning a second user platform identifier to the second user identity provider identifier associated with the second identity provider; linking the first user platform identifier to the second user platform identifier to link the first permission data with the second permission data; and using at least one of either of the linked first user platform identifier or the second user platform identifier to grant permission to perform the one or more actions on the data.
- 15. The system of claim 9, wherein the generating merged permission data for the unique user platform identifier based on the evaluation includes if the first priority is higher than the second priority, generating the merged permission data using the first permission data.
- 16. The system of claim 9, wherein the operations further comprise: assigning a timeout period to at least one selected from a group consisting of the first permission data associated with the first user identity provider identifier and the second permission data associated with the second user identity provider identifier.
- 17. A non-transitory computer-readable medium storing instructions for authenticating users of a data processing platform, the instructions when executed by one or more processors of a computing device, cause the computing device to perform operations comprising: receiving a request from a user to establish an access session to perform one or more actions on data of the data processing platform; receiving, from at least one of a first identity provider of a first realm or a second identity provider of a second realm, a user identity provider identifier corresponding to the request; upon receiving the user identity provider identifier, determining a user platform identifier by matching the received user identity provider identifier to at least one of a first user identity provider identifier assigned by the first identity provider of the first realm for the user or a second user identity provider identifier assigned by the second identity provider of the second realm for the user, wherein the user platform identifier is mapped to both the first user identity provider identifier and the second user identity provider identifier; identifying a conflict by evaluating first permission data corresponding to the first user identity provider identifier and second permission data corresponding to the second user identity provider identifier, wherein the first identity provider corresponds to a first priority and the second identity provider corresponds to a second priority different from the first priority; resolving the identified conflict in response to evaluating the first permission data and the second permission data for the request by generating merged permission data for the unique user platform identifier; and granting permission to the requesting user to perform the one or more actions on the data of the data processing platform using the received user identity provider identifier and the merged permission data.
- 18. The non-transitory computer-readable medium of claim 17, wherein the generating merged permission data for the unique user platform identifier based on the evaluation includes generating, if the first priority is higher than the second priority, the merged permission data using the first permission data.
- 19. The non-transitory computer-readable medium of claim 17, wherein each of the first realm and the second realm is a source of users or groups of users provided by the first identity provider and the second identity provider, respectively, and wherein the request includes the user identity provider identifier and a data resource identifier of a data resource associated with the data processing platform.
- 20. The non-transitory computer-readable medium of claim 17, wherein the operations further comprise: generating a mapping of the user platform identifier to both of the first user identity provider identifier and the second user identity provider identifier for the user using a data mapping structure, wherein the data mapping structure comprises the unique user platform identifier, the first user identity provider identifier, and the second user identity provider identifier.
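The claims above describe one procedure in three framings (method, system, medium): a single platform identifier mapped to identifiers from two realms (claims 4 and 5), permission data evaluated per realm with a conflict detected where they disagree, the conflict resolved in favour of the higher-priority realm (claims 7, 15 and 18), an optional timeout on either realm's permission data (claims 8 and 16), and a grant decided against the merged result. The following Python is an added worked example of that flow, not code from the patent or from Palantir. The realm names, the "higher number wins" priority convention, the per-resource granularity of the merge, the LDAP DN and e-mail style identifiers, and all sample permission data are constructed assumptions.

```python
"""Constructed example of the claimed flow: one platform identifier mapped to
identifiers from two realms, per-realm permission data evaluated, conflicts
resolved by realm priority, and the request granted against the merged result.
Names, data structures and sample values are illustrative assumptions only."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class IdpIdentity:
    realm: str        # authentication source, e.g. "corp-ldap" (constructed name)
    idp_user_id: str  # identifier assigned by that realm's identity provider


@dataclass
class PermissionData:
    grants: dict[str, set[str]]          # resource id -> allowed actions
    expires_at: Optional[float] = None   # claim 8: optional timeout on this data

    def is_valid(self, now: float) -> bool:
        return self.expires_at is None or now < self.expires_at


class PlatformIdentityStore:
    """Data mapping structure of claims 4/5: unique platform id <-> realm identities."""

    def __init__(self, realm_priority: dict[str, int]):
        self.realm_priority = realm_priority          # higher number = higher priority (assumed)
        self._by_platform: dict[str, set[IdpIdentity]] = {}
        self._by_idp: dict[IdpIdentity, str] = {}
        self._perms: dict[IdpIdentity, PermissionData] = {}

    def link(self, platform_id: str, ident: IdpIdentity, perms: PermissionData) -> None:
        # A realm identity may belong to exactly one platform user; refuse re-binding.
        if ident in self._by_idp and self._by_idp[ident] != platform_id:
            raise ValueError(f"{ident} is already mapped to another platform id")
        self._by_platform.setdefault(platform_id, set()).add(ident)
        self._by_idp[ident] = platform_id
        self._perms[ident] = perms

    def resolve_platform_id(self, ident: IdpIdentity) -> Optional[str]:
        """Match the identifier returned by an IdP to the platform identifier."""
        return self._by_idp.get(ident)

    def merged_permissions(self, platform_id: str, now: float) -> tuple[dict[str, set[str]], list[str]]:
        """Evaluate every linked, non-expired permission set; where two realms
        disagree about a resource, record the conflict and keep the data of the
        higher-priority realm (claim 7)."""
        merged: dict[str, set[str]] = {}
        winner: dict[str, str] = {}
        conflicts: list[str] = []
        ordered = sorted(self._by_platform.get(platform_id, ()),
                         key=lambda i: self.realm_priority[i.realm], reverse=True)
        for ident in ordered:
            perms = self._perms[ident]
            if not perms.is_valid(now):
                continue                       # timed-out data contributes nothing
            for resource, actions in perms.grants.items():
                if resource not in merged:
                    merged[resource] = set(actions)
                    winner[resource] = ident.realm
                elif merged[resource] != actions:
                    conflicts.append(f"{resource}: {winner[resource]} overrides {ident.realm}")
        return merged, conflicts

    def authorize(self, ident: IdpIdentity, resource: str, action: str, now: float) -> bool:
        """Grant step: request carries the IdP identifier and a resource id (claim 3)."""
        platform_id = self.resolve_platform_id(ident)
        if platform_id is None:
            return False                       # unknown identity: deny by default
        merged, _ = self.merged_permissions(platform_id, now)
        return action in merged.get(resource, set())


def build_example_store() -> PlatformIdentityStore:
    """Constructed sample: one user known to an LDAP realm and a SAML realm."""
    store = PlatformIdentityStore(realm_priority={"corp-ldap": 2, "partner-saml": 1})
    alice_ldap = IdpIdentity("corp-ldap", "uid=alice,ou=people,dc=example,dc=com")
    alice_saml = IdpIdentity("partner-saml", "alice@partner.example")
    store.link("plat-0001", alice_ldap, PermissionData(
        grants={"dataset:sales": {"read"}, "dataset:hr": {"read", "edit"}}))
    store.link("plat-0001", alice_saml, PermissionData(
        grants={"dataset:sales": {"read", "edit"}, "dataset:partner": {"read"}},
        expires_at=2000.0))
    return store


if __name__ == "__main__":
    s = build_example_store()
    saml = IdpIdentity("partner-saml", "alice@partner.example")
    print(s.merged_permissions("plat-0001", now=1000.0))
    print(s.authorize(saml, "dataset:sales", "edit", now=1000.0))   # LDAP realm wins: False
```

Two points the example makes concrete: the lower-priority realm cannot widen a grant that the higher-priority realm stated more narrowly (the SAML realm's "edit" on the sales dataset is discarded, and the conflict is reported rather than silently absorbed), and once the SAML realm's permission data times out it drops out of the merge entirely, so anything only that realm granted is no longer reachable through the shared platform identifier.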
Description
CROSS REFERENCE TO RELATED APPLICATIONS
This application is a continuation of U.S. application Ser. No. 17/693,780, filed Mar. 14, 2022, which is a continuation of U.S. application Ser. No. 16/662,466, filed Oct. 24, 2019, which claims priority to U.S. Provisional Application No. 62/913,249, filed Oct. 10, 2019, both incorporated by reference herein for all purposes.
BACKGROUND
Certain embodiments of the present disclosure relate to data security over a network and/or to establishing access sessions in computing platforms. More particularly, some embodiments of the present disclosure provide systems and methods for authenticating users of a data processing platform that interface with a plurality of identity providers, for example external identity providers via a network. Cloud computing is a computing infrastructure for enabling ubiquitous access to shared pools of servers, storage, computer networks, applications and other data resources, which can be rapidly provisioned, often over a network, such as the Internet. For example, a “data resource” as used herein may include any item of data or code (e.g., a data object) that can be used by one or more computer programs. In example embodiments, data resources are stored in one or more network databases and are capable of being accessed by applications hosted by servers that share common access to the network database. A data resource may, for example, be a data analysis application, a data transformation application, a report generating application, a machine learning process, a spreadsheet or a database, or part of a spreadsheet or part of a database, e.g. records. Some companies provide cloud computing data processing services for registered customers, for example, manufacturing and technology companies, to create, store, manage and execute their own resources via a network.
Users within the customer's domain, and other users outside of the customer's domain, e.g., support administrators of the provider company, may perform one or more actions on one or more data resources, which actions may vary from reading, authoring, editing, transforming, merging, or executing. Sometimes, these resources may interact with other resources, for example, those provided by the cloud platform provider. Certain data resources may be used to control external systems. When providing access to cloud-based computing services and data resources, such as a data processing platform for performing said one or more tasks, an authentication service may be provided that typically provides a basic login workflow. Some external organizations utilizing the cloud-based services may have peculiar requirements for login flows, for example, in terms of the protocols they implement, the complex organizational structure they represent, and/or the various compliance/auditing requirements they impose. For example, some external organizations may wish to enable a login session for their data resources using a simple one-factor authentication method, e.g., username and password. Other external organizations may wish to use multi-factor authentication methods, e.g., by means of sending a challenge to a user device (e.g. mobile phone) or email account for response, after the username and password first-factor has been verified. Some external organizations may wish to require a terms of service agreement to be agreed to by the user before a login session can be established, and so on. It is also known for platform provider organizations to outsource at least part of their one-factor authentication service or other multi-factor service to external services called Identity Providers (IdP). 
In this way, the user authenticates themselves, e.g., with username and password (and second factor information if desired), to the IdP via a webpage, and the returned page contains a form with a success or failure assertion which is then submitted to the provider organization's login webpage for establishing a login session, if successful. This can avoid the provider organization having to provide at least part of the infrastructure of an authentication service. In some platforms, platform authentication systems are implemented as an application server and services that act as a service provider that manages access to applications that are provided by the platform, based on a set of users that are connected through an identity provider. Platform authentication systems may also operate as permissioning systems that limit users to permissions specified by organizations whose users use the platform. As such, users (including applications or other services) of client applications and/or the applications in the platform are authenticated. Each authentication source such as external identity providers or internal authentication sources that are internal to the platform are sometimes referred to as a realm. For example, some deployments might have a Lightweight Directory Access Protocol (LDAP) based realm used for custome