
US-20260129036-A1 - SECURE CUSTOMER-MANAGED CERTIFICATE AUTHORITY INTEGRATION


Abstract

A system associated with an application access framework in a cloud computing environment may include a secure login server that authenticates, via a secure login service, a customer user requesting access to a cloud application. The secure login service may then obtain a user access token via an identity authentication protocol client at a customer cloud-based identity authentication service tenant. It is arranged for the user access token to be exchanged for an exchanged access token. The exchanged access token can then be provided from the secure login service to a cloud service identity provider of the customer to gain temporary access. The secure login service uses the temporary access to have a customer Public Key Infrastructure (“PKI”) certificate authority in the cloud service issue an authentication certificate for the customer user.

Inventors

  • Nils Neumann
  • Marc RAHN

Assignees

  • SAP SE

Dates

Publication Date
20260507
Application Date
20241106

Claims (20)

  1. A system associated with an application access framework in a cloud computing environment, comprising: a secure login server, including: a computer processor, and a computer memory storing instructions that, when executed by the computer processor, cause the secure login server to: authenticate, via a secure login service, a customer user requesting access to a cloud application, obtain, by the secure login service, a user access token via an identity authentication protocol client at a customer cloud-based identity authentication service tenant, arrange for the user access token to be exchanged for an exchanged access token, provide the exchanged access token from the secure login service to a cloud service identity provider of the customer to gain temporary access, and use, by the secure login service, the temporary access to have a customer Public Key Infrastructure (“PKI”) certificate authority in the cloud service issue an authentication certificate for the customer user.
  2. The system of claim 1, wherein the authentication certificate is used to provide the customer user with access to the cloud application.
  3. The system of claim 2, wherein the access to the cloud application is revoked after the customer user accesses the cloud application.
  4. The system of claim 1, wherein the identity authentication protocol client at the customer cloud-based identity authentication service tenant is an Open Identifier Connect (“OIDC”) client.
  5. The system of claim 4, wherein the OIDC client is a clone of a parent OIDC client and inherits access from the parent OIDC client.
  6. The system of claim 1, wherein the secure login service authenticates the customer user via Single Sign-On (“SSO”).
  7. The system of claim 1, wherein the authentication certificate is an X.509 public key certificate.
  8. The system of claim 1, wherein the cloud service identity provider of the customer communicates with the customer certificate authority in accordance with customer user roles and policies.
  9. The system of claim 1, wherein the exchanged access token is anonymized.
  10. The system of claim 1, wherein the cloud application access is part of an integration suite for data, application, and Application Programming Interface (“API”) integration.
  11. The system of claim 10, wherein the cloud application comprises an Advanced Business Application Programming (“ABAP”) business application.
  12. The system of claim 1, wherein the temporary access gained by the secure login service expires after a pre-determined period of time.
  13. A computer-implemented method associated with an application access framework in a cloud computing environment, comprising: authenticating, by a computer processor of a secure login server via a secure login service, a customer user requesting access to a cloud application; obtaining, by the secure login service, a user access token via an Open Identifier Connect (“OIDC”) client at a customer cloud-based identity authentication service tenant; arranging for the user access token to be exchanged for an exchanged access token; providing the exchanged access token from the secure login service to a cloud service identity provider of the customer to gain temporary access; using, by the secure login service, the temporary access to have a customer Public Key Infrastructure (“PKI”) certificate authority in the cloud service issue an X.509 public key certificate for the customer user; and using the X.509 public key certificate to provide the customer user with access to the cloud application.
  14. The method of claim 13, wherein the access to the cloud application is revoked after the customer user accesses the cloud application and the temporary access gained by the secure login service expires after a pre-determined period of time.
  15. The method of claim 13, wherein the cloud service identity provider of the customer communicates with the customer certificate authority in accordance with customer user roles and policies.
  16. The method of claim 13, wherein the exchanged access token is anonymized.
  17. One or more non-transitory computer-readable media storing computer-executable instructions that, when executed by a computing system, cause the computing system to perform operations for an application access framework in a cloud computing environment, comprising: authenticating, by a secure login server via a secure login service, a customer user requesting access to a cloud application; obtaining, by the secure login service, a user access token via an identity authentication protocol client at a customer cloud-based identity authentication service tenant; arranging for the user access token to be exchanged for an exchanged access token; providing the exchanged access token from the secure login service to a cloud service identity provider of the customer to gain temporary access; using, by the secure login service, the temporary access to have a customer Public Key Infrastructure (“PKI”) certificate authority in the cloud service issue an authentication certificate for the customer user; and using the authentication certificate to provide the customer user with access to the cloud application.
  18. The media of claim 17, wherein the secure login service authenticates the customer user via Single Sign-On (“SSO”).
  19. The media of claim 17, wherein the cloud application access is part of an integration suite for data, application, and Application Programming Interface (“API”) integration.
  20. The media of claim 17, wherein the cloud application comprises an Advanced Business Application Programming (“ABAP”) business application.

Description

BACKGROUND

A provider may let a customer enterprise access business applications in a cloud computing environment. For example, a customer employee may access an Advanced Business Application Programming (“ABAP”) business application. Such an arrangement may utilize a Public Key Infrastructure (“PKI”) to create, manage, distribute, use, and store digital certificates and manage public-key encryption. The PKI may facilitate the secure electronic transfer of information for a range of network activities such as e-commerce, internet banking, and other confidential communications. The PKI binds public keys with respective identities of entities through a process of certificate registration and issuance by a Certificate Authority (“CA”). The X.509 protocol is an International Telecommunication Union (“ITU”) standard defining the format of public key certificates, such as those used in Transport Layer Security (“TLS”), Secure Socket Layer (“SSL”), and Hyper-Text Transfer Protocol-Secure (“HTTPS”) for browsing the web.

To facilitate access, the provider may establish a secure log-in service that lets customer employees access business applications with a Single Sign-On (“SSO”) authentication scheme. SSO may let a user log in with a single identifier to several related, yet independent, software systems. For example, the customer employee may log in once (e.g., with a username and password) and access services without needing to re-enter authentication factors.

FIG. 1 is a traditional system 100 in which a customer employee 110 logs in via a provider 130 to access ABAP-based business applications. The customer employee uses a secure login service 120 that communicates with a cloud PKI 130 to issue an X.509 client certificate. These X.509 client certificates are issued within the cloud PKI 135, which is operated solely by the provider 130. For compliance reasons, customers may not want to use a provider 130 managed cloud PKI 135 to sign the X.509 client certificates.
Instead, the customer may prefer to integrate a Certificate Authority (“CA”) and PKI that is fully under their control. That is, customers may want to maintain full control of their PKI while retaining the easy integration and capabilities provided by the secure login service 120. They might also not want to give the provider 130 permanent and complete access to a PKI (e.g., via shared and fixed credentials). Instead, the customer may prefer to share only temporary and restricted access with the secure login service 120 to issue X.509 client certificates on behalf of their employees. It would therefore be desirable to provide customer-managed CA integration in a secure, automatic, and efficient manner.

SUMMARY

According to some embodiments, methods and systems associated with an application access framework in a cloud computing environment may include a secure login server that authenticates, via a secure login service, a customer user requesting access to a cloud application. The secure login service may then obtain a user access token via an identity authentication protocol client at a customer cloud-based identity authentication service tenant. It is arranged for the user access token to be exchanged for an exchanged access token. The exchanged access token can then be provided from the secure login service to a cloud service identity provider of the customer to gain temporary access. The secure login service uses the temporary access to have a customer PKI certificate authority in the cloud service issue an authentication certificate for the customer user.
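The flow summarised above has four control points a defender cares about: the user token is bound to the secure login service, the exchanged token is anonymised and short-lived, the customer's identity provider converts it into a temporary single-purpose grant, and the customer CA issues only against a live grant within its own policy. The following Python model is an added example, not SAP's code or the code of any product named in this publication. It uses HMAC-signed JSON strings as a stand-in for the OIDC/JWT tokens and a plain dict as a stand-in for the X.509 certificate; the key values, the pairwise-pseudonym subject, the 60-second token and 120-second grant lifetimes, the scope name and the eight-hour certificate policy are all constructed assumptions chosen to make the checks observable.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed keys for the toy; real deployments use asymmetric keys at each party.
TENANT_KEY = b"constructed-customer-tenant-key"
EXCHANGE_KEY = b"constructed-token-exchange-key"
MAX_CERT_LIFETIME = 8 * 3600   # assumed CA policy: client certs live at most eight hours


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def sign_token(claims: dict, key: bytes) -> str:
    """Toy 'body.tag' token: JSON claims plus an HMAC-SHA256 tag (stand-in for a signed JWT)."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    tag = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{tag}"


def verify_token(token: str, key: bytes, audience: str, now: float) -> dict:
    """Check signature, audience and expiry before trusting any claim in the token."""
    body, tag = token.split(".")
    expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("bad token signature")
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if claims.get("aud") != audience:
        raise PermissionError("token not meant for this service")
    if claims["exp"] <= now:
        raise PermissionError("token expired")
    return claims


def issue_user_token(email: str, now: float) -> str:
    """Customer identity tenant (OIDC client): user access token aimed at the secure login service."""
    return sign_token({"sub": email, "aud": "secure-login-service", "exp": now + 300}, TENANT_KEY)


def exchange_token(user_token: str, now: float) -> str:
    """Token exchange: swap the user token for a short-lived, anonymised token for the customer IdP.
    The subject becomes a pairwise pseudonym (assumed design), so the e-mail never travels further."""
    claims = verify_token(user_token, TENANT_KEY, "secure-login-service", now)
    pseudonym = hashlib.sha256(b"constructed-pairwise-salt:" + claims["sub"].encode()).hexdigest()[:16]
    return sign_token({"sub": pseudonym, "aud": "customer-cloud-idp",
                       "scope": "pki:issue-client-cert", "exp": now + 60}, EXCHANGE_KEY)


class CustomerCloudIdP:
    """Customer side: turns an exchanged token into a temporary, single-purpose, expiring grant."""

    def __init__(self, grant_ttl: float = 120):
        self.grant_ttl = grant_ttl
        self.grants = {}

    def grant_temporary_access(self, exchanged_token: str, now: float) -> str:
        claims = verify_token(exchanged_token, EXCHANGE_KEY, "customer-cloud-idp", now)
        if claims.get("scope") != "pki:issue-client-cert":
            raise PermissionError("token lacks the issuance scope")
        grant_id = secrets.token_hex(8)
        self.grants[grant_id] = {"subject": claims["sub"], "exp": now + self.grant_ttl,
                                 "allowed_usage": "client-auth"}
        return grant_id


class CustomerCA:
    """Customer-managed CA: issues only against a live grant, within policy, and can revoke."""

    def __init__(self, idp: CustomerCloudIdP):
        self.idp = idp
        self.issued = {}
        self.revoked = set()

    def issue_certificate(self, grant_id: str, usage: str, lifetime: float, now: float) -> dict:
        grant = self.idp.grants.get(grant_id)
        if grant is None or grant["exp"] <= now:
            raise PermissionError("no valid temporary access")
        if usage != grant["allowed_usage"] or lifetime > MAX_CERT_LIFETIME:
            raise PermissionError("request outside grant policy")
        serial = secrets.token_hex(8)
        cert = {"serial": serial, "subject": grant["subject"], "usage": usage,
                "not_before": now, "not_after": now + lifetime}
        self.issued[serial] = cert
        del self.idp.grants[grant_id]          # the grant is consumed by a single issuance
        return cert

    def is_valid(self, serial: str, now: float) -> bool:
        cert = self.issued.get(serial)
        return (cert is not None and serial not in self.revoked
                and cert["not_before"] <= now < cert["not_after"])

    def revoke(self, serial: str) -> None:
        self.revoked.add(serial)


def run_flow(now: float = None) -> dict:
    """Happy path end to end; returns the artefacts so each control point can be inspected."""
    now = time.time() if now is None else now
    idp = CustomerCloudIdP()
    ca = CustomerCA(idp)
    user_token = issue_user_token("alice@example.com", now)      # constructed user
    exchanged = exchange_token(user_token, now)
    grant_id = idp.grant_temporary_access(exchanged, now)
    cert = ca.issue_certificate(grant_id, "client-auth", 3600, now)
    return {"exchanged": exchanged, "cert": cert, "ca": ca, "idp": idp}
```

Three properties fall out of the structure rather than from configuration: the provider-side service never holds a long-lived credential for the customer PKI (only a grant that expires in minutes and is deleted on first use), the CA never learns the user's e-mail because the exchanged token carries only the pseudonym, and the CA can refuse a request that asks for a usage or lifetime outside the grant even when the grant itself is valid.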
Some embodiments comprise: means for authenticating, by a computer processor of a secure login server via a secure login service, a customer user requesting access to a cloud application; means for obtaining, by the secure login service, a user access token via an Open Identifier Connect (“OIDC”) client at a customer cloud-based identity authentication service tenant; means for arranging for the user access token to be exchanged for an exchanged access token; means for providing the exchanged access token from the secure login service to a cloud service identity provider of the customer to gain temporary access; means for using, by the secure login service, the temporary access to have a customer PKI certificate authority in the cloud service issue an X.509 public key certificate for the customer user; and means for using the X.509 public key certificate to provide the customer user with access to the cloud application.

Some technical advantages of some embodiments disclosed herein are improved systems and methods to provide customer-managed CA integration in a secure, automatic, and efficient manner.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a traditional business application access system.
FIG. 2 is a customer-managed CA integration system architecture in accordance with some embodiments.
FIG. 3 is a customer-managed CA integration method according to some embodiments.
FIG. 4 is a more detailed