AUTHORIZATION CODE FLOW FOR IN-BROWSER APPLICATIONS

    Publication number: US20180167384A1

    Publication date: 2018-06-14

    Application number: US15376174

    Application date: 2016-12-12

    Applicant: SAP SE

    Abstract: A system receives a request from an in-browser application for an authorization code, creates a session that re-directs the in-browser application to an authorization server, and receives the authorization code from the authorization server by way of the in-browser application. The system requests an access token from the authorization server and receives the access token from the authorization server. The system then receives a request from the in-browser application for a resource, uses the access token to request the resource from a third-party resource server, and returns the resource to the in-browser application.

    AUTHORIZATION CLIENT MANAGEMENT IN A DISTRIBUTED COMPUTING ENVIRONMENT

    Publication number: US20200007550A1

    Publication date: 2020-01-02

    Application number: US16023804

    Application date: 2018-06-29

    Applicant: SAP SE

    Abstract: Techniques are described for management of authorization (e.g., OAuth) clients on a distributed computing environment (e.g., platform), through a deployment descriptor of the application(s) hosted in the environment. The deployment descriptor can be provided with the deployed application, and describes various permissions for access to services provided by the platform and scope(s) of such access. Credentials can be generated for each subscriber of the application, according to the scope(s) indicated in the descriptor, and an authorization client can be generated that describes the various subscriptions of the various access and access scope(s) associated with each subscription. The authorization client is available on the platform and accessed at application runtime to control the application's access to the various services available on the platform.

    Collecting information for tracing in a complex computing system

    Publication number: US10270672B2

    Publication date: 2019-04-23

    Application number: US15372823

    Application date: 2016-12-08

    Applicant: SAP SE

    Abstract: A first request is received at a central tracing component and from a first module in a complex computing system. The first request is received when the first module is called to execute. In response to the first request, input data of the first module is stored in the central tracing component. A second request is received from the first module when the first module has been successfully executed. In response to the second request, output data of the first module is stored in the central tracing component. A third request is received from a second module when the second module has failed execution. In response to the third request, the stored data in the central tracing component is sent to the second module.

    Authorization client management in a distributed computing environment

    Publication number: US10992680B2

    Publication date: 2021-04-27

    Application number: US16023804

    Application date: 2018-06-29

    Applicant: SAP SE

    Abstract: Techniques are described for management of authorization (e.g., OAuth) clients on a distributed computing environment (e.g., platform), through a deployment descriptor of the application(s) hosted in the environment. The deployment descriptor can be provided with the deployed application, and describes various permissions for access to services provided by the platform and scope(s) of such access. Credentials can be generated for each subscriber of the application, according to the scope(s) indicated in the descriptor, and an authorization client can be generated that describes the various subscriptions of the various access and access scope(s) associated with each subscription. The authorization client is available on the platform and accessed at application runtime to control the application's access to the various services available on the platform.

    Accessing an application through application clients and web browsers

    Publication number: US10484385B2

    Publication date: 2019-11-19

    Application number: US14730235

    Application date: 2015-06-04

    Applicant: SAP SE

    Abstract: A request from an application client is received at a protected application. The request includes an access token. A grant information associated with the received access token is retrieved. The grant information includes a plurality of intersecting scopes of rights granted to the application client. In another aspect, a session is established between the protected application and the application client. Furthermore, at least one scope of rights from the plurality of intersecting scopes of rights is determined to be mapped to at least one Application Programming Interface (API) from a number of APIs provided by the protected application.

    Authorization code flow for in-browser applications

    Publication number: US10230720B2

    Publication date: 2019-03-12

    Application number: US15376174

    Application date: 2016-12-12

    Applicant: SAP SE

    Abstract: A system receives a request from an in-browser application for an authorization code, creates a session that re-directs the in-browser application to an authorization server, and receives the authorization code from the authorization server by way of the in-browser application. The system requests an access token from the authorization server and receives the access token from the authorization server. The system then receives a request from the in-browser application for a resource, uses the access token to request the resource from a third-party resource server, and returns the resource to the in-browser application.

    Multi-domain applications with authorization and authentication in cloud environment

    Publication number: US10015157B2

    Publication date: 2018-07-03

    Application number: US15169841

    Application date: 2016-06-01

    Applicant: SAP SE

    CPC classification number: H04L63/0815 H04L63/062 H04L63/10

    Abstract: A multi-domain application requiring SSO and SLO operations in cloud environment is presented. The computing system of the multi-domain application includes a multi-domain service (MDS) to redirect the calls for the multi-domain application to an identity provider to authenticate the user or to invoke the single logout services (SLOs) on the domains of the multi-domain application and to invalidate the user sessions on the domains. A cookie that includes the multi-domain application URL is generated to reach the assertion consumer service (ASC) and the single logout service (SLO) that receive an identity assertion response from the identity provider. Domain specific SLOs are provided. A trust between these domain specific SLOs and the SLO is provided based on service provider keys. The SAML mechanism for a logout scenario is reused for communication between the SLO and the domain specific SLOs, where the SLO plays a role of a local IDP.

    COLLECTING INFORMATION FOR TRACING IN A COMPLEX COMPUTING SYSTEM

    Publication number: US20180167293A1

    Publication date: 2018-06-14

    Application number: US15372823

    Application date: 2016-12-08

    Applicant: SAP SE

    Abstract: A first request is received at a central tracing component and from a first module in a complex computing system. The first request is received when the first module is called to execute. In response to the first request, input data of the first module is stored in the central tracing component. A second request is received from the first module when the first module has been successfully executed. In response to the second request, output data of the first module is stored in the central tracing component. A third request is received from a second module when the second module has failed execution. In response to the third request, the stored data in the central tracing component is sent to the second module.
