Modern software development is evolving away from the client-server model toward network-based processing systems that provide access to data and services via the Internet or other networks. In contrast to traditional systems that host networked applications on dedicated server hardware, a “cloud” computing model allows applications to be provided over the network “as a service” supplied by an infrastructure provider. The infrastructure provider typically abstracts the underlying hardware and other resources used to deliver a customer-developed application so that the customer no longer needs to operate and support dedicated server hardware. The cloud computing model can often provide substantial cost savings to the customer over the life of the application because the customer no longer needs to provide dedicated network infrastructure, electrical and temperature controls, physical security and other logistics in support of dedicated server hardware.
Multi-tenant cloud-based architectures have been developed to improve collaboration, integration, and community-based cooperation between customer tenants without sacrificing data security. Generally speaking, multi-tenancy refers to a system wherein a single hardware and software platform simultaneously supports multiple user groups (also referred to as “organizations” or “tenants”) from a common data store. The multi-tenant design provides a number of advantages over conventional server virtualization systems. First, the multi-tenant platform operator can often make improvements to the platform based upon collective information from the entire tenant community. Additionally, because all users in the multi-tenant environment execute applications within a common processing space, it is relatively easy to grant or deny access to specific sets of data for any user within the multi-tenant platform, thereby improving collaboration and integration between applications and the data managed by the various applications. The multi-tenant architecture therefore allows convenient and cost-effective sharing of similar application features between multiple sets of users.
In certain situations, a single user or operator of a multi-tenant database system might have legitimate credentials for login access to the applications and data of two or more different tenants. Traditionally, such a user would need distinct credentials (i.e., different usernames and/or different passwords) for each tenant. Some systems (including some multi-tenant database systems) utilize single sign-on (SSO) techniques to control access to multiple systems. For example, if a multi-tenant system implements an SSO technique, then a user that successfully logs into one system will also be given access to one or more other systems, depending upon how the SSO features for that user have been configured. In practice, the creation, setup, and configuration of SSO links between systems, organizations, and/or tenants can be time consuming, and often require the involvement of a system administrator or other technician.
Modern computing systems often use Security Assertion Markup Language (SAML) as a standard mechanism for implementing SSO features. In accordance with common practice, however, SAML-based SSO procedures require an identity provider, which is a processing module or logical construct that issues SAML assertions when an authenticated user of a first system initiates a SAML-based SSO procedure to gain access to a second system. In other words, the identity provider is the processing component of the first system that “guarantees” the identity of the user seeking access to the other system. Accordingly, before SSO can be supported by a system, an appropriate identity provider must be deployed for that system. In traditional systems, however, the process for creating an identity provider can be time consuming and vulnerable to human data entry errors.
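The paragraph above describes the identity provider as the component that “guarantees” a user's identity by issuing a SAML assertion to a second system. The second system (the service provider) must not take that guarantee at face value: it has to confirm that the assertion came from an identity provider it trusts, was meant for it, is still within its validity window, and has not been presented before. The following is an added example, not code from the patent or from any product it describes; it constructs a sample SAML 2.0 assertion with hypothetical issuer, audience and assertion-consumer-service URLs and runs the service-provider-side checks over it. It assumes the XML signature on the assertion has already been verified against the identity provider's certificate by an XML-DSig library, which this example does not implement.

```python
"""Service-provider-side acceptance checks for a SAML 2.0 assertion (added example)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample assertion; the issuer, audience and recipient URLs are hypothetical.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-assertion-1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.tenant-a.example</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://sp.tenant-b.example/saml/acs"
          NotOnOrAfter="2024-01-01T12:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.tenant-b.example</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_time(value):
    """Parse a SAML xsd:dateTime in UTC ('Z' suffix) into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_assertion(xml_text, trusted_issuers, expected_audience, acs_url,
                       now, seen_ids, skew=timedelta(seconds=30)):
    """Return the reasons to reject the assertion; an empty list means accept.

    Assumes the enclosing XML signature was already verified by an XML-DSig
    library. `seen_ids` is the service provider's replay cache of accepted IDs.
    """
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML_NS["saml"] or root.get("Version") != "2.0":
        return ["not a SAML 2.0 Assertion element"]

    # 1. The assertion must come from an identity provider this system trusts.
    issuer = root.findtext("saml:Issuer", default="", namespaces=SAML_NS).strip()
    if issuer not in trusted_issuers:
        problems.append("untrusted issuer: %r" % issuer)

    # 2. Validity window and audience restriction, with a small clock-skew allowance.
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        problems.append("missing Conditions")
    else:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now + skew < parse_time(not_before):
            problems.append("assertion not yet valid")
        if not_on_or_after is None or now - skew >= parse_time(not_on_or_after):
            problems.append("assertion expired or has no expiry")
        audiences = [a.text.strip() for a in
                     cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS) if a.text]
        if expected_audience not in audiences:
            problems.append("audience mismatch")

    # 3. A bearer SubjectConfirmation addressed to this ACS URL and not yet expired.
    confirmed = False
    for sc in root.findall("saml:Subject/saml:SubjectConfirmation", SAML_NS):
        data = sc.find("saml:SubjectConfirmationData", SAML_NS)
        if sc.get("Method") != BEARER or data is None or data.get("Recipient") != acs_url:
            continue
        expiry = data.get("NotOnOrAfter")
        if expiry is not None and now - skew < parse_time(expiry):
            confirmed = True
            break
    if not confirmed:
        problems.append("no usable bearer SubjectConfirmation for this recipient")

    # 4. Replay protection: each assertion ID may be accepted only once.
    assertion_id = root.get("ID")
    if not assertion_id:
        problems.append("missing assertion ID")
    elif assertion_id in seen_ids:
        problems.append("replayed assertion ID")

    if not problems:
        seen_ids.add(assertion_id)
    return problems


if __name__ == "__main__":
    cache = set()
    now = parse_time("2024-01-01T12:01:00Z")
    print(validate_assertion(SAMPLE_ASSERTION, {"https://idp.tenant-a.example"},
                             "https://sp.tenant-b.example",
                             "https://sp.tenant-b.example/saml/acs", now, cache))
```

The replay cache only needs to hold IDs until their `NotOnOrAfter` has passed, since anything older is rejected by the validity check anyway; in a multi-tenant deployment the cache and the trusted-issuer set should both be scoped to the tenant whose service provider is receiving the assertion, so an assertion issued for one tenant cannot be accepted by another.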