Single sign-on (SSO) techniques have become commonly used to enable a user to log in once and then gain access to other systems/services without having to log in again at each system or at each device/service in the system(s). Several standards/protocols have been written to address SSO usage, such as OpenID and the Liberty Alliance federation specifications.
With SSO, the user creates an identity by opening an account with an Identity Provider (IdP) and then uses this account to access various other Internet services without having to subscribe (e.g., create another account) to every one of the services. The IdP may be an entity that provides pure identity management or any Application Service Provider (ASP) that adds an identity management service to its portfolio of services. For example, FACEBOOK is a social networking ASP that also provides identity management services. Although most users open a FACEBOOK account in order to use FACEBOOK, the users may also use their FACEBOOK account to access other ASP(s) (referred to as a "Relying Party" or RP in the SSO schemes) by using the "connect with FACEBOOK" option that such an RP presents on its login page; the RP then receives from FACEBOOK an assertion of the user's identity rather than holding the user's credentials itself.
Identity management offered as a service is attractive to users and to ASPs, and hence there are many identity management services available today. More ASPs and/or other entities wish to enter this space so as to provide a better user experience and to attract more users to their services.
A problem is that the same user connecting to the same ASP (RP) or web service from different IdPs is identified as a different user at each, since the RP keys its local account on the identity asserted by a particular IdP, and thus is not able to have/access/use the same content in the local account at the RP or web service. Although some ASPs have identified this issue and allow the user to configure several allowed IdPs/identities in the user's local account, this solution is not scalable, is not user friendly, and decreases the attractiveness of SSO to the users, since the users need to create and manage their account in each of the various RPs or web services, and each account may require/recognize only specific IdPs/identities.
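The following is an added example, not code from the original text or from any identity provider or RP it names, illustrating both the IdP/RP flow described above and the duplicate-account problem. It assumes OpenID Connect style claims (an issuer `iss` and a subject `sub` that is unique only within that issuer, plus an `email`); the assertions, issuer URLs and subject values are constructed sample data. The RP keys local accounts on the pair (`iss`, `sub`), so the same person arriving from two IdPs lands in two local accounts unless the user explicitly links the second identity while logged in to the first. The example also shows, as a caveat the page does not spell out, why an RP must not shortcut the linking step by merging on the `email` claim alone: an IdP the RP trusts could assert any email address, and unverified email-based merging hands over the victim's local account.

```python
"""Added example of RP-side account keying across multiple IdPs (constructed data)."""
from dataclasses import dataclass
import itertools


@dataclass(frozen=True)
class Assertion:
    """Identity claims an IdP asserts to the RP after the user logs in at the IdP."""
    iss: str            # issuer: identifies the IdP
    sub: str            # subject: stable user identifier, unique only within this issuer
    email: str
    email_verified: bool = False


class RelyingParty:
    """Minimal RP that maps asserted identities to local accounts."""

    def __init__(self) -> None:
        self._accounts: dict[int, set[tuple[str, str]]] = {}   # local id -> bound identities
        self._index: dict[tuple[str, str], int] = {}           # (iss, sub) -> local id
        self._ids = itertools.count(1)

    def login(self, a: Assertion) -> int:
        """Return the local account for an asserted identity, creating one on first sight."""
        key = (a.iss, a.sub)
        if key not in self._index:
            local_id = next(self._ids)
            self._accounts[local_id] = {key}
            self._index[key] = local_id
        return self._index[key]

    def link(self, current_local_id: int, a: Assertion) -> None:
        """Bind a second IdP identity to the account the user is currently logged in to.

        The caller must have authenticated the current session; linking is never
        inferred from matching attributes such as email.
        """
        key = (a.iss, a.sub)
        owner = self._index.get(key)
        if owner is not None and owner != current_local_id:
            raise ValueError("identity is already bound to a different local account")
        self._index[key] = current_local_id
        self._accounts[current_local_id].add(key)

    def identities(self, local_id: int) -> frozenset[tuple[str, str]]:
        return frozenset(self._accounts[local_id])


class EmailMergingRP:
    """Unsafe variant: keys accounts on the email claim alone (do not do this)."""

    def __init__(self) -> None:
        self._by_email: dict[str, int] = {}
        self._ids = itertools.count(1)

    def login(self, a: Assertion) -> int:
        if a.email not in self._by_email:
            self._by_email[a.email] = next(self._ids)
        return self._by_email[a.email]


# Constructed sample assertions: one person, two IdPs, plus an attacker-controlled IdP.
ALICE_FROM_IDP_A = Assertion("https://idp-a.example", "alice-123", "alice@example.com", True)
ALICE_FROM_IDP_B = Assertion("https://idp-b.example", "u-777", "alice@example.com", True)
ATTACKER_FROM_IDP_C = Assertion("https://idp-c.example", "mallory", "alice@example.com", False)


def unlinked_logins() -> tuple[int, int]:
    """Same user via two IdPs at an RP with no linking: two distinct local accounts."""
    rp = RelyingParty()
    return rp.login(ALICE_FROM_IDP_A), rp.login(ALICE_FROM_IDP_B)


def linked_logins() -> tuple[int, int, int]:
    """Explicit linking while logged in: both identities resolve to one account."""
    rp = RelyingParty()
    first = rp.login(ALICE_FROM_IDP_A)
    rp.link(first, ALICE_FROM_IDP_B)          # user is authenticated as `first` here
    return first, rp.login(ALICE_FROM_IDP_B), len(rp.identities(first))


def email_merge_takeover() -> tuple[int, int]:
    """Email-keyed RP: an IdP asserting the victim's email reaches the victim's account."""
    rp = EmailMergingRP()
    return rp.login(ALICE_FROM_IDP_A), rp.login(ATTACKER_FROM_IDP_C)


if __name__ == "__main__":
    print("unlinked:", unlinked_logins())
    print("linked:", linked_logins())
    print("email merge:", email_merge_takeover())
```

Keying on (`iss`, `sub`) is the safe baseline because `sub` is scoped to its issuer; two IdPs may legitimately emit the same `sub` string for different people. The `link` method refuses to rebind an identity already owned by another local account, which prevents one user from silently absorbing another's account through the linking flow itself.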