Many applications, or more generally services, maintain accounts for users. For each account, a service typically maintains a separate set of information. For example, an electronic mail service stores the emails sent and received using each account. When an account is created for a user, the user provides credentials such as a user principal name (e.g., an electronic mail address) and a password. The user principal name (“UPN”) typically uniquely identifies the account, and the password is used to authenticate the user when the user later signs in to the account.
Many services employ an identity provider service to perform the authentication of users. When an account is created, the service directs the user to the identity provider service to input the UPN and password for the account. The identity provider service maintains a database, or user store, of user credentials for the service. When the user subsequently wants to access the account, the service again directs the user to the identity provider service, and the user provides the credentials to it. The identity provider service verifies the credentials against those in the user store. If the credentials are verified, the identity provider service provides a security token for the account to the service (e.g., indirectly via the device of the user). The security token is signed by the identity provider service and is evidence that the user has been authenticated as having provided the proper credentials for the account. The service checks the signature of the security token to determine that it was signed by the identity provider service, and checks the content of the security token (e.g., which account was authenticated and for which service the token was issued) to confirm that the user has been authenticated. The service then allows the user to access the account.
In a cloud data center, the services of many different organizations may be hosted. Such organizations are referred to as tenants of the cloud data center. An example tenant may be a home improvement company that has retail stores. The cloud data center may host an inventory application for the home improvement company so that its retail employees can access inventory information via kiosks (e.g., computers with Internet access) within the stores. To access the inventory application, an employee would need to sign in to it. In some cases, tenants delegate the sign-in process to a sign-in portal of the cloud data center. When the sign-in portal is used, an account would need to be created with the sign-in portal for each employee who needs to access the inventory application. The user principal name for an account may be an electronic mail address such as “john.doe@hic.com,” where “hic.com” is the domain name of the home improvement company. The sign-in portal may in turn delegate authentication to an identity provider service. So, when an employee requests to sign in, the request is redirected to the identity provider service. The identity provider service can identify the tenant from the domain name portion of the UPN, access the user store for the home improvement company, and authenticate the employee based on the credentials. The identity provider service then sends a security token for the employee to the sign-in portal, to be used by the inventory application as evidence that the employee has been authenticated.
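As an added example (not part of the original text and not code from any particular identity provider), the following Python sketches the two flows described above: an identity provider that selects a tenant's user store from the domain name portion of the UPN, verifies the password against that store, and issues a signed security token; and the service-side check of that token. The issuer name idp.example, the audience name "inventory", the HMAC-signed JWT-style token layout, the five-minute lifetime and the tenant "hic.com" are assumptions chosen for illustration. The checks a practitioner would want are included: the UPN must contain exactly one "@" so a crafted name cannot be routed to another tenant's store; the password hash is computed even for unknown accounts so timing does not reveal which UPNs exist; on the service side the signature is verified (with a pinned algorithm and constant-time comparison) before any claim is trusted, and issuer, audience and expiry are checked afterwards.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import os
import time

ISSUER = "idp.example"  # hypothetical identity provider name (assumption)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def split_upn(upn: str) -> tuple[str, str]:
    """Return (local part, lower-cased domain). Exactly one '@' is required, so a UPN
    such as 'x@evil.com@hic.com' cannot be routed to the wrong tenant's user store."""
    if upn.count("@") != 1:
        raise ValueError("malformed UPN")
    local, _, domain = upn.partition("@")
    if not local or not domain:
        raise ValueError("malformed UPN")
    return local, domain.lower()


class IdentityProvider:
    """Constructed identity provider: one user store per tenant, keyed by UPN domain."""

    def __init__(self, signing_key: bytes) -> None:
        self._key = signing_key
        self._stores: dict[str, dict[str, tuple[bytes, bytes]]] = {}

    def register_tenant(self, domain: str) -> None:
        self._stores[domain.lower()] = {}

    def create_account(self, upn: str, password: str) -> None:
        _, domain = split_upn(upn)
        salt = os.urandom(16)
        self._stores[domain][upn.lower()] = (salt, _hash_password(password, salt))

    def authenticate(self, upn: str, password: str, audience: str, now: int | None = None):
        """Verify the credentials against the tenant's store; return a signed token or None."""
        try:
            _, domain = split_upn(upn)
        except ValueError:
            return None
        store = self._stores.get(domain)
        if store is None:
            return None  # unknown tenant, so there is no user store to consult
        record = store.get(upn.lower())
        # Hash even when the account is unknown so timing does not reveal which UPNs exist.
        salt, stored = record if record else (bytes(16), bytes(32))
        if not hmac.compare_digest(_hash_password(password, salt), stored) or record is None:
            return None
        now = int(time.time()) if now is None else now
        claims = {"iss": ISSUER, "sub": upn.lower(), "tid": domain,
                  "aud": audience, "iat": now, "exp": now + 300}
        return self._sign(claims)

    def _sign(self, claims: dict) -> str:
        header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
        body = _b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
        sig = hmac.new(self._key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
        return f"{header}.{body}.{_b64url(sig)}"


def verify_token(token: str, key: bytes, audience: str, now: int | None = None):
    """The service's side: signature first, then issuer, audience and expiry.
    Returns the claims on success, None on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, body, sig = parts
    try:
        hdr = json.loads(_b64url_decode(header))
        # Pin the algorithm; never let the token decide how it is verified.
        if not isinstance(hdr, dict) or hdr.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(body))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON all derive from ValueError
        return None
    if not isinstance(claims, dict):
        return None
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER or claims.get("aud") != audience:
        return None
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return None
    return claims


if __name__ == "__main__":
    key = os.urandom(32)  # shared between the identity provider and the service (assumption)
    idp = IdentityProvider(key)
    idp.register_tenant("hic.com")
    idp.create_account("john.doe@hic.com", "correct horse")
    token = idp.authenticate("john.doe@hic.com", "correct horse", audience="inventory")
    print(verify_token(token, key, audience="inventory"))
```

The key is shared here only to keep the example self-contained; with an asymmetric signature the service would hold just the identity provider's public key, and the verification order (signature, then issuer, audience, expiry) stays the same.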
The use of credentials such as a UPN and password presents difficulties in certain situations. For example, during the springtime, the home improvement company may hire many seasonal workers. Although an account with a UPN and password may be created for each seasonal worker, such workers often have difficulty remembering their credentials. As another example, in some organizations, many of the employees may be considered “deskless” workers. A deskless worker is a worker who does not have a desk with a computer, such as a construction worker, a wait person, and so on. These deskless workers may still need to access certain applications of the organization, such as scheduling or payroll applications. These deskless workers may access their accounts so infrequently that it may be difficult for them to remember their credentials. When workers forget their credentials, it may lead to dissatisfied customers, loss of productivity, loss of revenue, and so on.