As connectivity to the Internet and to network applications has grown in recent years, so has the need for providing more robust network-oriented techniques for authenticating network entities. Authentication generally includes two components: an identity and a statement which can be used for verifying that identity. For example, a network client can authenticate to a network service by providing a client identifier (identity) and a client password (statement for verifying the identity).
Successful authentication can establish a trusted relationship between two entities. During that trusted relationship, statements and requests made between the two entities can be relied upon or assumed to be legitimate. Trusted relationships can provide for secure and seamless interactions between trusted entities during network transactions.
Unfortunately, authentication and trusted relationships between entities are not without significant problems. First, during authentication, confidential and proprietary information about one of the entities may be exposed on a network wire, where it can be maliciously intercepted and used to feign the identity of that entity. Second, an entity may have a plurality of authentication techniques requiring a multitude of different confidential information that the entity uses to authenticate and establish trusted relationships, where each of the different techniques is used depending upon a role or circumstance associated with the entity. Third, an entity may not always be relied upon to represent a specific physical location (e.g., a specific Internet Protocol address). This is so because an entity may be a user that accesses a plurality of different client machines, or a user that accesses a portable device which plugs into a variety of different networks or network devices as the user moves. Fourth, different circumstances, locations, or roles of an entity may require changes in the authentication techniques that are used by the entity. Fifth, disparate services seldom share authentication credentials, thus requiring an entity to authenticate multiple times.
Lastly, the identity information of any particular entity can vary substantially depending upon the service or other entity that the entity is authenticating with. Moreover, this disparate identity information can be required in different data formats by the various services and can be stored on a plurality of disparate identity data stores.
Because of the variety of security concerns, authentication techniques, and architectural arrangements of identity information and identity services, a unified mechanism for managing an entity's authentication and trust relationships has heretofore remained elusive in the industry. Consequently, entities are forced to manually manage their own authentication and trust relationships. This causes much transactional inefficiency and frustration as passwords expire (or are forgotten) and services change.
Additionally, the problems are not exclusively limited to an entity's perspective (e.g., application or user perspective), because much manual management and support are still required by network administrators to keep everything secure and in synchronization, so that entities can access the resources that they need. In fact, it can become extremely time-consuming for network administrators to continually reset passwords for entities or reissue identity information in different formats as services are added or upgraded.
Thus, improved techniques for dynamically establishing and managing authentication and trust relationships are needed.