Service providers are increasingly hosting and providing their web services at service clusters in a cloud, where the service clusters can be at geographically distributed locations to serve users/clients around the world and each of the service clusters includes a plurality of servers/service nodes hosting the services provided. For non-limiting examples, the network security services offered to the clients and their associated appliances include, but are not limited to, content category lookup, virus signature checking, advanced threat detection by identifying behavior of the network traffic, etc.
When a user intends to access the services hosted in the cloud from associated appliances/devices such as firewalls, web filters, and gateways, the service provider needs to authenticate the identifications and credentials of the user and to ascertain the service entitlement information of the user, e.g., what types/levels of services the user and his/her associated appliance are entitled to access at a certain level of priority, authorization, and duration. Since the cloud-based services can be offered by different service providers, each having its own authentication process and requirements, the appliances associated with the users may often need to authenticate themselves to each of the different service providers individually in order to be able to access the services they provide. Such per-service authentication can be time-consuming and puts an additional burden on the appliances. In addition, since the appliances associated with the users may be globally deployed anywhere around the world, they often need to choose the closest service cluster and deal with load balancing issues for each of the different services they intend to access in order to reduce network latency and maintain service quality. It is thus desirable to be able to authenticate and manage service entitlement information for the appliances across different/heterogeneous service providers and to provide the most efficient service clusters/nodes to the appliances for fast response time.
The foregoing examples of the related art and limitations related therewith are intended to be illustrative and not exclusive. Other limitations of the related art will become apparent upon a reading of the specification and a study of the drawings.