Field of the Invention
The specification generally relates to a broker-based authentication system. In particular, the specification relates to a system and method for authenticating an internal system with an internal authentication mechanism based on certified responses from an external authentication system.
Description of the Background Art
Authentication is a major challenge when two vendors want to do business over a network, since one party may not be ready to share its user credentials with the other party, and users may get annoyed when they have to maintain different sets of user credentials for different applications. For example, when a hospital tries to use a telemedicine system provided by a third party vendor (e.g., a local clinic) to serve remote patients, two authentication issues need to be considered. First, the hospital system may not be willing to share crucial data such as employees' names, addresses, phone numbers, etc., with the third party vendor. Second, a doctor or a technician may not be ready to enter and remember multiple credentials for different systems (e.g., the hospital and the clinic). Therefore it is important to build an authentication system that can authenticate a user in one domain (e.g., a hospital domain) and give the user access to applications in another domain (e.g., a third party domain) without affecting the internal structure of an application (e.g., no sharing of any critical data).
Some current solutions include open single sign-on (OpenSSO) and federated identity such as security assertion markup language (SAML), OpenID, etc. However, these approaches have deficiencies. The cookie-based “OpenSSO” approach fails when systems are located in multiple different domains, since the cookie of one domain cannot be transferred to another domain. Also, OpenSSO is vendor specific, e.g., the OpenSSO solution for one vendor cannot be integrated with that of another vendor. Federated identity approaches may provide a more generalized solution compared to OpenSSO. However, federated identity approaches are browser specific and are not capable of authenticating any sessionless system. There is a lack of a system that can authenticate both sessionless and session-oriented systems.