1. Technical Field
The present invention relates generally to the field of computer software and, more particularly, to methods of incorporating a password change policy into a single sign-on environment.
2. Description of the Related Art
As computers have infiltrated society over the past several decades and become more important in all aspects of modern life, more and more confidential information has been stored on a variety of enterprise resources such as NT shared directories, Netware domains, S/390 resources, and protected web server pages. However, computers and networks such as the Internet allow multitudes of users access to these resources. Many times multiple resources may be accessed via the same network, but not all users on the network need or should have access to every resource. Therefore, security devices have been implemented to prevent unauthorized access to specified resources.
One method of preventing unauthorized access is to require the user to provide user identification information to verify that the user is entitled to access specific resources. Thus, many resource manager applications require a user to provide identification information, such as a user ID and password, in order to access protected resources. These applications may have this information fixed within the application (i.e., “hard coded”), the application may be configured with the information, or, in some cases, the application may prompt the user for this information at run time.
However, resource manager applications are not the only computer resources requiring a user to provide identifying information. Other resources such as servers and networks may also require users to provide identifying information. Because different resources have different security requirements and because some resources assign identities rather than allowing a user to choose an identity, many users may have multiple identities depending on the particular resource that they are accessing.
Single sign-on (SSO) technology manages this set of multiple identities on behalf of a user so that the user only needs to maintain a single user identity. The user then allows the SSO environment to manage the other identities automatically whenever the user attempts to access a particular protected resource. Some SSO technology stores all of the user's target passwords in a centralized database. However, since passwords are confidential, the SSO server uses a “master key” to encrypt the user's passwords before it stores them, and it uses the same “master key” to decrypt the user's passwords after it retrieves them from the database and before it sends them to the SSO client.
However, when a user wants to change a SSO password, there is no presently available system to allow the user to change all of the user's target passwords with a single operation. In addition, administrators would like to specify a security policy in which the administrator may control when a target password may be changed, as well as what the content of the changed target password should be in relation to the original SSO password. Therefore, a flexible scheme for changing SSO target passwords and a method that supports this scheme in the existing SSO architecture is desirable.
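The two mechanisms described above, a master-key-encrypted password store and a policy-driven change of every target password in one operation, as an added, self-contained example. This is not the patent's own scheme or code: the vault class, the `TargetPolicy` shape with its `min_interval_s` (when a target may change) and `relation` (how the target password relates to the new SSO password), and the sample users and targets are all assumptions made for illustration. The vault uses encrypt-then-MAC built from HMAC-SHA256 so that it runs on the Python standard library; a real deployment would use an AEAD such as AES-GCM or ChaCha20-Poly1305 under a master key held outside the database.

```python
"""Constructed example: SSO target-password vault plus single-operation,
policy-controlled password change. Names and policy shape are hypothetical."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def _subkey(master_key: bytes, label: bytes) -> bytes:
    # Derive separate encryption and MAC keys from the one master key.
    return hmac.new(master_key, label, hashlib.sha256).digest()


class MasterKeyVault:
    """Stores each user's target passwords encrypted under the SSO master key.
    Encrypt-then-MAC from HMAC-SHA256 stands in for a proper AEAD here."""

    def __init__(self, master_key: bytes) -> None:
        self._enc_key = _subkey(master_key, b"sso-vault-enc")
        self._mac_key = _subkey(master_key, b"sso-vault-mac")
        self._records = {}  # (user, target) -> (nonce, ciphertext, tag)

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        out, counter = b"", 0
        while len(out) < length:  # counter-mode PRF stream from HMAC
            out += hmac.new(self._enc_key, nonce + counter.to_bytes(4, "big"),
                            hashlib.sha256).digest()
            counter += 1
        return out[:length]

    @staticmethod
    def _aad(user: str, target: str) -> bytes:
        # Binding user and target into the tag means a record copied between
        # targets by someone who can edit the database fails verification.
        return user.encode() + b"\x00" + target.encode()

    def _tag(self, user: str, target: str, nonce: bytes, ciphertext: bytes) -> bytes:
        return hmac.new(self._mac_key, self._aad(user, target) + nonce + ciphertext,
                        hashlib.sha256).digest()

    def store(self, user: str, target: str, password: str) -> None:
        nonce = secrets.token_bytes(16)
        plaintext = password.encode()
        ciphertext = bytes(p ^ k for p, k in zip(plaintext, self._keystream(nonce, len(plaintext))))
        self._records[(user, target)] = (nonce, ciphertext, self._tag(user, target, nonce, ciphertext))

    def verify(self, user: str, target: str) -> bool:
        nonce, ciphertext, tag = self._records[(user, target)]
        return hmac.compare_digest(tag, self._tag(user, target, nonce, ciphertext))

    def retrieve(self, user: str, target: str) -> str:
        if not self.verify(user, target):
            raise ValueError("vault record failed integrity check")
        nonce, ciphertext, _ = self._records[(user, target)]
        return bytes(c ^ k for c, k in zip(ciphertext, self._keystream(nonce, len(ciphertext)))).decode()

    def targets_for(self, user: str) -> list:
        return sorted(t for (u, t) in self._records if u == user)


@dataclass(frozen=True)
class TargetPolicy:
    """Hypothetical administrator-set rule for one target."""
    min_interval_s: int   # "when": a target password may not change more often than this
    relation: str         # "what": "same", "derived" or "independent" of the SSO password
    max_length: int = 64  # target-specific length limit


def target_password(relation: str, sso_password: str, target: str, max_length: int) -> str:
    if relation == "same":
        return sso_password[:max_length]
    if relation == "derived":
        # Distinct per target; a leaked target password does not directly expose the SSO password.
        return hmac.new(sso_password.encode(), target.encode(), hashlib.sha256).hexdigest()[:max_length]
    if relation == "independent":
        return secrets.token_urlsafe(48)[:max_length]
    raise ValueError(f"unknown relation {relation!r}")


def change_sso_password(vault: MasterKeyVault, user: str, new_sso_password: str,
                        policies: dict, last_changed: dict, now: int) -> dict:
    """One operation: re-set every target password for `user` that policy allows.
    Returns {target: "changed" | "skipped"} so the caller can report per-target outcome."""
    outcome = {}
    for target in vault.targets_for(user):
        policy = policies[target]
        if now - last_changed.get((user, target), -10**9) < policy.min_interval_s:
            outcome[target] = "skipped"  # too soon under the administrator's policy
            continue
        vault.store(user, target, target_password(policy.relation, new_sso_password,
                                                  target, policy.max_length))
        last_changed[(user, target)] = now
        outcome[target] = "changed"
    return outcome
```

Two caveats a practitioner would add: the `derived` relation lets anyone holding a target's password hash test guesses of the SSO password offline, so it only makes sense where the targets store passwords at least as well as the SSO server does; and the master key gives away every stored password at once, so it belongs in an HSM or key-management service rather than next to the database.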