The invention relates generally to communication networks, and more particularly to passive client single sign-on for Web applications.
In recent years, the Internet has become one of the most important tools for organizations to communicate and interact with each other. Access to network resources by users via the Internet, or by users in a related or federated network, is increasing. The number of user directories maintained to accommodate an expanded group of users outside a typical network has tended to grow over time, along with the effort of maintaining those directories. For security reasons, a user in one organization often has to be authenticated before being granted access to resources in another organization. Different mechanisms have been developed to facilitate user authentication. One such mechanism is Web Services Federation (WS-Federation). WS-Federation enables the sharing of identity across enterprise boundaries using Extensible Markup Language (XML) security tokens. These XML tokens use formats such as Security Assertion Markup Language (SAML) or Extensible Rights Markup Language (XrML).
Typically, the claims in the security tokens flow between a pair of enterprises. However, for security reasons, the resources that a web client or a network partner would access may be disposed outside of a security boundary. Establishing such a security boundary may call for a shadow directory and a token transfer mechanism to preserve security, and this arrangement typically requires multiple sign-ons by a user. In a typical token exchange, the originator of the tokens is called the Identity Provider. The Identity Provider owns a user's identity and authentication. The consumer of the tokens is called the Resource Provider. The Resource Provider may provide any number of Web Services or other applications. A cryptographic trust may be established between the two parties so that the Resource Provider can authenticate the Identity Provider as the authority for security tokens.
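A minimal model of the token exchange just described, added here as an illustration and not part of the patent: the Identity Provider issues a signed token carrying claims, and the Resource Provider accepts the claims only when the token comes from a trusted issuer, is unmodified, is addressed to it, and has not expired. The issuer names, the pre-shared key and the HMAC-over-JSON signature are constructed assumptions standing in for the XML security tokens and certificate-based trust the text refers to.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed trust relationship: a pre-shared key per trusted Identity Provider
# stands in for the certificate trust that real WS-Federation deployments use.
TRUSTED_ISSUERS = {"idp.example": b"constructed-shared-secret"}


def _sign(key: bytes, payload: bytes) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def issue_token(issuer: str, subject: str, audience: str, claims: dict,
                now: int, ttl: int = 300) -> dict:
    """Identity Provider side: emit a security token carrying claims about a user."""
    body = {"iss": issuer, "sub": subject, "aud": audience,
            "exp": now + ttl, "claims": claims}
    # Canonical serialization so the signature covers exactly the bytes verified later.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return {"payload": payload.decode(), "sig": _sign(TRUSTED_ISSUERS[issuer], payload)}


def verify_token(token: dict, expected_audience: str, now: int) -> Optional[dict]:
    """Resource Provider side: return the claims, or None if the token must be rejected."""
    payload = token["payload"].encode()
    try:
        body = json.loads(payload)
    except ValueError:
        return None
    key = TRUSTED_ISSUERS.get(body.get("iss"))
    if key is None:
        return None  # issuer is not an Identity Provider we trust
    if not hmac.compare_digest(_sign(key, payload), token["sig"]):
        return None  # signature mismatch: tampered or forged token
    if body.get("aud") != expected_audience:
        return None  # token was issued for a different Resource Provider
    if body.get("exp", 0) <= now:
        return None  # expired
    return body["claims"]
```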
Like reference numerals are used to designate like parts in the accompanying drawings.