A computer system typically requires a user to authenticate himself to the system. Authentication is a necessary technical precondition for any authorization of a user. Only if a computer system, or a network of connected computer systems, can authenticate a user, i.e. be sure about his identity, can the user be authorized to perform certain actions within the network, such as adding, modifying or removing data.
Before the time of the Internet, the user's identity was only used within a limited space, typically a single computer. One user repository (for example, one LDAP directory) was sufficient for authentication of all users of the single computer system. However, with the development of computer networks, the use of only a single user repository is no longer sufficient. Accordingly, concepts were developed for authentication in a whole computer environment comprising several computer systems. One example is Microsoft's current Active Directory model, wherein multiple domains are combined within one “forest”. In this concept, the indication of the domain name in front of the actual user ID is sufficient for a unique identification.
However, most computer environments are nowadays no longer homogeneous but instead use hardware and software from a variety of vendors, which apply different authentication strategies. For example, a user may authenticate himself on a given Active Directory using MS programs as:
“euro\jdoe”
However, the same user may authenticate himself on a UNIX system, which results in the following ID:
“cn=John Doe,ou=users,ou=England,dc=euro,dc=company,dc=com”
Another example is Windows NT: Internally, users are represented by a SID (security identifier), which is a numeric value that can globally identify a user uniquely within a Windows domain. The form of the SID that can be read by humans and processed also by non-Windows software looks like:
jdoe@myorg.com.
In the Lightweight Directory Access Protocol (LDAP), the LDAP directory is a centrally reachable service that maintains, among other entries, user entries. Any LDAP object is always represented by its position within the hierarchical tree:
“cn=john doe,ou=users,o=euro,dc=mycomp,dc=org”
It is quite evident that there is no easy way to identify all of the above representations as actually referring to the same user. The above difficulties occur regardless of whether the user is a human or, in turn, a computer or an application which accesses resources within the heterogeneous computer environment.
Such inconsistencies are particularly a problem if tasks are delegated within a heterogeneous computer environment. To this end, credentials of a certain user are passed on in such a way that the recipient system must be able to recognize these credentials. Accordingly, it must be able to compare specific credentials with others, and these credentials must be meaningful, not just a blob of data. Only if the recipient understands the user credentials can it then take further authorization actions. Mapping one user ID (of one part of the computer environment) to another resolves the issue only partly, since every mapping process leads to a loss of information, namely where a user may have authenticated himself for the first time in the overall computer environment.
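The following is an added illustration, not part of the original text: it classifies the three identifier forms discussed above (DOMAIN\user, user@realm and an LDAP distinguished name), correlates them against an explicitly maintained table, and keeps the identifier exactly as presented so that the origin of the first authentication is not lost in the mapping. The correlation table, the "subject-0001" value and the realm strings are constructed for the example.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    form: str      # representation the identifier arrived in: netbios, upn or dn
    name: str      # user part, lower-cased for comparison
    realm: str     # domain, realm or DN suffix, lower-cased
    original: str  # identifier exactly as presented (kept so the origin is not lost)

def _split_dn(dn):
    """Split an LDAP DN into RDNs; a backslash-escaped comma is not a separator."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn)]

def parse_principal(identifier):
    """Classify one identifier as NetBIOS (DOMAIN\\user), UPN (user@realm) or LDAP DN."""
    s = identifier.strip()
    if "=" in s:                              # LDAP distinguished name
        rdns = _split_dn(s)
        attr, _, value = rdns[0].partition("=")
        if attr.strip().lower() not in ("cn", "uid"):
            raise ValueError(f"first RDN is not a user entry: {rdns[0]!r}")
        value = value.strip().replace("\\,", ",").lower()
        return Principal("dn", value, ",".join(r.lower() for r in rdns[1:]), identifier)
    if "\\" in s:                             # DOMAIN\user form
        domain, user = s.split("\\", 1)
        return Principal("netbios", user.lower(), domain.lower(), identifier)
    if "@" in s:                              # user@realm form
        user, realm = s.rsplit("@", 1)
        return Principal("upn", user.lower(), realm.lower(), identifier)
    raise ValueError(f"unrecognised identifier form: {identifier!r}")

# Constructed correlation table: (form, realm, name) -> canonical subject id.
# It has to be maintained explicitly; nothing in the strings themselves proves
# that "jdoe" and "john doe" denote the same person.
CORRELATION = {
    ("netbios", "euro", "jdoe"): "subject-0001",
    ("upn", "myorg.com", "jdoe"): "subject-0001",
    ("dn", "ou=users,ou=england,dc=euro,dc=company,dc=com", "john doe"): "subject-0001",
}

def resolve(identifier, table=CORRELATION):
    """Map an identifier to a canonical subject while keeping the original principal."""
    p = parse_principal(identifier)
    canonical = table.get((p.form, p.realm, p.name))
    if canonical is None:
        raise LookupError(f"no correlation entry for {identifier!r}")
    return canonical, p
```

Returning the parsed principal alongside the canonical subject is what preserves the information a plain ID-to-ID mapping discards: the recipient can still see in which form, and against which realm, the user originally authenticated.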
Thus, in view of the above, improvements in authentication of users are desired.