Technical Field
This disclosure relates generally to management of user sessions in a federated environment.
Background of the Related Art
User authentication is one function that service providers offer to ensure that users accessing resources (e.g., applications, web content, etc.) are authorized to do so. To ensure that a user is not an imposter, service providers (e.g., web servers) generally ask for a user's username and password to prove identity before authorizing access to resources. Single sign-on (SSO) is an access control mechanism that enables a user to authenticate once (e.g., provide a username and password) and gain access to software resources across multiple systems. Typically, an SSO system enables user access to resources within a single enterprise or organization. Federated Single Sign-on (F-SSO) extends the concept of single sign-on across multiple enterprises, thus establishing partnerships between different organizations and enterprises. F-SSO systems typically include application-level protocols that allow one enterprise (e.g., an identity provider) to supply a user's identity and other attributes to another enterprise (e.g., a service provider). In other words, an F-SSO system transports an assertion of the user's authenticated identity and attributes (rather than the user's password itself) from the identity provider to the service provider using any suitable protocol. Typically, current F-SSO techniques use HTTP as the transport protocol.
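The identity-provider-to-service-provider exchange described above, as an added example that is not part of this disclosure: the identity provider issues a signed assertion carrying the user's identity and attributes, and the service provider verifies it before granting access. Every name here (the issuer and audience URLs, the `SHARED_KEY`, the claim names) is an assumption made for the example; a shared HMAC key stands in for the asymmetric signing keys that SAML or OpenID Connect would use in a real federation. The checks on the service-provider side (signature, issuer, audience, validity window, one-time use) are the ones a practitioner expects any F-SSO relying party to enforce, and the example shows what each rejects.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Assumption for this example: one shared secret between the identity provider
# and the service provider. A real F-SSO deployment signs with the IdP's
# private key and the SP verifies with its published public key.
SHARED_KEY = b"idp-sp-demo-key-not-for-production"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(key, issuer, audience, subject, attributes, now, ttl=300):
    """Identity provider side: build a signed assertion that carries the
    user's identity and attributes and is bound to one service provider."""
    claims = {
        "iss": issuer,
        "aud": audience,
        "sub": subject,
        "attrs": attributes,
        "iat": now,
        "exp": now + ttl,
        # Unique assertion id so the SP can reject a replayed copy.
        "jti": hashlib.sha256(f"{issuer}|{subject}|{now}".encode()).hexdigest()[:16],
    }
    body = b64url_encode(json.dumps(claims, sort_keys=True).encode())
    sig = b64url_encode(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_assertion(token, key, expected_issuer, expected_audience, now, seen_ids):
    """Service provider side. Returns (True, claims) on success or
    (False, reason) naming the first check that failed."""
    try:
        body, sig = token.split(".")
        given = b64url_decode(sig)
    except (ValueError, binascii.Error):
        return False, "malformed"
    # Check the signature before trusting anything inside the body.
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        return False, "bad signature"
    claims = json.loads(b64url_decode(body))
    if claims.get("iss") != expected_issuer:
        return False, "unexpected issuer"
    # An assertion minted for one service provider must not be accepted by another.
    if claims.get("aud") != expected_audience:
        return False, "wrong audience"
    if not (claims["iat"] <= now < claims["exp"]):
        return False, "outside validity window"
    if claims["jti"] in seen_ids:
        return False, "replayed"
    seen_ids.add(claims["jti"])
    return True, claims


if __name__ == "__main__":
    now = int(time.time())
    seen = set()
    tok = issue_assertion(SHARED_KEY, "https://idp.example", "https://sp.example",
                          "alice", {"groups": ["dev"]}, now)
    print(verify_assertion(tok, SHARED_KEY, "https://idp.example",
                           "https://sp.example", now, seen))
    # Presenting the same assertion twice is rejected as a replay.
    print(verify_assertion(tok, SHARED_KEY, "https://idp.example",
                           "https://sp.example", now, seen))
```

The `seen_ids` set is per service provider and only needs to hold ids until their `exp` passes; a real deployment would also bound clock skew rather than trusting `now` exactly.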
An emerging information technology (IT) delivery model is cloud computing, by which shared resources, software and information are provided over the Internet to computers and other devices on demand. Cloud computing can significantly reduce IT costs and complexities while improving workload optimization and service delivery. With this approach, an application instance can be hosted and made available from Internet-based resources that are accessible through a conventional Web browser over HTTP. While this is highly desirable, the application itself may have data transfer and storage requirements that use other, non-HTTP-based protocols. Thus, while most of the interactions with the application may occur over HTTP and are easily bound to the user, often the key interactions (involving data) must take place over legacy protocols yet still require the same “user binding.” The need to support both HTTP-based and non-HTTP-based protocols complicates the provisioning and use of the application in the cloud environment. This problem is further exacerbated by the fact that single sign-on requirements (for the application) may require support for other, lower-level protocols, such as CIFS, NFS, SSH, Telnet, and the like, as well as the co-existence of SSO across multiple protocols.
Current approaches to authentication in the cloud, however, are insufficient. Thus, for example, where the SSH network protocol is used to log into a remote machine and execute commands, the state of the art involves either providing direct (back-proxy) links to a customer's LDAP (or equivalent) directory for authentication with a user name and password (U/P), or explicitly distributing SSH key pairs to users and provisioning the corresponding public keys on each cloud host. Each approach, however, has significant drawbacks. Direct connections from a cloud provider to a customer's LDAP may not be allowed, even for simple LDAP bind requests, and a pass-through bind also places the user's directory password in the hands of the cloud provider's systems. Distribution of SSH key pairs is not a scalable approach for on-boarding a large number of users to the cloud, and the keys must be rotated and revoked per user thereafter. There are similar deficiencies in prior-art approaches for other protocols such as CIFS, NFS, and the like.