It is known to provide aggregated services via a single “sign-on” where a user may access the services after having their identity authenticated via the sign-on. As used herein, the term “authenticated” refers to a determination that the user is who he/she is purported to be, using, for example, a username and password associated with the user. However, in some single sign-on aggregated systems, a user may still be required to separately gain access to each of the services provided by the aggregated system before use may be made of the services. For example, if a user signs on to an aggregated system to access two different services provided by two different service providers, the user may be authenticated by a sign-on, but may still need authorization to access the services by providing further information to one or the other of the two services.
Two examples of such single sign-on aggregated systems discussed above are the .NET Passport system (“Passport”) made available by Microsoft, Inc. of Redmond, Wash. and the Liberty system (“Liberty”) made available by Sun MicroSystems, Inc. of Mountain View, Calif. The Passport system provides for authentication of a user by creating a set of credentials that enable the user to sign-on to any of the services (such as that offered by a website) that supports the Passport service. An exemplary representation of the Passport system is shown in FIG. 1, including a Passport server 115 and three service providers 110A-C each of which supports the Passport system 100. According to FIG. 1, a user can access the Passport system using, for example, a computer 101 by signing-on to the service provider 110A over a link 105. The service provider 110A redirects the user's sign-on to the Passport server 115 via a link 120, whereupon the user signs-on to the Passport server 115. The Passport server 115 can authenticate the user's sign-on information using locally accessible user identity information 130. If the user's sign-on information is authenticated, the user is redirected from the Passport server 115 back to the service provider 110A via a link 135, whereupon service provider 110A allows the user to access services provided thereon. It will be understood that service providers 110B and C may operate similarly.
An exemplary illustration of the Liberty system is shown in FIG. 2, including service providers 210A-C and an identity server 214. In particular, a user can access services via the Liberty system 200 over a link 205 to the service provider 210A using, for example, a computer 201. The user's sign-on to the service provider 210A is redirected to the identity server 214 via a link 220 whereupon the user signs on using identity information 230 available to the identity server 214. The identity server 214 uses the identity information 230 to determine whether the user (identified by the identity information 206A-C) is an authentic user known to the service provider 210A over a link 222, 210B over a link 223, or 210C over a link 224. If the identity server 214 is able to verify the authenticity of the user, the user is redirected back to the service provider 210A via link 235, whereupon the user is able to access the services via service provider 210A.
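The redirect-based flow described for both systems above (user signs on at a service provider, is redirected to a central identity server that checks the credentials, and is redirected back with proof of authentication) can be modelled in a few dozen lines. The following is an added illustration and is not code from the patent, from Passport, or from Liberty; it assumes a simple shared-secret scheme in which the identity server returns an HMAC-signed assertion bound to a particular service provider (“audience”) and a short expiry, and each service provider keeps its own entitlement table. The class names, the JSON claim names and the sample user and service names are all constructed for the example. It also illustrates the gap noted earlier: a user can be fully authenticated by the identity server and still be refused by a service provider that has no authorization record for them.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed example: a toy redirect-based single sign-on flow with a
# separate authorization decision at each service provider.

PBKDF2_ITERATIONS = 50_000


def _derive(password: str, salt: bytes) -> bytes:
    """Salted password hash stored by the identity server (never the plaintext)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class IdentityServer:
    """Central server that authenticates users and issues signed assertions."""

    def __init__(self, key: bytes):
        self.key = key            # secret shared with the service providers (assumption)
        self.users = {}           # username -> (salt, derived hash)

    def enroll(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, _derive(password, salt))

    def sign_on(self, username: str, password: str, audience: str):
        """Return (payload, tag) if the credentials verify, else None."""
        record = self.users.get(username)
        if record is None:
            return None
        salt, stored = record
        if not hmac.compare_digest(_derive(password, salt), stored):
            return None
        claims = {
            "sub": username,            # who was authenticated
            "aud": audience,            # which service provider may accept this
            "exp": time.time() + 300,   # short validity window
            "nonce": secrets.token_hex(8),
        }
        payload = json.dumps(claims, sort_keys=True).encode()
        tag = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        return payload, tag  # carried back to the service provider on the redirect


class ServiceProvider:
    """A service provider that trusts the identity server for authentication only."""

    def __init__(self, name: str, key: bytes, entitlements: dict):
        self.name = name
        self.key = key
        self.entitlements = entitlements  # username -> set of services permitted here

    def verify_assertion(self, assertion):
        """Authentication step: return the username if the assertion is valid for us."""
        payload, tag = assertion
        expected = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return None                       # tampered or forged
        claims = json.loads(payload)
        if claims.get("aud") != self.name:
            return None                       # issued for a different provider
        if claims.get("exp", 0) < time.time():
            return None                       # expired
        return claims["sub"]

    def access(self, assertion, service: str) -> str:
        """Authorization step: the provider's own entitlement table decides."""
        user = self.verify_assertion(assertion)
        if user is None:
            return "not authenticated"
        if service not in self.entitlements.get(user, set()):
            return "authenticated but not authorized"
        return "granted"


def run_flow(shared_key: bytes) -> dict:
    """Walk one user through sign-on at two providers and report each outcome."""
    idp = IdentityServer(shared_key)
    idp.enroll("alice", "correct horse battery staple")   # constructed sample user
    sp_a = ServiceProvider("sp-a", shared_key, {"alice": {"mail"}})
    sp_b = ServiceProvider("sp-b", shared_key, {})        # knows nothing about alice
    assertion_a = idp.sign_on("alice", "correct horse battery staple", "sp-a")
    return {
        "bad_password": idp.sign_on("alice", "wrong", "sp-a") is None,
        "sp_a_mail": sp_a.access(assertion_a, "mail"),
        "sp_a_calendar": sp_a.access(assertion_a, "calendar"),
        "sp_b_with_a_assertion": sp_b.access(assertion_a, "mail"),
        "sp_b_own_assertion": sp_b.access(
            idp.sign_on("alice", "correct horse battery staple", "sp-b"), "mail"),
    }


if __name__ == "__main__":
    for k, v in run_flow(secrets.token_bytes(32)).items():
        print(f"{k}: {v}")
```

The audience and expiry checks are what stop an assertion issued for one provider from being replayed at another; the separate `entitlements` lookup is the point of the surrounding text: once the identity server has vouched for who the user is, each provider still has to answer on its own whether that user may use a given service, and a provider that was never told about the user will refuse.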
Notwithstanding the authentication services provided by aggregated systems such as Passport and Liberty, there is a need for further improvement in providing transparent authentication and authorization services via aggregated systems. Each service provider in an aggregated system does not necessarily know about the authorization levels, user identities, and services offered by the others. Accordingly, it may be difficult to authorize a user subscribed to one service provider to use services offered by others with the proper level of granularity.