An enterprise might have multiple web-based applications that can be accessed by internal users, external users, or both. Users might be required to sign in to an application so that they can be authenticated and authorized. That is, when attempting to access an application, a user typically provides a user ID and a password to the application. The application might then authenticate the user by confirming that the password is correct for the user ID. After authentication, an authorization process might determine whether the user is allowed to access the requested application.
Authentication and authorization information for the users is typically stored in a data store such as a relational database or a directory compliant with the Lightweight Directory Access Protocol (LDAP). For example, an authentication data store might maintain a list of user IDs and corresponding password credentials. In practice the stored credential is a salted hash of the password rather than the password itself; when a user attempts to sign on to an application, the password provided by the user is hashed with the stored salt and the result is compared against the value stored in the authentication data store for the user's user ID. If the values match, the user is considered authentic.
An authorization data store might maintain a list of applications to which a user is allowed access. The application to which the user has requested access can be checked against the list of applications available to the user and, if the requested application is on the list, the user can be authorized to use the application. The authentication data store and the authorization data store might be separate or might be combined into a single data store.
In some cases, an application might perform its own authentication and authorization activities by interacting directly with the authentication and authorization data stores. In other cases, a policy server or other intermediary component might receive user ID and password information from one or more applications, pass the user ID and password information to the authentication and authorization data stores, receive one or more responses from the authentication and authorization data stores, and return the responses to the applications. In either case, each application might have its own data store for authentication and authorization information. Alternatively, authentication and authorization information for more than one application might be stored in a single data store. In some cases, there might be a single authentication and authorization data store for all internal users and a separate single authentication and authorization data store for all external users.
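The following is an added example, not code from the original text, that models the arrangement described above: an authentication data store holding salted password hashes, an authorization data store holding each user's list of permitted applications, and a policy server that receives the user ID, password and requested application from an application, consults the stores and returns a decision. It also models the last case above, where internal and external users have separate store pairs; the policy server selects the pair by a "population" label that the calling application supplies. The in-memory stores, the PBKDF2 hashing scheme, the population labels and the sample users are assumptions made for the example, not anything the text specifies.

```python
import hashlib
import hmac
import os


class AuthenticationStore:
    """Authentication data store: user ID -> (salt, PBKDF2-SHA256 hash).

    The plaintext password is never stored; verification recomputes the hash
    of the supplied password and compares it in constant time.
    """

    def __init__(self, iterations=100_000):
        self._records = {}
        self._iterations = iterations

    def _derive(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, self._iterations)

    def add_user(self, user_id, password):
        salt = os.urandom(16)
        self._records[user_id] = (salt, self._derive(password, salt))

    def verify(self, user_id, password):
        record = self._records.get(user_id)
        if record is None:
            # Do the same amount of work for unknown IDs so response time
            # does not reveal which user IDs exist.
            self._derive(password, b"\x00" * 16)
            return False
        salt, stored = record
        return hmac.compare_digest(self._derive(password, salt), stored)


class AuthorizationStore:
    """Authorization data store: user ID -> set of applications the user may use."""

    def __init__(self):
        self._grants = {}

    def grant(self, user_id, app):
        self._grants.setdefault(user_id, set()).add(app)

    def is_allowed(self, user_id, app):
        return app in self._grants.get(user_id, set())


class PolicyServer:
    """Intermediary between applications and the data stores.

    `stores` maps a user population label (assumed here: "internal" or
    "external") to an (AuthenticationStore, AuthorizationStore) pair, so each
    population can be backed by its own stores. Applications never touch the
    stores directly; they call check_access and receive (allowed, reason).
    """

    def __init__(self, stores):
        self._stores = stores

    def check_access(self, population, user_id, password, app):
        pair = self._stores.get(population)
        if pair is None:
            return (False, "unknown user population")
        authn, authz = pair
        # Authenticate first; only an authenticated identity is authorized.
        if not authn.verify(user_id, password):
            return (False, "authentication failed")
        if not authz.is_allowed(user_id, app):
            return (False, f"not authorized for {app}")
        return (True, "allowed")


def build_demo_policy_server(iterations=10_000):
    """Constructed sample data for the example: two populations, each with
    its own authentication and authorization stores."""
    internal_authn, internal_authz = AuthenticationStore(iterations), AuthorizationStore()
    internal_authn.add_user("alice", "correct horse battery staple")
    internal_authz.grant("alice", "payroll")
    internal_authz.grant("alice", "intranet")

    external_authn, external_authz = AuthenticationStore(iterations), AuthorizationStore()
    external_authn.add_user("partner1", "p4rtner-pass")
    external_authz.grant("partner1", "supplier-portal")

    return PolicyServer({
        "internal": (internal_authn, internal_authz),
        "external": (external_authn, external_authz),
    })


if __name__ == "__main__":
    ps = build_demo_policy_server()
    print(ps.check_access("internal", "alice", "correct horse battery staple", "payroll"))
    print(ps.check_access("internal", "alice", "correct horse battery staple", "hr"))
    print(ps.check_access("internal", "alice", "wrong password", "payroll"))
    print(ps.check_access("external", "alice", "correct horse battery staple", "payroll"))
    print(ps.check_access("external", "partner1", "p4rtner-pass", "supplier-portal"))
```

Note that in the intermediary arrangement the application relays the user's password to the policy server, so the application-to-policy-server channel carries a credential and needs the same transport protection as the user's sign-in request; the example returns a reason string only to the calling application and deliberately gives the same "authentication failed" answer for an unknown user ID and a wrong password.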