1. Field of the Invention
The invention relates to the field of authentication-based data sharing, and more specifically to sharing data across a distributed computer system based on an initial sign-on.
2. Background of the Invention
The average computer user accesses a variety of computer applications in a number of settings. These applications may include a combination of local, LAN, and WAN applications hosted on a variety of operating platforms, such as Windows™, mainframe, Unix, Linux, or Macintosh™ platforms. The user may access these applications from a variety of locations over the course of a working day by utilizing a laptop, desktop, special use computer, kiosk, conference room terminal or other machine. Interruptions in workflow and changes in user location occur regularly over the course of a normal working day. Each time a user resumes her workflow, time must be spent logging on to applications and/or restoring settings or other data from a previous computing session.
Many of the applications a user accesses throughout the day will require the authentication of the user, most commonly through a sign-on transaction involving a user identifier and password. Each application and each platform may include its own procedures for generating, storing, and validating user sign-on transactions. As each application is started, it will generally require the user to follow its sign-on procedure. Each application may have different rules for acceptable user identifiers and passwords, including different combinations and patterns of letters, numerals, or other characters. Requiring multiple sign-on transactions by the user represents a productivity loss due to time and distraction, may discourage the adoption and use of some applications, and may require the user to manage multiple user identifiers and passwords.
Furthermore, there is often still a lag between the time a user launches and is authenticated on an application and the time the user can be fully productive. Typically, a user will need to adjust the application to reflect her preferred settings. Sometimes, in order to access a file for use in one application, another file management program must be launched as well. Where more than one application is being used simultaneously—a common occurrence, as a worker may need to monitor email, active jobs that are being processed, or other tasks while working in another application—or where several tasks within the same application are in use, the user may also have to manually resize the windows showing the different tasks.
When a user moves from one terminal to another, such information is lost and must be regenerated. In addition, temporary data such as the user's specific location within a file, the collection of files that are simultaneously open, and other information specific to a user's session cannot be saved and retrieved easily. If the user changes terminals, or there are gaps between her active working times, both frequent occurrences in the workplace, she must recreate the setting she left before she can be productive. Over the course of a working day, much time is wasted across enterprises on authentication tasks and on restoring preferences, settings, and application data as a user moves from one working location to another.
No single system currently exists for reducing the time wasted in logging on to individual applications and repeatedly restoring non-authentication preference, setting, environment, and temporary data when users move across an enterprise. There are limited solutions for consolidating sign-on tasks, such as those offered by Netscape, Liberty Alliance, Plumtree, and Microsoft Passport. Enterprise systems for enabling single sign-on transactions for multiple applications across platforms include IBM Enterprise Identity Mapping (“EIM”), Siteminder, and ETrust. However, none of these also allows for the capture, storage, and retrieval of authentication and non-authentication data across different users, platforms, and terminals.
Operation of IBM's EIM is illustrative of current approaches to providing a single user sign-on transaction for sign-on to multiple enterprise applications. IBM's EIM stores multiple user identities and related user authentication information drawn from the user registries associated with OS platforms, applications, and middleware. The user identities are stored in a well-known data source accessible throughout the enterprise, such as a Lightweight Directory Access Protocol (“LDAP”) server. The IBM EIM provides common services across platforms for accessing the mappings. EIM allows a user to execute a sign-on transaction that generates an electronic validation ticket. That ticket is then used to validate the user to a predetermined set of systems and applications defined in the EIM data source, based upon the user identities stored in that data source.
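The EIM-style flow described above, reduced to a runnable sketch as an added example (this is not IBM's code or the patent's): one sign-on against an enterprise registry mints an HMAC-signed, expiring validation ticket, and each target registry validates that ticket and maps the enterprise identity to its own user identity. The key, salt, users, identity mappings and ticket format are constructed assumptions for illustration only.

```python
# Added example: identity mapping plus a signed, expiring validation ticket.
# All keys, users and mappings below are constructed demo values.
import base64, hashlib, hmac, json, time

TICKET_KEY = b"constructed-demo-key"   # constructed shared secret, not a real key
TICKET_TTL = 300                       # seconds a ticket remains valid
_SALT = b"constructed-salt"            # constructed; real registries salt per user

def _pw_hash(password, salt):
    """Slow salted hash for the enterprise registry (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed enterprise registry: enterprise identity -> password hash.
ENTERPRISE_USERS = {"jdoe": _pw_hash("correct horse", _SALT)}

# Constructed mapping store (the EIM "well-known data source"):
# enterprise identity -> the identity each registry knows the user by.
IDENTITY_MAP = {
    "jdoe": {"mainframe": "JDOE01", "unix": "jdoe", "windows": "CORP\\jdoe"},
}

def sign_on(user, password, now=None):
    """Single sign-on: check the enterprise registry and mint a ticket.
    Returns the ticket string, or None if the credentials do not verify."""
    stored = ENTERPRISE_USERS.get(user)
    if stored is None or not hmac.compare_digest(stored, _pw_hash(password, _SALT)):
        return None
    now = int(time.time()) if now is None else now
    body = json.dumps({"sub": user, "exp": now + TICKET_TTL},
                      separators=(",", ":")).encode()
    mac = hmac.new(TICKET_KEY, body, hashlib.sha256).digest()   # 32 bytes
    return base64.urlsafe_b64encode(body + mac).decode()

def validate(ticket, registry, now=None):
    """Verify the ticket's MAC and expiry, then map its subject to the
    identity used by `registry`. Returns None on any failure."""
    try:
        raw = base64.urlsafe_b64decode(ticket)
        body, mac = raw[:-32], raw[-32:]                 # fixed-length MAC suffix
        expected = hmac.new(TICKET_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return None                                  # forged or tampered
        claims = json.loads(body)
    except ValueError:                                   # bad base64 or JSON
        return None
    now = int(time.time()) if now is None else now
    if now >= claims["exp"]:
        return None                                      # expired ticket
    return IDENTITY_MAP.get(claims["sub"], {}).get(registry)

if __name__ == "__main__":
    t = sign_on("jdoe", "correct horse")
    print(validate(t, "mainframe"), validate(t, "windows"))
```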
Although IBM's EIM and similar systems do support some form of single sign-on, they do not support the cross-platform sharing of non-authentication data. Because of this, integration among applications is limited. Further, they do not allow users to move among terminals while maintaining state, preference, and other application data. There is therefore a need for systems that automatically authenticate users and facilitate the sharing of data across an enterprise, allowing users to move seamlessly between terminals, applications, and platforms without having to recreate their working environment in each new setting.