An enterprise might have multiple web-based applications that can be accessed only by authorized users. For authentication and authorization purposes, the users might be required to sign in to the applications themselves or to a security system that controls access to them. Typically, when attempting to access an application, a user provides a user ID (an identifier) and a password. The application might then authenticate the identity of the user by confirming that the password is correct for the user ID. After authentication, an authorization process might determine whether the authenticated user is allowed to access the requested application, and what the user may do within it.
Authentication and authorization information for the users is typically stored in a data store such as a relational database or a directory, for example a directory compliant with the Lightweight Directory Access Protocol (LDAP). An authentication data store might maintain a list of user IDs and, for each, the credential data needed to verify a password (in current practice a salted password hash or similar verifier rather than the password itself, so that a compromise of the store does not directly disclose passwords). When a user attempts to sign on to an application, the password provided by the user is checked against the value stored in the authentication data store for the user's user ID. If the supplied password matches the stored value for that user ID, the identity of the user is confirmed.
An authorization data store might maintain each user's entitlements within the applications to which that user is allowed access. An application to which the user has been granted access relies upon this authorization data to determine which functions the user is allowed to perform. The authentication data store and the authorization data store might be separate or might be combined into a single data store.
In some cases, an application might perform its own authentication and authorization activities by interacting directly with its own internal authentication and authorization data stores. In other cases, a policy server or other intermediary component might act as an authentication broker on behalf of the application. In such a case, the intermediary is not itself responsible for directly authenticating a user attempting to access an application. Instead, it receives the user ID and password combination submitted by the user and directs the access request to a separate authentication and/or authorization data store for actual evaluation of the credentials. The data store performs the authentication of the user and returns the result of the credential check to the intermediary, which in turn forwards it to the application so that the application can allow or deny access. The benefit of an intermediary is that it can interact with multiple types of authentication and/or authorization data store technologies, insulating the application itself from the actual task of authentication. An intermediary also allows multiple applications to share the same user ID and password combination, so that a user who has signed on once need not re-enter credentials for each application. This gives the user of the applications a quicker, more convenient experience.
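The broker arrangement described above, as an added example written for this page rather than code from the original text: a small policy server in Python that maps each application to the authentication store it is wired to (a table-style store of salted PBKDF2 verifiers and a directory-style store that evaluates the bind itself), then consults a separate entitlements store once authentication has succeeded. All user IDs, passwords, application names, DNs and the `make_verifier`/`check_verifier`/`PolicyServer` names are constructed for the example; the LDAP "bind" is simulated in memory.

```python
"""Added example: an authentication broker (policy server) in front of two
different credential store technologies, with a separate authorization store.
All names and sample data are constructed for illustration."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable, Optional, Protocol

PBKDF2_ROUNDS = 100_000  # assumption: illustrative work factor, tune for real use


def make_verifier(password: str, salt: Optional[bytes] = None) -> tuple:
    """Produce (salt, verifier) so the store never holds the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def check_verifier(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


class AuthenticationStore(Protocol):
    def authenticate(self, user_id: str, password: str) -> bool: ...


class TableStore:
    """Stands in for a relational table of user_id -> (salt, verifier)."""
    _DUMMY = (b"\x00" * 16, b"\x00" * 32)  # hashed for unknown users to equalise timing

    def __init__(self, rows: dict) -> None:
        self._rows = rows

    def authenticate(self, user_id: str, password: str) -> bool:
        salt, digest = self._rows.get(user_id, self._DUMMY)
        ok = check_verifier(password, salt, digest)
        return ok and user_id in self._rows


class DirectoryStore:
    """Stands in for an LDAP directory: the directory evaluates the bind, the
    broker only hands over the credential and receives a yes/no answer."""

    def __init__(self, bind: Callable[[str, str], bool]) -> None:
        self._bind = bind

    def authenticate(self, user_id: str, password: str) -> bool:
        return self._bind(f"uid={user_id},ou=people,dc=example,dc=com", password)


@dataclass(frozen=True)
class Decision:
    authenticated: bool
    authorized: bool
    entitlements: frozenset = frozenset()


class PolicyServer:
    """The intermediary: routes each application's sign-on to its own store,
    then looks up entitlements in the separate authorization store."""

    def __init__(self, app_to_store: dict, entitlements: dict) -> None:
        self._app_to_store = app_to_store
        self._entitlements = entitlements  # (user_id, app) -> frozenset of functions

    def access(self, app: str, user_id: str, password: str, function: str) -> Decision:
        store = self._app_to_store.get(app)
        if store is None or not store.authenticate(user_id, password):
            return Decision(authenticated=False, authorized=False)  # deny, say nothing more
        allowed = self._entitlements.get((user_id, app), frozenset())
        return Decision(True, function in allowed, allowed)


def build_demo() -> PolicyServer:
    """Constructed sample data: two users, two store technologies, three apps."""
    table = TableStore({"alice": make_verifier("correct horse battery staple")})
    # Constructed in-memory directory; a real deployment would perform an LDAP bind.
    entries = {"uid=bob,ou=people,dc=example,dc=com": make_verifier("hunter2!")}

    def ldap_bind(dn: str, pw: str) -> bool:
        entry = entries.get(dn)
        return entry is not None and check_verifier(pw, *entry)

    entitlements = {
        ("alice", "payroll"): frozenset({"view", "approve"}),
        ("alice", "timesheet"): frozenset({"view"}),
        ("bob", "helpdesk"): frozenset({"open_ticket"}),
    }
    # payroll and timesheet share one store, so alice's single credential serves both.
    return PolicyServer(
        {"payroll": table, "timesheet": table, "helpdesk": DirectoryStore(ldap_bind)},
        entitlements,
    )


if __name__ == "__main__":
    ps = build_demo()
    print(ps.access("payroll", "alice", "correct horse battery staple", "approve"))
    print(ps.access("timesheet", "alice", "correct horse battery staple", "approve"))
    print(ps.access("helpdesk", "bob", "hunter2!", "open_ticket"))
```

Two design points worth noting: the broker returns the same bare denial whether the application is unknown, the user is unknown or the password is wrong, and the table store hashes a dummy verifier for unknown users so a missing account is not distinguishable by response time; and authorization is evaluated per (user, application) pair, so the same authenticated identity can carry different entitlements in each application that shares the sign-on.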
In addition to the authentication and authorization data stores, an enterprise might have multiple systems that maintain the digital identities of employees and other individuals within or associated with the enterprise. A person's digital identity is any electronic information associated with that person for the general purpose of identifying them to a system or service. Systems responsible for collecting a person's common digital information and the resources they use, and for maintaining its integrity on behalf of the entire enterprise, are called identity management systems. Common identity attributes held in an enterprise identity management system are name, phone number, email address, job title, manager's name, user ID(s), password(s) (or, more appropriately, password verifiers) and other information commonly needed by enterprise systems. For example, there might be separate identity management systems for network sign-on, mainframe sign-on, application sign-on, access badge security, and other areas where unique user identities are needed. These identity management systems might use different naming standards and other conventions for managing user IDs, passwords, and other identity-related attributes. Since each identity management system might have its own data store to hold identity information, maintaining multiple identity management systems and data stores can be complex, cumbersome and error prone, and the stores can hold contradictory data about the same person.