A user can be authenticated from a desktop computer or a mobile device using a user or device credential. In a federated authentication system, the user can be redirected to a third-party authentication service, which can use Security Assertion Markup Language (SAML) to communicate the user authentication result to the customer system. New credential types can easily be added for enterprises when the authentication service handles all of the credential lifecycle management interfaces. However, this does not accommodate customers who want full control over the user workflow. The service model also requires the customer system to handle SAML request signing and verification, which not every enterprise system supports. For example, the RADIUS protocol is more widely used by enterprise VPN servers.
What is needed is a service model that requires little integration work from enterprise servers, provides users with a superior experience and stronger security, and lets the customer retain full control over the user authentication workflow. Once the requirement for SAML integration on the enterprise system is removed, the communication of user authentication credentials and the authentication ticket itself must still provide end-to-end security across the systems.
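The RADIUS exchange mentioned above is a useful reference point for the "end-to-end security" requirement, because its integrity protection is hop-by-hop only. The following is an added example, not code from this document or from any product it describes: a minimal client/server round trip over RFC 2865 Access-Request and Access-Accept/Reject packets, showing how the shared secret hides the User-Password attribute and binds the Response Authenticator to the request. The shared secret, the user record and the fixed Request Authenticator are constructed sample values for the demonstration.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 packet codes and attribute types used in this example
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def encode_attrs(attrs):
    """Serialize (type, value) pairs as RADIUS TLV attributes (Type, Length, Value)."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    """Parse a RADIUS attribute region back into (type, value) pairs."""
    attrs, i = [], 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; the server runs this with the same shared secret."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_packet(code, ident, authenticator, attrs):
    """Assemble Code | Identifier | Length | Authenticator(16) | Attributes."""
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def build_access_request(username, password, secret, ident=1, request_auth=None):
    """Client side: a fresh random Request Authenticator keys the password hiding."""
    request_auth = request_auth or os.urandom(16)
    attrs = [(ATTR_USER_NAME, username),
             (ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)


def response_authenticator(code, ident, request_auth, attrs_bytes, secret):
    """RFC 2865 section 3: MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()


def server_handle(packet, secret, users):
    """Server side: recover the password with the shared secret, then answer with a bound authenticator."""
    _, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = dict(decode_attrs(packet[20:length]))
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    code = ACCESS_ACCEPT if users.get(attrs[ATTR_USER_NAME]) == password else ACCESS_REJECT
    return build_packet(code, ident, response_authenticator(code, ident, request_auth, b"", secret), [])


def client_verify(response, request_packet, secret):
    """Client side: accept a reply only if its authenticator matches our request and the shared secret."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = response_authenticator(code, ident, request_packet[4:20], response[20:length], secret)
    return ident == request_packet[1] and hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    secret = b"example-shared-secret"          # constructed sample value
    users = {b"alice": b"correct horse"}       # constructed sample user store
    req = build_access_request(b"alice", b"correct horse", secret, ident=7)
    resp = server_handle(req, secret, users)
    print("accept:", resp[0] == ACCESS_ACCEPT, "verified:", client_verify(resp, req, secret))
```

The check in `client_verify` only proves that the peer on the other end of this hop knows the shared secret; it says nothing about who authenticated the user further upstream, and a reply whose code is changed in transit without recomputing the authenticator is rejected only because the client still holds the original Request Authenticator. That is exactly the gap a ticket-based design has to close when it drops SAML but still promises end-to-end security.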