In many organizations, workers interact with multiple applications during daily routines to access or input sensitive information. Further, the proliferation of intranets, business-to-business extranets, cloud applications, and other distributed work environments has led to customers, partners, and employees demanding anytime, anywhere access to critical applications, information, and services. However, although these information technology developments present new opportunities to increase revenues, manage costs, and deepen relationships with users, opening information technology organizations to distributed work environments can introduce significant security, management, and compliance challenges. For example, because users often interact with sensitive data and multiple applications that can be distributed among various information technology environments, many applications have been front-ended with secure logon processes to handle data security and compliance requirements. However, because different systems and applications typically have different authentication schemes, users often have to enter different authentication credentials to access the various systems and applications. In an effort to accommodate these diverse authentication processes, many users resort to insecure practices such as writing down passwords or using the same password for multiple systems or applications, which can defeat the purpose of secure logon procedures, especially in situations where workers or users share workstations or work areas (e.g., in hospitals or help desk environments).
As such, despite the promise that distributed work environments hold to increase revenues, manage costs, and deepen user relationships, existing systems tend to fall short in effectively balancing the security need to protect sensitive data against the business need to provide workers with efficient access. For example, enterprise resource planning (ERP) solutions were originally deployed in client/server implementations, but in recent years many ERP vendors have developed web-based front ends to ease delivery of these solutions to users. However, like any other standalone application, these solutions tend to come with distinct security systems and require separate logon processes. While most ERP solutions generally provide single sign-on (SSO) capabilities between the individual ERP components, they typically do not integrate access security with other web-based applications that may be distributed across the organization. Thus, because many organizations have initiated efforts to move towards web-based approaches to deliver applications that need to meet the information and access needs of substantial numbers of internal and external users, the need to extend SSO capabilities across the organization has become increasingly important. Further, to let business in while keeping risk out, many organizations have sought to standardize and centralize information technology infrastructures, including security management. These factors, among others, result in a strong desire within the information technology community for a single access management system that can provide centralized authentication, authorization, auditing, and SSO across all web-enabled applications.
To that end, various systems have been developed to provide vendor-supported, policy-based mechanisms to apply consistent security to web-enabled applications that communicate via Hypertext Transfer Protocol (HTTP). However, HTTP was designed to provide a stateless transport mechanism, which can raise problems with managing applications that require state maintenance (e.g., maintaining a communication session, a shopping cart, etc.). As such, existing systems typically use various mechanisms to maintain state across multiple HTTP requests, most commonly an HTTP cookie that stores authentication information, site preferences, shopping cart contents, session identifiers, or other state information that can be communicated between a web browser and a web server. However, the HTTP Cookie specification does not provide any built-in mechanisms to secure the information contained within a cookie, lacks mechanisms to specify a link between one cookie and another, and does not provide mechanisms that specify how to transport a cookie from one HTTP client to another. Thus, although existing systems have sought to provide mechanisms to consistently secure web-enabled applications, the underlying transport protocol that web-enabled applications use to handle communications lacks suitable mechanisms to integrate security across various distributed applications that may need to share state information, so existing systems tend to fall short in providing an integrated solution that can share state information across various web-enabled applications.
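As an added illustration (not part of this document) of the point that the cookie format carries no integrity protection of its own, the Python below shows the server-side measure commonly layered on top: application state in a cookie is bound to an HMAC-SHA256 tag so that a value modified on its way back is rejected rather than trusted. The key, cookie name, and state strings are constructed for the demonstration.

```python
import hashlib
import hmac
from typing import Optional
from urllib.parse import quote, unquote

# Constructed demo key (an assumption); a real server loads it from a key store.
SECRET_KEY = b"constructed-demo-key-not-for-production"


def sign_cookie_value(state: str, key: bytes = SECRET_KEY) -> str:
    """Encode application state for a cookie and append an HMAC-SHA256 tag.

    The cookie itself carries no integrity check, so the tag is what lets
    the server detect a modified value when the cookie is sent back.
    """
    tag = hmac.new(key, state.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{quote(state, safe='')}.{tag}"


def verify_cookie_value(value: str, key: bytes = SECRET_KEY) -> Optional[str]:
    """Return the state if the tag matches, else None (tampered or malformed)."""
    encoded, sep, tag = value.rpartition(".")
    if not sep:
        return None
    state = unquote(encoded)
    expected = hmac.new(key, state.encode("utf-8"), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many tag bytes were correct.
    if not hmac.compare_digest(tag, expected):
        return None
    return state


def set_cookie_header(name: str, state: str) -> str:
    """Build a Set-Cookie header with the protective attributes the server controls."""
    return (f"Set-Cookie: {name}={sign_cookie_value(state)}; "
            "Secure; HttpOnly; SameSite=Strict; Path=/")


if __name__ == "__main__":
    original = "user=alice;role=staff"
    signed = sign_cookie_value(original)
    print(set_cookie_header("session", original))
    print("intact ->", verify_cookie_value(signed))
    # Constructed tampering: the encoded state inside the cookie is edited.
    forged = signed.replace("staff", "admin")
    print("forged ->", verify_cookie_value(forged))  # None
```

The same tag would not have been checked by a server that simply reads `role=` out of an unsigned cookie, which is the gap the text describes.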