1. Field of the Invention
The present invention relates to provision of user access to a secure application, particularly although not exclusively, providing a remote user with secure access to authentication credentials required for reduced or single sign-on services to applications. The invention also relates to the convenient storage and management of such user credentials.
2. Discussion of the Background Art
Reduced or single sign-on (SSO) services have been developed to manage authentication of users wishing to access secure applications, in order to overcome difficulties with management of authentication credentials (such as user names and passwords) of users. One example of an SSO service is discussed in US Patent Publication No. 2004/0163087 assigned to the present applicant and in co-pending Australian Patent Application No. 2004200465, also filed by the present applicant in its former name.
In one form of SSO system there is included a client application installed on a user workstation, which application runs as a background process on the workstation. Such a client application is conventionally installed, whether from local portable storage media or over a secure network connection to a local network server, by adding a persistent program to the menu of applications programs accessible by the workstation's operating system.
However, some organisations are disinclined to distribute single sign-on client applications for installation on a remote user work station in an uncontrolled environment. A home office computing environment, for example, may not be as well protected from external security threats as an office workstation coupled to a fire-walled corporate network. A highly mobile user may further wish to have a reduced or single sign-on capability from a communal computer work station, such as provided in a hotel business centre or Internet cafe. Installation of persistent client applications on a communal or shared work station is generally not possible or at least highly undesirable.
The disclosure in US 2003/0158949 (Miller et al.) is concerned with a single sign-on system without a central session management server, wherein a session credential can be validated on multiple application servers without requiring communication with a central session management server in order to validate the session credential. Miller requires that the client provide a service-independent session credential to the target application servers, which requires the client machine to communicate directly with the application program server (instead of an application client). Accordingly, this arrangement is limited to a scenario where the same session credential can be validated by all target application servers.
In other arrangements, a web browser application installed on a user's workstation can be used to access a corporate web site when the workstation is coupled to the Internet. Where the web site incorporates a corporate web portal provided by a back-end portal server, the portal can display information to a corporate user in a consolidated form. The portal server can achieve this by authenticating the user to the secure application on behalf of the user. Thus the single sign-on process occurs between the back-end server and the secure application. However, this arrangement does not address the issue of providing initial secure access to the portal server via the user's web browser application.
The disclosure in US 2003/0105981 (Miller et al.) is concerned with a single sign-on system, wherein credentials from a first computer system are placed on a client and used by a second computer system to effectively impersonate the client to the first system for validation purposes. When the first system confirms the validity of the credentials, the second system uses that validation to grant access to the client machine. In one embodiment discussed in Miller, the first system is a central logon server and the second system is a target application server that relies on a token generated by the first system. Miller requires that the client machine provide a service-independent credential/token to the target application system. However, the credential/token is not related to the application credentials; rather, it is associated with another trusted system, requiring the second system to communicate with the first system to validate the credential/token.
In a manner similar to web portal single sign-on services, in terminal server configurations such as Microsoft Terminal Server™ and Citrix Metaframe™ or equivalents, many existing SSO solutions run on the terminal server rather than on a remote workstation. Because of this configuration, these solutions are limited to providing SSO services to applications running in the terminal server environment and do nothing to provide SSO to applications run on the user's workstation.
The disclosure in US 2004/0003081 (Microsoft) is concerned with a single sign-on system, wherein a single sign-on server receives a request for the client's credentials from a computer program, determines whether the client's credentials are stored in a database, and sends the client's credentials from the database to the computer program. The Microsoft arrangement requires the single sign-on server to present the client credentials authorizing access to the application directly to the target computer program, so that the SSO engine is on the server rather than on the client machine.
The disclosure in US 2004/0250118 (IBM) is concerned with an access portal server that provides a front-end to a set of target applications, providing a single point of authentication for all of the target applications. The access portal server incorporates an SSO engine that provides application credentials to a target application after the target application is selected, and then transfers the authenticated target application session from the access server to the client machine. The IBM arrangement requires that the access server present the application credentials to the target application directly where, again, the SSO engine is on the server instead of on the client machine.
A further problem with SSO solutions exists when credentials for accessing secure applications hosted by backend systems must be reset or changed. Ordinarily the reset or change of credentials involves going into the normal interface for the backend system, resetting or changing the password or other credentials, then accessing the SSO interface and setting the new credential in SSO. This procedure is both time consuming and error prone.
The disclosure in US 2003/0188193 (IBM) is concerned with a single sign-on system, wherein credentials from a first system are placed on a client and used by a second system to impersonate the client to the first system. When the first system confirms the validity of the credentials, the second system uses that validation to grant access to the client. In one described embodiment utilizing Kerberos authentication, the first system is a central logon server and the second system is a target application server that relies on a token generated by the first system. This arrangement requires the client to provide a service-independent credential/token to the target application system, limiting the invention to cases where the credential/token is not related to the application credentials themselves but is associated with another trusted system, and further limiting the invention to cases where the second system communicates with the first system to validate the credential/token.
The reference to any prior art in this specification is not, and should not be taken as, an acknowledgement or any form of suggestion that the referenced prior art forms part of the common general knowledge in Australia.