To perform functions on a computer system, different services may be used. A service may correspond to a computer program, or to a functional part of a computer program. Different services may have been developed independently of one another, and each service may have its own way of authenticating its users. When the user of one service wishes to use a different service, a different manner of authentication may be necessary, requiring the user to authenticate himself or herself to the second service using an entirely different method than is used to authenticate the same user to the first service. If the formats for authentication differ, this makes it cumbersome for users to remember each one. For example, one service may require an account identifier and a password, while another service requires an e-mail address and a password.
It can be more annoying when the user has already authenticated himself or herself to one service used by a company, and the user must reauthenticate himself or herself to each further service the user uses from the same company. This is because the user expects a single authentication to suffice, and can be annoyed by the reauthentication that may be required to perform different tasks within the same corporation.
Even though the authentication information may be the same from one service to the next, the user may nevertheless be required to reauthenticate himself or herself when using different services if the different services use different formats to store the same information. Although it would be possible to write conversions from each format to every other, if there are many such services using many different formats, the number of possible permutations can be large, making such conversions a logistical problem. If authentication information is provided as a signed token, even the same information stored in the same format may carry different signatures, depending on the service that issued the token, and this adds to the number of permutations that must be accommodated.
Conventional security token services can be used to perform such conversions of signed tokens containing identity information. However, there may be more than one such service in use. Determining which security token service is capable of performing the proper conversion would again require a list of possible permutations and, for each permutation, the security token service to use to implement that conversion. Such a list can grow to a large size if the number of services is large, and keeping the list in synchronization with the capabilities of each security token service can be error-prone and cumbersome.
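The following is an added illustration, not part of the original text, of the token conversion a security token service performs: the source token's signature is verified before any claim is trusted, the same identity information is re-serialized in the target service's format, and the result is signed for the target. The service names, keys, and the two wire formats ("json" and "kv") are constructed for the example; it also shows the point above that identical claims in an identical format still carry different signatures when issued by different services.

```python
import base64, hashlib, hmac, json
from urllib.parse import parse_qsl, urlencode

# Constructed signing keys for two hypothetical services. Here the token
# service holds them directly; in a real deployment it would sign with its
# own key, which the target service is configured to trust (assumption).
ISSUER_KEYS = {"svc_a": b"key-for-service-a", "svc_b": b"key-for-service-b"}

# Two hypothetical storage formats for the same identity information.
ENCODERS = {
    "json": lambda c: json.dumps(c, sort_keys=True),
    "kv":   lambda c: urlencode(sorted(c.items())),
}
DECODERS = {
    "json": json.loads,
    "kv":   lambda s: dict(parse_qsl(s, strict_parsing=True)),
}

def _sign(key: bytes, body: str) -> str:
    mac = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()

def issue(issuer: str, claims: dict, fmt: str) -> dict:
    """A service issues a token: claims serialized in its format, signed with its key."""
    body = ENCODERS[fmt](claims)
    return {"iss": issuer, "fmt": fmt, "body": body, "sig": _sign(ISSUER_KEYS[issuer], body)}

def verify(token: dict) -> dict:
    """Check the signature against the issuing service's key before trusting any claim."""
    expected = _sign(ISSUER_KEYS[token["iss"]], token["body"])
    if not hmac.compare_digest(expected, token["sig"]):
        raise ValueError("bad signature for issuer %s" % token["iss"])
    return DECODERS[token["fmt"]](token["body"])

def sts_translate(token: dict, target: str, target_fmt: str) -> dict:
    """Minimal security token service: verify the source token, re-issue it for the target."""
    claims = verify(token)
    return issue(target, claims, target_fmt)

def demo() -> dict:
    claims = {"sub": "alice", "role": "user"}
    a_tok = issue("svc_a", claims, "json")
    b_tok = issue("svc_b", claims, "json")   # same claims and format, different signer
    moved = sts_translate(a_tok, "svc_b", "kv")
    # A token whose body was altered after issue must be refused by the converter.
    forged = dict(a_tok, body=ENCODERS["json"]({"sub": "alice", "role": "admin"}))
    try:
        verify(forged); tampered_rejected = False
    except ValueError:
        tampered_rejected = True
    return {"same_sig": a_tok["sig"] == b_tok["sig"],
            "moved": verify(moved), "tampered_rejected": tampered_rejected}
```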
What is needed is a system and method that can allow a user of a computer service who has authenticated himself or herself to that service to use other services without reauthentication when multiple security token services are in use, without maintaining complex lists of the capabilities of each security token service.