1. Technical Field
This disclosure relates generally to entity authentication in computing systems.
2. Background of the Related Art
Authentication is the process of validating a set of credentials that are provided by a user or on behalf of a user. Authentication is accomplished by verifying something that a user knows, something that a user has, or something that the user is, i.e., some physical characteristic of the user. Something that a user knows may include a shared secret, such as a user's password, or something that is known only to a particular user, such as a user's cryptographic key. Something that a user has may include a smartcard or a hardware-based token. Some physical characteristic of the user might include a biometric input, such as a fingerprint or a retinal map. It should be noted that a user is typically, but not necessarily, a natural person; a user could be a machine, a computing device, or another type of data processing system that uses a computational resource. Also, a user typically, but not necessarily, possesses a single unique identifier; in some scenarios, multiple unique identifiers may be associated with a single user.
User authentication is one function that service providers offer to ensure that users accessing resources (e.g., applications, web content, etc.) are authorized to do so. To ensure that a user is not an imposter, service providers implement authentication systems, typically as server-based applications. In a typical use case, an authentication system asks for a user's username and password to prove identity before authorizing access to resources. Single sign-on (SSO) is a more sophisticated authentication system that includes an access control mechanism which enables a user to authenticate once (e.g., provide a username and password) and gain access to software resources across multiple systems. Typically, an SSO system enables user access to resources within an enterprise or an organization. Federated Single Sign-on (F-SSO) extends the concept of single sign-on across multiple enterprises, thus establishing partnerships between different organizations and enterprises. F-SSO systems typically include application level protocols that allow one enterprise (e.g., an identity provider) to supply a user's identity and other attributes to another enterprise (e.g., a service provider).
Traditionally, an authentication “context” is established for a single entity (e.g., one user, one programming agent) presenting its secret(s) to an authentication system. The resulting authentication context carries with it a single identity.
In many business scenarios, however, the need arises for an authenticated context representing two or more identities. One example is a business process wherein approval of a process step requires the collaboration of several actors or entities. Another example might arise in the context of the information technology (IT) delivery model known as “cloud computing,” by which shared resources, software and information are provided on-demand over the Internet to computers and other devices. In a typical cloud approach of this type, an application instance is hosted for a tenant in a provider's compute cloud. A multi-identity authenticated context in this example would be one in which it is desired to modify a tenant's sensitive data, but only with the cooperative approval of both the tenant and an authorized cloud service provider administrator. A useful analogy is a safe deposit box at a bank, wherein a customer's key, as well as the bank's key, is required to unlock the box.
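To make the multi-identity context concrete, the following Python sketch is an added illustration and not part of the disclosure: it models an authentication context that accumulates separately verified identities and enforces the two-key rule of the safe-deposit-box analogy, so that a tenant's sensitive data can be modified only when both that tenant and a provider administrator are present in the same context. The roles, user names, passwords and credential store are constructed for the example; password verification uses PBKDF2 with a constant-time comparison.

```python
"""Added example (not from the disclosure): a multi-identity authentication
context with a cooperative-approval ("two-key") authorization rule."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

ITERATIONS = 100_000  # PBKDF2 work factor; constructed value for the example


@dataclass(frozen=True)
class Identity:
    user_id: str
    role: str                       # constructed roles: "tenant" or "provider_admin"
    tenant_id: Optional[str] = None  # set only for tenant identities


def _derive(password: str, salt: bytes) -> bytes:
    """Salted, iterated password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_store(entries) -> Dict[str, Tuple[bytes, bytes, Identity]]:
    """Build a constructed credential store: user_id -> (salt, hash, identity)."""
    store = {}
    for user_id, password, identity in entries:
        salt = secrets.token_bytes(16)
        store[user_id] = (salt, _derive(password, salt), identity)
    return store


# Constructed sample principals: two tenants and one provider administrator.
CREDENTIALS = make_store([
    ("alice@tenant-a", "tenant-a-pass", Identity("alice@tenant-a", "tenant", "tenant-a")),
    ("bob@provider", "admin-pass", Identity("bob@provider", "provider_admin")),
    ("carol@tenant-b", "tenant-b-pass", Identity("carol@tenant-b", "tenant", "tenant-b")),
])


def authenticate(user_id: str, password: str) -> Optional[Identity]:
    """Verify one set of credentials; return the identity on success, else None."""
    record = CREDENTIALS.get(user_id)
    if record is None:
        return None
    salt, expected, identity = record
    # Constant-time comparison avoids leaking how many bytes matched.
    if not hmac.compare_digest(_derive(password, salt), expected):
        return None
    return identity


@dataclass
class AuthContext:
    """One authentication context that may carry several verified identities."""
    identities: Set[Identity] = field(default_factory=set)

    def add(self, user_id: str, password: str) -> bool:
        """Authenticate another principal into this context; False if rejected."""
        identity = authenticate(user_id, password)
        if identity is None:
            return False
        self.identities.add(identity)
        return True

    def has(self, role: str, tenant_id: Optional[str] = None) -> bool:
        """True if some identity in the context holds the role (and tenant, if given)."""
        return any(
            i.role == role and (tenant_id is None or i.tenant_id == tenant_id)
            for i in self.identities
        )


def may_modify_tenant_data(ctx: AuthContext, tenant_id: str) -> bool:
    """Two-key rule: the tenant that owns the data AND a provider admin must both
    be authenticated in the same context, like the customer's and the bank's key."""
    return ctx.has("tenant", tenant_id) and ctx.has("provider_admin")


if __name__ == "__main__":
    ctx = AuthContext()
    ctx.add("alice@tenant-a", "tenant-a-pass")
    print("tenant alone:", may_modify_tenant_data(ctx, "tenant-a"))      # False
    ctx.add("bob@provider", "admin-pass")
    print("tenant + admin:", may_modify_tenant_data(ctx, "tenant-a"))    # True
    print("other tenant's data:", may_modify_tenant_data(ctx, "tenant-b"))  # False
```

Each identity is verified on its own before it joins the context, and the authorization decision is made over the set of identities rather than over any single one; a failed credential check leaves the context unchanged, and a context holding the wrong tenant plus an administrator still cannot touch another tenant's data.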
There is a need in the art to provide for efficient, yet secure techniques to establish a single authentication context for multiple identities to facilitate these and other use scenarios. This disclosure addresses this need.