This disclosure relates generally to computer and internet technologies, and particularly to systems and methods for intersystem Single Sign-On (SSO).
Many internet-based applications require the user to carry out a series of steps crossing multiple systems that collaborate with each other yet each remain independent. For example, in internet commerce applications, a consumer may select a product to purchase on a seller's website, but need to make a payment through another website that belongs to a payment service provider. This procedure is particularly common in consumer-to-consumer (C2C) electronic commerce applications, in which the seller may not be equipped to receive electronic payment, or has not established a reputation to be trusted for receiving a direct payment. In internet auctions, for example, the buyer makes a purchase selection at a C2C website (auction site), but instead of paying the seller directly, the buyer often prefers to make a payment through a payment website of a third-party service provider, which may be known for its secure, reliable and convenient instant electronic payment. In this example, the C2C website and the third-party payment website are two independent websites maintained by two independent companies, each having its own user ID domain and ID verification mechanism. To complete the purchase transaction, the buyer may have to log on twice, once at the C2C website and again at the third-party payment website. From the user's (buyer's) point of view, however, it is usually desirable to have a smooth and simplified shopping experience without having to sign on to two different websites during a single purchase transaction. Under such circumstances, it is desirable to have a Single Sign-On (SSO) mechanism that is convenient, fast and secure.
SSO refers to a logon environment in which a user only needs to enter user ID information once for ID verification, and thereupon can automatically sign on to multiple systems or application programs that require user ID verification. The one-time entry of user ID information is done in one of the multiple systems or application programs. The user is not required to enter user ID information again by the other systems or application programs.
Conventional SSO methods and systems are based on two basic software and hardware components: (1) a centralized user administration system for maintaining a universal user view; and (2) a common user ID verification system for conducting unified user ID verification. A user first signs on at the common user ID verification system using a universal user ID, and thereby obtains an authorized token to prove their ID to the participating systems. When the user requests to visit a participating system within the same user ID administrative domain, the authorized token is included in the user's logon request as a hidden “password”. The target participating system queries the common user ID verification system to verify the validity of the token, and determines whether the user ID is valid based on the result of the query.
FIG. 1 illustrates an example of the conventional SSO method and system. The procedure for a single sign-on according to the method and system in FIG. 1 is described as follows:
At step one, a user (not shown) makes an initial request through user browser 100 to application system 110 for accessing a certain resource therein. Upon finding that the user does not have an authorized ID token, application system 110 redirects the user to common ID verification and authorization system 120 for ID verification. The common ID verification and authorization system 120 utilizes a common user ID library 130 for user ID administration.
At step two, the user passes the ID verification process at the common ID verification and authorization system 120 and receives an authorized ID token.
At step three, the user is redirected by the common ID verification and authorization system 120 to application system 110, and sends the authorized ID token to application system 110.
At step four, application system 110 sends the authorized ID token to the common ID verification and authorization system 120 to verify the validity of the ID token. If the ID token is verified to be valid, application system 110 allows the user to access the requested resource; if not, application system 110 denies access by the user.
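The token-based mechanism described above and the four steps of FIG. 1, simulated as an added example that is not part of this disclosure. It assumes HMAC-signed, short-lived tokens and a back-channel validation call from the application system to the common system (step four); the disclosure does not specify the token format, and the user library contents are constructed.

```python
import hashlib, hmac, secrets, time

class CommonIdVerificationSystem:
    """Common ID verification and authorization system (120) with its user ID library (130)."""
    def __init__(self):
        self._key = secrets.token_bytes(32)               # signing key never leaves this system
        self._user_library = {"alice": "correct-horse"}   # constructed common user ID library (130)

    def verify_user(self, user, password):
        """Step two: the user signs on once and receives an authorized ID token (assumed format)."""
        if self._user_library.get(user) != password:
            return None
        expiry = int(time.time()) + 300                   # short-lived token
        msg = f"{user}:{secrets.token_hex(16)}:{expiry}"
        sig = hmac.new(self._key, msg.encode(), hashlib.sha256).hexdigest()
        return f"{msg}:{sig}"

    def validate_token(self, token):
        """Step four: back-channel validity check. Returns the user ID, or None if invalid."""
        parts = token.split(":")
        if len(parts) != 4:
            return None
        user, nonce, expiry, sig = parts
        expected = hmac.new(self._key, f"{user}:{nonce}:{expiry}".encode(),
                            hashlib.sha256).hexdigest()
        # reject forged/tampered tokens (signature) and stale ones (expiry)
        if not hmac.compare_digest(sig, expected) or int(expiry) < time.time():
            return None
        return user

class ApplicationSystem:
    """Application system (110); holds no passwords and trusts only the common system's verdict."""
    def __init__(self, common_system):
        self._common = common_system

    def access_resource(self, token):
        """Step one redirects a user without a token; steps three/four verify and grant or deny."""
        if token is None:
            return "redirect:common-id-verification"
        user = self._common.validate_token(token)          # never trust the presented token as-is
        return f"resource-for-{user}" if user else "denied"

def run_flow(user, password):
    """Drive the four steps of FIG. 1 for one user; returns (first response, final response)."""
    common = CommonIdVerificationSystem()
    app = ApplicationSystem(common)
    first = app.access_resource(None)                      # step one: no token yet, redirect
    token = common.verify_user(user, password)             # step two: sign on at common system
    final = app.access_resource(token) if token else "verification-failed"  # steps three/four
    return first, final
```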
As illustrated, the conventional SSO method requires a common ID verification and authorization system shared by multiple application systems, and further requires a common user ID library. With multiple application systems hosted at diverse websites that use various administrative systems, establishing a common user ID library and common ID verification and authorization system poses difficulties in both administration strategies and technical implementations. Representative examples of such difficulties include:
1. Different websites have different user groups. These user groups each constitute a set. These sets may intersect with each other but usually are not identical to each other. As a result, it is difficult to combine and unify different user groups into a common user ID library.
2. Different websites have their own unique strategy and procedure for user registration and administration. Requiring different websites to convert their systems to a common user ID administrative system for universal user registration and administration is often incompatible with business requirements.
3. Although the common user ID library is shared by multiple systems, each system may need to upgrade independently. As a result, it is difficult to establish a consensus with regard to the standard to be used, and further difficult to determine which system should have the primacy in establishing and maintaining the common user ID library.
4. On the internet, ID tokens are usually communicated using cookies, which generally require that all website systems of the same SSO logon domain belong to the same network domain. Although possible, establishing SSO across different network domains requires a very complicated procedure.
5. The common user ID verification system is a centralized session management unit and is typically prone to single points of failure and performance bottlenecks. Solving such problems may require costly and complicated cluster technology, significantly increasing the cost of constructing and maintaining the system.
6. Considerable modification and renovation of the present system may be necessary in order to change multiple discrete user ID verification and administration systems into a common user ID verification and administration system. This not only increases the cost, but also adds a great deal of risk.
For the foregoing reasons, there exists a significant need for an improved SSO method and system.