1. Technical Field
The invention relates to the field of network security and, in particular, has application to secure access to resources in a network.
In the following, authentication is used to denote verification of the identity of a person, program or device. Authorization is used to denote deciding if a person, program or device is allowed to have access to a resource (data, functionality or service). The invention has particular application to resources accessed via a network and identified by a universal resource locator (URL).
2. Related Art
Large organizations typically support a multitude of diverse directories or databases for separate applications. Within large organizations there can be a number of directories for user identity data which are not consolidated owing to fundamental incompatibilities resulting from their having being produced and developed independently of each other. Directory mapping can be used to support single sign-on (SSO) between various web sites using such disparate directories. For example, SSO is currently provided between the BT.com web site and the web customer relationship management (CRM) application Siebel 7 using a directory mapping. SiteMinder ensures that the user is correctly logged into Siebel using the authorized user (e.g. Siebel User ID: SMITHSONJR), rather than the authenticated user (BT.com user name: jeremy.r.smithson@bt.com). Netegrity® SiteMinder is a commercially available access management system featuring policy-based authentication and authorization management and supporting single sign-on.
A given web site may use one or more databases to support its operation. In the case of a web site using the WebLogic application server, a single database may contain multiple copies of the username (in multiple tables). Some web sites are also dependent on services provided by supporting systems and databases that contain additional copies of the username. The proliferation of multiple copies of a username leads to problems when a user wishes to change their user name. To implement a username change requires each copy of the username to be changed across all databases and systems that store the username. This includes the application server database and supporting databases.
A user might change username, for example, if an email address is used as a username and the user's email address has changed. In this case the user will wish to change username to align with the new email address. Alternatively, a user might change their username as part of plan to migrate all usernames from using email address to using non-email addresses. There is therefore a requirement to facilitate username changes.