1. Field of the Invention
The present invention is directed to technology for authenticating users.
2. Description of the Related Art
As the impact of the Internet continues to alter the economic landscape, companies are experiencing a fundamental shift in how they do business. Business processes involve complex interactions between companies and their customers, suppliers, partners, and employees. For example, businesses interact constantly with their customers—often other businesses—to provide information on product specification and availability. Businesses also interact with vendors and suppliers in placing orders and obtaining payments. Businesses must also make a wide array of information and services available to their employee populations, generating further interactions. To meet new challenges and leverage opportunities, while reducing their overall cost-of-interactions, many organizations are migrating to network-based business processes and models. Among the most important of these is Internet-based E-business.
To effectively migrate their complex interactions to an Internet-based E-business environment, organizations must contend with a wide array of challenges and issues. For example, businesses need to securely provide access to business applications and content to users they deem authorized. This implies that businesses need to be confident that unauthorized use is prevented. Often, this involves the nontrivial, ongoing task of attempting to tie together disparate, system-specific authentication and/or authorization schemes.
To meet these challenges, an E-business host company needs a web access management solution that delivers the ability to effectively secure and manage all the various network-based interactions. A system should accommodate all participants involved with the E-business, whether they are local or remote. It must also be able to distinguish between the E-business' employees and all the users who are affiliated with the E-business host's customers, suppliers and/or partners.
Prior to authorizing a user to access a resource, previous access management systems will authenticate a user. That is, they will verify the identity of the user. After a user successfully authenticates for a first protected resource, the user may request access to a second resource. If the second resource is also protected, the user may be required to perform a second authentication for the second resource. However, it may be redundant to force the user to re-authenticate for the second resource, especially if the previous authentication occurred relatively recently. Requiring repetitive re-authentications can unduly burden both users and networks, causing reductions in productivity and degradations in network performance.
At least one prior art method allows users to avoid such re-authentication in certain limited contexts. For web-based resources existing within a single domain, a single authentication cookie may be set to prove a user's previous successful authentication for a resource within the single domain. If a second resource in the same domain is requested, the previously set cookie can be referenced as proof of a prior authentication in the same domain. If such a cookie exists, the user can bypass authentication for the second resource, as long as the cookie is still valid.
However, authentication becomes significantly more complicated when requested resources reside in multiple domains, any of which may be contained within a single server or distributed across multiple servers. In prior art systems, even if a user need not re-authenticate for access to resources within a single domain, re-authentication would still be required for successive requests made for access to resources residing in different domains. As network-based resources continue to become ever more distributed, these re-authentication inefficiencies grow. Thus, there is a need to authenticate users for multiple resources distributed across multiple domains through a single authentication step without unduly burdening users and systems with unnecessary re-authentication steps.
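As an added illustration of the single-domain prior-art scheme described in the two paragraphs above (this is not part of the patent text): a browser-style cookie jar that only returns a cookie to the domain that set it, and a server-side check that accepts a still-valid cookie as proof of earlier authentication. The HMAC tag, the secret, the domain names and the timestamps are constructed assumptions for the demo; the page only states that a cookie is set and checked for validity.

```python
import hmac
import hashlib

# Constructed demo secret (assumption: the cookie carries an integrity tag so a
# server can reject forged or edited cookies; the page does not specify this).
SECRET = b"constructed-demo-secret"

def make_auth_cookie(user, domain, issued_at, ttl_seconds):
    """Build a domain-scoped authentication cookie: payload plus HMAC-SHA256 tag."""
    expires = issued_at + ttl_seconds
    payload = f"{user}|{domain}|{expires}"
    tag = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return {"domain": domain, "value": f"{payload}|{tag}"}

def in_scope(request_domain, cookie_domain):
    """Cookie is sent only to the setting domain or one of its subdomains."""
    return request_domain == cookie_domain or request_domain.endswith("." + cookie_domain)

def cookies_for(jar, request_domain):
    """Browser behaviour: filter the jar down to cookies scoped to request_domain."""
    return [c for c in jar if in_scope(request_domain, c["domain"])]

def needs_authentication(jar, request_domain, now):
    """Return True if the user must (re-)authenticate for a resource in request_domain."""
    for c in cookies_for(jar, request_domain):
        try:
            user, domain, expires, tag = c["value"].split("|")
        except ValueError:
            continue  # malformed cookie: ignore it
        payload = f"{user}|{domain}|{expires}"
        expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            continue  # tampered or forged cookie: ignore it
        if in_scope(request_domain, domain) and now < int(expires):
            return False  # valid prior authentication within this domain
    return True  # no usable cookie: fall back to a full authentication step

def demo():
    """Constructed scenario: one login to shop.example, then four later requests."""
    t0 = 1_000_000
    jar = [make_auth_cookie("alice", "shop.example", t0, 600)]
    forged = dict(jar[0], value=jar[0]["value"].replace("alice", "mallory", 1))
    return {
        "same_domain": needs_authentication(jar, "shop.example", t0 + 60),
        "subdomain": needs_authentication(jar, "cart.shop.example", t0 + 60),
        "other_domain": needs_authentication(jar, "pay.example", t0 + 60),
        "expired": needs_authentication(jar, "shop.example", t0 + 601),
        "forged": needs_authentication([forged], "shop.example", t0 + 60),
    }
```

The "other_domain" result is the limitation the text goes on to describe: the cookie never reaches pay.example, so that domain sees no proof of the earlier authentication.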