In a networked directory services system, various components are used for authenticating users and for generating authorization data that controls access to network resources, so that authorized users are given secure access to network data and unauthorized users are refused access. In a typical corporate or other enterprise network, computing devices, applications and services are maintained and secured inside the enterprise network, and access to those systems is typically provided only to authorized enterprise personnel. However, as remotely situated computing devices, applications and services that are accessible to a user via a distributed computing network such as the Internet (also known as a cloud-based system) become more and more available, there is a growing need to provide access to applications and services operated and maintained outside the user's enterprise network. In order to grant access to such remotely maintained applications and services, there is similarly a growing need to use existing on-premises device and/or user identities for access to remotely-based applications and services, so that user access to such devices, applications and services is not difficult, time-consuming or cumbersome.
In a typical identity management system, a user may be required to log in or sign on to her local enterprise directory services system to access enterprise devices, applications and services, followed by a second log-in or sign-on to a cloud-based directory services system to access remotely-based devices, applications or services. Alternatively, an operator of the user's enterprise-based directory services system may install and maintain additional local translation devices/servers (e.g., federation servers) that translate a user's log-in or sign-on identity (e.g., credentials such as user name and password) into a token that can be consumed by the remote or cloud-based directory services system for authenticating the user's access to remote devices, applications and services. In the first instance, two sign-on operations must be conducted; in the second instance, additional equipment must be maintained. Thus, there is a need for single sign-on (SSO) identity management that allows a user to access remote or cloud-based devices, applications and services, that saves time, processing resources and equipment resources, and that makes the sign-on process more efficient and enjoyable for the user.