1. Field of the Invention
The present invention relates to computer systems. More specifically, the present invention relates to a method and an apparatus for facilitating single sign-on of a client to access multiple computational applications and resources within an enterprise without having to re-authenticate.
2. Related Art
Single sign-on servers have been deployed in many enterprises to improve customer satisfaction, to reduce authentication overhead, and to maintain stricter compliance with security policies. A single sign-on server allows a user to authenticate one time, and subsequently allows the user to access multiple applications and resources within an enterprise without having to re-authenticate. In many cases, these applications and resources are located on different servers in different locations.
Single sign-on servers typically operate by sending a cookie to a client. A cookie includes information that the single sign-on server can store on the client and retrieve at a later time. Host cookies can be retrieved only by the server that is designated as the host of the cookie; domain cookies, however, can be retrieved by any server that is a member of the same domain as the server that assigned the cookie. Because of this flexibility, domain cookies are often used for single sign-on purposes.
Cookie implementations, in their current form, are not an effective mechanism for preventing nefarious individuals from gaining access to single sign-on systems. Cookies are easy to hijack and can be manipulated because they are stored on the client. In addition, because domain cookies can be retrieved by any server within the same domain as the issuer, nothing is stopping a nefarious individual from deploying a rogue server within a domain to collect these cookies.
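The host-cookie versus domain-cookie distinction described above can be observed directly in a client cookie jar. The following is an added illustration, not part of the patent text, using Python's standard library cookie jar; the host names sso.example.com, rogue.example.com and sso.example.org and the cookie names are constructed for the example.

```python
import http.cookiejar
import urllib.request


def make_cookie(name, value, domain, domain_specified):
    """Build a Netscape-style (version 0) cookie for a CookieJar.

    A leading dot in `domain` marks a domain cookie (Domain attribute set);
    no dot and domain_specified=False marks a host cookie bound to one server.
    Secure is set so the cookie is only released over https.
    """
    return http.cookiejar.Cookie(
        version=0, name=name, value=value,
        port=None, port_specified=False,
        domain=domain, domain_specified=domain_specified,
        domain_initial_dot=domain.startswith("."),
        path="/", path_specified=True,
        secure=True, expires=None, discard=True,
        comment=None, comment_url=None, rest={},
    )


def build_jar():
    """Constructed jar holding one host cookie and one domain cookie."""
    jar = http.cookiejar.CookieJar()
    # Host cookie: returned only to sso.example.com itself.
    jar.set_cookie(make_cookie("SSO_HOST", "h1", "sso.example.com", False))
    # Domain cookie: returned to every host under example.com.
    jar.set_cookie(make_cookie("SSO_DOMAIN", "d1", ".example.com", True))
    return jar


def cookies_sent_to(jar, url):
    """Return the names of the jar's cookies a client would attach to `url`."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)           # applies the jar's scoping policy
    header = req.get_header("Cookie")
    if header is None:
        return []
    return sorted(part.split("=", 1)[0] for part in header.split("; "))


if __name__ == "__main__":
    jar = build_jar()
    for url in ("https://sso.example.com/", "https://rogue.example.com/",
                "https://sso.example.org/", "http://rogue.example.com/"):
        print(url, "->", cookies_sent_to(jar, url))
```

A host elsewhere in the same domain receives the domain cookie but never the host cookie, which is the exposure the paragraph above describes; a host outside the domain, or a plain-http request against a Secure cookie, receives nothing.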
Hence, what is needed is a secure means for implementing single sign-on without the limitations listed above.