1. Technical Field
This disclosure relates generally to management of computing resources in a federated environment.
2. Background of the Related Art
Federated environments are known in the art. A federation is a set of distinct entities, such as enterprises, organizations, institutions, or the like, that cooperate to provide a single-sign-on, ease-of-use experience to a user. A federated environment differs from a typical single-sign-on environment in that two enterprises need not have a direct, pre-established relationship defining how and what information to transfer about a user. Within a federated environment, entities provide services that deal with authenticating users, accepting authentication assertions (e.g., authentication tokens) that are presented by other entities, and providing some form of translation of the identity of the vouched-for user into one that is understood within the local entity. Federation eases the administrative burden on service providers. A service provider (SP) can rely on its trust relationships with respect to the federation as a whole; the service provider does not need to manage authentication information, such as user password information, because it can rely on authentication being accomplished by a user's authentication home domain, which is the domain at which the user authenticates.
In particular, a federated entity may act as a user's home domain that provides identity information and attribute information about federated users. An entity within a federated computing environment that provides identity information, identity or authentication assertions, or identity services, is termed an identity provider (IdP). Other entities or federation partners within the same federation may rely on an identity provider for primary management of a user's authentication credentials, e.g., accepting a single-sign-on (SSO) token that is provided by the user's identity provider. An identity provider is a specific type of service that provides identity information as a service to other entities within a federated computing environment.
It is also known to use a login service where SAML (Security Assertion Markup Language) security has been deployed. The SAML security model offloads user authentication to an IdP, which handles the user login. After the IdP has verified the user's identity, the IdP issues to a service provider (SP) application an identity assertion representing the authenticated user. On receipt of the identity assertion, the SP cryptographically verifies the user's assertion, and the SP may allow the user access to resources if the assertion verification is successful. As a prerequisite to verifying assertions, typically the SP is partnered with the IdP and obtains information about the IdP, including the IdP's certificate used with cryptographic operations.
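The SAML exchange described in the preceding paragraph, as an added illustration in Go that is not part of this disclosure or of any product named herein. It models the IdP issuing a signed assertion after the user's login and the SP verifying that assertion against the key of a partnered IdP before allowing access. All names (idp.example, rogue.example, sp.example, the user "alice") are constructed; the assertion is modelled as signed JSON rather than SAML XML with XML-DSig, the partner's certificate is reduced to its bare public key, and the audience and expiry fields are assumed additions showing the checks an SP applies alongside the signature.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Assertion stands in for a SAML assertion (really XML with an XML-DSig signature); here JSON bytes are signed with ECDSA.
type Assertion struct {
	Issuer   string    `json:"issuer"`
	Subject  string    `json:"subject"`
	Audience string    `json:"audience"`
	Expires  time.Time `json:"expires"`
}

// SignedAssertion is the serialized assertion plus the IdP's signature over it.
type SignedAssertion struct{ Payload, Signature []byte }

// IdP holds the signing key; its public half stands in for the IdP certificate.
type IdP struct {
	Name string
	key  *ecdsa.PrivateKey
}

func NewIdP(name string) *IdP {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) } // constructed example: setup failure is not recoverable
	return &IdP{Name: name, key: key}
}

// Issue is the IdP step: after login, sign an assertion scoped to one SP and one validity window.
func (p *IdP) Issue(subject, audience string, ttl time.Duration) SignedAssertion {
	a := Assertion{Issuer: p.Name, Subject: subject, Audience: audience, Expires: time.Now().Add(ttl)}
	payload, _ := json.Marshal(a) // strings and a time.Time cannot fail to marshal
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, p.key, digest[:])
	if err != nil { panic(err) }
	return SignedAssertion{Payload: payload, Signature: sig}
}

// SP keeps the public keys of its partnered IdPs by issuer name; Partner records one, the prerequisite to verifying.
type SP struct {
	EntityID string
	partners map[string]*ecdsa.PublicKey
}

func (s *SP) Partner(idp *IdP) { s.partners[idp.Name] = &idp.key.PublicKey }

// Verify is the SP step: trusted issuer, valid signature, right audience, not expired, checked in that order.
func (s *SP) Verify(sa SignedAssertion, now time.Time) (string, error) {
	var a Assertion
	if err := json.Unmarshal(sa.Payload, &a); err != nil {
		return "", err
	}
	pub := s.partners[a.Issuer] // nil unless this SP has partnered with the issuer
	digest := sha256.Sum256(sa.Payload)
	switch {
	case pub == nil:
		return "", errors.New("issuer is not a partnered identity provider")
	case !ecdsa.VerifyASN1(pub, digest[:], sa.Signature):
		return "", errors.New("signature does not verify against the partner key")
	case a.Audience != s.EntityID:
		return "", errors.New("assertion was issued for a different service provider")
	case !now.Before(a.Expires):
		return "", errors.New("assertion has expired")
	}
	return a.Subject, nil
}

// Demo runs the exchange plus four failure cases; an entry is true when the SP decided correctly.
func Demo() map[string]bool {
	idp, rogue := NewIdP("https://idp.example"), NewIdP("https://rogue.example")
	sp := &SP{EntityID: "https://sp.example/app", partners: map[string]*ecdsa.PublicKey{}}
	sp.Partner(idp) // rogue also has a valid key pair, but is never partnered
	now, res := time.Now(), map[string]bool{}
	good := idp.Issue("alice", sp.EntityID, 5*time.Minute)
	subj, err := sp.Verify(good, now)
	res["valid_accepted"] = err == nil && subj == "alice"
	// Edit the signed bytes without re-signing: the signature no longer matches.
	forged := bytes.Replace(good.Payload, []byte(`"subject":"alice"`), []byte(`"subject":"admin"`), 1)
	_, err = sp.Verify(SignedAssertion{Payload: forged, Signature: good.Signature}, now)
	res["tampered_rejected"] = err != nil
	_, err = sp.Verify(rogue.Issue("alice", sp.EntityID, 5*time.Minute), now)
	res["unknown_idp_rejected"] = err != nil
	_, err = sp.Verify(idp.Issue("alice", "https://other-sp.example", 5*time.Minute), now)
	res["wrong_audience_rejected"] = err != nil
	_, err = sp.Verify(good, now.Add(10*time.Minute)) // same assertion, presented too late
	res["expired_rejected"] = err != nil
	return res
}

func main() { fmt.Println(Demo()) }
```

Running it prints a map in which every entry is true: the partnered IdP's assertion is accepted, while an assertion whose bytes were altered after signing, one issued by an IdP the SP has not partnered with, one addressed to a different service provider, and one presented after its validity window are each rejected. The order of checks in Verify matters: the issuer name in the payload is used only to select which partner key to verify with, and nothing else in the payload is acted on until the signature has been verified with that key.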
A service provider may also support web-based single sign-on (SSO) with many different Identity Provider partners. In a typical use case, a user accesses a secured business application without yet being authenticated. The service provider is required to start an SSO service to authenticate the user. When multiple IdPs are available, a challenge arises in determining which identity provider is appropriate for a particular request. To address this problem, it is known in the art to provide Identity Provider discovery services and protocols, such as WAYF (“Where Are You From” service), OASIS Identity Provider discovery service, IBM® Tivoli® Federated Identity Manager (TFIM), which is a WAYF-based solution, and the like. The TFIM WAYF-based solution may be configured to automatically redirect a user to a single IdP that meets specific criteria based on the HTTP request data. U.S. Publication No. 2012/0144034, which is assigned to the assignee of this application, describes an alternative IdP discovery service that directs a user to a specific instance of an IdP based on geographic location or IdP system load.
Known identity provider discovery services that are built on WAYF or OASIS often require explicit action by the user (or other unspecified means) to select the appropriate IdP. Discovery services that are provided in commercial products (namely, IBM TFIM) provide significant advantages, but they may require administrator configuration and a deep awareness of the patterns and use cases to fully configure the correct IdP selection parameters.