In a distributed computing environment, resources or services that a user needs to access may be spread out across different computers. As one example, each employee in an enterprise may have a desktop or laptop computer, which accesses files stored in a central cluster of file servers. Each of these various computers may be controlled by a sign-on procedure that requires presentation of credentials. For example, the user may have to enter a valid userID/password combination in order to gain access to his or her desktop or laptop computer. Typically, once a user is signed onto his or her desktop or laptop, he or she does not have to enter a userID/password combination again in order to access the file server, because the file server and the user's computer are part of the same domain.
However, in some cases a user may be working in a first domain (e.g., an environment based on the MICROSOFT WINDOWS operating systems), and may need to access information in a second domain of a different type (e.g., a cluster of computers based on the UNIX operating system). (Domains that differ from each other in this manner may be referred to as “heterogeneous.”) The second domain may maintain its own userIDs and passwords, and may require that the user sign onto the second domain separately. Conventionally, when the user attempts to access the second domain, the second domain will present the user with a prompt to enter “credentials” (e.g., a userID and password) for the second domain, which is clearly an inconvenience to the user. It is desirable to provide a software system that signs a user of the first domain onto the second domain seamlessly, by automatically tendering that user's corresponding userID/password combination to the second domain. Such a system may be referred to as a “single sign-on” (“SSO”) system.
An SSO system may include a database that stores the user's credentials for the various domains that the user may need to access. Thus, when the SSO system needs to sign the user onto a different domain than the one the user is already signed onto, the SSO system can look up that user's corresponding userID/password for the other domain. However, the SSO system's ability to sign the user onto another domain depends on the system having access to an up-to-date password for the user in that other domain. Thus, when the user changes his or her password in any domain, the database should be synchronized to that change, so that it holds the user's current password. In some cases, it may also be desirable to synchronize passwords between domains, such that a given user's password in all domains is the same.
The present invention provides a mechanism to support such synchronization, which has not been realized in the prior art.
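The following is an added illustration, not code from this patent: a small model of two heterogeneous domains, an SSO credential store that tenders the stored userID/password on the user's behalf, and the synchronization hook the store depends on. The domain names, user names, and the `on_password_changed` hook are constructed for the example; it shows a stale entry failing after a direct password change and succeeding again once the change is synchronized (and, in same-password mode, propagated to the other domain).

```python
import hashlib
import secrets

class Domain:
    """One domain (e.g. WINDOWS or UNIX) that authenticates its own accounts with salted PBKDF2 hashes."""
    def __init__(self, name):
        self.name = name
        self._accounts = {}  # domain user id -> (salt, hash)
    def _digest(self, salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
    def set_password(self, user_id, password):
        salt = secrets.token_bytes(16)
        self._accounts[user_id] = (salt, self._digest(salt, password))
    def sign_on(self, user_id, password):
        salt, stored = self._accounts.get(user_id, (b"", b""))
        return secrets.compare_digest(stored, self._digest(salt, password))

class SsoStore:
    """Credential database: (user, domain name) -> (domain user id, password) tendered for the user."""
    def __init__(self):
        self._creds = {}
    def register(self, user, domain_name, domain_user_id, password):
        self._creds[(user, domain_name)] = (domain_user_id, password)
    def sign_on(self, user, domain):
        entry = self._creds.get((user, domain.name))
        return entry is not None and domain.sign_on(*entry)
    def on_password_changed(self, user, changed, new_password, others=(), same_everywhere=False):
        """Sync hook (constructed): refresh the stored credential for `changed`; optionally push it to `others`."""
        uid, _ = self._creds[(user, changed.name)]
        self._creds[(user, changed.name)] = (uid, new_password)
        if same_everywhere:
            for domain in others:
                other_uid, _ = self._creds[(user, domain.name)]
                domain.set_password(other_uid, new_password)
                self._creds[(user, domain.name)] = (other_uid, new_password)

def demo():
    """Constructed scenario: the SSO entry goes stale after a direct password change until synchronized."""
    win, unix = Domain("CORP"), Domain("unix-cluster")
    win.set_password("alice", "w-pass-1")
    unix.set_password("alice_u", "u-pass-1")
    sso = SsoStore()
    sso.register("alice", "CORP", "alice", "w-pass-1")
    sso.register("alice", "unix-cluster", "alice_u", "u-pass-1")
    before = sso.sign_on("alice", unix)        # True: stored credential is current
    unix.set_password("alice_u", "u-pass-2")   # user changes the UNIX password directly
    stale = sso.sign_on("alice", unix)         # False: store still tenders u-pass-1
    sso.on_password_changed("alice", unix, "u-pass-2", others=[win], same_everywhere=True)
    return before, stale, sso.sign_on("alice", unix), win.sign_on("alice", "u-pass-2")
```

The store in this model holds reusable passwords in clear, which is exactly why such a database needs the same protection as the domain credentials it mirrors.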