1. Field of the Invention
The present invention relates to the field of computer networking. More specifically, the present invention relates to a method and apparatus for subscribing, authenticating, and provisioning network-based applications and services.
2. Background Information
With Internet usage becoming near ubiquitous, an ever-increasing number of software application providers and users are turning to the Internet for delivery of that software. Software vendors are migrating to an application service provider (ASP) model of software delivery, and corporate IT is beginning to look upon itself as an ASP, as a Provider to its own end user customers. The application service provider delivery model involves providing a set of one or more computer software applications or services through one or more network connections to a Subscriber, which obtains the application services from the Provider for the benefit of its end users.
In the past, the process of delivering applications from a Provider to a Subscriber (e.g. from an ASP to a Corporate Subscriber, or from Corporate IT to its end users) has been a manual, labor-intensive process as each Subscriber network or end user client was required to be manually configured in order to access each Provider network and Provider application. To accomplish this, Subscribers and Providers were often forced to undergo lengthy planning and design sessions, gathering information from Network/Internet service providers and application vendors for network and system integration.
Similarly, in the past, Subscriber End User authentication has been performed on an application-by-application basis each time a user attempted to access an application hosted by the Provider. This required that the Subscriber notify the Provider and have the Provider update its authentication databases every time the Subscriber required user access privileges to be changed. FIG. 1 illustrates a prior art Provider-Subscriber relationship whereby a Subscriber is connected (e.g., through Internet 105) to two Providers (Provider 1 & Provider 2), each hosting multiple applications. In the past, network integration between Providers and Subscribers has been prohibitively difficult because of security policies enforced by firewalls and because of local network addressing requirements. To overcome these issues of connectivity, Providers and Subscribers have been forced to do one of two things: (1) pay for non-Internet Wide-Area-Network access through Frame Relay, ATM, or private leased lines, or (2) go through the very expensive and time-consuming process of installing a VPN solution. Each of these approaches is an expensive means of connecting the two organizations, and neither addresses the provisioning, authentication, allocation, and monitoring of the application to be delivered.
In the past, it has been necessary for Subscriber End Users to be authenticated by the Provider prior to being granted access to the Provider's applications. For example, prior to being granted access to application “A”, Subscriber End Users at clients 102–103 would be required to be authenticated via authentication database 107. To do so, clients 102–103 would transmit their user ID and password to Provider 1, where a comparison would be made against entries found in authentication database 107. Likewise, in order to access application “B”, clients 102–103 would be required to be authenticated by way of authentication database 109, for example. Even in situations (as with Provider 2) where a single shared authentication database such as database 112 is utilized to authenticate Subscriber End Users for access to multiple Provider applications, the fact remains that the Provider maintains a complete set of user names, passwords, and group membership data independently of the Subscriber, thereby imposing significant administration requirements on both the Provider and the Subscriber, and forcing the Subscriber to give up control of sensitive information.
Therefore, what is needed is a scalable Subscriber-Provider model that overcomes the limitations of the prior art.