When establishing a Single Sign-on (SSO) facility between a reverse proxy and a back-end server, form-based SSO methods are generally inefficient, because both the reverse proxy and the back-end server must authenticate every user.
In addition, most reverse proxies and back-end servers use different user registries, so two sets of authentication information must be maintained and synchronized. A back-end server is one that has no direct connection to the outside world, external processes, users, etc.
The prior art related to SSO is identified below, although this prior art fails to solve many of the background problems.
U.S. Pat. No. 6,938,158 relates to a “Single sign-on system and Single Sign-on method for a web site and recording medium” and discloses an optimization of the authentication flows for requests over different back-end servers. The reverse proxy is designed to store the previously provided authentication credentials for an already authenticated back-end server and to perform a Single Sign-on at the very next interaction over an HTTP request. A reverse proxy is a proxy server installed within the neighborhood of one or more servers, and is typically in front of the web server.
U.S. Pat. No. 7,246,230 relates to a “Single sign-on over the Internet using public-key cryptography”. This patent discloses an Enterprise Application Server which may provide access to several applications, some of them residing on the same page context, but each one secured with a different account profile. This patent provides the generation of a security token at the very first authentication request and trusts the same token for any subsequent authentication requests.
U.S. Pat. No. 5,944,824 relates to a “System and method for Single Sign-on to a plurality of network elements” and describes a method for providing Single Sign-on (SSO) network integration across different system components. This includes password management and requires that the end user authenticates only once to a security service provider. The entire SSO logic is on the server side.
U.S. Pat. No. 6,178,511 relates to “Coordinating user target logons in a Single Sign-on (SSO) environment” and discloses a component named Logon Coordinator, which is in charge of administering the login access to a back-end application for a specified user. The entire SSO logic is still implemented on the server side. This has a number of disadvantages. In addition, this patent offers no password management, which has obvious disadvantages. User provisioning on the back end must be implemented, as there is no provision to reduce redundancy in the storage of user profiles.