Servers, including presentation servers such as Microsoft Terminal Services and servers interacting with Citrix MetaFrame, generally require users to authenticate before being granted access to the resources the servers provide. Servers may be accessed remotely, from a client machine, using a specialized presentation server protocol such as Citrix ICA, Microsoft RDP, or the X protocol.
When a user authenticates directly to a server, the server may use the authentication information the user provided (e.g. a password or certificate) to verify the user's identity. However, in some circumstances, the user will authenticate to a third-party component instead of directly to the server. One reason for authenticating to a third-party component is that the user may not trust the server with his or her credentials and may not want to provide them to the server. Another reason is that the user may be in a different security scope than the server. In this case, the user may not have any credentials acceptable to the server, because the policies of the organization hosting the server may not allow issuance of credentials to external users.
However, authenticating to a third-party component instead of to a server may create several problems. Although a trust relationship may exist between the third-party component and the server (e.g. by using certificates), the server may not trust the third-party component to authenticate a user on behalf of the server. In some circumstances, conventional systems lack the means for the server to use existing user authentication credentials or assertions of a user's identity made by the trusted third-party components to authenticate the user to the server or to authorize the user to access non-web-based resources. In other circumstances, the available credentials associated with the user do not comply with the requirements of the server. For example, a user may have a ticket or certificate but the server accepts only a user name and password. Methods for enabling delegated remote authentication using assertions of identity from trusted third-party components would be desirable.