Embodiments of the present invention relate generally to identity management and access control and more particularly to using a directory enabler and/or profile enabler to support identity management functions.
With the growth of e-business, organizations are wrestling with the challenge of managing secure access to information and applications scattered across a wide range of internal and external computing systems. Furthermore, these organizations need to provide access to a growing number of users, both inside and outside the corporation, without diminishing security or exposing sensitive information. The management of multiple versions of user identities across multiple applications makes the task even more daunting.
Identity management generally includes the concepts of authenticating, i.e., determining that a party is actually who he claims to be, and authorizing, i.e., determining whether a party is authorized or has permission to perform some task, access some resource, etc. Identity management also includes managing attributes e.g., properties, metadata, other identities, preferences, subscriptions, etc., associated with the user. Identity management can also include the notion of anonymizing a user or hiding his identity from those systems or users with which he interacts. However, combining the functions of authentication and authorization with anonymization can be problematic.
Existing methods for combining authentication and authorization with anonymization rely on trust relationships between members of a group or federation. That is, one member of a group may use the authentication and authorization of a user provided by another member of a trusted group. One example of such an arrangement is the use of a single sign-on server. Through a single sign-on server, a user can sign on once and access a number of different servers and/or resources of a group represented by the single sign-on server. Furthermore, the user may be anonymous to the servers of the group. For example, the user may supply his user name and password to the single sign-on server so that he can be authenticated and/or authorized. The single sign-on server may then in turn provide the user with a sign-on identifier or other token that the user can supply to the other servers of the group to prove he is authenticated and/or authorized by the single sign-on server. Since the servers of the group trust the single sign-on server and the tokens supplied by it, the servers can use those tokens rather than the user's other identity information. In this way, the user can remain anonymous to the servers.
However, such trust networks or federations presume that members have perfect knowledge and trust of all other members and require that the network or federation be well established beforehand. This can severely limit the network's ability to expand and handle new users and/or members. The problem is that the federation or “circle of trust” must exist in advance. There is no way for such networks or federations to discover new members as they may be needed or to expand dynamically to handle new members and/or users. That is, current trust relationships must be established and exist before they can be used and there is no way to dynamically discover new members and expand the trust relationship as needed. Hence, there is a need for methods and systems that allow systems to use the existing entities with simple mechanisms to dynamically provide identity management or other services where needed.