An application service provider, as the term is used here, is a supplier that makes a hosted application available to users over a network. Since such hosted applications are often billed according to usage and/or made available for a limited period, application service providers require users to authenticate before accessing the application.
Application service providers generally also allow authentication to be delegated, through authentication delegation and identity federation mechanisms, to entities called identity providers with which the users are registered. This delegation requires a trust relationship to be established beforehand between the application service provider and the identity provider.
Groups of users, for example enterprises, can therefore deploy an identity provider to authenticate their users. It is then the responsibility of the identity provider to optimise the creation (called provisioning below) and deletion (called deprovisioning below) of user accounts according to actual use, in particular to reduce the number of licenses that must be bought from the application service provider.
The best-known solutions use a manager of user rights and roles to provision or deprovision a user account at the moment the user acquires or loses the right to access the application. While this approach does allow deprovisioning as soon as the loss of the right is known, it does not allow provisioning to be matched as closely as possible to actual use: a user may acquire the right long before first using it, or may never use it to access the application at all. At any given instant there are therefore always more provisioned users (that is, users associated with a user account) than users who actually use the application.
On-the-fly provisioning solutions exist, but they must be installed at the application service provider. They rely on user attributes carried by the protocols used to convey authentication proofs between the identity provider and the application service provider, the most widely used being SAML (Security Assertion Markup Language), OAuth and OpenID. These solutions therefore depend on the willingness of the application service providers to implement them. Furthermore, they are limited to provisioning and do not address deprovisioning.