Login| Sign Up| Help| Contact|

Patent Searching and Data


Title:
CONSOLIDATED IDENTITY
Document Type and Number:
WIPO Patent Application WO/2019/125966
Kind Code:
A1
Abstract:
According to various embodiments, a consolidated identity system and method are implemented to provide improved identity management and resource access management, particularly in the context of an enterprise system that requires a tight trust model. In at least one embodiment, the described system and method provide mechanisms for mapping identities among resources. The system and method are able to extract information relevant to a particular entity, such as an employee or user, and to consolidate and/or personalize such information as needed.

Inventors:
YARED, Peter (851 W. Cypress Creek Rd, Ft. Lauderdale, Florida, 33309, US)
KMEC, Tomas (851 W. Cypress Creek Rd, Ft. Lauderdale, Florida, 33309, US)
SUROVEC, Jan (851 W. Cypress Creek Rd, Ft. Lauderdale, Florida, 33309, US)
GAJDOS, Michal (851 W. Cypress Creek Rd, Ft. Lauderdale, Florida, 33309, US)
ELNAGGAR, Omar (851 W. Cypress Creek Rd, Ft. Lauderdale, Florida, 33309, US)
Application Number:
US2018/065855
Publication Date:
June 27, 2019
Filing Date:
December 14, 2018
Export Citation:
Click for automatic bibliography generation   Help
Assignee:
CITRIX SYSTEMS, INC. (851 W. Cypress Creek Rd, Ft. Lauderdale, Florida, 33309, US)
International Classes:
G06F21/62; G06F15/16; G06F21/50; H04L15/16; H04L29/06
Foreign References:
US20030105974A12003-06-05
US20140137262A12014-05-15
US20130081039A12013-03-28
US20090133110A12009-05-21
US20080184349A12008-07-31
US20140007182A12014-01-02
Attorney, Agent or Firm:
MCKENNA, Christopher J. (Foley & Lardner LLP, 3000 K Street NW, 6th Floo, Washington DC, 20007-5109, US)
Download PDF:
Claims:
CLAIMS

What is claimed is:

1. A computer-implemented method for consolidating identity infor- mation across an enterprise comprising a plurality of enterprise systems, comprising:

copying a plurality of entitlements associated with a user from at least one of the enterprise systems to at least one other of the en terprise systems;

authenticating a user at an identity provider;

receiving a request from the user to access a resource associated with one of the enterprise systems;

determining, based on at least one copy of at least one entitlement, whether the user is authorized to access the requested re- source;

responsive to the determination indicating that the user is authorized to access the requested resource, providing access to the re- quested resource; and

responsive to the determination indicating that the user is not author- ized to access the requested resource, denying access to the requested resource.

2. The method of claim 1, wherein:

each entitlement is associated with a group of users; and

determining whether the user is authorized to access the requested re- source comprises determining whether the user belongs to a group that is indicated, in the at least one copy of at least one entitlement, to be authorized to access the requested re source.

3. The method of claim 1, wherein determining whether the user is au- thorized to access the requested resource comprises:

matching the user to an account on the identity provider;

retrieving at least one identity provider authorization for the user; and determining, based on the retrieved at least one identity provider au- thorization, whether the user is authorized to access the re- quested resource.

4. The method of claim 1, wherein determining whether the user is au- thorized to access the requested resource comprises:

mapping the user identity on the identity provider to a second user identity on a service provider;

determining at least one entitlement for the user at a service provider;

and

importing the at least one entitlement from the service provider so as to authorize access to the requested resource.

5. The method of claim 4, wherein importing the at least one entitle- ment from the service provider comprises copying the at least one entitlement into a transient repository.

6. The method of claim 1, wherein determining whether the user is au- thorized to access the requested resource comprises:

mapping the user identity on the identity provider to a second user identity on a service provider;

at the service provider, determining that the user is a member of a

cached service provider group;

at the service provider, based on the membership of the user in the cached service provider group, determining at least one enti- tlement for the user; and importing the at least one entitlement from the service provider so as to authorize access to the requested resource.

7. The method of claim 6, wherein importing the at least one entitle- ment from the service provider comprises copying the at least one entitlement into a transient repository.

8. The method of claim 6, wherein determining at least one entitlement for the user comprises issuing a call to service provider to request permission information, and receiving the requested permission information.

9. The method of claim 1, further comprising:

detecting a user action requiring a writeback to a service provider; identifying an account associated with the user at the service provider; authenticating the user in connection with the identified account; and performing the writeback using the identified account.

10. The method of claim 9, wherein authenticating the user in connec- tion with the identified account comprises authenticating the user based on single-sign-on at the identity provider.

11. The method of claim 9, wherein performing the writeback using the identified account comprises:

presenting the user with a link to a service provider page; and receiving user input via the service provider page to perform the write- back.

12. A non-transitory computer-readable medium for consolidating identity information across an enterprise comprising a plurality of enterprise systems, comprising instructions stored thereon, that when executed by at least one processor, perform the steps of: copying a plurality of entitlements associated with a user from at least one of the enterprise systems to at least one other of the en terprise systems;

authenticating a user at an identity provider;

receiving a request from the user to access a resource associated with one of the enterprise systems;

determining, based on at least one copy of at least one entitlement, whether the user is authorized to access the requested re- source;

responsive to the determination indicating that the user is authorized to access the requested resource, providing access to the re- quested resource; and

responsive to the determination indicating that the user is not author- ized to access the requested resource, denying access to the requested resource.

13. The non-transitory computer-readable medium of claim 12, wherein:

each entitlement is associated with a group of users; and

determining whether the user is authorized to access the requested re- source comprises determining whether the user belongs to a group that is indicated, in the at least one copy of at least one entitlement, to be authorized to access the requested re- source.

14. The non-transitory computer-readable medium of claim 12, wherein determining whether the user is authorized to access the requested resource comprises:

matching the user to an account on the identity provider;

retrieving at least one identity provider authorization for the user; and determining, based on the retrieved at least one identity provider au- thorization, whether the user is authorized to access the re- quested resource.

15. The non-transitory computer-readable medium of claim 12, wherein determining whether the user is authorized to access the requested resource comprises:

mapping the user identity on the identity provider to a second user identity on a service provider;

determining at least one entitlement for the user at a service provider;

and

copying the at least one entitlement from the service provider to a tran- sient repository, so as to authorize access to the requested re- source.

16. The non-transitory computer-readable medium of claim 12, wherein determining whether the user is authorized to access the requested resource comprises:

mapping the user identity on the identity provider to a second user identity on a service provider;

at the service provider, determining that the user is a member of a

cached service provider group;

at the service provider, based on the membership of the user in the cached service provider group, determining at least one enti- tlement for the user; and

copying the at least one entitlement from the service provider to a tran- sient repository, so as to authorize access to the requested re- source.

17. The non-transitory computer-readable medium of claim 16, wherein determining at least one entitlement for the user comprises issuing a call to service provider to request permission information, and receiving the requested permission information.

18. The non-transitory computer-readable medium of claim 12, further comprising instructions stored thereon, that when executed by at least one processor, perform the steps of:

detecting a user action requiring a writeback to a service provider; identifying an account associated with the user at the service provider; authenticating the user in connection with the identified account; and performing the writeback using the identified account.

19. The non-transitory computer-readable medium of claim 18, wherein authenticating the user in connection with the identified account comprises authenticating the user based on single-sign-on at the identity pro- vider.

20. The non-transitory computer-readable medium of claim 18, wherein performing the writeback using the identified account comprises: presenting the user with a link to a service provider page; and receiving user input via the service provider page to perform the write- back.

21. A system for consolidating identity information across an enter- prise comprising a plurality of enterprise systems, comprising:

a processor, configured to:

copy a plurality of entitlements associated with a user from at least one of the enterprise systems to at least one other of the enterprise systems; and

authenticate a user at an identity provider; and

an input device, configured to receive a request from the user to access a resource associated with one of the enterprise systems; wherein the processor is further configured to:

determine, based on at least one copy of at least one entitlement,

whether the user is authorized to access the requested re- source;

responsive to the determination indicating that the user is authorized to access the requested resource, provide access to the re- quested resource; and

responsive to the determination indicating that the user is not author- ized to access the requested resource, deny access to the re- quested resource.

22. The system of claim 21, wherein:

each entitlement is associated with a group of users; and

determining whether the user is authorized to access the requested re- source comprises determining whether the user belongs to a group that is indicated, in the at least one copy of at least one entitlement, to be authorized to access the requested re- source.

23. The system of claim 21, wherein determining whether the user is authorized to access the requested resource comprises:

matching the user to an account on the identity provider;

retrieving at least one identity provider authorization for the user; and determining, based on the retrieved at least one identity provider au- thorization, whether the user is authorized to access the re- quested resource.

24. The system of claim 21, further comprising a transient repository, wherein determining whether the user is authorized to access the requested resource comprises: mapping the user identity on the identity provider to a second user identity on a service provider;

determining at least one entitlement for the user at a service provider;

and

copying the at least one entitlement from the service provider to the transient repository, so as to authorize access to the re- quested resource.

25. The system of claim 21, further comprising a transient repository, wherein determining whether the user is authorized to access the requested resource comprises:

mapping the user identity on the identity provider to a second user identity on a service provider;

at the service provider, determining that the user is a member of a cached service provider group;

at the service provider, based on the membership of the user in the cached service provider group, determining at least one enti- tlement for the user; and

copying the at least one entitlement from the service provider to the transient repository, so as to authorize access to the re- quested resource.

26. The system of claim 25, wherein determining at least one entitle- ment for the user comprises issuing a call to service provider to request per- mission information, and receiving the requested permission information.

27. The system of claim 21, further comprising:

detecting a user action requiring a writeback to a service provider; identifying an account associated with the user at the service provider; authenticating the user in connection with the identified account; and performing the writeback using the identified account.

28. The system of claim 27, wherein authenticating the user in connec- tion with the identified account comprises authenticating the user based on single-sign-on at the identity provider. 29. The system of claim 27, wherein performing the writeback using the identified account comprises:

presenting the user with a link to a service provider page; and receiving user input via the service provider page to perform the write- back.

Description:
CONSOLIDATED IDENTITY

CROSS-REFERENCE TO RELATED APPLICATION

[0001] The present application claims the benefit of U.S. Provisional Appli cation Serial No. 62/ 608,581 for "Consolidated Identity" (Attorney Docket No. SPH004-PROV), filed December 21, 2017, which is incorporated by refer- ence herein in its entirety.

TECHNICAL FIELD

[0002] The present document relates to techniques for managing authenti- cation and identity in online environments.

BACKGROUND

[0003] Identity management is a key aspect of many organizations, provid- ing important information as to which users are authorized to access and use which resources, either within a single organization or across multiple or ganizations. Often, many different resources within an organization are man- aged using multiple identity management systems, each having different ac- cess protocols and maintaining separate sets of user records. Each such iden- tity management system typically relies on an identity provider that main- tains a database of user records that store credentials indicating which users can access which resources. Upon a user's attempt to access a resource, the resource provider can consult an identity provider to verify that the user is authorized to access the resource. If the user is so authorized, the resource grants access to the user. However, when multiple identity management sys- tems are in use for a number of different resources, the task of determining whether to grant access is significantly more complex, especially when the same user may have different electronic identities across different systems.

[0004] Federated identity is a known technique for linking a person's elec- tronic identity and/ or attributes across multiple identity management sys- tems. It allows separate parties to establish a loosely coupled trust relation- ship, such that an identity provider can vouch, to a separate service provider, that a person has logged into the identity provider's system. For example, a user can log into an airline website, and subsequently rent a car from a car rental website without having to manually log in again; rather, the previous login from the airline website is used to automatically identify the user and provide access to his or her identity-associated information at the car rental website. As another example, a user can log into an identity provider such as AOL, and then access another website, such as a weather website; the AOL login is automatically used to identify the user on the weather website, and to provide access to his or her identity-associated information at the weather website.

[0005] In general, federated identity operates in contexts where there is a loose trust model between the identity provider and the service provider. Federated identity systems usually include mechanisms for controlling what identity information should be shared between the identity provider and the service provider. A unique identifier for the identity is shared in order to bind the different accounts with the identity provider and service provider.

[0006] The Liberty Alliance Project has developed guidelines and best prac- tices for identity management, including federated identity. It developed a specification that evolved into Security Assertion Markup Language (SAML), which provides a distinct separation of identity information between an iden- tity provider and service provider, and includes the option of opaque tokens so that a service provider is not given access to any identifiable information about an identity. [0007] Referring now to Fig. 1, there is shown a block diagram depicting a conceptual model for identity management including federated identity, ac- cording to the prior art. User 101 logs in 105 with identity provider 402 (such as AOL). Subsequently, user 101 wants to rent a car from service provider 102 (such as Hertz). An identity binding 106 allows identity provider 402 to pro- vide information to servicer provider 102 that allows service provider 102 to automatically recognize user 101. Once service provider 102 recognizes user

101, service provider 102 can access information specific to user 101, such as rental history 104, that is stored at resources controlled by service provider

102. Notably, however, servicer provider 102 is not given access to informa- tion stored at resources controlled by identity provider 402, such as AOL ac- count history and information 103. In this manner, a separation is maintained between identity provider 402 and servicer provider 102, even though they share enough information to allow users 101 to be identified at both based on authentication at identity provider 402.

[0008] This type of federated identity is well-known; for example, Google and Facebook logins are available on numerous websites, allowing users to be authenticated at other websites based on their Google or Facebook logins.

Due to the pervasiveness of standards such as SAML, federated identity has also gained widespread adoption within enterprise environments such that users can use single sign-on for a variety of both on-premises (e.g., hosted in a customer-owned data center) and cloud systems (e.g., hosted remotely in a third-party data center).

[0009] However, federated identity may not be suitable for enterprise sys- tems that require a tight trust model. Many enterprise environments require very tight trust relationships between an identity provider 402 and a service provider 102. In such a context, many service providers 102 are hosted by the enterprise itself, and those service providers 102 that are external to the enter- prise are subject to intense security controls and compliance to ensure that employee data remains secure. [0010] A direct consequence of federated identity is that all of the data re- lated to an identity is spread across a large number of systems. Employee data, for example, is hosted in numerous systems including payroll, human resources management, financial, and ticketing systems. Thus, federated identity merely provides a limited solution wherein access is provided to various sources of relatively static data.

[0011] In the late 1990s and early 2000s, there was a push to deliver enter- prise portals to user populations that would provide windows or "portlets" into each of the systems that they needed to access. In such an arrangement, each portlet calls a source system and retrieves information relevant to that employee. However, it can be excessively complex to set up the integration for each system. In addition, this arrangement can lead to performance is- sues, as each portlet can be very slow to load, and it can be difficult for em ployees to sort through all of the information across all of the portlets.

[0012] Currently, therefore, identity management within enterprise envi- ronments is inefficient and cumbersome. Although existing solutions provide mechanisms for single-sign-on to multiple resources, access to full data still requires individually accessing each resource that contains relevant data.

SUMMARY

[0013] According to various embodiments, a system and method are de- scribed for implementing an improved mechanism entitled consolidated iden- tity. Consolidated identity addresses the above-described issues, particularly in the context of an enterprise system that requires a tight trust model. For ex- ample, within such a context, the enterprise itself may be the primary identity provider, and the service providers that provide services such as payroll and time-off requests do not hold any data that should not be privy to the enter- prise. As such, there is no need for distinct identity separation between the identity provider and the service provider.

[0014] In at least one embodiment, the described system and method pro- vide mechanisms for mapping identities among resources. The system and method are able to extract information relevant to a particular entity, such as an employee or user, and to consolidate and/or personalize such information as needed.

[0015] Further details and variations are described herein.

BRIEF DESCRIPTION OF THE DRAWINGS

[0016] The accompanying drawings, together with the description, illus- trate several embodiments. One skilled in the art will recognize that the par- ticular embodiments illustrated in the drawings are merely exemplary, and are not intended to limit scope.

[0017] Fig. 1 is a block diagram depicting a conceptual model for identity management including federated identity, according to the prior art.

[0018] Fig. 2 is a block diagram depicting an architecture for storing limited data related to federated identity across numerous systems within an enter- prise.

[0019] Fig. 3 is a diagram depicting a relationship between a user and data about the user that can be hosted in various enterprise systems.

[0020] Fig. 4 is a diagram depicting an example of a method of mapping a user's identity to validate authorization, according to one embodiment.

[0021] Fig. 5 is a diagram depicting a method of chained authentication to enable access to services, according to one embodiment.

[0022] Fig. 6 is a diagram depicting an example of a method of mapping the identity of a user from an identity provider through to a service provider, importing entitlements, and filtering access based on the user's identity, ac- cording to one embodiment.

[0023] Fig. 7 is a diagram depicting an example of a method for copying security authorizations from a service provider in a consolidated identity framework, according to one embodiment.

[0024] Fig. 8 is a diagram depicting an example of a method for using the described techniques in connection with a service provider that uses dynamic, logic-based security authorization, by calling the service provider to request permission information, according to one embodiment. [0025] Fig. 9 is a diagram depicting an example of a method for using dele- gated authentication when writing back to a service provider using an API, according to one embodiment.

[0026] Fig. 10 is a diagram depicting an example of a method for using sin- gle sign-on to automatically log in a user so as to enable writeback in a system that does not support delegated authentication, according to one embodi- ment.

[0027] Fig. 11 is a diagram depicting an example of a method for using deep-linking to a relevant page to perform a writeback action directly, accord- ing to one embodiment.

[0028] Fig. 12 is a diagram depicting an overall conceptual architecture for a consolidated identity system, according to one embodiment.

[0029] Fig. 13 is a block diagram depicting a hardware architecture for a client device that can be used in connection with the architecture depicted in Figs. 12 and/ or 14, according to one embodiment.

[0030] Fig. 14 is a block diagram depicting an overall physical architecture for a consolidated identity system, according to one embodiment.

DETAILED DESCRIPTION OF THE EMBODIMENTS

[0031 ] According to various embodiments, the system can be implemented on any electronic device or set of interconnected electronic devices, each equipped to receive, store, and present information. Each electronic device may be, for example, a server, desktop computer, laptop computer, smart- phone, tablet computer, and/ or the like. As described herein, some devices used in connection with the system described herein are designated as client devices, which are generally operated by end users. Other devices are desig- nated as servers, which generally conduct back-end operations and communi cate with client devices (and/ or with other servers) via a communications network such as the Internet.

[0032] However, one skilled in the art will recognize that the techniques described herein can be implemented in other contexts, and indeed in any suitable device, set of devices, or system capable of interfacing with existing enterprise data storage systems. Accordingly, the following description is in- tended to illustrate various embodiments by way of example, rather than to limit scope.

[0033] As described above, consolidated idenhty provides an improved mechanism that is suited for operation across a high-trust network. At an en terprise, the enterprise itself is the primary identity provider, and the service providers that provide services such as payroll and time-off requests do not hold any data that should not be privy to the enterprise. There is no need for distinct identity separation between the identity provider and the service provider.

[0034] In at least one embodiment, due to the sensitive nature of employee data and the need for self-service access to data, consolidated identity pro- vides additional functionality to satisfy numerous requirements beyond a single customer master scheme wherein all of the information about a cus- tomer is consolidated into a single database.

[0035] Referring now to Fig. 3, there is shown a diagram depicting a rela- tionship between user 101 and data 301 about the user that can be hosted in various enterprise systems. Such data can include, for example, PTO approv- als 301A, PTO requests 301B, purchase orders 301C, expense approvals 301D, service tickets 301E, and metrics 301F.

Providing Access to Limited Data in a Federated identity System

[0036] Referring now to Fig. 2, there is shown a block diagram depicting an architecture for providing access to limited data related to federated identity across numerous systems within an enterprise. In this architecture, user 101 logs in 105 with identity provider 402. Here, identity provider 402 may be im plemented within an enterprise, for example, using a directory service such as Active Directory, available from Microsoft Corporation of Redmond, Wash ington. As in the example of Fig. 1, an identity binding 106 defines a relation- ship between an identity for user 101 at identity provider 402 and an account at service provider 102 (such as, for example, Salesforce.com, Inc. of San Fran- cisco, California). Here, however, because of the tight trust model within the enterprise, identity provider 402 and service provider 102 also share identity attributes 203 that may be stored at resources controlled by identity provider 402, such as location and team, as well as service provider data 204 (such as account history) that may be stored at resources controlled by service pro- vider 102.

Architecture

[0037] Referring now to Fig. 14, there is shown a diagram depicting an overall physical architecture for a consolidated identity system, according to one embodiment.

[0038] Client device 1301 is any electronic device that operates under the control of user 101 and can be used for requesting and receiving information from server-based components via communications network 1309. Commu nications network 1309 can be any suitable electronic network for transmis- sion of electronic data; examples include the Internet, an Intranet, a wireless network, or the like. In at least one embodiment, client device 1301 accesses portal application 1402 running in a data center to request and receive data. In at least one embodiment, Virtual Private Network (VPN) 1401 can be used for improving the security of such access, as is known in the art.

[0039] Consolidated identity module 1206 performs various functions de- scribed herein, including authenticating user 101 based on identity informa- tion obtained from identity provider 402, which may be, for example an Ac- tive Directory. Once user 101 has been authenticated, consolidated identity module 1206 makes data requests on behalf of user 101 from service provider 602, using enterprise software available, for example, from SAP SE of Wall- dorf, Germany. In at least one embodiment, consolidated identity module 1206 caches currently relevant, active data in transient repository 1403; any changes can later be transferred to service provider 602 as described in more detail below. [0040] Referring now to Fig. 12, there is shown a diagram depicting an overall conceptual architecture for a consolidated identity system, according to one embodiment. In at least one embodiment, consolidated identity system 1206 as described herein includes functionality for providing chained authen- tication 1207, user identity mapping 1208, access control 1209, and active data rights 1210 for an enterprise system.

[0041] In at least one embodiment, consolidated identity module 1206 in teracts with various components of the enterprise. Endpoint management systems 401 (for example including enterprise mobility management (EMM) systems), directories 1201, and identity providers 402 provide functionality for user authentication 1202, user identity/ name 1203, access control groups 1204, and/ or user attributes 1205. One example of an endpont management system 401 that can be used in connection with the described system is Citrix Endpoint Management, available from Citrix, Inc. of Fort Lauderdale, Florida and Santa Clara, California. Consolidated identity module 1206 also interacts with various pieces of software functionality, such as on-premises apps 1215, cloud apps 1216, and/ or proprietary apps 1217, each of which can provide app authentication 1211, user identity/ name 12103, access control groups and policies 1213, and/ or active data 1214.

[0042] Referring now to Fig. 13, there is shown a block diagram depicting a hardware architecture for a client device 1301 that can be used in connection with the architecture depicted in Figs. 12 and/ or 14, according to one em bodiment. Client device 1301 may be any electronic device equipped to re- ceive, store, and/ or present information, and to receive user input in connec- tion with such information. Client device 1301 can be, for example, a desktop computer, laptop computer, personal digital assistant (PDA), cellular tele- phone, smartphone, music player, handheld computer, tablet computer, ki- osk, game system, or the like.

[0043] In at least one embodiment, client device 1301 has a number of hard- ware components well known to those skilled in the art. Input device 1302 can be any element that receives input from user 101, including, for example, a keyboard, mouse, stylus, touch-sensitive screen (touchscreen), touchpad, trackball, accelerometer, five-way switch, microphone, or the like. Input can be provided via any suitable mode, including for example, one or more of: pointing, tapping, typing, dragging, and/ or speech. Each user 101 can be, for example, an end user or a system administrator.

[0044] Data store 1306 can be any magnetic, optical, or electronic storage device for data in digital form; examples include flash memory, magnetic hard drive, CD-ROM, DVD-ROM, or the like.

[0045] Display 1303 can be any element that graphically displays informa- tion such as notifications, representations of data, user interface elements, prompts, and/ or the like. Such output may include, for example, raw data, data visualizations, navigational elements, queries requesting confirmation and/ or parameters for information identification, display, or presentation, and/ or the like. In at least one embodiment where only some of the desired output is presented at a time, a dynamic control, such as a scrolling mecha- nism, may be available via input device 1302 to change which information is currently displayed, and/ or to alter the manner in which the information is displayed.

[0046] In at least one embodiment, the information displayed on display 1303 may include data in text and/ or graphical form, and can include various controls and elements for interacting with the displayed data, for example to dismiss alerts, follow links, forward alerts, investigate further, and/ or per- form other actions.

[0047] Processor 1304 can be a conventional microprocessor for performing operations on data under the direction of software, according to well-known techniques. Memory 1305 can be random-access memory, having a structure and architecture as are known in the art, for use by processor 1304 in the course of running software.

[0048] Data store 1306 can be local or remote with respect to the other components of client device 1301. Communications module 1307 provides functionality for communicating other components of the system, via a com- munications network 1309 such as the Internet, for example to issue requests for information, perform authentications, receive notifications, and/ or per- form other operations. Such communication between client device 1301 and other components can take place wirelessly, by Ethernet connection, via a computing network such as the Internet, via a cellular network, or by any other appropriate means.

[0049] In at least one embodiment, data store 1306 is detachable in the form of a CD-ROM, DVD, flash drive, USB hard drive, or the like. In another em bodiment, data store 1306 is fixed within client device 1301.

[0050] In one embodiment, the system can be implemented as software written in any suitable computer programming language, whether in a stand- alone or client/ server architecture. Alternatively, it may be implemented and/ or embedded in hardware.

[0051] The system and method described herein can be implemented on architectures such as those depicted in Figs. 12 and 13. However, one skilled in the art will recognize that other architectures can be used as well. Accord- ingly, the descriptions provided herein are intended to be illustrative and are not intended to limit scope to any particular implementation or architecture.

[0052] In at least one embodiment, a consolidated identity framework in cludes five elements:

(1) consolidated active data;

(2) authentication by one or more identity providers;

(3) authorization by an identity provider;

(4) authorization by a service provider; and

(5) writing back to service providers with either delegated or di- rect authorization.

[0053] One skilled in the art will recognize that these five elements can be implemented singly or in any combination. Each will be described in turn. Consolidated Active Data

[0054] In at least one embodiment, transient repository 1403 contains cur- rently relevant, active data, such as that associated with an employee from each service provider 602. Since access controls for employee data are typi- cally also stored by each service provider 602, the controls are also synced to the transient database.

[0055] In general, it is not necessary to consolidate all data for an employee; rather, only active data need be consolidated. For example, the requests of the consolidated identity could be only for open time-off requests, rather than every time-off request ever made for both active and inactive employees. Thus, active data can be defined as that subset of all data that is of interest at any given time, such as for example open and recently changed records within a data set.

[0056] Sometimes it is not possible to consolidate certain data. Accord- ingly, in at least one embodiment, a fallback is provided by pulling the data on an ad hoc basis, using traditional API mechanisms. For example, if a user is attempting to retrieve information from a database containing a large num ber of records. Given the large number of records, it may not be feasible for all data in all the records to be synchronized and made available from differ- ent sources. Thus, in at least one embodiment, some information may be syn- chronized while other information may only be retrieved from the primary source upon demand.

[0057] In at least one embodiment, when employee data is consolidated, controls are added to maintain data security. Such controls can include, for example, authentication and/ or authorization, as described in more detail be- low.

Authentication by One or More identity Providers

[0058] One benefit of federated identity is the ability to use an identity pro- vider such as Active Directory Federation Services to enable single sign-on (SSO) across multiple service providers such as Salesforce and SAP. However, it is not uncommon to have multiple identity providers that provide authenti- cation, whether due to mergers or for compliance reasons. In at least one em bodiment, the consolidated identity framework described herein embraces authentication via multiple identity providers and also binds a user's account names across multiple identity providers.

[0059] Another common enterprise scenario is chaining identity providers, such as when a user authenticates an endpoint management system, such as Citrix Endpoint Management. For example, when a user 101 uses fingerprint authentication, his or her identity is mapped to the user's account in an iden- tity provider such as Active Directory, in order to validate authorization.

[0060] Referring now to Fig. 4, there is shown a diagram depicting an ex- ample of a method of mapping a user's 101 identity to bind authorizations, according to one embodiment. User 101 logs in 403 via endpoint manage- ment system 401. Based on the log-in information, user 101 is matched 404 to user's account on identity provider 402 (which may, for example be an Active Directory), so as to determine which resources the user 101 is authorized to access. In at least one embodiment, the system does not validate authoriza- tions. Rather, the system relies on the local device to authenticate user 101, for example via a fingerprint or password, and then retrieve information that user 101 is permitted to access.

Authorization by an identity Provider

[0061] In at least one embodiment, an identity provider can provide ap- propriate authorization in connection with a user 101. Typically, identity pro- viders provide coarse-grained authorization via groups and attributes. For example, authorization might be provided for a group such as "East Coast Sales". In a consolidated identity framework as described herein, such au- thorization can be asserted so as to enable access to services.

[0062] Referring now to Fig. 5, there is shown an example of a method of chained authentication to enable access to services, according to one embodi- ment. As in the method of Fig. 4, user 101 logs in 403 via endpoint manage- ment system 401. Based on the log-in information, user 101 is matched 404 to user's account on identity provider 402. Identity provider 402 authorizations for user 101 are then retrieved 501 so as to determine which resources user 101 is authorized to access.

[0063] In this manner, the system is able to determine what authorizations are available to user 101 even if the authenticating device itself does not know this information. The chained authentication mention of Fig. 5 allows for two or more authentication providers to be provided, thus providing improved functionality over conventional systems that provide authorization but not authentication. More specifically, according to the described method, once user 101 has logged in, the system matches user 101 to a record in identity provider 402 to determine what resources user 101 is allowed to access, thus providing a technique of chained authentication. In at least one embodiment, the described method is able to determine authorization via groups and at- tributes to enable access to services.

Authorization by a Service Provider

[0064] In some cases, it may be desirable for service providers to include fine-grained security controls on data and records. For example, human re- sources systems often attempt to ensure that human resources staff can only see data associated with their employee populations.

[0065] The following are three examples of ways that a consolidated iden- tity framework can integrate service provider authorization.

1) Import entitlements that are embedded into data records

[0066] Referring now to Fig. 6, there is shown a diagram depicting an ex- ample of a method of mapping the identity of a user 101 from an identity pro- vider 402 (such as Active Directory 402) through to a service provider 602, importing entitlements, and filtering access based on user's 101 identity, ac- cording to one embodiment. In this manner, user 101 can be known system- wide via dynamic account mapping after logging in at a single location. [0067] Many service providers (such as SAP) include entitlements directly in records, specifying who is authorized to do what to each record (such as, for example, approve a purchase order). In at least one embodiment, the con- solidated identity framework maps the identity of user 101 from identity pro- vider 601 through to service provider 602.

[0068] For example, as shown in Fig. 6, user 101 logs in 601 as "jsmith" with identity provider 402, and is determined to be a member of a group called Managers. On service provider 602 (which in this example is SAP), user 101 is known as "smithj0422" and is entitled to see records (such as pur- chase orders 603) that have smithj0422 as approver. Also, service provider 602 specifies that user 101 is able to approve purchase orders 604. Since these entitlements in the active purchase order can be copied into transient reposi- tory 1403, the consolidated identity framework imports the entitlements that originated from service provider 602, and can filter access appropriately based on user's 101 identity.

2) Synchronize authorization groups and defined record filters

[0069] For service providers that use medium-grained filtering such as es- tablished groups and defined record filters, such security authorizations can be copied into the consolidated identity framework and directly applied to transient data. For example, a manager only needs access to open time-off re- quests, and should only be able to see time-off requests for their employees. An employee should only be able to see their time off requests.

[0070] Referring now to Fig. 7, there is shown a diagram depicting an ex- ample for using the described techniques in connection with a service pro- vider 602, by copying security authorizations (such as security groups) in a consolidated identity framework, and applying such authorizations to cached data from that service provider 602, according to one embodiment. In this ex- ample, user 101 logs in 601 as "jsmith" with identity provider 402. On service provider 602 (which in this example is SAP), user 101 is known as

"smithj0422" and is determined to be a member of a cached identity group called "Managers" which is defined at service provider 602. Security authori- zations are copied from service provider 602 and placed into the consolidated ID framework. Such security authorizations can be associated with individ- ual users and/ or groups.

[0071 ] Accordingly, user 101 is entitled to see cached purchase orders 603 that have smithj0422 as approver. Also, service provider 602 specifies that user 101 is able to approve purchase orders 604.

[0072] This approach can also be combined across systems. For example, relevant employee HR data can be copied into the transient data store from a human resource system, along with group and record filter specifications. The HR data can then be combined with HR data from other systems, each with its own group and record filter specifications. When an HR staff member que- ries the transient data store to pull up a consolidated view of an employee, he or she can only see the specific data they are allowed to see as provisioned in each source system.

3) Inquire with the service provider ad-hoc to learn what a user can do

[0073] Some service providers 602 use very dynamic, logic-based security authorization. In this case, the consolidated identity system calls service pro- vider 602 to ask for permission information. However, the consolidated iden- tity system need not query the actual data from multiple systems, only the permissions to see the data.

[0074] Referring now to Fig. 8, there is shown a diagram depicting an ex- ample of such a method. The method of Fig. 8 is similar to that of Fig. 7. However, here, once it is determined that user 101 is known as "smithj0422" on service provider 602, the system calls service provider 602 to request per- mission information. Once the permission information is provided, the enti- tlements and limitations specified by service provider 602 can be applied, such as the ability for user 101 to see cached purchase orders 603 on which he is the approver, and to approve purchase orders 604.

[0075] The technique depicted in Fig. 8 thus allows for more complicated and/ or specific authorizations. For example, user 101 may be authorized to see records related to specific territories and/or dollar amounts; such specific authorizations can be enabled using the dynamic methodology depicted in Fig. 8.

Writing Back to Service Providers

[0076] In at least one embodiment, since a consolidated identity module 1206 uses transient repository 1403; any data changes are made directly back to service provider 102.

[0077] One critical aspect of a writeback is to validate the coherency of the transient repository. For example, before a purchase order can be approved for a particular amount, the system must first verify that the purchase order is still for the correct amount, and has not been changed to another amount in the source system.

[0078] Depending on the service provider API capabilities and compliance with enterprise policies, any of various mechanisms can be used to perform the writeback to service provider 102. Three examples of such mechanisms are described below.

1) API with delegated authentication using a service account

[0079] In at least one embodiment, a consolidated identity framework can employ delegated authentication when writing back to service provider 102 using an API. Referring now to Fig. 9, there is shown a diagram depicting an example of such a process. User 101 logs into 902 identity provider 402,.

When user 101 performs 903 an action requiring a writeback to service pro- vider 602, the consolidated identity framework uses an API to service pro- vider 602, authenticated by a service account 901 on behalf of user 101. The user's account at service provider 602 is then used 1005 to perform the write- back at service provider 602.

[0080] In various embodiments, service provider 602 records 904 the fact that user 101 performed the action that required writeback, either by re- cording user 101 as the initiator of the writeback, or by appending a note to the record indicating that service account 901 performed the writeback on be- half of user 101. Service provider 602 is the authenticator of the writeback, but the writeback done on behalf of user 101.

2) API with user-based authentication using an SSO

[0081] Some APIs, such as SAP BAPI, do not support delegated authentica- tion and will only perform a writeback if user 101 has logged in him- or her- self. In at least one embodiment, a consolidated identity framework can em ploy delegated authentication when writing back to service provider 102 us- ing an API. Referring now to Fig. 10, there is shown a diagram depicting an example of a method for using single sign-on to automatically log in user 101 so as to enable writeback in a system that does not support delegated authen- tication, according to one embodiment.

[0082] User 101 logs into 1002 the consolidated identity framework via identity provider 402, which supports single sign-on capability 1001 for ser- vice provider 602. When user 101 performs 903 an action requiring a write- back to service provider 602 (step 1), several steps take place. First, user 101 is redirected to the login page of service provider 602, SSO 1001 automatically logs in 1004 user 101 (step 2), and user 101 is then redirected back to the con- solidated identity system (step 3). The consolidated identity system now has the credentials necessarily to perform 1005 the writeback with user's 101 cre- dentials (steps 4 and 5).

3) Pass-through to the service provider using a deep link

[0083] As a third approach, for systems that either do not support API ac- cess or for compliance reasons do not permit API access, user 101 can be deep-linked directly to the relevant page of the service provider application to directly perform a writeback action by clicking a button or other workflow.

[0084] Referring now to Fig. 11, there is shown an example of such a proc- ess. User 101 logs into 1002 the consolidated identity framework via identity provider 402, which supports single sign-on capability 1001 for service pro- vider 602. When user 101 performs 903 an action requiring a writeback to service provider 602, user 101 is deep-linked 1104 to a service provider page and logged in with SSO. User 101 can then manually perform 1105 the write- back action directly within service provider 602. Alternatively, writeback ac- tions can take place automatically.

[0085] One skilled in the art will recognize that the examples depicted and described herein are merely illustrative, and that other arrangements of user interface elements can be used. In addition, some of the depicted elements can be omitted or changed, and additional elements depicted, without depart- ing from the essential characteristics.

[0086] The present system and method have been described in particular detail with respect to possible embodiments. Those of skill in the art will ap- preciate that the system and method may be practiced in other embodiments. First, the particular naming of the components, capitalization of terms, the at- tiibutes, data structures, or any other programming or structural aspect is not mandatory or significant, and the mechanisms and/ or features may have dif ferent names, formats, or protocols. Further, the system may be implemented via a combination of hardware and software, or entirely in hardware ele- ments, or entirely in software elements. Also, the particular division of func- tionality between the various system components described herein is merely exemplary, and not mandatory; functions performed by a single system com ponent may instead be performed by multiple components, and functions performed by multiple components may instead be performed by a single component.

[0087] Reference in the specification to "one embodiment" or to "an em bodiment" means that a particular feature, structure, or characteristic de- scribed in connection with the embodiments is included in at least one em bodiment. The appearances of the phrases "in one embodiment" or "in at least one embodiment" in various places in the specification are not necessar- ily all referring to the same embodiment.

[0088] Various embodiments may include any number of systems and/ or methods for performing the above-described techniques, either singly or in any combination. Another embodiment includes a computer program prod- uct comprising a non-transitory computer-readable storage medium and computer program code, encoded on the medium, for causing a processor in a computing device or other electronic device to perform the above-described techniques.

[0089] Some portions of the above are presented in terms of algorithms and symbolic representations of operations on data bits within a memory of a computing device. These algorithmic descriptions and representations are the means used by those skilled in the data processing arts to most effectively convey the substance of their work to others skilled in the art. An algorithm is here, and generally, conceived to be a self-consistent sequence of steps (in structions) leading to a desired result. The steps are those requiring physical manipulations of physical quantities. Usually, though not necessarily, these quantities take the form of electrical, magnetic or optical signals capable of being stored, transferred, combined, compared and otherwise manipulated.

It is convenient at times, principally for reasons of common usage, to refer to these signals as bits, values, elements, symbols, characters, terms, numbers, or the like. Furthermore, it is also convenient at times, to refer to certain ar rangements of steps requiring physical manipulations of physical quantities as modules or code devices, without loss of generality.

[0090] It should be borne in mind, however, that all of these and similar terms are to be associated with the appropriate physical quantities and are merely convenient labels applied to these quantities. Unless specifically stated otherwise as apparent from the following discussion, it is appreciated that throughout the description, discussions utilizing terms such as " process- in g" or "computing" or "calculating" or "displaying" or "determining" or the like, refer to the action and processes of a computer system, or similar elec- tronic computing module and/ or device, that manipulates and transforms data represented as physical (electronic) quantities within the computer sys- tem memories or registers or other such information storage, transmission or display devices. [0091] Certain aspects include process steps and instructions described herein in the form of an algorithm. It should be noted that the process steps and instructions can be embodied in software, firmware and/ or hardware, and when embodied in software, can be downloaded to reside on and be op- erated from different platforms used by a variety of operating systems.

[0092] The present document also relates to an apparatus for performing the operations herein. This apparatus may be specially constructed for the required purposes, or it may comprise a general-purpose computing device selectively activated or reconfigured by a computer program stored in the computing device. Such a computer program may be stored in a computer readable storage medium, such as, but is not limited to, any type of disk in cluding floppy disks, optical disks, CD-ROMs, DVD-ROMs, magnetic-optical disks, read-only memories (ROMs), random access memories (RAMs), EPROMs, EEPROMs, flash memory, solid state drives, magnetic or optical cards, application specific integrated circuits (ASICs), or any type of media suitable for storing electronic instructions, and each coupled to a computer system bus. Further, the computing devices referred to herein may include a single processor or may be architectures employing multiple processor de- signs for increased computing capability.

[0093] The algorithms and displays presented herein are not inherently re- lated to any particular computing device, virtualized system, or other appara- tus. Various general-purpose systems may also be used with programs in ac- cordance with the teachings herein, or it may prove convenient to construct more specialized apparatus to perform the required method steps. The re- quired structure for a variety of these systems will be apparent from the de- scription provided herein. In addition, the system and method are not de- scribed with reference to any particular programming language. It will be appreciated that a variety of programming languages may be used to imple- ment the teachings described herein, and any references above to specific lan- guages are provided for disclosure of enablement and best mode. [0094] Accordingly, various embodiments include software, hardware, and/ or other elements for controlling a computer system, computing device, or other electronic device, or any combination or plurality thereof. Such an electronic device can include, for example, a processor, an input device (such as a keyboard, mouse, touchpad, track pad, joystick, trackball, microphone, and/ or any combination thereof), an output device (such as a screen, speaker, and/ or the like), memory, long-term storage (such as magnetic storage, opti- cal storage, and/ or the like), and/ or network connectivity, according to tech- niques that are well known in the art. Such an electronic device may be port- able or non-portable. Examples of electronic devices that may be used for implementing the described system and method include: a mobile phone, personal digital assistant, smartphone, kiosk, server computer, enterprise computing device, desktop computer, laptop computer, tablet computer, con- sumer electronic device, or the like. An electronic device may use any operat- ing system such as, for example and without limitation: Linux; Microsoft Windows, available from Microsoft Corporation of Redmond, Washington; Mac OS X, available from Apple Inc. of Cupertino, California; iOS, available from Apple Inc. of Cupertino, California; Android, available from Google, Inc. of Mountain View, California; and/ or any other operating system that is adapted for use on the device.

[0095] While a limited number of embodiments have been described herein, those skilled in the art, having benefit of the above description, will appreciate that other embodiments may be devised. In addition, it should be noted that the language used in the specification has been principally selected for readability and instructional purposes, and may not have been selected to delineate or circumscribe the subject matter. Accordingly, the disclosure is in- tended to be illustrative, but not limiting, of scope.