Hybrid single sign-on for software applications and services using classic and modern identity providers

摘要

An authentication management system receives a resource request directed to a software service, which may require password-based authentication. The system redirects the resource request to an authentication identity provider (IdP), and receives an authentication token generated by the authentication IdP. The redirecting of the resource request comprises transmission of an authentication request, which includes user identity information that can be authenticated by the IdP but does not include a password for the software service. In response to receiving the authentication token, the system causes a shadow account to be created with the software service. For password-based authentication, this may include setting a temporary, random password for the shadow account. The system is then able to generate authenticated connection information (e.g., an authentication cookie) for the software service and transmit it to a client device, which enables the client device to access the software service via an authenticated connection.