Abstract: An identity provider of a cloud computing service provides authentication for on-premise applications that is subject to a legacy authentication protocol that differs from the cloud-based network authentication protocol used by the identity provider. The identity provider generates a security ticket for use to gain access to the on-premise application. The security ticket is embedded in a security token associated with a cloud-based network authentication protocol. A client application seeking access to the on-premise application extracts the embedded security ticket from the security token which is then used to access the on-premise application via a legacy authentication protocol.

Abstract: An identity provider of a cloud computing service provides authentication for on-premise applications that is subject to a legacy authentication protocol that differs from the cloud-based network authentication protocol used by the identity provider. The identity provider generates a security ticket for use to gain access to the on-premise application. The security ticket is embedded in a security token associated with a cloud-based network authentication protocol. A client application seeking access to the on-premise application extracts the embedded security ticket from the security token which is then used to access the on-premise application via a legacy authentication protocol.

Abstract: An authentication server may not support all types of user credentials. For example, an on-premise authentication server may support credentials based on user secrets (i.e. username and password) and certificate-based credentials, but not hardware-key based credentials. A client device may use an un-supported type of credential to access resources managed by the on-premise authentication server by authenticating with a web-based authentication server. The web-based authentication server may support any type of credential, and the supported types of credentials may change over time. The web-based authentication server returns an authenticated user token indicating the user has been authenticated, but without authorizing access to any resources. The client device uses the on-premise authentication server to exchange the authenticated user token for an authorized user token. The client device then uses the authorized user token to access resources on the on-premise network.

Abstract: An authentication server may not support all types of user credentials. For example, an on-premise authentication server may support credentials based on user secrets (i.e. username and password) and certificate-based credentials, but not hardware-key based credentials. A client device may use an un-supported type of credential to access resources managed by the on-premise authentication server by authenticating with a web-based authentication server. The web-based authentication server may support any type of credential, and the supported types of credentials may change over time. The web-based authentication server returns an authenticated user token indicating the user has been authenticated, but without authorizing access to any resources. The client device uses the on-premise authentication server to exchange the authenticated user token for an authorized user token. The client device then uses the authorized user token to access resources on the on-premise network.