Patent attributes
A system, method, and computer-readable storage medium provide single sign-on (SSO) in a nested virtualization environment by routing authentication tokens received from an authentication server through the hierarchy of virtual machines (VMs) using secure data communications tunnels between each hypervisor and its respective VMs. A key store stores SSO authentication tokens for users of the nested VMs, and a key controller ensures that each login by a user to a separate VM is associated with its own token. Each login request is uniquely tagged to identify the particular VM requesting credentials, so that the responsive authentication token can be properly routed through the hierarchy. Moreover, session preferences may be associated with each user and/or each VM, enabling a rules evaluator to determine, for each login request, whether SSO functionality should be provided or whether the user should be required instead to provide new login credentials.