Client and server group SSO with local openID

US9237142B2 · US · B2

Patent metadata

Publication number: US-9237142-B2
Application number: US-201213978219-A
Country: US
Kind code: B2
Filing date: Jan 6, 2012
Priority date: Jan 7, 2011
Publication date: Jan 12, 2016
Grant date: Jan 12, 2016

Abstract

Official abstract text for this publication.

A user of a mobile communications device may access services in a target domain using a source domain identity that is used to access services in a source domain. To enable such a use of the source domain identity in the target domain, the source domain identity may first be enrolled in the target domain. The enrollment may be facilitated by an enrollment entity at the target domain, such as a gateway or an OpenID server for example. The enrollment entity may establish a secure channel with the user's device for enabling enrollment of the source domain identity. Once enrolled, the source domain identity may be used for authentication of the user in the target domain. Enrollment of the source domain identity and/or authentication of the user based on the enrolled source domain identity may be implemented using a local OpenID provider (OP) residing on the user's device.

First claim

Opening claim text (preview).

What is claimed:

1. A computer-implemented method for enabling authentication of a user of a user device via an identity of a user that has been authenticated for use in a source domain, the method comprising: receiving the user's authenticated source domain identity at a target domain, wherein the user's authenticated source domain identity enables the user to access a source domain service at the source domain; enrolling the user's authenticated source domain identity at the target domain, wherein the enrollment of the user's authenticated source domain identity enables the user to access a target domain service being provided at the target domain using the user's authenticated source domain identity; and authenticating, via an identity provider residing locally on the user device, the user for the access to the target domain service using the enrolled user's authenticated source domain identity, wherein authenticating the user for the access to the target domain service further comprises: deriving a signing key based on a key that is shared with the identity provider; and sending the signing key to a service provider of the target domain service.

2. The method of claim 1, further comprising: generating a local enrollment parameter for initiating the authentication via the identity provider on the user device; sending the local enrollment parameter to the local identity provider to initiate the authentication via the identity provider; and receiving a signed assertion from the identity provider indicating the authentication of the user at the target domain.

3. The method of claim 2, further comprising: establishing, at the target domain, a secure channel with the identity provider using a shared key, and wherein the signed assertion is received via the secure channel.

4. The method of claim 1, wherein enrolling the user's authenticated source domain identity further comprises sending a request for enrollment of the user's authenticated source domain identity to an identity provider aggregation entity.

5. The method of claim 1, wherein enrolling the user's authenticated source domain identity further comprises: determining a target domain identity associated with the user based on the user's authenticated source domain identity; and storing an association of the target domain identity and the user's authenticated source domain identity for enabling the authentication of the user at the target domain.

6. The method of claim 1, wherein the method is performed by a gateway residing at the target domain or an identity provider server residing at the target domain.

7. The method of claim 6, wherein the gateway is one of a plurality of gateways used to control access to the target domain service.

8. The method of claim 1, wherein enabling the authentication of the user for the access to the target domain service further comprises: rewriting the user's authenticated source domain identity as the target domain identity; and sending the target domain identifier to a service provider of the target domain service.

9. The method of claim 1, wherein the target domain service is included in a group of services in the target domain that are accessible using the user's authenticated source domain identifier.

10. The method of claim 1, wherein the user's authenticated source domain identity is received from the user via an enrollment service at the target domain, and wherein the enrollment service sends the user's authenticated source domain identity to an identity provider aggregation entity.

11. The method of claim 1, wherein the source domain is controlled by an identity provider server that is external to the user device.

12. The method of claim 1, wherein enrolling the user's authenticated source domain identity at the target domain further comprises sending information to the identity provider via a secondary channel, and wherein the secondary channel is different from a channel on which the authentication is performed.

13. A method for enabling the use of a user's identity which has been authenticated by an identity provider for use in a source domain for obtaining access to a service at a target domain, the method comprising, at a user device: sending the user's authenticated source domain identity to the target domain to obtain access to the service at the target domain, wherein the user's authenticated source domain identity enables the user to access a source domain service at the source domain; receiving a request for an authentication of the user to enable an enrollment of the user's authenticated source domain identity at the target domain; performing, via a local identity provider implemented locally on the user device, the authentication of the user; establishing a secure channel with an enrollment entity at the target domain, wherein the enrollment entity is configured to enable the enrollment of the user's authenticated source domain identity at the target domain; and sending, via the secure channel, the authentication of the user to the enrollment entity, wherein the enrollment entity comprises a gateway or an identity provider server, and the local identity provider comprises a local OpenID provider.

14. The method of claim 13, further comprising: receiving a request for a second authentication of the user to authenticate the user at the target domain; performing, via the local identity provider, the second authentication of the user; establishing a secure channel with a service provider configured to provide the service at the target domain; and sending, via the secure channel with the service provider, the second authentication of the user to enable access to the services.

15. The method of claim 14, wherein the secure channel with the service provider is established based on a key shared between the local identity provider and the service provider.

16. The method of claim 15, wherein the secure channel with the enrollment entity is established based on a key shared between the local identity provider and the service provider.

17. The method of claim 13, further comprising: receiving a redirect message comprising an address to an authentication entity at the source domain for obtaining the authentication of the user; and determining the address of the local identity provider based on the address of the authentication entity at the source domain.

18. The method of claim 13, wherein the authentication of the user is performed via a communication between the local identity provider and a local authentication agent.

19. A computer-implemented method for enabling authentication of a user of a user device via an identity of a user that has been authenticated for use in a source domain, the method comprising: receiving the user's authenticated source domain identity at a target domain, wherein the user's authenticated source domain identity enables the user to access a source domain service at the source domain; enrolling the user's authenticated source domain identity at the target domain, wherein the enrollment of the user's authenticated source domain identity enables the user to access a target domain service being provided at the target domain using the user's authenticated source domain identity; authenticating, via an identity provider residing locally on the user device, the user for the access to the target domain service using the enrolled user's authenticated source domain identity; generating a local enrollment parameter for initiating the authentication via the identit
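As an added illustration (not taken from the patent or any implementation of it), the following Python sketch walks through the flow of claims 1, 2, 5 and 8: the target-domain gateway enrolls the source domain identity and maps it to a target domain identity, both the gateway and the local OpenID provider derive a signing key from the key they share plus the local enrollment parameter, and the service provider verifies the signed assertion with the signing key it receives from the gateway. The entity names, the HMAC-based key derivation, the assertion format and the sample identity are assumptions made for this example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed long-term key shared between the local OP on the device and the target domain.
SHARED_KEY = b"constructed-shared-key-between-local-op-and-target-domain"


def derive_signing_key(shared_key: bytes, enrollment_param: bytes) -> bytes:
    """Signing key derived from the shared key and a per-enrollment parameter (HMAC KDF, assumed)."""
    return hmac.new(shared_key, b"signing-key|" + enrollment_param, hashlib.sha256).digest()


class TargetDomainGateway:
    """Enrollment entity at the target domain: stores identity associations, derives signing keys."""

    def __init__(self, shared_key: bytes):
        self.shared_key = shared_key
        self.enrollments = {}  # source identity -> (target identity, local enrollment parameter)

    def enroll(self, source_identity: str) -> bytes:
        # Rewrite the source identity as a target domain identity and remember the association.
        target_identity = "user-" + hashlib.sha256(source_identity.encode()).hexdigest()[:12]
        param = secrets.token_bytes(16)  # local enrollment parameter sent to the local OP
        self.enrollments[source_identity] = (target_identity, param)
        return param

    def signing_key_for(self, source_identity: str):
        target_identity, param = self.enrollments[source_identity]
        return target_identity, derive_signing_key(self.shared_key, param)


class LocalOpenIdProvider:
    """Local OP on the user device holding the same shared key; signs the assertion."""

    def __init__(self, shared_key: bytes):
        self.shared_key = shared_key

    def sign_assertion(self, source_identity: str, param: bytes):
        key = derive_signing_key(self.shared_key, param)
        assertion = json.dumps({"identity": source_identity, "authenticated": True}, sort_keys=True).encode()
        return assertion, hmac.new(key, assertion, hashlib.sha256).hexdigest()


def service_provider_verify(signing_key: bytes, assertion: bytes, signature: str) -> bool:
    """Service provider checks the assertion with the signing key received from the gateway."""
    expected = hmac.new(signing_key, assertion, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)


def run_flow(source_identity: str = "alice@source.example", op_key: bytes = SHARED_KEY):
    """Returns (genuine assertion accepted?, tampered assertion accepted?, target identity)."""
    gateway, local_op = TargetDomainGateway(SHARED_KEY), LocalOpenIdProvider(op_key)
    param = gateway.enroll(source_identity)
    assertion, signature = local_op.sign_assertion(source_identity, param)
    target_identity, sp_key = gateway.signing_key_for(source_identity)
    accepted = service_provider_verify(sp_key, assertion, signature)
    tampered = service_provider_verify(sp_key, assertion.replace(b"alice", b"mallory"), signature)
    return accepted, tampered, target_identity
```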

Classifications

  • for controlling access to devices or network resources · CPC title

  • using an additional device, e.g. smartcard, SIM or a different communication terminal (cryptographic mechanisms or cryptographic arrangements for entity authentication involving additional secure or trusted devices H04L9/3234) · CPC title

  • Entity profiles · CPC title

  • H04L63/08 (primary): for authentication of entities (cryptographic mechanisms or cryptographic arrangements for entity authentication H04L9/32) · CPC title

  • providing single-sign-on or federations · CPC title

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US9237142B2 cover?
A user of a mobile communications device may access services in a target domain using a source domain identity that is used to access services in a source domain. To enable such a use of the source domain identity in the target domain, the source domain identity may first be enrolled in the target domain. The enrollment may be facilitated by an enrollment entity at the target domain, such as a …
Who is the assignee on this patent?
Cha Inhyok, Schmidt Andreas, Leicher Andreas, and 1 more
What technology area does this patent fall under?
Primary CPC classification H04L63/08. Mapped technology areas include Electricity.
When was this patent published?
Publication date Jan 12, 2016 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).