Patents by Inventor Ariel Gordon

Ariel Gordon has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 9544310
    Abstract: Systems, methods, and computer-readable storage media are provided for discovering and disambiguating identity providers such that user knowledge of appropriate identity providers is minimized. Users are presented with options for selecting appropriate providers only when multiple providers have user profiles matching a user identifier. When users are presented with options for selecting appropriate providers, providers that have user profiles matching the identifier are identified utilizing identity information for the application that utilizes the identity provider for its users rather than information identifying the identity provider itself.
    Type: Grant
    Filed: January 27, 2014
    Date of Patent: January 10, 2017
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Ariel Gordon, Sam Franklin Williams, III, Sarat Chandra Subramaniam, William Louis Thomas, Michael Robert Van Waardhuizen, Jonathan Yoder Brenner, Tia Bianca Caldwell, Eric Wayne Doerr, Amy Caryl Nathanson
  • Patent number: 9537851
    Abstract: Embodiments are directed to revoking user sessions using signaling. In one scenario, an identity platform operating on a computer system receives an indication indicating that a user's login account has been compromised, where the user's login account has an associated login session and corresponding session artifact that is valid for a specified amount of time. The identity platform generates a signal indicating that the login session is no longer trusted and that the user is to be re-directed to the identity platform to re-authenticate and renew the session artifact and provides the generated signal to various relying parties including at least one relying party that is hosting the login session for the user.
    Type: Grant
    Filed: August 6, 2014
    Date of Patent: January 3, 2017
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Ariel Gordon, Samuel Devasahayam, Lu Zhao, Yordan Rouskov, Parmeshwar Arewar, Venkatesh Gopalakrishnan, Sarat Chandra Subramaniam, Titus Constantin Miron
  • Patent number: 9509905
    Abstract: Methods and systems are provided that use images to determine lighting information for an object. A computing device can receive an image of the object. For a pixel of the image, the computing device can: apply a first lighting model to determine a first estimate of a bi-directional lighting function (BRDF) for the object at the pixel, apply a second lighting model to determine a second estimate of the BRDF for the object at the pixel, determine a third estimate of the BRDF based on the first and second estimates, and store the third estimate of the BRDF in lighting-storage data. The computing device can provide the lighting-storage data. The BRDF can utilize a number of lighting parameters, such as a normal vector and albedo, reflectivity, and roughness values.
    Type: Grant
    Filed: December 17, 2013
    Date of Patent: November 29, 2016
    Assignee: Google Inc.
    Inventors: Ariel Gordon, Ehud Rivlin
  • Publication number: 20160044011
    Abstract: Embodiments are directed to revoking user sessions using signaling. In one scenario, an identity platform operating on a computer system receives an indication indicating that a user's login account has been compromised, where the user's login account has an associated login session and corresponding session artifact that is valid for a specified amount of time. The identity platform generates a signal indicating that the login session is no longer trusted and that the user is to be re-directed to the identity platform to re-authenticate and renew the session artifact and provides the generated signal to various relying parties including at least one relying party that is hosting the login session for the user.
    Type: Application
    Filed: August 6, 2014
    Publication date: February 11, 2016
    Inventors: Ariel Gordon, Samuel Devasahayam, Lu Zhao, Yordan Rouskov, Parmeshwar Arewar, Venkatesh Gopalakrishnan, Sarat Chandra Subramaniam, Titus Constantin Miron
  • Patent number: 9098689
    Abstract: In an embodiment, an administrative computer system receives user login credentials from a user and makes at least one of the following determinations: that the user identifier does not match any existing user account, that the user identifier matches at least one existing user account, but that the user's account is in a locked state, or that the user identifier matches at least one existing user account, but the user's password does not match the user identifier. The administrative computer system then returns to the user the same response message regardless of which determination is made. The response indicates that the user's login credentials are invalid. The response also prevents the user from determining which of the credentials was invalid, as the response message is the same for each determination and is sent to the user after a measured response time that is the same for each determination.
    Type: Grant
    Filed: November 12, 2014
    Date of Patent: August 4, 2015
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Ariel Gordon, Richard Allen Lundeen
  • Publication number: 20150215315
    Abstract: Systems, methods, and computer-readable storage media are provided for discovering and disambiguating identity providers such that user knowledge of appropriate identity providers is minimized. Users are presented with options for selecting appropriate providers only when multiple providers have user profiles matching a user identifier. When users are presented with options for selecting appropriate providers, providers that have user profiles matching the identifier are identified utilizing identity information for the application that utilizes the identity provider for its users rather than information identifying the identity provider itself.
    Type: Application
    Filed: January 27, 2014
    Publication date: July 30, 2015
    Applicant: MICROSOFT CORPORATION
    Inventors: ARIEL GORDON, FRANKLIN WILLIAMS, SARAT CHANDRA SUBRAMANIAM, WILLIAM LOUIS THOMAS, MICHAEL R. VAN WAARDHUIZEN, JONATHAN YODER BRENNER, TIA B. CALDWELL, ERIC W. DOERR, AMY CARYL NATHANSON
  • Publication number: 20150172636
    Abstract: Methods and systems are provided that use images to determine lighting information for an object. A computing device can receive an image of the object. For a pixel of the image, the computing device can: apply a first lighting model to determine a first estimate of a bi-directional lighting function (BRDF) for the object at the pixel, apply a second lighting model to determine a second estimate of the BRDF for the object at the pixel, determine a third estimate of the BRDF based on the first and second estimates, and store the third estimate of the BRDF in lighting-storage data. The computing device can provide the lighting-storage data. The BRDF can utilize a number of lighting parameters, such as a normal vector and albedo, reflectivity, and roughness values.
    Type: Application
    Filed: December 17, 2013
    Publication date: June 18, 2015
    Applicant: Google Inc.
    Inventors: Ariel Gordon, Ehud Rivlin
  • Patent number: 8978115
    Abstract: The authentication of identities within a realm in which some identities are authenticated using direct authentication, and some identities are authenticated using federated authentication. Requests for service from valid identities in the realm that are to be authenticated by direct authentication are responded to with a direct authentication interface. Requests for service from valid identities in the realm that are to be authenticated by federated authentication are responded to with a federated authentication interface. Requests for service from invalid identities are responded to pseudo-randomly with either the direct authentication interface or the federated authentication interface.
    Type: Grant
    Filed: November 15, 2013
    Date of Patent: March 10, 2015
    Assignee: Microsoft Technology Licensing LLC
    Inventors: Ariel Gordon, David J. Nicholson
  • Publication number: 20150058959
    Abstract: In an embodiment, an administrative computer system receives user login credentials from a user and makes at least one of the following determinations: that the user identifier does not match any existing user account, that the user identifier matches at least one existing user account, but that the user's account is in a locked state, or that the user identifier matches at least one existing user account, but the user's password does not match the user identifier. The administrative computer system then returns to the user the same response message regardless of which determination is made. The response indicates that the user's login credentials are invalid. The response also prevents the user from determining which of the credentials was invalid, as the response message is the same for each determination and is sent to the user after a measured response time that is the same for each determination.
    Type: Application
    Filed: November 12, 2014
    Publication date: February 26, 2015
    Inventors: Ariel Gordon, Richard Allen Lundeen
  • Patent number: 8898752
    Abstract: In an embodiment, an administrative computer system receives user login credentials from a user and makes at least one of the following determinations: that the user identifier does not match any existing user account, that the user identifier matches at least one existing user account, but that the user's account is in a locked state, or that the user identifier matches at least one existing user account, but the user's password does not match the user identifier. The administrative computer system then returns to the user the same response message regardless of which determination is made. The response indicates that the user's login credentials are invalid. The response also prevents the user from determining which of the credentials was invalid, as the response message is the same for each determination and is sent to the user after a measured response time that is the same for each determination.
    Type: Grant
    Filed: February 1, 2012
    Date of Patent: November 25, 2014
    Assignee: Microsoft Corporation
    Inventors: Ariel Gordon, Richard Allen Lundeen
  • Publication number: 20140075529
    Abstract: The authentication of identities within a realm in which some identities are authenticated using direct authentication, and some identities are authenticated using federated authentication. Requests for service from valid identities in the realm that are to be authenticated by direct authentication are responded to with a direct authentication interface. Requests for service from valid identities in the realm that are to be authenticated by federated authentication are responded to with a federated authentication interface. Requests for service from invalid identities are responded to pseudo-randomly with either the direct authentication interface or the federated authentication interface.
    Type: Application
    Filed: November 15, 2013
    Publication date: March 13, 2014
    Applicant: Microsoft Corporation
    Inventors: Ariel Gordon, David J. Nicholson
  • Patent number: 8639750
    Abstract: The present invention extends to methods, systems, and computer program products for orchestrating notifications between identity platforms and relying parties. Embodiments enable identity platforms to ensure that users consistently receive notifications, even when the identity platforms lack knowledge of which relying parties are notification capable and which relying parties are incapable of notification. Embodiments include an identity platform generating a frameset having a first content frame for displaying a notification and a second content frame for displaying a relying party web page. When the relying party is notification capable, the relying party web page includes functionality for removing the frameset established by the frameset and displaying the notification within the context of the relying party web page. When a client renders the frameset, the client retrieves and renders the relying party web page, removing the frameset and displaying the notification as directed by the relying party.
    Type: Grant
    Filed: October 6, 2011
    Date of Patent: January 28, 2014
    Assignee: Microsoft Corporation
    Inventors: Ariel Gordon, Andrew McManama Smith
  • Patent number: 8601554
    Abstract: The authentication of identities within a realm in which some identities are authenticated using direct authentication, and some identities are authenticated using federated authentication. Requests for service from valid identities in the realm that are to be authenticated by direct authentication are responded to with a direct authentication interface. Requests for service from valid identities in the realm that are to be authenticated by federated authentication are responded to with a federated authentication interface. Requests for service from invalid identities are responded to pseudo-randomly with either the direct authentication interface or the federated authentication interface.
    Type: Grant
    Filed: November 9, 2011
    Date of Patent: December 3, 2013
    Assignee: Microsoft Corporation
    Inventors: Ariel Gordon, David J. Nicholson
  • Patent number: 8505085
    Abstract: A flexible authentication system is described herein that fluidly switches between a federated authentication model and a local short-lived token model that does not require sophisticated authentication infrastructure at the relying party site. Upon detecting an event that causes the identity provider to be unavailable for authentication, the relying party switches to a temporary token model. The system generates a bearer token or challenge associated with the user's identity and (optionally) associated with time data that limits the period during which the token is valid. The relying party communicates the short-lived token to the user using contact information associated with the user and already stored by the relying party. Upon receiving the short-lived token, the user provides the short-lived token to the relying party, and the relying party processes the token to validate the user's identity and then allows the user to access the relying party's online services.
    Type: Grant
    Filed: April 8, 2011
    Date of Patent: August 6, 2013
    Assignee: Microsoft Corporation
    Inventors: Angus P. D. Logan, Mark Ryland, Ariel Gordon, Vittorio Bertocci
  • Publication number: 20130198819
    Abstract: In an embodiment, an administrative computer system receives user login credentials from a user and makes at least one of the following determinations: that the user identifier does not match any existing user account, that the user identifier matches at least one existing user account, but that the user's account is in a locked state, or that the user identifier matches at least one existing user account, but the user's password does not match the user identifier. The administrative computer system then returns to the user the same response message regardless of which determination is made. The response indicates that the user's login credentials are invalid. The response also prevents the user from determining which of the credentials was invalid, as the response message is the same for each determination and is sent to the user after a measured response time that is the same for each determination.
    Type: Application
    Filed: February 1, 2012
    Publication date: August 1, 2013
    Applicant: MICROSOFT CORPORATION
    Inventors: Ariel Gordon, Richard Allen Lundeen
  • Publication number: 20130117826
    Abstract: The authentication of identities within a realm in which some identities are authenticated using direct authentication, and some identities are authenticated using federated authentication. Requests for service from valid identities in the realm that are to be authenticated by direct authentication are responded to with a direct authentication interface. Requests for service from valid identities in the realm that are to be authenticated by federated authentication are responded to with a federated authentication interface. Requests for service from invalid identities are responded to pseudo-randomly with either the direct authentication interface or the federated authentication interface.
    Type: Application
    Filed: November 9, 2011
    Publication date: May 9, 2013
    Applicant: MICROSOFT CORPORATION
    Inventors: Ariel Gordon, David J. Nicholson
  • Publication number: 20130091195
    Abstract: The present invention extends to methods, systems, and computer program products for orchestrating notifications between identity platforms and relying parties. Embodiments enable identity platforms to ensure that users consistently receive notifications, even when the identity platforms lack knowledge of which relying parties are notification capable and which relying parties are incapable of notification. Embodiments include an identity platform generating a frameset having a first content frame for displaying a notification and a second content frame for displaying a relying party web page. When the relying party is notification capable, the relying party web page includes functionality for removing the frameset established by the frameset and displaying the notification within the context of the relying party web page. When a client renders the frameset, the client retrieves and renders the relying party web page, removing the frameset and displaying the notification as directed by the relying party.
    Type: Application
    Filed: October 6, 2011
    Publication date: April 11, 2013
    Applicant: Microsoft Corporation
    Inventors: Ariel Gordon, Andrew McManama Smith
  • Publication number: 20130073460
    Abstract: The claimed subject matter provides a system and method for enabling paid-for exchange of identity attributes with minimal disclosure credentials. An exemplary method includes requesting a credential from an identity provider by one of a user or a credential agent. The credential may be presented to a relying party, and the presented credential may be verified. Based on verification of the presented credential, a service of the relying party may be accessed by the user. The user, the relying party, a neutral third party, or the credential agent may provide payment for the credential to the identity provider, and the identity provider is unable to determine whether, where, when or by whom the credential has been used.
    Type: Application
    Filed: September 15, 2011
    Publication date: March 21, 2013
    Applicant: Microsoft Corporation
    Inventors: Christian Paquin, Ariel Gordon, Melissa Chase
  • Publication number: 20120260322
    Abstract: A flexible authentication system is described herein that fluidly switches between a federated authentication model and a local short-lived token model that does not require sophisticated authentication infrastructure at the relying party site. Upon detecting an event that causes the identity provider to be unavailable for authentication, the relying party switches to a temporary token model. The system generates a bearer token or challenge associated with the user's identity and (optionally) associated with time data that limits the period during which the token is valid. The relying party communicates the short-lived token to the user using contact information associated with the user and already stored by the relying party. Upon receiving the short-lived token, the user provides the short-lived token to the relying party, and the relying party processes the token to validate the user's identity and then allows the user to access the relying party's online services.
    Type: Application
    Filed: April 8, 2011
    Publication date: October 11, 2012
    Applicant: Microsoft Corporation
    Inventors: Angus P.D. Logan, Mark Ryland, Ariel Gordon, Vittorio Bertocci
  • Patent number: 8205247
    Abstract: A method is provided of authenticating a client to access a service provided by a service provider, whereby the service provider queries an identity provider to verify identity of the client and authorize access to the service. The method includes: verifying using the identity provider to verify that an identity level corresponding to an earlier authentication of the client is stored with the identity provider, and granting service access authorization to the client, which is performed either (i) directly following the verification step when the identity level required is less than the stored identity level, or (ii) after the following steps when the identity level required is greater than the stored identity level or when no client authentication is available, namely requesting authentication of the client having the required identity level and replacing the stored identity level with the required identity level if the client is authenticated by the identity provider.
    Type: Grant
    Filed: October 4, 2006
    Date of Patent: June 19, 2012
    Assignee: France Telecom
    Inventors: Eric Lexcellent, Gaël Gourmelen, Ariel Gordon