Abstract: A method, apparatus and computer program product, for generating a framework for supporting a homogeneous view of an information collection managed in a heterogeneous system of information storage sources. The framework includes an information collection data model mapped to an information source data model, and an information storage services data model mapped to the information source data model. The information collection data model defines information to be collected and stored as an information collection in one or more information storage sources. The information source data model references data sets containing the information defined in the information collection data model. The information storage services data model defines information storage services for accessing and performing operations on the one or more information storage sources storing the information collection.

Abstract: The invention provides federated functionality within a data processing system by means of a set of specialized runtimes, which are instances of an application for providing federation services to requesters. Each of the plurality of specialized runtimes provides requested federation services for selected ones of the requestors according to configuration data of respective federation relationships of the requestors with the identity provider. The configuration data is dynamically retrieved during initialization of the runtimes which allows the respective_runtime to be specialized for a given federation relationship. Requests are routed to the appropriate specialized runtime using the first requestor identity and the given federation relationship. The data, which describes each federation relationship between the identity provider and each of the plurality of requestors, is configured prior to initialization of the runtimes.

Abstract: An approach is provided in which atomic trust scores are computed using a atomic trust factors that are applied to a plurality of metadata. A first set of composite trust scores are computed using some of the atomic trust scores. The composite trust scores are computed using a first set of algorithms. Some of the algorithms use a factor weighting value as input to the algorithm. A second plurality of composite trust scores is computed using some of the composite trust scores that were included in the first set of scores as input. A fact and one of the second set of composite trust scores are presented to a user. The presented composite trust score provides a trustworthiness value that corresponds to the presented fact.

Abstract: A multi-component auditing environment uses a set of log-enabled components that are capable of being triggered during an information flow in a data processing system. A “master”, compliance component receives data from each log-enabled component in the set of log-enabled components, the data indicating a set of logging properties that are associated with or provided by that log-enabled component. The master compliance component determines, for a given compliance policy, which of a set of one or more events are required from one or more of the individual log-enabled components in the set of log-enabled components. As a result of the determining step, the master compliance component then configures one of more of the individual log-enabled components, e.g. by generating one or more configuration events that are then sent to the one or more individual components. This configuration may take place remotely, i.e., over a network connection.

Abstract: A document management (DM), data leak prevention (DLP) or similar application in a data processing system is instrumented with a document protection service provider interface (SPI). The service provider interface is used to call an external function, such as an encryption utility, that is used to facilitate secure document exchange between a sending entity and a receiving entity. The encryption utility may be configured for local download to and installation in the machine on which the SPI is invoked, but a preferred approach is to use the SPI to invoke an external encryption utility as a “service.” In such case, the external encryption utility is implemented by a service provider. When the calling program invokes the SPI, preferably the user is provided with a display panel. Using that panel, the end user provides a password that is used for encryption key generation, together with an indication of the desired encryption strength. The service provider uses the password to generate the encryption key.

Abstract: An approach is provided in which atomic trust scores are computed using a atomic trust factors that are applied to a plurality of metadata. A first set of composite trust scores are computed using some of the atomic trust scores. The composite trust scores are computed using a first set of algorithms. Some of the algorithms use a factor weighting value as input to the algorithm. A second plurality of composite trust scores is computed using some of the composite trust scores that were included in the first set of scores as input. A fact and one of the second set of composite trust scores are presented to a user. The presented composite trust score provides a trustworthiness value that corresponds to the presented fact.

Abstract: An approach is provided for selecting one or more trust factors from trust factors included in a trust index repository. Thresholds are identified corresponding to one or more of the selected trust factors. Actions are identified to perform when the selected trust factors reach the corresponding threshold values. The identified thresholds, identified actions, and selected trust factors are stored in a data store. The selected trust factors are monitored by comparing one or more trust metadata scores with the stored identified thresholds. The stored identified actions that correspond to the selected trust factors are performed when one or more of the trust metadata scores reach the identified thresholds. At least one of the actions includes an event notification that is provided to a trust data consumer.

Abstract: An approach is provided for selecting a trust factor from trust factors that are included in a trust index repository. A trust metaphor is associated with the selected trust factor. The trust metaphor includes various context values. Range values are received and the trust metaphor, context values, and range values are associated with the selected trust factor. A request is received from a data consumer, the request corresponding to a trust factor metadata score that is associated with the selected trust factor. The trust factor metadata score is retrieved and matched with the range values. The matching results in one of the context values being selected based on the retrieved trust factor metadata score. The selected context value is then provided to the data consumer.

Abstract: An approach is provided in which facts are received and then one or more atomic fact trust analyses are performed on the facts. The atomic fact trust analyses result in various atomic trust factor scores. Composite trust analysis is performed using the atomic trust factor scores. The composite trust analyses result in composite trust factor scores. The atomic trust factor scores and the composite trust factor scores are stored in a trust index repository that is managed by a trust index framework. A request is then received for trusted data, the request being from an information consumer. The trust index framework then retrieves one of the composite trust factor scores from the trust index repository, with the retrieved composite trust factor score corresponding to the trusted data request, and this the retrieved composite trust factor score is provided to the information consumer.

Abstract: A method, system, apparatus, and computer program product are presented to support computing systems of different enterprises that interact within a federated computing environment. Federated single-sign-on operations can be initiated at the computing systems of federation partners on behalf of a user even though the user has not established a user account at a federation partner prior to the initiation of the single-sign-on operation. For example, an identity provider can initiate a single-sign-on operation at a service provider while attempting to obtain access to a controlled resource on behalf of a user. When the service provider recognizes that it does not have a linked user account for the user that allows for a single-sign-on operation with the identity provider, the service provider creates a local user account. The service provider can also pull user attributes from the identity provider as necessary to perform the user account creation operation.

Abstract: The invention provides federated functionality within a data processing system by means of a set of specialized runtimes, which are instances of an application for providing federation services to requesters. Each of the plurality of specialized runtimes provides requested federation services for selected ones of the requestors according to configuration data of respective federation relationships of the requestors with the identity provider. The configuration data is dynamically retrieved during initialization of the runtimes which allows the respective_runtime to be specialized for a given federation relationship. Requests are routed to the appropriate specialized runtime using the first requestor identity and the given federation relationship. The data, which describes each federation relationship between the identity provider and each of the plurality of requestors, is configured prior to initialization of the runtimes.

Abstract: The invention provides federated functionality within a data processing system by means of a set of specialized runtimes. Each of the plurality of specialized runtimes provides requested federation services for selected ones of the requestors according to configuration data of respective federation relationships of the requestors with the identity provider. The configuration data is dynamically retrieved during initialization of the runtimes which allows the respective runtime to be specialized for a given federation relationship. Requests are routed to the appropriate specialized runtime using the first requestor identity and the given federation relationship. The data which describes each federation relationship between the identity provider and each of the plurality of requesters is configured prior to initialization of the runtimes.

Abstract: An enterprise computing environment such as a corporate web portal includes an intermediary server, a sign on service, and one or more backend enterprise systems managed by resource managers. Before or after user primary logon, which establishes a user primary account identity, the intermediary server uses its own identity to authenticate to the sign on service its right to retrieve user secondary account identities with respect to the backend enterprise systems. Retrieved secondary account identities are then used by the intermediary server to perform user secondary logons to respective resource managers in the environment. The intermediary server also manages the passing of resource requests and associated replies between the user and the resource managers.

Abstract: A method, system, apparatus, and computer program product are presented for transparently adding digital signature functionality to web servers in order to extend the web servers to generate and enforce signatures on transaction data on behalf of web applications that are processing transactions. A server plug-in intercepts transaction data that is submitted by a client to a web application. The plug-in returns a document containing the intercepted transaction data along with an applet that is executable at the client. When the applet is executed at the client, it generates a digital signature on the transaction data using a key that is stored at the client and returns a different document with the intercepted transaction data and with the newly generated signature. The plug-in validates the signature, records the signature in server-side log file, returns a signature receipt to the client, and forwards the transaction data to the destination web application.

Abstract: A method, system, apparatus, and computer program product are presented for processing certificate revocation lists (CRLs) in a data processing system. Rather than using CRLs for authentication purposes, CRLs are used for authorization purposes, and the responsibility of processing CRLs is placed on a monitoring process within a centralized authorization subsystem rather than the applications that authenticate certificates. A monitoring process obtain newly published CRLs and determines whether revoked certificates are associated with users that possess authorized privileges. If so, then the monitoring process updates one or more authorization databases to reduce or eliminate the authorized privileges for those users.

Abstract: An authentication framework subsystem enables a computer system to authenticate a user with a selected one of a plurality of authentication processes. Each of the authentication processes has a distinct sequence of steps and a unique input/output (I/O) interface for exchanging authentication information with the computer system. The invention includes an authentication framework in the computer system. An application program interface in the authentication framework provides an interface to an I/O component, such as a graphical user interface (GUI), of the computer system. A plurality of authentication modules interface with the framework. Each module has a conversation function driver defining a programmed sequence of steps to authenticate a user with a distinct authentication process.

Abstract: An authentication framework for authenticating clients, each of which is coupled to an authentication device of one of a plurality of permitted authentication device types. An authentication method begins by having a client pass to an application server a request for authentication. The request includes a user id and device id identifying a client and an authentication device coupled thereto. The application server determines which device authentication server the request is intended for, and then forwards authentication data in the request to that server. If the device authentication server verifies that the authentication data is acceptable, an authorization token is returned to the client.

Abstract: The lightweight directory access protocol (LDAP) is extended to include client- and server-based controls for securing sensitive data in the directory service. The set of controls include a client control implemented on a client machine, and/or a server control implemented on a server machine. It is not required that both controls be implemented together, and a client machine may implement the client control irrespective of whether a server involved in the directory operation is running the server control.

Abstract: A single sign-on (SSO) mechanism to enable a given user to access a target application on a target resource in a distributed computer enterprise. One or more configuration directives each identifying a given logon process and any associated methods required to access the target application on the target resource are stored in a locally accessible database (CIM). For each of a set of users, a globally-accessible database (PKM) stores user-specific and application-specific information enabling the user to access and logon to one or more target resources. During a particular session, a logon coordinator (LC) mechanism coordinates given user information with the configuration directive to enable the given user to perform a given action with respect to the target application without specifying the given logon process and the application-specific information.

Abstract: A method of managing passwords of users desiring access to multiple target resources in a computer enterprise environment. For each given user, each of a set of id/password pairs is associated to each of a set of one or more respective targets. Each id/password pair is normally required to access a respective target resource. The targets of each given user are stored in a globally-accessible database. In response to entry by a given user at a client machine of a single-sign on (SSO) id/password, the globally-accessible database is accessed from a personal key manager (PKM) server to retrieve the targets of the given user. The targets are returned to the PKM server, which then uses data therein to access the respective target resources on behalf of the given user at the client machine.