Abstract: A proxy is integrated within an F-SSO environment and interacts with an external identity provider (IdP) instance discovery service. The proxy proxies IdP instance requests to the discovery service and receives responses that include the IdP instance assignments. The proxy maintains a cache of the instance assignment(s). As new instance requests are received, the cached assignment data is used to provide appropriate responses in lieu of proxying these requests to the discovery service, thereby reducing the time needed to identify the required IdP instance. The proxy dynamically maintains and manages its cache by subscribing to updates from the discovery service. The updates identify IdP instance changes (such as servers being taken offline for maintenance, new services being added, etc.) occurring within the set of geographically-distributed instances that comprise the IdP service. The updates are provided via a publication-subscription model such that the proxy receives change notifications proactively.

Abstract: A method of discovering an identity provider instance according to this disclosure begins upon receipt from a service provider (or from a discovery service to which the service provider redirects the user) of a request for an IdP instance. Preferably, the request for an IdP instance is received as a Web services request following receipt at the service provider of an end user client request to access an application. In response to receiving the request, an IdP instance is selected, preferably using one or more criteria, such as user proximity, instance load, instance availability, the existence of a prior IdP binding, or the like. Following the selection, a response to the request is generated and returned to the requesting service provider. Preferably, the response is a redirect to the selected IdP instance.

Abstract: An identity provider instance is discovered upon receipt from a service provider (or from a discovery service to which the service provider redirects the user) of a request for an IdP instance. Preferably, the request for an IdP instance is received as a Web services request following receipt at the service provider of an end user client request to access an application. In response to receiving the request, an IdP instance is selected, preferably using one or more criteria, such as user proximity, instance load, instance availability, the existence of a prior IdP binding, or the like. Following the selection, a response to the request is generated and returned to the requesting service provider. Preferably, the response is a redirect to the selected IdP instance.

Abstract: A proxy is integrated within an F-SSO environment and interacts with an external identity provider (IdP) instance discovery service. The proxy proxies IdP instance requests to the discovery service and receives responses that include the IdP instance assignments. The proxy maintains a cache of the instance assignment(s). As new instance requests are received, the cached assignment data is used to provide appropriate responses in lieu of proxying these requests to the discovery service, thereby reducing the time needed to identify the required IdP instance. The proxy dynamically maintains and manages its cache by subscribing to updates from the discovery service. The updates identify IdP instance changes (such as servers being taken offline for maintenance, new services being added, etc.) occurring within the set of geographically-distributed instances that comprise the IdP service. The updates are provided via a publication-subscription model such that the proxy receives change notifications proactively.

Abstract: A method for communicating between devices in a network includes creating an I/O tunnel between a first device and a second device through the network. The I/O tunnel is associated with I/O resources in both the first device and the second device, and wherein at least one of the I/O resources comprises a buffer resource. A data transfer operation may be sent between the first device and the second device by consuming at least some of the I/O resources associated with the I/O tunnel. A plurality of commands or a plurality of responses can be aggregated into a single buffer resource. Upon completion of the data transfer operation, the I/O resources that are consumed are automatically renewed.

Abstract: An identity provider service comprises a plurality of identity provider instances, with at least one identity provider instance being remote from at least one other identity provider instance. A method of discovering an identity provider instance according to this disclosure begins upon receipt from a service provider (or from a discovery service to which the service provider redirects the user) of a request for an IdP instance. Preferably, the request for an IdP instance is received as a Web services request following receipt at the service provider of an end user client request to access an application. In response to receiving the request, an IdP instance is selected, preferably using one or more criteria, such as user proximity, instance load, instance availability, the existence of a prior IdP binding, or the like. Following the selection, a response to the request is generated and returned to the requesting service provider. Preferably, the response is a redirect to the selected IdP instance.

Abstract: A method for communicating between devices in a network includes creating an I/O tunnel between a first device and a second device through the network. The I/O tunnel is associated with I/O resources in both the first device and the second device, and wherein at least one of the I/O resources comprises a buffer resource. A data transfer operation may be sent between the first device and the second device by consuming at least some of the I/O resources associated with the I/O tunnel. A plurality of commands or a plurality of responses can be aggregated into a single buffer resource. Upon completion of the data transfer operation, the I/O resources that are consumed are automatically renewed.

Abstract: A system for communicating between two devices in a network in which a semi-persistent tunnel is established between the two devices in advance of data communication. The semi-persistent tunnel includes resources that are pre-allocated in a first device at a first end of the communication link by a second device at the second end of the communication link. The first and second devices implement a plurality of processes for handling data transfer operations. Preferably, the semi-persistent tunnel also includes resources that are pre-allocated in a device at the second end of the communication link by the device at the first end of the communication link to allow bi-directional communication. Data transfer operations transmitted through the tunnel include an identification of specific resources of the pre-allocated resources that are to handle the data transfer operation.

Abstract: Instant messages are processed in accordance with restrictions associated with privacy codes. A privacy code is obtained from a sender system prior to acceptance or delivery of any instant messages from the sender system. If a privacy code is received from the sender system, then a recipient system accepts or delivers instant messages from the sender system.

Abstract: A method and system for transparently encrypting (and decrypting) sensitive data stored in a directory (or other database) is provided. Sensitive data, a password for example, may be required by a client in a distributed data processing environment. When the database entry is created, the sensitive data received from a user, or more generally, a client, may be encrypted, and saved in the directory entry in encrypted form. Encryption of sensitive data may be performed in accordance with a predetermined set of policies. When the sensitive information is needed, it may be selectively delivered in encrypted or unencrypted form based on a policy in the set. Policies may include criteria external to the database, and interfaced to the database via a policy engine.

Abstract: A method, apparatus, and computer instructions for managing multi-threaded conversations in an instant messaging system. The present invention provides a menu option to allow the start of a new topic of discussion within the current instant messaging session. When a new topic is selected, a new thread of conversation is created within the messaging window that is segregated from previous topics of discussion. This new thread of conversation may be created at all other locations for all of the parties involved in the instant messaging session. In this manner, each party to a messaging session containing multiple conversations may be able to understand which response is related to which thread of conversation. In addition, a menu option may be provided by the instant messaging application to allow a user to merge one or more of the threaded conversations into a single conversation.

Abstract: A system in which data operations for a data replication group are received in-order, and buffered. When the operations are complete, they are stored in a non-volatile memory atomically with a group sequence number. The cache is preferably mirrored. This creates a persistent association between the data operation and the sequence number. After the atomic store is performed in at least one non-volatile cache, the data operation is propagated to another member of the data replication group along with the group sequence number. In the other member, the data operation is cached at least once in a non-volatile cache atomically with the group sequence number. In this manner, the set of group sequence numbers for a plurality of operations forms a continuous ordering of the data operations.

Abstract: A data storage system adapted to maintain redundant data storage sets at a destination location(s) is disclosed. The data storage system establishes a copy set comprising a source volume and a destination volume. Data written to a source volume is automatically copied to the destination volume. The data storage system maintains a data log that may be activated when the destination volume is inaccessible due to, for example, a malfunction in the destination storage system or in the communication link between the source system and the destination system. I/O commands and the data associated with those commands are written to the data log, and after a destination system becomes available the information in the data log is merged into the destination volume to conform the data in the destination volume to the data in the source volume. The data log competes for disk capacity with other volumes on the system, and log memory is allocated as needed.

Abstract: A method, apparatus, and computer instructions for managing multi-threaded conversations in an instant messaging system. The present invention provides a menu option to allow the start of a new topic of discussion within the current instant messaging session. When a new topic is selected, a new thread of conversation is created within the messaging window that is segregated from previous topics of discussion. This new thread of conversation may be created at all other locations for all of the parties involved in the instant messaging session. In this manner, each party to a messaging session containing multiple conversations may be able to understand which response is related to which thread of conversation. In addition, a menu option may be provided by the instant messaging application to allow a user to merge one or more of the threaded conversations into a single conversation.

Abstract: A method, apparatus, and computer instructions for managing multi-threaded conversations in an instant messaging system. The present invention provides a menu option to allow the start of a new topic of discussion within the current instant messaging session. When a new topic is selected, a new thread of conversation is created within the messaging window that is segregated from previous topics of discussion. This new thread of conversation may be created at all other locations for all of the parties involved in the instant messaging session. In this manner, each party to a messaging session containing multiple conversations may be able to understand which response is related to which thread of conversation. In addition, a menu option may be provided by the instant messaging application to allow a user to merge one or more of the threaded conversations into a single conversation.

Abstract: A method and system for transparently encrypting (and decrypting) sensitive data stored in a directory (or other database) is provided. Sensitive data, a password for example, may be required by a client in a distributed data processing environment. When the database entry is created, the sensitive data received from a user, or more generally, a client, may be encrypted, and saved in the directory entry in encrypted form. Encryption of sensitive data may be performed in accordance with a predetermined set of policies. When the sensitive information is needed, it may be selectively delivered in encrypted or unencrypted form based on a policy in the set. Policies may include criteria external to the database, and interfaced to the database via a policy engine.

Abstract: A method and system for transparently encrypting (and decrypting) sensitive data stored in a directory (or other database) is provided. Sensitive data, a password for example, may be required by a client in a distributed data processing environment. When the database entry is created, the sensitive data received from a user, or more generally, a client, may be encrypted, and saved in the directory entry in encrypted form. Encryption of sensitive data may be performed in accordance with a predetermined set of policies. When the sensitive information is needed, it may be selectively delivered in encrypted or unencrypted form based on a policy in the set. Policies may include criteria external to the database, and interfaced to the database via a policy engine.

Abstract: The present invention contemplates a variety of improved techniques for geo-tagging of digital photo graphs. In some embodiments, this includes automatically updating photograph locations with a stored offset value.

Abstract: Methods and systems are provided for providing machine health information. In one embodiment, a machine may include a storage device that is configured to store collected machine health data. The storage device has a module that is configured to determine a data characteristic and a communication characteristic. The storage device is further configured to determine, based on the data characteristic and the communication characteristic, whether to transmit a set of machine health data to an off-board system. Further, the storage device is coupled to a transmitter that is configured to transmit the set of machine health data to the off-board system.

Abstract: A data storage system adapted to maintain redundant data storage sets at a destination location(s) is disclosed. The data storage system establishes a copy set comprising a source volume and a destination volume. Data written to a source volume is automatically copied to the destination volume. The data storage system maintains a data log that may be activated when the destination volume is inaccessible due to, for example, a malfunction in the destination storage system or in the communication link between the source system and the destination system. I/O commands and the data associated with those commands are written to the data log, and after a destination system becomes available the information in the data log is merged into the destination volume to conform the data in the destination volume to the data in the source volume. The data log competes for disk capacity with other volumes on the system, and log memory is allocated as needed.