Abstract: In various example embodiments, a system and method for transferring an authenticated session of an application running on one electronic device to a second electronic device after determining the second electronic device is a trusted device are presented. In one embodiment, an instruction is received to transfer an authenticated session of an application running on a first device associated with a user account to a second device associated with the user account. The second device is verified to be associated with the user account of the first device. The second device is determined to be a trusted device of an authorized user of the user account. The authenticated session of the application running on the first device is transferred to the second device to reproduce a current state of the authenticated session on the second device.

Abstract: Techniques for authentication and authorization of a user, an application, or a user device for access to web resources are described. For example, a machine identifies an access request to access a remote resource associated with a web service. The access request may be received from an application executing at a user device. The machine retrieves at least one user artifact from a security manager identifier received from the web service. The machine performs fingerprinting of the user device based on the at least one user artifact. The machine transmits the access request to the web service based on the performing of the fingerprinting of the user device. The machine, in response to the transmitting of the access request to the web service, receives a resource access authorization from the web service for the application executing at the user device.

Abstract: In various example embodiments, a system and method for transferring an authenticated session of an application running on one electronic device to a second electronic device after determining the second electronic device is a trusted device are presented. In one embodiment, an instruction is received to transfer an authenticated session of an application running on a first device associated with a user account to a second device associated with the user account. The second device is verified to be associated with the user account of the first device. The second device is determined to be a trusted device of an authorized user of the user account. The authenticated session of the application running on the first device is transferred to the second device to reproduce a current state of the authenticated session on the second device.

Abstract: Techniques for authentication and authorization of a user, an application, or a user device for access to web resources are described. For example, a machine identifies an access request to access a remote resource associated with a web service. The access request may be received from an application executing at a user device. The machine retrieves at least one user artifact from a security manager identifier received from the web service. The machine performs fingerprinting of the user device based on the at least one user artifact. The machine transmits the access request to the web service based on the performing of the fingerprinting of the user device. The machine, in response to the transmitting of the access request to the web service, receives a resource access authorization from the web service for the application executing at the user device.

Abstract: Systems and methods are disclosed to authenticate and authorize a user for web services using user devices. In various embodiments, a method may comprise: identifying, by a user device security manager executing at a user device corresponding to a user of a web service, a first request issued from an application to access remote resources associated with the web service, the application executing at the user device and separate from the user device security manager; acquiring, by the user device security manager, security information of the application in response to the identifying of the first request, the security information including at least one of an application identification, an access scope or a nonce of the application; and transmitting a second request from the user device security manager to the web service to authenticate the application by the web service based, at least in part, on the application identification.

Abstract: A framework is provided for integrating Internet identities in enterprise identity and access management (IAM) infrastructures. A framework is provided for open authorization. A framework is also provided for relying party functionality. A mapping repository can be configured to store a mapping between applications and identity providers. The mapping associates each application of a plurality of applications with one or more identity providers. Identity management logic can be configured to use the mapping to determine that one or more identity providers of a first plurality of identity providers can be used to perform authentication activities on behalf of the first application in response to receiving a first request associated with a first application.

Abstract: A framework, which conforms to the OAuth standard, involves a generic OAuth authorization server that can be used by multiple resource servers in order to ensure that access to resources stored on those resource servers is limited to access to which the resource owner consents. Each resource server registers, with the OAuth authorization server, metadata for that resource server, indicating scopes that are recognized by the resource server. The OAuth authorization server refers to this metadata when requesting consent from a resource owner on behalf of a client application, so that the consent will be of an appropriate scope. The OAuth authorization server refers to this metadata when constructing an access token to provide to the client application for use in accessing the resources on the resource server. The OAuth authorization server uses this metadata to map issued access tokens to the scopes to which those access tokens grant access.

Abstract: Systems and methods are disclosed to authenticate and authorize a user for web services using user devices. In various embodiments, a method may comprise: identifying, by a user device security manager executing at a user device corresponding to a user of a web service, a first request issued from an application to access remote resources associated with the web service, the application executing at the user device and separate from the user device security manager; acquiring, by the user device security manager, security information of the application in response to the identifying of the first request, the security information including at least one of an application identification, an access scope or a nonce of the application; and transmitting a second request from the user device security manager to the web service to authenticate the application by the web service based, at least in part, on the application identification.

Abstract: A method for managing a security lifecycle of a federated web service provider (WSP) is described. The method includes populating a graphical user interface with available security mechanisms, receiving a selection of a selected security mechanism from a user, and creating a deployment time policy generator for instantiating the selected security mechanism in outgoing messages generated by the WSP. A system and machine readable-medium for a deployment tool for performing the method are also described.

Abstract: A framework is provided for integrating Internet identities in enterprise identity and access management (IAM) infrastructures. A framework is provided for open authorization. A framework is also provided for relying party functionality.

Abstract: A federation participant in communication with other participants of a federation according to a federation protocol is described. The web service participant includes business logic and a security provider. The business logic implements a web service consumer (WSC) or a web service provider (WSP) business logic. The business logic is configured to generate an outgoing message for transmission to a recipient and receive an incoming message from the recipient, the recipient being a WSP if the business logic is a WSC business logic and a WSC if the business logic is a WSP business logic. The security provider is configured to receive the generated messages and apply header information to the outgoing message according to the federation protocol to form a modified outgoing message. The security provider then transmits the modified outgoing message to the recipient. Methods of operation for the WSC and WSP are also described.

Abstract: A method for multi-protocol logout. The method includes receiving, by a first identity provider, a logout request from a user agent, wherein the first identity provider executes in a federation manager, and initiating a logout on a service provider associated with the first identity provider based on the logout request by the first identity provider. The method further includes identifying, by the federation manager, a plurality of identity providers associated with the user agent, wherein the plurality of identity providers communicate using heterogeneous federation protocols, and initiating, by the federation manager, a logout on each of the plurality of identity providers based on the logout request using the plurality of heterogeneous federation protocols. The method further includes initiating, by the plurality of identity providers, a logout of each service provider corresponding to the plurality of identity providers, identifying a status of each logout, and sending the status to the user agent.

Abstract: A distributed session failover mechanism is disclosed for facilitating the replication and retrieval of session information. A first server, in a trusted network, providing a single sign-on (SSO) solution, stores session information pertaining to a particular client requesting services associated with the server. In order to provide session failover, the first server sends a copy of the session information to a bus mechanism, which is connected to one or more persistent repositories. When a second server attempts to validate the client, the second server may discover that the first server failed. The second server then requests a copy of the session information pertaining to the client from the bus mechanism. The bus mechanism retrieves the copy from a persistent repository and provides the copy to the second server.

Abstract: A method to limit active sessions connecting user access to a computer network is presented. First, a request to initiate a new user session in the computer network is authenticated. The authentication is operatively conducted within a single sign-on provider. A session quota is then determined through a session quota logic of the single sign-on provider with the session quota logic retrieving a stored session quota. Then the number of active sessions is compared with the determined session quota. The determined session quota is enforced though a session quota enforcement logic of the SSO provider.

Abstract: A mechanism is disclosed for enabling an attribute provider service (APS), which provides access to one or more attributes, to control access to the attributes at the attribute level. In one implementation, a request is received, which specifies a particular attribute that is desired to be accessed from an attribute repository. In response to this request, a policy that applies to the particular attribute is accessed. The policy is then processed to determine whether access to the particular attribute is to be allowed or denied. With the above mechanism, it is possible to control access to attributes at the attribute level rather than at the service level. Because access control is exercised at such a low level, an administrator can exercise much tighter and precise control over how attributes provided by an APS are accessed.

Abstract: A system for identifying a principal consisting of a service provider in a first circle of trust, where the first circle of trust is implemented using a first architecture; a first identity provider operatively connected to the service provider in the first circle of trust; and a second identity provider in a second circle of trust, where the second circle of trust is implemented using a second architecture, where the first identity provider is configured to contact the second identity provider, in compliance with the second architecture, as a virtual service provider in the second circle of trust to obtain identity information associated with the principal thereby allowing the first identity provider to identify the principal in the first circle of trust.

Abstract: A system and method for managing network devices using a metadata gateway. The metadata gateway provides translation of metadata to and from a database format and Interface Definition Language (IDL), which is operable across a plurality of platforms and across a plurality of programming languages. Metadata may be retrieved through the metadata gateway by a client manager application sending a request for type information for a managed object attribute or event in IDL through a CORBA Object Request Broker (ORB) to the metadata gateway, which then reads the type information from a metadata repository, where the type information is stored in a database format. The metadata gateway then translates the retrieved type information from the database format to IDL and sends the translated type information to the ORB, which sends the translated type information for the attribute or event to the client manager application.

Abstract: A thread-safe debugging system and method including a thread-safe debug service library and a thread-safe remote control library residing on at least one client computer system. The client and server libraries provide APIs which allow multi-threaded applications executing on the client computer system to take advantage of debug services in a thread-safe and dynamic manner. The remote control library provides third party applications the capability to initiate and manage the debug services on the client dynamically and remotely. The debug services may include providing debug output, listing the one or more debug objects in the multi-threaded application, listing the state of each debug object, turning on or off any debug object by name or pattern, directing the debug output to a remote location, allowing multiple remote diagnostic applications to view the debug output of the application, and logging statistical or performance information.

Abstract: A method for multi-protocol logout. The method includes receiving, by a first identity provider, a logout request from a user agent, wherein the first identity provider executes in a federation manager, and initiating a logout on a service provider associated with the first identity provider based on the logout request by the first identity provider. The method further includes identifying, by the federation manager, a plurality of identity providers associated with the user agent, wherein the plurality of identity providers communicate using heterogeneous federation protocols, and initiating, by the federation manager, a logout on each of the plurality of identity providers based on the logout request using the plurality of heterogeneous federation protocols. The method further includes initiating, by the plurality of identity providers, a logout of each service provider corresponding to the plurality of identity providers, identifying a status of each logout, and sending the status to the user agent.

Abstract: A mechanism is disclosed for providing a user's web service provider's (WSP's) access information to a web service consumer (WSC). In one embodiment, a directory service provider (DSP) receives, from a WSC, a request for a particular user's WSP access information. The request contains identifying information that is associated with the particular user. A repository indicates, for each user, an associated user characteristic. Each user characteristic is associated with a separate template object that indicates one or more WSP instances' access information. In response to receiving the request, the DSP determines, from the repository, the user characteristic that is associated with the particular user. The DSP sends, in a response to the WSC's request, the one or more WSP instances' access information that is indicated in the template object that is associated with the particular user's associated user characteristic. The WSC may use the WSP access information to direct a query to a particular WSP.