Abstract: An extensible mechanism for providing access control for logical objects in a network environment. A security broker is able to dynamically register one or more claims providers, each of which can assert one or more claims about logical objects. The claims providers may be purpose built or may be third party applications which expose data or business rules for use. Claims may be augmented by additional claims providers after the original claim is asserted. The applicability of claims may be scope limited either at the time the claims provider is registered or when the user requests that a security token be issued.

Abstract: Displaying organizational information of an entity includes storing data representing nodes associated with members of the entity in a database accessible by members of the entity. Data representing connections between the nodes that represent hierarchical relationships between the members is stored. An organizational chart comprising the nodes and connections is displayed on a presentation surface associated with a particular member of the entity. Input to create new nodes and connections is received from the particular member of the entity. When the new nodes are associated with a group that is associated with the particular member, the displayed nodes and connections are updated in response to the received input.

Abstract: A request, from a requester, is received to view user information on a user's personal site associated with a user. A relationship is determined between the requester and the user. User information is provided to the requester based on the requester's relationship to the user.

Abstract: Displaying organizational information of an entity includes storing data representing nodes associated with members of the entity in a database accessible by members of the entity. Data representing connections between the nodes that represent hierarchical relationships between the members is stored. An organizational chart comprising the nodes and connections is displayed on a presentation surface associated with a particular member of the entity. Input to create new nodes and connections is received from the particular member of the entity. When the new nodes are associated with a group that is associated with the particular member, the displayed nodes and connections are updated in response to the received input.

Abstract: A method for sign-on and sign-out for a computer system. The method includes receiving a first sign-on request for the computer system and obtaining, from the first sign-on request, a first user identifier where the first user identifier corresponds to a first user for the computer system. The method then includes obtaining, from the first sign-on request, a first uniform resource locator (URL) and determining whether the first URL includes a first root name for the computer system. When a determination is made that the first URL includes the first root name for the computer system a first cookie associated with the first user is issued and a first sub-domain name is obtained from the first URL. Also, a second cookie may be issued associated with the first sub-domain name and, when the first cookie and the second cookie are issued, the first user may sign-on to the computer system. In one or more embodiments, the method may include receiving a sign-out request.

Abstract: An extensible mechanism for providing access control for logical objects in a network environment. A security broker is able to dynamically register one or more claims providers, each of which can assert one or more claims about logical objects. The claims providers may be purpose built or may be third party applications which expose data or business rules for use. Claims may be augmented by additional claims providers after the original claim is asserted. The applicability of claims may be scope limited either at the time the claims provider is registered or when the user requests that a security token be issued.

Abstract: An application submits a permission request to a resource server. In response to receiving the request, the resource server generates a user interface that asks the user to grant or deny the requested permissions. If the permissions are granted, data is stored indicating that the application has the requested permissions. When a runtime request for a resource is received, the resource server determines whether the request has been made by a user, by an application, or by an application on behalf of a user. If the request is made by an application only, the request is granted only if the application has permission to access the resource by way of a direct call not on behalf of a user. If the request is made by an application on behalf of a user, the request is granted only if both the user and the application have sufficient permission.

Abstract: An extensible mechanism for providing access control for logical objects in a network environment. A security broker is able to dynamically register one or more claims providers, each of which can assert one or more claims about logical objects. The claims providers may be purpose built or may be third party applications which expose data or business rules for use. Claims may be augmented by additional claims providers after the original claim is asserted. The applicability of claims may be scope limited either at the time the claims provider is registered or when the user requests that a security token be issued.

Abstract: An enterprise-based social networking application. Events for individuals may be collected from various enterprise-based information systems automatically using adaptors that are specially tailored for particular types of information systems. Such events may then be used to populate event feeds regarding individuals in that enterprise. A filtering model for formulating event feeds identifies events by individual, event type, and event time. The filter also identifies which individuals are in which group of a participant, and identifies which groups correspond to which event types. Incoming events may then be filtered into the event feeds depending on the group to which the individual belongs. Filtering an event from an events pool to formulate an event feed is also provided.

Abstract: A request, from a requester, is received to view user information on a user's personal site associated with a user. A relationship is determined between the requester and the user. User information is provided to the requester based on the requester's relationship to the user.

Abstract: An enterprise-based social networking application. Events for individuals may be collected from various enterprise-based information systems automatically using adaptors that are specially tailored for particular types of information systems. Such events may then be used to populate event feeds regarding individuals in that enterprise. A filtering model for formulating event feeds identifies events by individual, event type, and event time. The filter also identifies which individuals are in which group of a participant, and identifies which groups correspond to which event types. Incoming events may then be filtered into the event feeds depending on the group to which the individual belongs. A user interface for a participant to view and edit group membership is also provided.

Abstract: A server system receives and installs multiple claim provider plug-ins. Each of the claim provider plug-ins implements the same software interface. However, each of the claim provider plug-ins can provide claims that assert different things. Claims provided by the claim provider plug-ins can be used to control access of users to a resource.

Abstract: A request, from a requester, is received to view user information on a user's personal site associated with a user. A relationship is determined between the requester and the user. User information is provided to the requester based on the requester's relationship to the user.

Abstract: A method for sign-on and sign-out for a computer system includes: receiving a first sign-on request for the computer system; obtaining, from the first sign-on request, a first user identifier, the first user identifier corresponding to a first user for the computer system; obtaining, from the first sign-on request, a first uniform resource locator (URL); determining whether the first URL includes a first root name for the computer system; when a determination is made that the first URL includes the first root name for the computer system: issuing a first cookie; associating the first cookie with the first user; obtaining a first sub-domain name from the first URL; issuing a second cookie, the second cookie being different from the first cookie; associating the second cookie with the first sub-domain name; and when the first cookie and the second cookie are issued, signing-on the first user to the computer system.

Abstract: An application submits a permission request to a resource server. In response to receiving the request, the resource server generates a user interface that asks the user to grant or deny the requested permissions. If the permissions are granted, data is stored indicating that the application has the requested permissions. When a runtime request for a resource is received, the resource server determines whether the request has been made by a user, by an application, or by an application on behalf of a user. If the request is made by an application only, the request is granted only if the application has permission to access the resource by way of a direct call not on behalf of a user. If the request is made by an application on behalf of a user, the request is granted only if both the user and the application have sufficient permission.

Abstract: A server system sends a first credential request to a passive requestor at a client device. After sending the first credential request, the server system receives a credential for a user of the client device. If the credential is valid, the server system can provide the passive requestor with access to a resource provided by the server system. After providing the passive requestor with access to the resource, the server system provides an active requestor at the client device with access to the resource without sending a second credential request to the active requestor. Consequently, it may not be necessary for a user of the client device to provide credentials twice in order for the passive requestor and the active requestor to access the resource.

Abstract: The present invention provides a system and method for targeting content to audiences. The audience is defined by rules that may be based on properties as well as organizational structure associated with the users. Each of the rules is compiled to determine the group of members belonging to the rule. Logical operators are then applied to the groups to determine the audience membership. Compiling the rules enhances performance as the rules do not have to be run each time. Instead, a simple check against the rules results is performed. The rules making up the audience may be compiled at predetermined times in order to keep the audience up-to-date. Audiences are then selected and tagged to content so that the content may be viewed by the selected audiences.

Abstract: A server system sends a first credential request to a passive requestor at a client device. After sending the first credential request, the server system receives a credential for a user of the client device. If the credential is valid, the server system can provide the passive requestor with access to a resource provided by the server system. After providing the passive requestor with access to the resource, the server system provides an active requestor at the client device with access to the resource without sending a second credential request to the active requestor. Consequently, it may not be necessary for a user of the client device to provide credentials twice in order for the passive requestor and the active requestor to access the resource.

Abstract: A server system receives and installs multiple claim provider plug-ins. Each of the claim provider plug-ins implements the same software interface. However, each of the claim provider plug-ins can provide claims that assert different things. Claims provided by the claim provider plug-ins can be used to control access of users to a resource.

Abstract: Various embodiments can be configured to provide a social networking computing environment. In an embodiment, a networked computing system can be used to provide informational feeds and commenting functionality to users of a social computing environment. In one embodiment, an enterprise-based social computing system can be configured to provide informational feeds to social networking application users. An informational feed can be populated with events and other information associated with one or more users of interest of an application user, but is not so limited. In one embodiment, a social computing environment can be configured to allow user commenting to feed items or events that are associated with a user or group of users.