Abstract: The disclosure relates to techniques for enforcing a limit on single sign-on (SSO) sessions for users across multiple data centers in a multi data center deployment. Users may request access to resources that are governed by an access manager deployed across multiple data centers, with each data center being associated with its own identifier. Each user may be associated with an identity attribute preserved in identity stores across the multiple data centers. The prerequisite for session creation at a data center may be to update the identity attribute of the user to that data center's identifier. If the identity attribute can be updated successfully, the access manager can create a new SSO session at that data center. Updates to the identity attribute may be synchronized across all of the data centers, with each data center aware of any existing sessions based on the current value of the identity attribute.

Abstract: The present disclosure relates generally to threat detection, and more particularly, to techniques for managing user access to resources in an enterprise environment. Some aspects are directed to the concept of managing access to a target resource based on a threat perception of a user that is calculated using a rule or policy based risk for the user and a behavior based risk for the user. Other aspects are directed to preventing insider attacks in a system based on a threat perception for each user logged into the system that is calculated using a rule or policy based risk for each user and a behavior based risk for each user. Yet other aspects are directed to providing a consolidated view of users, applications being accessed by users, and the threat perception, if any, generated for each of the users.

Abstract: The present disclosure relates generally to threat detection, and more particularly, to techniques for managing user access to resources in an enterprise environment. Some aspects are directed to the concept of managing access to a target resource based on a threat perception of a user that is calculated using a rule or policy based risk for the user and a behavior based risk for the user. Other aspects are directed to preventing insider attacks in a system based on a threat perception for each user logged into the system that is calculated using a rule or policy based risk for each user and a behavior based risk for each user. Yet other aspects are directed to providing a consolidated view of users, applications being accessed by users, and the threat perception, if any, generated for each of the users.

Abstract: The present disclosure relates generally to threat detection, and more particularly, to techniques for managing user access to resources in an enterprise environment. Some aspects are directed to the concept of managing access to a target resource based on a threat perception of a user that is calculated using a rule or policy based risk for the user and a behavior based risk for the user. Other aspects are directed to preventing insider attacks in a system based on a threat perception for each user logged into the system that is calculated using a rule or policy based risk for each user and a behavior based risk for each user. Yet other aspects are directed to providing a consolidated view of users, applications being accessed by users, and the threat perception, if any, generated for each of the users.

Abstract: Location-based authentication may be provided by an access management system on a server. The location-based authentication may determine whether a device should be granted access to a resource. The resource may either be located on or remote from the server. The location-based authentication may provide an additional authentication factor that is based on a past location of a user and/or device associated with the user requesting authentication. The past location may be associated with a user-configured question. The user-configured question may be provided to the device for an additional level of security. An answer received in response to a user-configured question may be compared to a user-configured answer that is associated with the user-configured question. In other examples, the answer may be compared to one or more possible answers that are determined by the access management system.

Abstract: Location-based authentication may be provided by an access management system on a server. The location-based authentication may determine whether a device should be granted access to a resource. The resource may either be located on or remote from the server. The location-based authentication may provide an additional authentication factor that is based on a past location of a user and/or device associated with the user requesting authentication. The past location may be associated with a user-configured question. The user-configured question may be provided to the device for an additional level of security. An answer received in response to a user-configured question may be compared to a user-configured answer that is associated with the user-configured question. In other examples, the answer may be compared to one or more possible answers that are determined by the access management system.

Abstract: The disclosure relates to techniques for enforcing a limit on single sign-on (SSO) sessions for users across multiple data centers in a multi data center deployment. Users may request access to resources that are governed by an access manager deployed across multiple data centers, with each data center being associated with its own identifier. Each user may be associated with an identity attribute preserved in identity stores across the multiple data centers. The prerequisite for session creation at a data center may be to update the identity attribute of the user to that data center's identifier. If the identity attribute can be updated successfully, the access manager can create a new SSO session at that data center. Updates to the identity attribute may be synchronized across all of the data centers, with each data center aware of any existing sessions based on the current value of the identity attribute.

Abstract: The present disclosure relates generally to threat detection, and more particularly, to techniques for managing user access to resources in an enterprise environment. Some aspects are directed to the concept of managing access to a target resource based on a threat perception of a user that is calculated using a rule or policy based risk for the user and a behavior based risk for the user. Other aspects are directed to preventing insider attacks in a system based on a threat perception for each user logged into the system that is calculated using a rule or policy based risk for each user and a behavior based risk for each user. Yet other aspects are directed to providing a consolidated view of users, applications being accessed by users, and the threat perception, if any, generated for each of the users.

Abstract: A method of applying a timeout protocol by an access manager to a plurality of resources may include storing the timeout protocol comprising at least one criterion, and receiving a request for a first resource. Each of the resources can be segregated into separate application domains, the first resource can be associated with a first attribute, and the first attribute can be assigned a first value. The method may also include determining that the first value satisfies the at least one criterion, associating the timeout protocol with the first resource, and associating the timeout protocol with each resource that is associated with the first attribute assigned a value that satisfies the at least one criterion. The method may further include granting access to the first resource according to the timeout protocol.

Abstract: A method of applying a timeout protocol by an access manager to a plurality of resources may include storing the timeout protocol comprising at least one criterion, and receiving a request for a first resource. Each of the resources can be segregated into separate application domains, the first resource can be associated with a first attribute, and the first attribute can be assigned a first value. The method may also include determining that the first value satisfies the at least one criterion, associating the timeout protocol with the first resource, and associating the timeout protocol with each resource that is associated with the first attribute assigned a value that satisfies the at least one criterion. The method may further include granting access to the first resource according to the timeout protocol.

Abstract: This disclosure describes, generally, methods and systems for implementing policy based trust management. The method includes receiving, at an host server, a trust request from a partner, and identifying, at the host server via a trust policy enforcer, parameters and attributes associated with the partner. The method further includes identifying, at the host server via the trust policy enforcer, parameters and attributes associated with the requested resource, and accessing, by the trust policy enforcer, a policy database. Furthermore, the method includes retrieving, by the trust policy enforcer, one or more trust policies associated with the requested resource, and based on the attributes and parameters of the partner, applying, by the trust policy enforcer, the one or more associated trust policies to the request. Further, the method includes based on conformity with the one or more trust policies, providing the partner with access to the requested resource.

Abstract: This disclosure describes, generally, methods and systems for implementing policy based trust management. The method includes receiving, at an host server, a trust request from a partner, and identifying, at the host server via a trust policy enforcer, parameters and attributes associated with the partner. The method further includes identifying, at the host server via the trust policy enforcer, parameters and attributes associated with the requested resource, and accessing, by the trust policy enforcer, a policy database. Furthermore, the method includes retrieving, by the trust policy enforcer, one or more trust policies associated with the requested resource, and based on the attributes and parameters of the partner, applying, by the trust policy enforcer, the one or more associated trust policies to the request. Further, the method includes based on conformity with the one or more trust policies, providing the partner with access to the requested resource.