Patents Represented by Attorney Jeffrey S. LaBaw
  • Patent number: 8341694
    Abstract: Access controls for a Web service (which controls are based on abstract WSDL definitions) are defined for a WSDL defined protected object space and, as such, are loosely coupled with the concrete WSDL binding derived from those definitions, preferably on a per binding level. This WSDL-defined POS is in turn loosely bound to a resource-specific protected object space definition. This loose coupling is leveraged to allow changes (e.g., updates) to the abstract WSDL binding's protected object space to be transitively applied to the application-specific protected object space. If appropriate, changes to the resource-specific protected object space may be applied to the WSDL's protected object space. Thus, according to the invention, the coupling may be one-way (typically, from the WSDL POS to the resource level POS) or two-way (from the WSDL POS to the resource level POS and vice versa).
    Type: Grant
    Filed: July 8, 2006
    Date of Patent: December 25, 2012
    Assignee: International Business Machines Corporation
    Inventors: Heather M. Hinton, Ivan M. Milman
  • Patent number: 8320882
    Abstract: A mobile device identifier (such as an MSISDN) that typically accompanies a mobile device request is replaced with an “enriched” identifier that exposes the mobile device user's home operator but obfuscates the mobile device's (and, thus, the device user's) identity. In one embodiment, the identifier comprises a first part, and a second part. The first part comprises a data string that identifies (either directly or through a database lookup) the mobile device user's home operator. The second part, however, is an opaque data string, such as a one-time-use unique identifier (UID) or a value that is otherwise derived as a function of the MSISDN (or the like). The opaque data string encodes the mobile device's identity in a manner that preferably can be recovered only by the user's home operator. The present invention describes a method and apparatus for use in a home network to manage the generation, storage and use of the unique identifiers.
    Type: Grant
    Filed: May 24, 2007
    Date of Patent: November 27, 2012
    Assignee: International Business Machines Corporation
    Inventors: Heather Maria Hinton, Alastair John Angwin, Mark Pozefsky
  • Patent number: 8315595
    Abstract: Electronic communication is susceptible to SPAM, phishing attacks, and other unwanted communications because of a recipient's limited control over communication transmitted by a sender. Functionality can be implemented to employ a multi-level approach to establishing trust between a sender and a recipient prior to transmitting any communication to prevent unwanted content from being transmitted to a recipient. Initial levels of trust may be established by requiring the sender to provide trust establishment information about the recipient. Based on the validity and percent accuracy of the provided trust establishment information, the communication may be discarded or transmitted to the recipient. A final level of trust depends on the approval of a trust validation request sent to the recipient on behalf of the sender.
    Type: Grant
    Filed: June 10, 2009
    Date of Patent: November 20, 2012
    Assignee: International Business Machines Corporation
    Inventors: Grant C. Murphy, Kai Gorman
  • Patent number: 8291466
    Abstract: Policy controls for Web service resource objects in a hierarchical resource space are loosely coupled so that policy changes are applied and enforced across the objects. This technique ensures that different policies are not applied unintentionally to the same resource (for example, one at the Web services entry level, and the other at the resource level). By synchronizing the object in the manner described, neither the entity that deploys the application nor the security administrator need to be aware of the differences between the various types of requests that occur within a Web services environment. In a representative embodiment, resource objects are linked within a hierarchical resource space to provide synchronized policy control, where the policy is an audit policy, a quality-of-service (QoS) policy, a service level agreement (SLA) policy, a governance policy, a compliance policy, a patch management/vulnerability management policy, a user management policy, or a rights management policy.
    Type: Grant
    Filed: October 19, 2006
    Date of Patent: October 16, 2012
    Assignee: International Business Machines Corporation
    Inventors: Heather M. Hinton, Ivan M. Milman
  • Patent number: 8244907
    Abstract: A web browser is provided with a logout enablement function that traps a browser or page shutdown request and prevents that request from completing until the browser (or page) has logged out from one or more current server-side application sessions. The logout enablement function ensures that server-side resources that have been invoked for a given session are released before the web browser can be shut down. The function is implemented as native browser code, a web page applet, a Java server page, a script, a control associated with the browser, and a browser plug-in.
    Type: Grant
    Filed: October 16, 2007
    Date of Patent: August 14, 2012
    Assignee: International Business Machines Corporation
    Inventors: Heather Maria Hinton, Sridhar R. Muppidi
  • Patent number: 8230455
    Abstract: The invention describes techniques for enforcing password policy within a distributed directory environment that includes one or more distributed directory servers and a proxy server that acts as an intermediate agent between a client and the distributed directory environment. In one aspect, the proxy server is enhanced to support the passing (from the backend server to the client) of password policy controls. In particular, controls returned from a backend server are parsed and cached (for re-use) for the life of a given client connection. According to another aspect, the proxy server ensures that all compare operations for a single user's password are directed to the same backend server in the distributed directory environment. This ensures that a user's most current password is used, and that failed operation counts, resets and operational attributes are up-to-date.
    Type: Grant
    Filed: July 11, 2007
    Date of Patent: July 24, 2012
    Assignee: International Business Machines Corporation
    Inventors: Kristin Marie Hazlewood, Daw Feng, Gary Dale Williams
  • Patent number: 8196177
    Abstract: A method operative at a service provider enforces a digital rights management (DRM) scheme associated with a piece of content. The service provider typically is a content provider. The service provider is an entity that participates in a “federation” with one or more other entities including, for example, an identity provider, a DRM privileges provider, and a DRM policy provider. In one embodiment, the method begins upon receipt at the service provider of a single sign on (SSO) message generated by the identity provider entity that includes a reference to a set of DRM privileges associated with an end user requesting access to the piece of content. In response to receiving the message, the service provider as necessary obtains the DRM privileges and at least one applicable DRM policy. It then evaluates the DRM privileges associated with the end user against the DRM policy, and provides the end user a response.
    Type: Grant
    Filed: October 16, 2008
    Date of Patent: June 5, 2012
    Assignee: International Business Machines Corporation
    Inventor: Heather Maria Hinton, I
  • Patent number: 8164420
    Abstract: An RFID tag includes a sensor for determining a transient state or condition of a product to which the tag is associated, and a display. The tag may be passive, semi-passive, or active. In response to receipt at the tag of a read signal that includes a first value associated with the transient state or condition, a comparison is performed. The comparison compares the first value, with a second value generated by the sensor in response to receipt of the read signal. As a result of the comparison, an indication is provided on the display. The information displayed is a function of the comparison. In one embodiment, the display provides different color indications depending on the transient state or condition sensed. In an alternative embodiment, the RFID tag display includes an electrical or thermal charge-induced pigment release medium, e.g., an electronic ink, and the tag is used to communicate information about the state of a product to which the tag is associated.
    Type: Grant
    Filed: September 2, 2008
    Date of Patent: April 24, 2012
    Assignee: International Business Machines Corporation
    Inventors: Christopher Hoang Doan, Richard Redpath, Steven Michael Miller, Gene Wayne Cherry
  • Patent number: 8151317
    Abstract: A method, a system, an apparatus, and a computer program product are presented for performing federation protocol operations within a data processing system. A message is received. In response to a determination that subsequent processing of the message requires execution of a first federation protocol operation, the message is filtered against a set of policies to determine a subset of one or more applicable policies. An applicable policy is enforced by performing a second federation protocol operation as indicated by the applicable policy prior to performing the first federation protocol operation. In response to concluding enforcement of the applicable policy, the first federation protocol operation is initiated.
    Type: Grant
    Filed: July 7, 2006
    Date of Patent: April 3, 2012
    Assignee: International Business Machines Corporation
    Inventors: Heather M. Hinton, Patrick R. Wardrop
  • Patent number: 8141139
    Abstract: Federated single sign on (F-SSO) uses a token service that fulfills requests by executing a module chain comprising a set of modules. F-SSO runtime processing is enhanced by enabling a federated entity user to define a custom module to include in the chain. The custom module includes one or more name-value pairs, wherein a given name-value pair has a value that may be validated against an entity-defined rule. The rule is determined during the processing of the custom module based on one or more invocation parameters of the module chain. In a runtime operation, F-SSO begins in response to receipt of a token. In response, the processing of the module chain that includes the custom module is initiated. During processing of the custom module, an attempt is made to validate the value of a name-value pair based on the rule. If the value of the name-value pair based on the rule can be validated, processing of the module chain continues.
    Type: Grant
    Filed: November 14, 2007
    Date of Patent: March 20, 2012
    Assignee: International Business Machines Corporation
    Inventors: Heather Maria Hinton, Patrick Ryan Wardrop, Parley Avery Salmon
  • Patent number: 8140643
    Abstract: A method of managing user personal information across a set of service provider sites is implemented, preferably as a web browser plug-in function. As a user navigates to a service provider web site and performs an interaction involving user identity attribute data, the interaction is recorded for later replay. Typically, the interaction is a graphical user interface (GUI) interaction. At a later time, previously-recorded interactions at service provider sites are replayed automatically, i.e., without requiring the user to navigate back to the individual sites and perform the interactions, and (during the replay operation) the user's previously-entered identity attribute data is located and retrieved. A display of the identity attribute data collected from the service provider sites then can be examined, e.g., for any inconsistency among the data.
    Type: Grant
    Filed: June 30, 2008
    Date of Patent: March 20, 2012
    Assignee: International Business Machines Corporation
    Inventors: Jiayue Chen, Matthew Paul Duggan, Patrick Ryan Wardrop
  • Patent number: 8122138
    Abstract: A system is presented for facilitating management of user attribute information at one or more attribute information providers (AIPs), which can manage the user's attribute information in accordance with user-selected or administratively-determined options, including options that are stored in attribute release policies and/or dynamically determined during a transaction. E-commerce service providers (ECSPs), such as online banks or merchants, also maintain a relationship with an AIP such that the ECSP can trust the user attribute information that is provided by the AIP on behalf of the user. The user can complete transactions that require user attribute information at any ECSP without having to have previously established a relationship with that particular ECSP. If the ECSP has a relationship with one of the user's AIPs, then the user will be able to direct the ECSP to an AIP when the ECSP needs user attribute information to complete a transaction for the user.
    Type: Grant
    Filed: July 22, 2010
    Date of Patent: February 21, 2012
    Assignee: International Business Machines Corporation
    Inventors: George Robert Blakley, III, Heather Maria Hinton, Birgit Monika Pfitzmann
  • Patent number: 8117181
    Abstract: An identity management system provides for a computationally efficient approach to monitor group changes, or events, on a directory service. Group events are monitored by use of a domain crawler process launched by an event monitoring process of the identity management system that gathers group event data and reports the collected and consolidated changes to the identity management system.
    Type: Grant
    Filed: December 9, 2008
    Date of Patent: February 14, 2012
    Assignee: International Business Machines Corporation
    Inventors: Brian R Matthiesen, Dennis R Doll, Bassam Ann Hassoun
  • Patent number: 8107952
    Abstract: A mobile device identifier (such as an MSISDN) that typically accompanies a mobile device request is replaced with an “enriched” identifier that exposes the mobile device user's home operator but obfuscates the mobile device's (and, thus, the device user's) identity. In one embodiment, the identifier comprises a first part, and a second part. The first part comprises a data string that identifies (either directly or through a database lookup) the mobile device user's home operator. The second part, however, is an opaque data string, such as a one-time-use unique identifier (UID) or a value that is otherwise derived as a function of the MSISDN (or the like). The opaque data string encodes the mobile device's identity in a manner that preferably can be recovered only by the user's home operator (or an entity authorized thereby). When the mobile device user roams into a foreign network, that network receives the enriched identifier in lieu of an MSISDN.
    Type: Grant
    Filed: May 24, 2007
    Date of Patent: January 31, 2012
    Assignee: International Business Machines Corporation
    Inventors: Heather Maria Hinton, Alastair John Angwin, Mark Pozefsky
  • Patent number: 8095658
    Abstract: A method, system, and computer program product are presented for providing access to a set of resources in a distributed data processing system. A reverse proxy server receives a resource request from a client and determines whether or not it is managing a session identifier that was previously associated with the client by the reverse proxy server; if so, it retrieves the session identifier, otherwise it obtains a session identifier and associates the session identifier with the client using information that is managed by the reverse proxy server. The reverse proxy server then modifies the resource request to include the session identifier and forwards the modified resource request to an application server.
    Type: Grant
    Filed: May 7, 2004
    Date of Patent: January 10, 2012
    Assignee: International Business Machines Corporation
    Inventors: Paul Anthony Ashley, Sridhar R. Muppidi, Mark Vandenwauver
  • Patent number: 8089469
    Abstract: An electronic device includes a computer keyboard having keys that are each capable of individual illumination. An electronic dictionary is provided for determining a set of most likely keys to be needed for an application, wherein the electronic dictionary is updated to include new words typed on the keyboard. The keyboard is operated with a user enabled/disabled function of selective illumination of respective keyboard keys so that a set of most likely alphabet keys according to the electronic dictionary along with an enter key and space bar are illuminated if a word processor application is running. Numeric keys are illuminated if a calculator application is running. The selective illumination is automatically disabled if user identification and password fields are being filled. All of the keys are automatically illuminated after a configured timeframe in which none of the suggested keys have been pressed.
    Type: Grant
    Filed: November 11, 2008
    Date of Patent: January 3, 2012
    Assignee: International Business Machines Corporation
    Inventors: Dario Iorfida, Sandro Piccinini
  • Patent number: 8065724
    Abstract: An unattended computer-based machine is authenticated by the present invention method, system or apparatus. The subject machine may be an auto-restarted machine or similar machine configured to be unattended. Upon receipt of initializing input from a user at a subject computer-based machine, a working process authenticates the user and generates resulting credentials. The working process stores the generated credentials in a memory area of the subject machine. Separate from and independent of the working process is a security monitor of the present invention. A monitoring module of the present invention monitors user activity on the subject machine and upon detecting suspect activity destroys the stored credentials of the working process. Suspect activity includes any activity raising a suspicion of compromise.
    Type: Grant
    Filed: December 14, 2007
    Date of Patent: November 22, 2011
    Assignee: International Business Machines Corporation
    Inventors: Peter Theodore Waltenberg, Kenneth Stephen, Timothy Simon Bartley
  • Patent number: 8060885
    Abstract: A solution is proposed for facilitating the selection of execution servers to be used in a scheduler for submitting the execution of jobs. Each job is defined by a corresponding descriptor. The descriptor specifies the execution servers to be used by the jobs in a formal way (through their properties); in addition, the descriptor may also include the definition of formal relationships to be satisfied by the execution server with other resources of the system (in turn defined in a formal way through their properties). A query is created according to the descriptor for selecting (concrete) execution servers having the desired properties and satisfying the desired relationships with the resources of the system. This query is then run on a central database, wherein all the concrete execution servers, resources and relationships are defined. In this way, it is possible to obtain a list of concrete execution servers eligible to execute the job in a single transaction.
    Type: Grant
    Filed: October 3, 2007
    Date of Patent: November 15, 2011
    Assignee: International Business Machines Corporation
    Inventors: Fabio Benedetti, Paolo Deidda
  • Patent number: 8060632
    Abstract: A system is presented for facilitating management of user attribute information at one or more attribute information providers (AIPs), which can manage the user's attribute information in accordance with user-selected or administratively-determined options, including options that are stored in attribute release policies and/or dynamically determined during a transaction. E-commerce service providers (ECSPs), such as online banks or merchants, also maintain a relationship with an AIP such that the ECSP can trust the user attribute information that is provided by the AIP on behalf of the user. The user can complete transactions that require user attribute information at any ECSP without having to have previously established a relationship with that particular ECSP. If the ECSP has a relationship with one of the user's AIPs, then the user will be able to direct the ECSP to an AIP when the ECSP needs user attribute information to complete a transaction for the user.
    Type: Grant
    Filed: July 22, 2010
    Date of Patent: November 15, 2011
    Assignee: International Business Machines Corporation
    Inventors: George Robert Blakley, III, Heather Maria Hinton, Birgit Monika Pfitzmann
  • Patent number: 8055680
    Abstract: Methods, apparatuses, and computer program products are provided for assigning Access Control Lists (‘ACLs’) to a hierarchical namespace to optimize ACL inheritance. Embodiments include creating an entitlement matrix for a plurality of resources; creating a tree structure having a plurality of nodes for the hierarchical namespace in dependence upon the entitlement matrix; creating a plurality of ACLs in dependence upon the entitlement matrix; identifying a plurality of attachment points in the hierarchical namespace for the ACLs in dependence upon ACL attachment rules; and attaching the ACLs to the attachment points. Creating an entitlement matrix for a plurality of resources may be carried out by creating a matrix of resources and permissions for users.
    Type: Grant
    Filed: April 19, 2005
    Date of Patent: November 8, 2011
    Assignee: International Business Machines Corporation
    Inventor: Shane Bradley Weeden