Patents Represented by Attorney Jeffrey S. LaBaw
  • Patent number: 8042162
    Abstract: A method is presented in which federated domains interact within a federated environment. Domains within a federation can initiate federated single-sign-on operations for a user at other federated domains. A point-of-contact server within a domain relies upon a trust proxy within the domain to manage trust relationships between the domain and the federation. Trust proxies interpret assertions from other federated domains as necessary. Trust proxies may have a trust relationship with one or more trust brokers, and a trust proxy may rely upon a trust broker for assistance in interpreting assertions.
    Type: Grant
    Filed: June 12, 2007
    Date of Patent: October 18, 2011
    Assignee: International Business Machines Corporation
    Inventors: George Robert Blakley, III, Heather Maria Hinton, Anthony Joseph Nadalin
  • Patent number: 8006289
    Abstract: A method is presented for managing authentication credentials for a user. A session management server performs session management with respect to the user for a domain that includes a protected resource. The session management server receives a request to access the protected resource, which requires authentication credentials that have been generated for a first type of authentication context. In response to determining that authentication credentials for the user have been generated for a second type of authentication context, the session management server sends to an authentication proxy server a first message that contains the authentication credentials for the user and an indicator for the first type of authentication context. The session management server subsequently receives a second message that contains updated authentication credentials for the user that indicate that the updated authentication credentials have been generated for the first type of authentication context.
    Type: Grant
    Filed: December 16, 2005
    Date of Patent: August 23, 2011
    Assignee: International Business Machines Corporation
    Inventors: Heather M. Hinton, Benjamin Harmon, Anthony Moran
  • Patent number: 7949717
    Abstract: A solution is proposed for exchanging messages (such as e-mails) among a plurality of data processing entities, such as client computers (105). A corresponding method starts with the step of sending (403-412) an original message from a sender entity to a set of original receiver entities; the original message includes an original information content and an indication of the original receiver entities. The method continues by sending (415-424) a correction message from the sender entity at least partially to the original receiver entities and completely to a set of missing receiver entities that were missing from the original message; the correction message includes the original information content and an indication of the original receiver entities and the missing receiver entities. The original message for each original receiver entity is then corrected (427-496) according to the correction message.
    Type: Grant
    Filed: May 21, 2008
    Date of Patent: May 24, 2011
    Assignee: International Business Machines Corporation
    Inventors: Bernardo Pastorelli, Sandro Piccinini
  • Patent number: 7921152
    Abstract: A method, system, apparatus, and computer program product are presented for processing cookies that are transmitted from a server through a proxy server to a client that is operated by a user. The proxy server detects that a response message from the server for the client has an associated cookie. The proxy server extracts a domain identifier associated with the server from the response message, and the proxy server retrieves a set of parameters that contain domain identifiers that are associated with indications of whether to block transmission of cookies from servers associated with the domain identifiers. The proxy server then processes the cookie in the response message in accordance with the retrieved set of parameters and the extracted domain identifier, either blocking or not blocking cookies from the identified domain. Blocked cookies are cached for subsequent use. Multiple sets of parameters may be configured by the user.
    Type: Grant
    Filed: July 17, 2003
    Date of Patent: April 5, 2011
    Assignee: International Business Machines Corporation
    Inventors: Paul Anthony Ashley, Sridhar R. Muppidi, Mark Vandenwauver
  • Patent number: 7903656
    Abstract: A method, system, apparatus, or computer program product is presented for routing event messages between data processing systems based on privacy policies associated with the data processing systems and based on event policies associated with event types for the event messages. When a system attempts to publish an event message for a particular type of event or to subscribe to those event messages, an event policy is checked to determine whether the system may publish messages for that type of event or may subscribe to those messages. Moreover, if a publishing system publishes an event message that contains personally identifiable information for a user of a data processing system, and a subscribing system has subscribed to event messages having the same event type, then the privacy policies associated with the systems are compared to determine compatibility or incompatibility between the privacy policies before routing a message between the systems.
    Type: Grant
    Filed: October 4, 2007
    Date of Patent: March 8, 2011
    Assignee: International Business Machines Corporation
    Inventors: Maryann Hondo, Anthony Joseph Nadalin, Ajamu Akinwunmi Wesley
  • Patent number: 7885947
    Abstract: A solution (200) for discovering inventory information in a data processing system is proposed. For this purpose, a corresponding discovery request is submitted (A1) to an inventory tool (200); the discovery request specifies a selected query pattern for the desired inventory information (for example, all the files included in a specific directory). Multiple providers (210), such as those of the interactive, cached or monitor type, are available for executing the required discovery operation. A predictive model (220) is associated with each provider; the models are used to estimate (A2,A3a,A3b-A4) the expected performance of the different providers for discovering the inventory information (according to the selected query pattern). In this way, it is possible to select (A5-A9) the provider, among the available ones, which is best suited for this purpose. The selected provider is then invoked (A10-A12) to discover the inventory information matching the selected query pattern.
    Type: Grant
    Filed: May 31, 2007
    Date of Patent: February 8, 2011
    Assignee: International Business Machines Corporation
    Inventors: Pescuma Michele, Luigi Pichetti, Alessandro Scotti
  • Patent number: 7865721
    Abstract: A method and system are presented for configuring a group of OCSP (Online Certificate Status Protocol) responders so that they are highly available. Each of the grouped OCSP responders shares a common public key. When responding to an OCSP request, an OCSP responder generates an OCSP response that is signed with a group digital signature; the certificate for the common or group public key can be attached to the OCSP response. An OCSP client uses the group public key to verify the group digital signature on an OCSP response from any of the OCSP responders. For an OCSP client, the availability of this group of responders is greater than the availability of any one member of the group.
    Type: Grant
    Filed: October 3, 2007
    Date of Patent: January 4, 2011
    Assignee: International Business Machines Corporation
    Inventor: Krishna K. Yellepeddy
  • Patent number: 7860882
    Abstract: A method is presented for transferring data objects between federated entities within a federated computational environment using artifacts. A first federated entity receives artifacts from a second federated entity that generates data objects, such as assertions, for use at or by the first federated entity. An artifact references a data object that is locally stored by the second federated entity, which is implemented as a distributed system having multiple data processing systems, each of which can generate artifacts and associated data objects and can proxy retrieval requests to systems within the second federated entity. Each artifact includes a tag that indicates the data processing system within the second federated entity that generated the artifact. When the second federated entity receives a retrieval request with an artifact from the first federated entity, the appropriate data object is retrieved from within the distributed data processing system using the artifact and the tag.
    Type: Grant
    Filed: July 8, 2006
    Date of Patent: December 28, 2010
    Assignee: International Business Machines Corporation
    Inventors: Heather M. Hinton, Matthew P. Duggan, Patrick R. Wardrop
  • Patent number: 7860883
    Abstract: A method is presented for transferring data objects between federated entities within a federation using artifacts. A first federated entity, such as a service provider, receives artifacts from a second federated entity, such as an identity provider, which generates data objects, such as assertions, for use at or by the first federated entity. The artifact references a data object that is locally stored by the second federated entity, which is implemented as a distributed data processing system with a set of data processing systems, each of which can generate artifacts and artifact-referenced data objects, and each of which can proxy data object retrieval requests to other data processing systems within the distributed data processing system. When the second federated entity receives a data object retrieval request with an artifact from the first federated entity, the artifact-referenced data object is retrieved from within the distributed data processing system using the artifact.
    Type: Grant
    Filed: July 8, 2006
    Date of Patent: December 28, 2010
    Assignee: International Business Machines Corporation
    Inventors: Heather M. Hinton, Matthew P. Duggan, Patrick R. Wardrop
  • Patent number: 7797312
    Abstract: A database comprising a plurality of tables is interrogated by generating a database query and a data map, the data map describing the structure of the table instances implicated in the database query. Next, the database query is submitted to the database. A response is received from the database. The data map is traversed so as to iteratively apply a data extraction process to components of the response corresponding to each table instance associated with the database query, thereby extracting the required data from the response.
    Type: Grant
    Filed: April 3, 2007
    Date of Patent: September 14, 2010
    Assignee: International Business Machines Corporation
    Inventor: Domenico Di Giulio
  • Patent number: 7797726
    Abstract: A method is presented for enforcing a privacy policy concerning management of personally identifiable information in a centralized manner through a privacy proxy agent. A proxy intercepts a message from a first system to a second system, e.g., from a server to a client, and determines whether the message is associated with an operation on personally identifiable information; if not, then the proxy sends the message to the second system, but if so, then the proxy determines whether the operation on the personally identifiable information is compliant with a privacy policy and with user preference information with respect to the privacy policy for a user who is associated with the personally identifiable information. If the message is compliant with the privacy policy and user preference data, then the proxy sends the first message to the second system; otherwise, an error indication is returned to the first system.
    Type: Grant
    Filed: December 16, 2004
    Date of Patent: September 14, 2010
    Assignee: International Business Machines Corporation
    Inventors: Paul Anthony Ashley, Sridhar R. Muppidi, Mark Vandenwauver
  • Patent number: 7797434
    Abstract: A system is presented for facilitating management of user attribute information at one or more attribute information providers (AIPs), which can manage the user's attribute information in accordance with user-selected or administratively-determined options, including options that are stored in attribute release policies and/or dynamically determined during a transaction. E-commerce service providers (ECSPs), such as online banks or merchants, also maintain a relationship with an AIP such that the ECSP can trust the user attribute information that is provided by the AIP on behalf of the user. The user can complete transactions that require user attribute information at any ECSP without having to have previously established a relationship with that particular ECSP. If the ECSP has a relationship with one of the user's AIPs, then the user will be able to direct the ECSP to an AIP when the ECSP needs user attribute information to complete a transaction for the user.
    Type: Grant
    Filed: December 31, 2002
    Date of Patent: September 14, 2010
    Assignee: International Business Machines Corporation
    Inventors: George Robert Blakley, III, Heather Maria Hinton, Birgit Monika Pfitzmann
  • Patent number: 7792916
    Abstract: The number of concurrent system locks supported on a Sysplex is limited. Since persistent system locks may not be released for a long time, the limit may be reached, resulting in outage periods. Access to resources may be managed through shared variables across a cluster of computing systems. Processes running on the cluster can use shared variables that are either exclusive or non-exclusive. An exclusive shared variable associates a resource with a process that has exclusive control of the resource. Since each exclusive shared variable is unique across the cluster, another application cannot create a second exclusive shared variable to control the resource. There is no limit on the number of exclusive shared variables that can be created on a cluster. Using exclusive shared variables instead of persistent system locks can prevent a system from reaching the limit of concurrent system locks while allowing processes exclusive use of resources.
    Type: Grant
    Filed: October 20, 2008
    Date of Patent: September 7, 2010
    Assignee: International Business Machines Corporation
    Inventor: Bernd Dowedeit
  • Patent number: 7734642
    Abstract: This invention automates the selection of purpose usages when a user agent interacts with a web site that has been enabled for automated purpose usage information exchange. A user first configures the purpose usage automation in his or her user agent. At this stage, which typically occurs off-line, the user decides on a level of automation when specifying the one or more purpose usages. If desired, this preference may depend on how “trusted” the site is to the user. Later, when the user navigates to an organization's web site, the user agent communicates the purpose usage settings to the organization according to the level of purpose usage automation that has been configured. In particular, when a user's agent visits a web site, the user agent detects that “automated purpose usage” is enabled for the web site. The web site then provides the user agent with a list of one or more purpose usage options required or desired by the organization.
    Type: Grant
    Filed: April 24, 2007
    Date of Patent: June 8, 2010
    Assignee: International Business Machines Corporation
    Inventors: Paul Anthony Ashley, Sridhar R. Muppidi, Mark Vandenwauver
  • Patent number: 7725562
    Abstract: A computer system is presented for facilitating storage and retrieval of user attribute information within a federated environment at entities that manage such information as a service. Through enrollment processes, certain domains inform online service providers of identities of attribute information providers that may be used to retrieve user attribute information for a particular user. When performing a user-specific operation with respect to a requested resource, e.g., for personalizing documents using user attribute information or for determining user access privileges for the resource, an e-commerce service provider requires user attribute information, which is retrieved from an attribute information provider that has been previously specified through an enrollment operation. The e-commerce service provider may store the identity of the user's attribute information providers in a persistent token, e.g., an HTTP cookie, that is available when the user sends a request for access to a resource.
    Type: Grant
    Filed: December 31, 2002
    Date of Patent: May 25, 2010
    Assignee: International Business Machines Corporation
    Inventors: George Robert Blakley, III, Heather Maria Hinton, Anthony Joseph Nadalin, Birgit Monika Pfitzmann
  • Patent number: 7698375
    Abstract: A method and a system are presented in which federated domains interact within a federated environment. Domains within a federation can initiate federated operations for a user at other federated domains. A point-of-contact server within a domain relies upon a trust proxy within the domain to manage trust relationships between the domain and the federation. The point-of-contact server receives incoming requests directed to the domain and interfaces with a first application server and a second application server, wherein the first application server responds to requests for access to controlled resources and the second application server responds to requests for access to federated user lifecycle management functions, which are implemented using one or more pluggable modules that interface with the second application server.
    Type: Grant
    Filed: July 21, 2004
    Date of Patent: April 13, 2010
    Assignee: International Business Machines Corporation
    Inventors: Heather Maria Hinton, Dolapo Martin Falola, Anthony Scott Moran, Patrick Ryan Wardrop
  • Patent number: 7694339
    Abstract: A method, system, apparatus, or computer program product is presented for morphing a honeypot system on a dynamic and configurable basis. The morphing honeypot emulates a variety of services while falsely presenting information about potential vulnerabilities within the system that supports the honeypot. The morphing honeypot has the ability to dynamically change its personality or displayed characteristics using a variety of algorithms and a database of known operating system and service vulnerabilities. The morphing honeypot's personality can be changed on a timed or scheduled basis, on the basis of activity that is generated by the presented honeypot personality, or on some other basis. The morphing honeypot can also be integrated with intrusion detection systems and other types of computer security incident recognition systems to correlate its personality with detected nefarious activities.
    Type: Grant
    Filed: June 28, 2008
    Date of Patent: April 6, 2010
    Assignee: International Business Machines Corporation
    Inventors: Kenneth W. Blake, Vikki Kim Converse, Ronald O'Neal Edmark, John Michael Garrison
  • Patent number: 7657639
    Abstract: A method is presented for performing an identity provider migration operation with respect to a user within a federated computational environment, wherein the user has a first user account at a first identity provider, a second user account at a second identity provider, and a third user account at a service provider. A request to access a resource is received by the service provider, after which a federated single-sign-on operation for the user is performed between the service provider and the first identity provider. Prior to sending a response to the request to access the protected resource, information in the third user account is modified to indicate that the service provider relies upon the second identity provider to authenticate the user on behalf of the service provider rather than the first identity provider. A response for the request to access the resource is then returned by the service provider.
    Type: Grant
    Filed: July 21, 2006
    Date of Patent: February 2, 2010
    Assignee: International Business Machines Corporation
    Inventor: Heather M. Hinton
  • Patent number: 7631346
    Abstract: A method, system, apparatus, and computer program product are presented to support computing systems of different enterprises that interact within a federated computing environment. Federated single-sign-on operations can be initiated at the computing systems of federation partners on behalf of a user even though the user has not established a user account at a federation partner prior to the initiation of the single-sign-on operation. For example, an identity provider can initiate a single-sign-on operation at a service provider while attempting to obtain access to a controlled resource on behalf of a user. When the service provider recognizes that it does not have a linked user account for the user that allows for a single-sign-on operation with the identity provider, the service provider creates a local user account. The service provider can also pull user attributes from the identity provider as necessary to perform the user account creation operation.
    Type: Grant
    Filed: April 1, 2005
    Date of Patent: December 8, 2009
    Assignee: International Business Machines Corporation
    Inventors: Heather Maria Hinton, Ivan Matthew Milman, Venkat Raghavan, Shane Bradley Weeden
  • Patent number: 7587491
    Abstract: A computer system is presented for facilitating user enrollment at service providers, particularly with respect to storage and retrieval of user attribute information within a federated environment at entities that manage such information as a service. One domain can inform other domains of identities of service providers that are to be associated with a user, thereby enrolling information about the user at those domains. In addition, an enrollment operation can be invoked by a first service provider through a second service provider such that the user becomes enrolled at a third service provider. During an enrollment operation, information about multiple service providers may be associated with a user, and these service providers may be prioritized. The user may be provided an opportunity to reprioritize the service providers during the enrollment operation so that the service providers are subsequently contacted or used in a particular priority order.
    Type: Grant
    Filed: December 31, 2002
    Date of Patent: September 8, 2009
    Assignee: International Business Machines Corporation
    Inventor: Heather Maria Hinton