Patents Assigned to Evidian
  • Patent number: 11468157
    Abstract: Disclosed is a method for authenticating a user by user identifier and associated graphical password. The graphical password includes a sequence of several images belonging to a group of images. The user provides a user identifier to an application, and graphically selects a sequence of several images in this group of images, the image order being randomly displayed by the application with each authentication of the user. The application identifies the position of each selected image in the sequence, establishes the correspondence between the sequence of the positions and the sequence of the identifiers of the selected images, compares the sequence of the selected image identifiers with the registered sequence, the application being the only entity able to establish this correspondence and/or the application being the only entity able to make this comparison, and authenticates the user if the comparison is positive but refuses authentication for a negative comparison.
    Type: Grant
    Filed: October 2, 2019
    Date of Patent: October 11, 2022
    Assignee: EVIDIAN
    Inventors: Christophe Guionneau, Valérie Clement
  • Publication number: 20210385225
    Abstract: The invention relates to a device and a method for authenticating a user utilizing an internet access client (10) for accessing remote resources of a computer infrastructure, said access comprising a first authentication (130) of the internet access client (10) and a second authentication (140) of the user of the internet access client (10). The method includes sending (132), to a token security module (21), by the internet access client (10), a client certificate (220), said client certificate (220) being associated with items of identification information of the internet access client (10); and receiving (133), by the internet access client (10), an authentication token (210) generated by the token security module when the client certificate (220) sent has been verified by the token security module.
    Type: Application
    Filed: June 2, 2021
    Publication date: December 9, 2021
    Applicant: EVIDIAN
    Inventor: Christophe GUIONNEAU
  • Patent number: 10133861
    Abstract: A method (M) for controlling access to a production system (SIP) of a computer system not connected to an information system (SIC), includes: A) an initial phase of enrolling a user via a terminal (1) in the production system (SIP), which includes: a) providing a private encrypted key (Cph) associated with each account of the user in the production system (SIP); b) the terminal transmitting the encrypted private key (Cph) to the information system and the system (SIC) registering the encrypted private key; B) for each request to access the production system, a phase of authentication by the production system, which includes: the terminal of the user recovering a challenge (QRCb) generated by the production system, that only the encrypted key stored in the information system makes it possible to solve, the key only being capable of being obtained after the terminal has been authenticated by the information system.
    Type: Grant
    Filed: November 18, 2015
    Date of Patent: November 20, 2018
    Assignee: EVIDIAN
    Inventors: Christophe Guionneau, David Cossard, Gerard Dedieu
  • Patent number: 9847991
    Abstract: A method for managing user accounts in an application of an application provider, includes: receiving a request for proof of authentication to authenticate a user attempting to access the application, the user being registered with an identity provider having a trust relationship with the application provider; obtaining, from a local database, user data including authentication data and access rights data; authenticating the user by the authentication data; determining the user right to access the application, by the access rights data; determining the existence or absence of a user account associated with the user, by querying an external database managed by the application provider; if the user has the right to access the application and there is no user account associated with the user: triggering provisioning of the user account at an entity, generating a proof of authentication associated with the user, sending the proof of authentication to the application provider.
    Type: Grant
    Filed: May 13, 2015
    Date of Patent: December 19, 2017
    Assignee: EVIDIAN
    Inventor: Christophe Guionneau
  • Patent number: 9396314
    Abstract: A method for changing the status, locked or unlocked, of a target machine including a security service and a session management module includes receiving, by the security service, a query corresponding to a request to change the status of the target machine, the query including at least one piece of identification information from a user of a source machine; from the security service, verifying if access rights to the target machine related to the user of the source machine allow a change in the status of the target machine by the user; if so, sending, from the security service, a status change message to the session management module of the target machine and proceeding to the status change made by the session management module.
    Type: Grant
    Filed: February 4, 2011
    Date of Patent: July 19, 2016
    Assignee: EVIDIAN
    Inventors: David Cossard, Gérard Dedieu
  • Patent number: 8893245
    Abstract: A method for propagating session management events between a plurality of machines forming a machine cluster includes generating, with a session management user interface, a session management event on a first machine of the machine cluster; detecting, with an installment of the interface, the generated event; sending, from the installment to a first security service related to the first machine, a set of specific information that is related to the detected event; determining, with the first security service, a set of target machines; sending the specific information from the first security service to target security services that are related to the target machines; and processing the specific information at each target security service of the target machines so as to execute, on each target machine that has received the specific information, the session management event generated on the first machine.
    Type: Grant
    Filed: February 4, 2011
    Date of Patent: November 18, 2014
    Assignee: Evidian
    Inventors: David Cossard, Gérard Dedieu
  • Publication number: 20130212647
    Abstract: A method for opening a session of a first machine using a session checking service for a set of machines including the first machine and a second machine, the second machine including a security service, the method including: receiving a request to open a session on the first machine, the request including an item of identification information of a user; verifying that the item of identification information is associated with an item of identification data of the second machine in a repository; checking that the user has the right to open a session on the first machine; if the verification and check are positive, sending a session status modification request of the second machine to the security service of the second machine; and if the session status of the second machine is modified, sending a request to authorize opening of a session to the first machine; and storing the identification information item that is associated with an item of identifying data of the first machine in the repository.
    Type: Application
    Filed: April 29, 2011
    Publication date: August 15, 2013
    Applicant: Evidian
    Inventor: Gérard Dedieu
  • Publication number: 20130047234
    Abstract: A method for propagating session management events between a plurality of machines forming a machine cluster includes generating, with a session management user interface, a session management event on a first machine of the machine cluster; detecting, with an installment of the interface, the generated event; sending, from the installment to a first security service related to the first machine, a set of specific information that is related to the detected event; determining, with the first security service, a set of target machines; sending the specific information from the first security service to target security services that are related to the target machines; and processing the specific information at each target security service of the target machines so as to execute, on each target machine that has received the specific information, the session management event generated on the first machine.
    Type: Application
    Filed: February 4, 2011
    Publication date: February 21, 2013
    Applicant: EVIDIAN
    Inventors: David Cossard, Gérard Dedieu
  • Publication number: 20130031614
    Abstract: A method for changing the status, locked or unlocked, of a target machine including a security service and a session management module includes receiving, by the security service, a query corresponding to a request to change the status of the target machine, the query including at least one piece of identification information from a user of a source machine; from the security service, verifying if access rights to the target machine related to the user of the source machine allow a change in the status of the target machine by the user; if so, sending, from the security service, a status change message to the session management module of the target machine and proceeding to the status change made by the session management module.
    Type: Application
    Filed: February 4, 2011
    Publication date: January 31, 2013
    Applicant: EVIDIAN
    Inventors: David Cossard, Gérard Dedieu
  • Patent number: 7822208
    Abstract: A process for creating and managing pairs of asymmetrical cryptographic keys and/or certificates associated with the pairs of keys, each pair of keys and associated certificates being intended for an object managed by a computer system. The process includes creating an individual request for creating and/or certifying at least one pair of keys for an object of the system that lacks a pair of keys or a certificate for its pair of keys.
    Type: Grant
    Filed: March 19, 2007
    Date of Patent: October 26, 2010
    Assignee: EVIDIAN
    Inventors: Pierre Calvez, Brigitte Courtaux, Jacques Lebastard
  • Patent number: 7225255
    Abstract: A method and device for configuring a firewall in a computer system employing a rule for controlling access between a source resource and a destination resource only if said source and destination resources belong to the same protection domain. At a central configuration machine, an access control rule is specified, including a scope, for each resource group, the scope, and thus the access control rule, is capable of being interpreted by each of the plurality of firewalls differently depending on the value of the scope and network resource characteristics associated with each of the plurality of firewalls.
    Type: Grant
    Filed: December 21, 2000
    Date of Patent: May 29, 2007
    Assignee: Evidian
    Inventors: Valérie Favier, Christophe Guionneau, Frédéric Grardel