Patents Assigned to ForgeRock, Inc.
  • Publication number: 20240121238
    Abstract: The technology disclosed teaches performing biometric, app-free authentication or authorization of a user to access a web-based application, with the user interacting with a workstation browser running on a workstation to access the web-based application using built-in resources of a smart/mobile device. A web application uses methods to authenticate and authorize users before the users are permitted to access the application. A demand exists for improving the security and ease of use of authentication and access management. Access management and authentication of users have evolved to more than just entering a username and password. Multi-factor authentication (MFA) is common. The numerous paths involved in authentication use numerous forms of identification of users during the authentication journey.
    Type: Application
    Filed: September 29, 2022
    Publication date: April 11, 2024
    Applicant: ForgeRock, Inc.
    Inventors: Justin CHIN, John Hamilton KIMBLE, II
  • Publication number: 20240113889
    Abstract: Disclosed is technology that verifies, in pairwise manner, proof of ownership-association of decentralized online resources owned by or affiliated with a single entity by visiting a first resource using a first location identifier, ingesting a first scannable image that contains a first plurality of assertions of ownership of online resources by a single entity and extracting a first public key of the first resource. The technology also visits a second resource using a second location identifier, ingests a second scannable image that contains a second plurality of assertions and extracts a second public key of the second resource. Then, the technology verifies, using the first public key, a signature from the first complementary assertion, verifies, using the second public key, a signature from the second complementary assertion, and determines, based on the pair of verifications, whether the first and second resources are owned by a single entity.
    Type: Application
    Filed: September 29, 2022
    Publication date: April 4, 2024
    Applicant: ForgeRock, Inc.
    Inventor: David LUNA
  • Publication number: 20240111883
    Abstract: The disclosed technology teaches a method of identifying roles to coalesce. The disclosed role coalescence engine includes compiling roles from an enterprise database and associated role features respective to each role (such as members who belong to a particular role or access privileges assigned to a particular role), computing a similarity measure between pairs of roles with respect to a single role feature, and clustering role pairs based on the similarity measure. The method further includes generating a cluster visualization based on the clustered role pairs and causing display of the cluster visualization to a user with controls for selecting a particular cluster of the cluster visualization. Coalescence of role databases results in improved security for identity governance and administration tools by reducing unauthorized or inappropriate access.
    Type: Application
    Filed: September 29, 2022
    Publication date: April 4, 2024
    Applicant: ForgeRock, Inc.
    Inventors: Dennis Karl Wilhelm HAAKE, Sanjay RALLAPALLY, Ivan HUGHES, Jr.
  • Publication number: 20240113879
    Abstract: Disclosed is technology that creates proof of ownership-association of online resources owned by or associated with a single entity. The technology generates resource references for a set of resources owned by or associated with an owning entity, the set of resources including online resources, obtains private and public key pairs for respective resources in the set of resources, and generates, for posting on a current resource, a scannable image that encapsulates both a self-assertion that includes a self-reference to the current resource and the public key for the current resource, and a set of assertions for each other resource in the set of resources, each assertion for a respective resource including a respective reference to the respective resource and a signed reference to the current resource that is generated using the private key of the respective resource.
    Type: Application
    Filed: September 29, 2022
    Publication date: April 4, 2024
    Applicant: ForgeRock, Inc.
    Inventor: David LUNA
  • Publication number: 20240114031
    Abstract: The disclosed technology teaches a method for customers of an organization to perform configuration at runtime for authentication journeys used by the customer's users, to simplify authentication trees, and to delegate configuration to the customer's administrators, wherein an authentication tree implements an authentication journey, the authentication tree including authentication nodes and edges connecting the authentication nodes. The method includes configuring an editable script and an authentication node used in the authentication tree in response to a user invocation of the authentication journey by executing a factory method that applies configuration parameters to the editable script and to parameters used to access an API.
    Type: Application
    Filed: September 30, 2022
    Publication date: April 4, 2024
    Applicant: ForgeRock, Inc.
    Inventors: Isaac TAYLOR, Volker Gunnar SCHEUBER HEINZ, Charles BAILEY, Abel Jay BOWERS, Thomas James DENNIS, Kajetan HEMZACZEK
  • Patent number: 11917064
    Abstract: The disclosed technology teaches granular sharing of parts of an authorization token among individual microservices in a microservice chain, including packaging in an encrypted token base information used by the chain, overall, and respective individual portions of information for respective microservices in the chain. Also disclosed is receiving the token, with a service request message, at an entry point to the chain, decrypting the base information and verifying authorization for initiation of the service chain with an authorization service.
    Type: Grant
    Filed: December 3, 2021
    Date of Patent: February 27, 2024
    Assignee: ForgeRock, Inc.
    Inventor: Nicholas P. James
  • Publication number: 20230412596
    Abstract: The disclosed technology teaches safely attaching an access token to a browser-based request from a first app loaded by a webpage, without exposing the token to malicious code loaded by the webpage, providing an identity proxy that transparently determines which network requests to relay and a secrets management proxy that provides access tokens transparently to the requests. The identity proxy intercepts an access request from the first app to the resource server and relays the request via the secrets management proxy, which forwards the request to the resource server with an access token, receives a response from the resource server and forwards the response to the identity proxy for return to the first app. The secrets management proxy is implemented in an iFrame that has isolated storage subject to a browser-enforced same origin policy that makes the isolated storage used by the iFrame inaccessible to malicious code on the webpage.
    Type: Application
    Filed: June 26, 2023
    Publication date: December 21, 2023
    Applicant: ForgeRock, Inc.
    Inventor: Jake Feasel
  • Publication number: 20230297652
    Abstract: The disclosed technology teaches integrating theme management of user interfaces that implement an authentication journey for hosted services, receiving user input and responsively configuring a switch block node used in the journey. A first configured control of the node selects an authentication-related state variable to set a switch and a second configured control specifies alternative settings. Also receiving user input and responsively composing a script used in the node to process the state variable and select among the switch settings, responsive to the state variable, and receiving user input and responsively creating a visual branding theme. Further included is receiving user input and responsively composing a directed graph in which nodes that implement the authentication journey are connected, applying the themes to named theme nodes, positioning and connecting the switch block node to subsequent named theme nodes, to which the switch block node alternatively directs a flow of the journey.
    Type: Application
    Filed: March 16, 2022
    Publication date: September 21, 2023
    Applicant: ForgeRock, Inc.
    Inventors: Andrew Lawrence HERTEL, Craig GERING, Katy ATKINSON, Colin Madigan DEAN, Michael ELLIOTT, Volker Gunnar SCHEUBER HEINZ, Charles Daniel MASUCCI
  • Patent number: 11720410
    Abstract: The disclosed technology teaches initializing an application instance using a SaaS model in a project implemented on a cloud-based computing service, including running a configuration engine that links a service provider for the SaaS application to set configuration parameters for the project and initializing the project in which an application instance will be built, then removing the authorization of the configuration engine to access the project and removing access to set the parameters. The technology also includes running a SaaS application infrastructure builder autonomously, without the service provider having access to the builder, to build the instance, and then delivering the application as a SaaS service.
    Type: Grant
    Filed: December 14, 2021
    Date of Patent: August 8, 2023
    Assignee: ForgeRock, Inc.
    Inventors: Scott Culp, Beau Croteau, Steve White
  • Publication number: 20230239151
    Abstract: The disclosed technology teaches delegating authorization to access a resource server contingent upon group membership confirmation by a third-party identity management provider. As part of the technology, a client obtains a Macaroon Access Token with a third-party caveat that requires the client to obtain a one-time Discharge Macaroon Authorization from a third-party authority, and identifies both the user group membership that needs to be checked and a hint on how to find the third-party authority. The client provides the Macaroon Access Token to the third-party authority. The client obtains, from the third-party authority, a Discharge Macaroon Access Token that identifies user group membership, and sends the Macaroon Access Token and the Discharge Macaroon Authorization to the resource server as proof of authorization.
    Type: Application
    Filed: February 24, 2023
    Publication date: July 27, 2023
    Applicant: ForgeRock, Inc.
    Inventor: Neil Edward MADDEN
  • Publication number: 20230222115
    Abstract: The technology disclosed relates to maintaining a cache of effective properties in an identity management system employing a graph. In particular, it relates to handling vertex/edge and/or graph topology updates in accordance with update notification requirements configured from a schema and, in conjunction with detecting updating of vertex/edge attributes and/or graph topology, recalculating effective attributes in accordance with the configured notification requirements.
    Type: Application
    Filed: February 27, 2023
    Publication date: July 13, 2023
    Applicant: ForgeRock, Inc.
    Inventor: Dirk John HOGAN
  • Patent number: 11689528
    Abstract: The disclosed technology teaches safely attaching an access token to a browser-based request from a first app loaded by a webpage, without exposing the token to malicious code loaded by the webpage, providing an identity proxy that transparently determines which network requests to relay and a secrets management proxy that provides access tokens transparently to the requests. The identity proxy intercepts an access request from the first app to the resource server and relays the request via the secrets management proxy, which forwards the request to the resource server with an access token, receives a response from the resource server and forwards the response to the identity proxy for return to the first app. The secrets management proxy is implemented in an iFrame that has isolated storage subject to a browser-enforced same origin policy that makes the isolated storage used by the iFrame inaccessible to malicious code on the webpage.
    Type: Grant
    Filed: September 12, 2019
    Date of Patent: June 27, 2023
    Assignee: ForgeRock, Inc.
    Inventor: Jake Feasel
  • Publication number: 20230195604
    Abstract: The disclosed technology teaches rejecting, during validation, a sequence of components intended for interacting with a user. Included are providing a sequence setup GUI supporting construction of an executable sequence by connecting at least five components in a directed graph, and tracing multiple paths through the directed graph, including from at least one conditional branch at a first up-chain component, in which down-chain components accept as input and depend on output from at least one up-chain component, referred to as input chain dependencies. Also included are locating at least one error in use of a particular down-chain component when invoked following one of the multiple paths, where the error results from failure to satisfy any of the input chain dependencies of the particular down-chain component, and reporting the error during validation to a user of the GUI, before passing the sequence of components from validation to use in production.
    Type: Application
    Filed: February 17, 2023
    Publication date: June 22, 2023
    Applicant: ForgeRock, Inc.
    Inventors: Krismy Alexandra Botkin, Benjamin Anthony Apple, Jonathan David Branch, Colin Madigan Dean
  • Publication number: 20230179417
    Abstract: The disclosed technology teaches granular sharing of parts of an authorization token among individual microservices in a microservice chain, including packaging in an encrypted token base information used by the chain, overall, and respective individual portions of information for respective microservices in the chain. Also disclosed is receiving the token, with a service request message, at an entry point to the chain, decrypting the base information and verifying authorization for initiation of the service chain with an authorization service.
    Type: Application
    Filed: December 3, 2021
    Publication date: June 8, 2023
    Applicant: ForgeRock, Inc.
    Inventor: Nicholas P. JAMES
  • Publication number: 20230117846
    Abstract: The disclosed technology teaches a computer-implemented method of enabling identity governance administration to examine the state of identity management objects at an arbitrary prior time. The method includes maintaining a data store of identity management objects used for identity governance administration, including specification of user roles from which permissions or authorizations derive and recording in the data store copies of identity management objects with an as-of time stamp at each creation, change and deletion of each identity management object. Also included is retaining time-stamped versions of the objects for a queryable time window. The method also includes receiving a query with an as-of time criteria for at least some of the identity management objects and returning responsive objects from which the permissions or authorizations were derived at the as-of-time. Responding to the query with the responsive objects that correspond to the as-of time criteria in the query is also disclosed.
    Type: Application
    Filed: October 20, 2021
    Publication date: April 20, 2023
    Applicant: ForgeRock, Inc.
    Inventors: Sudhakar Peddibhotla, Sandesh More, Peter Barker
  • Publication number: 20230114226
    Abstract: The disclosed technology teaches a method of coalescing candidate roles discovered by role mining with active roles that preexisted the role mining, including calculating pairwise proximities between the candidate roles and the active roles by counting differences between pairs over attribute lists for entitlement, driving factors and access patterns, with a penalty for lack of overlap between attribute lists, to produce a total difference score. Also included is selecting pairs of candidate and active roles that have low total difference scores that are also below a threshold. For the selected pairs, the disclosed method includes proposing to assign entitlements from the active role to the paired candidate role, and receiving user feedback on whether to proceed with merging of candidate roles in the pair into corresponding active roles, while retaining entitlements of the active roles.
    Type: Application
    Filed: December 22, 2021
    Publication date: April 13, 2023
    Applicant: ForgeRock, Inc.
    Inventors: Aaron Gauldin, Sudhakar Peddibhotla, Peter Barker
  • Patent number: 11606210
    Abstract: The disclosed technology teaches providing limited usage of a first device that includes local resources for verifying authenticity of a Macaroon access token with caveats (MATwC), a unique key and a local proximity interface. A second device used by the service technician receives the MATwC, establishes a connection with the first device over the local proximity interface using the MATwC, and sends a request to enter limited usage mode. The MATwC originated with an authentication server as a MAT, using the unique key of the first device, and was modified by appending caveats that narrowed the authorization provided by the MAT to the limited usage mode, with a message authentication code chaining algorithm applied to sign the resulting MATwC. The first device performs local authentication of the MATwC, evaluating the appended caveats, and enters the limited usage mode consistent with the appended caveats, without requiring connected resources to authenticate the MATwC.
    Type: Grant
    Filed: December 17, 2020
    Date of Patent: March 14, 2023
    Assignee: ForgeRock, Inc.
    Inventor: Neil Edward Madden
  • Patent number: 11593356
    Abstract: The technology disclosed relates to maintaining a cache of effective properties in an identity management system employing a graph. In particular, it relates to handling vertex/edge and/or graph topology updates in accordance with update notification requirements configured from a schema and, in conjunction with detecting updating of vertex/edge attributes and/or graph topology, recalculating effective attributes in accordance with the configured notification requirements.
    Type: Grant
    Filed: September 11, 2020
    Date of Patent: February 28, 2023
    Assignee: ForgeRock, Inc.
    Inventor: Dirk John Hogan
  • Patent number: 11595389
    Abstract: The disclosed technology teaches confirming proper deployment of sensors, with an authorization server (AS) issuing to a first client a Macaroon access token (MAT), optionally with caveats, including a root signature, and providing the MAT to a client. The client modifies the MAT to produce multiple instances by appending caveats that add a deployment location to each of the instances, and applies a message authentication code (MAC) chaining algorithm to generate updated signatures to include in the instances of a MAT with caveats (MATwC). The first client forwards the multiple instances of the MATwC to respective sensor instances, and a second client receives, from the sensor instances, sensed data and location indicative data, accompanied by respective MATwC instances. The second client verifies that the location indicative data is consistent with the deployment location caveat in the respective MATwC and utilizes instances of the sensed data that are verified as consistent.
    Type: Grant
    Filed: December 17, 2020
    Date of Patent: February 28, 2023
    Assignee: ForgeRock, Inc.
    Inventor: Neil Edward Madden
  • Patent number: 11595215
    Abstract: The disclosed technology teaches confirming delegation of authorization from an authorization server (AS) by a client to a service, including an AS issuing an OAuth2 access token in the form of a Macaroon (MAT), optionally with caveats, including a root signature, and providing the MAT to a client. Included is the client modifying the OA2 access token by appending caveats that narrow authorization, and by applying a message authentication code (MAC) chaining algorithm to generate an updated signature to include in the resulting MAT with caveats (MATwC), the client delegating authorization to a service by forwarding the MATwC to the service and the service using the MATwC to access a resource server (RS), the RS passing the MATwC to the AS, and the AS determining authenticity of the MATwC as a bearer token and evaluating scope of authorization from the MAT as narrowed by the caveats, and reporting results.
    Type: Grant
    Filed: December 17, 2020
    Date of Patent: February 28, 2023
    Assignee: ForgeRock, Inc.
    Inventor: Neil Edward Madden