Abstract: An aspect of the present invention facilitates flexible credential collection in an authentication server employing diverse authentication schemes. In an embodiment, an access manager in the authentication server determines that an authentication scheme is to be used for allowing access to a resource requested by a user. A custom module (implementing the authentication scheme) in the authentication server then sends to the access manager commands indicating corresponding sets of credentials to be collected. The access manager, in response to receiving each command, collects the corresponding credentials from the user and checks whether the collected credentials authenticates the user. The custom module sends each command after the checking of the previously collected credentials. Accordingly, a developer of the custom module is enabled to request for and to perform the authentication of the user based on different sets of credentials.

Abstract: Methods and systems are described for state driven orchestration of authentication components to access a resource protected by an access manager framework. In response to a client request for a protected resource, relevant authentication components and their respective order are determined. Upon successful authentication of the first authentication component, proper state information of the authentication process is stored by the client indicating the next authentication component. In response to a request for additional credential information for the authentication process from the next authentication component, the client provides the stored state information so that the authentication process continues with the second authentication component according to the determined order of the authentication components within an authentication process.

Abstract: Methods and systems are described for state driven orchestration of authentication components to access a resource protected by an access manager framework. In response to a client request for a protected resource, relevant authentication components and their respective order are determined. Upon successful authentication of the first authentication component, proper state information of the authentication process is stored by the client indicating the next authentication component. In response to a request for additional credential information for the authentication process from the next authentication component, the client provides the stored state information so that the authentication process continues with the second authentication component according to the determined order of the authentication components within an authentication process.

Abstract: Various arrangements for providing authentication information to a user are presented. A single-point authentication manager executed by a computer system may receive a request to access a resource from a remote client computer system. The single-point authentication manager may manage access to a plurality of resources including the resource. The single-point authentication manager may communicate with an authentication plug-in application that performs a type of authentication. Authentication of the user may be performed. In response to performing authentication of the user, the authentication plug-in application may generate a message to be transmitted to the remote client computer system. The message may include an indication that the message is to be passed to the remote client computer system and information regarding the authentication of the user. In response to receiving the message from the authentication plug-in application, the message may be transmitted to the remote client computer system.

Abstract: Various arrangements for providing authentication information to a user are presented. A single-point authentication manager executed by a computer system may receive a request to access a resource from a remote client computer system. The single-point authentication manager may manage access to a plurality of resources including the resource. The single-point authentication manager may communicate with an authentication plug-in application that performs a type of authentication. Authentication of the user may be performed. In response to performing authentication of the user, the authentication plug-in application may generate a message to be transmitted to the remote client computer system. The message may include an indication that the message is to be passed to the remote client computer system and information regarding the authentication of the user. In response to receiving the message from the authentication plug-in application, the message may be transmitted to the remote client computer system.

Abstract: A method of using an access manager server to establish a communication session between a resource and a user device may include receiving a request from the user device to access the resource, determining that the client system is registered as a trusted partner, sending the client system a first encrypted token that includes a resource identifier where the client system has access to a first cryptographic key that decrypts the first encrypted token. The method may also include receiving a second encrypted token that signifies that access to the resource has been granted by the client system where the second token comprises a user identifier and the access manager server has access to a second cryptographic key that decrypts the second token. The method may additionally include decrypting the second token and establishing the communication session between the user device and the resource using the user identifier.

Abstract: An aspect of the present invention facilitates flexible credential collection in an authentication server employing diverse authentication schemes. In an embodiment, an access manager in the authentication server determines that an authentication scheme is to be used for allowing access to a resource requested by a user. A custom module (implementing the authentication scheme) in the authentication server then sends to the access manager commands indicating corresponding sets of credentials to be collected. The access manager, in response to receiving each command, collects the corresponding credentials from the user and checks whether the collected credentials authenticates the user. The custom module sends each command after the checking of the previously collected credentials. Accordingly, a developer of the custom module is enabled to request for and to perform the authentication of the user based on different sets of credentials.

Abstract: Methods and systems are described for state driven orchestration of authentication components to access a resource protected by an access manager framework. In response to a client request for a protected resource, relevant authentication components and their respective order are determined. Upon successful authentication of the first authentication component, proper state information of the authentication process is stored by the client indicating the next authentication component. In response to a request for additional credential information for the authentication process from the next authentication component, the client provides the stored state information so that the authentication process continues with the second authentication component according to the determined order of the authentication components within an authentication process.

Abstract: A method of using an access manager server to establish a communication session between a resource and a user device may include receiving a request from the user device to access the resource, determining that the client system is registered as a trusted partner, sending the client system a first encrypted token that includes a resource identifier where the client system has access to a first cryptographic key that decrypts the first encrypted token. The method may also include receiving a second encrypted token that signifies that access to the resource has been granted by the client system where the second token comprises a user identifier and the access manager server has access to a second cryptographic key that decrypts the second token. The method may additionally include decrypting the second token and establishing the communication session between the user device and the resource using the user identifier.

Abstract: Various arrangements for providing authentication information to a user are presented. A single-point authentication manager executed by a computer system may receive a request to access a resource from a remote client computer system. The single-point authentication manager may manage access to a plurality of resources including the resource. The single-point authentication manager may communicate with an authentication plug-in application that performs a type of authentication. Authentication of the user may be performed. In response to performing authentication of the user, the authentication plug-in application may generate a message to be transmitted to the remote client computer system. The message may include an indication that the message is to be passed to the remote client computer system and information regarding the authentication of the user. In response to receiving the message from the authentication plug-in application, the message may be transmitted to the remote client computer system.

Abstract: A method of applying a timeout protocol by an access manager to a plurality of resources may include storing the timeout protocol comprising at least one criterion, and receiving a request for a first resource. Each of the resources can be segregated into separate application domains, the first resource can be associated with a first attribute, and the first attribute can be assigned a first value. The method may also include determining that the first value satisfies the at least one criterion, associating the timeout protocol with the first resource, and associating the timeout protocol with each resource that is associated with the first attribute assigned a value that satisfies the at least one criterion. The method may further include granting access to the first resource according to the timeout protocol.

Abstract: An aspect of the present invention facilitates flexible credential collection in an authentication server employing diverse authentication schemes. In an embodiment, an access manager in the authentication server determines that an authentication scheme is to be used for allowing access to a resource requested by a user. A custom module (implementing the authentication scheme) in the authentication server then sends to the access manager commands indicating corresponding sets of credentials to be collected. The access manager, in response to receiving each command, collects the corresponding credentials from the user and checks whether the collected credentials authenticates the user. The custom module sends each command after the checking of the previously collected credentials. Accordingly, a developer of the custom module is enabled to request for and to perform the authentication of the user based on different sets of credentials.