Abstract: A method for facilitating transactions by tenants in a multi-tenant architecture system is discussed. The method includes generating, with a multi-tenant computer system, a first representation of an entity in a first hierarchical data structure associated with an entity interface tenant of the multi-tenant computer system. The method includes receiving, with the multi-tenant computer system, a set of entity-specific policies useable to generate requests to individual ones of a plurality of transaction processing computer systems. The method includes generating, with the multi-tenant computer system, a second representation of the entity in a second hierarchical data structure associated with a particular transaction processing service tenant of a plurality of transaction processing service tenants of the multi-tenant computer system.

Abstract: A white label merchant stored value account peer linking/funding system includes a payment service provider database storing associations between different merchants and respective groups of white label merchant stored value accounts. A payment service provider links, in the database, a first user identifier received from a first user device with a first white label merchant stored value account that is included in a first group of white label merchant stored value accounts that are associated with a first merchant in the database. The payment service provider device then receives second user identifiers from the first user device, and links each of the second user identifiers with the first white label merchant stored value account in the database. The payment service provider device then receives respective second user account information from the second user devices and funds the first white label merchant stored value account with respective first funding amounts.

Abstract: A white label merchant stored value account peer linking/funding system includes a payment service provider database storing associations between different merchants and respective groups of white label merchant stored value accounts. A payment service provider links, in the database, a first user identifier received from a first user device with a first white label merchant stored value account that is included in a first group of white label merchant stored value accounts that are associated with a first merchant in the database. The payment service provider device then receives second user identifiers from the first user device, and links each of the second user identifiers with the first white label merchant stored value account in the database. The payment service provider device then receives respective second user account information from the second user devices and funds the first white label merchant stored value account with respective first funding amounts.

Abstract: A method for managing entities in a multi-tenant marketplace architecture system is discussed. The method includes determining that a merchant is represented as a first representation in a first hierarchical data structure and as a second representation in a second hierarchical data structure, where both the first and second hierarchical data structures are managed by a first service provider. The merchant is being managed via a full representation in an original hierarchical data structure by a marketplace service provider. The first and second representations provide outbound services via the first hierarchical data structure and via the second hierarchical data structure, respectively. The method also includes linking the first representation with the second representation to configure the first and second representations for propagating results of an inbound service applied to one of the first and second representations to a remaining one of the first and second representations.

Abstract: A method for processing disputes in a multi-tenant architecture system includes receiving, at a first service provider, a dispute request from a second service provider that manages entity identities of a plurality of customers. The dispute request indicates a disputed transaction between a customer of the plurality of customers and another entity. The method includes accessing an identity manager to determine a customer representation, the identity manager previously onboarded the plurality of customers as a plurality of customer representations. The identity manager is hosted by the first service provider that manages customer representations corresponding to entity identities of the customers. The dispute request is propagated with the customer representation to a dispute management engine that determines an outcome for the dispute, the determination based on characteristics of the disputed transaction and on characteristics of the customer.

Abstract: A method for facilitating transactions between tenants in a multi-tenant architecture system is discussed. The method includes receiving a request, at a multi-tenant platform, from a first service of a first tenant of the multi-tenant platform to access a second service of a second tenant of the multi-tenant platform to perform a transaction, in which the request includes a first access token usable to authenticate the transaction with the first tenant. The method includes generating, by the multi-tenant platform using the first access token, a universal access token. The method includes generating, by the multi-tenant platform using the universal access token, a second access token useable to authenticate the transaction with the second tenant. The method includes using, by the multi-tenant platform, the second access token to communicate with the second service to perform the transaction.

Abstract: A method for using unified identities in a multi-tenant architecture system is discussed. The method includes receiving a request, at a first service provider, to provide a service for a user. The method includes accessing a representation of a second service provider in a first hierarchical data structure managed by the first service provider. The method includes determining that user data required for the service is managed by the second service provider that manages user identity of the user. The method includes determining that the representation is linked with a full identity reference for the second service provider in a second hierarchical data structure managed by the second service provider. The method includes accessing the user data at the second hierarchical data structure using the full identity reference. The method includes accessing the service via the lightweight identity reference and using the user data at the first service provider.

Abstract: A method for applying agency and regulation modeling in a multi-tenant architecture system includes accessing merchant's representation in an identity manager. The merchant is managed via a full representation by an original identity manager. The method includes performing a first service for the merchant via the representation, and determining, based on results of the first service and on policies of the first service provider, that performance of a second service is required for completion of the first service. The second service is provided by a second service provider onboarded into the first service provider, where the second service amends policy requirements of the first service provider. The method includes accessing a first subservice of the second service using the representation to generate second results for use at a second subservice of the second service, the second subservice configured to use transaction resources of the first representation.

Abstract: A method for using unified transaction services in a multi-tenant architecture system is discussed. The method includes receiving a request, at a first service provider, to provide a first transaction service for a user. The method includes accessing a first representation of the first service provider in a first hierarchical data structure, the first hierarchical data structure being managed by a second service provider, the second service provider managing user identity of the user. The method includes determining, based on the first representation, that transaction resources required for completion of the first transaction service are provided at the second service provider using a resource representation. The method also includes, responsive to determining that the transaction resources are accessible at the first service provider, accessing, at the first service provider, the transaction resources via the resource representation.

Abstract: A white label merchant stored value account peer linking/funding system includes a payment service provider database storing associations between different merchants and respective groups of white label merchant stored value accounts. A payment service provider links, in the database, a first user identifier received from a first user device with a first white label merchant stored value account that is included in a first group of white label merchant stored value accounts that are associated with a first merchant in the database. The payment service provider device then receives second user identifiers from the first user device, and links each of the second user identifiers with the first white label merchant stored value account in the database. The payment service provider device then receives respective second user account information from the second user devices and funds the first white label merchant stored value account with respective first funding amounts.

Abstract: Systems and methods for managing user data across multiple applications and devices are disclosed. An example method includes: detecting a user is conducting a transaction using a first application installed on a user device; determining that the user is requesting one or more payment options from a first merchant associated with the first application; determining that a global payment method is selected by the user; determining that the user device is a trusted device associated with the user; and in response to determining that the user device is a trusted device, providing the global payment method to the user in the first application on that same device or a different device.

Abstract: Systems and methods for providing a secure key based trust chain among several user devices are disclosed. An example method includes, obtaining a first request to authenticate a user on a first user device based on a user identifier; in response to the obtaining, transmitting to, a second user device, a second request to authenticate the user on the first user device. The second user device is a trusted user device on which the user has been authenticated. The method further includes, obtaining an indication that the user has approved the second request on the second user device without providing a password corresponding to the user identifier; and in response to obtaining the indication, authenticating the user on the first user device without requiring, from the user, the password corresponding to the user identifier.

Abstract: A processor-executed access manager with an identity management framework receives a first query from a user of a client device connected to a network for a system. The query seeks information as to identity types supported by the system. The access manager responds to the first query with a list of supported identity types. The supported identity types include at least a hardware device, a role, and a user. The list is retrieved from a global configuration data structure in a global data store. The access manager receives a second query from the user for identities of the hardware devices associated with one of the supported identity types. And the access manager responds to the second query with the identity of a specific hardware device, if the user is permitted to access the specific hardware device according to permissions obtained through the global configuration data structure.

Abstract: A system and/or method may be provided to silently authenticate a user. An example method of silently authenticating a user includes receiving a request to complete a transaction associated with a merchant application. The request includes a data file including an identifier from the user device. The request is from a user device. The method also includes determining whether the data file includes a refresh token and determining whether the refresh token is valid if the data file includes the refresh token. The method further includes receiving an access token from the user device if the refresh token is valid. The access token includes an authorization scope. The method also includes determining whether the transaction is within the authorization scope. The method further includes authenticating a user if the transaction is within the authorization scope.

Abstract: A system for authenticating a request to access a protected network resource behind two security layers is disclosed. The system includes a client which contains a web browser, a first server tier, and second server tier. The first server tier is protected behind a first security layer and hosts a first software object and second software object. The first server tier is operatively coupled to the client system via a first connection wherein the first software object and second software object are configured to be in communications with the web browser. The second server tier is protected behind the first security layer and second security layer and hosts an authentication service. The second server tier is operatively coupled to the first server tier via a second connection wherein the authentication service is configured to be in communications with the second software object.

Abstract: A distributed network identity is provided. An identity provider stores a portion of a user's personal information. A service provider accesses user information from one or more identity providers. System entities such as identity providers and service providers can be linked to enable information sharing and aggregation. User policies and privacy preferences are provided to control how information is shared. A single sign-on architecture is provided where an identity provider is used to facilitate cross-domain authentication and to enhance user convenience. Service delegation features are also provided.

Abstract: A distributed network identity is provided. An identity provider stores a portion of a user's personal information. A service provider accesses user information from one or more identity providers. System entities such as identity providers and service providers can be linked to enable information sharing and aggregation. User policies and privacy preferences are provided to control how information is shared. A single sign-on architecture is provided where an identity provider is used to facilitate cross-domain authentication and to enhance user convenience. Service delegation features are also provided.

Abstract: A method for managing access to multiple applications using a central server. The method includes receiving a user name and password from an application for a user, generating identity assertion information using the user name and password, generating an artifact associated with the identity assertion information, sending the artifact to the application, receiving the artifact and a request for the identity assertion information from a second application, verifying the validity of the artifact, and sending the identity assertion information to the second application. The second application uses the identity assertion information to authorize the user to access the second application.

Abstract: Embodiments of the present invention provide a circle of trust on a network. The circle of trust is configured by exchanging credential of a first and a second affiliated entity. The credentials of the first affiliated entity is stored in a trusted partner list of the second affiliated entity. The credentials of the second affiliated entity is stored in a trusted partner list of the first affiliated entity. Thereafter, a circle of trust session may be provided when a client device initiates use of a resource on a relying party device by providing an authentication assertion reference. The identity of the issuing party of the authentication is determined as a function of the authentication assertion reference. The relying party sends an authentication query containing its credential to the issuing party. The issuing party determines if the relying party is a trusted entity based upon whether the relying party's credential is contained in the trusted partner list of the issuing party.

Abstract: A method and system for resource based authentication may include, in response to a client attempting to access a protected resource of a system, implementing resource based authentication. A policy agent may intercept the client access request and redirect it to an appropriate authentication gateway module based upon authentication polices. If the protected resource is not associated with any resource specific authentication technique, the policy agent may apply a default authentication technique. If, however, the protected resource is associated with a particular resource specific authentication technique, the policy agent may apply the resource specific authentication technique without applying the default authentication technique.