Patents by Inventor Aravindan Ranganathan

Aravindan Ranganathan has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 7610390
    Abstract: A distributed network identity is provided. An identity provider stores a portion of a user's personal information. A service provider accesses user information from one or more identity providers. System entities such as identity providers and service providers can be linked to enable information sharing and aggregation. User policies and privacy preferences are provided to control how information is shared. A single sign-on architecture is provided where an identity provider is used to facilitate cross-domain authentication and to enhance user convenience. Service delegation features are also provided.
    Type: Grant
    Filed: December 3, 2002
    Date of Patent: October 27, 2009
    Assignee: Sun Microsystems, Inc.
    Inventors: Peter Yared, Gary Ellison, Mark Hapner, Larry Abrahams, Sheldon J. Finkelstein, Hal Stern, John D. Beatty, Aravindan Ranganathan, Sai Allavarpu
  • Patent number: 7594256
    Abstract: Methods and systems thereof for controlling access to resources are described. When a user attempts to access a resource via a remote interface such as a Web server, the request is initially evaluated by a source of policy definitions such as a policy server. This source returns a policy decision to the remote interface. The policy decision is stored in memory by the remote interface. The remote interface can then evaluate subsequent requests from the user for the resource using the stored policy decision instead of having to communicate again with the source for the policy decision. Enhancements to this approach are also described. Accordingly, policy definitions and decisions are more efficiently implemented.
    Type: Grant
    Filed: June 26, 2003
    Date of Patent: September 22, 2009
    Assignee: Sun Microsystems, Inc.
    Inventors: Shivaram Bhat, Hua Cui, Ping Luo, Dilli Dorai Minnal Arumugam, Aravindan Ranganathan
  • Publication number: 20080016232
    Abstract: A distributed network identity is provided. An identity provider stores a portion of a user's personal information. A service provider accesses user information from one or more identity providers. System entities such as identity providers and service providers can be linked to enable information sharing and aggregation. User policies and privacy preferences are provided to control how information is shared. A single sign-on architecture is provided where an identity provider is used to facilitate cross-domain authentication and to enhance user convenience. Service delegation features are also provided.
    Type: Application
    Filed: September 28, 2007
    Publication date: January 17, 2008
    Inventors: Peter Yared, Gary Ellison, Mark Hapner, Larry Abrahams, Sheldon Finkelstein, Hal Stern, John Beatty, Aravindan Ranganathan, Sai Allavarpu
  • Publication number: 20080014931
    Abstract: A distributed network identity is provided. An identity provider stores a portion of a user's personal information. A service provider accesses user information from one or more identity providers. System entities such as identity providers and service providers can be linked to enable information sharing and aggregation. User policies and privacy preferences are provided to control how information is shared. A single sign-on architecture is provided where an identity provider is used to facilitate cross-domain authentication and to enhance user convenience. Service delegation features are also provided.
    Type: Application
    Filed: September 28, 2007
    Publication date: January 17, 2008
    Inventors: Peter Yared, Gary Ellison, Mark Hapner, Larry Abrahams, Sheldon Finkelstein, Hal Stern, John Beatty, Aravindan Ranganathan, Sai Allavarpu
  • Patent number: 7296235
    Abstract: An architecture for allowing extensibility to policies. The architecture has a policy component program that is able to evaluate and enforce policies. The architecture also has plugin modules for allowing a user to customize the policies. The policy component program is able to present interfaces to the user for customizing the policies. The policy component program is further able to integrate customized policies into a framework of the policy component program in response to user input that is based on the interfaces presented to the user. The presented interfaces may be for defining subjects in the policy program, defining conditions in the policy program, defining referrals in the policy program, defining resource names in the policy program, and defining how conflicts will be resolved in the policy program. The interfaces may be compliant with the JAVA programming language.
    Type: Grant
    Filed: October 10, 2002
    Date of Patent: November 13, 2007
    Assignee: Sun Microsystems, Inc.
    Inventors: Shivaram Bhat, Hua Cui, Ping Luo, Dilli Dorai Minnal Arumugam, Aravindan Ranganathan
  • Patent number: 7237256
    Abstract: Embodiments of the present invention provide an open and interoperable single sign-on session in a heterogeneous communication network. The open and interoperable single sign-on system is configured by exchanging an entity identifier, an account mapping, an attribute mapping, a site attribute list, an action mapping and/or the like. The entity identifier, account mapping, attribute mapping, site attribute list, action mapping and the like for each partner entity is stored in a partner list accessible to the particular entity. Thereafter, the open and interoperable single sign-on session may be provided upon receipt of a SAML request or assertion containing an entity identifier. The entity identifier contained in the SAML request or assertion is looked up in the partner list of the particular entity which received the SAML request or assertion. A record containing a matching entity identifier provides the applicable account mapping, attribute mapping, site attribute list, and/or action mapping.
    Type: Grant
    Filed: July 14, 2003
    Date of Patent: June 26, 2007
    Assignee: Sun Microsystems, Inc.
    Inventors: Qingwen Cheng, Bhavna Bhatnagar, Hong Xu, Wei Sun, Ping Luo, Shivaram Bhat, Aravindan Ranganathan
  • Patent number: 7032014
    Abstract: A method for system management of configuration data used by a server or groups of servers. In one embodiment, the present invention is comprised of providing information relative to components of the system being managed. A common language is utilized to express the information. An interface is provided to enable inputting of said information. The interface also enables management of the inputted information. In one embodiment, the information is validated during inputting. The validation of inputted information ensures that the information inputted is compliant with a schema of the information. In one embodiment, the information is comprised of defined tasks that are performed by the components of the system. The information is further comprised of specified configurations relative to the defined tasks. The information further comprises a declared schema for representing the information.
    Type: Grant
    Filed: January 18, 2002
    Date of Patent: April 18, 2006
    Assignee: Sun Microsystems, Inc.
    Inventors: Pirasenna Velandi Thiyagarajan, Aravindan Ranganathan, Mrudil P. Uchil, Deepa Mahendraker
  • Publication number: 20050240763
    Abstract: In an enterprise server system having a server, a web-based applications single sign-on method and system. The single sign-on system includes logic for assigning and retrieving uniquely identifying tokens that are assigned to a user attempting to access one of many applications in the server. The token is assigned after the user has successfully logged into the server. The assigned token enables the user to access different applications in the server without having to authenticate every time the user goes from one application to the other. In one embodiment of the present invention, the single sign-on system includes a token that provides a listening mechanism for the applications that need to be notified when a token expires in order to deny access to the particular user identified with the expired token.
    Type: Application
    Filed: April 22, 2002
    Publication date: October 27, 2005
    Inventors: Shivaram Bhat, Aravindan Ranganathan, Sai Allavarpu
  • Publication number: 20050021964
    Abstract: Embodiments of the present invention provide a circle of trust on a network. The circle of trust is configured by exchanging credentials of a first and a second affiliated entity. The credentials of the first affiliated entity are stored in a trusted partner list of the second affiliated entity. The credentials of the second affiliated entity are stored in a trusted partner list of the first affiliated entity. Thereafter, a circle of trust session may be provided when a client device initiates use of a resource on a relying party device by providing an authentication assertion reference. The identity of the issuing party of the authentication is determined as a function of the authentication assertion reference. The relying party sends an authentication query containing its credential to the issuing party. The issuing party determines if the relying party is a trusted entity based upon whether the relying party's credential is contained in the trusted partner list of the issuing party.
    Type: Application
    Filed: July 25, 2003
    Publication date: January 27, 2005
    Inventors: Bhavna Bhatnagar, Ping Luo, Qingwen Cheng, Shivaram Bhat, Hong Xu, Wei Sun, Aravindan Ranganathan
  • Publication number: 20050021978
    Abstract: Methods and systems thereof for controlling access to resources are described. When a user attempts to access a resource via a remote interface such as a Web server, the request is initially evaluated by a source of policy definitions such as a policy server. This source returns a policy decision to the remote interface. The policy decision is stored in memory by the remote interface. The remote interface can then evaluate subsequent requests from the user for the resource using the stored policy decision instead of having to communicate again with the source for the policy decision. Enhancements to this approach are also described. Accordingly, policy definitions and decisions are more efficiently implemented.
    Type: Application
    Filed: June 26, 2003
    Publication date: January 27, 2005
    Applicant: SUN MICROSYSTEMS, INC.
    Inventors: Shivaram Bhat, Hua Cui, Ping Luo, Dilli Arumugam, Aravindan Ranganathan
  • Publication number: 20050015593
    Abstract: Embodiments of the present invention provide an open and interoperable single sign-on session in a heterogeneous communication network. The open and interoperable single sign-on system is configured by exchanging an entity identifier, an account mapping, an attribute mapping, a site attribute list, an action mapping and/or the like. The entity identifier, account mapping, attribute mapping, site attribute list, action mapping and the like for each partner entity is stored in a partner list accessible to the particular entity. Thereafter, the open and interoperable single sign-on session may be provided upon receipt of a SAML request or assertion containing an entity identifier. The entity identifier contained in the SAML request or assertion is looked up in the partner list of the particular entity which received the SAML request or assertion. A record containing a matching entity identifier provides the applicable account mapping, attribute mapping, site attribute list, and/or action mapping.
    Type: Application
    Filed: July 14, 2003
    Publication date: January 20, 2005
    Inventors: Qingwen Cheng, Bhavna Bhatnagar, Hong Xu, Wei Sun, Ping Luo, Shivaram Bhat, Aravindan Ranganathan
  • Publication number: 20040267749
    Abstract: Methods and systems thereof for managing resources are described. A list of resources is accessed. The names of the resources are compared so that relationships between the resources can be determined. For example, one resource can be identified as a sub-resource of another resource. The resources can then be represented in an organizational structure based on their relationships. The organizational structure can be readily traversed to locate a resource by name. Once the resource is located by name, a determination can be made as to whether the resource is subject to an access control policy.
    Type: Application
    Filed: June 26, 2003
    Publication date: December 30, 2004
    Inventors: Shivaram Bhat, Hua Cui, Ping Luo, Dilli Dorai Minnal Arumugam, Aravindan Ranganathan
  • Publication number: 20040070604
    Abstract: An architecture for allowing extensibility to policies. The architecture has a policy component program that is able to evaluate and enforce policies. The architecture also has plugin modules for allowing a user to customize the policies. The policy component program is able to present interfaces to the user for customizing the policies. The policy component program is further able to integrate customized policies into a framework of the policy component program in response to user input that is based on the interfaces presented to the user. The presented interfaces may be for defining subjects in the policy program, defining conditions in the policy program, defining referrals in the policy program, defining resource names in the policy program, and defining how conflicts will be resolved in the policy program. The interfaces may be compliant with the JAVA programming language.
    Type: Application
    Filed: October 10, 2002
    Publication date: April 15, 2004
    Inventors: Shivaram Bhat, Hua Cui, Ping Luo, Dilli Dorai Minnal Arumugam, Aravindan Ranganathan
  • Publication number: 20040073668
    Abstract: A method and system thereof for controlling access to resources. Access to a resource is controlled by a policy definition. A request for access to a resource is received at a first agent. The first agent is authorized to refer policy definitions to other agents. The policy definition for the resource is delegated to a second agent by the first agent using a referral policy. The referral policy includes identification of the resource and identification of the second agent. The second agent is the source of the policy definition that governs access to the resource. The request for access is forwarded to the second agent according to the referral policy. Based on the policy definition, a decision can be made regarding whether the request for access to the resource is granted. The decision can also indicate the actions that may be performed using the resource.
    Type: Application
    Filed: October 10, 2002
    Publication date: April 15, 2004
    Inventors: Shivaram Bhat, Hua Cui, Ping Luo, Dilli Dorai Minnal Arumugam, Aravindan Ranganathan
  • Patent number: 6711681
    Abstract: A system and associated method for authorizing, or withholding authorization of, user access to a selected computer application or other resource, based on the user's response to one or more user authentication tests. If the user satisfies one or more authentication tests but satisfies less than all the tests, the system optionally allows the user access to a selected subset of the resource. Alternatively, the user loses access to a selected subset of the application for each test not satisfied by the user. An authentication test or its associated weight may change at a selected time, and the selected time may be determined with reference to a time at which the resource changes.
    Type: Grant
    Filed: May 5, 1999
    Date of Patent: March 23, 2004
    Assignee: Sun Microsystems, Inc.
    Inventors: Yayha Al-Salqan, Sangeeta Varma, Aravindan Ranganathan
  • Patent number: 6687823
    Abstract: A system and associated method for authorizing, or withholding authorization of, user access to a selected computer application or other resource, based on the user's response to one or more user authentication tests. If the user is presented with two or more authentication tests, each with an associated test weight, the system optionally sums the weights of the tests satisfied by the user; and if this sum is greater than a selected test score threshold, the user is granted access to the resource. Alternatively, the user is granted access to selected subsets of the application, including an empty or non-empty default subset, depending upon the sum of the weights of the tests satisfied by the user. An authentication test or its associated weight may change at a selected time, and the selected time may be determined with reference to a time at which the resource changes. A smartcard may be used to respond to one or more authentication tests.
    Type: Grant
    Filed: May 5, 1999
    Date of Patent: February 3, 2004
    Assignee: Sun Microsystems, Inc.
    Inventors: Yayha Al-Salqan, Sangeeta Varma, Aravindan Ranganathan
  • Publication number: 20030200465
    Abstract: In an enterprise server system having a server, a web-based applications single sign-on method and system. The single sign-on system includes logic for assigning and retrieving uniquely identifying tokens that are assigned to a user attempting to access one of many applications in the server. The token is assigned after the user has successfully logged into the server. The assigned token enables the user to access different applications in the server without having to authenticate every time the user goes from one application to the other. In one embodiment of the present invention, the single sign-on system includes a token that provides a listening mechanism for the applications that need to be notified when a token expires in order to deny access to the particular user identified with the expired token.
    Type: Application
    Filed: April 22, 2002
    Publication date: October 23, 2003
    Inventors: Shivaram Bhat, Aravindan Ranganathan, Sai Allavarpu
  • Publication number: 20030200288
    Abstract: A method for system management of configuration data used by a server or groups of servers. In one embodiment, the present invention is comprised of providing information relative to components of the system being managed. A common language is utilized to express the information. An interface is provided to enable inputting of said information. The interface also enables management of the inputted information. In one embodiment, the information is validated during inputting. The validation of inputted information ensures that the information inputted is compliant with a schema of the information. In one embodiment, the information is comprised of defined tasks that are performed by the components of the system. The information is further comprised of specified configurations relative to the defined tasks. The information further comprises a declared schema for representing the information.
    Type: Application
    Filed: January 18, 2002
    Publication date: October 23, 2003
    Inventors: Pirasenna Velandi Thiyagarajan, Aravindan Ranganathan, Mrudul P. Uchil, Deepa Mahendraker
  • Publication number: 20030149781
    Abstract: A distributed network identity is provided. An identity provider stores a portion of a user's personal information. A service provider accesses user information from one or more identity providers. System entities such as identity providers and service providers can be linked to enable information sharing and aggregation. User policies and privacy preferences are provided to control how information is shared. A single sign-on architecture is provided where an identity provider is used to facilitate cross-domain authentication and to enhance user convenience. Service delegation features are also provided.
    Type: Application
    Filed: December 3, 2002
    Publication date: August 7, 2003
    Inventors: Peter Yared, Gary Ellison, Mark Hapner, Larry Abrahams, Sheldon J. Finkelstein, Hal Stern, John D. Beatty, Aravindan Ranganathan, Sai Allavarpu