Abstract: User privacy information related to an application or service handling of user privacy is received by a computer device. A formatted declaration based on the user privacy information is populated by the computer device. Privacy disclosure to the user based on the populated formatted declaration is provided by the computer device.

Abstract: A least-privilege permission or permissions is automatically assigned to a client application in order to ensure that the client application is able to perform the bare minimum actions on a resource. The client application accesses the protected resource using a web API. The determination of the least-privilege permission(s) is based on actions previously performed on the resource by the client application. The identity provider monitors the actions performed on a resource by the client application and determines the bare minimum permission needed for the client application.

Abstract: Generally discussed herein are devices, systems, and methods for guiding a user through a cloud application creation or deployment process using a development platform, the method performed by a checklist engine, the method comprising receiving, from the development platform, application data indicating a state of the cloud application, determining, based on the application data, that an item of a checklist has been completed, the checklist indicating tasks to be performed for configuring and securing the cloud application for deployment, storing data indicating the completed item is completed in a checklist data database, and causing a view of the checklist to be provided on a display.

Abstract: Generally discussed herein are devices, systems, and methods for guiding a user through a cloud application creation or deployment process using a development platform, the method performed by a checklist engine, the method comprising receiving, from the development platform, application data indicating a state of the cloud application, determining, based on the application data, that an item of a checklist has been completed, the checklist indicating tasks to be performed for configuring and securing the cloud application for deployment, storing data indicating the completed item is completed in a checklist data database, and causing a view of the checklist to be provided on a display.

Abstract: A least-privilege permission or permissions is automatically assigned to a client application in order to ensure that the client application is able to perform the bare minimum actions on a resource. The client application accesses the protected resource using a web API. The determination of the least-privilege permission(s) is based on actions previously performed on the resource by the client application. The identity provider monitors the actions performed on a resource by the client application and determines the bare minimum permission needed for the client application.

Abstract: Performing late binding of a social network identification (ID) to a guest ID for use in an identity platform. A guest ID is created for a second user that gives access to a shared application of an identity platform that is associated with a first user. Subsequent to creating the guest ID, permission is requested from the second user to bind social network IDs of social networks of which the second user is a member to the guest ID. In response to receiving permission, binding the social network IDs to the guest ID is performed. The binding gives the identity platform access to profile attributes of the second user from the social networks, and allows it to write information such as a merit badge back on the second user's social network profile. A federation binding may also be created that allows the second user to sign into the shared application using their social network ID.

Abstract: Performing late binding of a social network identification (ID) to a guest ID for use in an identity platform. A guest ID is created for a second user that gives access to a shared application of an identity platform that is associated with a first user. Subsequent to creating the guest ID, permission is requested from the second user to bind social network IDs of social networks of which the second user is a member to the guest ID. In response to receiving permission, binding the social network IDs to the guest ID is performed. The binding gives the identity platform access to profile attributes of the second user from the social networks, and allows it to write information such as a merit badge back on the second user's social network profile. A federation binding may also be created that allows the second user to sign into the shared application using their social network ID.

Abstract: The automatic selection of an identity provider to be used to authenticate users when requesting to access network resources for a tenant. The authentication is initiated by checking the username against the directory of the tenant. If that check results in finding an entry for the username in that directory, the entry is checked for an identity provider. If that check results in finding an identity provider, the user is directed to that found identity provider for authentication. Thus, in many, most, or all cases, an identity provider is found and selected for authentication of the user without the user having to manually select the identity provider. The username may be an internal user of an entity. The selection of the identity provider works in either case since there would still be an entry for that user in the directory of the tenant.

Abstract: User privacy information related to an application or service handling of user privacy is received by a computer device. A formatted declaration based on the user privacy information is populated by the computer device. Privacy disclosure to the user based on the populated formatted declaration is provided by the computer device.

Abstract: The automatic selection of an identity provider to be used to authenticate users when requesting to access network resources for a tenant. The authentication is initiated by checking the username against the directory of the tenant. If that check results in finding an entry for the username in that directory, the entry is checked for an identity provider. If that check results in finding an identity provider, the user is directed to that found identity provider for authentication. Thus, in many, most, or all cases, an identity provider is found and selected for authentication of the user without the user having to manually select the identity provider. The username may be an internal user of an entity. The selection of the identity provider works in either case since there would still be an entry for that user in the directory of the tenant.

Abstract: Authenticating issues involving the re-authenticating of a first device that was previously authenticated are resolved by use of a second device which receives a notification of the failed authentication. The second device sends a response to the notification which is operable to facilitate re-authentication of the primary device and without requiring the user to provide credentials at the first device prior to obtaining the re-authentication at the primary device and/or without requiring the primary device to obtain a code to be entered into the secondary device and/or prior to the primary device being notified of a failure condition associated with the primary device.

Abstract: User-authentication-based approval of a first device via communication with a second device over a channel (e.g., an insecure channel) is described. The first device receives a session ID and first user-observable information, or an identifier thereof, from an identity provider, presents the first user-observable information to a user, and sends the session ID to the second device. The second device sends the session ID to the identity provider to obtain therefrom second user-observable information, or an identifier thereof, and a security challenge. The second user-observable information bears a user-discernable relationship to the first user-observable information and is presented to the user by the second device. The second device is capable of generating a response to the security challenge for transmission to the identity provider based at least on input received from the user, the response to the security challenge being indicative of the suitability of the first device for approval.

Abstract: Authenticating issues involving the re-authenticating of a first device that was previously authenticated are resolved by use of a second device which receives a notification of the failed authentication. The second device sends a response to the notification which is operable to facilitate re-authentication of the primary device and without requiring the user to provide credentials at the first device prior to obtaining the re-authentication at the primary device and/or without requiring the primary device to obtain a code to be entered into the secondary device and/or prior to the primary device being notified of a failure condition associated with the primary device.

Abstract: User-authentication-based approval of a first device via communication with a second device over a channel (e.g., an insecure channel) is described. The first device receives a session ID and first user-observable information, or an identifier thereof, from an identity provider, presents the first user-observable information to a user, and sends the session ID to the second device. The second device sends the session ID to the identity provider to obtain therefrom second user-observable information, or an identifier thereof, and a security challenge. The second user-observable information bears a user-discernable relationship to the first user-observable information and is presented to the user by the second device. The second device is capable of generating a response to the security challenge for transmission to the identity provider based at least on input received from the user, the response to the security challenge being indicative of the suitability of the first device for approval.

Abstract: Methods, systems, apparatuses, and computer program products are provided for authentication of users in a service-to-service context. At a first service, a user authentication token is received from a client device that was obtained from an identity provider. The user authentication token was received to enable access to the first service by a user. The user is authenticated based on the user authentication token. A second service is determined to be needed to be accessed by the first service on behalf of the user. The user authentication token is converted into a proxy token that is not convertible back to the user authentication token. The proxy token is forwarded from the first service to the second service to enable access to the second service. A response is received by the first service from the second service due to the user having been authenticated based on the proxy token.