Patents by Inventor Colin H. Brace

Colin H. Brace has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 9197630
    Abstract: A certificate management system provides automated management of certificate lifecycles and certificate distribution. Rather than depend upon an administrator to manually distribute and manage certificates, the system self-generates certificates, distributes the certificates to appropriate servers or other parties, and transitions from old certificates to new certificates in a well-defined manner that avoids breaking functionality. After generating one or more certificates, the system securely shares certificates in a way that parties that use them can find the new certificates without an administrator manually distributing the certificates. When it is time to update certificates, the system generates new certificates and shares the new certificates in a similar way. During a transition period, the system provides a protocol by which both old and new certificates can be used to perform authenticated access to resources, so that the transition from an old to a new certificate does not break services.
    Type: Grant
    Filed: March 8, 2010
    Date of Patent: November 24, 2015
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Tariq Sharif, Colin H. Brace, Nakul Garg
  • Patent number: 8407767
    Abstract: A system and method for provisioning digital identity representations (“DIRs”) uses various techniques and structures to ease administration, increase accuracy, and decrease inconsistencies of a digital-identity provisioning system. Various methods are provided for creating new DIRs, requesting DIRs, notifying principals of available DIRs, and approving issuance of new DIRs.
    Type: Grant
    Filed: September 17, 2007
    Date of Patent: March 26, 2013
    Assignee: Microsoft Corporation
    Inventors: Vijay K. Gajjala, Colin H. Brace, Derek T. Del Conte, Arun K. Nanda, Stuart L. S. Kwan, Rashmi Raj, Vijayavani Nori
  • Patent number: 8087072
    Abstract: A system and method for provisioning digital identity representations (“DIRs”) uses various techniques and structures to ease administration, increase accuracy, and decrease inconsistencies of a digital-identity provisioning system. A system is provided using a common identity data store for both DIR issuance and identity token issuance, decreasing synchronization issues. Various methods are provided for creating new DIRs, notifying principals of available DIRs, and approving issuance of new DIRs.
    Type: Grant
    Filed: September 17, 2007
    Date of Patent: December 27, 2011
    Assignee: Microsoft Corporation
    Inventors: Vijay K. Gajjala, Colin H. Brace, Derek T. Del Conte, Kim Cameron, Arun K. Nanda, Hervey O. Wilson, Stuart L. S. Kwan, Rashmi Raj, Vijayavani Nori
  • Publication number: 20110219227
    Abstract: A certificate management system provides automated management of certificate lifecycles and certificate distribution. Rather than depend upon an administrator to manually distribute and manage certificates, the system self-generates certificates, distributes the certificates to appropriate servers or other parties, and transitions from old certificates to new certificates in a well-defined manner that avoids breaking functionality. After generating one or more certificates, the system securely shares certificates in a way that parties that use them can find the new certificates without an administrator manually distributing the certificates. When it is time to update certificates, the system generates new certificates and shares the new certificates in a similar way. During a transition period, the system provides a protocol by which both old and new certificates can be used to perform authenticated access to resources, so that the transition from an old to a new certificate does not break services.
    Type: Application
    Filed: March 8, 2010
    Publication date: September 8, 2011
    Applicant: Microsoft Corporation
    Inventors: Tariq Sharif, Colin H. Brace, Nakul Garg
  • Publication number: 20110126027
    Abstract: Accessing a data set with secret and non-secret data. A method includes accessing a data set image. The data set image comprises secret data. The data set image is derived from an authorized data set associated with a master key that authorizes access to the secret data. The master key is not provided with the data set image. The method further comprises restoring the data set image to a computing system to create a degraded data set. Data in the degraded data set other than the secret data is accessed without restoring the master key.
    Type: Application
    Filed: January 27, 2011
    Publication date: May 26, 2011
    Applicant: MICROSOFT CORPORATION
    Inventors: Colin H. Brace, Nathan D. Muggli, William B. Lees, William J. Whalen
  • Patent number: 7921304
    Abstract: Accessing a data set with secret and non-secret data. A method includes accessing a data set image. The data set image comprises secret data. The data set image is derived from an authorized data set associated with a master key that authorizes access to the secret data. The master key is not provided with the data set image. The method further comprises restoring the data set image to a computing system to create a degraded data set. Data in the degraded data set other than the secret data is accessed without restoring the master key.
    Type: Grant
    Filed: December 6, 2005
    Date of Patent: April 5, 2011
    Assignee: Microsoft Corporation
    Inventors: Colin H. Brace, Nathan D. Muggli, William B. Lees, William J. Whalen
  • Publication number: 20090307744
    Abstract: A federated identity verification system includes an identity provider that provides security tokens ultimately to one or more relying parties for access by the client to services at a relying party. Specifically, the relying party can validate the security token from an identity provider (whether directly or via a client) when verifying that the received security token conforms to security configuration data previously exchanged with the identity provider. To establish the trust relationship, the identity provider and one or more relying parties exchange security configuration information through an agreed-to communication channel. The security configuration information indicates the settings that the other party needs to use for establishing, maintaining, and/or monitoring the trust relationship. The communication channel allows both parties to flexibly and continually synchronize changes to security configurations, and thus maintain, change, or end the trust relationship automatically, as desired.
    Type: Application
    Filed: June 9, 2008
    Publication date: December 10, 2009
    Applicant: MICROSOFT CORPORATION
    Inventors: Arun K. Nanda, Matthew F. Steele, Danver W. Hartop, Sriram Vasudevan, Edward P. Johns, Colin H. Brace, Vijay K. Gajjala
  • Publication number: 20080178272
    Abstract: A system and method for provisioning digital identity representations (“DIRs”) uses various techniques and structures to ease administration, increase accuracy, and decrease inconsistencies of a digital-identity provisioning system. Various methods are provided for creating new DIRs, requesting DIRs, notifying principals of available DIRs, and approving issuance of new DIRs.
    Type: Application
    Filed: September 17, 2007
    Publication date: July 24, 2008
    Applicant: Microsoft Corporation
    Inventors: Vijay K. Gajjala, Colin H. Brace, Derek T. Del Conte, Arun K. Nanda, Stuart L.S. Kwan, Rashmi Raj, Vijayavani Nori
  • Publication number: 20080178271
    Abstract: A system and method for provisioning digital identity representations (“DIRs”) uses various techniques and structures to ease administration, increase accuracy, and decrease inconsistencies of a digital-identity provisioning system. A system is provided using a common identity data store for both DIR issuance and identity token issuance, decreasing synchronization issues. Various methods are provided for creating new DIRs, notifying principals of available DIRs, and approving issuance of new DIRs.
    Type: Application
    Filed: September 17, 2007
    Publication date: July 24, 2008
    Applicant: Microsoft Corporation
    Inventors: Vijay K. Gajjala, Colin H. Brace, Derek T. Del Conte, Kim Cameron, Arun K. Nanda, Hervey O. Wilson, Stuart L.S. Kwan, Rashmi Raj, Vijayavani Nori
  • Patent number: 7085833
    Abstract: A network system server, at a first network site, maintains network access information that identifies users authorized to access a network and a network controller, at a second network site, caches the network access information for individual users that request access to the network from the second network site. The network controller tracks the individual users that request access to the network from the second network site and updates the cached network access information for the individual users that request access to the network from the second network site within a defined time interval.
    Type: Grant
    Filed: January 17, 2001
    Date of Patent: August 1, 2006
    Assignee: Microsoft Corporation
    Inventors: Murli D. Satagopan, Colin H. Brace, Mark R. Brown
  • Patent number: 6457053
    Abstract: A system for multi-master unique identifier allocation comprises a server for allocating pools of identifiers to requesting servers and at least one server for requesting pools of identifiers and allocating individual identifiers as necessary. A single master server allocates “pools” of unique identifiers to network servers upon request. The network servers in turn allocate unique identifiers from their pool as necessary when the server generates new system objects. When a network server's pool of unique identifiers is nearly depleted, the network server requests an additional pool of identifiers from the master server.
    Type: Grant
    Filed: September 21, 1998
    Date of Patent: September 24, 2002
    Assignee: Microsoft Corporation
    Inventors: Murli D. Satagopan, Dave D. Straube, Colin H. Brace, Chris L. Mayhall, Donald J. Hacherl
  • Patent number: 6457011
    Abstract: A Knowledge Consistency Checker (KCC) that periodically executes on each server of the computer network is provided. The KCC interacts with a data structure contained within a copy of a database located on each server, and with a replication program that executes on each server when called by the KCC. The data structure contains a list of server objects representing the servers in the network. Associated with each server object is a list of replication objects that describe how the server is to obtain a copy of a change to the database. Each replication object represents a server other than the server with which it is associated. The KCC uses the replication objects to inform the replication program from which servers to periodically request an update to the database and to the data structure. Thus, while each KCC is only responsible for creating the objects required for its own server, the replication topology of the entire network is provided to every server in the network by the periodic requests.
    Type: Grant
    Filed: July 23, 1999
    Date of Patent: September 24, 2002
    Assignee: Microsoft Corporation
    Inventors: Colin H. Brace, Donald J. Hacherl, Jeffrey B. Parham
  • Publication number: 20020095497
    Abstract: A network system server, at a first network site, maintains network access information that identifies users authorized to access a network and a network controller, at a second network site, caches the network access information for individual users that request access to the network from the second network site. The network controller tracks the individual users that request access to the network from the second network site and updates the cached network access information for the individual users that request access to the network from the second network site within a defined time interval.
    Type: Application
    Filed: January 17, 2001
    Publication date: July 18, 2002
    Inventors: Murli D. Satagopan, Colin H. Brace, Mark R. Brown