Patents by Inventor David Scott Kern
David Scott Kern has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 9699168Abstract: A rich client performs single sign-on (SSO) to access a web- or cloud-based application. According to the described SSO approach, the rich client delegates to its native application server the task of obtaining a credential, such as a SAML assertion. The native server, acting on behalf of the user, obtains an assertion from a federated identity provider (IdP) that is then returned to the rich client. The rich client provides the assertion to a cloud-based proxy, which presents the assertion to an identity manager to attempt to prove that the user is entitled to access the web- or cloud-based application using the rich client. If the assertion can be verified, it is exchanged with a signed token, such as a token designed to protect against cross-site request forgery (CSRF). The rich client then accesses the web- or cloud-based application making a REST call that includes the signed token. The application, which recognizes the request as trustworthy, responds to the call with the requested data.Type: GrantFiled: December 13, 2010Date of Patent: July 4, 2017Assignee: International Business Machines CorporationInventors: Olgierd Stanislaw Pieczul, Mark Alexander McGloin, Mary Ellen Zurko, David Scott Kern, Brent Allan Hepburn
-
Patent number: 9690920Abstract: A secure database includes a catalog of information about one or more identity providers (IdPs) that are trusted by a service provider (SP) to authenticate users on the SP's behalf. The catalog securely stores one or more IdP configurations. An entry in the database stores information associated with the trusted IdP including artifacts to identify the IdP, artifacts used by the IdP for cryptographic operations, and a specification of one or more website(s) serviced by the trusted identity provider. Upon receipt by the SP of identity information representing a user that has authenticated to an IdP, information in the catalog of information is used to determine whether the IdP is trusted to authenticate the user on the service provider's behalf. The determination verifies that the SP uses the IdP and that a binding between an IdP identifier and at least one IdP cryptographic artifact is valid.Type: GrantFiled: August 30, 2012Date of Patent: June 27, 2017Assignee: International Business Machines CorporationInventors: Jane B. Marcus, Alan D. Eldridge, David Scott Kern, Jr., Michael J. Kerrigan, Patrick Charles Mancuso, Robert John Paganetti
-
Patent number: 9462068Abstract: In a cloud computing environment, a user authenticates to multiple cloud services concurrently. A master service has knowledge of or tracks the cloud service(s) to which a user is authenticated. Each cloud service may enforce its own inactivity period, and the inactivity period of at least first and second cloud services may be distinct from one another. When the master service receives an indication that the authenticated user is attempting to take an action at a first cloud service despite an activity timeout there, the master service issues a status request to at least the second cloud service to determine whether the user is still active at the second cloud service (despite its different inactivity period). If the user is still active at the second cloud service, the master service provides a response, selectively overriding (re-setting) the activity timeout at the first cloud service to permit the action.Type: GrantFiled: September 16, 2013Date of Patent: October 4, 2016Assignee: International Business Machines CorporationInventors: Olgierd Stanislaw Pieczul, Brent Allan Hepburn, David Scott Kern, Mark McGloin, Mark Lawrence Rovelli
-
Publication number: 20150081876Abstract: In a cloud computing environment, a user authenticates to multiple cloud services concurrently. A master service has knowledge of or tracks the cloud service(s) to which a user is authenticated. Each cloud service may enforce its own inactivity period, and the inactivity period of at least first and second cloud services may be distinct from one another. When the master service receives an indication that the authenticated user is attempting to take an action at a first cloud service despite an activity timeout there, the master service issues a status request to at least the second cloud service to determine whether the user is still active at the second cloud service (despite its different inactivity period). If the user is still active at the second cloud service, the master service provides a response, selectively overriding (re-setting) the activity timeout at the first cloud service to permit the action.Type: ApplicationFiled: September 16, 2013Publication date: March 19, 2015Applicant: International Business Machines CorporationInventors: Olgierd Stanislaw Pieczul, Brent Allan Hepburn, David Scott Kern, Mark McGloin, Mark Lawrence Rovelli
-
Patent number: 8984616Abstract: Efficient routing for a client-server session or connection is provided in an application layer of multi-layered systems interconnect stack by caching a plurality of application-specific information at an intermediary network point; using the application specific information to route messages for an application connection; and indexing the application-specific information with a key provided by the application. Optionally, a second key may be used to retrieve the application-specific information if the first key is not provided in an application connection request, where the second key is optionally opaque to the application program. The intermediary network point may be an edge of network Internet Protocol (IP) switch, and the application layer in which the routing is performed may be layer seven of the Open Systems Interconnection model.Type: GrantFiled: December 8, 2010Date of Patent: March 17, 2015Assignee: International Business Machines CorporationInventors: Daniel M Jamrog, David Scott Kern, Jason Dana LaVoie, Chester E Ryder, III
-
Publication number: 20140068743Abstract: A secure database includes a catalog of information about one or more identity providers (IdPs) that are trusted by a service provider (SP) to authenticate users on the SP's behalf. The catalog securely stores one or more IdP configurations. An entry in the database stores information associated with the trusted IdP including artifacts to identify the IdP, artifacts used by the IdP for cryptographic operations, and a specification of one or more website(s) serviced by the trusted identity provider. Upon receipt by the SP of identity information representing a user that has authenticated to an IdP, information in the catalog of information is used to determine whether the IdP is trusted to authenticate the user on the service provider's behalf. The determination verifies that the SP uses the IdP and that a binding between an IdP identifier and at least one IdP cryptographic artifact is valid.Type: ApplicationFiled: August 30, 2012Publication date: March 6, 2014Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATIONInventors: Jane B. Marcus, Alan D. Eldridge, David Scott Kern, Michael J. Kerrigan, Patrick Charles Mancuso, Robert John Paganetti
-
Publication number: 20120151568Abstract: A rich client performs single sign-on (SSO) to access a web- or cloud-based application. According to the described SSO approach, the rich client delegates to its native application server the task of obtaining a credential, such as a SAML assertion. The native server, acting on behalf of the user, obtains an assertion from a federated identity provider (IdP) that is then returned to the rich client. The rich client provides the assertion to a cloud-based proxy, which presents the assertion to an identity manager to attempt to prove that the user is entitled to access the web- or cloud-based application using the rich client. If the assertion can be verified, it is exchanged with a signed token, such as a token designed to protect against cross-site request forgery (CSRF). The rich client then accesses the web- or cloud-based application making a REST call that includes the signed token. The application, which recognizes the request as trustworthy, responds to the call with the requested data.Type: ApplicationFiled: December 13, 2010Publication date: June 14, 2012Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATIONInventors: Olgierd Stanislaw Pieczul, Mark Alexander McGloin, Mary Ellen Zurko, David Scott Kern, Brent Allan Hepburn
-
Patent number: 8166072Abstract: One or more data structures are received by a computing device, wherein the one or more data structures include at least one or more user credentials. The one or more user credentials are normalized by the computing device to generate a first graph. One or more nodes of the first graph and one or more nodes of at least a second graph are analyzed by the computing device, wherein analyzing includes at least identifying a logical correlation between the one or more nodes of the first graph and the one or more nodes of at least the second graph. A third graph is generated by the computing device based, at least in part, upon the analysis of the one or more nodes of the first graph and the one or more nodes of at least the second graph. An output data structure is generated by the computing device based, at least in part, upon the third graph.Type: GrantFiled: April 17, 2009Date of Patent: April 24, 2012Assignee: International Business Machines CorporationInventors: David Scott Kern, Richard Francis Annicchiarico, Nancy Ellen Kho, Robert John Paganetti
-
Publication number: 20100268747Abstract: One or more data structures are received by a computing device, wherein the one or more data structures include at least one or more user credentials. The one or more user credentials are normalized by the computing device to generate a first graph. One or more nodes of the first graph and one or more nodes of at least a second graph are analyzed by the computing device, wherein analyzing includes at least identifying a logical correlation between the one or more nodes of the first graph and the one or more nodes of at least the second graph. A third graph is generated by the computing device based, at least in part, upon the analysis of the one or more nodes of the first graph and the one or more nodes of at least the second graph. An output data structure is generated by the computing device based, at least in part, upon the third graph.Type: ApplicationFiled: April 17, 2009Publication date: October 21, 2010Inventors: David Scott Kern, Richard Francis Annicchiarico, Nancy Ellen Kho, Robert John Paganetti