Abstract: A rich client performs single sign-on (SSO) to access a web- or cloud-based application. According to the described SSO approach, the rich client delegates to its native application server the task of obtaining a credential, such as a SAML assertion. The native server, acting on behalf of the user, obtains an assertion from a federated identity provider (IdP) that is then returned to the rich client. The rich client provides the assertion to a cloud-based proxy, which presents the assertion to an identity manager to attempt to prove that the user is entitled to access the web- or cloud-based application using the rich client. If the assertion can be verified, it is exchanged with a signed token, such as a token designed to protect against cross-site request forgery (CSRF). The rich client then accesses the web- or cloud-based application making a REST call that includes the signed token. The application, which recognizes the request as trustworthy, responds to the call with the requested data.

Abstract: A secure database includes a catalog of information about one or more identity providers (IdPs) that are trusted by a service provider (SP) to authenticate users on the SP's behalf. The catalog securely stores one or more IdP configurations. An entry in the database stores information associated with the trusted IdP including artifacts to identify the IdP, artifacts used by the IdP for cryptographic operations, and a specification of one or more website(s) serviced by the trusted identity provider. Upon receipt by the SP of identity information representing a user that has authenticated to an IdP, information in the catalog of information is used to determine whether the IdP is trusted to authenticate the user on the service provider's behalf. The determination verifies that the SP uses the IdP and that a binding between an IdP identifier and at least one IdP cryptographic artifact is valid.

Abstract: In a cloud computing environment, a user authenticates to multiple cloud services concurrently. A master service has knowledge of or tracks the cloud service(s) to which a user is authenticated. Each cloud service may enforce its own inactivity period, and the inactivity period of at least first and second cloud services may be distinct from one another. When the master service receives an indication that the authenticated user is attempting to take an action at a first cloud service despite an activity timeout there, the master service issues a status request to at least the second cloud service to determine whether the user is still active at the second cloud service (despite its different inactivity period). If the user is still active at the second cloud service, the master service provides a response, selectively overriding (re-setting) the activity timeout at the first cloud service to permit the action.

Abstract: In a cloud computing environment, a user authenticates to multiple cloud services concurrently. A master service has knowledge of or tracks the cloud service(s) to which a user is authenticated. Each cloud service may enforce its own inactivity period, and the inactivity period of at least first and second cloud services may be distinct from one another. When the master service receives an indication that the authenticated user is attempting to take an action at a first cloud service despite an activity timeout there, the master service issues a status request to at least the second cloud service to determine whether the user is still active at the second cloud service (despite its different inactivity period). If the user is still active at the second cloud service, the master service provides a response, selectively overriding (re-setting) the activity timeout at the first cloud service to permit the action.

Abstract: Efficient routing for a client-server session or connection is provided in an application layer of multi-layered systems interconnect stack by caching a plurality of application-specific information at an intermediary network point; using the application specific information to route messages for an application connection; and indexing the application-specific information with a key provided by the application. Optionally, a second key may be used to retrieve the application-specific information if the first key is not provided in an application connection request, where the second key is optionally opaque to the application program. The intermediary network point may be an edge of network Internet Protocol (IP) switch, and the application layer in which the routing is performed may be layer seven of the Open Systems Interconnection model.

Abstract: A secure database includes a catalog of information about one or more identity providers (IdPs) that are trusted by a service provider (SP) to authenticate users on the SP's behalf. The catalog securely stores one or more IdP configurations. An entry in the database stores information associated with the trusted IdP including artifacts to identify the IdP, artifacts used by the IdP for cryptographic operations, and a specification of one or more website(s) serviced by the trusted identity provider. Upon receipt by the SP of identity information representing a user that has authenticated to an IdP, information in the catalog of information is used to determine whether the IdP is trusted to authenticate the user on the service provider's behalf. The determination verifies that the SP uses the IdP and that a binding between an IdP identifier and at least one IdP cryptographic artifact is valid.

Abstract: A rich client performs single sign-on (SSO) to access a web- or cloud-based application. According to the described SSO approach, the rich client delegates to its native application server the task of obtaining a credential, such as a SAML assertion. The native server, acting on behalf of the user, obtains an assertion from a federated identity provider (IdP) that is then returned to the rich client. The rich client provides the assertion to a cloud-based proxy, which presents the assertion to an identity manager to attempt to prove that the user is entitled to access the web- or cloud-based application using the rich client. If the assertion can be verified, it is exchanged with a signed token, such as a token designed to protect against cross-site request forgery (CSRF). The rich client then accesses the web- or cloud-based application making a REST call that includes the signed token. The application, which recognizes the request as trustworthy, responds to the call with the requested data.

Abstract: One or more data structures are received by a computing device, wherein the one or more data structures include at least one or more user credentials. The one or more user credentials are normalized by the computing device to generate a first graph. One or more nodes of the first graph and one or more nodes of at least a second graph are analyzed by the computing device, wherein analyzing includes at least identifying a logical correlation between the one or more nodes of the first graph and the one or more nodes of at least the second graph. A third graph is generated by the computing device based, at least in part, upon the analysis of the one or more nodes of the first graph and the one or more nodes of at least the second graph. An output data structure is generated by the computing device based, at least in part, upon the third graph.

Abstract: One or more data structures are received by a computing device, wherein the one or more data structures include at least one or more user credentials. The one or more user credentials are normalized by the computing device to generate a first graph. One or more nodes of the first graph and one or more nodes of at least a second graph are analyzed by the computing device, wherein analyzing includes at least identifying a logical correlation between the one or more nodes of the first graph and the one or more nodes of at least the second graph. A third graph is generated by the computing device based, at least in part, upon the analysis of the one or more nodes of the first graph and the one or more nodes of at least the second graph. An output data structure is generated by the computing device based, at least in part, upon the third graph.