Abstract: A method operative at an identity provider enforces a digital rights management (DRM) scheme associated with a piece of content. The identity provider is an entity that participates in a “federation” with one or more other entities including, for example, an service provider (e.g., a content provider), a DRM privileges provider, and a DRM policy provider. In one embodiment, the method begins by having the identity provider obtain and evaluate against a DRM policy a set of DRM privileges associated with the end user requesting access to the piece of content. Based on the evaluation, the identity provider generates a single sign on (SSO) message that includes a reference to the set of DRM privileges. The message is then forward to the service provider entity, which provides the end user a response.

Abstract: An application is instrumented with a document protection service provider interface (SPI). The interface is used to call an external function, e.g., an encryption utility, to facilitate secure document exchange between a sending entity and a receiving entity. When the application invokes the SPI, the user is provided with a display panel. The end user provides a password for encryption key generation, together with an indication of desired encryption strength. The service provider uses the password to generate an encryption key. In one embodiment, the service provider provides the key to the service provider interface, which then uses the key to encrypt the document and to complete the file transfer operation. In the alternative, the service provider itself performs encryption. The SPI generates and sends a message to the receiving entity that includes the key or a link to enable the receiving entity to retrieve the key.

Abstract: A method, system, and computer usable program product for verifying and enforcing certificate use are provided in the illustrative embodiments. A certificate is received from a sender. The certificate is validated before communicating a message associated with the certificate to a receiver. If the certificate is invalid, a policy is selected based on a type of invalidity of the certificate. An action is taken to enforce the policy for using the certificate. The certificate may be received from the sender at a proxy. The validating may further include verifying the validity of the certificate using a certificate from a certificate database accessible to the proxy over a network. the proxy may copy a part of the certificate database to a second certificate database local to the proxy. The validating may further include verifying the validity of the certificate using a certificate revocation list accessible to the proxy over a network.

Abstract: A multi-component auditing environment uses a set of log-enabled components that are capable of being triggered during an information flow in a data processing system. A “master” compliance component receives data from each log-enabled component in the set of log-enabled components, the data indicating a set of logging properties that are associated with or provided by that log-enabled component. The master compliance component determines, for a given compliance policy, which of a set of one or more events are required from one or more of the individual log-enabled components in the set of log-enabled components. As a result of the determining step, the master compliance component then configures one of more of the individual log-enabled components, e.g. by generating one or more configuration events that are then sent to the one or more individual components. This configuration may take place remotely, i.e., over a network connection.

Abstract: An application is instrumented with a document protection service provider interface (SPI). The interface is used to call an external function, e.g., an encryption utility, to facilitate secure document exchange between a sending entity and a receiving entity. When the application invokes the SPI, the user is provided with a display panel. The end user provides a password for encryption key generation, together with an indication of desired encryption strength. The service provider uses the password to generate an encryption key. In one embodiment, the service provider provides the key to the service provider interface, which then uses the key to encrypt the document and to complete the file transfer operation. In the alternative, the service provider itself performs encryption. The SPI generates and sends a message to the receiving entity that includes the key or a link to enable the receiving entity to retrieve the key.

Abstract: A method operative at an identity provider enforces a digital rights management (DRM) scheme associated with a piece of content. The identity provider is an entity that participates in a “federation” with one or more other entities including, for example, an service provider (e.g., a content provider), a DRM privileges provider, and a DRM policy provider. In one embodiment, the method begins by having the identity provider obtain and evaluate against a DRM policy a set of DRM privileges associated with the end user requesting access to the piece of content. Based on the evaluation, the identity provider generates a single sign on (SSO) message that includes a reference to the set of DRM privileges. The message is then forward to the service provider entity, which provides the end user a response.

Abstract: A method operative at an identity provider enforces a digital rights management (DRM) scheme associated with a piece of content. The identity provider is an entity that participates in a “federation” with one or more other entities including, for example, an service provider (e.g., a content provider), a DRM privileges provider, and a DRM policy provider. In one embodiment, the method begins by having the identity provider obtain and evaluate against a DRM policy a set of DRM privileges associated with the end user requesting access to the piece of content. Based on the evaluation, the identity provider generates a single sign on (SSO) message that includes a reference to the set of DRM privileges. The message is then forward to the service provider entity, which provides the end user a response.

Abstract: A mobile device identifier (such as an MSISDN) that typically accompanies a mobile device request is replaced with an “enriched” identifier that exposes the mobile device user's home operator but obfuscates the mobile device's (and, thus, the device user's) identity. In one embodiment, the identifier comprises a first part, and a second part. The first part comprises a data string that identifies (either directly or through a database lookup) the mobile device user's home operator. The second part, however, is an opaque data string, such as a one-time-use unique identifier (UID) or a value that is otherwise derived as a function of the MSISDN (or the like). The opaque data string encodes the mobile device's identity in a manner that preferably can be recovered only by the user's home operator (or an entity authorized thereby). When the mobile device user roams into a foreign network, that network receives the enriched identifier in lieu of an MSISDN.

Abstract: An application is instrumented with a document protection service provider interface (SPI). The interface is used to call an external function, e.g., an encryption utility, to facilitate secure document exchange between a sending entity and a receiving entity. When the application invokes the SPI, the user is provided with a display panel. The end user provides a password for encryption key generation, together with an indication of desired encryption strength. The service provider uses the password to generate an encryption key. In one embodiment, the service provider provides the key to the service provider interface, which then uses the key to encrypt the document and to complete the file transfer operation. In the alternative, the service provider itself performs encryption. The SPI generates and sends a message to the receiving entity that includes the key or a link to enable the receiving entity to retrieve the key.

Abstract: A method carried out at a point of contact (e.g., reverse proxy, a web server plug-in, or the like) that serves as an intermediary between a client browser and one or more back-end applications (or application component), wherein each back-end application has the capability to set its own server-side session management data with respect to the point of contact that is independent of any client-side session management data set by the point of contact and used by the point of contact to manage a user session. The method begins as a given back-end application returns a response to a first request that has been issued from the client browser (the first request having been received at the point of contact and passed to a back end application or component for processing).

Abstract: An application is instrumented with a document protection service provider interface (SPI). The interface is used to call an external function, e.g., an encryption utility, to facilitate secure document exchange between a sending entity and a receiving entity. When the application invokes the SPI, the user is provided with a display panel. The end user provides a password for encryption key generation, together with an indication of desired encryption strength. The service provider uses the password to generate an encryption key. In one embodiment, the service provider provides the key to the service provider interface, which then uses the key to encrypt the document and to complete the file transfer operation. In the alternative, the service provider itself performs encryption. The SPI generates and sends a message to the receiving entity that includes the key or a link to enable the receiving entity to retrieve the key.

Abstract: A proxy is integrated within an F-SSO environment and interacts with an external identity provider (IdP) instance discovery service. The proxy proxies IdP instance requests to the discovery service and receives responses that include the IdP instance assignments. The proxy maintains a cache of the instance assignment(s). As new instance requests are received, the cached assignment data is used to provide appropriate responses in lieu of proxying these requests to the discovery service, thereby reducing the time needed to identify the required IdP instance. The proxy dynamically maintains and manages its cache by subscribing to updates from the discovery service. The updates identify IdP instance changes (such as servers being taken offline for maintenance, new services being added, etc.) occurring within the set of geographically-distributed instances that comprise the IdP service. The updates are provided via a publication-subscription model such that the proxy receives change notifications proactively.

Abstract: A proxy is integrated within an F-SSO environment and interacts with an external identity provider (IdP) instance discovery service. The proxy proxies IdP instance requests to the discovery service and receives responses that include the IdP instance assignments. The proxy maintains a cache of the instance assignment(s). As new instance requests are received, the cached assignment data is used to provide appropriate responses in lieu of proxying these requests to the discovery service, thereby reducing the time needed to identify the required IdP instance. The proxy dynamically maintains and manages its cache by subscribing to updates from the discovery service. The updates identify IdP instance changes (such as servers being taken offline for maintenance, new services being added, etc.) occurring within the set of geographically-distributed instances that comprise the IdP service. The updates are provided via a publication-subscription model such that the proxy receives change notifications proactively.

Abstract: A document management (DM), data leak prevention (DLP) or similar application in a data processing system is instrumented with a document protection service provider interface (SPI). The service provider interface is used to call an external function, such as an encryption utility, that is used to facilitate secure document exchange between a sending entity and a receiving entity. The encryption utility may be configured for local download to and installation in the machine on which the SPI is invoked, but a preferred approach is to use the SPI to invoke an external encryption utility as a “service.” In such case, the external encryption utility is implemented by a service provider. When the calling program invokes the SPI, preferably the user is provided with a display panel. Using that panel, the end user provides a password that is used for encryption key generation, together with an indication of the desired encryption strength. The service provider uses the password to generate the encryption key.

Abstract: A method, system, and computer usable program product for token caching in a trust chain processing are provided in the illustrative embodiments. An information in a token associated with a first request is mapped. A determination is made whether a requester of the first request has provided a constraint in the first request, the constraint concerning the token, the constraint forming a client constraint. The client constraint is stored. The information and the mapped information is stored, forming stored information. The token is received in a second request. The stored information is reused if the client constraint allows reusing the stored information. A further determination may be made whether a target system receiving the mapped information has provided a server constraint, the second constraint concerning the mapped information, the second constraint forming a server constraint. The stored information may be reused if the server constraint allows reusing the stored information.

Abstract: A method, a system, an apparatus, and a computer program product are presented for improving a register name identifier profile within a federated computing environment such that the register name identifier profile is enhanced to be more securely binding between two federated entities within the federated computing environment, such as an identity provider and a service provider. After the first federated entity sends a register name identifier request for a principal to the second federated entity, the second federated entity performs an authentication operation for the principal. In response to successfully completing the authentication operation, the second federated entity registers or modifies a name identifier for the principal that has been extracted from the received register name identifier request.

Abstract: A method, system and computer program for business process automation facilitates transforming a user's identity/credentials as part of the enablement of transaction fulfillment, e.g., within a SOA environment. In one embodiment, identity and attribute information is added to one or more business process models that each represents a sub-transaction within an overall transaction fulfillment business process flow. As the business model is mapped to an execution environment, the identity and attribute information in the model is used to configure appropriate tooling to define the identity/attribute transformation required to complete the particular portion of the transaction represented by the model.

Abstract: The present invention provides identification and access control for an end user mobile device in a disconnected mode environment, which refers generally to the situation where, in a mobile environment, a mobile device is disconnected from or otherwise unable to connect to a wireless network. The inventive method provides the mobile device with a “long term” token, which is obtained from an identity provider coupled to the network. The token may be valid for a given time period. During that time period, the mobile device can enter a disconnected mode but still obtain a mobile device-aided function (e.g., access to a resource) by presenting for authentication the long term token. Upon a given occurrence (e.g., loss of or theft of the mobile device) the long term token is canceled to restrict unauthorized further use of the mobile device in disconnected mode.

Abstract: A method correlates audit information in a multi-tenant computing infrastructure. The method leverages a user's authentication to the infrastructure, such as via federated single sign-on (F-SSO) from an identity provider. Preferably, the user's tenant identifier in the environment is derived based on identity information obtained during the F-SSO exchange. This tenant identifier is propagated to one or more other components in the infrastructure that are accessed by the user. As audit event from multiple components in the computing infrastructure are generated, these audit events are annotated with the tenant identifier and stored in an audit repository. In response to a request to view the tenant's audit data, a collection of tenant-specific audit events are then retrieved from the audit repository and displayed in a single tenant view. This approach ensures that audit event information is not leaked inadvertently between tenants.

Abstract: A method, system, and computer usable program product for dynamic access to radio networks are provided in the illustrative embodiments. A new radio network having a characteristic more suitable than a corresponding characteristic of a present radio network is detected. A request for access to the new radio network is sent, the request including a token, which includes structured information about a user, a device, a home network, or a billing service. Access to the new radio network is received. Switching is performed from the present radio network to the new radio network for wireless communication. The request for access to a radio network is received such that the requester is not known to a provider of the radio network. The requester is verified using a billing service provider or a home network provider identified in a token in the request. Upon verification, access is granted to the radio network.