Abstract: Service onboarding can include registering an artifact of a service with a control service. Service onboarding can include assigning a credential to a service account associated with a service, wherein the credentials include a limited authorization. Service onboarding can include managing, according to the authorization, a service based on a node attribute definition maintained by an infrastructure automation framework, the framework including a component to call a representational state transfer (REST) application program interface (API) of the control service.

Abstract: Service onboarding can include registering an artifact of a service with a control service. Service onboarding can include assigning a credential to a service account associated with a service, wherein the credentials include a limited authorization. Service onboarding can include managing, according to the authorization, a service based on a node attribute definition maintained by an infrastructure automation framework, the framework including a component to call a representational state transfer (REST) application program interface (API) of the control service.

Abstract: A process of onboarding a resource into an identity management system is disclosed. The identity management system is configured to connect users with resources and manage user identities and security entitlements of the connected resources. The process of onboarding a resource includes marking or tagging resource fields with semantic markers.

Abstract: A data processing system implements push artifact binding for communication in a federated identity system. A federated identity system in the data processing system comprises an initiator that handles a federated action by determining that a user is to be conveyed to a recipient, constructing an appropriate message request or assertion to be sent to the recipient, and sending the message as a push message over a back-channel communication pathway directed to the recipient's location. The federated identity system further comprises a recipient that handles the federated action by responding to the message by forming a Uniform Resource Locator (URL) to which the user can be directed. The initiator redirects the user to the URL specified in the recipient response.

Abstract: A process of onboarding a resource into an identity management system is disclosed. The identity management system is configured to connect users with resources and manage user identities and security entitlements of the connected resources. The process of onboarding a resource includes marking or tagging resource fields with semantic markers.

Abstract: A data processing system implements push artifact binding for communication in a federated identity system. A federated identity system in the data processing system comprises an initiator that handles a federated action by determining that a user is to be conveyed to a recipient, constructing an appropriate message request or assertion to be sent to the recipient, and sending the message as a push message over a back-channel communication pathway directed to the recipient's location. The federated identity system further comprises a recipient that handles the federated action by responding to the message by forming a Uniform Resource Locator (URL) to which the user can be directed. The initiator redirects the user to the URL specified in the recipient response.

Abstract: A method of multi-domain authorization/authentication on a computer network comprises: a user making a request to a policy enforcement point of a computer for access to information on the computer; providing a location address for a user's authorization and/or authentication information, a policy decision point of the service on the computer network then verifying the authorization/authentication information; and the user being given access by the PEP to the information or the service requested, if the request is accepted, wherein the user's authorization/authentication and/or further information is located on a meta policy decision point (MPDP).

Abstract: In an embodiment, a method to provide client session failover, includes using a security assertion to re-establish a session with a client to permit the client to failover to a failover server. In another embodiment, an apparatus to provide client session failover, includes: a client; a first server configured to provide a security assertion to the client; and a failover server configured to re-establish a session with a client based upon the security assertion.

Abstract: In an embodiment, a method to provide client session failover, includes using a security assertion to re-establish a session with a client to permit the client to failover to a failover server. In another embodiment, an apparatus to provide client session failover, includes: a client; a first server configured to provide a security assertion to the client; and a failover server configured to re-establish a session with a client based upon the security assertion.

Abstract: A method of multi-domain authorisation/authentication on a computer network comprises: a user making a request to a policy enforcement point of a computer for access to information on the computer; providing a location address for a user's authorisation and/or authentication information, a policy decision point of the service on the computer network then verifying the authorisation/authentication information; and the user being given access by the PEP to the information or the service requested, if the request is accepted, wherein the user's authorisation/authentication and/or further information is located on a meta policy decision point (MPDP).