Abstract: A computing system configured to support entities having the ability to indicate capability information for capabilities of the entities is illustrated. Embodiments may include an identity provider computer system comprising at least one processor. The identity provider computer system is configured to receive requests for access tokens from entities. The requests include capability information for the entities. The identity provider computer system is further configured to provide access tokens to the entities which include the capability information. The computing system further includes a resource provider computer system comprising at least one processor configured to receive resource requests and access tokens from entities. The access tokens include the capability information. The resource providers are further configured to provide responses to the entities according to the capability information.

Abstract: Authenticating computing entities. A method includes at an identity provider, providing a first access token to an entity for use by the entity in obtaining resources from a resource provider. The method further includes, at the identity provider, receiving response information from the entity. The response information from the entity is provided to the entity from the resource provider as a result of the resource provider enforcing policy at the resource provider. At the identity provider, a second access token is provided to the entity. The second access token is provided based on the response information, such that the second access token can be used by the entity to obtain the resources from the resource provider.

Abstract: Managing user sessions in a networked computing environment. A method includes, at an identity provider computer system, providing a first id token to a resource provider for an entity. The first id token has therein a first policy check interval having a value defining a period when the first id token should be revalidated. Due to expiration of the first policy check interval, a first refresh token is received from a resource provider computer system that received the first id token. As a result of receiving the first refresh token from the resource provider computer system, the identity provider computer system evaluates conditional access policy for the entity. If the identity provider computer system determines that the conditional access policy for the entity has been met, the identity provider computer system provides a new id token and a new refresh token to the resource provider computer system.

Abstract: Session lifetime can be adapted based on session reputation. Session reputation can be computed based on sign-in risk and device risk, among other things. Session lifetime corresponds to a length of time a session is valid and can be determined automatically based on the session reputation. Subsequently, a token can be generated and returned in response to successful authentication that identifies a session and is valid for the determined lifetime.

Abstract: Managing user sessions in a networked computing environment. A method includes, at an identity provider computer system, providing a first id token to a resource provider for an entity. The first id token has therein a first policy check interval having a value defining a period when the first id token should be revalidated. Due to expiration of the first policy check interval, a first refresh token is received from a resource provider computer system that received the first id token. As a result of receiving the first refresh token from the resource provider computer system, the identity provider computer system evaluates conditional access policy for the entity. If the identity provider computer system determines that the conditional access policy for the entity has been met, the identity provider computer system provides a new id token and a new refresh token to the resource provider computer system.

Abstract: Authenticating computing entities. A method includes at an identity provider, providing a first access token to an entity for use by the entity in obtaining resources from a resource provider. The method further includes, at the identity provider, receiving response information from the entity. The response information from the entity is provided to the entity from the resource provider as a result of the resource provider enforcing policy at the resource provider. At the identity provider, a second access token is provided to the entity. The second access token is provided based on the response information, such that the second access token can be used by the entity to obtain the resources from the resource provider.

Abstract: A computing system configured to support entities having the ability to indicate capability information for capabilities of the entities is illustrated. Embodiments may include an identity provider computer system comprising at least one processor. The identity provider computer system is configured to receive requests for access tokens from entities. The requests include capability information for the entities. The identity provider computer system is further configured to provide access tokens to the entities which include the capability information. The computing system further includes a resource provider computer system comprising at least one processor configured to receive resource requests and access tokens from entities. The access tokens include the capability information. The resource providers are further configured to provide responses to the entities according to the capability information.

Abstract: A CRL can be divided into a number of segments. The number of segments into which the CRL is divided can be determined by using a predefined number of serial numbers per segment. The segment in which a particular certificate is included can be determined by application of a consistent hashing algorithm to the serial number of the certificate to determine in which segment the serial number will be found if revoked, thereby increasing the efficiency of determining the revocation status of the certificate. Metadata common to each CRL can be cached on each server and on the remote cache. The segments themselves can be cached in the remote cache. Storing the segments only in the remote cache decreases resource consumption (e.g., amount of memory used in the local cache). Storing the segments in the remote cache enables optimization for locality.

Abstract: Session lifetime can be adapted based on session reputation. Session reputation can be computed based on sign-in risk and device risk, among other things. Session lifetime corresponds to a length of time a session is valid and can be determined automatically based on the session reputation. Subsequently, a token can be generated and returned in response to successful authentication that identifies a session and is valid for the determined lifetime.

Abstract: A CRL can be divided into a number of segments. The number of segments into which the CRL is divided can be determined by using a predefined number of serial numbers per segment. The segment in which a particular certificate is included can be determined by application of a consistent hashing algorithm to the serial number of the certificate to determine in which segment the serial number will be found if revoked, thereby increasing the efficiency of determining the revocation status of the certificate. Metadata common to each CRL can be cached on each server and on the remote cache. The segments themselves can be cached in the remote cache. Storing the segments only in the remote cache decreases resource consumption (e.g., amount of memory used in the local cache). Storing the segments in the remote cache enables optimization for locality.