Abstract: Techniques for enabling impersonation without requiring an access manager (AM) controlling access to a computing resource to have direct access to user information. The AM receives an impersonation request for a first user to impersonate a second user, the request being received during a first session initiated by the first user. The second user has an access privilege that permits access to the computing resource. The AM causes information to be obtained from an identity provider, the information being stored in a location inaccessible to the AM and indicating whether the first user has been granted permission to impersonate the second user. An impersonation session is initiated based on determining, using the information obtained from the identity provider, that the first user has been granted permission to impersonate the second user. The initiating comprises switching a user associated with the first session from the first user to the second user.

Abstract: Techniques for transaction-specific authentication. An access manager receives information for a transaction. The information can be received in an authentication request from an application that is to perform the transaction or received as part of a transaction request. The information identifies an attribute associated with the transaction and includes a value for the attribute. The access manager uses the value to generate a first one-time password (OTP). The first OTP is compared to a second OTP received from a client device of a user who requested the transaction. Matching of the first OTP and the second OTP indicates that the value received in the information for the transaction matches a value provided by the user to the client device. Based on determining that the first OTP matches the second OTP, the access manager transmits an indication to the application that the user is successfully authenticated for the transaction.

Abstract: Techniques are disclosed for restricting access to resources accessible in a SSO session. An access management system may provide access one or more resources by implementing an SSO system to provide a SSO session. An SSO session may provide an authenticated user with access to protected resources to which the user is entitled to access. In some instances, a user sharing a computer with other users may want to access a particular protected resource so as to restrict other users sharing the computer from accessing other protected resources accessible to the user in an SSO session. The access management system may enable the user to dynamically choose, such as during login, the protected resources which to restrict and/or permit. Upon successful authentication, a session may be established for only those protected resources that are permitted based on the user's selection, while the other resources are restricted.

Abstract: Techniques are disclosed for enabling a user to validate the authenticity of a computing system (e.g., an access management system) such as one which controls access to one or more resources. A user can determine the authenticity of an access management system before the user provides credential information to the access management system. A user can be presented at a client system with an interface to request authentication of an access management system. The access management system may provide the user at the client system with temporary access information to submit back to the access management system. The access management system may provide recent personal information to the user at the client system to verify the access management system. Upon verification of the personal information, the access management system may prompt the user for credential information to establish a session.

Abstract: Techniques are provided for of constructing a whitelist of redirection uniform resource locators (URLs). A method can include receiving, by a computing system executing an access manager application, a request to log out a user from an application executing on a device; determining, by the access manager application, a redirection address for the application; validating, by the access manager application, the redirection address; and based on the validation, causing, by the access manager application, the application to perform one of redirecting the user to the redirection address and determining addition of the redirection address to a list of valid redirection addresses.

Abstract: Techniques are disclosed for providing users of an access management system the capability to manage the user's active sessions. The system may receive a first request by a user at a first device to modify one or more sessions established for the user. The system may access session information about the one or more sessions that are associated with the user, wherein a session of the one or more sessions provides the user with access to one or more resources. The system may send the session information to the first device, the session information causing the first device to display a graphical interface including the session information about the one or more sessions. The system may receive, from the first device, a second request indicating a modification to the session. The system may modify the session in accordance with the modification indicated in the second request.

Abstract: Techniques are disclosed for facilitating impersonation for accessing resources through an access management system. When a user (“impersonator”) requests access to impersonate another user (“impersonatee”), the access management system may generate security data having two parts. One part may include a first security key that is sent to the impersonator and a second part may include a second security key that is sent to the impersonatee. Receipt of the second security key notifies the impersonatee about a request for impersonation to access a resource according to access permitted to the impersonatee. The impersonatee, if consenting to impersonation, may provide the security key received to the impersonator, thereby implicitly providing the impersonator with trust at run-time to access the resource. Upon verification of both security keys, by the access management system, access to a resource is provided to the impersonator based on access to the resource permitted to the impersonatee.

Abstract: Techniques for enabling impersonation without requiring an access manager (AM) controlling access to a computing resource to have direct access to user information. The AM receives an impersonation request for a first user to impersonate a second user, the request being received during a first session initiated by the first user. The second user has an access privilege that permits access to the computing resource. The AM causes information to be obtained from an identity provider, the information being stored in a location inaccessible to the AM and indicating whether the first user has been granted permission to impersonate the second user. An impersonation session is initiated based on determining, using the information obtained from the identity provider, that the first user has been granted permission to impersonate the second user. The initiating comprises switching a user associated with the first session from the first user to the second user.

Abstract: Techniques are disclosed for using a global unified session identifier across data centers. Upon creating an initial session in the data center for a user first accessing the data center, a session identifier is generated for the user session. Because the initial session is the first session created for that user, the initial session identifier is designated as the global unified session identifier for all sessions that may be created for the user in other data centers within the enterprise network. Data centers may then map the global unified session identifiers to locally generated session identifiers for the user. A global unified session identifier enables various user session actions to be performed globally across the data centers, including global logout, global session termination, global session updates, and/or the like. A global unified session identifier prevents the risk of collision that can occur between randomly generated numbers of different data centers.

Abstract: An embodiment of the invention is directed to a method comprising associating at least one action with at least one of a plurality of action buttons; customizing associations of the associated actions; and including the customized associated actions, corresponding to one of the plurality of action buttons, in an expandable action menu when said corresponding action button is selected, wherein the customized associated actions and the plurality of action buttons are accessible on a common navigation level.