Abstract: Techniques for proxing services with a single sign on are provided. A principal authenticates to a first identity service. The first identity service is in a trusted relationship with a second identity service. An authentication request is sent to the second identity service and the request includes an authentication response supplied by the first identity service in response to successful authentication of the principal to the first identity service. In response to the authentication request and the accompanying response, the principal is authenticated for access to the second identity service. Furthermore, targeted services accessible to the second identity service are proxied from and to the principal during interactions between the principal and an external service of that principal.

Abstract: Techniques for validating identities are provided. A sign-on request is authenticated for a given principal. Attributes associated with that principal are acquired from an identity service and compared against local maintained attributes for that principal. If the identity-service acquired attributes match the local attributes, then the principal is validated for access. During principal access, selective events drive updates to the identity-service acquired attributes, and the comparison with the local attributes is performed again to determine whether the validated principal is to be invalidated or is to remain validated.

Abstract: Techniques for establishing implicit trust of authorship certification are provided. A message's domain is validated in response to a valid domain certificate. A message's author is validated in response to an author identification, which is acquired from the message and which is supplied to a domain service of the author. The domain service is implicitly trusted based on the domain being validated via the domain certificate. The domain service uses the author's identification to traverse to a specific location within the domain that houses an author certificate for the author. The author certificate is compared against a message certificate that accompanies the message in order to establish trust with the author and the author's message.

Abstract: Techniques for providing role-based security with instance-level granularity are provided. A security service detects a request made by a principal for access to a resource. Access to the resource is conditioned on a status of a role. The role is associated with the request, the principal, and the resource. The security service evaluates a constraint associated with the role to determine the status. The status is subsequently consumed to determine whether access to the resource for the purposes of satisfying the request is permissible.

Abstract: Techniques for attesting to content received from an author (sender) are provided. A sender's content is represented by a message digest. The message digest is signed by an identity service. The signed message digest represents an attestation as to the authenticity of the content from the sender. The sender transmits the signed message digest and content in a message to a recipient. The recipient verifies the signature and message digest to authenticate the content from the sender.

Abstract: Techniques are provided for serializing events of a data stream. Meta information defines information unit separators and context for events within the data stream. The data stream is parsed according to the instructions of the meta information and event data associated with the events of the data stream are retained. The event data is packaged into selective groupings of event data and transmitted to one or more services in data formats used by the services. The services perform one or more actions based on the received selective groupings of event data.

Abstract: Techniques for proxing services with a single sign on are provided. A principal authenticates to a first identity service. The first identity service is in a trusted relationship with a second identity service. An authentication request is sent to the second identity service and the request includes an authentication response supplied by the first identity service in response to successful authentication of the principal to the first identity service. In response to the authentication request and the accompanying response, the principal is authenticated for access to the second identity service. Furthermore, targeted services accessible to the second identity service are proxied from and to the principal during interactions between the principal and an external service of that principal.

Abstract: Techniques for validating identities are provided. A sign-on request is authenticated for a given principal. Attributes associated with that principal are acquired from an identity service and compared against local maintained attributes for that principal. If the identity-service acquired attributes match the local attributes, then the principal is validated for access. During principal access, selective events drive updates to the identity-service acquired attributes, and the comparison with the local attributes is performed again to determine whether the validated principal is to be invalidated or is to remain validated.