Abstract: Providing access to a cloud service includes a system receiving an application request to access a cloud service. In response, the system sends an identity provider (IP) a token request, comprising an application identifier (ID), an operating system (OS) cloud credential associated with login credentials of a user of an OS hosting the application, and a cloud service ID of the cloud service. Based on sending the token request, and on the IP authenticating the user and verifying the application ID is valid, the system receives a token from the IP. The token, which is signed with an IP signature, comprises the cloud service ID, the application ID, and a user assigned ID associated with the cloud service. The system provides the token to the application for submission to a cloud service provider for access, and obtains cloud service access based on the cloud service provider validating the IP signature.

Abstract: Embodiments are directed to revoking user sessions using signaling. In one scenario, an identity platform operating on a computer system receives an indication indicating that a user's login account has been compromised, where the user's login account has an associated login session and corresponding session artifact that is valid for a specified amount of time. The identity platform generates a signal indicating that the login session is no longer trusted and that the user is to be re-directed to the identity platform to re-authenticate and renew the session artifact and provides the generated signal to various relying parties including at least one relying party that is hosting the login session for the user.

Abstract: One or more techniques and/or systems are provided for obtaining access to a cloud service. In particular, a user may log into a client device using an operating system (OS) cloud login ID. The user may access cloud services (e.g., a music streaming service, a data storage service, etc.) through applications executing on the client device using merely the OS cloud login ID without providing additional login credentials specific to the cloud services. A client side application may request a token to access a cloud service. The token may be generated by an identity provider based upon the identity provider verifying an application ID identifying the application, a cloud service ID identifying the cloud service and/or OS cloud credentials. In this way, the application may present the token to a cloud service provider for verification to gain access to the cloud service hosted by the cloud service provider.

Abstract: Embodiments are directed to revoking user sessions using signaling. In one scenario, an identity platform operating on a computer system receives an indication indicating that a user's login account has been compromised, where the user's login account has an associated login session and corresponding session artifact that is valid for a specified amount of time. The identity platform generates a signal indicating that the login session is no longer trusted and that the user is to be re-directed to the identity platform to re-authenticate and renew the session artifact and provides the generated signal to various relying parties including at least one relying party that is hosting the login session for the user.

Abstract: Network services may include data associated with one or more entities. An aggregator service may host respective application programming interfaces (APIs) of the services at a single endpoint of the network such that the entities, including associations and relationships between entities, may be federated. For example, the services may register the entities of which the data of each of the services is associated with through a declarative entity model to establish an API schema for each of the services, which may be published at the aggregator service. In response to receipt of a request for entity related data from a client, the aggregator service may employ the declarative entity model to determine which of the services are associated with the entity related data such that a query may be submitted to the services, and how to aggregate responses to the query received from the services for transmission to the client.

Abstract: One or more techniques and/or systems are provided for obtaining access to a cloud service. In particular, a user may log into a client device using an operating system (OS) cloud login ID. The user may access cloud services (e.g., a music streaming service, a data storage service, etc.) through applications executing on the client device using merely the OS cloud login ID without providing additional login credentials specific to the cloud services. A client side application may request a token to access a cloud service. The token may be generated by an identity provider based upon the identity provider verifying an application ID identifying the application, a cloud service ID identifying the cloud service and/or OS cloud credentials. In this way, the application may present the token to a cloud service provider for verification to gain access to the cloud service hosted by the cloud service provider.

Abstract: Embodiments are directed to revoking user sessions using signaling. In one scenario, an identity platform operating on a computer system receives an indication indicating that a user's login account has been compromised, where the user's login account has an associated login session and corresponding session artifact that is valid for a specified amount of time. The identity platform generates a signal indicating that the login session is no longer trusted and that the user is to be re-directed to the identity platform to re-authenticate and renew the session artifact and provides the generated signal to various relying parties including at least one relying party that is hosting the login session for the user.

Abstract: In one embodiment, a user authentication server may use geo-location tracking to determine whether to present an enhanced identity challenge. A communication interface 180 may receive a user login attempt by a user and a current location of the user login attempt. A data storage 150 may store a user location profile of the user. A processor 120 may execute a comparison of the current location to the user location profile. The communication interface 180 may present the user with an enhanced identity challenge before allowing user access based on the comparison.

Abstract: In one embodiment, a user authentication server may use geo-location tracking to determine whether to present an enhanced identity challenge. A communication interface 180 may receive a user login attempt by a user and a current location of the user login attempt. A data storage 150 may store a user location profile of the user. A processor 120 may execute a comparison of the current location to the user location profile. The communication interface 180 may present the user with an enhanced identity challenge before allowing user access based on the comparison.

Abstract: An authentication system combines device credential verification with user credential verification to provide a more robust authentication mechanism that is convenient to the user and effective across enterprise boundaries. In one implementation, user credential verification and device credential verification are combined to provide a convenient two-factor authentication. In this manner, an account authority service or other authentication provider verify both factors and provide a security token in accordance with the security policy of the account network resource the user is intending to access. The level of privilege granted by the target account network resource can vary depending on the number and type of factors verified by the account authority service.

Abstract: Scalable session management is achieved by generating a cookie that includes an encrypted session key and encrypted cookie data. The cookie data is encrypted using the session key. The session key is then signed and encrypted using one or more public/private key pairs. The encrypted session key can be decrypted and verified using the same private/public key pair(s). Once verified, the decrypted session key can then be used to decrypt and verify the encrypted cookie data. A first server having the private/public key pair(s) may generate the cookie using a randomly generated session key. A second server having the same private/public key pair(s) may decrypt and verify the cookie even if the session key is not initially installed on the second server. A session key cache may be used to provide session key lookup to save public/private key operations on the servers.

Abstract: A federated realm discovery system within a federation determines a “home” realm associated with a portion of the user's credentials before the user's secret information (such as a password) is passed to a non-home realm. A login user interface accepts a user identifier and, based on the user identifier, can use various methods to identify an account authority service within the federation that can authenticate the user. In one method, a realm list of the user device can be used to direct the login to the appropriate home realm of the user. In another method, an account authority service in a non-home realm can look up the user's home realm and provide realm information directing the user device to login at the home realm.

Abstract: Embodiments of the claimed subject matter provide a method and an apparatus for enabling delegated authentication for web services. Delegated authentication is provided without divulging the information the user requires to complete an authorization procedure of another web service or otherwise subjecting the user to unnecessary risk. Furthermore, delegated authentication is granted for a limited duration and access is subject to further limitations to prevent unnecessary intrusion to the user, the user's data, and the host web service. One embodiment of the claimed subject matter is implemented as a method for enabling delegated authentication to allow a third party service access to protected data on a host service. A user attempting to utilize functionality of a third party website that requests access to the user's data stored on a separate host website is enabled as a delegate with authorization to access the data stored on the host website.

Abstract: One or more techniques and/or systems are provided for obtaining access to a cloud service. In particular, a user may log into a client device using an operating system (OS) cloud login ID. The user may access cloud services (e.g., a music streaming service, a data storage service, etc.) through applications executing on the client device using merely the OS cloud login ID without providing additional login credentials specific to the cloud services. A client side application may request a token to access a cloud service. The token may be generated by an identity provider based upon the identity provider verifying an application ID identifying the application, a cloud service ID identifying the cloud service and/or OS cloud credentials. In this way, the application may present the token to a cloud service provider for verification to gain access to the cloud service hosted by the cloud service provider.

Abstract: A device operated by a user may store an object to which access is to be regulated, which may be achieved by encrypting the object with an encryption key and sending the key to a server having a key store. When a user of the device requests access to the object, the server may authenticate the user (e.g., according to a credential submitted by the user) and verify a trust identifier of the device (e.g., authorization to access the object through the device, and/or the integrity of the device), before sending to the device a ticket granting access to the key. The device may send the ticket to the server, receive the key from the server, decrypt the stored encrypted object, and provide the object to the user. This mechanism promotes rapid access upon request and efficient use of the server, and enables remote revocation of access.

Abstract: In one embodiment, a user authentication server may use geo-location tracking to determine whether to present an enhanced identity challenge. A communication interface 180 may receive a user login attempt by a user and a current location of the user login attempt. A data storage 150 may store a user location profile of the user. A processor 120 may execute a comparison of the current location to the user location profile. The communication interface 180 may present the user with an enhanced identity challenge before allowing user access based on the comparison.

Abstract: A device identifier (ID) is used across enterprise boundaries. A user can use the device ID to publish a device for sharing with other remote users. The remote users can discover devices that are shared by other users based on device IDs, connect to a selected device, and then verify that they have connected to the correct device based on its device ID. An account authority service may be used to manage the publication and/or discovery of the shared devices and their device IDs.

Abstract: A system provides single sign-on capabilities for accessing a Web application through a passive client across multiple realms within a federation. A federation refers to different organizations or realms that have employed agreements, standards, and/or cooperative technologies to make user identity and entitlements portable between the organizations. Communications are redirected through a client in one realm to obtain a security token that can allow the resource server in the other realm to authenticate the user for access to the Web application.

Abstract: An authentication system combines device credential verification with user credential verification to provide a more robust authentication mechanism that is convenient to the user and effective across enterprise boundaries. In one implementation, user credential verification and device credential verification are combined to provide a convenient two-factor authentication. In this manner, an account authority service or other authentication provider verify both factors and provide a security token in accordance with the security policy of the account network resource the user is intending to access. The level of privilege granted by the target account network resource can vary depending on the number and type of factors verified by the account authority service.

Abstract: An authentication system combines device credential verification with user credential verification to provide a more robust authentication mechanism that is convenient to the user and effective across enterprise boundaries. In one implementation, user credential verification and device credential verification are combined to provide a convenient two-factor authentication. In this manner, an account authority service or other authentication provider verify both factors and provide a security token in accordance with the security policy of the account network resource the user is intending to access. The level of privilege granted by the target account network resource can vary depending on the number and type of factors verified by the account authority service.