Abstract: A primary request is received that includes a primary identity. The service is within a service container group project hosted by a cloud provider. A shadow request is generated from the primary request. The shadow request includes a shadow identity linked to the primary identity. The shadow request is authorized by verifying that the shadow identity has access to the service. A tenant token is generated for the shadow identity in response to authorizing the shadow request. An access token is obtained using native authorization of the cloud provider in exchange for the tenant token. Tenant data is accessed from a tenant data repository using the access token. A shadow response is obtained that is generated for the shadow identity and includes processed tenant data generated. A primary response is sent that is for the primary identity and is generated from the shadow response.

Abstract: In a user credential control system, an access control server includes a token issuing unit that issues, to a service provider server, a token in which a user credential that can be acquired by the service provider server is described according to the company name and the type of a service of the service provider server described in an electronic certificate, a policy registration unit that registers a policy of an access authority of the service provider server to the user credential based on the company name or the type of the service of the service provider server, and a notification reception unit that, when the user credential of the user terminal has been changed, acquires the service provider server with the access authority to the user credential from a token according to the registered policy to notify the service provider server of the change of the user credential.

Abstract: According to some embodiments, the disclosed systems and methods provide non-native functionality to a distributed network for administrative customizations and control of network-hosted and/or blockchain-related application program interfaces (APIs). The disclosed technology provides novel techniques and mechanisms for administrating and/or configuring microservice API requests, whereby customized definitions, operations and executable instructions may cause and/or otherwise have associated information stored in a distributed ledger (e.g., blockchain). In some embodiments, the disclosed functionality and capabilities provided by the disclosed framework enable capabilities for API administration and configuration respective to how workflows of microservices are hosted, executed and stored within and respective to data structures and nodes of a blockchain.

Abstract: The disclosed embodiments relate to authenticating devices to a cellular network. In one embodiment, a method is disclosed comprising reading a mobile identifier from a storage area of a memory device, the mobile identifier comprising a value associated with a subscriber of a cellular network; signing the mobile identifier using a private key to generate a digital signature, the private key generated using a physically unclonable function (PUF); transmitting the digital signature and a public key to a cellular network, the public key associated with the private key; and receiving, from the cellular network, a confirmation of access to the cellular network, the confirmation generated based on the public key and the digital signature.

Abstract: Provided are a method for realizing a video conference, and a terminal and an SIP gateway. The method for realizing a video conference is applied to a WebRTC terminal, and comprises: performing interaction of SIP signaling with an SIP gateway by means of an SIP account, so as to establish a video conference connection with an SIP terminal, wherein SIP signaling between the WebRTC terminal and the SIP gateway is transmitted by means of a WebSocket protocol, and the WebRTC terminal can parse the received SIP signaling transmitted by means of the WebSocket protocol; and sending a locally collected video stream, and/or receiving a video stream of the SIP terminal, and playing same by means of a browser.

Abstract: The disclosed technology relates to a process of evaluating any number of different identity providers (IDPs) and their respective set of credentials that are used to authenticate corresponding users to assist with the onboarding of the different IDPs in connection with Wi-Fi identity federations. In particular, the process allows a person's electronic identity and attributes (stored across one or more IDPs) to be determined once using a standard. Once trust has been established for the user, that trust can then be utilized across a number of different systems (e.g., Single-sign on). The same trust determination can be used without the need for the authenticity of the user identity to be re-evaluated with each new access request.

Abstract: An authentication device includes an authentication unit, a history information generator and a communication unit. The authentication unit executes, when a user terminal accesses a service provider system, an authentication process based on an authentication request that includes a description pertaining to an authentication condition and an authentication method that correspond to the service provider system. The history information generator generates history information. The history information includes information indicating whether the authentication condition is satisfied and information indicating a result of executing the authentication process by using the authentication method. The communication unit transmits the history information to the user terminal.

Abstract: A system, method, and computer-readable medium for performing a data center monitoring and management operation. The data center monitoring and management operation includes: receiving data center asset workload data; capturing a set of the data center asset workload data at predefined time intervals; monitoring data center workload performance using the set of the data center asset workload data; and, predicting an anomaly associated with data center workload performance based upon the monitoring.

Abstract: A method for facilitating application authentication bypass based on proximate with time using device authentication is disclosed. The method includes receiving a request from a user to access an application on a user device, the request including an application authentication request; accessing the user device via a device application programming interface; retrieving, via the device application programming interface, device authentication data, the device authentication data including a timeline of successful device authentications; determining whether the device authentication data is within a predetermined threshold; authenticating the request by using the device authentication data when the device authentication data is within the predetermined threshold; and permitting access to the application based on a result of the authenticating.

Abstract: Systems and methods for conducting direct peer-to-peer real time communications are disclosed. The system comprises a domain communication server. The system includes logic to receive a request on behalf of a first user, to initiate a direct peer-to-peer communication session specifying a domain name of a second user. The second user is a registered and authorized user having the domain name registered with a domain name server and authorized by the domain communication server to participate in the direct peer-to-peer real time communication with other users using the domain name. The system includes logic to offer to the second user based upon the domain name specified in the request, to initiate direct peer-to-peer communications with the first user. The system includes logic to, upon acceptance from the second user, initiate the direct peer-to-peer communication session between the first user and the second user.

Abstract: Examples provide a cloud-based distributed secure shell (SSH) file transfer protocol (SFTP) server system for responding to client requests. A load balancer assigns client requests to available SFTP servers within the cloud based distributed SFTP server cluster. Each SFTP server is hosted on an individual VM associated with a cloud server. An authentication service authenticates the client requests using a single user profile. A registry table on a first cloud storage maintains metadata describing all the data records stored within a second cloud storage. The registry table and the data records are accessible to all the SFTP servers within the server cluster. In this manner, any server within the cluster can authenticate a user and respond to a client request while providing a seamless and uniform user experience while simultaneously reducing resource usage and improving scalability.

Abstract: An information processing system includes a linkage database in which a person is linked with a property; a person database in which the person is associated with a role of the person and one or more functions that can be used by the person; a property database in which the property is associated with one or more functions used in the property; a first permission management unit configured to manage one or more functions that can be used by the person in the property, by using the person database and the property database; and a second permission management unit configured to manage one or more properties whose information can be accessed by the person, by using the linkage database.

Abstract: A method for facilitating identity and access management in a cloud environment based on a zero-trust configuration is provided. The method includes retrieving, via a job, a token from a corresponding identity provider, the job including a unit of work and a unit of execution that corresponds to a change; retrieving, via the job, a change authorization from a change management system, the change authorization including a signed change authorization; retrieving, via the job, a change artifact from an artifact repository, the change artifact including a signed change artifact; requesting, via the job, a change orchestrator to execute the change, the request including the token, the change authorization, and the change artifact; instructing, via the change orchestrator, a service broker to execute the change; and executing, via the service broker, the change within the cloud environment.

Abstract: The present disclosure generally relates to managing passwords. In some examples, a computer system displays an autofill user interface object corresponding to a one-time password generated by the computer system and for use in authenticating a user with a remotely-authenticated service. In some examples, a computer system enters, saves, and submits a new username and a new password created via a password manager to a remotely-authenticated service.

Abstract: A method for delegated authorization at a security edge protection proxy (SEPP) includes intercepting, from a consumer network function (NF) that does not support access token based authorization, a service based interface (SBI) service request for accessing a service provided by a producer NF that requires access token based authorization. The method further includes operating as an access token authorization client to obtain a first access token on behalf of the consumer NF. The method further includes using the first access token to enable the consumer NF to access the service provided by the first producer NF. The SEPP may also operate as an access token authorization server on behalf of an NRF that does not support access-token-based authorization.

Abstract: A method of providing a chat service in a map-based virtual space includes receiving a place selection signal based on map information and/or a motion detection signal from user terminals, determining location information and FoV information of the corresponding account in the virtual space, determining image information of a perspective view and one or more other accounts to be displayed on the corresponding user terminal, receiving a chat request from a first user terminal, receiving a result regarding whether to accept a chat in response to the chat request from a second user terminal, determining whether an account of the first user terminal and the other account of the second user terminal on the street view satisfy a preset condition, and providing the chat service between the first user terminal and the second user terminal based on whether the chat is accepted and whether the preset condition is satisfied.

Abstract: A method of providing login information may include sending, from a service web page executed on a browser, a login request to an authentication web page executed on the browser, executing, by the authentication web page, a single sign on (SSO) agent in an electronic device, sending, by the authentication web page, a request for authentication information of a user to the SSO agent, generating and transmitting, by the SSO agent, a random number to the authentication web page, generating and transmitting an encrypted eigenvalue on an authentication web server based on the random number to the SSO agent, calling, by the SSO agent, an authentication application programming interface (API) server, and transmitting the eigenvalue, validating the eigenvalue on the authentication API server, and receiving, by the SSO agent, a result of the validating from the authentication API server, and transmitting the authentication information to the authentication web server.

Abstract: Methods and systems for a media guidance application that provides advanced parental control features such as allowing parents to establish parental controls in a dynamic and individualized manner and allowing parents to track and/or limit the amount of time that a child views media content of a particular type.

Abstract: A method, system, and computer program product is provided for third-party authorization. The method includes generating an authorization code, encrypting the authorization code with a public key associated with a first system, resulting in an encrypted authorization code, transmitting the encrypted authorization code to the first system, receiving, from the first system, a digitally signed authorization code generated by the first system based on the authorization code and a private key corresponding to the public key associated with the first system, verifying the digitally signed authorization code based on the public key and the authorization code, and in response to verifying the digitally signed authorization code, transmitting an access token to the first system, wherein the access token is configured to authorize a user with the first system.

Abstract: A method for providing secure single sign on includes receiving a first data object from an application hosting server, the first data object indicating at least a service provider name and identifying a configuration file corresponding to the service provider name, wherein the configuration file includes at least trusted identity information. The method also includes determining, using the configuration file corresponding to the service provider name, whether the first data object is valid and, in response to a determination that the first data object is valid, generating a response message.

Abstract: A system and method for onboarding and managing assets in a decentralized identity network is disclosed. The method may include receiving an authorization proof from a member of a team of an enterprise to access an asset in the decentralized identity network. The method may further include validating the member of the team through a set of validator nodes. The method may further include provisioning the asset on the decentralized identity network. The method may further include onboarding the provisioned asset on the decentralized identity network. The method may further include generating a set of derived credentials of the onboarded asset. The method may further include validating a user access request corresponding to at least one of owners of an application and user to access the asset. The method may further include dynamically validating an employee access request from an employee and the unique asset DID to access the asset.

Abstract: Methods and systems are described for verifying an identity of a user through contextual knowledge-based authentication. The system described uses contextual knowledge-based authentication. By verifying an identity of a user through contextual knowledge-based authentication, the verification is both more secure and more intuitive to the user. For example, by relying on confidential and/or proprietary information, the system may generate verification questions, the answers to which are known only by the user.

Abstract: The systems and methods described herein can enable the indirect transmission of session data between different domains. The system can pass the session data through a hashing function so that the data from a given domain remains private and secure to the specific domain. The system can generate clusters of associated domains for a given client device that the system can use to maintain a session between the client device and the domain.

Abstract: First and second devices store respective device data and private keys. The first-device data is additionally stored by the second device and by a proxy; and the second-device data is additionally stored by the first device and by the proxy. In a commitment phase, each of the first and second devices uses its respective device data, private key and a random nonce to generate a respective one-time first-device or second-device commitment value, which it sends to the proxy. In a checking phase, the devices communicate secret-key information to the proxy, which verifies the received one-time commitment values. In a digest phase, the proxy calculates a one-time digest, which it sends to the second device. The second device then verifies the received one-time digest to authenticate the first device.

Abstract: A computing platform is configurable to cause initiating a communication session with a user, the user having a user account associated with a workflow data object, the workflow data object being configured to represent a plurality of operations included in a workflow. The computing platform is also configurable to cause identifying a verified status indicator associated with at least one of the plurality of operations, the verified status indicator comprising a verified credential associated with at least one of the plurality of operations. The computing platform is also configurable to cause identifying a transfer operation associated with the verified status indicator and identifying a target entity associated with the transfer operation. The computing platform is also configurable to cause implementing the identified transfer operation based, at least in part, on identified target entity.

Abstract: Systems and methods for authorizing data transfers are disclosed. Exemplary implementations may: receive a data transfer authorization request based on a data transfer initiated by a customer computing device; when the customer computing device is associated with a system of trust: send a third-party second-factor authentication message to trustee computing device(s) without sending any message to the customer computing device, and authorize the data transfer system to complete the data transfer request in response to receipt of a third-party authentication confirmation from the trustee computing device(s) and in the absence of any authentication confirmation from the customer computing device.

Abstract: A connection request is received from a user device associated with a user. The connection request includes an identifier associated with a profile associated with the user, the profile being a static profile or a dynamic profile. An observability profile associated with the user is identified based on the profile when the profile is a static profile and based on a current traffic profile associated with the user device when the profile is a dynamic profile. Measurements associated with a data session are executed for the user device based on the observability profile and one or more configurations are adjusted in a network to improve performance of the data session based on the measurements.

Abstract: A system uses a keyboard application to encrypt and decrypt e-mail, messages, and other digital data. By using quantum random number generators, the system has improved data security. Using a quantum random number, an agent (at a sender side) generates an encryption key which is used to automatically encrypt a message. The encryption key is stored at a key server. The encrypted message will be sent by an application using its standard transmission means such as SMTP, SMS, and others. The encrypted message can be automatically unencrypted by using an agent (at a recipient side) and retrieving the key from the key server. The system also provides an optional double encryption, where the message is encrypted with a user-generated password before being encrypted using the encryption key.

Abstract: In embodiments, a computer system of a primary entity receives from a secondary entity a first communication about a relationship instance between the primary entity and the secondary entity, and transmits to an Online Service Provider (OSP) a second communication with a dataset. The dataset has dataset parameters about the relationship instance. The second communication causes the OSP to select a file template per the dataset, to produce a resource for the dataset, and to prepare a digital exhibit that is arranged to report the resource as answering the identified requirement. The OSP then transmits to the computer system a third communication that includes an access indicator adapted to facilitate viewing the digital exhibit. Upon receiving the third communication, the computer system transmits a fourth communication to the device of the secondary entity, the fourth communication including the access indicator.

Abstract: An identity set may be selected from an identity pool of an identity management service. The identity set may be selected based on a threshold quantity of unnecessary permissions relative to one or more existing managed policies provided by the identity management service. The identity set may be grouped into a plurality of identity subsets. The grouping may be performed based at least in part on services accessed by the identity set. A plurality of candidate policies may be generated, such as by generating, for each identity subset of the plurality of identity subsets, based at least in part on a plurality of policy generation rules, a respective candidate policy. At least one candidate policy of the plurality of candidate policies may be selected as a new managed policy that is provided by the identity management service to users.

Abstract: A security function is provided by an intermediate device located between hosts and devices requesting for access to the hosts in a computerized network. The intermediate device receives a request for access to a host, and obtains at least one authenticator for use in the requested access to the host. The intermediate device then monitors for communications that use the at least one authenticator.

Abstract: A single sign-on system using blockchain is disclosed. The single sign-on system may interconnect various organization systems over a peer-to-peer network, with each organization system having a blockchain node and an application programming interface (API). The blockchain node invokes and uses a smart contract to write registration credentials to the blockchain during a registration process. During a login process, the blockchain node invokes the smart contract to determine whether login credentials match stored login credentials in the blockchain. In response to matching login credentials, the API may generate a single sign-on token that can be used by a user device to access one or more organization systems connected over the network.

Abstract: Examples described herein may include a playback device receiving, from a control device, a validation-key that includes an application identifier corresponding to a controller application. The playback device may create a session identifier and transmit the session identifier to the control device. The playback device may receive, from the control device, a playback request comprising the session identifier and a playback command. The playback device may determine that the session identifier is valid and then execute the playback command. A computing system may receive identification information related to a controller application and generate the validation-key based on the controller application meeting at least one quality-control metric. The controller application may receive the validation-key from the computing system.

Abstract: The disclosure describes systems, methods and devices relating to a sign-on and management hub or service for users of multiple internal, external or Software-as-a-Service (SaaS) software applications (Apps), with options for centralized management and sharing of accounts without needing to provide login credentials to individual users.

Abstract: A method and apparatus of a device that converts an account associated with an application to use a single sign-on service is described. In an exemplary embodiment, the device receives an indication of a weak password associated with the account. The device further sends a request to verify an account credential for a user associated with the device. In addition, the device receives the verification of the account credential. The device additionally requests a single sign-on credential for the account and receives the single sign-on credential. Furthermore, the device sends a message to a server associated with a service for the application that the application is registered for the single sign-on service.

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for transmitting/processing requests to control information stored at multiple content platforms/servers. In one aspect, a client device can send a request to verify the device's trustworthiness to a device trustworthiness server. The client device can receive, from the device trustworthiness server, data indicating that the client device is trustworthy, in response to which, the client device can send, to a relay server, a request to control user data stored at a plurality of servers. The client device can receive, via the relay server, a response from each of the plurality of servers. Based on the responses, the client device can determine that at least a subset of the plurality of servers that included the user data has performed the action specified in the request to control the user data.

Abstract: A wearable device collects a fingerprint pattern input by a user and speech input by the user. The wearable device sends the fingerprint pattern to an electronic device, to enable the electronic device to perform authentication on the fingerprint pattern input by a user. The wearable device sends the speech to the electronic device, and, upon a determination that the authentication succeeds, the electronic device is enabled to execute a function corresponding to the speech.

Abstract: Methods, apparatus, and processor-readable storage media for dynamically unifying disparate UI applications in a cloud native environment are provided herein.

Abstract: Encryption and decryption techniques based on one or more transposition vectors. A secret key is used to generate vectors that describe permutation (or repositioning) of characters within a segment length equal to a length of the transposition vector. The transposition vector is then inherited by the encryption process, which shifts characters and encrypts those characters using a variety of encryption processes, all completely reversible. In one embodiment, one or more auxiliary keys, transmitted as clear text header values, are used as initial values to vary the transposition vectors generated from the secret key, e.g., from encryption-to-encryption. Any number of rounds of encryption can be applied, each having associated headers used to “detokenize” encryption data and perform rounds to decryption to recover the original data (or parent token information). Format preserving encryption (FPE) techniques are also provided with application to, e.g., payment processing.

Abstract: A disclosed method includes assigning a unique identifier to a computer product instance, such as a server, switch, router, or storage device, to be deployed at a data center or other location on behalf of a customer, generating security credentials for the computer product dependent on the identifier, obtaining the credentials by a customer-side automated deployment agent, and using them by the deployment agent during deployment of the computer product. The credentials may be generated by a supplier-side credential management system, then requested and received by the deployment agent over a secure communication channel. The credentials may be generated by a program shared between the supplier-side credential management system and the deployment agent. The identifier may identify a hardware or software component or be selected by the supplier or customer. The credentials may include a username, password, token, cryptographic key, or digital certificate for a first login.

Abstract: Methods and systems for managing the performance of workloads in a distributed system are disclosed. The distributed system may include any number of clients, deployments, and data sources operably to one another. To service the workloads, container instances may be deployed to various deployments. When deciding where to deploy the container instances, the hardware resources of the deployments and/or resource expectations associated with the container instances may be taken into account. By doing so, container instances may be more likely to be deployed to deployments that meet their resource expectations. The resource expectations may be embedded as metadata in resources specific build files.

Abstract: An apparatus relating to authorization of network functions includes at least one processor and at least one memory including computer program code. The at least one memory and the computer program code configured to, with the at least one processor, cause the apparatus to: send, from a first network function service consumer instance to an authorization server, a request for an access token for use in accessing a service provided by a network function service producer; receive, at the first network function service consumer instance from the authorization server, an access token for use in accessing the service provided by the network function service producer; and send, from the first network function service consumer instance to the network function service producer, a request to access the service provided by the network function service producer, the request to access the service including the access token.

Abstract: There are provided systems and methods for split one-time password digits for secure transmissions to selected devices. Authentication credentials and one-time password operations by a service provider, such as an electronic transaction processor for digital transactions, may be compromised by malicious computing attacks or other actions that compromise the security of data and communications. To increase security of the data within a communication and authentication operations, a split one-time password system may be implemented. A user may preset a number of known digits for a one-time password with a profile and/or account. When multifactor authentication is required, randomized digits may be generated using a hash algorithm and may be transmitted to the user with instructions for completion of the one-time password. The user may be required to specifically enter the known digits with the randomized digits to properly pass the multifactor authentication.

Abstract: Techniques for integrating a trusted execution platform with a function-based service framework are disclosed. For example, a method obtains an application program comprising a first set of one or more functions for execution within a secure execution area of a function-based service framework and a second set of one or more functions for execution within a non-secure execution area of the function-based service framework. A client attests an attestation delegator and the attestation delegator attests one or more secure containers prior to receipt of a function execution request to execute a function in the function-based service framework.

Abstract: An apparatus comprises a processing device configured to receive, from a given client at a single sign-on manager coupled to a database cluster comprising a plurality of databases, an access request comprising an identifier of a given one of the plurality of databases in the database cluster and single sign-on credentials for the given client to access the database cluster. The processing device is also configured to authenticate, at the single sign-on manager, the single sign-on credentials in the access request and, responsive to authenticating the single sign-on credentials in the access request, to establish a connection between the given client and the given one of the plurality of databases in the database cluster utilizing a session established between the single sign-on manager and the given one of the plurality of databases in the database cluster.

Abstract: Systems and methods for embodiments of artificial intelligence systems for identity management are disclosed. Specifically, embodiments of an identity management system may provide identity management in association with cloud services used by an enterprise and, in particular, may provide identity management in association with cloud based services that may be accessed through federated access providers.

Abstract: Systems and methods are provided for a computer-implemented method of implementing an on-demand computing network environment. A network specification is received from a user. Resources from one or more resource providers are provisioned including an audio server resource. The on-demand computing network is configured, where configuring includes assigning a first provisioned resource as a hub device. One or more second provisioned resources are assigned as rim devices, where rim devices are configured to communicate with one another only via the hub device. One rim device is a proxy server to which the user connects using a device having an address, where the audio server transmits audio data to the user via the proxy server without knowledge of the address of the user device.

Abstract: This disclosure relates to data security and cryptography. In one aspect, a method includes receiving a request for a subscription token for a given user by a data security system from a publisher computing system of a publisher. The request includes user identification information provided to the publisher by the given user when subscribing to electronic content of the publisher. The data security system generates the subscription token which includes a set of data that includes a first encrypted user identifier generated by encrypting a first user identifier for the given user using an encryption key of the data security system, and, for each of one or more content platforms, an attachment element that includes a second encrypted user identifier generated by encrypting a second user identifier for the given user using an encryption key of the content platform and transmitting the subscription token to the publisher computing system.

Abstract: The invention method comprises: authenticating successfully, by a user authentication server, through a logon agent in a device, a device user; sending, by the user authentication server, to the logon agent, session data relating to the successful authentication session; sending, by the logon agent, to a logon application the session data; receiving, by at least one browser, from the device user, a first request for accessing the service with a first server identifier; sending, by the logon application, to the at least one browser, the session data; sending, by the browser, based on the first server identifier, to a first receiving server, the session data; verifying, by the first receiving server, whether the session data is or is not valid, and, if yes, authorizing access to the service.

Abstract: A method of enabling single sign-on (SSO) access to an application executing in an enterprise, wherein authorized, secure access to specific enterprise applications are facilitated via an enterprise-based connector. In response to successful authentication of an end user via a first authentication method, a credential associated with the successful authentication is encrypted to generate an encrypted user token. The encrypted user token is then forwarded for storage in a database accessible by the enterprise-based connector. Following a redirect (e.g., from a login server instance) that returns the end user to the enterprise-based connector, the encrypted user token is fetched and decrypted to recover the credential. The credential so recovered is then used to attempt to authenticate the user to an application via a second authentication method distinct from the first authentication method.