Global (e.g., Single Sign On (SSO), etc.) Patents (Class 726/8)
  • Patent number: 8959650
    Abstract: A method is used in validating association of client devices with sessions. Information of a client device executing a user agent is gathered by a server for creating a device identifier for the client device upon receiving a request from the user agent for establishing a session between the user agent and the server. The device identifier includes information identifying the client device. The device identifier is associated with the session. The client device is validated by the server upon receiving subsequent requests from the client device during the session. Validating the client device includes gathering information of the client device sending each subsequent request for creating a device identifier for the client device and comparing the device identifier created from the information gathered during each subsequent request with the device identifier associated with the session.
    Type: Grant
    Filed: June 29, 2012
    Date of Patent: February 17, 2015
    Assignee: EMC Corporation
    Inventors: Gareth D. Richards, Yedidya Dotan, Riaz Zolfonoon, Gregory Dicovitsky
  • Patent number: 8955072
    Abstract: A user accesses a remote session, the connection to which is managed by a connection broker, according to a single sign-on (SSO) process. The SSO process includes the user entering his or her credentials and being authenticated to the connection broker. In addition to user authentication, the SSO process includes connection broker authentication to confirm that the connection broker is trustworthy. When the connection broker is authenticated, the user credentials are transmitted to the connection broker in a secure manner and the connection broker forwards them onto a machine hosting the remote session so that the user can be logged into the remote session without entering his or her credentials again.
    Type: Grant
    Filed: November 4, 2010
    Date of Patent: February 10, 2015
    Assignee: VMware, Inc.
    Inventors: Anthony Wilkinson, Per Olav Larsson, Ashley Nuttall, Hans Christenson, Tom Elliott, Steven Sigel, Adam G. Gross
  • Patent number: 8955082
    Abstract: An authentication mechanism in a local area network may use a cloud authentication mechanism to allow or deny authentication requests. A user may gain access within a local area network by entering a cloud identification and password, which may be verified by a cloud authentication mechanism. If the authentication is successful from the cloud authentication mechanism, the user identification and password are stored locally for subsequent authentication requests. In some embodiments, the cloud password may be periodically flushed so that subsequent requests may be passed to the cloud authentication mechanism. The authentication mechanism may be used in both domain and workgroup local area networks, and may operate in parallel with other users who may have local area network or client credentials which may not be authenticated from the cloud.
    Type: Grant
    Filed: November 11, 2013
    Date of Patent: February 10, 2015
    Assignee: Microsoft Corporation
    Inventors: Leszek Mazur, Jianhui Xie, Sean D. Daniel, Cesare John Saretto
  • Patent number: 8955081
    Abstract: An apparatus for, and method of, single sign-on collaboration among a plurality of mobile devices, includes a server for issuing a first identity token to subsequently authenticate a user of a first of the mobile devices to a service provider, and for generating and sending a collaboration key to the first device based on the first identity token or user authentication. The first device generates and sends a collaboration credential based on the collaboration key to a second device paired with the first device. The server also issues a second identity token to subsequently authenticate to the service provider the user of the second device based on the collaboration credential received from the first device, to support single sign-on collaboration for the user across the plurality of mobile devices.
    Type: Grant
    Filed: December 27, 2012
    Date of Patent: February 10, 2015
    Assignee: Motorola Solutions, Inc.
    Inventors: Anthony R. Metke, Katrin Reitsma, Adam C. Lewis, George Popovich, Steven D. Upp
  • Patent number: 8955079
    Abstract: Methods and systems for facilitating sign-on procedures in connection with a converged system are provided. An authentication plug-in operates to receive authentication credentials in connection with a request to access an application by a client. The authentication plug-in is capable of operating in different contexts in a converged system. After an initial sign-on, subsequent sign-on requests can be fulfilled by accessing authentication credentials stored in a cache.
    Type: Grant
    Filed: October 31, 2011
    Date of Patent: February 10, 2015
    Assignee: Avaya Inc.
    Inventors: Mahalingam Mani, David Ahrens
  • Patent number: 8955078
    Abstract: A method of facilitating zero sign-on access to media services depending on trust credentials. The trust credentials may be cookies, certificates, and other data sets operable to be stored on a device used to access the media services such that information included therein may be used to control the zero sign-on capabilities of the user device.
    Type: Grant
    Filed: June 30, 2011
    Date of Patent: February 10, 2015
    Assignee: Cable Television Laboratories, Inc.
    Inventors: Stuart A. Hoggan, Seetharama R. Durbha
  • Patent number: 8955080
    Abstract: The disclosure generally describes computer-implemented methods, software, and systems for cloud-based single sign-on (SSO) capabilities. A computer-implemented method includes operations for identifying a first system for single sign-on capabilities, identifying a second system disparate from the first system for providing a single sign-on capability with the first system through a cloud-based SSO configuration manager, automatically accessing metadata associated with the sign-on information of the second system, the set of metadata identifying sign-on-related information for sharing at least one credential/certificate for logging in to the second system, using the metadata to obtain an authorization for a single sign-on between the first and second systems, receiving a request from the first system for authorization at the second system, and, in response to the request, providing the authorization and creating a cloud-based SSO system that includes the first and second systems.
    Type: Grant
    Filed: December 7, 2012
    Date of Patent: February 10, 2015
    Assignee: SAP SE
    Inventors: Frank Brunswig, Peter Dell, Klaus Herter, Bare Said
  • Patent number: 8949596
    Abstract: A first server is configured to receive a first token from a user device, determine whether the first token is valid, request the user device to provide a set of credentials to a second server, based on determining that the first token is invalid, and receive a first response from the user device. The first response may include information identifying whether the user device is authenticated to communicate with the first server. The first server is further configured to send the first response to a third server. The third server may generate a second response to indicate authentication of the user device to communicate with the first server. The first server is further configured to receive the second response from the third server, generate a second token, based on receiving the second response, and send the second token to the user device.
    Type: Grant
    Filed: July 10, 2012
    Date of Patent: February 3, 2015
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Fenglin Yin, Jianxiu Hao, Zhiying Jin
  • Patent number: 8949422
    Abstract: In some examples, a contents providing apparatus that provides contents to multiple devices may include a user information management unit, a contents management unit, a contents usage information management unit, and a contents usage information searching unit.
    Type: Grant
    Filed: September 9, 2011
    Date of Patent: February 3, 2015
    Assignee: KT Corporation
    Inventors: Hoon Kyu Park, Jin Han Kim, Young Min Chin
  • Patent number: 8949963
    Abstract: Methods and apparatus, including computer program products, implementing and using techniques for providing user credentials over a network to a remote computer application. User credentials for the remote computer application are stored in a central repository that is accessible through the network. A request is sent to a service to perform, on behalf of a user, a particular task involving the remote computer application. It is determined whether the service has been granted permission to act on behalf of the user with respect to the remote computer application. When the service has permission to act on behalf of the user, the service is used to retrieve the user's credentials for the remote computer application from the central repository and to supply the retrieved user credentials to the remote computer application.
    Type: Grant
    Filed: April 30, 2013
    Date of Patent: February 3, 2015
    Assignee: salesforce, inc.
    Inventors: Thomas Nabiel Boulos, Prasanta Kumar Behera
  • Publication number: 20150033315
    Abstract: A computer system and related features and functionality are presented here. The computer system may be implemented as a multi-tenant database system that supports a number of users via web browser interfaces. The system supports a user authentication method that maintains access tokens at a local client device level for purposes of single sign-on to different tenants or to different native local applications. The system also supports a method of testing computer executable code. The testing procedure defines and tests a plurality of different browser-based functions, and generates a consolidated code coverage report that includes the results of the tests.
    Type: Application
    Filed: September 24, 2013
    Publication date: January 29, 2015
    Applicant: salesforce.com, inc.
    Inventors: Ashok Gadamsetty, Santhosh Kumar Kuchoor
  • Patent number: 8943561
    Abstract: Systems and methods for authenticating users are presented. A system can send a passkey to a user interface of a known device. A user can then send a messaging service message with the passkey from a second device to the system. After receiving the message from the user, the system can extract the passkey from the message, and compare the received passkey against the passkey originally sent to the user. The known device and the second device can each have separate and unique device identifiers.
    Type: Grant
    Filed: July 13, 2012
    Date of Patent: January 27, 2015
    Assignee: TextPower, Inc.
    Inventors: Robert Foster, Scott Goldman, Mark Nielsen
  • Patent number: 8943571
    Abstract: Disclosed is a method for protecting a single sign-on domain from credential leakage. In the method, an authentication server provides an authentication cookie to a browser client. The cookie has at least one user authentication credential for the domain, and is associated with an authentication subdomain of the domain. The server receives the cookie from the browser client. Upon authentication of the user authentication credential in the received cookie, the server responds to the access request by forwarding, to the browser client, a limited-use cookie for the domain. The server receives a request from the content server to validate a session identifier of the limited-use cookie received from the browser client. Upon validation of the session identifier of the limited-use cookie, the server provides a valid session message to the content server for enabling the content server to forward requested content to the browser client.
    Type: Grant
    Filed: October 4, 2011
    Date of Patent: January 27, 2015
    Assignee: QUALCOMM Incorporated
    Inventors: Michael W. Paddon, Jessica M. Flanagan, Craig M. Brown
  • Patent number: 8943570
    Abstract: Exemplary network infrastructures and methods employing a Security Gateway utilize client authentication for use of a secure connection between an application client and an application server of a protected network. Once a secure connection has been set up, a Security Gateway can start a timer for establishing a period within which a password and username are to be received from the application client before traffic is allowed to exit the Security Gateway. If a username and password are provided while the timer is running, the Security Gateway can contact a single sign on (SSO) server to check whether the username and password are correct. If the username and password are valid, the Security Gateway can start relaying traffic externally to the application server. If an invalid username and password are provided or the timer times out before receipt of a username and password, the secure connection can be terminated.
    Type: Grant
    Filed: December 2, 2010
    Date of Patent: January 27, 2015
    Assignee: Cellco Partnership
    Inventor: Rohit Kalbag
  • Patent number: 8943572
    Abstract: The present invention discloses a method for accessing a storage server of an IM service system and an IM service system. The method comprises: IM client sending registration request message to IM service system using first user identifier; after receiving registration request message, IM service system obtaining other user identifiers associated with the first user identifier, sending registration success response message comprising other user identifiers associated with the first user identifier to IM client; IM storage client sending login request comprising any one of multiple user identifiers to storage server; storage server receiving login request and obtaining other user identifiers associated with the user identifier in login request; the storage server passing identity verification of multiple user identifiers.
    Type: Grant
    Filed: March 1, 2011
    Date of Patent: January 27, 2015
    Assignee: ZTE Corporation
    Inventors: Yan Lu, Man Xie
  • Patent number: 8938789
    Abstract: An information processing system stores key information for determining an authentication device and information about the authentication device by associating these information pieces with each other and extracts the key information from access of an unauthenticated user. Based on the information about the authentication device associated with the key information, the access of the unauthenticated user is redirected.
    Type: Grant
    Filed: February 10, 2012
    Date of Patent: January 20, 2015
    Assignee: Canon Kabushiki Kaisha
    Inventor: Yu Tamura
  • Publication number: 20150020184
    Abstract: A method and system for authenticating a user at a first computer to first and second applications installed in a second computer. The second computer receives from the user a first request to access the first application, and in response, the second computer redirects the first request to a third computer, and in response, the third computer determines that the user was previously authenticated and so notifies the second computer, and in response, the second computer returns a first session key to the third computer. The first session key enables a session with the first application but not with the second application. The second computer receives from the user a second request with a second session key to access the first and/or second application, and in response the second computer determines that the user is authentic and notifies the first and/or second application that the user is authentic.
    Type: Application
    Filed: October 3, 2014
    Publication date: January 15, 2015
    Inventors: Yaser K. Doleh, Christopher G. Kalamaras, Mauro Marzorati
  • Patent number: 8935808
    Abstract: Methods and systems are described herein for performing attribute authentication for use by a relying party in providing access to a resource as requested by a user. Attribute authentication may be performed entirely by a single identity service provider, or by multiple identity service providers each authenticating a subset of a plurality of user attributes, such as name, address, phone, email, and the like. Each attribute may be authenticated with a level of assurance. Levels of assurance may vary from attribute to attribute. Different levels of assurance may be required for different attributes before the relying party may grant access to the user-desired resource. An authentication broker may act as a registry or broker of identity service providers, and may store information usable by relying parties to establish a trust relationship with a particular identity service provider on demand, as needed by a relying party.
    Type: Grant
    Filed: December 18, 2012
    Date of Patent: January 13, 2015
    Assignee: Bank of America Corporation
    Inventor: Abdulkader Barbir
  • Publication number: 20150012995
    Abstract: A system for and method of providing a mobile device user with a mobile single sign-on (MSSO) platform that can interface with multiple mobile applications on the mobile device. A user having a mobile device may access a mobile application on the mobile device. The mobile application may be enabled to interface with the MSSO platform. The MSSO platform may capture the user credentials sent over a wireless link and provide them to a remote server. The remote server may establish a session over a wireless link with the mobile device based on the user credentials. The MSSO platform may make this session available to other applications on the mobile device seamlessly. The wireless link may be part of a publicly accessible communication network.
    Type: Application
    Filed: July 2, 2013
    Publication date: January 8, 2015
    Inventors: Mukeshkumar KORAT, Jamal A. ALVI, Chung-Bun B. HWANG, Aarathi KALIANDA, Sivaguru EKNATH
  • Patent number: 8931050
    Abstract: Systems and methods of controlling access to one or more mobile applications are provided. In some examples, a plurality of business groups may be identified. One or more mobile applications may be associated with each business group. An individual determined to be associated with the business group may then receive, on a mobile device, access to the one or more mobile applications associated with the business group with which he/she is associated. In some examples, the one or more mobile applications may include native applications, web or Internet based applications and/or third party applications provided in a portal. In some examples, the portal may “take over” or mimic the desktop of the mobile device. The systems, methods, and the like may also prevent access to one or more applications not associated with the business group of the individual.
    Type: Grant
    Filed: August 23, 2011
    Date of Patent: January 6, 2015
    Assignee: Bank of America Corporation
    Inventors: William Blake Belchee, Julie M. Ingalls, Michael Emil Ogrinz, Richard A. McEntee, K. Kanaka Subramaniam, Jogeswar Sarma Malapaka
  • Patent number: 8931051
    Abstract: Scaling and highly available clustering for large scale real-time applications is provided. A ring may be formed which includes multiple nodes for providing a set of services in a system. When a network partition is detected which affects communications between each of the nodes in the ring, the formation of additional rings is prevented by shutting down nodes which include a minority of voting nodes in the ring while maintaining the availability of the nodes which include a majority of the voting nodes to continue providing the set of services in the system.
    Type: Grant
    Filed: November 14, 2012
    Date of Patent: January 6, 2015
    Assignee: Microsoft Corporation
    Inventors: Namendra Kumar, Krishnan Ananthanarayanan, Sankaran Narayanan, Dhigha Sekaran, Vadim Eydelman
  • Publication number: 20150007298
    Abstract: Methods, systems and computer readable media for multi-device single network sign-on are described. For example, a method can include authenticating a first device for network access via a first authentication process, the first device being associated with a user account. The method can also include receiving an access request from a second device associated with the user account, and determining whether the second device is within an access perimeter of the first device. The method can further include permitting the second device to access the network without a second authentication process when the second device is within the access perimeter of the first device.
    Type: Application
    Filed: June 27, 2013
    Publication date: January 1, 2015
    Inventors: Sunil Menon, Shailesh Patel
  • Publication number: 20150007299
    Abstract: Features are disclosed for authentication of mobile device applications using a native, independent browser using a single-sign-on system. An authentication module within the mobile application can direct the mobile device's native browser to a URL to initiate authentication with an authentication appliance. The mobile browser can receive and store a browser-accessible token to indicate previous authentication performed by the user. The mobile application can receive from the application appliance and store a client application ID token that may be presented to network services for access. A second mobile device application may direct the same browser to the authentication appliance. The authentication appliance may inspect the persistent browser-accessible token and issue a second client application ID identity to the second application without collecting additional authentication information, or collecting additional authentication information that is different from the first authentication information.
    Type: Application
    Filed: June 26, 2014
    Publication date: January 1, 2015
    Inventors: Garret Florian Grajek, Jeff Chiwai Lo, Robert Jason Phillips, Shu Jen Tung
  • Patent number: 8925044
    Abstract: A system and method for recognizing traffic generated from an authenticated device roaming in a wireless local area network and related aspects are provided. An authentication server is arranged to authorize communications traffic originating from a wireless access point to use a roaming service, the traffic comprising an NAT translated IP address. The server first authorizes a WLAN roaming device, and then processes a meta-data message received from a WLAN access point in which the source address of the message comprises the source address of the roaming device at the WLAN access point. The server then determines, from the information provided in the meta-data message when it is received by the authentication server, which includes at this point a NAT translated source address in the meta-data message what the NAT translated source address of traffic from said NAT translated source address.
    Type: Grant
    Filed: March 30, 2011
    Date of Patent: December 30, 2014
    Assignee: BRITISH TELECOMMUNICATIONS public limited company
    Inventors: Paul Thomas Woodward, Shahzad Subedar
  • Patent number: 8925052
    Abstract: One embodiment of a method of integrating software applications includes customizing properties of an InfoVista application to accept a format of login strings provided by a SiteMinder application; modifying authentication information in properties of the InfoVista application to match authentication information that is to be sent from the SiteMinder application; and customizing the SiteMinder application to pass authentication information needed by the InfoVista application for login of a user into the InfoVista application using a single sign-on interface provided by the SiteMinder application. Other methods and systems are also provided.
    Type: Grant
    Filed: April 10, 2007
    Date of Patent: December 30, 2014
    Assignee: AT&T Intellectual Property I, L.P.
    Inventor: Arthur Deagon
  • Publication number: 20140380450
    Abstract: A system and method for facilitating the establishment of a virtual private network between a network and a remote computer, the system having: a mobile device connectable to the remote computer and storing a user profile, virtual private network information, and password information; virtual private network software being located on one of the mobile device and the remote computer; an access point communicating with the network; and communication means for communications between the access point and one of the mobile device and the remote computer, wherein the user profile, virtual private network information, and password information is passed to the virtual private network software upon connection of the mobile device to the remote computer, the virtual private network software using the user profile, virtual private network information, and password information to establish a virtual private network through the communications means and the access point to the network.
    Type: Application
    Filed: July 2, 2014
    Publication date: December 25, 2014
    Inventors: Risvan COSKUN, Ahmed Areef REZA, Luis ESTABLE
  • Patent number: 8918848
    Abstract: Methods and systems for third party client authentication of a client. A method includes displaying a user interface on a display of the client, the user interface including an option to select a supported credential type of a third party authentication server, receiving a command selecting the supported credential type, and sending credential information and the selected supported credential type to an authentication server for third party authentication by the third party authentication server. The third party authentication server may support a token-based authentication protocol for implementing single sign on (SSO).
    Type: Grant
    Filed: April 26, 2010
    Date of Patent: December 23, 2014
    Assignee: BlackBerry Limited
    Inventors: Girish Kumar Sharma, Lenny Kwok-Ming Hon, Joseph Daniel Burjoski, Kenneth Cyril Schneider
  • Publication number: 20140373125
    Abstract: A method, device and system for network security protection comprise: according to a received scan task, a network security device performs a security bug scan of the scan task appointed web site, and when a scan result is obtained, transmits the scan result to a network application firewall, so that the network application firewall can configure an individuality security strategy for the web site according to the received scan result. The problem that it cannot be implemented complete individuality security configuration of the web site can be solved in this way.
    Type: Application
    Filed: December 11, 2012
    Publication date: December 18, 2014
    Inventors: Mingfeng Huang, Bo Qin, Huaigu Ou, Zhiming Song, Congyu Li, Rong Zhou
  • Patent number: 8914856
    Abstract: Disclosed are various embodiments for the synchronizing of files between a networked storage system and a third party system. A file can be stored in a storage location in a networked storage system. A determination can be made whether the storage location is associated with a third party system. An authentication credential can be retrieved that is associated with the third party system. Upload of the file to the third party system can be initiated.
    Type: Grant
    Filed: June 17, 2011
    Date of Patent: December 16, 2014
    Assignee: Amazon Technologies, Inc.
    Inventors: Piragash Velummylum, Johanna S. Olson, Korwin J. Smith, James H. Wood, Christopher G. Emery
  • Patent number: 8910242
    Abstract: The objective of the present invention is to disable functionality of an additional-function unit if an unauthorized program has been installed in an information processing device, thereby preventing an unauthorized program from acquiring, in an unauthorized manner, information from the additional-function unit.
    Type: Grant
    Filed: September 12, 2011
    Date of Patent: December 9, 2014
    Assignee: NEC Infrontia Corporation
    Inventor: Tsuyoshi Komiyama
  • Patent number: 8910264
    Abstract: Methods, systems, computer-readable media, and apparatuses for providing mobile device management functionalities are presented. In various embodiments, a mobile device management agent may monitor state information associated with a mobile computing device. The monitored state information may be analyzed on the mobile computing device and/or by one or more policy management servers. In some instances, the one or more policy management servers may provide management information to the mobile computing device, and the management information may include one or more commands (which may, e.g., cause the mobile computing device to enforce one or more policies) and/or one or more policy updates. Subsequently, one or more policies may be enforced on the mobile computing device based on the monitored state information and/or based on the management information.
    Type: Grant
    Filed: September 20, 2013
    Date of Patent: December 9, 2014
    Assignee: Citrix Systems, Inc.
    Inventor: Waheed Qureshi
  • Patent number: 8910263
    Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for automated mobile device management profile distribution. One of the methods includes receiving a first request for access to a first network resource from a client device, the first network resource corresponding to one of a plurality of restricted resources accessible only by devices enrolled with a mobile device management system, determining that the client device is not enrolled with the mobile device management system, preventing the client device access to the first network resource, providing to the client device a redirect to a mobile device management resource that is different from the first network resource, providing instructions for presentation of a user interface to the client device, and enrolling the client device with the mobile device management system, the enrolling comprising providing a copy of the mobile device management profile to the client device.
    Type: Grant
    Filed: September 17, 2013
    Date of Patent: December 9, 2014
    Assignee: iboss, Inc.
    Inventor: Paul Michael Martini
  • Patent number: 8904559
    Abstract: An apparatus for enforcing a media stream delivery restriction uses a stream control service (SCS). The SCS is implemented in a distributed network, such as a CDN, in which a given media stream is delivered to authorized end users from multiple delivery servers, but where an authorized end user is associated with a single log-in identifier that is not intended to be shared with other end users. According to the method, an enforcement server of the SCS identifies first and second copies of the given media stream associated with the single log-in identifier being delivered from multiple delivery servers. It then issues a message to terminate delivery of the given media stream from at least one of the multiple delivery servers.
    Type: Grant
    Filed: December 30, 2013
    Date of Patent: December 2, 2014
    Assignee: Akamai Technologies, Inc.
    Inventor: Abdul Salam Faisal Padinjareveetil
  • Patent number: 8904166
    Abstract: Methods and systems for secure client-side communication between multiple domains are provided. Such methods and systems can provide for decreased communication latency particularly effective for dynamic multi-domain and/or multi-tenant environments while allowing for granular security or specific security of messages and operations with regard to users, user sessions, groups, organizations, permissions sets, applications, or any other logical delineation. Such methods and systems may involve a variety of security components, for example, at least one set of instructions including a plurality of defined instructions to be utilized by users of the set of instructions to communicate, and cryptographic construct data in order to verify the data integrity and the authenticity of messages sent and received using the secure client-side communication between multiple domains.
    Type: Grant
    Filed: August 6, 2013
    Date of Patent: December 2, 2014
    Assignee: salesforce.com inc.
    Inventors: Brendan O'Connor, Yoel Gluck
  • Patent number: 8904178
    Abstract: A method and apparatus for directing a client to establish a secure connection with a server across a public network. The server and the client exchange a Server Authentication Public Key, a Client Authentication Public Key, and a Remote Service Unique Identifier (RSUID) during a registration process. In one embodiment, the method includes the client transmitting to the server a client information package having the RSUID and a client challenge information package encrypted with the Server Authentication Public Key, the client receiving from the server a server information package having the RSUID and a server challenge information package and a portion of the received client challenge information encrypted with the Client Authentication Public Key, the client decrypting and verifying the server challenge information package with the Client Authentication Private Key, and, the client transmitting to the server an encrypted portion of the received client challenge information.
    Type: Grant
    Filed: September 26, 2007
    Date of Patent: December 2, 2014
    Assignee: International Business Machines Corporation
    Inventors: Mark F. Wilding, Randall W. Horman
  • Publication number: 20140351915
    Abstract: An approach is provided for providing separation of authentication protocols and/or authentication contexts for client-server and server-server communication in network communication. A proxy server receives a request to initiate a service session. The request includes a first authentication context. The proxy server requests verification of the first authentication context from an authentication server and validates the first authentication context based, at least in part, on the verification. The proxy server implements a second authentication context based, at least in part, on the verification of the first authentication context to initiate the service session.
    Type: Application
    Filed: August 6, 2014
    Publication date: November 27, 2014
    Inventors: Jari OTRANEN, Lauri TARKKALA, Deepali KHUSHRAJ
  • Patent number: 8898765
    Abstract: An aspect of the present invention simplifies signing-off from multiple domains. In an embodiment, upon receiving a sign-off request from a user signed-on to multiple domains, the user is signed-off from at least two, but not all, the signed-on domains in due course. According to another aspect, the domains of an enterprise are organized as groups of domains. In response to receiving a request for signing-off from a first domain, the user is signed-off from each of a group of domains corresponding to the first domain (in addition to the first domain). In an embodiment, an administrator of the enterprise specifies a master domain for each group, to facilitate identification of the group to be signed-off. According to another aspect, a user selects a set of domains to sign-off from. The user is signed-off from only the selected set of domains.
    Type: Grant
    Filed: February 15, 2012
    Date of Patent: November 25, 2014
    Assignee: Oracle International Corporation
    Inventors: Sanyam Goyal, Vikas Pooven Chathoth
  • Publication number: 20140344910
    Abstract: A system and a method for single-sign-on (SSO) in a virtual desktop infrastructure (VDI) environment are disclosed. The system includes a VDI service server configured to provide a virtual desktop environment to a user terminal according to a request from the user terminal, and a VDI authentication interworking gateway configured to receive VDI environment information of the user terminal from the VDI service server and carry out delegated user authentication for a target system in the virtual desktop environment using the VDI environment information.
    Type: Application
    Filed: August 28, 2013
    Publication date: November 20, 2014
    Applicant: SAMSUNG SDS CO., LTD.
    Inventors: Sundeuk KIM, Hyun Taek OH
  • Publication number: 20140344911
    Abstract: A method and a system for managing login using a cookie are described. The method includes receiving from a respective client system a request for document information, and receiving from the respective client system a cookie that identifies a plurality of user names logged into the server system from the respective client system. The plurality of logged-in user names includes a first user name and a second user name distinct from the first user name. The method also includes redirecting the received request to a location associated with a selected user name of the plurality of logged-in user names, and receiving the redirected request. The method furthermore includes, in response to the redirected request, processing the request as a request from the selected user name and sending to the respective client system document information corresponding to the request from the selected user name.
    Type: Application
    Filed: August 1, 2014
    Publication date: November 20, 2014
    Inventors: Valerie BLECHAR, Micah LEMONIK, Michael Wayne CROSBY, Robert Eugene WYRICK, Ronald HO
  • Patent number: 8893232
    Abstract: A media monitoring system that allows a monitoring device to control the media content that can be downloaded by a monitored device. The monitoring device reviews requests for media content from the monitored device and makes a decision whether to allow the monitored device access to the media content. Authorization may occur interactively or automatically using media settings associated with the monitored device. The monitored device is prevented from accessing media content until the media content is authorized. The media monitoring system may operate in a wired and/or wireless network.
    Type: Grant
    Filed: February 6, 2009
    Date of Patent: November 18, 2014
    Assignee: Empire Technology Development LLC
    Inventors: Gene S. Fein, Edward A. Merritt
  • Patent number: 8893230
    Abstract: A system and method that include receiving a service provider identity request through a federated authentication protocol; transmitting a proxy identity request to a configured identity provider; receiving an identity assertion; facilitating execution of a second layer of authentication; determining a proxy identity assertion based on the identity assertion and the second layer of authentication; and transmitting the proxy identity assertion to the service provider.
    Type: Grant
    Filed: February 24, 2014
    Date of Patent: November 18, 2014
    Assignee: Duo Security, Inc.
    Inventors: Jon Oberheide, Douglas Song
  • Patent number: 8893237
    Abstract: To authenticate a user of a mobile communication device for login or transaction authorization, a first application on the device directs transmission of a request for authentication of the user to a security server. A second application on the device receives the request for authentication from the security server and directs presentation of the received request for authentication to the user by the device. The second application receives a user input to the device indicating that the requested authentication should proceed and in response directs transmission of an indication that the requested authorization should proceed, to the security server. In response to this latter transmission, the second application receives a PIN from the authentication server. The first application directs transmission of the PIN received by the second application to the network site, which validates the transmitted PIN, in order to authenticate the user or the transaction to the network site.
    Type: Grant
    Filed: May 2, 2014
    Date of Patent: November 18, 2014
    Assignee: Authentify, Inc.
    Inventor: Ravi Ganesan
  • Publication number: 20140337953
    Abstract: An un-authenticated user attempts to access a protected resource at a Web- or cloud-based application from within a rich client. The client has an associated local HTTP server. Upon being refused access, a browser-based login dialog is opened automatically within an embedded browser panel. After receipt of the user's login credential in the panel, the browser passes the credential to the server application. If the user is authenticated, the browser-based dialog receives a cookie establishing that the user is authenticated for a session. The browser then automatically makes a request to the HTTP server, passing the cookie. Upon receipt of the request at the rich client HTTP server, the rich client saves the cookie in an associated data store, shuts down the login dialog, and re-issues the original request to the server, this time passing the cookie. The rich client, having provided the cookie, is then permitted to access the resource.
    Type: Application
    Filed: May 8, 2013
    Publication date: November 13, 2014
    Applicant: International Business Machines Corporation
    Inventors: Mustansir Banatwala, Olgierd Stanislaw Pieczul, Stephen John Foley, Joseph Kubik
  • Publication number: 20140337954
    Abstract: An approach is provided for determining that a user has been authenticated for an access to at least one service using a federated identity (401). The approach also comprises determining federated account information associated with the user based, at least in part, on one or more user accounts associated with the federated identity, the at least one service, the at least one or more other services, or a combination thereof (403). The approach further comprises determining one or more functions of the at least one service, the at least one or more other services, or a combination thereof to make available to the user based, at least in part, on the federated account information (411).
    Type: Application
    Filed: December 5, 2012
    Publication date: November 13, 2014
    Inventors: Zahid Ahmed, Peter Herbert, Henri Kujala
  • Patent number: 8887251
    Abstract: A handover method of a mobile terminal between heterogeneous networks for facilitating the handover with pre-authentication procedure is provided. A handover method between heterogeneous networks includes receiving, at a mobile terminal connected to a source network, information on at least one target authenticator of a target network from a source authenticator in response to an attach request; creating an authentication key between the mobile terminal and the target authenticator selected among the at least one target authenticator through a pre-authentication process; determining, when the mobile terminal transmits a handover request to the selected target authenticator, whether the authentication key contained in the handover request matches with the authentication key stored in the selected target authenticator; and connecting, when the authentication keys match with each other, to the target network via the selected target authenticator.
    Type: Grant
    Filed: December 23, 2009
    Date of Patent: November 11, 2014
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Peng Lei, Jeong Jae Won, Young Seok Kim
  • Patent number: 8886948
    Abstract: A wireless device may perform a local authentication to reduce the traffic on a network. The local authentication may be performed using a local web server and/or a local OpenID provider (OP) associated with the wireless device. The local web server and/or local OP may be implemented on a security module, such as a smartcard or a trusted execution environment for example. The local OP and/or local web server may be used to implement a provisioning phase to derive a session key, associated with a service provider, from an authentication between the wireless device and the network. The session key may be reusable for subsequent local authentications to locally authenticate a user of the wireless device to the service provider.
    Type: Grant
    Filed: August 12, 2013
    Date of Patent: November 11, 2014
    Assignee: InterDigital Patent Holdings, Inc.
    Inventors: Andreas U. Schmidt, Michael V. Meyerstein, Andreas Leicher, Yogendra C. Shah, Louis J. Guccione, Inhyok Cha
  • Publication number: 20140331301
    Abstract: Techniques are described for enabling administrators of teams that use a particular service to specify which sign-on options, of multiple possible sign-on options, are assigned to the members of the teams to which the administrators belong. For example, an administrator may assign a first sign-on option, which only allows users to use native authentication, to one set of members of the team. At the same time, the administrator may assign a second sign-on option, which only allows users to use third-party single-sign-on authentication, to another set of members of the same team.
    Type: Application
    Filed: May 2, 2013
    Publication date: November 6, 2014
    Applicant: Dropbox, Inc.
    Inventors: Anand Subramani, Francois Alexander Allain
  • Publication number: 20140331273
    Abstract: An application launcher is disclosed for retrieving and permitting launch of multiple mobile applications through a single, secure authentication process, and a method of use. The method includes receiving a request to launch one or more applications through a single authentication process. The method further includes authenticating a user through an application launcher. The method further includes appending a security token to one or more applications upon authentication of the user to enable the user to launch the one or more applications through the single authentication process provided by the application launcher.
    Type: Application
    Filed: May 3, 2013
    Publication date: November 6, 2014
    Applicant: Kony Solutions, Inc.
    Inventors: RAJ KUMAR KONERU, PATTABHI RAMA RAO DASARI, PRAJAKT DESHPANDE, RAJENDRA KOMANDUR, SRIRAM RAMANATHAN, MATTHEW TERRY, MATTHEW TREVATHAN, SATHYANARAYANA VENNAPUSALA
  • Patent number: 8880872
    Abstract: A first computer sends a request to the second computer to access the application. The second computer determines that the user has not yet been authenticated to the application. The second computer redirects the request to a third computer. The third computer determines that the user has been authenticated to the third computer. The third computer authenticates the user to the application. The second computer returns a session key to the third computer for a session between the application and the user. The session has a scope of the second computer or the application but not a scope of a domain. The third computer generates another session key with a scope of the domain and sends the domain-scope session key to the first computer.
    Type: Grant
    Filed: May 24, 2012
    Date of Patent: November 4, 2014
    Assignee: International Business Machines Corporation
    Inventors: Yaser K. Doleh, Christopher G. Kalamaras, Mauro Marzorati
  • Publication number: 20140325631
    Abstract: The present invention relates to various aspects for maintaining and utilizing login preference information of users of a network-based transaction facility. In one embodiment, user interface information is communicated to a client via a communications network. The user interface information includes information concerning a plurality of features within the network-based transaction facility. The user interface information also specifies a login interface that facilitates user input of login preference information pertaining to each of the plurality of features. Further, the login preference information is received from the client via the communications network and utilized to control user access to any of the plurality of features within the network-based transaction facility via the communications network.
    Type: Application
    Filed: July 11, 2014
    Publication date: October 30, 2014
    Inventors: Jennifer Pearson, Alex Dai-Shun Poon, Buffy Poon