Global (e.g., Single Sign On (SSO), etc.) Patents (Class 726/8)
  • Patent number: 8763098
    Abstract: In accordance with embodiments, there are provided mechanisms and methods for facilitating dynamic and continuous testing of security assertion markup language (SAML) credentials in an on-demand services environment. In one embodiment and by way of example, a method includes identifying, at a computing device, an organization using a SAML process in an on-demand service environment, obtaining SAML credentials relating to the identified organization, and testing the SAML credentials relating to the identified organization. The testing includes asserting a set of test credentials against the SAML credentials relating to the identified organization. The method may further include generating one or more new codes based on testing results obtained from testing.
    Type: Grant
    Filed: July 18, 2012
    Date of Patent: June 24, 2014
    Assignee: Salesforce.com, Inc.
    Inventor: Jong Lee
  • Publication number: 20140173711
    Abstract: A system and method for cross-domain web browser single sign-on is described. A client accesses a workflow view from a service provider. An identity provider of the service provider generates an authentication process view. The authentication process view has the workflow view provided by the service provider and a logon form view provided by the identity provider.
    Type: Application
    Filed: December 13, 2012
    Publication date: June 19, 2014
    Applicant: SAP AG
    Inventor: Stephan Zlatarev
  • Publication number: 20140165175
    Abstract: One object is to restrain unauthorized logins without significantly reducing usability. In accordance with one aspect, a server device according to an embodiment includes: an information storage unit for storing information; a setting unit for setting a value conversion rule used for login authentication; an information generating unit for generating login authentication information in response to a display request for a login screen sent from a terminal device; a sending unit for sending login screen data for displaying the login screen on the terminal device; a receiving unit for receiving login information from the terminal device; a determination unit for determining whether a login is permitted based on the received login information; a monitoring unit for monitoring the situation of unauthorized logins to the server device; and a selection unit for selecting a candidate for a new value conversion rule in accordance with the situation of unauthorized logins.
    Type: Application
    Filed: November 14, 2013
    Publication date: June 12, 2014
    Applicant: DeNA Co., Ltd.
    Inventor: Toshiharu SUGIYAMA
  • Publication number: 20140165176
    Abstract: According to the present application, systems, devices and methods for sharing media files may promote sharing of media without permitting the media to be downloaded. Such systems, devices and methods for sharing media may further enable lists of files to be shared and responses to be delivered to the media owner during playback by a user. A local device may be utilized to enable the storing and sharing of media that is hosted off the cloud. Streaming from the file sharing system or the local device is facilitated through the system.
    Type: Application
    Filed: December 4, 2013
    Publication date: June 12, 2014
    Inventor: Benedict Ow
  • Patent number: 8752145
    Abstract: An improved authentication technique employs a user's mobile device to obtain a picture of the user from which facial geometry is extracted and applied as part of an authentication operation of the user to the remote network. In some examples, a server stores facial geometry for different users along with associated PINs. By matching facial geometry of the user with facial geometry on the server, the user's PIN can be obtained, without the user ever having to register or remember the PIN.
    Type: Grant
    Filed: December 30, 2011
    Date of Patent: June 10, 2014
    Assignee: EMC Corporation
    Inventors: Yedidya Dotan, Sorin Faibish, Samuel Adams, Yael Villa, Robert S. Philpott
  • Patent number: 8752123
    Abstract: According to one embodiment, an apparatus may receive a first data token indicating a request for data associated with the resource, a subject token indicating that at least one form of authentication has been completed, and a network token indicating that at least one form of encryption has been performed. The apparatus may determine at least one token-based rule based at least in part upon the first data token, the subject token, and the network token. The apparatus may determine, based at least in part upon the at least one token-based rule, that a second data token representing the data should be generated. The apparatus may generate a message indicating the determination that the second data token should be generated and then transmit the message.
    Type: Grant
    Filed: May 24, 2012
    Date of Patent: June 10, 2014
    Assignee: Bank of America Corporation
    Inventors: Rakesh Radhakrishnan, Cynthia A. Frick, Ronald Wayne Ritchey, Abdulkader Omar Barbir, Lawrence Robert Labella
  • Patent number: 8752150
    Abstract: Access to backup information, such as at network attached storage compliant with NDMP, is managed by interfacing a backup authentication mechanism with a primary authentication system and responding to requests for backup information according to permissions defined by the primary authentication system. A data management application requests access to backup information with an NDMP MD5 hash and includes a domain name and password for an LDAP or AD authentication through a pluggable authentication module. Access to backup information is provided based upon the permissions associated with the domain of the primary authentication mechanism.
    Type: Grant
    Filed: September 12, 2012
    Date of Patent: June 10, 2014
    Assignee: Dell Products L.P.
    Inventors: Andrei Ivanov, Jacob Cherian
  • Patent number: 8752152
    Abstract: A data replication mechanism is proposed that relies on existing federation infrastructure enabling distributed authentication instead of storing and using explicit credentials for a remote forest. The data replication mechanism requests a federation token with data replication capabilities targeted to the remote forest and passes this token to the remote forest in lieu of explicit credentials.
    Type: Grant
    Filed: December 14, 2009
    Date of Patent: June 10, 2014
    Assignee: Microsoft Corporation
    Inventors: Ayla Kol, Dmitri Gavrilov, Bradford Clark, Brian T. Kress, James C. Kleewein
  • Patent number: 8752154
    Abstract: According to one embodiment, a system including a memory and a processor is provided. The memory may be operable to store a plurality of accounts. Each account may be associated with a user and with a mobile device. The processor may be coupled to the memory and operable to receive user credentials, sent by a requesting user and originating from a requesting device, in conjunction with a request for authentication. The user credentials may include an account identifier. The processor may be further operable to retrieve, from the plurality of accounts, the account associated with the account identifier that matches the account identifier included in the user credentials. The processor may compare information included within the user credentials with information associated with the account. If the information included within the user credentials matches the information associated with the account, the processor may send an authentication-confirmation message to a second device.
    Type: Grant
    Filed: August 11, 2011
    Date of Patent: June 10, 2014
    Assignee: Bank of America Corporation
    Inventor: William E. Kelley
  • Patent number: 8752157
    Abstract: According to one embodiment, an apparatus may store a plurality of tokens. The apparatus may receive a first token indicating that access to a resource has been requested by a device. The apparatus may determine at least one token-based rule based at least in part upon the first token. The at least one token-based rule may condition access to the resource upon a second token. The apparatus may determine the geographic location of the device based on a token in the plurality of tokens. The apparatus may determine, based on the geographic location of the device, that the second token should be requested from an entity and transmit a request to the entity for the second token. The apparatus may receive the second token from the entity and generate a session token based at least in part upon the first token and the second token.
    Type: Grant
    Filed: May 24, 2012
    Date of Patent: June 10, 2014
    Assignee: Bank of America Corporation
    Inventor: Rakesh Radhakrishnan
  • Patent number: 8744970
    Abstract: In an information communication system, user personal information is batch-managed in a user management center apparatus. The center apparatus issues temporary information, which includes temporary user information and temporary authentication information, in response to a log-in request from a user terminal apparatus that designates a net-shop apparatus, and sends the information to the user terminal apparatus and the designated net-shop apparatus. Thereby, if the user terminal apparatus sends an authentication request to the net-shop apparatus on the basis of the information, the net-shop apparatus can authenticate the user terminal apparatus on the basis of the information from the user management center apparatus. At this time, the user personal information does not go to the net-shop apparatus, and there is no need for the net-shop apparatus to manage the user personal information.
    Type: Grant
    Filed: February 21, 2008
    Date of Patent: June 3, 2014
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Shinichi Kurihara, Asahiko Yamada
  • Patent number: 8745714
    Abstract: The mock tool can be configured to create a mock execution environment for supporting software development processes. The mock execution environment is isolated from resources of the computing system supporting the mock execution environment and other mock execution environments. Further, the mock execution environment can be created to simulate disabling of any features of the operating system supporting the mock execution environment that could cause problems in the software development process.
    Type: Grant
    Filed: December 22, 2010
    Date of Patent: June 3, 2014
    Assignee: Red Hat, Inc.
    Inventors: Daniel J. Walsh, Jason Greguske
  • Patent number: 8745728
    Abstract: Methods, apparatus, systems and computer program products are described and claimed that provide for automatically and positively determining that an associate accessing a business domain/application using an application-specific associate identifier is the same associate that is accessing another business domain/application using another application-specific associate identifier. Once the positive determination of same associate is made, a federated identifier key is generated and applied to all of the platforms in which the associate can be positively identified, so as to globally identify the associates across multiple enterprise-wide domains/applications. As such, the present invention eliminates the need to manually analyze associate data to determine if an associate interfacing with one domain/application is the same associate interfacing with another domain/application.
    Type: Grant
    Filed: May 10, 2012
    Date of Patent: June 3, 2014
    Assignee: Bank of America Corporation
    Inventors: Rangarajan Umamaheswaran, Bruce Wyatt Englar, Brett A. Nielson, Miroslav Halas
  • Patent number: 8745718
    Abstract: Information useful for authenticating an entity is sent over a back channel during the authentication of an entity to a RESTful service. The delivery of the entity-related information is triggered by the validation of a service ticket received by the authentication component of the RESTful service.
    Type: Grant
    Filed: October 2, 2012
    Date of Patent: June 3, 2014
    Assignee: Jericho Systems Corporation
    Inventors: Michael Dufel, Vijayababu Subramanium, Mizanul Chowdhury
  • Publication number: 20140150078
    Abstract: An online content publishing and consumption environment can be modeled such that communities of content consumers (users), such as educational institutes and libraries, are categorized as Content Brokers; content providers, such as book, music, and multimedia publishers, and news sources, are categorized as Content Providers; and a Content Bridge, a standalone component providing the functionalities of the presently claimed invention in the online content publishing and consumption environment. The Content Bridge allows a simpler and loosely-coupled integration with lowered integration cost and effort, as the Content Broker is required to integrate once only with the Content Bridge instead of having to integrate individually with every Content Provider.
    Type: Application
    Filed: November 27, 2012
    Publication date: May 29, 2014
    Applicant: Hong Kong Applied Science and Technology Research Institute Company Limited
    Inventors: Chi Kong Wu, Minghua Shi
  • Publication number: 20140150079
    Abstract: A first device implements an application platform that is shared with a second device. The application platform can be implemented so that the first device and the second device operate to have a same identity to at least the network service. The first device provides a user interface in order to receive input for accessing or using the network service. Additionally, the first device communicates input received in response to providing the user interface to the network service. The first device can receive a token from the network service in response to communicating the input. Additionally, the first device can communicate a set of data items to the second device. The set of data items includes the token and one or more identifiers that enable the second device to access and use the network service while appearing as the first device to the network service.
    Type: Application
    Filed: November 26, 2013
    Publication date: May 29, 2014
    Applicant: Qualcomm Incorporated
    Inventors: Yohan Le Nerriec, Jehan Gerard Bing, Alexandre Guion, Judah John Menter, Daniel D. Tai
  • Publication number: 20140143846
    Abstract: A client-server computing system includes a computer cluster for hosting certain resources, applications, programs, processes, files, and/or data that are published to users who are accessing the computer cluster remotely. The computer cluster includes a network of one or more host computers, a gateway server, a gateway service database, and a user database. A single sign-on (SSO) method of the disclosure includes performing a computer cluster authentication process in which a user enters his/her credentials followed by a resource authentication process in which there is no need for the user to reenter his/her credentials, having entered them already in the computer cluster authentication process.
    Type: Application
    Filed: January 8, 2014
    Publication date: May 22, 2014
    Applicant: GRAPHON CORPORATION
    Inventor: William Tidd
  • Publication number: 20140143847
    Abstract: A client-server computing system includes a computer cluster for hosting certain resources, applications, programs, processes, files, and/or data that are published to users who are accessing the computer cluster remotely. The computer cluster includes a network of one or more host computers, a gateway server, a gateway service database, and a user database. A single sign-on (SSO) method of the disclosure includes performing a computer cluster authentication process in which a user enters his/her credentials followed by a resource authentication process in which there is no need for the user to reenter his/her credentials, having entered them already in the computer cluster authentication process.
    Type: Application
    Filed: January 8, 2014
    Publication date: May 22, 2014
    Applicant: GraphOn Corporation
    Inventor: William Tidd
  • Patent number: 8732810
    Abstract: A persistent connection is used for real-time or near real-time data transfer from a push platform on a network to a mobile station. To establish and maintain the persistent connection between the mobile station and push platform on the network, various protocols are defined over a packet connection between the mobile station and push platform. The real-time or near real-time data is pushed or sent by the push platform to the mobile station, as the data becomes available from a data source. In particular, heartbeat messages are used to determine whether or not the persistent connection is alive and available for real-time or near real-time data transfer. When the persistent connection is lost, the mobile station uses a retry connection scheme based on the number of connection attempts made by the mobile station for establishing a new persistent connection to the push platform.
    Type: Grant
    Filed: October 27, 2011
    Date of Patent: May 20, 2014
    Assignee: Cellco Partnership
    Inventors: Venkat Gaddam, Shahid Ahmed, Sankar Shanmugam, SM Masudur Rahman, William Cory Hawkins
  • Patent number: 8732815
    Abstract: In response to a service request designating a service identifier, a proxy server reads out at least two processing system identifiers corresponding to the designated service identifier from a first storage unit, and transmits an acquisition request containing the read-out at least two processing identifiers to a management server. The management server acquires respective authentication information items corresponding to the at least two processing identifiers contained in the received acquisition request from a second storage unit, and transmits the acquired authentication information items to the proxy server. The proxy server transmits user authentication requests for respective processing systems containing the received authentication information items to the at least two processing systems, respectively.
    Type: Grant
    Filed: January 24, 2012
    Date of Patent: May 20, 2014
    Assignee: Fujitsu Limited
    Inventors: Takao Ogura, Hitoshi Ueno, Makoto Kubota
  • Patent number: 8732811
    Abstract: Systems and methods for providing a login context operate a virtual machine, wherein the virtual machine includes an open services platform and an authentication service, wherein the authentication service includes a classloader, and an initial classloader is designated as the classloader of the authentication service, register a login module, receive an authentication request from a first application, and responsive to receiving the authentication request designate a classloader associated with the login module as the classloader of the authentication service, generate a login context of the login module, and provide the login context of the login module to the first application, whereby the first application uses the login context to perform an authentication.
    Type: Grant
    Filed: March 14, 2012
    Date of Patent: May 20, 2014
    Assignee: Canon Kabushiki Kaisha
    Inventors: Eliza Khosrova, Harishankar Karantothu, Craig Mazzagatte, Wei-Jhy Chern
  • Publication number: 20140137225
    Abstract: A method may include authenticating a device to a first server, where the device includes an agent; receiving a request, in the first server from a second server, to verify the authenticity of the device, where the device is not authenticated to the second server; sending a browser plug-in to the device to communicate with the agent for verifying the authenticity of the device; receiving, in the first server, a message from the agent verifying the authenticity of the device; and sending a message from the first server to the second server to authenticate the device to the second server.
    Type: Application
    Filed: January 6, 2014
    Publication date: May 15, 2014
    Applicant: Juniper Networks, Inc.
    Inventors: Roger A. CHICKERING, Paul Funk
  • Publication number: 20140137226
    Abstract: A method for processing identity information may include: a first identity for logging into a first website is obtained; a user logs into a second website by using the first identity; a second identity for logging into the second website is obtained; a relation which associates the first identity with the second identity is established.
    Type: Application
    Filed: January 21, 2014
    Publication date: May 15, 2014
    Applicant: Tencent Technology (Shenzhen) Company Ltd.
    Inventor: Ya Han
  • Publication number: 20140137227
    Abstract: Systems and methods are provided for enhancement of single sign-on protection. For example, information associated with one or more executable files related to an application process is acquired at a beginning of the application process; whether the one or more executable files are included in a pre-established white-list database is determined based on at least information associated with the executable files; a target uniform-resource locator (URL) associated with the application process is acquired in response to the one or more executable files being not included in the pre-established white-list database; and in response to the target URL being included in a pre-established log-in URL database on an authentication server, the application process is intercepted, and/or a risk notification is provided to a user.
    Type: Application
    Filed: January 23, 2014
    Publication date: May 15, 2014
    Applicant: Tencent Technology (Shenzhen) Company Limited
    Inventors: Hai Long, Yinming Mei
  • Patent number: 8726358
    Abstract: Systems, computer-implemented methods, and computer-readable media for establishing an online account with a resource provider are provided. An authentication token including identification of a user from an authentication server is received. The identification of the user from the authentication token is utilized to establish an online account for the user with the resource provider. Additional credentialing information from the user for the online account is received. The additional information received from the user is associated with the online account for the user with the resource provider.
    Type: Grant
    Filed: April 14, 2008
    Date of Patent: May 13, 2014
    Assignee: Microsoft Corporation
    Inventors: Yordan I. Rouskov, Tore Sundelin, Mrigankka Fotedar, Sarah Faulkner, Pui-Yin Winfred Wong, Wei-Quiang Michael Guo, Lynn Ayres
  • Patent number: 8726356
    Abstract: For enabling single sign-on among applications, a linkage ID indicating connection between the authentication apparatus 1 including the client function and the server apparatus 2 is shared among a plurality of applications. For that, a SV information management unit Aa of the authentication apparatus 1 having the client function manages the linkage ID by storing it in a predetermined storing unit. An AP information management unit Ab manages and stores connection information between applications in a predetermined storing unit, wherein the connection information includes an application name corresponding to an application. Then, an AP decision unit determines whether an application name included in a received linkage ID request is registered in the AP information management unit Ab, obtains the linkage ID from the SV information management unit Aa when the application name is registered in the AP information management unit Ab, and returns the linkage ID to a source of the linkage ID request.
    Type: Grant
    Filed: February 28, 2008
    Date of Patent: May 13, 2014
    Assignees: Nippon Telegraph and Telephone Corporation, Nippon Hoso Kyokai
    Inventors: Yuko Konya, Masahito Kawamori, Tomokazu Yamada, Katsuhiko Kawazoe, Kiyohiko Ishikawa, Arisa Fujii, Syunji Sunasaki, Ganji Eto, Koichi Ishikawa
  • Patent number: 8726359
    Abstract: A method of managing content related to a plurality of social networking websites. The method comprises accessing a first account that stores user's authentication information of the plurality of the networking websites and connecting to the plurality of social networking websites. Content associated with a second account is obtained from each of the plurality of social networking websites and service capabilities of each of the plurality of social networking websites are tracked. The obtained content from all the social networking websites is displayed on a single page and service information applicable to content is provided.
    Type: Grant
    Filed: October 14, 2011
    Date of Patent: May 13, 2014
    Assignee: Sony Corporation
    Inventors: Sean Kennedy, Gary Lyons, Edward Winter
  • Publication number: 20140130144
    Abstract: The present disclosure describes a method and an apparatus for obtaining application information of multiple websites. A corresponding relationship between a main account and multiple pieces of association information is saved in advance. Each piece of association information comprises application authorization information and authentication information of a third-party website. A login request carrying the main account transmitted by a user is received and authenticated. After the user logs in, the multiple pieces of association information are obtained from the corresponding relationship according to the main account carried in the login request. An application information obtaining request is transmitted to multiple third-party websites corresponding to the multiple pieces of association information. A requested result of the application information obtaining request is returned to the user.
    Type: Application
    Filed: January 13, 2014
    Publication date: May 8, 2014
    Applicant: Tencent Technology (Shenzhen) Company Ltd.
    Inventors: Yu Yang, Tingting An, Yiping Chen, Rongjun Feng, Zhiyong Lai
  • Patent number: 8719571
    Abstract: Systems and methods which facilitate secure multicast communications between any valid node of a cluster using authentication between a node joining the cluster and any single node which is validly part of the cluster are disclosed. In accordance with embodiments, a cluster key is utilized to provide security with respect to intra-cluster communications. The cluster key of embodiments is shared by a node which is already part of the cluster with a node joining the cluster only after these two nodes mutually authenticate one another. The mutual authentication handshake of embodiments implements a protocol in which a session key is calculated by both nodes, thereby providing a secure means by which a cluster key may be shared. Having the cluster key, each node of the cluster is enabled to securely communicate with any other node of the cluster, whether individually (e.g., unicast) or collectively (e.g., multicast), according to embodiments.
    Type: Grant
    Filed: August 25, 2011
    Date of Patent: May 6, 2014
    Assignee: NetApp, Inc.
    Inventor: Philip Bryan Clay
  • Publication number: 20140123265
    Abstract: Aspects described herein allow multiple devices to function as a coherent whole, allowing each device to take on distinct functions that are complementary to one another. Aspects described herein also allow the devices to function as a coherent whole when interconnected devices and their respective applications are configured to operate in various operation modes, when management policies are employed to control the operation of the interconnected devices and their respective applications, when transferring content between the interconnected devices and storing the content at those devices, when obtaining access credentials for the interconnected devices that enable the devices to access enterprise resources, when a policy agent applies management policies to control operation of and interaction between the interconnected devices, and when the interconnected devices are used to access an enterprise application store.
    Type: Application
    Filed: December 13, 2013
    Publication date: May 1, 2014
    Applicant: Citrix Systems, Inc.
    Inventors: Andrew Borzycki, Mallikharjuna Reddy Deva, Uday Nandigam Gajendar, Anil Roychoudhry
  • Patent number: 8713629
    Abstract: A wireless network accessing method adaptable to a portable electronic device is provided. The wireless network accessing method includes following steps. A wireless access point (WAP) is connected. An authentication webpage is received from the WAP. A layout of the authentication webpage is analyzed by using a database to find out an account field and a password field of the authentication webpage. An account and a password input by a user are received. The account field filled with the account and the password field filled with the password are sent to the WAP.
    Type: Grant
    Filed: August 12, 2011
    Date of Patent: April 29, 2014
    Assignee: Altek Corporation
    Inventors: Ha-Kuang Ku, Hua-Lin Chang, Feng-Hsing Wang
  • Patent number: 8713659
    Abstract: A switch sends an authentication request message to a client at intervals of a preset duration. A response message sent by the client is received. The response message carries authentication information of a user carried on the client. An authentication message is sent to a server according to the response message. An authentication reply message sent by the server is received. The authentication reply message carries information about an authentication domain authorized by the server to the user. It is determined, according to the authentication reply message, whether the authentication domain of the user is changed. If the authentication domain of the user is changed, an authentication domain change message is sent to the client according to the authentication reply message, so that the client obtains an IP address again.
    Type: Grant
    Filed: September 3, 2013
    Date of Patent: April 29, 2014
    Assignee: Huawei Technologies Co., Ltd.
    Inventor: Manna Chen
  • Patent number: 8713658
    Abstract: A client-server computing system includes a computer cluster for hosting certain resources, applications, programs, processes, files, and/or data that are published to users who are accessing the computer cluster remotely. The computer cluster includes a network of one or more host computers, a gateway server, a gateway service database, and a user database. A single sign-on (SSO) method of the disclosure includes performing a computer cluster authentication process in which a user enters his/her credentials followed by a resource authentication process in which there is no need for the user to reenter his/her credentials, having entered them already in the computer cluster authentication process.
    Type: Grant
    Filed: May 25, 2012
    Date of Patent: April 29, 2014
    Assignee: GraphOn Corporation
    Inventor: William Tidd
  • Patent number: 8713327
    Abstract: A circuit for enabling communication of cryptographic data in an integrated circuit is disclosed. The circuit comprises a first interface coupled to receive data having a first security level; a second interface coupled to receive data having a second security level; a cryptographic application; and a routing block coupled between the first and second interfaces and the cryptographic application, the routing block comprising configurable logic, wherein the routing block is configurable to selectively route the data having the first security level by way of the first interface and to route data having the second security level by way of the second interface. A method of enabling communication of cryptographic data in an integrated circuit is also disclosed.
    Type: Grant
    Filed: February 2, 2009
    Date of Patent: April 29, 2014
    Assignee: Xilinx, Inc.
    Inventors: Edward S. Peterson, Jason J. Moore
  • Patent number: 8713706
    Abstract: A system and methods for coordinating the operation of a client security module and a host security module on a mobile electronic device. The modules communicate with each other through a platform abstraction layer using application programming interfaces to coordinate their activities. In particular, the client security module instructs the host security module when to lock and unlock the device, and the host security module alerts the client security module to attempts by the user to lock or unlock the device.
    Type: Grant
    Filed: July 4, 2011
    Date of Patent: April 29, 2014
    Assignee: BlackBerry Limited
    Inventors: Melanie Barker, John Hodgson
  • Patent number: 8713453
    Abstract: Tools and techniques related to progressively discovering and integrating services are provided. These tools may receive electronic communications addressed to users of communications platform software. In turn, these tools may analyze the electronic communications, and generate upsells for presentation to the users. These upsells may relate to updating profile records associated with the users.
    Type: Grant
    Filed: May 29, 2009
    Date of Patent: April 29, 2014
    Assignee: Microsoft Corporation
    Inventors: Omar Shahine, Jeffrey C. Kunins, Douglas Ray Pearce, Ann Marie Hudspeth
  • Patent number: 8713657
    Abstract: Systems and methods for weak authentication data reinforcement are described. In some embodiments, authentication data is received in a request to authenticate a user. In response to detecting weak authentication data, the systems and methods determine whether the user was previously authenticated as a human user. An example embodiment may include initiating an authentication process based on determining that the user was previously authenticated as a human user.
    Type: Grant
    Filed: September 10, 2012
    Date of Patent: April 29, 2014
    Assignee: eBay Inc.
    Inventor: Mark C. Lee
  • Patent number: 8707409
    Abstract: A method and apparatus for password management and single sign-on (SSO) access based on trusted computing (TC) technology. The methods implement the Trusted Computing Group (TCG)'s trusted platform module (TPM), which interacts with both proxy SSO unit and web-accessing applications to provide a secure, trusted mechanism to generate, store, and retrieve passwords and SSO credentials. The various embodiments of the present invention allow a user to hop securely and transparently from one site to another that belong to a pre-identified group of sites, after signing on just once to a secured proxy residing at the user's device.
    Type: Grant
    Filed: August 22, 2007
    Date of Patent: April 22, 2014
    Assignee: InterDigital Technology Corporation
    Inventors: Yogendra C. Shah, Inhyok Cha, Alexander Reznik
  • Patent number: 8707411
    Abstract: Methods and apparatus, including computer program products, implementing and using techniques for providing user credentials over a network to a remote computer application. User credentials for the remote computer application are stored in a central repository that is accessible through the network. A request is sent to a service to perform, on behalf of a user, a particular task involving the remote computer application. It is determined whether the service has been granted permission to act on behalf of the user with respect to the remote computer application. When the service has permission to act on behalf of the user, the service is used to retrieve the user's credentials for the remote computer application from the central repository and to supply the retrieved user credentials to the remote computer application.
    Type: Grant
    Filed: December 22, 2011
    Date of Patent: April 22, 2014
    Assignee: salesforce.com, inc.
    Inventors: Thomas Nabiel Boulos, Prasanta Kumar Behera
  • Patent number: 8707410
    Abstract: A method and system for cross-system authentication or credentialing of clients. Credentials from one system (e.g., system 2) are placed on a client, such as with a cookie on a browser, and the credentials are then extracted by another system (e.g., system 1), and used by system 1 to impersonate the client to system 2. If the client's credentials with system 2 are valid, system 2 provides that information to system 1 (which is impersonating the client), and system 1 uses the validity of the credentials from system 2 to grant the client access to protected resources on system 1.
    Type: Grant
    Filed: June 17, 2011
    Date of Patent: April 22, 2014
    Assignee: JPMorgan Chase Bank, N.A.
    Inventors: Lawrence R Miller, Martin J. Trenholm
  • Patent number: 8707412
    Abstract: Methods and apparatus, including computer program products, implementing and using techniques for providing user credentials over a network to a remote computer application. User credentials for the remote computer application are stored in a central repository that is accessible through the network. A request is sent to a service to perform, on behalf of a user, a particular task involving the remote computer application. It is determined whether the service has been granted permission to act on behalf of the user with respect to the remote computer application. When the service has permission to act on behalf of the user, the service is used to retrieve the user's credentials for the remote computer application from the central repository and to supply the retrieved user credentials to the remote computer application.
    Type: Grant
    Filed: December 22, 2011
    Date of Patent: April 22, 2014
    Assignee: salesforce.com, inc.
    Inventors: Thomas Nabiel Boulos, Prasanta Kumar Behera
  • Patent number: 8707418
    Abstract: A system for providing communication between one or more clients (50) and one or more service providers (70) is disclosed. The system comprises an access gateway (10) for maintaining transport-specific connections for one or more connections between the client (50) and the access gateway (10), an application level router (20) for routing messages between clients (50) and service providers (70), an authentication provider (40) for verifying the identity of users of clients (50), and a look-up service (30) for keeping a registry of currently available services. Various methods related to the system are also disclosed.
    Type: Grant
    Filed: November 6, 2009
    Date of Patent: April 22, 2014
    Assignee: Telefonaktiebolaget L M Ericsson (publ)
    Inventors: Leonid Mokrushin, Vladimir Katardjiev
  • Patent number: 8701173
    Abstract: A system and method are provided for a distributed computing system where a user can log in to a client computer and access a number of different applications installed on web servers. These applications are then provided access to data in mainframe systems without a user having to enter mainframe user id or password information for gaining access to the mainframe system. The system and method can utilize a sign on object which is installed onto the client computer. The sign on object operates to obtain and transmit a security token which authorizes access to the mainframe system, and the security token does not require the use of the cookie data. This system and method can pass the security token through the web server and the web application in an encrypted form which limits security risks.
    Type: Grant
    Filed: February 12, 2010
    Date of Patent: April 15, 2014
    Assignee: Charles Schwab & Co., Inc.
    Inventors: Ian G. Hall, Michael B. Brietzke, Janardhan Kakarla
  • Patent number: 8701168
    Abstract: One embodiment of the present invention provides a system that associates a digital certificate with an enterprise profile. During operation, an identity store receives a digital certificate from a client. Next, the identity store searches for a mapping rule which determines if an enterprise profile is associated with the digital certificate, wherein the enterprise profile facilitates identifying user capabilities. If a mapping rule is found, the identity store executes the mapping rule to determine if an enterprise profile is associated with the digital certificate. If so, the enterprise profile, which is associated with the digital certificate, is returned to the client.
    Type: Grant
    Filed: November 21, 2005
    Date of Patent: April 15, 2014
    Assignee: Oracle International Corporation
    Inventors: Hari V. N. Sastry, Dipankar Thakuria, Quan H. Dinh
  • Patent number: 8700904
    Abstract: The invention relates to a method for planning an automation system project, a method for authenticating a user during access to an automation device in an automation system, an automation system and a computer program for planning an automation system project. To improve the security concept in automation systems, the provision of a single sign-on authentication method for an automation system is proposed. A user is thus able to simultaneously register at all automation devices within an automation project using a single authentication. A fundamental part of the invention is thus to centrally project plan the single sign-on method. In other words, the basic provision of the basis for the subsequent authentication already takes place during the project planning of the automation project based on a project database. This procedure allows the realization of a single sign-on method for the complete projected automation system and thus simultaneously for all automation devices contained in the automation system.
    Type: Grant
    Filed: August 2, 2005
    Date of Patent: April 15, 2014
    Assignee: Siemens Aktiengesellschaft
    Inventors: Thomas Talanis, Thomas Tröster, Frank Volkmann
  • Publication number: 20140101745
    Abstract: Techniques are described for providing customizable sign-on functionality, such as via an access manager system that provides single sign-on functionality and other functionality to other services for use with those services' users. The access manager system may maintain various sign-on and other account information for various users, and provide single sign-on functionality for those users using that maintained information on behalf of multiple unrelated services with which those users interact. The access manager may allow a variety of types of customizations to single sign-on functionality and/or other functionality available from the access manager, such as on a per-service basis via configuration by an operator of the service, such as co-branding customizations, customizations of information to be gathered from users, customizations of authority that may be delegated to other services to act on behalf of users, etc.
    Type: Application
    Filed: December 9, 2013
    Publication date: April 10, 2014
    Applicant: Amazon Technologies, Inc.
    Inventor: Peter Sirota
  • Patent number: 8695076
    Abstract: A partner registration module can provide for an automatic registration of partners to a central server. An entire partner registration process can be automated from end to end, providing a unified process for registering partners. The partner registration module can be fully compatible with current registration agents and next generation registration agents.
    Type: Grant
    Filed: June 30, 2010
    Date of Patent: April 8, 2014
    Assignee: Oracle International Corporation
    Inventors: Harshal Shah, Jui Deshpande
  • Patent number: 8695019
    Abstract: In a computer system including a computer terminal, an operating system installed on said computer terminal, a virtual machine running on the operating system, a server communicatively coupled to the computer terminal and a process including instructions that when executed on a virtual machine define a user interface; a Single Sign On (SSO) system comprising a database of authentication credentials accessible to the computer terminal, and instructions executable on the virtual machine operative to: obtain user interface state data from the process; query the virtual machine to obtain component data related to the user interface state data; and manipulate the component data so as to deliver authentication credentials to the process.
    Type: Grant
    Filed: December 7, 2004
    Date of Patent: April 8, 2014
    Assignee: Actividentity (Australia) Pty Ltd
    Inventors: Carl Sandland, Matthew Patrick Herscovitch, Timothy Brian Dingwall
  • Patent number: 8695077
    Abstract: Methods and apparatuses, including computer program products, are described for establishing and controlling communication sessions between SIP devices and website application servers. An access portal computing device is coupled between one or more SIP devices and one or more website application servers. The access portal is configured to authenticate SIP user credentials based upon receipt of a SIP message from a SIP device and determine website user credentials associated with a website application server based on the SIP user credentials. The access portal is configured to receive, from the website application server, a communication services application based upon transmission of the website credentials to the website application server, translate SIP requests received from the SIP device into web-based commands for transmission to the website application server, and translate web-based commands received from the website application server into SIP requests for transmission to the SIP device.
    Type: Grant
    Filed: March 14, 2013
    Date of Patent: April 8, 2014
    Assignee: Sansay, Inc.
    Inventors: Glen Gerhard, Jonqjeng Max Sheng, Gerald T. Ryner
  • Patent number: 8695074
    Abstract: Architecture for providing pre-authenticated information from an endpoint for subsequently authenticating a device and/or user associated with the previously-authenticated information. A pre-authentication module of the architecture can be a trust component as part of an application that facilitates the utilization of user information and/or endpoint information in a media session protocol message to replace information that would otherwise be gathered via a dialog. In the context of IP-based voice communications, a call can be made from a client that is pre-authenticable, and no longer requires that an IP-based telephone interact with the phone user to facilitate sign-on.
    Type: Grant
    Filed: April 26, 2007
    Date of Patent: April 8, 2014
    Assignee: Microsoft Corporation
    Inventors: Tal Saraf, Gurdeep Singh Pall, Anand Ramakrishna