Global (e.g., Single Sign On (SSO), etc.) Patents (Class 726/8)
  • Patent number: 8695075
    Abstract: The system and method described herein for discovery enrichment in an intelligent workload management system may include a computing environment having a model-driven, service-oriented architecture for creating collaborative threads to manage workloads. In particular, the management threads may converge information for managing identities and access credentials, which may provide information that can enrich discovery of physical and virtual infrastructure resources. For example, a discovery engine may reference federated identity information stored in an identity vault and enrich a discovered infrastructure model with the federated identity information. Thus, the model may generally include information describing physical and virtualized resources in the infrastructure, applications and services running in the infrastructure, and information derived from the federated identity information that describes dependencies between the physical resources, the virtualized resources, the applications, and the services.
    Type: Grant
    Filed: April 16, 2010
    Date of Patent: April 8, 2014
    Assignee: Novell, Inc.
    Inventors: Eric W. B. Anderson, Kurt Westerfeld, Usman Choudhary
  • Patent number: 8689299
    Abstract: Systems and methods for managing a user identity on a mobile device are provided. The system comprises the mobile device comprising a user agent and a client application, the user agent and the client application in communication with each other. The system further comprises an identity provider in communication with the mobile device, and a client service in communication with the mobile device. The user agent is configured to communicate with the identity provider and retrieve the user identity for the client application, and the client application is configured to transmit the user identity to the client service.
    Type: Grant
    Filed: December 22, 2011
    Date of Patent: April 1, 2014
    Assignee: BlackBerry Limited
    Inventors: Brian Everett McBride, Avinash Chidambaram, Jérôme Bertrand Nicolas Cornet
  • Patent number: 8689306
    Abstract: A method for unique authentication of a user including federating an identity of said user for said service provider and an identity of the user for an identity provider, the federating including the steps of generating a user alias for that service provider and sending said identity provider a masked alias deduced from said alias, the identity provider associating said masked alias for that service provider with the identity of the user for the identity provider and sending the user elements for calculation by the user of a signature of a message containing the non-masked alias calculating said signature and sending the service provider said message with said signature, and the service provider verifying said signature, authenticating the user, and associating said alias with the user's identity.
    Type: Grant
    Filed: February 25, 2008
    Date of Patent: April 1, 2014
    Assignee: Orange
    Inventors: Sébastien Canard, Eric Malville, Jacques Traore, Stéphane Guilloteau
  • Patent number: 8689307
    Abstract: An improved system and method are disclosed for peer-to-peer communications. In one example, the method enables the creation of a virtual endpoint that may operate within a peer-to-peer network to represent a device that is unable to operate as an endpoint.
    Type: Grant
    Filed: March 19, 2010
    Date of Patent: April 1, 2014
    Assignee: Damaka, Inc.
    Inventors: Sivakumar Chaturvedi, Satish Gundabathula, Rameshkumar Chaturvedi
  • Patent number: 8689287
    Abstract: A federated credentialing system, and a corresponding method, includes credential issuers that interact with relying parties to provide system users with access to protected resources within the system. The system includes a relying party federated domain server including devices for identifying users and authenticating user access credentials and a credential issuer domain server including devices for verifying user identities and access credentials. The access credentials may be single smart cards. The single smart cards are operative to provide user access to both logical and physical protected resources of the relying party. The system also includes a federated trust broker in communication with the relying party and credential issuer federated domain servers.
    Type: Grant
    Filed: August 17, 2006
    Date of Patent: April 1, 2014
    Assignee: Northrop Grumman Systems Corporation
    Inventors: Iana Livia Bohmer, John Stephen Radzikowski
  • Patent number: 8689312
    Abstract: Leveraging a persistent connection to provide a client access to a secured service may include establishing a persistent connection with a client in response to a first request from the client, and brokering a connection between the client and a secured service based on a second request from the client by leveraging the persistent connection with the client. The brokering may occur before the client attempts to connect to the secured service directly and the connection may be established between the client and the secured service without provision by the client of authentication information duplicative or additional to authentication information provided by the client to establish the persistent connection.
    Type: Grant
    Filed: April 23, 2012
    Date of Patent: April 1, 2014
    Assignee: Facebook Inc.
    Inventor: Robert Bruce Hirsh
  • Patent number: 8689292
    Abstract: A method and system provide dynamic communities of interest on an end user workstation utilizing commercial off the shelf products, with central management and the ability for a user to log on only once (also known as “single sign on” or “SSO”). The software images that make up the virtual machine can be patched and updated with other required changes from a central storage area where the image can be administratively updated just once. A digital signature can be applied to the software images to ensure authenticity and integrity, along with determining whether a software image is up to date.
    Type: Grant
    Filed: April 21, 2008
    Date of Patent: April 1, 2014
    Assignee: API Technologies Corp.
    Inventors: Timothy C. Williams, Randall Breeden, Richard Holtslander, Edward Browdy
  • Patent number: 8689004
    Abstract: A server system receives and installs multiple claim provider plug-ins. Each of the claim provider plug-ins implements the same software interface. However, each of the claim provider plug-ins can provide claims that assert different things. Claims provided by the claim provider plug-ins can be used to control access of users to a resource.
    Type: Grant
    Filed: December 15, 2010
    Date of Patent: April 1, 2014
    Assignee: Microsoft Corporation
    Inventors: Javier Dalzell, Bryant Fong, Sarat Chandra Subramaniam, Christian Roy, Sadia Sharmin, Benoit Schmitlin, Venkatesh Veeraraghavan
  • Publication number: 20140090037
    Abstract: The disclosed embodiments provide a system that authenticates a user. During operation, the system identifies a first tenant associated with a first request for a first resource from the user and obtains an authentication policy for the first tenant. Next, the system uses an authentication mechanism associated with the authentication policy to authenticate the user. Upon authenticating the user, the system provides a first security token for enabling access to the first resource by the user.
    Type: Application
    Filed: September 21, 2012
    Publication date: March 27, 2014
    Applicant: INTUIT INC.
    Inventor: Intuit Inc.
  • Patent number: 8683562
    Abstract: Embodiments of the invention facilitate the use of a contactless memory token to automate log-on procedures to a remote access server using dynamic one-time passwords (OTPs). A series of workflow steps establishes the identity of the user and charges a token with a number of dynamic OTPs that can be subsequently verified using, for example, a Radius server sitting behind a VPN or SSL/VPN server.
    Type: Grant
    Filed: February 1, 2012
    Date of Patent: March 25, 2014
    Assignee: Imprivata, Inc.
    Inventors: David M. T. Ting, Jason Mafera
  • Patent number: 8683557
    Abstract: A system, method and computer program product for using delegation as a mechanism to manage business activity by taking on a shared identity. In some implementations, the system includes a user interface module for receiving input signals from and sending information to a user, a delegate authentication module and an identity translation module. The delegate authentication module is operable to determine that an individual user identity is authorized to act as a delegate for an organization having an identity on a network-based software application and generate a verification signal. The delegate authentication module is coupled to the user interface module to receive the input signals from the user. The identity translation module is operable to translate the input signals from the user to a format such that they appear to be from the identity of the organization.
    Type: Grant
    Filed: February 3, 2012
    Date of Patent: March 25, 2014
    Assignee: Google Inc.
    Inventors: Pavan K. Desikan, Michael Nestler
  • Patent number: 8683544
    Abstract: A flexible rule engine allows a network operator to dynamically create and modify business rules that govern a subscriber's access to a communications network. The flexible rule engine governs subscriber transitions between various session states by testing for subscriber conditions, network conditions, and then performing specified actions based on these conditions. A rule editor provides the network operator with the ability to compose, edit and delete one or more rules in real time, using an appropriate user interface.
    Type: Grant
    Filed: May 14, 2008
    Date of Patent: March 25, 2014
    Assignee: Bridgewater Systems Corp.
    Inventors: Tom A. Foottit, Yong Li, Elizabeth Janet Clark, Dmitry Toptygin, Joseph Jean Gaetan Michel Collette, Randy Alan Jones
  • Patent number: 8683571
    Abstract: A system and method for authenticating a user in a secure computer system. A client computer transmits a request for a sign-on page, the secure computer system responds by transmitting a prompt for a first user identifier, and the client computer transmits a request including a first identifier, a second identifier stored in an object stored at the client computer and a plurality of request header attributes. A server module authenticates the first and second user identifiers, and compares the transmitted plurality of request header attributes with request header attributes stored at the computer system and associated with the first and second user identifiers. If the first and second user identifiers are authenticated, and if a predetermined number of transmitted request header attributes match stored request header attributes, the server software module transmits a success message, and the user is allowed to access the secure computer system.
    Type: Grant
    Filed: July 24, 2012
    Date of Patent: March 25, 2014
    Assignee: Keycorp
    Inventors: Onesimo Zapata, Susan E. Zielinski, Deana M. Flannery
  • Patent number: 8683316
    Abstract: A method and apparatus is provided for populating and submitting electronic forms by proxy over a data-packet-network. The apparatus comprises software running on a system of network-connected servers that enables a user, connected to one of the servers, to navigate to a site containing an electronic form and obtain data about the site and the form. The data obtained is used in conjunction with data about the user to construct a machine readable job order upon user request that may be executed for the purpose of automatic form population and submission to a host sponsoring the site. Upon acceptance of the submitted form, data used for log-in is stored where it is entered along with site data as a new registered site item for a user such that future navigation to the site, auto log-in and data return is performed automatically on behalf of the user.
    Type: Grant
    Filed: August 6, 2010
    Date of Patent: March 25, 2014
    Assignee: Yodlee.com
    Inventors: Anand Rangarajan, Ji Hoon Lee, Suman Kumar Inala, Ramakrishna Satyavolu, Sreeranga P. Rajan
  • Patent number: 8683569
    Abstract: A system for application access control is disclosed. First, a business coordinator needs to register a user developed tool (UDT) containing an application to be protected with the system via a software program. After registration, a random encrypted password is generated by the application access control server and stored in its back-end database as well as a local break-glass database corresponding to the UDT. When an entitled user accesses the application in the registered UDT later on, the system will check whether he/she is entitled to access the requested application. If yes, the system will retrieve the encrypted password for that application and thus launch the application.
    Type: Grant
    Filed: January 11, 2012
    Date of Patent: March 25, 2014
    Assignee: JPMorgan Chase Bank, N.A.
    Inventors: Josiah Lam, Mark D. McGovern
  • Patent number: 8683559
    Abstract: A computer implemented method and system for, via a global communications network, serving subscribed contents from various subscribed content sources to end users without the need of end users subscribing and signing in at each individual subscribed content source. An embodiment system of present invention may use pre-stored access credentials specific to the embodiment system for fetching the requested subscribed contents from various subscribed content sources. The embodiment system may remove the aforementioned access credentials when forwarding the fetched subscribed contents to corresponding requesting end users. The end users may be served according to their viewing credits and other permissions. The viewing credits of end users may be adjusted according to the served subscribed contents.
    Type: Grant
    Filed: April 15, 2011
    Date of Patent: March 25, 2014
    Assignee: Exceedland Incorporated
    Inventor: Wenqing Wu
  • Publication number: 20140082715
    Abstract: Features are disclosed for authentication of mobile device applications using a native, independent browser using a single-sign-on system. An authentication module within the mobile application can direct the mobile device's native browser to a URL to initiate authentication with an authentication appliance. The mobile browser can receive and store a browser-accessible token to indicate previous authentication performed by the user. The mobile application can receive from the application appliance and store a client application ID token that may be presented to network services for access. A second mobile device application may direct the same browser to the authentication appliance. The authentication appliance may inspect the persistent browser-accessible token and issue a second client application ID identity to the second application without collecting additional authentication information, or collecting additional authentication information that is different from the first authentication information.
    Type: Application
    Filed: March 14, 2013
    Publication date: March 20, 2014
    Applicant: SecureAuth Corporation
    Inventors: Garret Florian Grajek, Jeff Chiwai Lo, Robert Jason Phillips, Shu Jen Tung
  • Publication number: 20140082716
    Abstract: An access control method including: receiving a log information item indicating use history of electrical equipment that is used together with an intended product; receiving product information including information for identifying the intended product; storing the log information item received in the receiving of a log information item and the product information received in the receiving of product information, in association with each other; and controlling whether or not to allow access to the log information item based on the product information associated with the log information item when access to the log information item is attempted.
    Type: Application
    Filed: September 12, 2013
    Publication date: March 20, 2014
    Applicant: Panasonic Corporation
    Inventors: Natsume MATSUZAKI, Yuichi FUTA, Hideki MATSUSHIMA, Manabu MAEDA, Yuji UNAGAMI, Tomoyuki HAGA
  • Patent number: 8677471
    Abstract: A firewall cluster having three or more firewall processing nodes sharing the same shared IP address. Port numbers are assigned to the firewall processing nodes within the cluster and are used to distinguish between traffic sent to the cluster. Each network connection is assigned a destination port number. Each node receives the network connection and its assigned port number and determines if the assigned destination port number matches one of its assigned port numbers. If so, the node processes the network connection. If the assigned destination port number does not match one of its assigned port numbers, the network connection is discarded.
    Type: Grant
    Filed: December 12, 2011
    Date of Patent: March 18, 2014
    Assignee: McAfee, Inc.
    Inventors: Michael J. Karels, Michael James Silbersack
  • Patent number: 8677467
    Abstract: A computer, such as a WINDOWS® operating system-based PC, has associated with it a Subscriber Identity Module (or SIM), such as of the type used in a GSM cellular telephone system. The SIM can be authenticated by the telephone network, in the same way as for authenticating SIMs of telephone handset users in the network, and can in this way authenticate the user of the PC or the PC itself. Such authentication can, for example, permit use of the PC in relation to a particular application which is released to the PC after the authentication is satisfactorily completed. The application may be released to the PC by a third party after and in response to the satisfactory completion of the authentication process. A charge for the session can be debited to the user by the telecommunications network and then passed on to the third party.
    Type: Grant
    Filed: December 10, 2010
    Date of Patent: March 18, 2014
    Assignee: Vodafone Group PLC
    Inventors: Adrian David Lincoln, Charles William Debney, Ian Ronald Maxwell, Jonathan Lawrence Viney
  • Patent number: 8677451
    Abstract: A user is allowed to access any of a number of domains associated with an enterprise using a credential for any one of the domains. An exemplary method includes steps of receiving, from a user and at a first domain of the enterprise, a user identification and a password; determining, at the first domain, whether the user identification is associated with the first domain; and upon determination that the user identification is not associated with the first domain, determining, at the first domain, whether the user identification is associated with a second domain of the enterprise. The user identification and the password are authenticated at the first domain, upon determination that the user identification is associated with the second domain. Upon successful authentication, the user is enabled to access the second domain of the enterprise. The user identification does not need to include a character directly reflecting a domain name.
    Type: Grant
    Filed: June 22, 2010
    Date of Patent: March 18, 2014
    Assignee: Cellco Partnership
    Inventors: Madhu Bhimaraju, Syed Zaheeruddin
  • Patent number: 8671030
    Abstract: A system and method for issuing electronic vouchers representing value. An issuing server generates an eVoucher that a recipient may use to purchase goods and services from a merchant's e-commerce Web site. The eVoucher includes an image, such as a corporate logo, that identifies the issuing merchant. Nonimage data, such as a unique identifier for the eVoucher and encrypted arbitrary text, is embedded in the eVoucher image and is used to track the use of the eVoucher and to verify its authenticity.
    Type: Grant
    Filed: August 27, 2012
    Date of Patent: March 11, 2014
    Assignee: JPMorgan Chase Bank, N.A.
    Inventor: Vincent Sethi
  • Publication number: 20140068743
    Abstract: A secure database includes a catalog of information about one or more identity providers (IdPs) that are trusted by a service provider (SP) to authenticate users on the SP's behalf. The catalog securely stores one or more IdP configurations. An entry in the database stores information associated with the trusted IdP including artifacts to identify the IdP, artifacts used by the IdP for cryptographic operations, and a specification of one or more website(s) serviced by the trusted identity provider. Upon receipt by the SP of identity information representing a user that has authenticated to an IdP, information in the catalog of information is used to determine whether the IdP is trusted to authenticate the user on the service provider's behalf. The determination verifies that the SP uses the IdP and that a binding between an IdP identifier and at least one IdP cryptographic artifact is valid.
    Type: Application
    Filed: August 30, 2012
    Publication date: March 6, 2014
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Jane B. Marcus, Alan D. Eldridge, David Scott Kern, Michael J. Kerrigan, Patrick Charles Mancuso, Robert John Paganetti
  • Patent number: 8666899
    Abstract: In an information communication system, user personal information is batch-managed in a user management center apparatus. The center apparatus issues temporary information, which includes temporary user information and temporary authentication information, in response to a log-in request from a user terminal apparatus that designates a net-shop apparatus, and sends the information to the user terminal apparatus and the designated net-shop apparatus. Thereby, if the user terminal apparatus sends an authentication request to the net-shop apparatus on the basis of the information, the net-shop apparatus can authenticate the user terminal apparatus on the basis of the information from the user management center apparatus. At this time, the user personal information does not go to the net-shop apparatus, and there is no need for the net-shop apparatus to manage the user personal information.
    Type: Grant
    Filed: September 7, 2005
    Date of Patent: March 4, 2014
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Shinichi Kurihara, Asahiko Yamada
  • Publication number: 20140053255
    Abstract: This invention includes a system and method to enable a device to determine the presence information of another device over a secure communication network. First, the device and a presence server establish a secure connection. Next, while the initial secure connection with the presence server is established, the device generates a randomly created token and provides it to the presence server. The token is used as a shared-secret by the device and the presence server to secure future presence communications over a non-secure connection. Next, without the need to again enter a password or establish a secure connection with the presence server, the device uses the shared-secret to sign, encrypt and convey presence information to the presence server over an arbitrary connection. Finally, the presence server may share the first device's presence information with another device.
    Type: Application
    Filed: August 17, 2013
    Publication date: February 20, 2014
    Inventors: Ty Brendan Lindteigen, James Chester Jones, Dipen Patel, Anthony Payne
  • Patent number: 8650628
    Abstract: Systems and methods are disclosed for providing automated user authentication utilizing available authentication data associated with a computing device. By utilizing a mobile identification number verified during an authentication, authorization, and accounting (AAA) process performed when a mobile computing device is powered on, access to a privileged content or service may be granted, allowing a user to bypass manual entry of user authentication information (user ID and password). Utilizing a verified mobile identification number, service features and functionalities may be communicated between billing systems of a service provider, which may provide for further converged, customized services.
    Type: Grant
    Filed: April 27, 2010
    Date of Patent: February 11, 2014
    Assignee: Cox Communications, Inc.
    Inventor: Daniel D. Lam
  • Patent number: 8650615
    Abstract: The present invention is a system and method for preserving user account security privileges during a migration or re-direction of data from one network attached storage (“NAS”) system to another. Certain NAS systems authenticate user accounts using Kerberos Delegation Technology. In addition, some NAS systems feature the ability to constrain delegation to certain services. While effective in limiting access and promoting network security, this constrained delegation restricts the ability of a storage virtualization system to migrate or re-direct data to other NAS systems, especially if the other NAS system resides or is identified by a different domain name. The present invention is a system and method for storing user account credentials that work with the former NAS system, and providing a way to translate these credentials to a new NAS system with a new domain, permitting seamless data migration and re-direction across domains.
    Type: Grant
    Filed: September 28, 2007
    Date of Patent: February 11, 2014
    Assignee: EMC Corporation
    Inventor: Mingzhou Joe Sun
  • Publication number: 20140041008
    Abstract: Establishing trust according to historical usage of selected hardware involves providing a usage history for a selected client device; and extending trust to a selected user based on the user's usage history of the client device. The usage history is embodied as signed statements issued by a third party or an authentication server. The issued statement is stored either on the client device, or on an authentication server. The usage history is updated every time a user is authenticated from the selected client device. By combining the usage history with conventional user authentication, an enhanced trust level is readily established. The enhanced, hardware-based trust provided by logging on from a trusted client may eliminate the necessity of requiring secondary authentication for e-commerce and financial services transactions, and may also be used to facilitate password recovery and conflict resolution in the case of stolen passwords.
    Type: Application
    Filed: October 10, 2013
    Publication date: February 6, 2014
    Inventor: James A. Roskind
  • Patent number: 8646057
    Abstract: A method includes receiving by an OpenID network device a user log in; logging in, by the OpenID network device, the user to an OpenID account; receiving, by the OpenID network device and from a third party service provider network device, a request to authenticate the user and a request to receive user data associated with the user; providing, by the OpenID network device, a user interface to an end device to allow the user to confirm his/her sign-in to the third party service provider network device and release of the user data; receiving, by the OpenID network device, a confirmation with regard to the user's sign-in to the third party service provider network device and release of the user data; and sending, by the OpenID network device and to the third party service provider network device, a message indicating that the user is authenticated and the user data.
    Type: Grant
    Filed: March 10, 2010
    Date of Patent: February 4, 2014
    Assignee: Verizon Patent and Licensing Inc.
    Inventor: Raymond C. Counterman
  • Patent number: 8645843
    Abstract: A method, system and computer program product is disclosed for supporting role-based access control in a collaborative environment, wherein pluralities of users work together in a collaborative process using a software system. The method comprises componentizing the software system into a multitude of software components, and limiting access to specific software components to certain users based on roles assigned to the users as defined by a run-time state of the collaborative process. The set of components that a user can access is dynamic, that set can change based on the “context” or the step where the user is in a collaborative workflow/process.
    Type: Grant
    Filed: August 29, 2008
    Date of Patent: February 4, 2014
    Assignee: International Business Machines Corporation
    Inventors: Yi-Min Chee, Ru Fang, Feng Liu, Qian Ma, Daniel V. Oppenheim, Krishna Ratakonda, Zhi Le Zou
  • Patent number: 8646044
    Abstract: The contemplated embodiments of the invention provide a method for implementing a mandatory integrity control (MIC) system that provides access control for each and every object and subject that need access control, but in a way that allows legacy operating systems to continue with little modification. The invention provides a novel method that selects an integrity level designator for a subject, when the subject logs onto the computer system. The selected integrity level designator is then added to an existing data structure in the computer system. The existing data structure may be a part of a security descriptor stored in a system access control list of an object. The existing data structure may be a part of a list of security permissions that constitute an access token for a process executing as a subject.
    Type: Grant
    Filed: April 28, 2005
    Date of Patent: February 4, 2014
    Assignee: Microsoft Corporation
    Inventors: Richard B. Ward, Jeffrey Hamblin, Peter T. Brundrett
  • Patent number: 8646035
    Abstract: A method for accessing an application on an internal network comprises configuring a first host name in a computer as associated with an internal network. A second host name in the computer is configured as associated with an external data communication network, where the second host name is an alias that resolves to an internet protocol address of an authentication server in the internal network. A first application hosted over the internal network is invoked. In response to the invocation of the first application, a request to invoke the first application including stored user authentication credentials is transmitted to the authentication server. A restricted application hosted over the internal network is invoked where the invocation command includes the second host name. In response to the invocation of the restricted application, a request that does not include user authentication credentials is transmitted to invoke the restricted application to the authentication server.
    Type: Grant
    Filed: August 18, 2011
    Date of Patent: February 4, 2014
    Assignee: Sprint Communications Company L.P.
    Inventors: Ralph S. Thomas, Elton Tila
  • Patent number: 8646062
    Abstract: Embodiments of the invention provide for authenticating users of web-based applications by presenting a previously acquired signed digital signature. Examples establish secure user sessions between a client and a user in response to a verification of an identification of the user by the client, the client creating a unique username for the user and unlocking access by the user to a client digital signature for use with a request for service from a third party web server. A secure facilitator session is established between the client and a third party web server, wherein messages exchanged with the unique username and a unique session identification indicia of the secure facilitator session signed by the unlocked digital signature result in executed processes requested by the service identifier data if the messages are validated without the client requiring the user to verify user identification for any message until a secure facilitator session ends.
    Type: Grant
    Filed: November 9, 2010
    Date of Patent: February 4, 2014
    Assignee: International Business Machines Corporation
    Inventors: Firas Bouz, Terry D. Escamilla, Hugo M. Krawczyk, Tal D. Rabin
  • Publication number: 20140032498
    Abstract: Systems, methods, and media for synthesizing a view of a file system are provided herein. Methods may include receiving a request to obtain a view of at least a portion of a file system backup for a device, responsive to the request, mounting one or more backup files for the device on a backup node, generating a view of the at least a portion of a file system created from the one or more mounted backup files, the view being accessible via the intermediary node that is communicatively coupled with the backup node.
    Type: Application
    Filed: September 25, 2013
    Publication date: January 30, 2014
    Inventors: Eric Lalonde, Vito Caputo
  • Patent number: 8639823
    Abstract: Techniques are provided for leveraging narrowband connectivity (such as dial-up communications or other types of low bandwidth communications) to provision or configure broadband connectivity between a broadband access provider and a broadband device, such as a DSL modem or a cable modem. Specifically, because narrowband connectivity does not require advance configuration or provisioning by the host system of connectivity parameters for an access-seeking device, a modem at an access-seeking device may be leveraged to establish a narrowband connection between that device and a host system and to enable an exchange or negotiation of connectivity parameters necessary to enable future broadband connectivity. Thus, once established, the narrowband connection may be used as a conduit for communicating required provisioning information between the broadband-enabling host and the access-seeking device to enable broadband connectivity by the device in the future.
    Type: Grant
    Filed: September 14, 2012
    Date of Patent: January 28, 2014
    Assignee: Facebook, Inc.
    Inventors: Patrick Meenan, David Clyde Chiles, Jeffrey J. Damick
  • Patent number: 8640193
    Abstract: An image processing apparatus for providing at least a service to a service requester receives a service execution request and authentication information of a service requester from the service requester and issues a request for authenticating the service requester to an authentication service. Also, the image processing apparatus executes the requested service based on an authentication result transmitted from the authentication service. Further, the image processing apparatus manages an execution state of the executed service and an authentication state of the service requestor by associating the execution state with the authentication state.
    Type: Grant
    Filed: December 20, 2005
    Date of Patent: January 28, 2014
    Assignee: Canon Kabushiki Kaisha
    Inventor: Nobuyuki Shigeeda
  • Patent number: 8640211
    Abstract: A system and method is described for controlling the password(s) of one or more programs through a universal program. The universal control program allows access to one or more other programs and allows editing of the passwords of the other programs directly through the universal access program.
    Type: Grant
    Filed: April 19, 2012
    Date of Patent: January 28, 2014
    Assignee: Intellectual Ventures II LLC
    Inventor: John B. Hollingsworth
  • Patent number: 8635684
    Abstract: In one embodiment of the present invention a computerized method includes receiving at a personal-mobile device a first communication, which includes information for requesting user verification for logging into an account of a user, via a computing device. The account is with a service provided by an application server. The method includes starting a personal-authentication application on the personal-mobile device in response to receiving the first communication, and receiving in the personal-authentication application a user verification for confirming logging into the account. The method includes logging into the account via the computing device based on receipt of the user verification. Embodiments of the present invention provide enhanced security for logging into an account that a user may have with a service by providing that a personal-mobile device, such as a mobile telephone, which is personal to a user, is configured as a security token for login to the account.
    Type: Grant
    Filed: October 6, 2011
    Date of Patent: January 21, 2014
    Assignee: SAP AG
    Inventor: Philipp Thun
  • Publication number: 20140020079
    Abstract: A method for providing network service and apparatus thereof are described. The method includes the following steps: acquiring a network identity information of a user wherein the network identity information stored in a browser is a kind of information with a unique recognition; matching the network identity information with a local identity database to determine whether the local identity database stores a binding relationship between the network identity information and a server account information of the user; querying the server account information stored in the local identity database based on the network identity information of the binding relationship if the network identity information is matched with the local identity database to be found in the local identity database; and automatically logging in the web server based on the server account information of the user.
    Type: Application
    Filed: September 25, 2013
    Publication date: January 16, 2014
    Applicant: Tencent Technology (Shenzhen) Company Limited
    Inventor: Zhaohua Lu
  • Publication number: 20140020077
    Abstract: A method, apparatus and computer program product for detecting that a computing device may not be secure based on inconsistent identity associations identified during Federated Single Sign-On (F-SSO). A detection proxy detects when a user with a particular session is accessing an identity provider (IdP) that is associated with an account that is not the current user's account. When a user performs a login to an F-SSO-enabled IdP, the proxy performs an F-SSO, and the results are compared with known aliases for that particular federation partner. If an anomaly is detected (e.g., the in-line device sees that a user logs into a web site as someone else), a workflow is initiated to perform a given action, such as blocking access, issuing an alert, or the like.
    Type: Application
    Filed: July 12, 2012
    Publication date: January 16, 2014
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: John William Court, Simon Gilbert Canning, Simon Winston Gee, Shane Bradley Weeden
  • Publication number: 20140020078
    Abstract: A confidence-based authentication discovery scheme is implemented at a proxy. The scheme assumes that some level of unauthenticated browsing is allowed prior to enforcing authentication at the proxy. Once a known and trusted set of identity providers has been accessed and the user is required to authenticate at the proxy (e.g., as a result of policy), the proxy initiates Federated Single Sign-On (F-SSO) to one or more (or, preferably, all) known sites accessed by the browser. This F-SSO operation is performed seamlessly, preferably without the user's knowledge (after the user allows an initial trust decision between the proxy acting as a service provider and the external identity provider). The proxy collates the results and, based on the trust it has with those sites, produces a confidence score. That score is then used as input into policy around whether or not a user should be permitted to access a particular site.
    Type: Application
    Filed: July 12, 2012
    Publication date: January 16, 2014
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Simon Gilbert Canning, Simon Winston Gee, Shane Bradley Weeden
  • Patent number: 8631480
    Abstract: Systems and methods for providing a login context operate a virtual machine, wherein the virtual machine includes an open services platform and an authentication service, wherein the authentication service includes a classloader, and an initial classloader is designated as the classloader of the authentication service, register a login module, receive an authentication request from a first application, and responsive to receiving the authentication request designate a classloader associated with the login module as the classloader of the authentication service, generate a login context of the login module, and provide the login context of the login module to the first application, whereby the first application uses the login context to perform an authentication.
    Type: Grant
    Filed: March 28, 2011
    Date of Patent: January 14, 2014
    Assignee: Canon Kabushiki Kaisha
    Inventors: Eliza Khosrova, Harishankar Karantothu, Craig Mazzagatte, Wei-Jhy Chern
  • Patent number: 8631478
    Abstract: Managing a lifecycle of a shared privileged account via a proxy service which comprises an Identity Management (IdM) system that defines and manages identity services, which in turn manage privileged accounts used to access managed targets. Each of the identity services is mapped to a privilege group of the proxy service and an ID pool manager is implemented to manage sharing of the privileged accounts. A request is generated to access a managed target with a privileged account. A shared privileges module generates a shared ID authorization account and associates it with the requestor. The shared ID authorization account is populated with sign out information for a shared privileged account, which the requestor uses to access the corresponding managed target. When use of the shared privileged account is ended, the shared privileges module disassociates the requestor with the shared privileged account by deleting the shared ID authorization account.
    Type: Grant
    Filed: March 12, 2012
    Date of Patent: January 14, 2014
    Assignee: International Business Machines Corporation
    Inventors: Leeanne L. Chen, Alexander P. Ames, Prema Vivekanandan
  • Patent number: 8631241
    Abstract: In accordance with a broad aspect, a method is provided to securely configure a computing device. A configuration indication is received into the computing device, including receiving a digital signature generated based on the configuration indication. Generation of the digital signature accounts for a unique identifier nominally associated with the computing device. The received configuration indication may be verified to be authentic including processing the unique identifier, the received configuration indication and the received digital signature. The computing device may be operated or interoperated with in accordance with the received configuration indication. In one example, a service interoperates with the computing device. For example, the computing device may be a portable media player, and the service may provide media to the computing device based on a capacity indication of the configuration indication.
    Type: Grant
    Filed: June 22, 2012
    Date of Patent: January 14, 2014
    Assignee: Apple Inc.
    Inventors: Christopher R. Wysocki, Alan Ward
  • Patent number: 8631459
    Abstract: A user provisioning system is extended to enable account reconciliation to occur in conjunction with a provisioning request. In response to a user provisioning request, a determination is made whether the user provisioning request is to be extended by including a reconciliation request. If so, the reconciliation request is piggy-backed on top of the provisioning request. This approach enables the reconciliation operation to be scoped to just the particular user account that is the subject of the provisioning operation, and it enables reconciliation to be carried out much more frequently as compared to the periodic, batch-oriented approach of prior techniques.
    Type: Grant
    Filed: February 6, 2012
    Date of Patent: January 14, 2014
    Assignee: International Business Machines Corporation
    Inventors: Christopher Young-Soo Choi, Neil Ian Readshaw
  • Patent number: 8631477
    Abstract: Managing a lifecycle of a shared privileged account via a proxy service which comprises an Identity Management (IdM) system that defines and manages identity services, which in turn manage privileged accounts used to access managed targets. Each of the identity services is mapped to a privilege group of the proxy service and an ID pool manager is implemented to manage sharing of the privileged accounts. A request is generated to access a managed target with a privileged account. A shared privileges module generates a shared ID authorization account and associates it with the requestor. The shared ID authorization account is populated with sign out information for a shared privileged account, which the requestor uses to access the corresponding managed target. When use of the shared privileged account is ended, the shared privileges module disassociates the requestor with the shared privileged account by deleting the shared ID authorization account.
    Type: Grant
    Filed: July 23, 2009
    Date of Patent: January 14, 2014
    Assignee: International Business Machines Corporation
    Inventors: Leanne L. Chen, Alexander P. Ames, Prema Vivekanandan
  • Publication number: 20140013409
    Abstract: Systems and methods for single sign on to a cloud. The system includes a cloud service provider and a tenant. The cloud service provider has a consumer unit and a portal. The consumer unit provides an interface for a user to connect to the cloud service provider. The portal provides a cloud service to the user and has a first authentication system that issues a security token request and that is connected to the consumer unit. The tenant includes the user and a second authentication system. The second authentication system signs the security token request. The consumer unit is adapted to communicate with the first authentication system using a first protocol and adapted to communicate with the second authentication system using a second protocol.
    Type: Application
    Filed: July 6, 2012
    Publication date: January 9, 2014
    Inventor: Milind I. Halageri
  • Patent number: 8626929
    Abstract: Scalable session management is achieved by generating a cookie that includes an encrypted session key and encrypted cookie data. The cookie data is encrypted using the session key. The session key is then signed and encrypted using one or more public/private key pairs. The encrypted session key can be decrypted and verified using the same private/public key pair(s). Once verified, the decrypted session key can then be used to decrypt and verify the encrypted cookie data. A first server having the private/public key pair(s) may generate the cookie using a randomly generated session key. A second server having the same private/public key pair(s) may decrypt and verify the cookie even if the session key is not initially installed on the second server. A session key cache may be used to provide session key lookup to save public/private key operations on the servers.
    Type: Grant
    Filed: February 14, 2011
    Date of Patent: January 7, 2014
    Assignee: Microsoft Corporation
    Inventors: Wei Jiang, Ismail Cem Paya, John D. Whited, Wei-Quiang Michael Guo, Yordan Rouskov, Adam Back
  • Patent number: 8627434
    Abstract: Processing within a computing environment is facilitated by: determining by a local security manager of a first system in a first security domain whether a local security context of a user is acceptable to a second system in a second security domain; responsive to the user's security context being unacceptable to the second system, creating by a local security manager of the second system a runtime security context for the user in the second system; and providing the first system with a reference to the runtime security context for the user in the second system which is resolvable within the computing environment or a portable representation of the runtime security context for the user in the second system, the reference or the portable representation being subsequently returned to the second system with a request from the first system to process work at the second system.
    Type: Grant
    Filed: December 4, 2009
    Date of Patent: January 7, 2014
    Assignee: International Business Machines Corporation
    Inventors: Alan P. Dooley, Walter B. Farrell, Arthur L. Fitzpatrick, III, Richard H. Guski, Russell D. Hardgrove, Deborah F. Mapes, Christine A. Marusek, Mark A. Nelson, Eric Rosenfeld
  • Patent number: 8627439
    Abstract: A method of communicating over a communications system includes determining that a communication event at a user terminal of the communications system requires use of a feature for processing data, the communication event being over the communications system and determining that the feature required by the communication event is not enabled for use at the user terminal when the communication event is initiated. Following the step of determining that the feature is not enabled, the method further includes retrieving a certificate enabling the use of the feature at the user terminal and using the feature at the user terminal to process data of the communication event.
    Type: Grant
    Filed: July 30, 2009
    Date of Patent: January 7, 2014
    Assignee: Microsoft Corporation
    Inventor: Marek Laasik