Abstract: Systems and methods for continuous secure single sign on for secure access services. A user device stores a first authentication factor associated with a user for authorizing access. An authentication server receives an authentication request by the user to a secure access service and establishes a secure communication channel between the authentication server and the user device. The user device performs a user authentication according to a second authentication factor, generates an authentication response indicating the first authentication factor and confirming the authentication, the authentication response and transmits the response to the authentication server via the secure communication channel.

Abstract: A provider receives a message from a user device requesting that the provider share user credentials associated with a user of the user device with a second provider when the user is attempting to enroll with or access goods or services associated with the second provider via an application on the user device. The message requests that the provider send the user credentials to the user device. The provider determines whether the user has been authenticated by the provider and whether a trust relationship exists between the provider and the second provider. The provider sends the user credentials to the user device when the user has been authenticated by the provider and when the trust relationship exists between the provider and the second provider. The user device forwards the user credentials to the second provider and the second provider authenticates the user based on the user credentials.

Abstract: An authentication system for providing shared credential authentication includes a client information handling (IHS) system having a resource service application, and a mobile IHS having a shared authentication application. The shared authentication token indicates that an authenticated state between the client IHS and the mobile IHS exists. The resource service application receives a request to access the resource, and sends an authentication request to an authentication server to authorize access to the resource. The shared authentication application receives a query from the authentication server to verify a status of a shared authentication token, and, when the shared authentication token is valid, responds to the query that the shared authentication token is valid. The resource service application further receives a response to the authentication request, and grants access to the resource when the authentication token indicates that the shared authentication token is valid.

Abstract: Methods, systems, and computer storage media for providing escorted-access management based on an escort-admin session engine are provided. The escort-admin session engine approves an external administrator's access to a resource instance based on a service team policy, while approving an escort operator to escort the external administrator in an escort-admin session that provides access to the resource. In operation, an external administrator's request for access to a resource is evaluated based on the service team policy that is managed by a service team. The request is approved with access rights to the resource identified in the policy. An escort operator is identified for the external administrator. The escort operator is approved to escort the external administrator for access to the resource during an escort-admin session. The escort-admin session includes an escort operator context referring to the escort operator having access rights based on the access rights approved using the policy.

Abstract: Embodiments are directed to a method of enabling cloud applications to act on behalf of a user, including: providing, by the processor, a plugin integrated with a web browser; configuring, by the processor, a plurality of cloud applications and one or more identity providers in the plugin; wherein the plurality of configured cloud applications are associated with the one or more identity providers; authenticating, by the processor, a user identity through one of the plurality of configured cloud applications; generating, by the one or more identity providers, an identity token responsive to authentication; providing, by the one or more identity providers, each of the plurality of configured cloud applications with the identity token; and acting, by any of the plurality of configured cloud applications, on behalf of the user with the identity token.

Abstract: A method for updating a SELinux security policy and a terminal. The method includes receiving, by the terminal, a security policy file sent by a server. The method further includes, performing, by the terminal in a power-on status, storing the security policy file in preset storage space by using a first service or process, modifying, by the terminal, a value of a preset attribute value from a first value to a second value by using the first service or process, reading, when it is detected that the value of the preset attribute value is changed from the first value to the second value, the security policy file from the preset storage space by using a second service or process and writing the security policy file into a memory, and loading, by the terminal, the security policy file in the memory by using the second service or process.

Abstract: Methods, systems, and media for authenticating users using blockchains are provided. In some embodiments, the method comprises: receiving, at a user device of a user, user credentials for authentication to an application associated with the user device; determining whether the user credentials are valid for the application using a local blockchain stored on the user device; in response to determining that the user credentials are valid, generating a new block to be added to the local blockchain; adding the new block to the local blockchain; and granting access to the application based on the validated user credentials.

Abstract: At least some embodiments are directed to a system that receives from an online portal loaded in a computing device, a user request to instantiate a server cluster in a hybrid computer network. The system authenticates and redirects the user request via a proxy service to a selected computer network configured in the hybrid computer network. The system instantiates the server cluster in the selected computer network causing the server cluster to initiate a microservice agent during bootup. The system sends a command to the server cluster to initiate the execution of a process and receives from the microservice agent event data associated with the process. The system inputs the event data into a trained machine learning model to determine a first execution state of the process and sends a command to change the first execution state of the process to a second execution state.

Abstract: Aspects of the disclosure relate to processing systems using improved domain pass-through authentication techniques. A computing platform may send, to an external cloud computing platform, one or more registration requests that each may cause an RLS endpoint corresponding to each of a plurality of resource location connectors to be stored at the external cloud computing host platform. The computing platform may receive one or more requests for a resource location identifier. The computing platform may determine an accessible resource location connector and may send, to the user device, a corresponding resource location identifier. After receiving a pass-through authentication request, the computing platform may receive, from the ticketing service stored on the external cloud computing platform, a one-time ticket. The computing platform may send, to the user device, the one-time ticket, which may allow the user device to perform pass-through authentication with the external cloud computing platform.

Abstract: Various embodiments of the present invention relate to a method for managing a companion device, and an electronic device using the same, the electronic device comprising: a communication unit for connecting a communication channel with at least one first external electronic device; and at least one processor functionally connected with the communication unit, wherein the at least one processor requests, from the at least one first external electronic device, information (companion device authentication information) necessary for registering the at least one first external electronic device as a companion device of a second external electronic device, in response to the connection with the at least one first external electronic device, receives and stores the companion device authentication information, registers the electronic device as a companion device of the second external electronic device when the electronic device is connected with the second external electronic device, and transmits the stored compa

Abstract: A method and system for password mediation including receiving, within an operating system network stack of a client device, a hypertext transfer protocol (HTTP) request message issued by a client application executing on the client device, the HTTP request message indicating an operation to be performed for a user of the client application at a destination system; requesting, by the client device, security information for the user with respect to the destination system; modifying, by the client device, the received HTTP request message to include the security information; and sending, by the client device, the modified HTTP request message to the destination system.

Abstract: An identity provider, within a directory service, provides an automatic technique for configuring the single sign-on settings of a service provider. The directory service contains pre-configured templates for each service provider supported by the directory service which include the details of the service provider's SSO configuration settings web page. A configuration sign-on script is generated to automatically fill in the configuration settings so that the principal can perform single sign-on with the service provider's preferred authentication and authorization protocol.

Abstract: To revoke a digital certificate, activation of the digital certificate is blocked by withholding an activation code from the certificate user. The certificates are generated by a plurality of entities in a robust process that preserves user privacy (e.g. anonymity) even in case of collusion of some of the entities. The process is suitable for connected vehicles, e.g. as an improvement for Security Credential Management System (SCMS).

Abstract: A login method includes: after a login process of a service apparatus is triggered, acquiring verification information of a target primary account, and sending the verification information to an identity management apparatus; after receiving the verification information by the identity management apparatus, performing identity verification on the target primary account by using an identification information set of a registered primary account, and after the identity verification is passed, acquiring login information of at least one sub-account associated for the service apparatus in advance with the target primary account and sending the login information to the service apparatus; and determining, by the service apparatus, a target sub-account based on the login information and logging in to a server side.

Abstract: Provided is a base wireless communication terminal that communicates with a Long Range (LR) wireless communication terminal supporting LR wireless communication. The base wireless communication terminal includes a transceiver and a processor. The processor is configured to set length information included in a non-LR preamble, which is a preamble for a non-LR wireless communication terminal that does not support LR wireless communication, to be longer than a length from a predetermined point in a Physical layer Protocol Data Unit (PPDU) to an end point of the PPDU, and transmits the PPDU including the non-LR preamble to the LR wireless communication terminal using the transceiver. In this case, the length information is information for indicating a length from a predetermined point in the PPDU to an end point of the PPDU.

Abstract: Disclosed are various approaches for workflow service back end integration. In some examples, a service request is identified. The service request is associated with a network service. A single sign-on (SSO) token is received. The SSO token represents a user account authenticated with an identity manager. Authentication data for the network service is identified based on the SSO token. A hosting location of a connector for the network service is identified based on the authentication data. An authentication header is appended to the service request. The service request with the authentication header is transmitted to the connector.

Abstract: Data item transfer between mobile devices is provided. Network association and proximity of a plurality of mobile devices of a requested data item by a requesting mobile device are determined using a shared ledger of mobile device inventory data, mobile device network connection data, and mobile device geolocation data. A target mobile device that contains the requested data item, is connected to a same local network as the requesting mobile device, and is geographically located proximate with a threshold to the requesting mobile device is identified based on the determined network association and proximity of the plurality of mobile devices and data in the shared ledger. A transfer of the requested data item from the target mobile device to the requesting mobile device is initiated via the same local network based on mobile device management policies.

Abstract: Disclosed are various approaches for extending a single sign-on (SSO) session to multiple devices. If a device is enrolled as a managed device with a management service, a SSO session can be extended to the device if the user has previously authenticated with an identity provider from another device. The user is authenticated on the second device using a user-and-device token issued by the management service with which the device is enrolled as a managed device.

Abstract: A method for accessing a secure computer resource by a computer application having no human-machine interaction for inputting authentication information comprises: a) a first initialization step comprising the creation of a temporary cryptographic key consisting of applying a cryptographic process to a plurality of information that is invariant over time and of encrypting, using the thus calculated key, authentication data of an account authorized to access a vault with passwords and b) steps for automatic access by the application to the secure computer resource consisting of creating a temporary cryptographic key consisting of applying a cryptographic process to the plurality of information that is invariant over time, reading the credentials file created during the initialization step and decrypting the credentials file with the temporary cryptographic key calculated in the preceding step, then transferring, to the calling application, the data coming from the computer resource.

Abstract: Disclosed are various approaches for retrieving contacts from a plurality of federated services. A query is received from a client application executing on a client device, the query comprising a single sign-on token that identifies a user and a character string. A number of federated services that the user has permission to access are then identified. A plurality of authentication tokens are then retrieved from an authentication service, each of the plurality of authentication tokens identifying the user to a respective one of the plurality of federated services. Next, the authentication token and the character string are provided to a respective connector for each of the plurality of federated services that the user has permission to access. A plurality of responses are received, each of the plurality of responses being received from the respective connector corresponding to each of the plurality of federated services that the user has permission to access.

Abstract: The disclosed computer-implemented method for providing single sign-on capability may include intercepting, during an authentication session with a network resource, a single sign-on request generated by an application executing on a computing device, redirecting the single sign-on request to a separate computing device for execution, receiving, in response to authentication of at least one user credential from the separate computing device, an authentication decision that the separate computing device obtained from an identity provider (IDP) by executing the single sign-on request and injecting the authentication decision received from the separate computing device into the application where the single sign-on request was originally generated to complete the authentication session.

Abstract: A threat management facility detects a device on an enterprise network and determines whether the device is one of a set of managed devices for the enterprise network. When the device is not one of the set of managed devices, the device may be directed to a portal that manages admission of unrecognized devices onto the enterprise network. Based on a response of the unrecognized device to the portal (e.g., if the unrecognized device does not respond to the portal), the device may be listed on an unclaimed device page published by the portal and accessible to authorized users of the enterprise network. An authorized user may claim the unrecognized device from the unclaimed device page and, in the process, may provide additional information regarding the unrecognized device. Once claimed, the previously unrecognized device may be permitted to communicate over the enterprise network.

Abstract: Particular embodiments described herein provide for a network element that can be configured to receive, from an electronic device, a request to access a network service. In response to the request, the network element can send data related to the network service to the electronic device and add a test link to the data related to the network service. The network element can also be configured to determine if the test link was successfully executed and classify the electronic device as untrusted if the test link was not successfully executed.

Abstract: A display apparatus capable of omitting a device discovery process and a service discovery process and simplifying a W-Fi Direct connection procedure includes a memory; a display; communication circuitry configured to communicate with the server and the source device; and a controller configured to execute the screen mirroring service with the source device. The controller is configured to, when a start command of the screen mirroring service is input by a user, control the display to display the source device connected to a cloud account, in response to an input of the user who selects the source device, to perform the Wi-Fi Direct connection with the source device based on first Wi-Fi Direct configuration information stored in the memory and second Wi-Fi Direct configuration information obtained from the server, and to control the display to output a screen of the source device.

Abstract: A method for providing a token code in conjunction with a value token is disclosed. The token code serves as a shared secret for authenticating the use of the value token. Multiple token holders can possess the same value token, but each token holder may have a different token code for use with the value token.

Abstract: A method and proxy device for securing an access to a cloud-based application are presented. In an embodiment, the method includes receiving an authentication token that includes an identity of a user of a client device requesting an access to the cloud-based application. The method further includes receiving, from an agent executed in the client device, a client certificate; retrieving, from a compliance server, a device posture of the client device, wherein the device posture is retrieved respective of the received client certificate; identifying an access policy for the client device to access the cloud-based application, and determining whether to grant an access to the cloud-based application based in part on the compliance of the client device with the identified access policy. In an embodiment, the access policy is identified based at least on the retrieved device posture.

Abstract: A threat management facility detects a device on an enterprise network and determines whether the device is one of a set of managed devices for the enterprise network. When the device is not one of the set of managed devices, the device may be directed to a portal that manages admission of unrecognized devices onto the enterprise network. Based on a response of the unrecognized device to the portal (e.g., if the unrecognized device does not respond to the portal), the device may be listed on an unclaimed device page published by the portal and accessible to authorized users of the enterprise network. An authorized user may claim the unrecognized device from the unclaimed device page and, in the process, may provide additional information regarding the unrecognized device. Once claimed, the previously unrecognized device may be permitted to communicate over the enterprise network.

Abstract: A virtual smart card entity enabling a data processing apparatus to request for access to at least one service provider host in the computer network is disclosed. A credential management server provides credential information associated with the virtual smart card entity to the data processing apparatus where after the virtual smart card entity is configured according to the credential information. The data processing apparatus can then send a request for access to at least one service provider host using the configured virtual smart card entity.

Abstract: A computing device includes a memory and one or more processors coupled to the memory.

Abstract: An embodiment controls access to a resource, the access controlled by a multi-tenant system. Embodiments receive, at a web server, a request for the resource from a user via a web browser, the request including a Uniform Resource Locator (“URL”) associated with the resource and an identity of a tenant corresponding to the user. Embodiments determine an access policy for authenticating the user that is associated with the resource, the access policy based in part on the identity of the tenant. Embodiments then authenticate the user based on the determined access policy.

Abstract: A controller may be used to create and process an assertion, in some cases, to implement single-sign on (SSO) in a computer network. In some examples, the controller includes processing circuitry coupled to a storage device. The processing circuitry is configured to create the assertion, where the assertion includes information indicative of a set of attributes and parse the assertion to determine the set of attributes. Additionally, the processing circuitry is configured to determine if each attribute of the set of attributes maps to a plurality of primary user groups stored in the storage device. Based on determining that an attribute of the set of attributes does not map to at least one primary user group of the plurality of primary user groups, the processing circuitry is configured to create a set of secondary user groups and a set of secondary user group names corresponding to the attribute.

Abstract: A method, system and computer program product for handling potential service load interruptions. The utilization of resources, such as servers in a service infrastructure of a SaaS provider, are monitored. If the utilization of a resource exceeds a threshold, then the resource is identified as having an excessive service load leading to a potential service load interruption. When a request is received from a user requesting to access such a resource, one or more action items to be completed by the user are generated and presented to the user. “Action items” refer to any activity that is required by the user to be performed thereby providing the SaaS provider additional time to address the potential service load interruption in an appropriate manner. Additional action item(s) will be presented to the user until the SaaS provider addresses the potential service load interruption, at which point, the request will be serviced.

Abstract: The technology disclosed relates to non-intrusively enforcing security during federated single sign-on (SSO) authentication without modifying a trust relationship between a service provider (SP) and an identity provider (IDP). In particular, it relates to configuring the IDP to use a proxy-URL for forwarding an assertion generated when a user logs into the SP, in place of an assertion consumer service (ACS)-URL of the SP. It also relates to configuring an assertion proxy, at the proxy-URL, to use the SP's ACS-URL for forwarding the assertion to the SP. It further relates to inserting the assertion proxy in between the user's client and an ACS of the SP by forwarding the assertion to the SP's ACS-URL to establish a federated SSO authenticated session through the inserted assertion proxy.

Abstract: A method for creating a virtual SIP user agent by use of a webRTC enabled web browser comprises a user logging in to a web application server via a webRTC enabled web browser. The web application server uses the logged on user identity to lookup an associated SIP user identity along with a registrar server address and the web application server initiates a SIP registration procedure using its IP address as the registered contact.

Abstract: A default pre-shared key is provided from a first device to a second device. The first device is configured to control network access to a network. A first authentication request is obtained at the first device from a third device. The first authentication request includes data indicative of the second device. A first response to the first authentication request is provided from the first device to the third device. The first response includes the default pre-shared key. A second authentication request containing a private pre-shared key and the data indicative of the second device is obtained at the first device from the third device. Stored data at the first device is updated in response to the second authentication request with the private pre-shared key and the data indicative of the second device to provision the first device to provide network access to the network to the second device.

Abstract: Techniques described herein may be used to centralize authentication and authorization for accessing cloud services provided by different cloud platform deployments. A user equipment (UE) may provide user information to a cloud admin device. The cloud admin device may authenticate and authorize the UE locally and then initiate a sign on procedure with each cloud platform deployment. The sign on procedure may include obtaining user group information for the user and providing the user group information to the cloud platform deployments so that the cloud platform deployments may return permission information without having to each perform an authentication and authorization procedure. The cloud admin device may relay the permission information to the UE, and the UE may use the permission information to access any/all of the cloud services.

Abstract: Disclosed is a secure element used in a host terminal, including several communication interfaces for communication with the outside, several applications and a runtime environment. At least two applications are issuer security domains instantiating two GlobalPlatform configurations, typically GP configurations UICC and eSE. The runtime environment is configured to receive a command over a communication interface, to determine a target application for executing that command according to that communication interface and to send, over that same interface, a response to the command. This ensures the independence of the two configurations by providing that the runtime environment only authorizes access to an application resource of the secure element for executing the command by the target application if that application resource is associated with the communication interface for receiving the command.

Abstract: Disclosed is a system for delegating authentication of an untrusted application executing on a client device. For delegated authentication, an untrusted application relies on a trusted application executing in the same environment for authentication purposes. The delegated authentication process avoids requiring the user of the untrusted application to provide authentication credentials. The disclosed system for delegating authentication enables any trusted application executing in the same computing environment to authenticate the untrusted application.

Abstract: A threat management facility detects a device on an enterprise network and determines whether the device is one of a set of managed devices for the enterprise network. When the device is not one of the set of managed devices, the threat management facility may determine whether the device is manageable. When the device is unrecognized and unmanageable, a portal may provide support to a user of the device by listing the device on an unclaimed device page published by the portal and accessible to authorized users of the enterprise network. An authorized user may claim the unrecognized device from the unclaimed device page and, in the process, may provide additional information regarding the unrecognized device. Once claimed, the previously unrecognized device may be permitted to communicate over the enterprise network.

Abstract: A query referencing a function associated with a remote software component is received by a network-based data warehouse system. Temporary security credentials corresponding to a role at a cloud computing service platform are obtained. The role has permission to send calls to a web endpoint corresponding to the remote software component. A request comprising input data and electronically signed using the temporary security credentials is sent to a web Application Programming Interface (API) management system of the cloud computing service platform. The request, when received by the web API management system, causes the web API management system to invoke external functionality provided by the remote software component at the web endpoint with respect to the input data. A response comprising a result of invoking the external functionality is received from the web API management system, and the result data is processed according to the query.

Abstract: An application control system (ACS) in a computer device intercepts a request to launch a requested application by a calling process, and determines, based on the requested application, that user interaction is required before launch. In response, the ACS establishes whether or not the calling process is associated with a controlling terminal and, if so, performs the user interactions using that controlling terminal. Where the user interactions are successful then the intended application is permitted to launch or, conversely, the intended application may be denied. Other solutions are provided in the event that the calling process is not associated with the controlling terminal.

Abstract: When a user attempts to access a first application installed on a user device, it can send an authentication request to an authentication server. The authentication server can assign a unique request token to the request and load a script to a component of the operating system executing on the user device that displays content within the first application. The script can cause a portal application to launch on the user device. The portal application can send a request to the authentication server on behalf of the user, including the unique request token and an access token stored by, or accessible to, the portal application. The authentication server can receive the request from the portal application and validate the request based on the unique request token and the access token. Upon validating the request, the authentication server can authenticate the user at the first application.

Abstract: A threat management facility detects a device on an enterprise network and determines whether the device is one of a set of managed devices for the enterprise network. When the device is not one of the set of managed devices, the threat management facility may determine whether the device is manageable. When the device is unrecognized and unmanageable, a portal may provide support to a user of the device by listing the device on an unclaimed device page published by the portal and accessible to authorized users of the enterprise network. An authorized user may claim the unrecognized device from the unclaimed device page and, in the process, may provide additional information regarding the unrecognized device. Once claimed, the previously unrecognized device may be permitted to communicate over the enterprise network.

Abstract: A client apparatus converts second input authentication information having a data content compliant with a second authentication method different from a first authentication method into authentication target information in a data format compliant with the first authentication method and transmits information corresponding to the authentication target information to a communication server apparatus. A server apparatus is capable of carrying out both a first process of providing a first authentication server apparatus that carries out an authentication process compliant with the first authentication method with first information corresponding to the authentication target information and a second process of providing a second authentication server apparatus that carries out an authentication process compliant with the second authentication method with second information corresponding to the authentication target information.

Abstract: A method for security and/or automation systems is described. In one embodiment, the method may include detecting a proximity of a user at a home automation device. The method may further include projecting an external display of home automation system information from the home automation device onto a surface. In some embodiments, the external display may be projected based, at least in part, on the detected proximity of the user at the home automation device.

Abstract: Methods and systems for multiple channel authentication are described. In one embodiment, a request for an interaction is initiated from within a mobile application. The request may include authentication information and contextual information relating to a current exchange between the mobile application and an organization. The user may be authenticated with the authentication information and the request may be routed to a representative based on the contextual information to continue the exchange.

Abstract: An approach is described for securely and automatically handling credentials when used for accessing endpoints, and/or applications and resources on the endpoints, and more particularly accessing web endpoints and/or web applications and resources on the web endpoints. The approach involves selecting and injecting credentials at an endpoint by an accessor and/or protocol agent to log into the endpoint, running applications, or gaining access to resources on the endpoint, without full credential information traversing the accessor's machine.

Abstract: A method and associated systems improve access time of a federated repository that represents a set of individual data repositories as a virtualized aggregated repository. An analyzer module counts the number of entries in each individual repository that are associated with each possible value of a selected concordance parameter. The analyzer stores these counts in a Concordance Frequency Table. When the federated-repository manager receives a data-access request, the analyzer associates the requested data element with a corresponding value of the concordance parameter. The analyzer then uses information stored in the Table to select an optimal sequence in which the federated-repository manager should search the repositories for the requested data. This optimal sequence orders the repositories such that the first repositories to be searched will be those that contain the greatest number of entries associated with the concordance-parameter value of the requested data.

Abstract: The present invention discloses a hardware control logic based data forwarding control method and a corresponding data forwarding control system. The method includes: externally connecting a terminal protection device to a protected host, and taking over all the data interfaces of the protected host; and controlling by a hardware control logic in the terminal protection device the connection and/or disconnection of a physical circuit corresponding to data forwarding when an external device interacts data with the protected host via the terminal protection device, so as to control the data interaction between the external device and the protected host.

Abstract: Techniques are disclosed to leverage third party “cookie stitchers” for cross-device user identification, which may be used by a network server to selectively provide content to a user. The techniques include a cookie stitcher associating a user with multiple computing devices, which in turn notifies the network server when the same user requests access to provided content on separate occasions from different computing devices. The cookie stitcher may also have access to a user record regarding the identified user, and may provide this record data to the network server to identify other characteristics about the user. Based upon the particular type of information that is identified, the network server may provide varying degrees of access to content and/or allow the user to interact with one or more applications supported by the network server in different ways.