Global (e.g., Single Sign On (SSO), etc.) Patents (Class 726/8)
  • Patent number: 10574646
    Abstract: Techniques are described for providing customizable sign-on functionality, such as via an access manager system that provides single sign-on functionality and other functionality to other services for use with those services' users. The access manager system may maintain various sign-on and other account information for various users, and provide single sign-on functionality for those users using that maintained information on behalf of multiple unrelated services with which those users interact. The access manager may allow a variety of types of customizations to single sign-on functionality and/or other functionality available from the access manager, such as on a per-service basis via configuration by an operator of the service, such as co-branding customizations, customizations of information to be gathered from users, customizations of authority that may be delegated to other services to act on behalf of users, etc.
    Type: Grant
    Filed: March 15, 2018
    Date of Patent: February 25, 2020
    Assignee: Amazon Technologies, Inc.
    Inventor: Peter Sirota
  • Patent number: 10547643
    Abstract: Methods and systems for distributed data verification between a relying party server and a client device using data attested by at least one attestation server. Entities are loosely coupled, while still allowing for authentication data and transaction data to be tightly coupled in any given interaction. There need not be any prior relationships between relying parties and attestation servers, or between relying parties and users. A common syntax enables a relying party to define what types of attested data items will be accepted for a particular transaction, without having to predetermine all possible sources of identification a user may wish to provide. The relying party may not know the source of the attested data items a priori, but can nevertheless determine if they are satisfactory once they are received.
    Type: Grant
    Filed: February 27, 2017
    Date of Patent: January 28, 2020
    Assignee: SecureKey Technologies Inc.
    Inventors: Michael Varley, Troy Jacob Ronda, Dmitry Barinov, Gregory Howard Wolfond, Pierre Antoine Roberge
  • Patent number: 10530834
    Abstract: Technologies related to resending hypertext transfer protocol (HTTP) requests are disclosed. One or more operations performed on a first web page are monitored. One or more HTTP requests that include the monitored one or more operations are sent to a server. Information associated with the one or more HTTP requests is recorded. Upon determining that an HTTP request of the one or more HTTP requests has failed to be sent, the HTTP request is recorded to a list of HTTP requests that failed to be sent. The HTTP request recorded to the list is deleted after receiving a normal response message from the server, and whether the list of HTTP requests that failed to be sent is empty is determined when redirecting from the first web page to a second web page.
    Type: Grant
    Filed: December 14, 2017
    Date of Patent: January 7, 2020
    Assignee: Alibaba Group Holding Limited
    Inventor: Liang Tian
  • Patent number: 10528541
    Abstract: In offline access of data in mobile devices, a request to access a document is received at a mobile server. The document is fetched from a BI platform to the mobile server. A plurality of requests is sent from the mobile server to the BI platform to retrieve data packages from the BI platform. The data packages are converted to a plurality of relational database management tables at the mobile server. The plurality of relational database management tables is compressed to a compressed database. The compressed database is sent to the mobile device and stored. A new request is received at the mobile device for operations on the document. Based on the new request, operations are performed on the document based on the compressed database stored in the mobile device, when the mobile device is not connected to the mobile server.
    Type: Grant
    Filed: December 13, 2016
    Date of Patent: January 7, 2020
    Assignee: SAP SE
    Inventors: Jagadish Radhakrishnan, Dharmesh Rana, Swati Krishna Setty, Arjun Krishnakumar
  • Patent number: 10530769
    Abstract: A method comprises a portable device obtaining a graphical encoded information item which is displayed on a display of a computing apparatus, decoding the encoded information from the encoded information item, and transmitting a first message to first server apparatus, the first message including the decoded information and a first identifier identifying the device or a user of the device, wherein the decoded information includes an apparatus identification information item for allowing identification of the computing apparatus, and the first server apparatus receiving the first message from the device, establishing the identity of the user of the device, wherein establishing the identity of the user comprises using the first identifier to determine if the user is registered with the first server apparatus in response to establishing the identity of the user, authorising the user to access a service, and providing the service to the user via the computing apparatus using the apparatus identification informati
    Type: Grant
    Filed: March 6, 2017
    Date of Patent: January 7, 2020
    Assignee: Ensygnia IP LTD (EIPL)
    Inventor: Richard H. Harris
  • Patent number: 10516759
    Abstract: Software services are managed from a single machine performing a service. Service providers offering SaaS applications solicit the single machine. Each service provider provides roles and device requirements for performing the corresponding SaaS. The single machine maintains a database that logs the software services offered by the service providers. Whenever a software service is needed, the single machine inventories its client devices for their resource capabilities and compares to the device requirements in the database. The database reveals the client machine(s) that best performs the role for the corresponding SaaS. Software services are thus integrated and managed from the single machine, thus allowing software services to be efficiently and quickly selected as network resources emerge.
    Type: Grant
    Filed: November 14, 2016
    Date of Patent: December 24, 2019
    Assignee: Dell Products, LP
    Inventors: Carlton A. Andrews, Joseph Kozlowski, Girish S. Dhoble
  • Patent number: 10516530
    Abstract: Apparatuses, methods, systems, and program products are disclosed for secure data handling and storage. A method includes receiving a plurality of keys for unlocking an encryption engine. Each key may be associated with a key holder. At least a subset of the plurality of keys are combined to generate a master key. An encryption engine is unlocked using the master key. Encrypted data is received at the encryption engine on a continuous basis. The encrypted data is encrypted using a first encryption key, and includes sensitive information for one or more users. The encrypted data is decrypted using the first encryption key. The decrypted data is re-encrypted using a second encryption key that is newer than the first encryption key.
    Type: Grant
    Filed: January 30, 2017
    Date of Patent: December 24, 2019
    Assignee: MX TECHNOLOGIES, INC.
    Inventors: Brandon Dewitt, Matt Hillary, Devin Christensen, John Atkinson, George Lambson
  • Patent number: 10506429
    Abstract: This specification presents methods and apparatus in a device and a network node implementing a Bootstrapping Server Function, BSF, for enabling multiple service functions/clients in the device sharing a common public identity and each performing its own registration to one or more (IMS) core networks, to use a common bootstrapping of application security based on the Generic Bootstrapping Architecture, GBA/Generic Authentication Architecture, GAA, infrastructure. Therefore, when using Extensible Markup Language, XML, Configuration Access Protocol, XCAP, or the like, the multiple service functions in the device use the same authentication method for all XCAP traffic or the like, such as GBA/GAA but enabling it to use the same key sets (e.g., same B-TID).
    Type: Grant
    Filed: February 22, 2017
    Date of Patent: December 10, 2019
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Cristina Badulescu, Sorin Surdila, Ralf Keller
  • Patent number: 10489183
    Abstract: A virtual machine migration method and apparatus are provided, which pertain to the field of computer technologies. The method includes: obtaining a first mapping relationship, pre-stored on a source cloud platform, between a source VM and a specified user when data in the source VM is migrated to a destination VM (201); configuring the destination VM and the specified user to form a second mapping relationship according to the obtained first mapping relationship (202); and storing the second mapping relationship on a destination cloud platform (203). Therefore, a user that has registered on the source VM can log in to a virtual desktop corresponding to the destination VM and does not need to register on the destination VM again.
    Type: Grant
    Filed: March 3, 2017
    Date of Patent: November 26, 2019
    Assignee: Huawei Technologies Co., Ltd.
    Inventor: Qingxiang Peng
  • Patent number: 10482518
    Abstract: According to one aspect, embodiments of the invention provide a router having a first I/O terminal and a second I/O terminal, wherein the first I/O terminal is configured to be in communication with at least one client via a first network, wherein the second I/O terminal is configured to be in communication with a plurality of remote servers via a second network, and wherein the router is configured to receive, at the first I/O terminal via the first network, a web services request from the at least one client, identify, based on the web services request from the at least one client, a group of the plurality of remote servers that are capable of fulfilling the web services request, and transmit, in parallel via the second I/O terminal and the second network, the received web services request to each one of the plurality of remote servers within the group.
    Type: Grant
    Filed: October 18, 2017
    Date of Patent: November 19, 2019
    Assignee: Walmart Apollo, LLC
    Inventor: John R. Frerking
  • Patent number: 10454761
    Abstract: Disclosed are various examples for client device migration to utilize management platform features. In one example, the client device is enrolled with a management service. Enterprise status data is requested and received from a client device. The status data indicates that the client device is compatible with a management platform. An indication that migration is accepted is received from the client device. A previous management profile is uninstalled on the client device. A device record that is compatible with the management platform is created. A management profile that is compatible with the management platform is installed on the client device.
    Type: Grant
    Filed: May 1, 2017
    Date of Patent: October 22, 2019
    Assignee: VMWARE, INC.
    Inventors: Gaurav Verma, Suchit Shivashankar
  • Patent number: 10437439
    Abstract: A method for providing one or more dynamic modifications relating to an electronic device is described. In some embodiments, methods may include receiving a workspace framework, receiving one or more applications relating to the workspace framework, receiving user input, and modifying at least one of the workspace framework and the one or more applications based at least in part on receiving the user input.
    Type: Grant
    Filed: March 12, 2015
    Date of Patent: October 8, 2019
    Assignee: Symantec Corporation
    Inventor: Ankit Kurani
  • Patent number: 10440009
    Abstract: Techniques are disclosed to leverage third party “cookie stitchers” for cross-device user identification, which may be used by a network server to selectively provide content to a user. The techniques include a cookie stitcher associating a user with multiple computing devices, which in turn notifies the network server when the same user requests access to provided content on separate occasions from different computing devices. The cookie stitcher may also have access to a user record regarding the identified user, and may provide this record data to the network server to identify other characteristics about the user. Based upon the particular type of information that is identified, the network server may provide varying degrees of access to content and/or allow the user to interact with one or more applications supported by the network server in different ways.
    Type: Grant
    Filed: July 18, 2017
    Date of Patent: October 8, 2019
    Assignee: WALGREEN CO.
    Inventors: Peter Manwiller, Adam Crouch
  • Patent number: 10432592
    Abstract: Methods, systems, computer-readable media, and apparatuses may provide password encryption for hybrid cloud services. A workspace cloud connector internally residing with an entity may intercept user credentials associated with an internal application being transmitted to an external cloud service. The workspace cloud connector may generate an encryption key and encrypt the user credentials via a reversible encryption methodology. The workspace cloud connector may encrypt the encryption key using an irreversible encryption methodology (e.g., use a hashing function to produce a first hash). The workspace cloud connector may transmit the encrypted user credentials and the first hash to a virtual delivery agent via a first path (e.g., via the external cloud service). In response, the workspace cloud connector may receive an address of the virtual delivery agent and, using the address, may send the encryption key to the virtual delivery agent via a second path different from the first path.
    Type: Grant
    Filed: May 9, 2016
    Date of Patent: October 1, 2019
    Assignee: Citrix Systems, Inc.
    Inventors: Leo C Singleton, IV, Andy Cooper
  • Patent number: 10423776
    Abstract: Systems and methods for password-based authentication are described. A password hardening method may include a step of receiving input provided by a user, wherein the user-provided input includes a password provided by the user for an application, and wherein at least a portion of the application is protected by a password-based authentication service. The method may also include a step of obtaining a hardened password for the user for the application, wherein the hardened password is based, at least in part, on the user-provided password, identification data associated with the application, and at least a portion of an entropy datastore associated with the user. The method may also include a step of providing the hardened password to the password-based authentication service, wherein the authentication service grants the user access to the password-protected portion of the application based, at least in part, on the provided hardened password.
    Type: Grant
    Filed: June 14, 2016
    Date of Patent: September 24, 2019
    Inventor: Zhiwei Li
  • Patent number: 10423796
    Abstract: According to an example, to authenticate a user of a computing device, a user login request with at least one primary credential is received from a computing device. At least one primary credential is validated to authenticate the user, and a first device token is created and transmitted to the computing device. A secondary credential is received from the computing device, and a server token and a reference to the server token are created. The server token is encrypted and stored and the server token reference is sent to the computing device for use in a subsequent authentication with the secondary credential.
    Type: Grant
    Filed: September 30, 2014
    Date of Patent: September 24, 2019
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Michael B Beiter, Matthew Messinger
  • Patent number: 10419488
    Abstract: A system may delegate authority to manage aspects of a security policy developed by administrative personnel to standard users (e.g. non-administrative personnel) corresponding to managed accounts within an administrative hierarchy. An exemplary security policy may include application management settings that allow or deny individual applications with access to various enterprise resources. The system may expose one or more user interfaces to standard users of an enterprise network to enable these standard users to modify the security policy being deployed for their managed account and/or to at least temporarily exempt a particular application from the enterprise's security policy. For example, upon a standard user attempting to access enterprise data with a particular application that is not permitted such access, the system may enable this standard user to change the security policy as applied to her device or to simply exempt the particular application from the security policy.
    Type: Grant
    Filed: March 3, 2017
    Date of Patent: September 17, 2019
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Preston Derek Adam, Violet Anna Barhudarian, Narendra S. Acharya, Richard June, Shayak Lahiri, Qiongzhi Wu
  • Patent number: 10412091
    Abstract: The described technology provides a single sign-on capability so that a user who is already signed on to a web application from a client application may not be required to sign-on again when he/she later needs access to the web application from the same or another client application. The technology also provides a multiple login prevention capability to detect multiple sign-on events using the same credentials and disable one or more of the associated multiple sessions.
    Type: Grant
    Filed: May 8, 2018
    Date of Patent: September 10, 2019
    Assignee: Nasdaq, Inc.
    Inventor: Vladimir Mitevski
  • Patent number: 10412573
    Abstract: Embodiments of this application provide a near-field wireless communication service processing method performed at a first computing device. While running a social networking application, the first computing device listens to a near-field wireless communication signal broadcasted by a second computing device. After detecting the near-field wireless communication signal broadcasted by the second computing device, the first computing device processes the near-field wireless communication signal to obtain identification information associated with the second computing device. The first computing device sends the identification information associated with the second computing device to a remote server supporting the social networking application and obtains a preset service page corresponding to the identification information associated with the second computing device from the server, and displays the preset service page within the social networking application on the first computing device.
    Type: Grant
    Filed: August 6, 2018
    Date of Patent: September 10, 2019
    Assignee: TENCENT TECHNOLOGY (SHENZHEN) COMPANY LIMITED
    Inventors: Kai Ma, Maohua Chen, Mo Zhao, Zhenxi Qiu, Xiaoming Wu, Nan Cheng, Xiaohui Zheng, Junxiong Chen, Jinheng Xie, Zhe Cheng, Le Yu, Shuhui Mei, Chi Zhang, Huiqin Yang, Yao Qin, Shunfu Ye, Tao Zhang, Wenrong Tang, Yangbin Huang, Ming He, Chaoxiong Diao, Pengbo Zhang, Guanqiao Su, Hongmin Zheng, Xiaojuan Zhang, Zhejin Huang, Xiaoyang Qian, Zhongming Guo, Xiaoyi Fang, Yang Zuo, Yan Dai
  • Patent number: 10397213
    Abstract: An access control service to provide access control for operations between resources and/or between resources and users in a cloud computing environment. The access control service receives a request to perform an operation. The requested operation could be initiated by a resource with respect to another resource. The requested operation could also be initiated by a user with respect to a resource. The access control service determines whether the requested operation is permitted. If the requested operation is permitted, the access control service provides the credentials required to perform the requested operation.
    Type: Grant
    Filed: May 26, 2015
    Date of Patent: August 27, 2019
    Assignee: CONJUR, INC.
    Inventors: Kevin Gilpin, Elizabeth Lawler
  • Patent number: 10382402
    Abstract: The invention relates to a telecommunications assembly (10) and a method for traversing an application layer gateway firewall (40) during the establishment of an RTC communication connection between an RTC client (20) and an RTC server (30) using a proprietary RTC signalling protocol, wherein the firewall (40) has no specific knowledge of the proprietary RTC signalling protocol.
    Type: Grant
    Filed: October 15, 2015
    Date of Patent: August 13, 2019
    Assignee: Unify GmbH & Co. KG
    Inventors: Karl Klaghofer, Thomas Stach, Jürgen Totzke
  • Patent number: 10366388
    Abstract: Disclosed are techniques that use devices with corresponding identity wallet applications that execute on an electronic processor device of the devices, and which identity wallets store identity information and encrypt the stored identity information. A distributed ledger system, and a broker system that interfaces to the wallet and the distributed ledger are used for various information exchange scenarios in which a requesting system and user devices, the distributed ledger system, the broker system and the requesting system are interconnected via an electronic network through respective network interface devices.
    Type: Grant
    Filed: April 13, 2016
    Date of Patent: July 30, 2019
    Assignee: Tyco Fire & Security GmbH
    Inventors: Richard Campero, Graeme Jarvis, Jason Ouellette
  • Patent number: 10361856
    Abstract: Embodiments of the invention are directed to systems and methods for validating transactions using a cryptogram. One embodiment of the invention is directed to a method of processing a remote transaction initiated by a communication device provisioned with a token. The method comprises receiving, by a service provider computer, from an application on the communication device, a request for a token authentication cryptogram, wherein the token authentication cryptogram includes encrypted user exclusive data. The service provider computer may generate the token authentication cryptogram to include the user exclusive data. The service provider computer may send the token authentication cryptogram to the application, where the token authentication cryptogram can be used to validate the transaction, and the user exclusive data is extracted from the token authentication cryptogram during validation.
    Type: Grant
    Filed: June 23, 2017
    Date of Patent: July 23, 2019
    Assignee: Visa International Service Association
    Inventors: Michael Cassin, Christian Flurscheim, Christopher Jones
  • Patent number: 10348720
    Abstract: A cloud authentication system is disclosed. A request for an authentication setup for a first user of a first service provider is received. Additional information, such as authentication criteria, can further be received, such as from the first service provider. A set of stimuli to associate with a first user profile of the first user of the first service provider is stored.
    Type: Grant
    Filed: June 10, 2015
    Date of Patent: July 9, 2019
    Assignee: RavenWhite Inc.
    Inventor: Bjorn Markus Jakobsson
  • Patent number: 10339123
    Abstract: Examples of data management for tenants are described herein. In an example, a storage system includes a management tree for each of a plurality of tenants associated with the storage system. The management tree includes data management policies defined by the tenant. Further, the management tree includes a storage tree, which is mapped to a storage domain. The storage domain may hold data pertaining to the tenant. The data may be managed based on the data management policies defined by one of the management tree and the storage tree.
    Type: Grant
    Filed: January 15, 2015
    Date of Patent: July 2, 2019
    Assignee: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
    Inventors: Dinesh Venkatesh, Kishore Kumar M
  • Patent number: 10334040
    Abstract: In a non-transitory computer-readable storage medium having instructions embodied therein that when executed cause a computer system to perform a method of sharing information between pre-configured hyper-converged computing devices over a wide area network via a distributed peer-to-peer protocol. The method includes automatically discovering pre-configured hyper-converged computing devices in a local area network, and sharing information between pre-configured hyper-converged computing devices over a wide area network via a distributed peer-to-peer protocol such that there is no single point of failure for the sharing information between the pre-configured hyper-converged computing devices over the wide area network.
    Type: Grant
    Filed: May 1, 2015
    Date of Patent: June 25, 2019
    Assignee: VMware, Inc.
    Inventors: Dave Shanley, Wit Riewrangboonya
  • Patent number: 10321385
    Abstract: A method and apparatus are provided for web-based real-time communication. The method includes receiving, from a user equipment (UE), a message requesting information about an Internet Protocol Multimedia Subsystem (IMS) network to which the user equipment (UE) is to access; transmitting, to the UE, address information of the IMS network to which the UE is to access, in response to the received message; and transmitting, to a network device of the IMS network, information about the UE to request establishment of a bearer for a web-based real-time data service. A signaling message for the web-based real-time data service is transmitted between the UE and the IMS network through the bearer.
    Type: Grant
    Filed: June 29, 2015
    Date of Patent: June 11, 2019
    Assignee: Samsung Electronics Co., Ltd
    Inventors: Young-Kyo Baek, Song-Yean Cho, Sang-Soo Jeong
  • Patent number: 10291658
    Abstract: Techniques to apply and share remote policies on personal devices are described. In an embodiment, a technique includes contacting an enterprise server from an enterprise application operating on a personal device. The enterprise application may receive policies from the enterprise server. The policies may be applied to the enterprise application. When a second enterprise application on the personal device is launched, the policies may also be applied to the second enterprise application. When a policy is changed on the enterprise server, notification is pushed to the personal device and all related enterprise applications on the personal device may be updated to enforce the policy change. Other embodiments are described and claimed.
    Type: Grant
    Filed: November 9, 2011
    Date of Patent: May 14, 2019
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Jonathan Kent, Michael Hamler, Shivakumar Seetharaman, Gregory Bolles
  • Patent number: 10291609
    Abstract: A technique for promoting network security employs a vault appliance that serves as a local security hub for users and their devices. The vault appliance securely stores user information and definitions of rights, i.e., activities that user devices may perform, and securely dispatches those rights in response to right-requests from devices and subject to verification.
    Type: Grant
    Filed: November 9, 2016
    Date of Patent: May 14, 2019
    Assignee: Reavire, Inc.
    Inventor: Jeff Gullicksen
  • Patent number: 10289861
    Abstract: Embodiments of a system and method for sharing media content are generally described herein. A method may include receiving, from a first clearing device, a first indication of approval for sharing media content from an originating device, the first indication identifying the originating device, sending an encryption key for sharing the media content to the originating device, receiving an encrypted file, the encrypted file including the media content encrypted using the encryption key from the originating device, sending the encryption key and the encrypted file to a second clearing device, receiving, from the second clearing device, a second indication of approval for viewing media content, the second indication identifying a destination device, and sending, in response to receiving the second indication of approval, the encryption key and the encrypted file to the destination device.
    Type: Grant
    Filed: July 1, 2016
    Date of Patent: May 14, 2019
    Assignee: Intel Corporation
    Inventors: Glen J. Anderson, Robert Adams, Yevgeniy Yarmosh
  • Patent number: 10284642
    Abstract: A pre-configured hyper-converged computing device for supporting a virtualization infrastructure includes one or more independent server nodes each comprising a CPU, memory, and storage. The device also includes a peer-to-peer communication agent, that when executed, provides peer-to-peer communication between pre-configured hyper-converged computing devices in a wide area network, and enables a federated single sign-on to the wide area network.
    Type: Grant
    Filed: May 1, 2015
    Date of Patent: May 7, 2019
    Assignee: VMware, Inc.
    Inventors: Dave Shanley, Wit Riewrangboonya
  • Patent number: 10284532
    Abstract: Methods and systems for managing access to a resource by one of a plurality of applications. The method comprises: storing, in a first storage area associated with a first application, a first credential for use in accessing the resource; receiving, at a second application, a message comprising data for determining that the first application stores a validated credential for accessing the resource; sending a request for the validated credential from the second application to the first application; receiving the first credential at the second application from the first application in response to the request sent; and storing the first credential in a second storage area associated with the second application; wherein the message received at the second application is received from a server system, remote from the plurality of applications, which maintains data indicating a subset of the plurality of applications which store respective validated credentials for accessing the resource.
    Type: Grant
    Filed: February 25, 2016
    Date of Patent: May 7, 2019
    Assignee: BlackBerry Limited
    Inventors: Sean Michael Quinlan, Haniff Somani, Alibek Jorajev, Sanjiv Maurya, Gary Gilchrist, Luis Chirinos, Kevin Charles Lohman, Nicholas Van Someren
  • Patent number: 10285056
    Abstract: Methods, systems, and computer-readable media for using derived credentials to enroll a mobile computing device with an enterprise mobile device management system are described herein. In various embodiments, a mobile computing device, responsive to a command to enroll with an enterprise mobile device management server, may launch an enrollment application; send an enrollment request message to the enterprise mobile device management server; switch to a certificate management system application on the mobile computing device; request one or more derived credentials from a certificate management system server; store the one or more derived credentials in a shared vault on the mobile computing device; switch to the enrollment application; retrieve a derived credential of the one or more derived credentials stored in the shared vault; and, provide the derived credential to the enterprise mobile device management server to enroll the mobile computing device with at least one mobile device management service.
    Type: Grant
    Filed: April 10, 2017
    Date of Patent: May 7, 2019
    Assignee: Citrix Systems, Inc.
    Inventors: Shaunak Mistry, Younus Aftab
  • Patent number: 10277572
    Abstract: Systems, methods, and software can be used to share content. In some aspects, an enterprise mobility management (EMM) server receives a command for provisioning a user for an enterprise service at an identity provider (IDP). The EMM server sends a user provisioning request to the IDP. The user provisioning request includes a user identity attribute and a user entitlement attribute, the user identity attribute identifies the user, and the user entitlement attribute indicates an access level associated with the user for the enterprise service. The EMM server receives a user provisioning response from the IDP. The user provisioning response indicates that the user is provisioned at the IDP for the enterprise service.
    Type: Grant
    Filed: April 12, 2016
    Date of Patent: April 30, 2019
    Assignee: BlackBerry Limited
    Inventors: Mendel Elliot Spencer, Kirk Douglas Smith, David Brian Seel, Robert Lorne Bowerman, Aleksandar Susnjar, Calin Marius Bozsitz
  • Patent number: 10263962
    Abstract: Methods are provided for authenticating user authentication data, associated with a user ID, at an authentication system. The authentication system comprises an authentication server connected to a network, and a secure cryptoprocessor operatively coupled to the authentication server. A first token for the user ID is provided in data storage operatively coupled to the authentication server. The first token is produced by the secure cryptoprocessor by encoding the user authentication data associated with the user ID via an encoding process dependent on a secret key of the secure cryptoprocessor. The authentication server receives an authentication request for the user ID from a remote computer via the network. The authentication request comprises a ciphertext encrypting user authentication data under a public key of a first public-private key pair, the private key of which is secret to the secure cryptoprocessor.
    Type: Grant
    Filed: May 10, 2017
    Date of Patent: April 16, 2019
    Assignee: International Business Machines Corporation
    Inventors: Mark Korondi, Daniel Kovacs, Zoltan Arnold Nagy
  • Patent number: 10241696
    Abstract: The present disclosure relates to protecting computer systems from installation of rogue shared libraries when executable files are launched. An example method generally includes detecting that a downloaded file has been written to an insecure location on the computing device. A computing device determines that the downloaded file includes at least a first executable component and, upon determining that the downloaded file includes executable components, generates a copy of the executable component in a protected repository on the computing device. The computing device overwrites the contents of the executable component with at least instructions to launch the copy of the downloaded file from the protected repository.
    Type: Grant
    Filed: February 15, 2017
    Date of Patent: March 26, 2019
    Assignee: Symantec Corporation
    Inventor: Daniel J. Kowalyshyn
  • Patent number: 10230564
    Abstract: A single sign-on system accepts master credentials from a user device and/or application, and automatically signs on to supported services using account credentials corresponding to those services. If the user has not created an account used by a particular device or application, the system can automatically interact with the account service to create the account. Similarly, if the device or application that relies on the account has not already been registered with the account, the system automatically interacts with the account to register the device or account.
    Type: Grant
    Filed: April 29, 2011
    Date of Patent: March 12, 2019
    Assignee: Amazon Technologies, Inc.
    Inventors: Luhui Hu, Jonathan A. Leblang, David J. Zimmer
  • Patent number: 10229262
    Abstract: An approach is described for securely and automatically handling credentials when used for accessing endpoints, and/or applications and resources on the endpoints, and more particularly accessing web endpoints and/or web applications and resources on the web endpoints. The approach involves selecting and injecting credentials at an endpoint by an accessor and/or protocol agent to log into the endpoint, running applications, or gaining access to resources on the endpoint, without full credential information traversing the accessor's machine.
    Type: Grant
    Filed: June 27, 2017
    Date of Patent: March 12, 2019
    Assignee: Bomgar Corporation
    Inventors: Rajesh Cherukuri, John Burns Smith, III, Nicholas Shawn Twerdochlib, Ricardo Fabiano De Andrade
  • Patent number: 10230710
    Abstract: One embodiment of the invention is directed to a computer-implemented method comprising, receiving registration information for one or more application programming interfaces (APIs) at a registrar computer system associated with a federated network of computing devices. The method further comprises generating a unique address for each API included in the registration information. The method further comprises generating a token confirming the registration of the APIs where the token identifies a trust relationship within the federated network of computing devices. The method further comprises receiving a request for the token from another registrar computer system that includes a canonical address for a particular API of the one or more APIs. The method further comprises providing the token to establish a secure connection with the federated network of computing devices.
    Type: Grant
    Filed: August 4, 2016
    Date of Patent: March 12, 2019
    Assignee: Visa International Service Association
    Inventor: Quan Wang
  • Patent number: 10225244
    Abstract: Web-based single sign-on can enable a user to log in to a single interface (such as through a web browser or thin client) and then provide SSO services to the user for one or more web applications. The web-based SSO system can be extended to support one or more different access control methods, such as form-fill, Federated (OIF), SSO Protected (OAM), and other policies. The web-based SSO system can include a user interface through which the user can access different web applications, systems, etc. and manage their credentials. Each SSO service can be associated with a web interface allowing the SSO services to be accessed over the web. The web interfaces can provide CRUD (create, read, update, delete) functionality for each SSO service. To support different access policy types, the web-based SSO system can include an extensible data manager that can manage data access to different types of repositories transparently.
    Type: Grant
    Filed: September 22, 2014
    Date of Patent: March 5, 2019
    Assignee: Oracle International Corporation
    Inventors: Marc B. Manza, Mrudul Uchil, Smith William Cornwell, Siva Sundeep Kuppala
  • Patent number: 10218707
    Abstract: A computer account server receives a nominee identity from an account owner associated with owner access credentials. The nominee identity is stored in a data structure of a computer account that is selected based on the owner access credentials. Electronic access to information stored in the data structure is then restricted to access requests from computer terminals that provide the owner access credentials. In response to determining that an account handoff event has become satisfied for the computer account, the computer account server sends a nominee handoff message using the nominee identity retrieved from the data structure. A nominee access request message is received from a nominee computer terminal. In response to validating content of the nominee access request message, the computer account server modifies the restriction of electronic access to grant the nominee computer terminal electronic access to the information stored in the data structure of the computer account.
    Type: Grant
    Filed: September 28, 2016
    Date of Patent: February 26, 2019
    Assignee: CA, Inc.
    Inventors: Rajendra Kumar Pachouri, Chinmay Namjoshi, Lal Mohan Kumar, Hitesh Jain
  • Patent number: 10216789
    Abstract: Different data-sets for functionality to be synchronized across users can be identified by many variables including social networks the user is participating in, by identified interests of the user, by the physical location of the device being synchronized, by one or more applications being used on the device, by the season, by a social event being attended by a user, and by a wireless network being accessed at that time.
    Type: Grant
    Filed: November 26, 2014
    Date of Patent: February 26, 2019
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Judith H Bank, Liam Harpur, Ruthie D Lyle, Patrick J O'Sullivan, Lin Sun
  • Patent number: 10212152
    Abstract: Embodiments of the invention provide a method, system and computer program product for advanced application authentication utilizing an application key. In a method of the invention, an end user provides in a single user interface screen for authenticating into an application, each of a user identification, password and an application key. Thereafter, the application key is validated in connection with the user identification. If the application key validates in connection with the user identification, one or more application parameters for the application necessary to complete a log-in process are retrieved and the end user is authenticated into the application utilizing each of the user identification, password and application parameters so as to complete the log in process for the end user and the application and the end user is granted the ability to utilize the application.
    Type: Grant
    Filed: May 19, 2016
    Date of Patent: February 19, 2019
    Assignee: SUGARCRM INC.
    Inventor: Anirban Maiti
  • Patent number: 10171451
    Abstract: Respective cryptographic shares of password data, dependent on a user password, are provided at n authentication servers. A number t1≤n of the password data shares determine if the user password matches a password attempt. Respective cryptographic shares of secret data, enabling determination of a username for each verifier server, are provided at n authentication servers. A number t2≤t1 of the shares reconstruct the secret data. For a password attempt, the user computer communicates with at least t1 authentication servers to determine if the user password matches the password attempt and, if so, the user computer receives at least t2 secret data shares from respective authentication servers. The user computer uses the secret data to generate, with T≤t1 of said t1 servers, a cryptographic token for authenticating the user computer to a selected verifier server, secret from said at least T servers, under said username.
    Type: Grant
    Filed: June 13, 2018
    Date of Patent: January 1, 2019
    Assignee: International Business Machines Corporation
    Inventors: Jan Camenisch, Yossi Gilad, Anja Lehmann, Zoltan A. Nagy, Gregory Neven
  • Patent number: 10171467
    Abstract: Example embodiments of the present disclosure provide methods, devices, and computer programs for authorization detection. The first system receives, from the second system unauthorized by the first system, a request for operating a resource of the first system. The first system causes a detection of an authorization chain to be detected based on the first record that at least indicates one or more systems that are authorized by the first system. The authorization chain includes at least a third system that authorizes the second system and is authorized by the first system. If the authorization chain is detected, the first system authorizes the operation of the resource of the first system.
    Type: Grant
    Filed: July 21, 2016
    Date of Patent: January 1, 2019
    Assignee: International Business Machines Corporation
    Inventors: Lei Nie, Chun Lei Xu
  • Patent number: 10164964
    Abstract: Respective cryptographic shares of password data, dependent on a user password, are provided at n authentication servers. A number t1≤n of the password data shares determine if the user password matches a password attempt. Respective cryptographic shares of secret data, enabling determination of a username for each verifier server, are provided at n authentication servers. A number t2≤t1 of the shares reconstruct the secret data. For a password attempt, the user computer communicates with at least t1 authentication servers to determine if the user password matches the password attempt and, if so, the user computer receives at least t2 secret data shares from respective authentication servers. The user computer uses the secret data to generate, with T≤t1 of said t1 servers, a cryptographic token for authenticating the user computer to a selected verifier server, secret from said at least T servers, under said username.
    Type: Grant
    Filed: June 13, 2018
    Date of Patent: December 25, 2018
    Assignee: International Business Machines Corporation
    Inventors: Jan Camenisch, Yossi Gilad, Anja Lehmann, Zoltan A. Nagy, Gregory Neven
  • Patent number: 10164965
    Abstract: Respective cryptographic shares of password data, dependent on a user password, are provided at n authentication servers. A number t1≤n of the password data shares determine if the user password matches a password attempt. Respective cryptographic shares of secret data, enabling determination of a username for each verifier server, are provided at n authentication servers. A number t2≤t1 of the shares reconstruct the secret data. For a password attempt, the user computer communicates with at least t1 authentication servers to determine if the user password matches the password attempt and, if so, the user computer receives at least t2 secret data shares from respective authentication servers. The user computer uses the secret data to generate, with T≤t1 of said t1 servers, a cryptographic token for authenticating the user computer to a selected verifier server, secret from said at least T servers, under said username.
    Type: Grant
    Filed: June 13, 2018
    Date of Patent: December 25, 2018
    Assignee: International Business Machines Corporation
    Inventors: Jan Camenisch, Yossi Gilad, Anja Lehmann, Zoltan A. Nagy, Gregory Neven
  • Patent number: 10158622
    Abstract: A system and method are presented for providing generic single sign-on in an electronic device. Information is received that identifies one or more applications and associated identity authenticators and a whitelist of the identified applications and authenticators is created. A request for an access token is received from a requesting application. If the requesting application is listed in the whitelist, an authenticator associated with the requesting application is determined and a request for an access token is sent to the associated authenticator. In response to the request, an access token is received from the authenticator and the access token is sent to the requesting application. If the requesting application is not listed in the whitelist, a predefined response message is sent to the requesting application.
    Type: Grant
    Filed: December 22, 2015
    Date of Patent: December 18, 2018
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Haiqing Jiang, Varun Shimoga Prakash, Xiao Liu, Pavan Kumar Emani, Xiao Zhang, Xinwen Zhang
  • Patent number: 10148640
    Abstract: This disclosure describes a method for accessing network resources which includes receiving by a first application in a mobile computing device sign-in information from a user and enabling the user to sign in to a second application with the first application to access network resources from a resource server based on (a) a first application identification (ID) of the second application, (b) the user authorizing the second application to the resource server, and (c) receiving an authorization grant from the resource server to enable the second application to access the network resources, the mobile computing device coupled with the resource server via a network.
    Type: Grant
    Filed: September 12, 2016
    Date of Patent: December 4, 2018
    Assignee: salesforce.com, inc.
    Inventors: Sachin Desai, Qingqing Liu, Ronald Fischer
  • Patent number: 10142331
    Abstract: The present disclosure provides a method, terminal, and system for authentication with respect to an application. The present techniques may be applicable at a terminal with near-field communication function. When a particular operation of the application is triggered, a near-field device within a certain distance of a terminal is detected. An identification of the near-field device is obtained. The identification is sent to a server to request the server to determine whether the near-field device is a particular near-field device corresponding to the particular operation. A result of authentication performed by the server according to the identification is obtained. A following processing is applied to the particular operation according to the result of authentication. The present techniques ensure safety of operations of the application operated at the terminal.
    Type: Grant
    Filed: December 2, 2016
    Date of Patent: November 27, 2018
    Assignee: Alibaba Group Holding Limited
    Inventor: Dong Ye