Global (e.g., Single Sign On (SSO), etc.) Patents (Class 726/8)
  • Patent number: 10142378
    Abstract: A virtual identity and context module may generate a virtual identity for a user. Virtual identities for different categories of users may be sourced from disparate identity services. For example, a first authentication of the user provided by a first identity service may be identified. A first virtual attribute field of the virtual identity may be populated or filled based on a first attribute field associated with the first identity service. A second identity service associated with the user may also be identified. A second virtual attribute field of the virtual identity may be populated or filled based on a second attribute field associated with the second identity service. Access to an application may be provided to a user based on the virtual attribute fields of the virtual identity that has been generated for the user.
    Type: Grant
    Filed: January 30, 2014
    Date of Patent: November 27, 2018
    Assignee: SYMANTEC CORPORATION
    Inventors: Robert Koeten, Jeff L. Lowe
  • Patent number: 10135806
    Abstract: A method for creating a virtual SIP user agent by use of a webRTC enabled web browser (200) comprises a user logging in to a web application server (400) via a webRTC enabled web browser (200). The web application server (400) uses the logged on user identity to lookup an associated SIP user identity along with a registrar server address and the web application server (400) initiates a SIP registration procedure using its IP address as the registered contact.
    Type: Grant
    Filed: September 26, 2017
    Date of Patent: November 20, 2018
    Assignee: Unify GmbH & Co. KG
    Inventors: Eleni Saridaki, Elias Balafoutis
  • Patent number: 10120896
    Abstract: Different data-sets for functionality to be synchronized across users can be identified by many variables including social networks the user is participating in, by identified interests of the user, by the physical location of the device being synchronized, by one or more applications being used on the device, by the season, by a social event being attended by a user, and by a wireless network being accessed at that time.
    Type: Grant
    Filed: February 18, 2014
    Date of Patent: November 6, 2018
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Judith H Bank, Liam Harpur, Ruthie D Lyle, Patrick J O'Sullivan, Lin Sun
  • Patent number: 10095834
    Abstract: Various embodiments implement a multiplatform system architected to provide secure messaging between a plurality of disparate systems (e.g., mobile devices, secure cloud systems, remote locations, health monitoring devices, fitness centers, etc.), co-ordinate resources associated with each of the disparate systems, manage communication between proprietary applications via customized application programming interfaces (APIs) and manage reservation of resources of the disparate systems via the APIs. Further embodiments enable an extensible system architecture to incorporate additional systems. In some embodiments, the system includes a multi-layered database architecture to mediate information and access control (e.g., based on inheritable privileges, specific user classes are allowed or denied access to data in the database). In further embodiments, the data architecture is architected with access layers that ensure compliance with regulatory systems governing health data.
    Type: Grant
    Filed: May 6, 2016
    Date of Patent: October 9, 2018
    Assignee: YC Wellness, Inc.
    Inventors: Joseph Howley, Jonathan Ervin Creekmore
  • Patent number: 10097533
    Abstract: An identity management system provides single sign-on (SSO) services to clients, logging the clients into a variety of third-party services for which the clients have accounts. An SSO integration is stored for each of the third-party services, the SSO integration including information that allows the identity management system to automate the login for the corresponding third-party service, such as locations of the login pages, and/or identities of username and password fields. The identity management system uses different techniques in different embodiments to detect that a given SSO integration is broken (i.e., no longer permits login for its corresponding third-party service) and/or to repair the SSO integration.
    Type: Grant
    Filed: September 4, 2015
    Date of Patent: October 9, 2018
    Assignee: OKTA, INC.
    Inventors: Reman P. Child, Hassen Karaa, Xin Gu, Hector Aguilar-Macias, Andrew P. Drozdov
  • Patent number: 10089098
    Abstract: Systems and methods for providing an application marketplace configured to install applications outside of an application store provided by the entity providing the operating system of a computing device in accordance with embodiments of the invention are illustrated.
    Type: Grant
    Filed: February 7, 2017
    Date of Patent: October 2, 2018
    Assignee: SweetLabs, Inc.
    Inventor: Adrian Bourke
  • Patent number: 10085150
    Abstract: Examples of techniques for authenticating mobile applications are described herein. A method can include receiving, by a processor, a key pair and a policy file associated with a mobile service. The processor can receive a service request from a mobile application at a security gateway. The processor can detect that the service request includes an invalid or missing access token. The processor can redirect the mobile application to request a grant token from an authorization end point on a server. The processor can receive a grant token request from the mobile application and forward the grant token request to the server based on a policy file, the policy file including a list of: a plurality of security objects to be authenticated, a plurality of computing devices to authenticate the security objects, and an order of authentication.
    Type: Grant
    Filed: May 11, 2017
    Date of Patent: September 25, 2018
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Ishai Borovoy, Iddo Levin, Haim Schneider, Gal Shachor, Artem Spector
  • Patent number: 10063552
    Abstract: Application-manager software authenticates a user of a client device over a channel. The authentication operation is performed using a directory service. The application-manager software presents a plurality of applications in a GUI displayed by the client device. The plurality of applications depends on the authentication, the client device, and the channel. And the plurality of applications includes a thin application and a software-as-a-service (SaaS) application. The application-manager software receives a selection as to an application from the user. If the selection is for the SaaS application, the application-manager software provisions the SaaS application. The provision includes automatically logging the user onto an account with a provider of the SaaS application using a single sign-on and connecting the user to the account so that the user can interact with the SaaS application. If the selection is for the thin application, the application manager software launches the thin application.
    Type: Grant
    Filed: March 23, 2015
    Date of Patent: August 28, 2018
    Assignee: VMware, Inc.
    Inventors: William Pugh, Michael Eakes, Ojvind Bernander, Pradyumna Gundavaram
  • Patent number: 10063568
    Abstract: A method, system and computer-usable medium are disclosed for generating a cyber behavior profile, comprising: monitoring user interactions between a user and an information handling system; converting the user interactions and the information about the user into electronic information representing the user interactions; generating a unique cyber behavior profile based upon the electronic information representing the user interactions and the information about the user; and, storing information relating to the unique cyber behavior profile in a behavior blockchain.
    Type: Grant
    Filed: January 24, 2018
    Date of Patent: August 28, 2018
    Assignee: Forcepoint LLC
    Inventors: Richard Anthony Ford, Brandon L. Swafford, Christopher Brian Shirey, Matthew P. Moynahan, Richard Heath Thompson
  • Patent number: 10063547
    Abstract: A third-party application client performs authorization authentication with a user client and a platform server. The third party application obtains an access token and an open ID. The third-party application client interacts with the platform server for information related to the user ID by using the token, calls the user client or is called by the user client according to the open ID. The third-party application client may interact with the platform server for the information related to the user ID by using the token, so that other resources or information of the user accumulated for the platform server can be used by the third-party application client continuously.
    Type: Grant
    Filed: March 10, 2015
    Date of Patent: August 28, 2018
    Assignee: TENCENT TECHNOLOGY (SHENZHEN) COMPANY LIMITED
    Inventors: Xiaolong Zhang, Bin Zhang, Yuetong Mai, Runda Cai, Jisheng Huang, Kunfeng Rong, Sixin Gu, Yi Duan, Linping Tang, Wa Ye, Xixi Wang, Hongyang Wang
  • Patent number: 10061917
    Abstract: System and method of a single machine or cluster of machines acting as a single machine that simplifies and consolidates the hosting of appliances using virtualization, containers, and/or any type of sandboxing to host virtual appliances, however, interconnecting these appliance nodes in a manner of having one centralized node acting as the security center, firewall appliance, and information distributer for not only the local virtual network(s), machines, appliances, but physical and foreign virtual networks which includes but is not limited to wireless connectivity and/or whatever the current ubiquitous connectivity, as well as multiple sub-networks via single or multiple networking adapters; using these methods allows for a completely secure customized network environment with all the needed appliances for the intended use case.
    Type: Grant
    Filed: May 4, 2015
    Date of Patent: August 28, 2018
    Inventor: Benjamin Robert Gardner
  • Patent number: 10057238
    Abstract: Devices, systems, and methods for generating a secure token specific to an online service provider are provided. User account information of a user is transmitted to a token processor from an online service provider requesting a secure token generation. The token processor also receives, from the online service provider, exchange information for an exchange between the user and the online service provider. The token processor generates, based on the exchange information and the user account information, a secure token to be used for the exchange. The generated secure token is mapped to the online service provider and transmitted to the online service provider. The exchange information is deleted from the online service provider. The stored secure token is usable only at the mapped online service provider.
    Type: Grant
    Filed: February 28, 2018
    Date of Patent: August 21, 2018
    Assignee: AT&T INTELLECTUAL PROPERTY I, L.P.
    Inventor: Michael Gulledge
  • Patent number: 10049224
    Abstract: Some aspects of the disclosure generally relate to providing single sign on features in mobile applications in a secure environment using a shared vault. An application may prompt a user to provide user entropy such as a passcode (e.g. a password and/or PIN). The application may use the user entropy to decrypt a user-entropy-encrypted vault key. Once the vault key is decrypted, the application may decrypt a vault database of the shared vault. The shared vault may store shared secrets, such as server credentials, and an unlock key. The application may store the unlock key, generate an unlock-key-encrypted vault key, and cause the shared vault to store the unlock-key-encrypted vault key, thereby “unlocking” the vault. The application may then use the unlock key to decrypt the vault database without prompting the user to provide user entropy again.
    Type: Grant
    Filed: March 10, 2017
    Date of Patent: August 14, 2018
    Assignee: Citrix Systems, Inc.
    Inventors: Georgy Momchilov, Ola Nordstrom
  • Patent number: 10033763
    Abstract: An application launcher is disclosed for retrieving and permitting launch of multiple mobile applications through a single, secure authentication process, and a method of use. The method includes receiving a request to launch one or more applications through a single authentication process. The method further includes authenticating a user through an application launcher. The method further includes appending a security token to one or more applications upon authentication of the user to enable the user to launch the one or more applications through the single authentication process provided by the application launcher.
    Type: Grant
    Filed: May 3, 2013
    Date of Patent: July 24, 2018
    Assignee: Kony INC.
    Inventors: Raj Kumar Koneru, Pattabhi Rama Rao Dasari, Prajakt Deshpande, Rajendra Komandur, Sriram Ramanathan, Matthew Terry, Matthew Trevathan, Sathyanarayana Vennapusala
  • Patent number: 10019247
    Abstract: Systems and methods for providing an application marketplace configured to install applications outside of an application store provided by the entity providing the operating system of a computing device in accordance with embodiments of the invention are illustrated. In one embodiment, a computing device includes a processor and a memory connected to the processor and storing an application installation application, wherein the application installation application directs the processor to obtain target information including data descriptive of the computing device, transmit a request for a set of recommended applications, where the request includes the target information, obtain recommended application data identifying at least one installation package targeted to the computing device based on the target information, and install the recommended application data on the computing device. In an additional embodiment, the recommended application data is signed using an OEM key.
    Type: Grant
    Filed: May 15, 2015
    Date of Patent: July 10, 2018
    Assignee: SweetLabs, Inc.
    Inventor: Adrian Bourke
  • Patent number: 9992194
    Abstract: A method including registering an authority device for an account on an auth platform; receiving transaction request from an initiator to the auth platform; messaging the authority device with the transaction request; receiving an authority agent response from the authority device to the auth platform; if the authority agent response confirms the transaction, communicating a confirmed transaction to the initiator; and if the authority agent response denies the transaction, communicating a denied transaction to the initiator.
    Type: Grant
    Filed: November 29, 2016
    Date of Patent: June 5, 2018
    Assignee: Duo Security, Inc.
    Inventors: Jon Oberheide, Douglas Song, Adam Goodman
  • Patent number: 9985972
    Abstract: The described technology provides a single sign-on capability so that a user who is already signed on to a web application from a client application may not be required to sign-on again when he/she later needs access to the web application from the same or another client application. The technology also provides a multiple login prevention capability to detect multiple sign-on events using the same credentials and disable one or more of the associated multiple sessions.
    Type: Grant
    Filed: November 3, 2016
    Date of Patent: May 29, 2018
    Assignee: Nasdaq, Inc.
    Inventor: Vladimir Mitevski
  • Patent number: 9967344
    Abstract: An image processing apparatus includes: a communication interface configured to communicate with at least one server and a relay device; a processor configured to execute functions; and a controller. The controller causes the image processing apparatus to: send the relay device identification information identifying the image processing apparatus; receive, from the relay device, setting information indicating which service is usable by the image processing apparatus identified by the transmitted identification information, among services provided by the at least one server; display at least one service image respectively identifying at least one usable service of the services based on the setting information; and limit selection of at least one of the functions, based on the setting information.
    Type: Grant
    Filed: March 27, 2015
    Date of Patent: May 8, 2018
    Assignee: Brother Kogyo Kabushiki Kaisha
    Inventor: Toyoshi Adachi
  • Patent number: 9954679
    Abstract: Disclosed are methods and systems for authenticating a key exchange between a first peer device and a second peer device. In an aspect, the first peer device sends federated login credentials of a user and a first identifier to a first federated login provider, receives a first authentication response from the first federated login provider, receives a second authentication response from the second peer device, authenticates the second authentication response with a second federated login provider, sends the first authentication response to the second peer device, receives an acknowledgment from the second peer device indicating that the second peer device has authenticated the first authentication response with the federated login provider, sends an acknowledgment to the second peer device indicating that the first peer device has authenticated the second authentication response, and authenticates the key exchange based on the acknowledgment from the second peer device.
    Type: Grant
    Filed: March 4, 2015
    Date of Patent: April 24, 2018
    Assignee: QUALCOMM Incorporated
    Inventors: Phil Tien Nguyen, Cameron Allen George McDonald, Gregory Burns
  • Patent number: 9953150
    Abstract: A processing method and system for identity authentication with a mobile terminal based on iris recognition is provided. The iris characteristic data of the user is encapsulated as iris identification data, which is further established as a unique identifier of the user for identity authentication. The mobile terminal compares the scanned iris characteristic data of the current user against the prestored iris identification data. When the iris characteristic data of the current user matches the prestored iris identification data, the mobile terminal is unlocked. Iris recognition is employed to verify the identity of the user, so as to control unlocking the mobile terminal and logging into the application.
    Type: Grant
    Filed: September 5, 2014
    Date of Patent: April 24, 2018
    Assignee: HUIZHOU TCL MOBILE COMMUNICATION CO., LTD.
    Inventor: Zhen Shi
  • Patent number: 9942217
    Abstract: Devices, systems, and methods for generating a secure token specific to an online service provider are provided. User account information of a user is transmitted to a token processor from an online service provider requesting a secure token generation. The token processor also receives exchange information for an exchange between the user and the online service provider. The token processor generates, based on the exchange information and the user account information, a secure token to be used for the exchange. The generated secure token is mapped to the online service provider and transmitted to the online service provider. The stored secure token is usable only at the mapped online service provider.
    Type: Grant
    Filed: June 3, 2015
    Date of Patent: April 10, 2018
    Assignee: AT&T INTELLECTUAL PROPERTY I, L.P.
    Inventor: Michael Gulledge
  • Patent number: 9936528
    Abstract: A device is disclosed which is programmed with an application or “app” to share bandwidth to and from multiple sources. In one embodiment, this uses a mobile device with a computer running a controlling program for operating functions of the mobile device, and an app that controls sharing of bandwidth from the mobile device, and obtaining shared bandwidth from another mobile device. Usage data is accumulated which indicates an amount of data received and shared from the one client.
    Type: Grant
    Filed: June 29, 2015
    Date of Patent: April 3, 2018
    Assignee: Tetherball Technology, LLC
    Inventors: Mohammad Adib, Akshat Bhat, Adam Syed, Benjamin Kwitek
  • Patent number: 9923875
    Abstract: A system and method for enabling access of content in a home network are provided. The method includes receiving a content on a source device. Further, the method includes setting content sharing preferences by the source device. The content sharing preferences indicate whether a device is authorized to access the content. The method includes encrypting the content on the source device. Further, the method includes storing the encrypted content in a shared storage device. The method includes receiving a request from a device for decryption of the encrypted content. Further, the method includes decrypting the content by the source device based on the content sharing preferences. Furthermore, the method includes providing the decrypted content to the device, thereby enabling access of the content to the device.
    Type: Grant
    Filed: December 2, 2015
    Date of Patent: March 20, 2018
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Bhaskar Dutta, Ashish Kumar Srivastava
  • Patent number: 9895613
    Abstract: A system and method for facilitating multigame currencies in multiple online games and security therewith is disclosed. The multigame currencies may be “spent” and/or “earned” by the players in the individual ones of the multiple online games. A request to use the multigame currencies in a given player account in a given online game may be authenticated through a third party identity that has been associated with the given player for the given online game. In situations where such an association does not exist, a third party identity associated with the given player for any other online game may be used to authenticate the request. In situations where no third party identity is associated with the given player for any one of the online games, an association of a third party identity and the given player for the given online game may be facilitated for subsequent authentication of requests.
    Type: Grant
    Filed: October 30, 2014
    Date of Patent: February 20, 2018
    Assignee: Aftershock Services, Inc.
    Inventors: Brian Holtz, Deniz Ipek, Dale Cook, Miikka Skaffari, Katherine Wiemelt
  • Patent number: 9892251
    Abstract: A mobile terminal includes: a display; and a controller. The controller puts at least one screen corresponding to the current display screen and having the same execution depth into standby, and when a predetermined trigger operation is performed, further displays on the display a screen chosen from the at least one screen by the trigger operation.
    Type: Grant
    Filed: March 7, 2014
    Date of Patent: February 13, 2018
    Assignee: LG ELECTRONICS INC.
    Inventor: Hyungbin Park
  • Patent number: 9887990
    Abstract: A computer-implemented method, computer program product, and system for tagging and replacing tagged credentials with target credentials unknown to a client. The method includes: receiving an access request from a client to access a protected resource on a target server, injecting credential field tags into a credential form used to access the protected resource, auto-submitting the credential form on the client computer, replacing tagged credentials with target credentials, submitting the target credentials to the target server, and updating the target credentials if the target credentials are invalid or expired without intervention by the client.
    Type: Grant
    Filed: April 25, 2016
    Date of Patent: February 6, 2018
    Assignee: International Business Machines Corporation
    Inventors: Codur S. Pranam, Vivek Shankar
  • Patent number: 9886309
    Abstract: A system, method and related data structures for discovering and describing computing resources available at various computing devices, and for exposing those resources as services that are addressable by software applications. The data describing the resources is arranged according to an identity-based schema. The computing resources may include, for example, storage capacity, bandwidth, processing power, input methods and mechanism, and rendering methods. The method and system are identity-based, whereby a user (with an identity) has access to the distributed resources commensurate with that identity.
    Type: Grant
    Filed: June 28, 2002
    Date of Patent: February 6, 2018
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: David Alles, George M. Moore
  • Patent number: 9887979
    Abstract: The disclosed computer-implemented method for enabling users to launch applications without entering authentication credentials may include (1) receiving, at a server that hosts an application that requests authentication credentials from users before allowing the users to access the application, a request from an endpoint device to download the application, the request including a user token that identifies a user of the endpoint device, (2) in response to receiving the request, authenticating the user token within the request, (3) creating an authenticated version of the application by adding, to the application, an indication that the user token has been authenticated, (4) distributing the authenticated version of the application to the endpoint device, where the endpoint device (A) identifies, within the authenticated version of the application, the indication that the user token has been authenticated and (B) launches the authenticated version of the application without requiring the user to enter authen
    Type: Grant
    Filed: December 15, 2015
    Date of Patent: February 6, 2018
    Assignee: Symantec Corporation
    Inventors: Sunil Pandita, Saurabh Agrawal, Prasad Agarmore
  • Patent number: 9872240
    Abstract: The present disclosure relates to new network device source entity triggered device configuration setup. Specifically, various techniques and systems are provided for efficient setup of an acquired device on a network using information generated by a new network device source entity. More specifically, exemplary embodiments of the present invention include methods and systems for receiving, at a computing device connected to an established network device on a network, an acquisition communication including an indication that a new network device has been acquired; transmitting data to the established network device, wherein the data includes identification information associated with the new network device; receiving a join query, wherein the join query includes a request to authorize the new network device to join a network; and transmitting a response to the join query, wherein the response includes an authorization for the new network device to join the network.
    Type: Grant
    Filed: March 7, 2017
    Date of Patent: January 16, 2018
    Assignee: BELKIN INTERNATIONAL INC.
    Inventors: Ryan Yong Kim, EuChong Son
  • Patent number: 9866890
    Abstract: Disclosed are a method and apparatus for providing a linking service between a vehicle AVN system and a smartphone based on a virtualization framework. An apparatus for providing a linking service between a vehicle audio video navigation (AVN) system and a smartphone, includes a host operating system for managing an operation and a state of a host process and AVN application, and managing hardware resources included in the apparatus for the host process and AVN application, a guest operating system for managing an operation and a state of a guest process/the smartphone linkage application, and a hypervisor for emulating the hardware resources according to a control signal of the host operating system to allocate a virtualized hardware resource to the guest operating system. Therefore, the present disclosure has an advantage of continuously providing an existing AVN function irrespective of an error of a function of linking a vehicle AVN system and a smartphone.
    Type: Grant
    Filed: January 15, 2016
    Date of Patent: January 9, 2018
    Assignee: Hyundai Motor Company
    Inventor: Seung Cheol Lee
  • Patent number: 9860234
    Abstract: A framework, which conforms to the OAuth standard, involves a generic OAuth authorization server that can be used by multiple resource servers in order to ensure that access to resources stored on those resource servers is limited to access to which the resource owner consents. Each resource server registers, with the OAuth authorization server, metadata for that resource server, indicating scopes that are recognized by the resource server. The OAuth authorization server refers to this metadata when requesting consent from a resource owner on behalf of a client application, so that the consent will be of an appropriate scope. The OAuth authorization server refers to this metadata when constructing an access token to provide to the client application for use in accessing the resources on the resource server. The OAuth authorization server uses this metadata to map issued access tokens to the scopes to which those access tokens grant access.
    Type: Grant
    Filed: June 30, 2017
    Date of Patent: January 2, 2018
    Assignee: Oracle International Corporation
    Inventors: Ajay Sondhi, Ching-Wen Chu, Venkata S. Evani
  • Patent number: 9838870
    Abstract: The disclosed apparatus may include (1) a reply-reception module, stored in memory, that receives, from a satellite device, an authentication reply that includes an original authentication message digitally signed by the aggregation device using a private key of the aggregation device and that is digitally signed by the satellite device using a private key of the satellite device, (2) a forwarding module, stored in memory, that forwards the authentication reply to a network management server, (3) a validation-reception module, stored in memory, that receives, from the network management server in response to forwarding the authentication reply, a validation message, and (4) an authentication module, stored in memory, that authenticates the satellite device based at least in part on receiving the validation message. Various other apparatuses, systems, and methods are also disclosed.
    Type: Grant
    Filed: March 25, 2015
    Date of Patent: December 5, 2017
    Assignee: Juniper Networks, Inc.
    Inventors: Ravindranath C Kanakarajan, Venkanna Thadishetty
  • Patent number: 9830436
    Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for managing access to public content are disclosed. In one aspect, a method includes receiving, at a user device, first content transmitted by a first system; in response to receiving the first content, generating, by the user device, a request for second content; transmitting the request for the second content to a second system; determining, by the user device, whether the second content has successfully loaded; and in response to determining that the second content has not been successfully loaded by the user device, executing code included as part of the first content to cause a display of main display content. Other embodiments of this aspect include corresponding systems, apparatus, and computer programs, configured to perform the actions of the methods, encoded on computer storage devices.
    Type: Grant
    Filed: August 19, 2014
    Date of Patent: November 28, 2017
    Assignee: Google Inc.
    Inventor: Liam Roche
  • Patent number: 9781093
    Abstract: The application relates in particular to a method for authentication of a secure electronic device (BNK_SRV) from a non-secured electronic device (PC, SP) comprising an input peripheral (KBD, MS, TS, CAM), an output peripheral (SCR, SPK, PRN) and a secure electronic circuit (TPM). The application also relates to a secure electronic circuit (TPM), a computer program and a storage medium arranged to implement such a method.
    Type: Grant
    Filed: September 24, 2015
    Date of Patent: October 3, 2017
    Assignee: Morpho
    Inventors: Damien Bucci, Dominique Sobczyk
  • Patent number: 9769159
    Abstract: Disclosed herein is a system and method for optimizing a cookie or token in a web service or other claims-based domain system. A user presents an identity token to the domain system, which verifies the identity claim as authentic and then determines what accounts the user has access to on the domain. The user is issued an intermediate token by the system which includes the locations of the accounts the user has access to. The user then selects the account they wish to interact with and receives back an account token for the specific account, including any of the privileges the user has on the account. The account token also includes information that the user has multiple accounts on the domain. The user is able to switch accounts on the domain system without having to revalidate their credentials to the domain system.
    Type: Grant
    Filed: December 14, 2012
    Date of Patent: September 19, 2017
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Ravi Bikkula, Michael Beyer, Karuna Koneru, Jeffrey Goldian
  • Patent number: 9760701
    Abstract: A system and method for bypassing secondary user authentication based at least in part on the detection of a whitelisting deviation from a user pattern are disclosed. In one implementation, the system includes a pattern determination module, a fraudulent login identifier module, a whitelisting deviation detection module and a user authentication generation module. The pattern determination module determines a user pattern. The fraudulent login identifier module identifies a potentially fraudulent login and triggers a secondary authentication challenge. The whitelisting deviation detection module compares user information to the user pattern and determines based on the comparison whether a whitelisting deviation from the user pattern has occurred.
    Type: Grant
    Filed: June 28, 2016
    Date of Patent: September 12, 2017
    Assignee: Google Inc.
    Inventor: Alon Altman
  • Patent number: 9749363
    Abstract: Application of enterprise policies to Web Real-Time Communications (WebRTC) interactive sessions using an enterprise Session Initiation Protocol (SIP) engine, and related methods, systems, and computer-readable media are disclosed. In one embodiment, a method comprises receiving, by a session token converter of an enterprise device, an incoming WebRTC session description token. The method comprises generating, by the session token converter, an outgoing SIP request message. The method comprises sending, by the session token converter, the outgoing SIP request message to an enterprise SIP engine and applying, by the enterprise SIP engine, enterprise policies based on the outgoing SIP request message. The method comprises, responsive to applying the enterprise policies, sending an incoming SIP request message to the enterprise device. The method comprises converting, by the session token converter, the incoming SIP request message into an outgoing WebRTC session description token, and sending the outgoing WebRTC session description token to a target device.
    Type: Grant
    Filed: April 17, 2014
    Date of Patent: August 29, 2017
    Assignee: Avaya Inc.
    Inventors: Mehmet Balasaygun, Joel Ezell, John H. Yoakum
  • Patent number: 9749398
    Abstract: A Cloud federator may be used to allow seamless and transparent access by a Cloud Client to Cloud services. Federation may be provided on various terms, including as a subscription based real-time online service to Cloud Clients. The Cloud federator may automatically and transparently effect communication between the Cloud Client and Clouds and desired services of the Clouds, and automatically perform identity federation. A Service Abstraction Layer (SAL) may be implemented to simplify Client communication, and Clouds/Cloud services may elect to support the SAL to facilitate federation of their services.
    Type: Grant
    Filed: December 29, 2014
    Date of Patent: August 29, 2017
    Assignee: Intel Corporation
    Inventor: Hong Li
  • Patent number: 9742750
    Abstract: In one embodiment, a user device may store state data for an application at an internet-accessible data storage 124 for access by other devices of the user. The target user device 140 may use an untrusted platform 142 to generate an access request 300 for an application state data set for a source application 114. The target user device 140 may send the access request 300 to the internet-accessible data storage 124. The target user device 140 may send an access credential 330 to the internet-accessible data storage 124.
    Type: Grant
    Filed: June 12, 2013
    Date of Patent: August 22, 2017
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Dare Obasanjo, Oded Shekel
  • Patent number: 9736153
    Abstract: Techniques to perform federated authentication are described. An apparatus may comprise a resource server having an authentication proxy component to perform authentication operations on behalf of a client. The authentication proxy component comprises an authentication handling module operative to receive an authentication request to authenticate the client using a basic authentication protocol. The authentication proxy component also comprises an authentication discovery module communicatively coupled to the authentication handling module, the authentication discovery module operative to discover an identity server for the client.
    Type: Grant
    Filed: June 27, 2008
    Date of Patent: August 15, 2017
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Paul McDaniel, Neil Shipp
  • Patent number: 9734321
    Abstract: An approach is provided for determining that a user has been authenticated for an access to at least one service using a federated identity (401). The approach also comprises determining federated account information associated with the user based, at least in part, on one or more user accounts associated with the federated identity, the at least one service, the at least one or more other services, or a combination thereof (403). The approach further comprises determining one or more functions of the at least one service, the at least one or more other services, or a combination thereof to make available to the user based, at least in part, on the federated account information (411).
    Type: Grant
    Filed: December 5, 2012
    Date of Patent: August 15, 2017
    Assignee: NOKIA TECHNOLOGIES OY
    Inventors: Zahid Ahmed, Peter Herbert, Henri Kujala
  • Patent number: 9720750
    Abstract: Examples of techniques for invoking a restricted access service through a representational state transfer (RESTful) interface are disclosed. In one example implementation according to aspects of the present disclosure, a method may include: receiving, at a web server, a RESTful application program interface (API) request to access a RESTful API from a user on a mobile device; determining whether the user is authorized to access the RESTful API using an authorization service; responsive to determining that the user is authorized to access the RESTful API, routing the RESTful API request from the web server to the restricted access service to process the request; receiving, by the web server, return data from the restricted access service after processing the request; and invoking a data transformer associated with the RESTful API to transform the return data into transformed data.
    Type: Grant
    Filed: September 23, 2016
    Date of Patent: August 1, 2017
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Robert M. Abrams, Victor G. Alonzo, Gisela C. Cheng, Kin Ng, Vaughn C. Page
  • Patent number: 9712422
    Abstract: Methods and apparatus are disclosed for enabling selection of a remote service node from a plurality of possible nodes, each capable of providing a service, and each associated with a service node control entity.
    Type: Grant
    Filed: March 16, 2012
    Date of Patent: July 18, 2017
    Assignee: British Telecommunications PLC
    Inventors: Trevor Burbridge, Andrea Soppera
  • Patent number: 9712327
    Abstract: The present invention relates to remote storage auditing. In another embodiment, a remote storage auditing system may include a first remote storage manager configured to be a data owner, a second remote storage manager configured to be a storage donor, and a remote storage auditor. The first remote storage manager sends a data block and a signed fingerprint for the data block to the second remote storage manager. The second remote storage manager verifies that the signed fingerprint is associated with the data block and stores the data block and signed fingerprint. The second remote storage manager calculates a fingerprint for a sub-block of the data block, and sends the fingerprint for the sub-block and signed fingerprint to the remote storage auditor. The remote storage auditor audits a sub-block of the data block and verifies the fingerprint for the sub-block and signed fingerprint.
    Type: Grant
    Filed: October 21, 2016
    Date of Patent: July 18, 2017
    Assignee: Google Inc.
    Inventor: Harlan Yu
  • Patent number: 9705813
    Abstract: Disclosed are various embodiments for controlling distribution of resources on a network. In one embodiment, a distribution service receives a request from a client device to access resources hosted by a distribution service. In response, the distribution service determines whether the client device is authorized to access the distribution service. The distribution service identifies which of the resources hosted by the distribution service are accessible to the client device based on the resource grouping identifiers associated with the client device. The distribution service determines which distribution rules are associated with the identified resources, the distribution rules including location rules and time rules.
    Type: Grant
    Filed: September 20, 2012
    Date of Patent: July 11, 2017
    Assignee: AirWatch, LLC
    Inventors: John Marshall, Erich Stuntebeck, Gopinath Jayaprakash, John Joseph Manton, Jonathan Blake Brannon
  • Patent number: 9692742
    Abstract: A system enables end user devices to receive audio announcements from third party cloud-based resources. For example, the system may include a first party cloud-based resource providing tokens to the third party cloud-based resource in order to prevent the third party cloud-based resource from causing audio announcements to be output by user devices without authorization. In some cases, the tokens may be time based and prevent the third party cloud-based resource from causing audio announcements to be output by user devices after a predefined amount of time. In other examples, the tokens may be use based and prevent the third party cloud-based resource from causing the user device to output more than a predetermined number of audio announcements.
    Type: Grant
    Filed: December 23, 2014
    Date of Patent: June 27, 2017
    Assignee: Amazon Technologies, Inc.
    Inventors: Peter Spalding VanLund, Nicolas Anton Medhurst Hertl, Peter Paul Henri Carbon, Vikram Kumar Gundeti
  • Patent number: 9690920
    Abstract: A secure database includes a catalog of information about one or more identity providers (IdPs) that are trusted by a service provider (SP) to authenticate users on the SP's behalf. The catalog securely stores one or more IdP configurations. An entry in the database stores information associated with the trusted IdP including artifacts to identify the IdP, artifacts used by the IdP for cryptographic operations, and a specification of one or more website(s) serviced by the trusted identity provider. Upon receipt by the SP of identity information representing a user that has authenticated to an IdP, information in the catalog of information is used to determine whether the IdP is trusted to authenticate the user on the service provider's behalf. The determination verifies that the SP uses the IdP and that a binding between an IdP identifier and at least one IdP cryptographic artifact is valid.
    Type: Grant
    Filed: August 30, 2012
    Date of Patent: June 27, 2017
    Assignee: International Business Machines Corporation
    Inventors: Jane B. Marcus, Alan D. Eldridge, David Scott Kern, Jr., Michael J. Kerrigan, Patrick Charles Mancuso, Robert John Paganetti
  • Patent number: 9686267
    Abstract: A client system associated with a user includes at least one hardware processor configured to initiate the following operations. A modified login page is received from a proxy hardware system. An asynchronous engine is loaded by a browser system executing on the client system and caused by a routine from the modified login page. A login process with an authentication profiling service is executed, using the asynchronous engine, to retrieve login information for a back-end server. The authentication process with the back-end server is completed using the asynchronous engine. The modified login page is generated by the proxy hardware system by adding the routine to a login page being sent from the back-end server to the browser.
    Type: Grant
    Filed: July 25, 2016
    Date of Patent: June 20, 2017
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Gianluca Gargaro, Gaetano Ruggiero, Patrizio Trinchini
  • Patent number: 9686265
    Abstract: Methods, articles of manufacture and apparatus are disclosed to facilitate single sign-on services. An example method includes monitoring web session activity for an indication of entry of first credentials, identifying an SSO framework associated with the device in response to detecting a context event indicative of web session termination, querying the SSO framework for second credentials associated with the web session, and configuring SSO services on the device when the second credentials are absent from the SSO framework.
    Type: Grant
    Filed: December 28, 2011
    Date of Patent: June 20, 2017
    Assignee: Intel Corporation
    Inventors: Aras Bilgen, James P. Ketrenos
  • Patent number: 9680823
    Abstract: A convenient login method, apparatus and system for automatically detecting and filling in a login field within a web environment or an application are disclosed herein. The convenient login system includes a client, a server, and a terminal. The client detects an ID/PW input field within a login page when a user accesses the login page, outputs a convenient login button, outputs an input box when the user clicks on the convenient login button, and automatically enters an ID/PW in the ID/PW input field. The server receives any one of the telephone number and ID information of the terminal from the client, sends a message to the terminal, receives the ID/PW from the terminal when the mobile program is run, and sends the ID/PW to the client. The terminal runs the mobile program, recombines a segmented and stored ID/PW, and sends the recombined ID/PW to the client via the server.
    Type: Grant
    Filed: June 3, 2015
    Date of Patent: June 13, 2017
    Assignee: INFOvine Co., Ltd.
    Inventors: Seung-Jun Kwon, Jae-Soo Kim, Jung-Tae Kim, Min-Ho Kim