Total found: 9594. Displayed: 200.

Publication date: 10-10-2007

COMPREHENSIVE, USER-ORIENTED NETWORK SECURITY PROVIDED BY DYNAMIC DATAGRAM SWITCHING AND AN ON-DEMAND AUTHENTICATION AND ENCRYPTION SCHEME VIA PORTABLE INTELLIGENT DATA CARRIERS

Number: RU2308080C2
Assignee: ГИРИТЕК А/С (DK)

The invention relates to secure data transmission and the provision of services in open or closed network settings. The technical result is increased reliability and flexibility of data transmission in the network. Secure, stable network connections and efficient network transactions among multiple users are supported by an open and distributed client-server architecture. A datagram scheme is adapted to provide dynamic datagram switching in support of multiple network applications and services. Mobile intelligent data carriers are provided that enable implementation of an authentication and encryption scheme. The intelligent data carriers are configured for targeted delivery of applications to authorized users. The authentication and encoding scheme in one embodiment is based on physical or performance biometrics. The methods and systems are intended for use in an enterprise network environment to support a wide range of business, research ...

Publication date: 12-05-2011

Method for secure interaction with a security element

Number: DE102009052389A1
Assignee:

In a method for secured interaction with a security module (200), which is integrated into a terminal (100), via an input device (180) of the terminal (100), the input device (180) is reserved by a security application (180) that is executable in a trusted area (130) of the terminal (100). Subsequently, first authentication data (PIN 1) are entered via the reserved input device (180). The security application (150) derives second authentication data (PIN 2) from the first authentication data (PIN 1) by means of secret data (144) stored in the trusted area (130). These (PIN 2) are then encrypted by the security application (150) and transmitted to the security module (200) and/or to a server. In the security module (200) and/or the server, the received, encrypted second authentication data (PIN 3) are finally decrypted.

Publication date: 06-04-2016

Distributed single sign-on

Number: GB0002530726A
Assignee:

A user computer (2, fig. 1) connects via a network (3, fig. 1) to verifier servers (4, fig. 1) and authentication servers (5, fig. 1). Respective cryptographic shares of password data, dependent on a predetermined user password, are provided at the authentication servers. A plurality of password data shares is needed to determine if the password matches a password attempt. Respective cryptographic shares of secret data, enabling determination of a username for a verifier server, are provided at the authentication servers. A plurality of secret data shares is needed to reconstruct the secret data. The user computer communicates 32, via the network, with a minimum threshold number of the authentication servers and the password data shares of those servers are used to determine if 33 the user password matches an input password attempt 31. If so, the user computer receives 35 secret data shares from respective authentication servers. On receipt of said shares, the user computer reconstructs ...

Publication date: 22-05-2002

Secure mutual authentication system

Number: GB0000208425D0
Author:
Assignee:

Publication date: 18-10-2006

A security analysis method

Number: GB0000617836D0
Author:
Assignee:

Publication date: 10-11-2004

System, method and apparatus for federated single sign-on services

Number: GB0002401509A
Assignee:

The advent of new and sophisticated web services provided by Service Providers to users, services that individually require authentication of users and authorization of access, brings the need for a new service to facilitate such authentication and access, a service referred to as Single Sign-On (SSO). The basic principle behind SSO is that users are authenticated once at a particular level, and then access all their subscribed services accepting that level of authentication. The present invention provides a system, method and apparatus wherein a cellular Federation of mobile network operators becomes an SSO authentication authority for subscribers of this Federation accessing Service Providers having such agreement with a mobile network operator of the Federation. In accordance with this invention, mobile network operators can leverage their operator-subscriber trust relationship in order to act as SSO authentication authority for those subscribers accessing Service Providers in a service ...

Publication date: 14-05-2014

Obtaining Password Data

Number: GB0002507815A
Assignee:

Obtaining password data for entry to an application running on a device comprises running a password manager application on a device, the password manager application identifying one or more applications installed on the device, displaying the identified applications on a display of the device and receiving a user selection of a displayed application. The password manager application then determines whether an entry exists for the selected application in a memory associated with the password manager application. If no entry exists, the password manager application generates an entry comprising password data for the selected application, which may comprise default password data; if an entry exists, the password manager application retrieves password data relating to the selected application. The password manager may copy the generated or retrieved password data to a clipboard for pasting into the selected application or the password manager application may enter the password data into ...

Publication date: 26-10-2005

A security analysis method

Number: GB0000518935D0
Author:
Assignee:

Publication date: 11-08-2004

System, method and apparatus for federated single sign-on services

Number: GB0000415391D0
Author:
Assignee:

Publication date: 15-01-2008

FLEXIBLE PROCEDURE FOR USER AUTHENTICATION FOR A PASSWORD-BASED SYSTEM

Number: AT0000381736T
Assignee:

Publication date: 19-03-2020

RDP proxy support in presence of RDP server farm with session directory or broker

Number: AU2018330053A1

Described embodiments provide systems and methods for connecting to a server of a plurality of servers. The system may include a device intermediary between a client and a plurality of servers. The device may receive a remote desktop protocol (RDP) request from the client to connect to one of the plurality of servers. The RDP request may include a token. The device may cause a load-balancer of the plurality of servers to modify or remove the token of the RDP request, responsive to presence of a session directory/broker. The device may receive a server redirect packet that indicates a target server identified from the plurality of servers by the session directory, to which the client is to connect. The device may cause the server redirect packet to be modified to cause the client to send a redirected connection request packet for connecting with the target server.

Publication date: 02-01-2001

Method for directly accessing a communication network site such as internet, provided with access protecting means

Number: AU0004150299A
Assignee:

Publication date: 22-06-2021

METHOD FOR OAUTH SERVICE THROUGH BLOCKCHAIN NETWORK, AND DEVICE AND SERVER USING THE SAME

Number: CA3038450C
Assignee: COINPLUG INC, COINPLUG, INC.

A method for authentication based on a blockchain network is provided. The method includes steps of: an authentication-supporting server (a) if verification is requested by a certificate authority (CA) app, verifying a signature value and transmitting an access token to a user device, supporting the CA-affiliate app to transmit a login request to a CA-affiliate server, and registering the access token in the blockchain network, and transmitting a verification request to the blockchain network to transmit the access token to the authentication-supporting server, and register the access token in the blockchain network, and transmitting the access token to the user device, and transmit the login request to the CA-affiliate server, and (b) performing one of (i) verifying the access token, and (ii) transmitting the verification request to the blockchain network, and transmitting a verification-result to the CA-affiliate server, to allow the CA-affiliate app to log in to the CA-affiliate server ...

Publication date: 14-12-2017

TENANT-AWARE DISTRIBUTED APPLICATION AUTHENTICATION

Number: CA0003025198A1
Assignee:

Flexible authentication technologies customized to particular tenants of a data center network can be implemented. For example, an administrator can specify a primary authentication server and specify at which data centers different applications are to be hosted for a given tenant. End users can be shielded from the complexities of implementing such configuration details. For example, single sign-on authentication can be implemented, even when applications are configured to be hosted in different data centers. Enterprise tenants can thus control where applications are hosted and enforce data containment scenarios without encumbering users with additional tasks. Collaboration and application-to-application authentication can be achieved.

Publication date: 26-01-2009

SYSTEM AND METHOD FOR A SINGLE SIGN-ON PASSWORD MANAGER

Number: CA0002638417A1
Author: GON, MAYUKH, GON MAYUKH
Assignee:

Publication date: 24-11-2011

SYSTEM AND METHOD FOR PROTECTING ACCESS TO AUTHENTICATION SYSTEMS

Number: CA0002799936A1
Assignee:

A system and method for protecting access to authentication systems. A mediator may accept original authentication credentials from a client, may process the authentication credentials to provide processed authentication credentials and may forward the processed authentication credentials to an authentication system. Processing original authentication credentials may include encrypting at least one portion of original authentication credentials.

Publication date: 28-12-1999

PROCESS FOR AUTHENTIFYING A USER WORKING IN AN ENVIRONMENT DISTRIBUTED IN A CLIENT-SERVER MODE

Number: CA0002190690C
Assignee:

The present invention relates to a method for authenticating a user working in a distributed environment in client/server mode. This authentication method is notable in that each authentication is performed from a single piece of authentication information to be memorized, the "passphrase", of determined length and period of use (a function of a count value), whether in a one-time-password (OTP) system integrated with a Kerberos system or in a one-time-password (OTP) system used alone. According to an important feature, the present method can be used from a trusted terminal or from any terminal. Also according to the invention, a technique is proposed that makes it possible to re-initialize the "passphrase" at the end of its period of use securely, even in the event of active interception, whether in an OTP system integrated with a Kerberos system ...

Publication date: 20-08-2014

Distributed encryption system

Number: CN0203786722U
Assignee:

Publication date: 26-10-2016

Method for providing authorized access to a service application in order to use a protected resource of an end user

Number: CN0103460215B
Author:
Assignee:

Publication date: 21-07-2017

REINFORCED SINGLE AUTHENTICATION METHOD

Number: FR0003017731B1
Assignee: EVIDIAN

Publication date: 23-05-1997

METHOD OF AUTHENTICATION OF A USER WORKING IN A DISTRIBUTED ENVIRONMENT IN CLIENT/SERVER MODE

Number: FR0002741465A1
Author: PINKAS DENIS
Assignee:

The present invention relates to a method for authenticating a user working in a distributed environment in client/server mode. This authentication method is notable in that each authentication is performed from a single piece of authentication information to be memorized, the "passphrase", of determined length and period of use (a function of a count value), whether in a one-time-password (OTP) system integrated with a Kerberos system or in a one-time-password (OTP) system used alone. According to an important feature, the present method can be used from a trusted terminal or from any terminal. Also according to the invention, a technique is proposed that makes it possible to re-initialize the "passphrase" at the end of its period of use securely, even in the event of active interception, whether in an OTP system integrated with a Kerberos system ...

Publication date: 23-12-2014

SYSTEM, METHOD AND PROGRAM PRODUCT FOR CONSOLIDATED AUTHENTICATION

Number: KR0101475983B1
Author:
Assignee:

Publication date: 01-02-2019

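Single sign-on automatic login method using the login authentication result of a computer operating system, and computer-readable storage medium applying the same

Number: KR0101944698B1
Author: 방학재
Assignee: (주) 시큐어가드테크놀러지

... A single sign-on automatic login method using the login authentication result of a computer operating system is disclosed. The single sign-on automatic login method using the login authentication result of a computer operating system includes: performing, by an operating system login authentication module, an authentication procedure for a login command of the computer operating system for a specific ID; and, when the validity of the authentication procedure is verified, connecting, by the operating system login authentication module, to an SSO (Single Sign On) authentication server and performing an automatic login command for the specific ID. As a result, the authentication procedure for starting the computer operating system alone is enough for the user to be automatically logged in to the groupware configured for the user's ID, without the inconvenience of performing the authentication procedure for starting the computer operating system, then running an application and performing an authentication procedure again, which promotes user convenience.

Publication date: 04-12-2018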

METHOD EMPLOYED IN USER AUTHENTICATION SYSTEM AND INFORMATION PROCESSING APPARATUS INCLUDED IN USER AUTHENTICATION SYSTEM

Number: KR1020180128854A
Author: FUNAYAMA HIROTAKA
Assignee:

The present disclosure provides a system in which a migration operation which is different from a normal registration operation performed on a system is started in either a terminal before replacement or a terminal after the replacement, so that a registration operation performed on the terminal after the replacement is easily completed only by causing a user to consecutively perform an authentication operation on both of the terminals. COPYRIGHT KIPO 2019 (121) Migration terminal (122) Migration destination terminal (AA) Cooperation service (BB) Process loop in a data migration (S801) Obtain migration information (S802) Access on a migration destination URL (S803) Generate an authentication parameter (S804) Transmit an authentication parameter (S810) Process a selection of a migration terminal (S811) Request an authentication (S812) Process an authentication using biometric information (S813) Return an assertion (S814) Transmit an assertion (S815) Verify a signature (S820) Generate a registration ...

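Publication date: 23-05-2018

Systems and methods for enabling a lock screen of an electronic device

Number: KR1020180053759A
Assignee:

... A method (100) of enabling a lock screen of an electronic device (10), operating the electronic device (10) including an electronic processor (12) and a display screen (18), is disclosed. The method (100) includes receiving, by the electronic processor (12), a request to unlock the electronic device (10). The method (100) further includes determining, by the electronic processor (12), an authentication state for the electronic device (10). The method (100) further includes determining, by the electronic processor (12), a lock screen authentication mode based on the authentication state, and displaying, on the display screen (18), a lock screen including the lock screen authentication mode. The electronic device (10) includes the display screen (18) and the electronic processor (12). The electronic processor (12) is configured to receive a request to unlock the electronic device (10). The electronic processor (12) is further configured to determine an authentication state for the electronic device (10), determine a lock screen authentication mode based on the authentication state, and display, on the display screen (18), a lock screen including the lock screen authentication mode.

Publication date: 07-08-2014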

METHOD FOR PRODUCING A SOFT TOKEN

Number: KR1020140098264A
Author:
Assignee:

Publication date: 26-05-2016

OPTIMIZED TOKEN-BASED PROXY AUTHENTICATION

Number: WO2016081254A1
Assignee:

Methods, systems, apparatuses, and computer program products are provided for authentication of users in a service-to-service context. At a first service, a user authentication token is received from a client device that was obtained from an identity provider. The user authentication token was received to enable access to the first service by a user. The user is authenticated based on the user authentication token. A second service is determined to be needed to be accessed by the first service on behalf of the user. The user authentication token is converted into a proxy token that is not convertible back to the user authentication token. The proxy token is forwarded from the first service to the second service to enable access to the second service. A response is received by the first service from the second service due to the user having been authenticated based on the proxy token.

Publication date: 20-12-2018

CROSS CLOUD TENANT DISCOVERY

Number: WO2018231530A1
Assignee:

A computer-implemented method for a security endpoint of a non-isolated computing environment includes receiving a request related to a non-isolated application. The method includes querying a directory service according to a domain name of a user specified in the request. The directory service stores a mapping between domain names and computing environments, including isolated computing environments and the non-isolated computing environment. The method includes receiving, from the directory service, an indication of a first computing environment. The method includes generating and sending a response to allow the user to be authenticated to the application. In response to the first computing environment being the non-isolated computing environments, the response indicates that the user belongs to the non-isolated computing environment. In response to the first computing environment being one of the isolated computing environments, the response indicates that the user does not belong to ...

Publication date: 26-03-2015

WEB-BASED INTERFACE INTEGRATION FOR SINGLE SIGN-ON

Number: US20150089619A1
Assignee:

Web-based single sign-on can enable a user to log in to a single interface (such as through a web browser or thin client) and then provide SSO services to the user for one or more web applications. The web-based SSO system can be extended to support one or more different access control methods, such as form-fill, Federated (OIF), SSO Protected (OAM), and other policies. The web-based SSO system can include a user interface through which the user can access different web applications, systems, etc. and manage their credentials. Each SSO service can be associated with a web interface allowing the SSO services to be accessed over the web. The web interfaces can provide CRUD (create, read, update, delete) functionality for each SSO service. To support different access policy types, the web-based SSO system can include an extensible data manager that can manage data access to different types of repositories transparently.

Publication date: 23-05-2017

Reset and recovery of managed security credentials

Number: US0009660982B2
Assignee: Amazon Technologies, Inc., AMAZON TECH INC

Disclosed are various embodiments for management functions relating to security credentials. Account data, which includes multiple security credentials for multiple network sites for a user, is stored in an encrypted form. A request to temporarily change the account data is obtained from a client. The request specifies a master security credential for accessing the account data. In response to the request, the multiple security credentials for the account data are changed to a single temporary security credential, as specified by a user. After an expiration period expires, the multiple security credentials are automatically reset to a plurality of different security credentials.

Publication date: 30-09-2014

Controlling access to a process using a separate hardware device

Number: US0008850558B2

A method and apparatus for automatic user authentication are described. The method includes receiving information at a device, the device including a credential container; storing the information at the credential container and performing cryptographic calculations on the received information and providing the encrypted information upon request.

Publication date: 06-11-2018

Passporting credentials between a mobile app and a web browser

Number: US0010122698B2
Assignee: PAYPAL, INC., PAYPAL INC

Systems and methods for passporting credentials provide a mechanism by which a native app on a client device can invoke a service provider's core web site web addresses (URL) while keeping the existing session active and shared between the two experiences (native app and web flow) so that the end user does not need to re-login at each context switch. The mechanism can include a unique way for the web flow context to communicate conditions and pass control back to the native app context of the shared session.

Publication date: 10-05-2016

System and method for a single request and single response authentication protocol

Number: US0009338166B2

Various embodiments of a system and method for a single request and single response authentication protocol are described. A client may send to an authentication server a request to authenticate the identity of a user attempting to access an electronic document protected by a rights management policy. The single request may be generated according to rights management configuration information included within the document. Such rights management information may include one or more parameters for requesting authentication from an authentication server. In response to the request, an authentication server may send a single response to the client. The single response may include information indicating that the identity is authenticated (e.g., a license to access the document, or an encryption key to decrypt the document). The client system may be configured to, in response to the single response, provide access to the document according to the rights management policy.

Publication date: 31-01-2006

Method and apparatus for remotely accessing a password-protected service in a data communication system

Number: US0006993666B1
Assignee: Sonera Oyj, SONERA OYJ

A procedure and a data communication system in which a service provider provides to a remote user of a service a set of expendable passwords for use by the user in accessing the service via a telecommunication and/or data network. The user's terminal device is provided with means for automatically transmitting a password at log-on to the service, and a server to which the terminal device sets up a connection includes means for identifying the password and for allowing or denying access to the service on the basis of the supplied password. The terminal device further includes means for storing a set of passwords and for selecting, at log-on to a predetermined service, the correct password from the stored set of passwords for automatic addition of the password to a connection setup signal transmitted from the terminal device to the server.

Publication date: 26-07-2016

Establishing and maintaining an improved single sign-on (SSO) facility

Number: US0009401910B2

A backend server system includes at least one hardware processor configured to initiate and/or perform the following. A login page is sent to a browser executing on a client associated with a user; and an authentication process is performed with the client. The login page is intercepted by a proxy, and a modified login page is generated by the proxy by adding a routine to the login page. The modified login page is forwarded to the browser, and the routine causes the browser to load an asynchronous engine configured to execute a login process with an authentication profiling service to retrieve login information for the back-end server, and complete the authentication process.

Publication date: 20-09-2016

Secure data parser method and system

Number: US0009449180B2

The present invention provides a method and system for securing sensitive data from unauthorized access or use. The method and system of the present invention is useful in a wide variety of settings, including commercial settings generally available to the public which may be extremely large or small with respect to the number of users. The method and system of the present invention is also useful in a more private setting, such as with a corporation or governmental agency, as well as between corporation, governmental agencies or any other entity.

Publication date: 23-08-2016

Systems and methods for logging into an application on a second domain from a first domain in a multi-tenant database system environment

Number: US0009426142B2

A system and method for logging into an application across separate domains in a multi-tenant database environment is provided. The method may include receiving, by a server associated with a first domain, a substitute user request from a user of the first domain, the substitute user request including a request for the user of the first domain to become a user on a second domain, posting, to a server associated with the second domain, the substitute user request, and posting, by the server associated with the second domain, a new session identification allowing the user of the first domain to login to an application on the second domain.

Publication date: 17-03-2021

METHOD AND DEVICE FOR AUTHENTICATING LOGIN

Number: EP3554034B8
Author: FU, Xiaozhen
Assignee: Advanced New Technologies Co., Ltd.

Publication date: 10-04-2019

TENANT-AWARE DISTRIBUTED APPLICATION AUTHENTICATION

Number: EP3466028A1
Assignee:

Publication date: 03-03-2021

AUTO-FORM FILL BASED WEBSITE AUTHENTICATION

Number: EP3785408A1
Assignee:

Publication date: 04-01-2023

DECENTRALIZED IDENTIFICATION ANCHORED BY DECENTRALIZED IDENTIFIERS

Number: EP4111662A1
Assignee:

Publication date: 19-09-2012

Number: JP0005029701B2
Author:
Assignee:

Publication date: 16-04-2014

Number: JP0005471632B2
Author:
Assignee:

Publication date: 16-08-2001

Additional server connected into network with service provider server and user computer for data transmission includes recording, authentication and proxy protocol

Number: DE0019959639A1
Assignee:

The inventive server (3) includes a recorder for information transmitted to it from the server (2) of the service provider when the data is called up. Authentication is carried out for the operator of the user computer (1). Testing is carried out electronically to authorize the user, assisted by stored release information. A unit calls up the volume of data from the service provider server accordingly. A temporary connection address is provided, linked as the data volume address, for rewriting to the user computer (1).

Publication date: 29-05-2008

Method for authenticating a subscriber in a distributed client/server network environment

Number: DE0069637505D1
Assignee: BULL SAS, BULL S.A.S.

Publication date: 28-08-2002

Sharing user names across multiple services

Number: GB0000217052D0
Author:
Assignee:

Publication date: 16-07-2003

Transferring user authentication for first to second web site

Number: GB0002384069A
Assignee:

A customer is authenticated by a first web site which is one of a number of partner web sites. Should the customer initiate a transfer to a second web site of the partner web sites then an authentication message is prepared and sent with the transfer relocation so that if the customer has been registered at the second web site before they will not have to enter their login details again. If however the customer has not visited the second web site before they will be directed to log in. The authentication message can include a source identifier 202, a date/time stamp 204 and encrypted text 208 containing a customer pseudonym 210, key 212, transaction ID 214 and authenticated data 216. The authentication message may also include the first web site URL 206 so that the customer may be returned when the transaction at the second web site is complete.

Publication date: 06-10-2021

Digital Security Management Platform

Number: GB2553988B

Publication date: 21-03-2018

Platform for generation of passwords and/or email addresses

Number: GB0002553988A
Assignee:

A password and/or email address management platform configured to regenerate a previously generated password for a given web domain or digital system without permanently storing the previously generated password. The platform can operate without maintaining a permanent store or list of other user- related information, e.g. a list of web domains or systems for which passwords have been generated. In an embodiment, the platform performs the steps of concatenating a plurality of password input data elements into a requested phantom password input data string, applying a hashing algorithm to the requested phantom password input data string to generate a phantom password hash, applying a hash-to-string function to convert the phantom password hash to a phantom password, and purging the password generation system of the phantom password after it is notified to a user.

Publication date: 15-03-2010

SECURE IDENTITY ADMINISTRATION

Number: AT0000459930T
Assignee:

Publication date: 15-09-2007

PROCEDURE AND SYSTEM FOR THE WEB-BASED CROSS DOMAIN AUTHORIZATION WITH UNIQUE REGISTRATION

Number: AT0000370458T
Assignee:

Publication date: 30-06-2004

A SYSTEM AND METHOD FOR CONSOLIDATION OF USER DIRECTORIES

Number: AU2003302848A1
Author: ONG PENG T, PENG T ONG
Assignee:

Publication date: 21-05-2002

Method and system for web-based cross-domain single-sign-on authentication

Number: AU0001234502A
Assignee:

Publication date: 06-09-1999

System and method for executing a request from a client application

Number: AU0003299299A
Assignee:

Publication date: 10-12-2015

System and method for protecting access to authentication systems

Number: AU2015258292A1
Assignee:

A system and method for protecting access to authentication systems. A mediator may accept original authentication credentials from a client, may process the authentication credentials to provide processed authentication credentials and may forward the processed authentication credentials to an authentication system. Processing original authentication credentials may include encrypting at least one portion of original authentication credentials.

Publication date: 08-01-2015

METHOD AND SYSTEM RELATED TO AUTHENTICATION OF USERS FOR ACCESSING DATA NETWORKS

Номер: CA0002917453A1
Принадлежит:

The present invention relates to a system and method for authenticating a user that requests access to services of a computer network, comprising using a unique communication address for authentication and identification.

Publication date: 19-08-1999

SYSTEM AND METHOD FOR EXECUTING A REQUEST FROM A CLIENT APPLICATION

Number: CA0002262322A1

A system and method are provided for executing a request from a client application. Unlike conventional networks in which a client application transmits several data access transactions to several server applications, the client application of these preferred embodiments merely sends a single request to a gateway application, which converts the request into appropriate data access transactions. The preferred embodiments provide the advantage of allowing a client application to communicate with a plurality of server applications without knowing the server application's format or syntax requirements. Further, unlike environments in which a client application compiles data received from each contacted server application, in the environment of the preferred embodiments, the client application is presented with a single integrated response.

Publication date: 31-05-2019

A method for integrating Linux and Windows operating systems to unify user authentication

Number: CN0109829284A

Publication date: 21-01-2020

Number: CN0110719298A

Publication date: 12-06-2020

Unified login authentication development and maintenance integration system and login authentication method thereof

Number: CN0111274569A

Publication date: 27-06-2017

Mobile application integration system of intelligent terminal and method thereof

Number: CN0106899628A
Author: JI LING, LIU ZHIYONG

Publication date: 25-08-2023

Small program login method and device and related equipment

Number: CN116644404A

The invention provides an applet login method and device, electronic equipment and a computer readable storage medium, and the applet login method can comprise the steps: displaying a login page of a first applet in a first application program logged in by a target account, the login page comprising a login request control; jumping to a second applet in response to a triggering operation for the login request control; displaying at least one associated account associated with the target account through the second applet, wherein the at least one associated account comprises the target associated account; and in response to a trigger operation for the target associated account, jumping back to the first applet so as to log in the first applet through the target associated account. According to the embodiment of the invention, the first applet in the first application program can be logged in by using the associated account of the login account of the first application program, so that relevant ...

Publication date: 16-05-2023

Real-time electrostatic monitoring system and method based on EPA environment

Number: CN116132469A

The invention discloses a real-time electrostatic monitoring system and method based on an EPA environment. The system comprises an EPA intelligent electrostatic protection platform. According to the real-time electrostatic monitoring system and method based on the EPA environment, an EPA intelligent electrostatic protection platform comprises equipment access, equipment management and control, real-time data application, data management application, a management center and public service, and an interconnected, safe and compatible EPA intelligent electrostatic protection monitoring platform is designed and built at present. The electrostatic protection intelligent Internet of Things system integrates equipment Internet of Things, monitoring and early warning, unified management, visualization and intelligence. A real-time intelligent static monitoring and protection system is formed by distributed terminal monitoring equipment, station workshops, personnel, environments, the internet and ...

Publication date: 25-09-2009

SYSTEM AND PROCESS OF SECURITY USING A SAFETY DEVICE

Number: FR0002917868B1
Assignee: CASSIDIAN SAS

Publication date: 26-04-2013

DEVICE OF MANAGEMENT OF ACCOUNTS USERS READY TO COOPERATE WITH A SINGLE DEVICE OF SIGNATURE

Number: FR0002964813B1
Assignee: EVIDIAN

Publication date: 26-12-2008

SYSTEM AND PROCESS OF SECURITY USING A SAFETY DEVICE

Number: FR0002917868A1

A system (1) for securing a data processing application, said system comprising: - first means (2) for interfacing with a security device (3); - second means (4) for interfacing with the user; - third means (6) for interfacing with the application, adapted to intercept any request to use said security device coming from said application and addressed to said security device; - authentication means (8) connected to the first and second interface means, adapted to authenticate the user as a legitimate user of the security device by requesting at least one secret; - means (10) for storing the result of the authentication; - validation means connected to the storage means and to the first and third interface means, adapted to authorize any request coming from the application and addressed to said security device if and only if the user is ...

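Publication date: 17-02-2017

Enhanced selective wipe technique for compromised devices

Number: KR1020170018321A

... Disclosed herein are systems, methods, and software that improve selective wipe techniques and operations. In one implementation, an application initiates a request to authenticate a user with respect to the application. In some situations, the application receives a response to the request that includes a selective wipe instruction. Thereafter, the application receives such a response, and the application selectively wipes data associated with the application.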

Publication date: 02-06-2016

SERVER SYSTEM AND METHOD FOR CONTROLLING MULTIPLE SERVICE SYSTEMS

Number: WO2016084822A1

Each of one or more information element groups pertaining to each user in management information held by a server system (C(j)) includes mID (an identification that is shared between C(j) and a service system (Si(j)), and that is different for each of the users). C(j) receives a request from a user terminal. C(j) specifies, on the basis of the received request, one or more mIDs, each corresponding to one or more service systems, from the management information with regard to the user of the user terminal. C(j) transmits, to each of one or more Si(j), a request in which the mID that corresponds to the Si(j) among the specified one or more mIDs and the specifics of control for the Si(j) are correlated.

Publication date: 28-05-2020

DUAL FACTOR AUTHENTICATION WITH ACTIVE DIRECTORY AND ONE TIME PASSWORD TOKEN COMBINATION

Number: WO2020106407A1

Aspects described herein may utilize self-federation in a plugin-based authentication system to support combinations of authentication processes. The authentication system may include a plugin that executes an authentication process that is a combination of two or more other authentication processes. This plugin may handle the combined authentication process by self-federating back to the authentication interface, generating its own authentication requests under each of the subsidiary authentication processes. Thus, the self-federating plugin corresponding to the combined authentication process may allow the authentication system to support authentication requests that indicate the combined authentication process. This chained authentication process, accomplished through self-federation, may allow the authentication system to reuse existing code paths and avoid downsides associated with duplication of code.

Publication date: 14-05-2015

AUTHENTICATION SYSTEM, METHOD, AND PROGRAM

Number: WO2015068694A1

An authentication system in an embodiment is provided with a service-provider device, an IDaaS-operator device, and a delegated-authentication device. On the basis of a user ID and an SSO request transmitted by a user terminal, the delegated-authentication device, which has authentication account information associated via a second linking ID with SSO account information containing an SSO account identifier that matches the aforementioned user ID, performs a user authentication process. If said authentication process succeeds, the IDaaS-operator device, which has SSO account information containing an SSO account identifier that matches the user ID, authorizes SSO authentication of a service corresponding to a service-account identifier included in service-account information associated via a first linking ID with the abovementioned SSO account information. The service-provider device transmits information related to said service to the user terminal.

Publication date: 28-06-2018

METHODS AND SYSTEMS FOR SECURELY EMBEDDING DASHBOARDS INTO A CONTENT MANAGEMENT SYSTEM

Number: WO2018117970A1
Author: DUNNE, Anthony

In an illustrative embodiment, systems and methods for secure access to dynamic analytics content include receiving a request for analytics information from a user at a computing device, confirming the user's access rights, embedding access credentials within a resource link for accessing the visualization content, and supplying the resource link to the user's computing device for use in obtaining the analytics information, where, upon the computing device following the resource link, the access credentials are confirmed and visualization content is provided to the user.

Publication date: 15-12-2016

METHOD AND APPARATUS FOR MANAGING NOTIFICATION INFORMATION

Number: WO2016197851A1
Author: ZHENG, Xin

Disclosed are a method and apparatus for managing notification information. The method comprises the following steps: acquiring, by a user terminal, a type of an operation currently performed on a browser; acquiring, by the user terminal, information about an operation currently performed on a browser page; transmitting, by the user terminal, the information about the operation to a server corresponding to a current browser page so as to cause the server to return, according to the information about the operation, corresponding response information to the user terminal; and processing accordingly, by the user terminal, and according to the type of the operation currently performed on the browser, the response information received. The invention solves problems relating to webpage information security and webpage rendering operation affected. The invention also solves information control problems, such as ineffective monitoring, management and indication of information, caused by a heavy ...

Publication date: 22-09-2015

Method and system for secure binding register name identifier profile

Number: US0009143502B2

A method, a system, an apparatus, and a computer program product are presented for improving a register name identifier profile within a federated computing environment such that the register name identifier profile is enhanced to be more securely binding between two federated entities within the federated computing environment, such as an identity provider and a service provider. After the first federated entity sends a register name identifier request for a principal to the second federated entity, the second federated entity performs an authentication operation for the principal. In response to successfully completing the authentication operation, the second federated entity registers or modifies a name identifier for the principal that has been extracted from the received register name identifier request.

Publication date: 07-07-2020

Method and associated processor for authentication

Number: US0010708267B2
Assignee: MEDIATEK INC., MEDIATEK INC, MEDIATEK Inc.

The present invention provides method and associated processor for authentication, e.g., log-in, with a remote application server by the processor of a user equipment, including: by the processor, achieving a bootstrapping authorization with a remote operator, obtaining a username and a password for logging in the remote application server according to the bootstrapping authorization, composing a log-in message according to the username and the password, and sending the log-in message to the remote application server.

Publication date: 24-07-2018

Centralized mobile application management system and methods of use

Number: US0010033763B2
Assignee: Kony INC., KONY INC, KONY, INC.

An application launcher is disclosed for retrieving and permitting launch of multiple mobile applications through a single, secure authentication process, and a method of use. The method includes receiving a request to launch one or more applications through a single authentication process. The method further includes authenticating a user through an application launcher. The method further includes appending a security token to one or more applications upon authentication of the user to enable the user to launch the one or more applications through the single authentication process provided by the application launcher.

Publication date: 21-11-2017

Information processing terminal and control method

Number: US0009826036B2

In the present invention, as functions of a web browser, the web browser extracts, among local storage data stored in a storage area, local storage data as a deletion candidate according to one or more conditions, and deletes the local storage data extracted as the deletion candidate from the storage area.

Publication date: 03-12-2015

CONFIGURING IDENTITY FEDERATION CONFIGURATION

Number: US20150347742A1

A method and apparatus for configuring identity federation configuration. The method includes: acquiring a set of identity federation configuration properties of a first computing system and a set of identity federation configuration properties of a second computing system; identifying one or more pairs of associated properties in the first and the second sets, where the pairs of associated properties include one property from each set of identity federation configuration; displaying properties that need to be configured manually from each set of identity federation configuration properties, where the properties that need to be configured manually do not include the property in any pair of associated properties for which the value can be derived from the value of another property in the pair; automatically assigning a property that can be derived from the value of another property; and providing each computing system with each set of identity federation properties.

Publication date: 28-11-2017

Single login procedure for accessing social network information across multiple external systems

Number: US0009832181B2
Assignee: Facebook, Inc., FACEBOOK INC

A social networking system contains information describing users of the social network and various connections among the users. A user can access multiple external systems that communicate with the social networking system to access information about the users of the social networking system. Login status of the user account on the social networking system is maintained. If the login status of the user account on the social networking system indicates that the user is not logged in, the user is required to provide authentication information. If the login status of the user account indicates that the user is logged in, social network information is provided to the user via an external system, subject to the privacy settings of users of the social networking system. If the user logs out from an external system, the user is also logged out from the social networking system.

Publication date: 20-09-2016

Information processing apparatus and method, and non-transitory computer readable medium for permitting execution of an instruction in a case where first biometric information and second biometric information are different

Number: US0009449161B2
Assignee: FUJI XEROX CO., LTD., FUJI XEROX CO LTD

An information processing apparatus includes an instruction accepting unit, an obtaining unit, an extraction unit, a determination unit, and a permission unit. The instruction accepting unit is configured to accept an instruction from a user. The obtaining unit is configured to obtain an image. The extraction unit is configured to extract first biometric information and second biometric information from the image obtained by the obtaining unit. The determination unit is configured to determine whether the first biometric information and the second biometric information are different. The permission unit is configured to permit execution of the instruction accepted by the instruction accepting unit in a case where the determination unit determines that the first biometric information and the second biometric information are different.

Publication date: 03-10-2023

Processing authentication requests to secured information systems using machine-learned user-account behavior profiles

Number: US0011775623B2
Assignee: Bank of America Corporation

Aspects of the disclosure relate to processing authentication requests to secured information systems using machine-learned user-account behavior profiles. A computing platform may receive an authentication request corresponding to a request for a user of a client computing device to access one or more secured information resources associated with a user account. The computing platform may capture one or more behavioral parameters and activity data associated with one or more interactions with one or more non-authenticated pages. Then, the computing platform may evaluate the one or more behavioral parameters and the activity data using a behavioral profile associated with the user account. Based on this evaluation, the computing platform may identify the authentication request as malicious and may generate and send one or more denial-of-access commands to prevent the client computing device from accessing the one or more secured information resources associated with the user account.

Publication date: 10-04-2019

SINGLE SET OF CREDENTIALS FOR ACCESSING MULTIPLE COMPUTING RESOURCE SERVICES

Number: EP3468103A1

A user may utilize a set of credentials to access, through a managed directory service, one or more services provided by a computing resource service provider. The managed directory service may be configured to identify one or more policies applicable to the user. These policies may define the level of access to the one or more services provided by the computing resource service provider. Based at least in part on these policies, the managed directory service may transmit a request to an identity management system to obtain a set of temporary credentials that may be used to enable the user to access the one or more services. Accordingly, the managed directory service may be configured to enable the user, based at least in part on the policies and the set of temporary credentials, to access an interface, which can be used to access the one or more services.

Publication date: 14-06-2017

METHODS AND DEVICES FOR MANAGING AUTOMATIC PARALLEL LOGIN AND LOGOUT IN SEVERAL APPLICATIONS

Number: EP3179397A1

The present invention relates to a method and a device for managing accounts. The method includes: receiving (101) a first logout request to log out a plurality of target accounts corresponding to at least one target application; and for each target application, sending (102) a second logout request which carries information of the target accounts associated with this target application to a target application server corresponding to the target application, for the target application server to log out the target accounts according to the information of the target accounts. The present invention allows a plurality of target accounts to be logged out quickly, saving time for users and improving user experience.

Publication date: 22-07-2015

Information processing system and authentication method

Number: EP2897339A1
Author: Fukuda, Yasuharu

An information processing system includes a first authentication function unit that issues first authentication information which is necessary to perform an authentication collaboration function between the information processing system and an external service and indicates that an authentication is completed by a first authentication function; an administration unit that issues second authentication information which is necessary to use an internal service and indicates that the authentication is completed by a second authentication function and performs, when a collaboration authentication request using the second authentication information is received from an external apparatus and if the received second authentication information is authorized, the collaboration authentication request for the first authentication function and sends the collaboration authentication response from the first authentication function to the external apparatus; and an authentication function using unit that ...

Publication date: 16-02-2016

Image forming apparatus and program

Number: JP0005862282B2

Publication date: 20-01-2016

METHOD FOR COMPARATIVE EVALUATION OF INFORMATION AND COMPUTING NETWORK STRUCTURES

Number: RU2573267C2

The invention relates to the field of information security of information and computing networks (ICN) and communication systems and can be used in the comparative evaluation of ICN structures with regard to their resilience to failures caused by random and deliberate interference. The technical result of using the invention is an increase in the reliability of the results of comparative evaluation of ICN structures under random and deliberate interference, achieved by forming alternative routes to the service control nodes included in the ICN structure and determining the safer route. The method is as follows: a set of M service control nodes is additionally specified; after response messages are received from the service control nodes, the identifiers and addresses of the service control nodes are extracted and stored, as well as a set L of message transmission routes; then the critical ratio of the previously stored "dangerous" and "safe" nodes is computed for each l-th route ...

Publication date: 10-05-2006

LOGIN METHOD

Number: RU2276398C2
Assignee: NOKIA CORPORATION (FI)

The invention relates to a method for logging in to at least two network elements within a communication network and to a device for logging in to such a system. The technical result is simplified login to two or more elements of a communication network, in that the user specifies only one username/password pair, while a high degree of network security is ensured. The user enters a first username (GUSER) and a first password (GPSSWD) at a user station (WS). The user station (WS) then logs in to a first system (NEMU) over a first connection using the first username (GUSER) and the first password (GPSSWD). The first system (NEMU) determines, together with a second system (DX), a second username (MUSER) and a second password (MPSSWD). The first system (NEMU) sends the second username (MUSER) and the second password (MPSSWD) to the user station (WS), and the user station (WS) logs in to the second system (DX) with the second username ...

Publication date: 05-01-2012

Linked identities

Number: US20120005739A1
Author: Farhang Kassaei
Assignee: eBay Inc

Methods and systems to automatically respond to make a Super Identity by linking two identities and methods and systems to use the identities include a transaction authorization module that receives a request associated with a first identity record associated with a user, the request being for information associated with a second identity record. An identity linking module identifies that the second identity record is linked to the first identity record and retrieves the information associated with the second identity record. The transaction authorization module also generates a response including the information associated with the second identity, and transmits the response.

Publication date: 02-02-2012

Accessing resources of a secure computing network

Number: US20120030733A1
Assignee: Raytheon Co

According to one embodiment of the present invention, a method for accessing resources of a secure computing network may be provided. The method may include receiving a request to allow a user to access a secure computing network. The user may be associated with an avatar that has a unique set of one or more identifiers that are associated with the user. A security clearance level of the avatar may be determined from the unique set of identifiers of the avatar. The avatar may be authorized to access one or more virtual compartments of the secure computing network according to the security clearance level of the avatar. The virtual compartment may comprise one or more resources of the secure computing network. The method may further include facilitating display of one or more resources of a virtual compartment accessed by the avatar.

Publication date: 16-02-2012

Method and Apparatus for Detecting Changes in Websites and Reporting Results to Web Developers for Navigation Template

Number: US20120042237A1
Assignee: Yodlee com Inc

A computerized appliance includes a non-transitory physical memory medium coupled to the computerized appliance, and software executing on the computerized appliance from the non-transitory physical memory medium. The computerized appliance performs a method comprising steps of accessing an electronic information page on a network by proxy on behalf of a client, following a navigation template assembled from a plurality of functional logic blocks, determining failed execution of the navigation template, determining the logic block involved at the point of failure, determining information necessary to repair the logic block determined at the point of failure, creating a new modular logic block according to the information, and installing the newly-created modular logic block into the navigation template that failed, and automatically replacing the failed logic block in all stored navigation templates that depend on the failed logic block.

Publication date: 16-02-2012

WebConnect: Website for increasing ease of website and media accessiblity on the world wide web

Number: US20120042259A1
Author: Ezana Berhane
Assignee: Individual

WebConnect is a collection of methods combined onto one website. These methods include: an advanced bookmarking method, a social network, time-management tools, a personal media, and simple mail transfer protocol tool. WebConnect allows easy access to websites, specifically those that require accounts with passwords. When a user has bookmarked a website, websites over an https require you to log in; even when the user has exercised the option of having the browser remember the username and password. The application provided by WebConnect gives the user the option of saving the website in memory even while logged in. So the next time the user wants to visit that specific web page, they can simply navigate to the website without signing in. This application is referred to as trapping, and it is the central part of WebConnect that eliminates having to memorize various logins. In the context of a website, to trap means to save any page on an open account, or any page in general, for later access to avoid having to sign in later.

Publication date: 16-02-2012

Information processing system, web server, information processing apparatus, control methods therefor, and program

Number: US20120042359A1
Author: Shigeki Kuroda
Assignee: Canon Inc

This invention provides an information processing system which sets a validity period of authentication in a Web application provided by a Web server activated from an information processing apparatus in accordance with the logout transition time in the information processing apparatus, a Web server, an information processing apparatus, and control methods therefor. To accomplish this, a Web application activated on a Web server acquires the information of the logout transition time set in an information processing apparatus, and updates the validity period of authentication in the Web application in accordance with the acquired logout transition time. The Web application receives the notification of an operation event occurring in an MFP in addition to an operation event on the Web application, and properly resets a timer for the validity period of authentication in the Web application.

Publication date: 19-04-2012

Application Identity Design

Number: US20120096533A1
Assignee: Salesforce com Inc

Methods and apparatus, including computer program products, implementing and using techniques for providing user credentials over a network to a remote computer application. User credentials for the remote computer application are stored in a central repository that is accessible through the network. A request is sent to a service to perform, on behalf of a user, a particular task involving the remote computer application. It is determined whether the service has been granted permission to act on behalf of the user with respect to the remote computer application. When the service has permission to act on behalf of the user, the service is used to retrieve the user's credentials for the remote computer application from the central repository and to supply the retrieved user credentials to the remote computer application.

Publication date: 19-04-2012

Information processing apparatus, control method therefor, and program

Number: US20120096544A1
Author: Yasuhiro Hosoda
Assignee: Canon Inc

There are provided an information processing apparatus which provides a user credential sharing service on a user credential sharing condition intended by a vendor that creates an application, and a control method for the information processing apparatus. To accomplish this, the information processing apparatus generates sharing settings which define a sharing condition for each item of a user credential among applications according to a manifest file acquired from each application. Upon receiving a request of a user credential from one of the applications, the information processing apparatus provides the user credential to the requesting application according to the generated sharing settings.

Publication date: 26-04-2012

Synchronized sign-on methods for non-programmatic integration systems

Number: US20120102560A1
Assignee: Individual

Methods and systems for automatically signing a user on to an integration application when a user signs on to another application and signing a user off when the user signs off of the other application. The integration application automatically non-programmatically collects data from a mapped location of a mapped source reference of the other application. The collected data includes a user identifier value. The integration continuously monitors the collected user identifier value for a difference in the collected user identifier value. If the collected user identifier value is recognized by the integration application, the user is signed into the integration application using the collected user identifier value, and if a difference in the collected user identifier value is detected, the user is signed off of the integration application.

Publication date: 03-05-2012

Methods for processing private metadata

Number: US20120110323A1
Assignee: Apple Inc

According to one aspect of the invention, a file received from a first user is stored in a storage device, where the file includes private metadata encrypted by a secret key associated with a second user. A private metadata identifier is stored in a predetermined storage location, indicating that private metadata of the file has not been decrypted and indexed. In response to an inquiry subsequently received from the second user, the predetermined storage location is scanned to identify the private metadata identifier based on the inquiry. The encrypted metadata identified by the private metadata identifier is transmitted to the second user for decryption. In response to the metadata that has been decrypted by the second user, the decrypted metadata is indexed for the purpose of subsequent searches of at least one of the metadata and the file.

Publication date: 10-05-2012

Interactive Bill Payment Center

Number: US20120116969A1
Assignee: Yodlee com Inc

A software suite that provides a bill-payment module and comprises an interactive main interface listing bills due and payment accounts, an interactive history link, an interactive set-up link embedded in the main interface, an interactive transfer-funds link, an interactive calendar link, a plurality of interactive drop-down menus providing upon invocation a plurality of selectable, interactive options for treating the listed bill and an interactive refresh-all link embedded in the main interface.

Publication date: 17-05-2012

Quick payment using mobile device binding

Number: US20120124676A1
Assignee: Individual

Methods and systems are provided for secure device binding that provides user convenience through avoiding repetitive logging in when changing apps or moving from website to website. A mobile device undergoes binding to an account so that customers do not always have to enter their password when going through a financial transaction process, on a known (e.g., registered) mobile device. A device may be bound during an initial login, and once logged in, the user can select an option to be “remembered” so that the user need not re-login on the same device for future visits with an app or to a website that shares the service provider library.

Publication date: 24-05-2012

Identity management trust establishment method, identity provider and service provider

Number: US20120131642A1
Assignee: ZTE Corp

A method for establishing an identity management trust, and an IDentification Provider (IDP) and a Service Provider (SP) are provided in the present disclosure. The method comprises: after receiving an access from a user, an SP determines whether an IDP to which the user attaches is located in a trust domain of the SP (S102); if the IDP to which the user attaches is not located in the trust domain of the SP, the SP inquires of an IDP in a local trust domain about the IDP to which the user attaches (S104); if the SP receives information of the IDP to which the user attaches, wherein the information is returned by an IDP in the local trust domain, the SP adds the IDP to which the user attaches to a temporary trust list to establish a trust for the IDP to which the user attaches (S106). The present disclosure can establish a trust relationship between an SP and any IDP whether or not extra devices are added, ensuring that the user obtains the desired services after logging on once.

Publication date: 14-06-2012

Method and system for authenticating a rich client to a web or cloud application

Number: US20120151568A1
Assignee: International Business Machines Corp

A rich client performs single sign-on (SSO) to access a web- or cloud-based application. According to the described SSO approach, the rich client delegates to its native application server the task of obtaining a credential, such as a SAML assertion. The native server, acting on behalf of the user, obtains an assertion from a federated identity provider (IdP) that is then returned to the rich client. The rich client provides the assertion to a cloud-based proxy, which presents the assertion to an identity manager to attempt to prove that the user is entitled to access the web- or cloud-based application using the rich client. If the assertion can be verified, it is exchanged with a signed token, such as a token designed to protect against cross-site request forgery (CSRF). The rich client then accesses the web- or cloud-based application making a REST call that includes the signed token. The application, which recognizes the request as trustworthy, responds to the call with the requested data.

Publication date: 06-09-2012

Sharing user id between operating system and application

Number: US20120227098A1
Assignee: Microsoft Corp

One or more techniques and/or systems are disclosed for authenticating a user of an application using an operating system. A user can log onto their device, such as at power-up, using a cloud-based ID registered to an online identity service. The user can be authenticated with the operating system on the user's device, using the cloud-based identity for the user, where the operating system may contact the online identity service to authenticate the user. When the user activates an application on the device it may request authentication of the user from the operating system, and an authentication token for the user's cloud-based identity is provided to the application. The application then uses the authentication token to authenticate the user for the application, as long as the application supports the use of the cloud-based ID of the user. In this manner, a subsequent manual user log-in operation is not required.

Publication date: 11-10-2012

System and method for providing customers with seamless entry to a remote server

Number: US20120259777A1
Assignee: JPMorgan Chase Bank NA

The present invention provides a seamless entry system that comprises a universal session manager. Users connect to the host service provider with a unique username and password. Then, through a series of data exchanges between the universal session manager, a validation database, and the remote service module, the customer may be transparently logged into remote service providers. Internet banking customers utilize a browser system to connect to a host server providing a range of banking services supported by a remote or distinct server. According to the method, the customer first enters a username and password to gain access to the host service provider. The universal session manager transmits data required for login to the remote service provider. The user is thus able to utilize the remote services with his/her web browser system without having entered a username or password particular to the remote service.

Publication date: 11-10-2012

Leveraging a Persistent Connection to Access a Secured Service

Number: US20120260316A1
Author: Robert Bruce Hirsh
Assignee: AOL Inc

Leveraging a persistent connection to provide a client access to a secured service may include establishing a persistent connection with a client in response to a first request from the client, and brokering a connection between the client and a secured service based on a second request from the client by leveraging the persistent connection with the client. The brokering may occur before the client attempts to connect to the secured service directly and the connection may be established between the client and the secured service without provision by the client of authentication information duplicative or additional to authentication information provided by the client to establish the persistent connection.

Publication date: 01-11-2012

System and method of sort-order preserving tokenization

Number: US20120278897A1
Assignee: Perspecsys Inc

An intercepting proxy server processes traffic between an enterprise user and a cloud application. The intercepting proxy server intercepts real data elements in communications from the enterprise to the cloud and replaces them with obfuscating tokens. Tokens included in results returned from the cloud are intercepted by the intercepting proxy server and replaced with the corresponding real data elements. In order for the sort order of the tokens to correspond to the sort order of the corresponding real data elements, a sort order preserving data compression is performed on parts of the real data elements, and the compressed values are concatenated with the obfuscated tokens, thus producing sortable tokens which, even though they are obfuscated, appear in the correct sort order in the cloud application.

Publication date: 15-11-2012

Systems and methods for universal enhanced log-in, identity document verification and dedicated survey participation

Number: US20120291107A1
Author: Teresa C. Piliouras
Assignee: Individual

Systems and methods are provided for controlling access via a computer network to a subscriber server. A log-in server receives a query to connect through the computer network to the subscriber server, and the log-in server receives registrant identification data. A first session is established between the log-in server and the subscriber server to validate the registrant identification data, and to generate a session password. A second session is established between the log-in server and the subscriber server. The second session is configured to authorize, based in part on the registrant identification data, access to at least a portion of a website associated with the subscriber server.

Publication date: 15-11-2012

Single sign-on between applications

Number: US20120291114A1
Assignee: CCH Inc

A single sign-on (SSO) system uses simple one-to-one trust relationships between individual applications and an SSO service to extend log in services from one application to another. Each application retains its own login policies and can separately make a decision whether to trust the SSO request or challenge the user for login credentials. By structuring the SSO system to use simple identity mapping, there is no requirement for consolidating user identity records from multiple applications into a single database with its attendant overhead and dependency risks.

Publication date: 29-11-2012

Method and apparatus for authenticating a user equipment

Number: US20120304259A1
Assignee: Alcatel Lucent SAS

The present invention relates to a Femtocell providing services to a UE, and it proposes a method for authenticating a UE registered in a first operating domain of a communication network (e.g. a mobile core network), when the UE requests the service provided by a second operating domain (e.g. a fixed access network, a backhaul network). An authentication server in the first operating domain allocates the needed information to access the service provided by the second operating domain for the UE, and stores. After receiving the needed information, the UE sends an authentication request message to an authentication server in the second operating domain, wherein the authentication server in the second operating domain forwards the authentication request message to the authentication server in the first operating domain.

Publication date: 06-12-2012

Systems and methods for establishing and enforcing user exclusion criteria across multiple websites

Number: US20120311151A1
Assignee: UC Group Ltd

Various embodiments provide systems and methods for monitoring a user over at least two websites. The systems and methods are configured to: (a) receive self-exclusion information from the user; (b) after receiving the self-exclusion information: (1) associate a unique user identifier that identifies the user with the self-exclusion information; and (2) store the unique user identifier and the self-exclusion information; (c) receive a first request from a first website to validate whether the user can engage in one or more first types of transaction activities; (d) after receiving the first request: (1) query the memory based on the unique user identifier; and (2) in response, send the first website a first indication that the user is excluded from engaging in the at least one of the first types of transaction activities. Second requests for a second website are then handled analogously. Associated methods are likewise provided.

Publication date: 27-12-2012

Flexible security token framework

Number: US20120331518A1
Author: Jong Lee
Assignee: Salesforce com Inc

A computer-implemented server system includes or supports applications that use security tokens. The server system includes a security token module to create token types for use with the applications, to generate security tokens corresponding to created token types, and to enforce token use policies for generated security tokens. The server system also includes a database to store security tokens for the token module. The token module accommodates creation of different token types having different token formats and different token use policies, based on obtained values of a plurality of token configuration variables. The token module generates security tokens in accordance with the different token formats, and enforces the different token use policies when processing incoming security tokens.

Publication date: 27-12-2012

Systems and Methods for Managing Secure Communication Sessions with Remote Devices

Number: US20120331534A1
Assignee: Schweitzer Engineering Laboratories Inc

According to various embodiments, a session manager generates, stores, and periodically updates the login credentials for each of a plurality of connected IEDs. An operator, possibly via an access device, may provide unique login credentials to the session manager. The session manager may determine the authorization level of the operator based on the operator's login credentials, defining with which IEDs the operator may communicate. According to various embodiments, the session manager does not facilitate a communication session between the operator and a target IED. Rather, the session manager maintains a first communication session with the operator and initiates a second communication session with the target IED. Accordingly, the session manager may forward commands transmitted by the operator to the target IED. Based on the authorization level of the operator, a session filter may restrict what may be communicated between an operator and an IED.

Publication date: 27-12-2012

Authentication system, authentication method, and storage medium for realizing a multitenant service

Number: US20120331539A1
Author: Hayato Matsugashita
Assignee: Canon Inc

In order to prevent leakage of data possessed by a tenant to other tenants in multitenant service, it is necessary to control access. However, the conventional access control method is designed and developed to meet a specified request. Thus, costs for a dedicated design, development, administration, and maintenance need to be considered. Such costs can be reduced by using role information for each of a plurality of services and determining whether to allow or not allow access in a uniform manner.

Publication date: 03-01-2013

Method and system for automatic recovery from lost security token on embedded device

Number: US20130007869A1
Author: Renjit Tom Thomas
Assignee: Individual

Automatic recovery from loss of a security token on an embedded device is achieved by having a service provider (SP) server send to a device server a backup copy of the security token in conjunction with sending to an embedded device a primary copy of the security token, and retrieving from the device server and sending to the embedded device the backup copy of the security token upon detecting that the primary copy of the security token has been lost. The method and system obviate the need for a user to have to re-input on the embedded device a credential that is represented by the security token in the event the primary copy of the security token is erased from the embedded device or otherwise becomes inaccessible to the embedded device.

Publication date: 07-03-2013

Method and Apparatus for the Protection of Computer System Account Credentials

Number: US20130061302A1
Assignee: Individual

There are described methods, systems and software for creating, managing and using authentication credentials. The invention maintains for each user two authentication credentials: external and internal authentication credentials that share the same number of authentication factors of the same type. These are stored in a data store [1.4]. The user uses the external authentication credential via a device [1.1] that is external to the network [1.8]. This is matched to the internal authentication credentials that are then used to authenticate the user on the network [1.8]. It is an advantage of the invention that the internal authentication credentials are not stored on the device [1.1], leading to greater security. Also, the client software on the device [1.1] does not need to be customised in any way to deliver this improved security.

Publication date: 14-03-2013

Method and apparatus for key sharing over remote desktop protocol

Number: US20130067229A1
Assignee: Stoneware Inc

Various methods for the secure exchange of private keys for authenticating a user to an RDP service are provided. One example method may comprise receiving a request comprising a session token to provide a user with access to an RDP service, and retrieving a username and password associated with the user using the session token. The method may further comprise assigning a time period of validity to the password. Furthermore, the method may comprise generating a first secret key based on user information, generating a second secret key based on the first secret key and a salt, and encrypting a packet comprising the password and the time period using the second secret key. Additionally, the method may comprise transmitting the username and encrypted packet to the device for authenticating the user with the requested RDP service. Similar and related example methods, apparatuses, systems, and computer program products are also provided.

Publication date: 28-03-2013

Enhanced security for electronic communications

Number: US20130081111A1
Author: Alan S. Geller
Assignee: Amazon Technologies Inc

Techniques are described for providing enhanced security for electronic communications, such as by including in a message sent between two services a digital signature that is generated by using secret information known to the services, so that the recipient receives assurance regarding the sender's identity if the recipient can replicate the received digital signature using the secret information known to the recipient. In some situations, the enhanced security is used in communications to and/or from an access manager system that provides single sign-on functionality and other functionality to other services for use with those services' users, such as to prevent malicious phishers from inappropriately gaining access to user information. Various services may use the enhanced security techniques when interacting with the access manager system at various times, such as to initiate sign-on for a user and/or to take subsequent action on behalf of a signed-on user.

Publication date: 28-03-2013

System and method for transparent single sign-on

Number: US20130081126A1
Assignee: ROCKSTAR CONSORTIUM US LP

A method for transparent single sign-on authentication on computers in a networked environment. An embodiment includes receiving an authentication request from an operating system of a first computer, requesting credentials of an application making the authentication request, authenticating the credentials, storing the credentials if the authentication is successful, and transmitting the credentials to a second computer. On subsequent access requests made by the user on the second computer, the credentials can be retrieved from the secure store, eliminating the need to prompt the user to re-enter authentication information.

Publication date: 04-04-2013

Mobile application, identity relationship management

Number: US20130086210A1
Assignee: Oracle International Corp

Techniques for managing identities are provided. In some examples, identity management, authentication, authorization, and token exchange frameworks may be provided for use with mobile devices, mobile applications, cloud applications, and/or other web-based applications. For example, a mobile client may request to perform one or more identity management operations associated with an account of a service provider. Based at least in part on the requested operation and/or the particular service provider, an application programming interface (API) may be utilized to generate and/or perform one or more instructions and/or method calls for managing identity information of the service provider.

Publication date: 04-04-2013

Multi-server authentication token data exchange

Number: US20130086381A1
Assignee: Microsoft Corp

A client is authenticated by a server receiving an initial request from the client at the beginning of a session. The server receiving the initial request generates an authentication token and returns the authentication token to the client in response to the client being authenticated. The user's credentials used to authenticate the client are stored in the authentication token along with other information. After receiving the authentication token from the server that generated the authentication token, the client passes the authentication token with each of the future requests to the pool of servers. Using the client to pass the transferrable authentication token, the servers share the user's identity/credentials in a decentralized manner. Any server from the shared pool of servers that receives a subsequent client request is able to decrypt the token and re-authenticate the user without having to prompt the client for authentication credentials again.

Publication date: 04-04-2013

Mobile application, identity interface

Number: US20130086639A1
Assignee: Oracle International Corp

Techniques for managing identities are provided. In some examples, identity management, authentication, authorization, and token exchange frameworks may be provided for use with mobile devices, mobile applications, cloud applications, and/or other web-based applications. For example, a mobile client may request to perform one or more identity management operations associated with an account of a service provider. Based at least in part on the requested operation and/or the particular service provider, an application programming interface (API) may be utilized to generate and/or perform one or more instructions and/or method calls for managing identity information of the service provider.

Publication date: 25-04-2013

Service providing system

Number: US20130103802A1
Author: Masahiro Kawato
Assignee: NEC Corp

A system 100 includes a first service providing part 110 for providing a first service, and a second service providing part 120 for providing a second service. The first service providing part 110 transmits a first individual ID that is associated with a common ID included in an ID information provision request and that is for identifying a user in the first service, to a user terminal. The second service providing part 120 receives a service ID for identifying the first service, the first individual ID and the common ID from the user terminal, and transmits the service ID and first individual ID having been received with the common ID associated with a second individual ID that is included in an ID information acquisition request and that is for identifying a user in the second service, to a user terminal.

Publication date: 16-05-2013

System And Method For A Single Request And Single Response Authentication Protocol

Number: US20130124856A1
Assignee: Adobe Systems Inc

Various embodiments of a system and method for a single request and single response authentication protocol are described. A client may send to an authentication server a request to authenticate the identity of a user attempting to access an electronic document protected by a rights management policy. The single request may be generated according to rights management configuration information included within the document. Such rights management information may include one or more parameters for requesting authentication from an authentication server. In response to the request, an authentication server may send a single response to the client. The single response may include information indicating that the identity is authenticated (e.g., a license to access the document, or an encryption key to decrypt the document). The client system may be configured to, in response to the single response, provide access to the document according to the rights management policy.

Publication date: 30-05-2013

NETWORK SYSTEM, INFORMATION PROCESSING APPARATUS, METHOD FOR CONTROLLING THE INFORMATION PROCESSING APPARATUS, AND COMPUTER-READABLE STORAGE MEDIUM FOR COMPUTER PROGRAM

Number: US20130139240A1

A network system including at least one client and a user account management server is provided. The user account management server includes a user account saving portion for saving a user identifier and a user password for a cooperative server with which at least one client works in coordination for specific processing. Each of the clients includes an application storage portion for storing an application for the specific processing, a reference information storage portion for storing reference information to be referred to when the application is executed, a location information obtaining portion for obtaining location information indicating a saving location of the user identifier and user password, a user account obtaining portion for obtaining, based on the location information, the user identifier and the user password from the user account management server, and an update portion for updating the reference information to indicate the user identifier and the user password.

1. A network system comprising:
at least one client; and
a user account management server; wherein
the user account management server includes
a user account saving portion configured to save, thereto, a user identifier and a user password for a cooperative server with which said at least one client works in coordination for specific processing, and
an application storage portion configured to store, therein, an application for the specific processing,
a reference information storage portion configured to store, therein, reference information to be referred to when the application is executed,
a location information obtaining portion configured to obtain location information indicating a saving location of the user identifier and the user password,
a user account obtaining portion configured to obtain, based on the location information, the user identifier and the user password from the user account management server, and
an update portion configured to update the reference
...

Publication date: 27-06-2013

Methods for Single Signon (SSO) Using Decentralized Password and Credential Management

Number: US20130166918A1
Assignee: Individual

A method for single sign-on (SSO) that provides decentralized credential management using end-to-end security. Credential (and other personal user information) management is decentralized in that encryption is performed locally on the user's computer. The user's encrypted credentials may be stored by the login server and/or a plurality of distributed servers/databases (such as a cloud). The login server never has access to the user's credentials or other personal information. When the user wants to use single sign-on, he enters his password into his browser and the browser submits the encrypted/hashed password to the login server for validation. Upon validation, the browser receives the user's encrypted credentials. The credentials are decrypted by the browser and provided to relevant websites to automatically log the user in.

Publication date: 01-08-2013

Presenting Managed Security Credentials to Network Sites

Number: US20130198823A1
Assignee: Amazon Technologies Inc

Disclosed are various embodiments for providing managed security credentials to network sites for authentication. Multiple accounts of a user are maintained for multiple network sites. A secured resource of a network site is to be accessed by a computing device. One of the accounts is identified according to a domain name of the network site. The account is associated with a different network site having a different domain name from the domain name. The computing device is automatically authenticated with the network site using a security credential associated with the account.

Publication date: 29-08-2013

Identity provider discovery service using a publish-subscribe model

Number: US20130227099A1
Assignee: International Business Machines Corp

A proxy is integrated within an F-SSO environment and interacts with an external identity provider (IdP) instance discovery service. The proxy proxies IdP instance requests to the discovery service and receives responses that include the IdP instance assignments. The proxy maintains a cache of the instance assignment(s). As new instance requests are received, the cached assignment data is used to provide appropriate responses in lieu of proxying these requests to the discovery service, thereby reducing the time needed to identify the required IdP instance. The proxy dynamically maintains and manages its cache by subscribing to updates from the discovery service. The updates identify IdP instance changes (such as servers being taken offline for maintenance, new services being added, etc.) occurring within the set of geographically-distributed instances that comprise the IdP service. The updates are provided via a publication-subscription model such that the proxy receives change notifications proactively.

Publication date: 29-08-2013

Identity provider discovery service using a publish-subscribe model

Number: US20130227140A1
Assignee: International Business Machines Corp

A proxy is integrated within an F-SSO environment and interacts with an external identity provider (IdP) instance discovery service. The proxy proxies IdP instance requests to the discovery service and receives responses that include the IdP instance assignments. The proxy maintains a cache of the instance assignment(s). As new instance requests are received, the cached assignment data is used to provide appropriate responses in lieu of proxying these requests to the discovery service, thereby reducing the time needed to identify the required IdP instance. The proxy dynamically maintains and manages its cache by subscribing to updates from the discovery service. The updates identify IdP instance changes (such as servers being taken offline for maintenance, new services being added, etc.) occurring within the set of geographically-distributed instances that comprise the IdP service. The updates are provided via a publication-subscription model such that the proxy receives change notifications proactively.

Publication date: 05-09-2013

SERVICE USAGE MANAGEMENT METHOD, RECORDING MEDIUM, AND INFORMATION PROCESSING DEVICE

Number: US20130232557A1
Author: SHIMONO Akio
Assignee: FUJITSU LIMITED

A service usage management method executed by an information processing device, the service usage management method includes receiving, from a terminal device used by a user, a piece of authentication information which authenticates a user's right to use a service provided by a device as an issuing source and includes a number of times of issuing processing for issuing, based on a piece of authentication information, another piece of authentication information and an identifier of the device as the issuing source, generating the authentication information which includes the number of times of addition of adding one to the number of times indicated in the received authentication information and the identifier of the information processing device and authenticates the user's right to use the service provided by the information processing device, and transmitting the generated authentication information to the terminal device.

1. A service usage management method executed by an information processing device, the service usage management method comprising: receiving, from a terminal device used by a user, a piece of authentication information which authenticates a user's right to use a service provided by a device as an issuing source and includes a number of times of issuing processing for issuing, based on a piece of authentication information, another piece of authentication information and an identifier of the device as the issuing source, generating the authentication information which includes the number of times of addition of adding one to the number of times indicated in the received authentication information and the identifier of the information processing device and authenticates the user's right to use the service provided by the information processing device, and transmitting the generated authentication information to the terminal device.

2. The service usage management method according to claim 1, wherein the authentication information includes a list of ...

Publication date: 19-09-2013

Application identity design

Number: US20130247139A1
Assignee: Salesforce com Inc

Methods and apparatus, including computer program products, implementing and using techniques for providing user credentials over a network to a remote computer application. User credentials for the remote computer application are stored in a central repository that is accessible through the network. A request is sent to a service to perform, on behalf of a user, a particular task involving the remote computer application. It is determined whether the service has been granted permission to act on behalf of the user with respect to the remote computer application. When the service has permission to act on behalf of the user, the service is used to retrieve the user's credentials for the remote computer application from the central repository and to supply the retrieved user credentials to the remote computer application,

Publication date: 19-09-2013

Wireless communication using concurrent re-authentication and connection setup

Number: US20130247150A1
Assignee: Qualcomm Inc

A method includes generating at least one of a re-authorization request or a re-authentication with an extensible authentication protocol. The method also includes generating an upper layer message. The method further includes bundling the upper layer message and the at least one of the re-authorization request or the re-authentication request as an association request. The method further includes transmitting the association request to an access point.

Publication date: 26-09-2013

Inter-domain replication of service information

Number: US20130254328A1
Assignee: International Business Machines Corp

An automated conversion of service information between independent information technology (IT) management domains is performed using a federated gateway within each of the independent IT management domains that bridges the independent IT management domains. The automated conversion of service information allows at least one service consumer application executing within a first independent IT management domain to use a local service definition format to access at least one remote service provider application with a remote service interface defined using a different remote service definition format for execution in a second independent IT management domain. At least one service request is dynamically processed for the at least one remote service provider application via service provider application endpoint translation using the federated gateway within each of the independent IT management domains that bridges the independent IT management domains.

Publication date: 03-10-2013

SYSTEMS AND METHODS FOR INTERCEPTING AND AUTOMATICALLY FILLING IN FORMS BY THE APPLIANCE FOR SINGLE-SIGN ON

Number: US20130263241A1
Assignee: CITRIX SYSTEMS, INC.

The present invention is directed towards systems and methods for form-based single sign-on by a user desiring access to one or more protected resources, e.g., protected web pages, protected web-served applications, etc. In various embodiments, a single sign-on (SSO) module is in operation on an intermediary device, which is disposed in a network to manage internet traffic between a plurality of clients and a plurality of servers. The intermediary device can identify an authentication response from a server and forward the authentication response to the SSO module. The SSO module can complete a login form in the authentication response with a client's authentication data, return the completed login form to the server and forward cookies associated with the authentication response to the client. In various embodiments, multiple login forms can be completed, transparently to the client, by the SSO module on a client's behalf and reduce time expended by a client in obtaining access to protected resources.

1. A method for performing form-based authentication via a device intermediary to a client and a server, the method comprising: (a) intercepting, by a device intermediary to a client and a server, a login form communicated from the server for authenticating a user of the client to the server, the server communicating the login form responsive to a request from the client to authenticate the user; (b) submitting, to the server by the device to authenticate the user, the login form with authentication credentials populated in the login form by the device; (c) receiving, by the device, a response from the server to submission of the login form that indicates the user is authenticated to the server; and (d) transmitting, by the device responsive to the request from the client to authenticate the user, the response from the server to the client.
2. The method of claim 1, wherein step (a) further comprises storing a cookie communicated by the server in association with the ...

Publication date: 10-10-2013

METHOD AND SYSTEM FOR PROVIDING USER ACCESS TO A SECURE APPLICATION

Number: US20130269018A1
Assignee:

Providing remote user access to secure financial applications includes deployment of SSO software to client workstations by receiving a password for collaborating access to a secure server, navigating to the secure server using a web browser on a remote workstation, providing user authorization details and the received password to the secure server, generating a subsequent password at the secure server upon validation of the user authorization details and received password, and downloading an SSO deployment file to the remote workstation. The deployment file includes a subsequent password. The SSO deployment file is executed to install an SSO client application on the remote workstation. Workstation settings and user credentials are read from a secure file or data store. The SSO client application is run on the workstation to employ the user credentials and subsequent password to logon to the secure application.

1-22. (canceled)
23. A non-transitory computer readable storage medium storing software modules that provide remote user access to a secure application, the software modules comprising executable code that is executable to: receive a password for collaborating access to a secure server; receive a subsequent password from the secure server upon validation of user authorization details and the received password; execute an SSO deployment file that includes the subsequent password to install an SSO client application; and run the SSO client application to logon to the secure application with user credentials.
24. The non-transitory computer readable storage medium of wherein the SSO client application facilitates reduced or single sign on type remote access to a plurality of secure applications.
25. The non-transitory computer readable storage medium of claim 23, wherein user credentials may take the form of identifiers, passwords, pass phrases, certificates, encryption, signing and authentication key pairs or keys, ...

Publication date: 17-10-2013

MULTI-HOP SINGLE SIGN-ON (SSO) FOR IDENTITY PROVIDER (IdP) ROAMING/PROXY

Number: US20130276085A1
Assignee:

Embodiments of the present disclosure describe methods, apparatuses, and systems related to using an identity provider (IdP) as a proxy for another IdP. Other embodiments may be described and/or claimed.

1. An apparatus, comprising: a network device of a first identity provider (IdP) that provides a first identity and configured to operate as a proxy, for a second IdP that provides a second identity, to enable the second identity to be used to obtain authorized access to a service that recognizes the first identity, wherein to operate as the proxy to enable the second identity to be used to obtain authorized access to the service, the network device is configured to: initiate an authentication process with the second IdP for the second identity; and if the second identity is determined by the network device to be authenticated by the authentication process, send to the service an assert message associated with the first identity to complete the authorized access to the service; and a network interface, included in the network device and having a transceiver, configured to communicate with the second IdP.
2. The apparatus of wherein the network device includes: an IdP component configured to receive an authentication request sent by the service; a relaying party (RP) component configured to send a communication to initiate the authentication process with the second IdP; and hardware including a processor and a memory configured to store the IdP component and the RP component.
3. The apparatus of wherein the IdP component is configured to receive the authentication request from user equipment (UE) that has redirected the authentication request from the service to the network device.
4. The apparatus of wherein the RP component is configured to send the communication to initiate the authentication process directly to the second IdP.
5. The apparatus of wherein the RP component is configured to send the communication to initiate the authentication process to user equipment ...

Publication date: 31-10-2013

System and method for accessing integrated applications in a single sign-on enabled enterprise solution

Number: US20130290719A1
Assignee: Infosys Ltd

A method for performing access management to facilitate a user to access applications in a single sign-on enabled enterprise solution is provided. A challenge token and a response token are transmitted between a server and a client. The challenge token and response token comprises one-way hashed data. The response token is verified at the server and the client to authenticate the user. Further, a request for service token is transmitted between the server and the client. The request for service token is encrypted at the client and decrypted at the server using a unique session key negotiated between the server and client. A service token is generated and transmitted between the server and the client. The service token is encrypted and decrypted at the server using a secret key to verify the service token. Based on the verification, the requested applications are rendered on client based user interface.

Publication date: 07-11-2013

Universal website preference management

Number: US20130297716A1
Assignee: Bank of America Corp

Systems, apparatus, methods, and computer program products for universal user website preference management. The invention provides for a user to define website preferences that will be applied universally across multiple websites. The user preferences may be inputted and stored at a universal user preference website or the like. Such user preferences may include a preferred language, a preferred location, preferred billing information, preferred authentication credentials and the like. Through the use of tag parameters, the user preferences may be retrieved and applied at the onset of a user website session, such that the preferences become active when the user initiates website communication.

Publication date: 07-11-2013

ONE ROUND TRIP AUTHENTICATION USING SINGLE SIGN-ON SYSTEMS

Number: US20130298209A1
Assignee:

Systems, methods, and apparatus embodiments are described herein for enabling one-round trip (ORT) seamless user/device authentication for secure network access. For example, pre-established security associations and/or credentials may be leveraged between a user/device and a network entity (e.g., application server) on a network to perform an optimized fast authentication and/or to complete security layer authentication and secure tunnel setup in an on-demand and seamless fashion on the same or another network.

1. A method performed at a user equipment (UE), the method comprising: establishing a security association with a single sign-on (SSO) server on a first network; discovering a network identity of an access point on a second network; deriving, with the SSO server, dynamically generated credentials for use in accessing the access point on the second network; and performing an optimized authentication using the dynamically generated credentials to gain secure access to the access point via the second network.
2. The method as recited in claim 1, wherein the first network is a cellular network and the second network is a hotspot network or a WLAN network.
3. The method as recited in claim 1, wherein the network identity is discovered via the first network.
4. The method as recited in claim 1, wherein the credentials are derived with the SSO server via the first network or via a direct connection with the SSO server.
5. The method as recited in claim 1, wherein the optimized authentication is performed in accordance with an optimized extensible authentication protocol (EAP) framework.
6. The method as recited in claim 1, wherein the dynamically generated credentials comprise a master session key (MSK).
7. The method as recited in claim 1, wherein the SSO server is an OpenID identity provider and the access point is a relying party, and wherein the OpenID identity provider and the relying party transfer one or more access tokens between each other.
8. The ...

Publication date: 14-11-2013

Multi-media identity management system

Number: US20130305315A1
Assignee: International Business Machines Corp

A method for utilizing multi-media identities for access control to a secure area or item can begin with a multi-media identity management system providing a multi-media identity to an entity for use with an access control system. The multi-media identity can be a digital identifier defining multi-media authentication data and security privileges for the entity. The provided multi-media identity and multi-media authentication data can be received in an access request for a secure area or item. The multi-media authentication data can be verified against the multi-media data elements of the multi-media identity. The security privileges of the multi-media identity can be validated for the secure area or item. When the multi-media authentication data, multi-media identity, and security privileges are valid, the entity can be granted access and denied access when at least one item is invalid.

Publication date: 14-11-2013

Single sign-on for disparate servers

Number: US20130305334A1
Assignee: Individual

A system includes authentication of a user with a first server, reception of a request from the user to authenticate the user with a second server, requesting, from the first server, in response to receiving the request, user credentials to access the second server, reception of the user credentials from the first server, and transmission of the user credentials to the second server.

Publication date: 14-11-2013

COMPUTER READABLE STORAGE MEDIA FOR SELECTIVE PROXIFICATION OF APPLICATIONS AND METHOD AND SYSTEMS UTILIZING SAME

Number: US20130305338A1
Author: CASALS ANDREU Roger
Assignee: PASSWORDBANK TECHNOLOGIES, INC.

Systems and methods for selective proxification of applications are disclosed. One or more computer readable storage media may be encoded with instructions executable by one or more processing units of a computing system. The instructions encoded on the computer readable storage media may comprise authenticating a single sign-on access at a proxy server, receiving a request at the proxy server to access an application on an application server requiring authentication, accessing the application on the application server, authenticating a user to the application without additional authentication input from the user, and selectively providing a proxified session between the user and the application.

1. One or more computer readable storage media encoded with instructions executable by one or more processing units of a computing system, the instructions comprising authenticating a single sign-on access at a proxy server, receiving a request at the proxy server to access an application on an application server requiring authentication, accessing the application on the application server, authenticating a user to the application without additional authentication input from the user, and selectively providing a proxified session between the user and the application.
2. The storage media of claim 1, wherein the instructions further comprise instructions for receiving an additional authenticated request at the proxy server to access an additional application and providing the user access to the additional application without a proxified session.
3. The storage media of claim 1, wherein the instructions for selectively providing a proxified session include instructions for modifying a response provided by the application.
4. The storage media of claim 1, wherein the proxified session between the user and the application is based at least in part on web proxification.
5. The storage media of claim 1, wherein the user includes a computing device and wherein the ...

Publication date: 21-11-2013

WEB BASED SYSTEM THAT ALLOWS USERS TO LOG INTO WEBSITES WITHOUT ENTERING USERNAME AND PASSWORD INFORMATION

Number: US20130312075A1
Assignee: SPRINGO INCORPORATED

Internet user passwords are securely managed. A formation component can enable a user to create a master account on a web server, the master account comprising a master username and password. An access component can enable the user to access a plurality of password protected websites from a web browser or non-browser software application resident on the user's computing device when the user logs into the master account by entering the valid master username and password. A selection component can log the user into a website of the plurality of password protected websites when the user selects a hyperlink associated with the website, selects a linked image associated with the website, or selects the website from a pulldown list contained in a toolbar of a web browser. A display component can open a web browser or tab associated with the website.

1. A system, comprising: create master account data representing a master account for an identity comprising a master username and a master password; in response to an authentication of the identity utilizing the master username and the master password, enable access to password protected websites associated with the master account based on an encryption key that is a function of the master username and the master password; receive input representing a password protected website of the password protected websites, a username and a password that are associated with the password protected website; encrypt the username and the password that are associated with the password protected website using the encryption key resulting in encrypted access data; and in response to further input indicating a selection of the password protected website, log into the password protected website on behalf of the identity using the username and the password by decrypting the encrypted access data; a processor, coupled to a memory, that executes or facilitates execution of instructions stored in the memory to cause the system to at ...

Publication date: 21-11-2013

DEVICE AND METHOD FOR PROVIDING AUTHENTICATED ACCESS TO INTERNET BASED SERVICES AND APPLICATIONS

Number: US20130312076A1
Assignee: LIN.K.N.V.

Device for providing an authenticated access to the Internet based services, which is remarkable in that it comprises a unified identity management system, which is centered on the user for generating a unified identity means intended for users within a particular area, so that this user is able to use the same account to make himself known and to authenticate this for various applications, possibly based on different application owners; and associated method therefor.

1. Device for providing an authenticated access to the Internet based services, characterized in that it comprises a unified identity management system, which is centered on the user for generating a unified identity means intended for users within a particular area, so that this user is able to use the same account to make himself known and to authenticate this for various applications, possibly based on different application owners.
2. Device according to the previous claim, characterized in that the user centered management means is based on a combination of validation means of agreements established between a particular service provider and owners of the concerned websites in their capacity of suppliers, to provide access for the user to an Internet site he visits that is subject to the intended management system (L) when he is connected to the relevant management system (L).
3. Device according to any one of the preceding claims, characterized in that the management system is aimed at the user, whereby the latter is able to access all of the aforementioned applications which are mutually different, and this by means of a single identity field which the said user unequivocally identifies, wherein said centered linked identity management system provides a unified identity field to the user that is used for the said applications at the same time, and which ...

Publication date: 28-11-2013

Information processing apparatus, control method thereof, storage medium, and image processing apparatus

Number: US20130318585A1
Author: Yasuhiro Hosoda
Assignee: Canon Inc

A user credential sharing mechanism which can suitably implement a single sign-on function while preventing illicit accesses by accidental matches of authentication data in a mixed environment of an environment suitable for use of a single sign-on function and an unsuitable environment is provided. To accomplish this, when an information processing apparatus of this invention receives, from a user, an access request instruction to an external apparatus connected to be able to communicate with the information processing apparatus, if an authentication protocol related to user credentials generated at the time of a login operation is that which can limit a security domain, the apparatus accesses the external apparatus using the user credentials, and if that authentication protocol is that which cannot limit a security domain, the apparatus prompts the user to input an account accessible to the external apparatus.

Publication date: 28-11-2013

INFORMATION PROCESSING SYSTEM, CONTROL METHOD THEREOF, AND STORAGE MEDIUM THEREOF

Number: US20130318590A1
Author: Matsugashita Hayato
Assignee: CANON KABUSHIKI KAISHA

A method for realizing Single Sign-On (SSO) includes verifying, using prior information, whether authorization information issued by a first information processing system in response to successfully authenticating a user satisfies security requirements, providing, in a case where the authorization information is verified as satisfying the security requirements, a service without performing the user authentication, and performing, if an instruction to register a first information processing system that performs user authentication is received from the user, the registration by a method different from a method according to a management method of the prior information in the first information processing system.

1. A second information processing system that communicates with a first information processing system that performs user authentication using user authentication information input by a user, the second information processing system comprising: a verification unit configured to, using prior information, verify whether authorization information issued by the first information processing system in response to successfully authenticating a user satisfies security requirements; a providing unit configured to, in a case where the authorization information satisfies the security requirements, provide a service without performing the user authentication; and a registration unit configured to, if an instruction to register a first information processing system that performs user authentication is received from the user, perform the registration by a method different from a method according to a management method of the prior information in the first information processing system.
2. The second information processing system according to claim 1, wherein, in a case where the first information processing system causes a plurality of groups to share the prior information, the registration unit performs registration so that verification is performed using ...

Publication date: 28-11-2013

Method And Apparatus For Managing Identity For Mobile Terminal

Number: US20130318591A1
Author: CHEN Jungui, Wang Feng, Zhu Tao

A method and apparatus for managing an identity for a mobile. The method comprises identifying an application sending an identity verification request when receiving the identity verification request from one of multiple applications, sending a request message obtained according to the identity verification request to an identity verification server; and notifying all applications in a related application list comprising the identified application of an identity verification result obtained according to a returned message, when receiving the returned message from the identity verification server. Centralized management is performed for user identity information and user identity verification, development and maintenance cost is reduced, security of the user account is increased, and operations of the user are facilitated.

1. A method for managing an identity for a mobile terminal, comprising: at a mobile terminal having one or more processors and one or more memories, identifying an application sending an identity verification request when receiving the identity verification request from one of multiple applications, sending a request message obtained according to the identity verification request to an identity verification server; and notifying all applications in a related application list comprising the identified application of an identity verification result obtained according to a returned message when receiving the returned message from the identity verification server.
2. The method according to claim 1, wherein identifying an application sending an identity verification request comprises: utilizing identifier information of the application extracted from the identity verification request, searching a stored application information list for related information of the application, the related information comprising: an address of the identity verification server corresponding to the application and the related application list comprising the application; if the ...

Publication date: 05-12-2013

COOPERATION SYSTEM, COOPERATION METHOD THEREOF, INFORMATION PROCESSING SYSTEM, AND STORAGE MEDIUM

Number: US20130326608A1
Author: Uchida Takayuki
Assignee:

A client sends a request to start to use a service via an information processing system that is a cooperation source, acquires identification information indicating that authentication has been successfully performed based on group authentication information set for a group to which a user belongs, and then transmits the identification information to an information processing system that is a cooperation destination.

1. A cooperation system including a first information processing system for managing user authentication information about a plurality of users for each group and a second information processing system for acquiring data from the first information processing system and providing a service using the acquired data, the first information processing system comprising: a first authentication unit configured to receive user authentication information from a user operating a client and to authenticate the user based on the received user authentication information; and a first transmission unit configured to, in response to reception of a request for starting to use the service after the user is successfully authenticated, transmit group authentication information set for the group to which the user belongs to the second information processing system, and the second information processing system comprising: a second authentication unit configured to receive the transmitted group authentication information and to perform authentication based on the received group authentication information; and a second transmission unit configured to, after the authentication has been successfully performed based on the group authentication information, transmit identification information indicating that the authentication has been successfully performed to the first information processing system, an instruction unit configured to transmit the transmitted identification information to the client and to instruct the client to access the second information processing ...

Publication date: 19-12-2013

Transferring an account between devices

Number: US20130340044A1
Author: Xu Liu, Yevgeni Litvin
Assignee: TangoMe Inc

A method for transferring an account associated with a first device to a second device is disclosed. The method includes: initiating, by the second device, a message intersession with a third party device; receiving, at the second device and from a server, an indication that the second device is using a known identity associated with the first device; and providing, by the second device, an instruction for transferring an account from the first device to the second device.

Publication date: 19-12-2013

SYSTEM, CONTROL METHOD, AND STORAGE MEDIUM

Number: US20130340062A1
Author: KOBAYASHI Makoto
Assignee:

The present invention performs control to realize an appropriate access by executing mapping processing of single sign-on by associating SP side user information and IdP side user information using a unique AUID.

1. A system which manages a plurality of pieces of user information, the system comprising: a receiver unit configured to receive user information from another system; and a transmitting unit configured to transmit a table which associates the received user information and unique identification information of the plurality of pieces of user information, wherein, when the other system succeeds user authentication, the system is configured to provide a function of the system without performing the user authentication in the system based on the unique identification information.
2. The system according to claim 1, wherein the user information is obtained from the table which associates the user information and the user information of the other system.
3. The system according to claim 1, further comprising a determination unit configured to determine based on specifying information which is received together with the user information and which specifies the other system whether, when the other system succeeds the user authentication, the other system is configured to provide the function of the system without performing the user authentication in the system, wherein, when it is determined that the other system is configured to provide the function, the table is transmitted.
4. The system according to claim 1, further comprising a specifying unit configured to specify a group to which a user of a user ID belongs, based on the user ID and a password received together with the user information.
5. The system according to claim 4, wherein an authority of the user ID is specified, and the table which associates user information acquired by the authority from user information belonging to the specified group, and the unique ...

Publication date: 02-01-2014

Graduated authentication in an identity management system

Number: US20140007253A1
Author: Dick C. Hardt
Assignee: Dormarke Assets LLC

A method and system for graduated security in an identity management system utilize differing levels of time sensitivity, channel security and authentication security to provide a multi-dimensional approach to providing the right fit for differing identity requests. The differing levels of security can be selected by user preference, membersite request or homesite policy.

Publication date: 09-01-2014

SINGLE SIGN ON FOR CLOUD

Number: US20140013409A1
Author: Halageri Milind I.
Assignee:

Systems and methods for single sign on to a cloud. The system includes a cloud service provider and a tenant. The cloud service provider has a consumer unit and a portal. The consumer unit provides an interface for a user to connect to the cloud service provider. The portal provides a cloud service to the user; the portal has a first authentication system that issues a security token request and that is connected to the consumer unit. The tenant includes the user and a second authentication system. The second authentication system signs the security token request. The consumer unit is adapted to communicate with the first authentication system using a first protocol and adapted to communicate with the second authentication system using a second protocol.

1. A system for single sign on to a cloud, the system comprising: a cloud service provider comprising: a consumer unit that provides an interface for a user to connect to the cloud service provider; and a portal that provides a cloud service to the user, the portal comprising a first authentication system that issues a security token request, and the first authentication system is connected to the consumer unit; and a tenant comprising: the user; and a second authentication system that signs the security token request, wherein the consumer unit is adapted to communicate with the first authentication system using a first protocol and adapted to communicate with the second authentication system using a second protocol.
2. The system according to claim 1, wherein the consumer unit is adapted to request the cloud service from the portal based on a request for the cloud service from the user.
3. The system according to claim 1, wherein the consumer unit is adapted to translate a security token request in the first protocol to a security token request in the second protocol; and the consumer unit is adapted to translate a signed security token in the second protocol to a signed security token in the first protocol. ...

Publication date: 16-01-2014

METHOD FOR PROVIDING NETWORK SERVICE AND APPARATUS THEREOF

Number: US20140020079A1
Author: Lu Zhaohua

A method for providing network service and apparatus thereof are described. The method includes the following steps: acquiring a network identity information of a user wherein the network identity information stored in a browser is a kind of information with an unique recognition; matching the network identity information with a local identity database to determine whether the local identity database stores a binding relationship between the network identity information and a server account information of the user; querying the server account information stored in the local identity database based on the network identity information of the binding relationship if the network identity information is matched with the local identity database to be found in the local identity database; and automatically logging in the web server based on the server account information of the user.

1. A method for providing a network service, the method comprising the steps of: collecting a browser account information of a user by a browser; encrypting the browser account information of the user by the browser for generating a network identity information with an unique recognition and storing the network identity information in the browser; acquiring the network identity information of the user from the browser by a web server; matching the network identity information with a local identity database by the web server to determine whether the local identity database stores a binding relationship between the network identity information and a server account information of the user of the web server; querying the server account information stored in the local identity database by the web server based on the network identity information of the binding relationship if the network identity information is matched with the local identity database to be found in the local identity database; requesting the user to either register or login the web server if the network identity information is not found ...

Publication date: 30-01-2014

SYSTEMS, METHODS, AND MEDIA FOR SYNTHESIZING VIEWS OF FILE SYSTEM BACKUPS

Number: US20140032498A1
Author: Caputo Vito, Lalonde Eric
Assignee:

Systems, methods, and media for synthesizing a view of a file system are provided herein. Methods may include receiving a request to obtain a view of at least a portion of a file system backup for a device, responsive to the request, mounting one or more backup files for the device on a backup node, generating a view of the at least a portion of a file system created from the one or more mounted backup files, the view being accessible via the intermediary node that is communicatively coupled with the backup node.

1. A method for synthesizing a view of at least a portion of a file system backup, the method comprising: receiving a request to obtain a view of at least a portion of a file system backup for a device; responsive to the request, mounting one or more backup files for the device on a backup node to: generate a view of the at least a portion of a file system created from the one or more mounted backup files; and expose the view to an intermediary node that is communicatively coupled with the backup node.
2. The method according to claim 1, wherein the one or more backup files includes at least one of: (i) one or more snapshots and (ii) one or more incremental files.
3. The method according to claim 2, wherein the one or more incremental files includes at least one reverse incremental delta increment.
4. The method according to claim 1, wherein the intermediary node and the backup node are communicatively coupled using a secure connection.
5. The method according to claim 1, wherein the view is generated from the one or more backup files using a userspace file system simulation emulation (UFSE) module.
6. The method according to claim 1, further comprising authenticating a client node and providing the view to the client node.
7. The method according to claim 1, wherein the view includes a directory tree of the file system at an arbitrary point in time.
8. The method according to claim 1, further comprising storing the view of the at least a portion of a ...

Publication date: 06-02-2014

ESTABLISHING HISTORICAL USAGE-BASED HARDWARE TRUST

Number: US20140041008A1
Author: ROSKIND James A.
Assignee:

Establishing trust according to historical usage of selected hardware involves providing a usage history for a selected client device; and extending trust to a selected user based on the user's usage history of the client device. The usage history is embodied as signed statements issued by a third party or an authentication server. The issued statement is stored either on the client device, or on an authentication server. The usage history is updated every time a user is authenticated from the selected client device. By combining the usage history with conventional user authentication, an enhanced trust level is readily established. The enhanced, hardware-based trust provided by logging on from a trusted client may eliminate the necessity of requiring secondary authentication for e-commerce and financial services transactions, and may also be used to facilitate password recovery and conflict resolution in the case of stolen passwords.

1. One or more computer-readable storage memories comprising processor-executable instructions which, responsive to execution by at least one processor, are configured to: write a token into any of a memory or a disk that is associated with a selected client device of one or more client devices; confirm that the token exists on the selected client device during each log in of the selected client device through one or more access points across a network; and extend an increase in trust to the selected client device at a level that is based, at least in part, on at least one of: a frequency of the confirmed log ins; or a number of the confirmed log ins.
2. The one or more computer-readable storage memories of claim 1, wherein the token comprises at least one of: a cookie; or a tag.
3. The one or more computer-readable storage memories of claim 1, the processor-instructions further configured to: perform an authentication of a selected user of the selected client device, wherein the authentication is based on a combination of the ...

Publication date: 20-02-2014

Secure Non-Geospatially Derived Device Presence Information

Number: US20140053255A1
Assignee:

This invention includes a system and method to enable a device to determine the presence information of another device over a secure communication network. First, the device and a presence server establish a secure connection. Next, while the initial secure connection with the presence server is established, the device generates a randomly created token and provides it to the presence server. The token is used as a shared-secret by the device and the presence server to secure future presence communications over a non-secure connection. Next, without the need to again enter a password or establish a secure connection with the presence server, the device uses the shared-secret to sign, encrypt and convey presence information to the presence server over an arbitrary connection. Finally, the presence server may share the first device's presence information with another device.

1. A system enabling a device to determine the presence information of another device over a communication network comprising: a first device; an access point coupled to the first device via a firewall, to facilitate and manage communication amongst the many devices connected to the communication network; the access point coupled to a communications network; a presence server coupled to the communications network; and another device connected to the network and available to receive information regarding the presence and status of the first device.
2. The system of claim 1, wherein the device comprises a smart phone, tablet PC, notebook PC, desktop PC, remote monitoring device, camera, sensor, or any other device that transmits and receives data.
3. The system of claim 1, wherein the presence information indicates status such as the ability and willingness of the device to communicate, whether the device is available for communication, unavailable for communication, how it can be contacted for future communication, should not ...

Publication date: 20-02-2014

User authentication device having multiple isolated host interfaces

Number: US20140053256A1
Author: Aviv Soffer, Oleg Vaisband
Assignee: HIGH SEC LABS LTD

Devices and methods provide for enabling a user to use a single user authentication device such as smart-card reader, such that the user is capable of securely interfacing with two or more isolated computers and enabling the user to authenticate and remain authenticated at multiple computers at the same time. Once the user removes the smart-card from the smart-card reader, the authentication session on all coupled computers is terminated at once. The user authentication device comprises: an authentication module connected via a channel selection switch to one of a plurality of channels, each interfacing with a respective coupled computer.

Publication date: 20-02-2014

Universal Authentication Token

Number: US20140053257A1
Author: Mark Buer
Assignee: Broadcom Corp

A universal authentication token is configured to securely acquire security credentials from other authentication tokens and/or devices. In this manner, a single universal authentication token can store the authentication credentials required to access a variety of resources, services and applications for a user. The universal authentication token includes a user interface, memory for storing a plurality of authentication records for a user, and a secure processor. The secure processor provides the required cryptographic operations to encrypt, decrypt, and/or authenticate data that is sent or received by universal token. For example, secure processor may be used to generate authentication data from seed information stored in memory.

Publication date: 27-02-2014

Method and system for transmitting authentication context information

Number: US20140059657A1
Author: Michael Barrett

A system of the present invention uses an identity provider to provide the authentication services for multiple service providers. An identity provider communicates with one or more service providers. A user that wishes to gain access to a service provider is authenticated through the use of the identity provider. A user desiring to access a service provider is first authenticated by the identity provider. The identity provider determines if the user meets the desired class level and provides various information related to the authentication. When the user attempts to access a second service provider that is associated with the same identity provider, the second service provider accesses the identity provider and determines that the user was recently authenticated. The identity provider then transmits the relevant information regarding the authentication process to the second service provider, which can then allow or deny the user access to the second service provider.

Publication date: 06-03-2014

Secure configuration catalog of trusted identity providers

Number: US20140068743A1
Assignee: International Business Machines Corp

A secure database includes a catalog of information about one or more identity providers (IdPs) that are trusted by a service provider (SP) to authenticate users on the SP's behalf. The catalog securely stores one or more IdP configurations. An entry in the database stores information associated with the trusted IdP including artifacts to identify the IdP, artifacts used by the IdP for cryptographic operations, and a specification of one or more website(s) serviced by the trusted identity provider. Upon receipt by the SP of identity information representing a user that has authenticated to an IdP, information in the catalog of information is used to determine whether the IdP is trusted to authenticate the user on the service provider's behalf. The determination verifies that the SP uses the IdP and that a binding between an IdP identifier and at least one IdP cryptographic artifact is valid.

Publication date: 06-03-2014

Instant account access after registration

Number: US20140068787A1
Author: Uwe Steigmann
Assignee: SAP SE

A method for user registration may include in response to receiving registration data of the user from a client, creating an inactivated user account, generating a temporary session that includes a temporary session identification, transmitting the temporary session identification to the client, and subsequent to the transmitting the temporary session identification, sending an e-mail containing a hyperlink for verification to the user.

Publication date: 20-03-2014

MOBILE MULTIFACTOR SINGLE-SIGN-ON AUTHENTICATION

Number: US20140082715A1
Assignee: SECUREAUTH CORPORATION

Features are disclosed for authentication of mobile device applications using a native, independent browser using a single-sign-on system. An authentication module within the mobile application can direct the mobile device's native browser to a URL to initiate authentication with an authentication appliance. The mobile browser can receive and store a browser-accessible token to indicate previous authentication performed by the user. The mobile application can receive from the application appliance and store a client application ID token that may be presented to network services for access. A second mobile device application may direct the same browser to the authentication appliance. The authentication appliance may inspect the persistent browser-accessible token and issue a second client application ID identity to the second application without collecting additional authentication information, or collecting additional authentication information that is different from the first authentication information.

1. A non-transitory computer storage medium which stores a non-browser mobile client application comprising executable code that directs a mobile computing device to perform a process comprising: wherein the non-browser mobile client application comprises the authentication module, wherein the independent browser has not been specifically configured to provide identity information for non-browser mobile applications, wherein the authentication information is associated with a user of the mobile device, and wherein the authentication appliance is configured to provide single-sign-on (SSO) services that comprise accepting, for purposes of authentication, in lieu of the authentication information, a previously created valid browser-accessible token that was the result of a previous authentication between the authentication appliance and a second non-browser mobile client application; directing, by an authentication module, an independent browser, executable ...

Publication date: 20-03-2014

ACCESS CONTROL METHOD, ACCESS CONTROL SYSTEM, COMMUNICATION TERMINAL, AND SERVER

Number: US20140082716A1
Assignee: Panasonic Corporation

An access control method including: receiving a log information item indicating use history of electrical equipment that is used together with an intended product; receiving product information including information for identifying the intended product; storing the log information item received in the receiving of a log information item and the product information received in the receiving of product information, in association with each other; and controlling whether or not to allow access to the log information item based on the product information associated with the log information item when access to the log information item is attempted.

1. An access control method comprising: receiving a log information item indicating use history of electrical equipment that is used together with an intended product; receiving product information including information for identifying the intended product; storing the log information item and the product information in association with each other, the log information item being received in the receiving of a log information item, the product information being received in the receiving of product information; and controlling whether or not to allow access to the log information item based on the product information associated with the log information item when access to the log information item is attempted.
2. The access control method according to claim 1, further comprising adding tag information indicating the product information to the log information item received in the receiving of a log information item, wherein in the storing, a tagged log information item is stored which results from the addition of the tag information to the log information item in the adding of tag information, and in the controlling, whether or not to allow access to the tagged log information item is controlled based on the tag information included in the tagged log information item.
3. The access control method according to claim 2, wherein in the ...

Publication date: 27-03-2014

Multi-Tiered Authentication Methods For Facilitating Communications Amongst Smart Home Devices and Cloud-Based Servers

Number: US20140089671A1
Assignee: Nest Labs Inc

Apparatus, systems, methods, and related computer program products for synchronizing distributed states amongst a plurality of entities and authenticating devices to access information and/or services provided by a remote server. Synchronization techniques include client devices and remote servers storing buckets of information. The client device sends a subscription request to the remote server identifying a bucket of information and, when that bucket changes, the remote server sends the change to the client device. Authentication techniques include client devices including unique default credentials that, when presented to a remote server, provide limited access to the server. The client device may obtain assigned credentials that, when presented to the remote server, provide less limited access to the server.

Publication date: 06-01-2022

Injection of Tokens or Client Certificates for Managed Application Communication

Number: US20220006800A1
Author: Duchastel Thierry
Assignee:

Methods and systems for injection of tokens or certificates for managed application communication are described. A computing device may intercept a request from an application executable on the computing device, the request being to access a remote resource. The computing device may modify future network communications between the computing device and the remote resource to include a token or a client certificate, where the token or the client certificate is an identifier that enables the future network communications to be routed to the remote resource for a given computing session without use of data from the remote resource or data indicative of a connection of the remote resource in which to receive the future network communications. The computing device may send the future network communications to the remote resource to enable action to be taken on behalf of the computing device in response to receipt of the future network communications.

1. A computing device, comprising: at least one processor; memory storing computer-readable instructions that, when executed by the at least one processor, cause the computing device to: intercept a request from an application executable on the computing device, the request being to access a remote resource; modify future network communications between the computing device and the remote resource to include a token or a client certificate, wherein the token or the client certificate is an identifier that enables the future network communications to be routed to the remote resource for a given computing session without use of data from the remote resource or data indicative of a connection of the remote resource in which to receive the future network communications; and send the future network communications to the remote resource to enable action to be taken on behalf of the computing device in response to receipt of the future network communications.
2. The computing device of claim 1, wherein a server, ...

Publication date: 06-01-2022

CROSS DEVICE SINGLE SIGN-ON

Number: US20220006803A1
Assignee: CITRIX SYSTEMS, INC.

Systems and methods for providing a single sign-on for authenticating a user via multiple client devices is provided. For example, the system includes a processor configured to receive a first connection request from a first client device. The processor processes the first connection request and transmits an access token to the first client. The processor can further receive a second connection request from a second client device and process the second connection request. The processor can transmit a single sign-on response to the second client device in reply to the second connection request. The second client device can be configured to communicate with and transmit the single sign-on response to the first client device for processing. The processor can receive a single sign-on verification from the first client device, process the single sign-on verification, and transmit a copy of the access token to the second client device.

1. A computer system for providing a single sign-on for authenticating a user via multiple client devices in a distributed resource environment, the system comprising: a memory; a network interface; and at least one processor coupled to the memory and the network interface and configured to: receive, via the network interface, a single sign-on connection request from a requesting client device, process the single sign-on connection request, transmit, via the network interface, a single sign-on response to the requesting client device in reply to the single sign-on connection request, receive, via the network interface, a single sign-on verification from a previously authenticated initial client device, process the single sign-on verification, and transmit, via the network interface, a copy of an access token to the requesting client device.
2. The computer system of claim 1, wherein the at least one processor is further configured to authenticate the initial client device by being configured to: receive, via the network ...

Publication date: 01-01-2015

Paging method and device

Number: US20150005019A1
Author: Jinguo Zhu, Jingxiang Liu
Assignee: ZTE Corp

A paging method includes, when needing to page a user equipment (UE) according to service requirements, a mobile switching center (MSC) analyzing a user identification if finding that subscriber data are lost at present, judging whether the UE has a possibility of residing in a long term evolution (LTE) network, if yes, finding out one or more mobility management entities (MMEs) which are overlapped with the coverage area of the MSC itself, and sending a paging message for the UE to the MMEs. An MSC includes a first module, a second module, a third module and a fourth module. With the paging method and apparatus provided, the UE in the LTE can be successfully paged under the condition that a visitor location register (VLR) loses the subscriber data and a home location register (HLR) fails to return an MME identification.

Publication date: 04-01-2018

Method and Processes For Securely Autofilling Data Fields in A Software Application

Number: US20180004584A1
Author: Caron Etienne
Assignee:

The present invention gives the methods and processes for automatically servicing user driven requests to find place-holder fields, fill them in with relevant data in a secure manner and securely communicating the data related thereto to the appropriate Android™ device and/or application. More particularly, it relates to the methods and processes for authenticated users to automatically obtain and use the correct filled-in data that allows them to access or use any of a multiple number of Android™ applications and/or services at any time.

1. A method of requesting assets on a mobile device, the method comprising the steps of: sending a request for assets from an autofiller state machine to an assets datastore, the request for assets based on at least one predetermined action sequence; retrieving the assets from the assets datastore based on the at least one predetermined action sequence; sending the assets and the at least one predetermined action sequence to a user interface overlay service; displaying at least one interaction to a user, the interaction corresponding to the assets and the at least one predetermined action sequence; retrieving an interaction selection from the user, the interaction selection having a selection action sequence associated with selection assets; sending the interaction selection from the user interface overlay service to the autofiller state machine; querying the assets datastore to retrieve the selection assets from the assets datastore; and executing the selection action sequence to accessibility nodes using the selection assets.
2. The method of claim 1, wherein the at least one predetermined action sequence is entropy coded based on at least one of data size and data redundancy.
3. The method of claim 1, wherein the at least one predetermined action sequence is encrypted.
4. The method of claim 3, wherein the at least one predetermined action sequence is encrypted using an encryption based on at least one of data size and data redundancy. ...

Publication date: 07-01-2021

Searching SaaS Virtual Applications

Number: US20210004425A1
Assignee:

Methods and systems for searching SaaS virtual applications are disclosed. One method includes receiving a set of search terms for a search of a virtual application, the search of the virtual application being executable without having the virtual application open on a computing device. The search request is provided to a source of the virtual application, the request including the set of search terms for the virtual application. At least one response is received from the source of the virtual application based on the set of search terms. A list of search results is provided to the computing device to enable selection of the virtual application from a plurality of other virtual applications accessible via the computing device, the list of search results including the received at least one response.

1. A method for searching applications, comprising: receiving a set of search terms for a search of a virtual application, the search of the virtual application being executable without having the virtual application open on a computing device; providing a search request to a source of the virtual application, the request including the set of search terms for the virtual application; receiving at least one response from the source of the virtual application based on the set of search terms; and providing a list of search results to the computing device to enable selection of the virtual application from a plurality of other virtual applications accessible via the computing device, the list of search results including the received at least one response.
2. The method according to claim 1, wherein the virtual application comprises a Software as a Service (SaaS) virtual application.
3. The method according to claim 1, wherein the search request further comprises configuration information for the virtual application, the configuration information including: a name of the virtual application; a location of the source of the virtual application; a format for the ...

Publication date: 13-01-2022

REAL-TIME FEATURE LEVEL SOFTWARE SECURITY

Number: US20220012351A1
Assignee:

Systems and techniques for real-time feature level software security are described herein. A request may be received from a computing device for data from the feature of the software application. The request for data may include authorization information of a user of the computing device. It may be identified that the feature of the software application contains code containing a reference to a security configuration service. A security configuration may be determined for the feature of the software application by comparing a resource identifier and a feature identifier of the feature of the software application to a set of security configurations of the security configuration service. The security configuration may provide access rules for the feature of the software application. A response may be sent to the computing device based on a comparison of the received authorization information of the user of the computing device to the determined security configuration.

1. A system for providing security for a feature of a software application in real-time, the system comprising: at least one processor; and receive a request, from a computing device, for data from the feature of the software application, the feature of the software application including code containing a reference to a security configuration service; determine a security configuration for the feature of the software application by comparing identifiers of the feature to a set of security configurations of the security configuration service, the security configuration providing access rules for the feature of the software application; determine, using the security configuration, that a first data item identified in the request for data should be encrypted before transmission and a second data item identified in the request for data should be transmitted unencrypted; encrypt the first data item using an encryption algorithm; and send a response including the encrypted first data item and the ...

Publication date: 04-01-2018

UNIFIED AUTHENTICATION MANAGEMENT SYSTEM

Number: US20180004928A1
Author: HAYASHI Eiji, Hong Jason
Assignee: CARNEGIE MELLON UNIVERSITY

A system for automatic authentication of a user to allow access to websites and physical devices which provides tiered levels of security and defines an API protocol for exchange of authentication credentials.

1. A system for providing automatic user authentication, comprising: a user device running an authentication client; a database of authentication credentials, accessible by said client; wherein said authentication client: receives requests for authentication credentials; retrieves the requested authentication credentials from said database; and returns said requested authentication credentials to the requester.
2. The system of claim 1, wherein said authentication credentials are secured and further wherein said authentication client verifies, via a security protocol, that said authentication credentials may be returned.
3. The system of wherein said security protocol allows said authentication credentials to be returned if said user device is within a predetermined distance of pre-set geolocation.
4. The system of wherein said pre-set geolocation is settable by a user of said user device.
5. The system of wherein said security protocol allows authentication credentials to be returned after a user enters a password or a biometric.
6. The system of wherein said security protocol disallows returning of authentication credentials after one set of authentication credentials has been returned.
7. The system of wherein said security protocol disallows returning of authentication credentials when said user device travels a predetermined distance from a pre-set geo location.
8. The system of further comprising a wireless link between said user device and a second computer making a request for authentication credentials.
9. The system of wherein said security protocol disallows returning of authentication credentials when said wireless link with said second computer is lost.
10. The system of wherein said security protocol disallows returning of authentication ...

Publication date: 03-01-2019

DYNAMIC PRIVILEGE MANAGEMENT IN A COMPUTER SYSTEM

Number: US20190005267A1
Assignee:

An example method of dynamic privilege management in a computer system includes: detecting launch of an application by a user in a login session of a desktop executing on the computer system; determining identification information for the application; evaluating at least one policy that specifies requirements for privilege elevation using the identification information as parametric input; generating a privilege elevation result for the application, the privilege evaluation result including a positive or negative indication of whether the at least one policy permits privilege elevation of a process created for the application within the login session; and elevating privilege of the process in response to the positive indication in the privilege elevation

1. A method of dynamic privilege management in a computer system, comprising: detecting launch of an application by a user in a login session of a desktop executing on the computer system; determining identification information for the application; evaluating at least one policy that specifies requirements for privilege elevation using the identification information as parametric input; generating a privilege elevation result for the application, the privilege evaluation result including a positive or negative indication of whether the at least one policy permits privilege elevation of a process to be created for the application within the login session; determining a reputation of the application and comparing the reputation against at least one reputation threshold to generate a reputation result for the process, the reputation result including a positive or negative indication of whether the process can be executed; and elevating privilege of the process in response to the privilege elevation result after evaluation of the reputation result.
2. The method of claim 1, further comprising: creating the process having the elevated privilege.
3. The method of claim 2, wherein the step of elevating comprises: replacing a ...

Publication date: 01-01-2015

Controlling Exposure of Sensitive Data and Operation Using Process Bound Security Tokens in Cloud Computing Environment

Number: US20150006902A1
Assignee:

Exposure of sensitive information to users is controlled using a first security token containing user identity and user credentials to represent the user who requests services, and a second security token containing two other identities, one identifying the token issuer and the other identifying the owning process. When requesting services, the token-owning process sends a security token to indicate who is making the request, and uses its key to digitally sign the request. The token-owning process signs the request to indicate that it endorses the request. A receiving server accepts a request if (1) the token-owning process endorses the request by signing the request; (2) the token is valid (token is signed by its issuer and the digital signature is verified and unexpired); (3) user entity, which can be a real user or a deployment or a server process, that is represented by the token has the authorization to access the specified resources; and (4) the token-owning process is authorized to endorse the user entity represented by the token to access the specified resources.

1. A method for controlling exposure of sensitive data and using process bound security tokens comprising: representing a service requester using one or more security tokens containing a user identity, one or more user credentials, an identity of a token issuer, and an identity of the owning process; responsive to requesting services and subsequent authenticating to a server process, issuing the one or more security tokens including an issuer key name which indicates a key which was used to sign the security token; responsive to receiving the security token, using an issuer process name and the issuer key name to uniquely identify a public key needed to verify a token issuer digital signature; and responsive to verifying the token issuer digital signature, granting access to a requested process or server resource to the requesting service.
2. The method as set forth in wherein an owning process of a ...

Publication date: 05-01-2017

AUTHENTICATION CONTEXT TRANSFER FOR ACCESSING COMPUTING RESOURCES VIA SINGLE SIGN-ON WITH SINGLE USE ACCESS TOKENS

Number: US20170006020A1
Author: Falodiya Aditya
Assignee: ADOBE SYSTEMS INCORPORATED

Techniques are disclosed for accessing computing resources using secure single sign on authentication with a single use access token, including website-to-desktop application delivery and secure transfer of context information from the website to the desktop application once valid security credentials are provided from the same end-user computing device. A user signs onto a web application once using the security credentials. A web-based single use token generator generates a single use access token based on the user-supplied security credentials. A web-based context embedder service dynamically generates a context carrier and transfer application including the single use access token. The context carrier and transfer application is provided to an end-user computing device, which, when executed locally, installs a desktop application onto the end-user computing device. The desktop application utilizes the single use access token to access a secure, cloud-based computing resource. The single use access token expires after one use.

1. A computer-implemented method for accessing computing resources using secure single sign-on authentication, the method comprising: authenticating, by any of one or more computer processors, data representing a security credential of a user; generating, by any of the one or more computer processors, data representing a single use access token based on the authenticated security credential, the single use access token being configured to expire for purposes of validation after a single such validation occurs against the single use access token; and generating, by any of the one or more computer processors, executable code having the single use access token data encoded therewith, the executable code comprising instructions that, when executed by an end-user computing device, cause the end-user computing device to install an application and the single use access token data onto a computer-readable medium.
2. The method of claim 1, further ...

Publication date: 05-01-2017

PROVIDING A SINGLE SESSION EXPERIENCE ACROSS MULTIPLE APPLICATIONS

Number: US20170006021A1
Assignee:

A system is described allowing a user to log into an API proxy by supplying login credentials and to have the API proxy log into the APIs of various web-based applications on behalf of the user by using the user's login credentials, without the user needing to separately log into each application. Calls made by the user to an application and application replies are routed through the API proxy. Further, the API proxy manages session expirations, e.g., by sending dummy calls to applications that exhibit idle expiration.

1. A method, comprising: receiving, at an application programming interface (API) proxy, login credentials from a client device; initiating a session between the client device and the API proxy based on the login credentials; conveying the login credentials from the API proxy to an API of at least one application located on one or more remote servers to initiate at least one session between the API proxy and the at least one application on behalf of the client device; receiving at the API proxy a request from the client device, the request being targeted to the API of the at least one application; conveying the request from the API proxy to the API of the at least one application and receiving a response to the request at the API proxy; and forwarding the response to the client device.
2. The method of claim 1, further comprising: establishing a first session between the API proxy and a first application, wherein the first application employs a first session expiration policy; establishing a second session between the API proxy and a second application, wherein the second application employs a second session expiration policy that is different from the first session expiration policy; and maintaining the first session according to the first expiration policy and the second session according to the second expiration policy by the API proxy on behalf of the client device.
3. The method of claim 1, further comprising, prior to conveying the login ...

Publication date: 05-01-2017

Secure Identity Federation for Non-Federated Systems

Number: US20170006041A1
Assignee: SALESFORCE.COM, INC.

Methods and apparatus, including computer program products, implementing and using techniques for providing user credentials over a network to a remote computer application. User credentials for the remote computer application are stored in a central repository that is accessible through the network. A request is sent to a service to perform, on behalf of a user, a particular task involving the remote computer application. It is determined whether the service has been granted permission to act on behalf of the user with respect to the remote computer application. When the service has permission to act on behalf of the user, the service is used to retrieve the user's credentials for the remote computer application from the central repository and to supply the retrieved user credentials to the remote computer application.

1. A method of providing a unified access to systems, the method including: storing a plurality of sets of user credentials for a plurality of remote computer applications in a central repository accessible via an interoperability network, wherein the plurality of remote computer applications are entities that do not share a common identity verification protocol; receiving an interoperability network credential that authorizes a user to use the plurality of remote computer applications and access the stored plurality of sets of the user credentials; verifying that an intermediary service coupled to the interoperability network, upon receiving a request to perform, on behalf of the user, a particular task that requires access to and task performance by a particular remote computer application from the plurality of remote computer applications, has authorization to act on behalf of the user in obtaining authorized access to and task performance by the particular remote computer application; and upon verification of authorization, automatically supplying the intermediary service particular user credentials for the particular remote computer application ...

Publication date: 05-01-2017

Systems and Methods for Managing Performance of Identity Management Services

Number: US20170006063A1
Author: Shankar Sundaram
Assignee: Wipro Ltd

This disclosure relates generally to identity management, and more particularly to systems and methods for managing performance of identity management services. In one embodiment, a processor-implemented identity management performance control method is disclosed. The method may include receiving, via one or more hardware processors, an identity management architecture specification. The method may also include identifying, via the one or more hardware processors, a plurality of identity management attributes for the identity management architecture specification. The method may include selecting, via the one or more hardware processors, measurement criteria based on a target environment for implementing the identity management architecture. The method may include calculating, via the one or more hardware processors, an attribute measurement quotient for the plurality of identified identity management attributes using the selected measurement criteria.

Publication date: 01-01-2015

Multi-device single network sign-on

Number: US20150007298A1
Assignee: Avaya Inc

Methods, systems and computer readable media for multi-device single network sign-on are described. For example, a method can include authenticating a first device for network access via a first authentication process, the first device being associated with a user account. The method can also include receiving an access request from a second device associated with the user account, and determining whether the second device is within an access perimeter of the first device. The method can further include permitting the second device to access the network without a second authentication process when the second device is within the access perimeter of the first device.

Publication date: 01-01-2015

MOBILE MULTIFACTOR SINGLE-SIGN-ON AUTHENTICATION

Number: US20150007299A1
Assignee:

Features are disclosed for authentication of mobile device applications using a native, independent browser using a single-sign-on system. An authentication module within the mobile application can direct the mobile device's native browser to a URL to initiate authentication with an authentication appliance. The mobile browser can receive and store a browser-accessible token to indicate previous authentication performed by the user. The mobile application can receive from the application appliance and store a client application ID token that may be presented to network services for access. A second mobile device application may direct the same browser to the authentication appliance. The authentication appliance may inspect the persistent browser-accessible token and issue a second client application ID identity to the second application without collecting additional authentication information, or collecting additional authentication information that is different from the first authentication information.

1-15. (canceled)
16. A computer-implemented method for providing single-sign-on (SSO) authentication to a user of a client application on a mobile device, the computer-implemented method comprising: receiving, from an independent browser on a mobile device, a first request to access a first uniform resource locator (URL) associated with a first non-browser mobile application executing on the mobile device; authenticating the user interacting with the mobile device at least partly by: receiving first authentication information related to the user from the independent browser, and verifying the first authentication information with an identity database; identifying a first URL mapping configured to invoke the first non-browser mobile application; sending, to the independent browser, a browser-based token, the first URL mapping, and a first client application identity for use by the first non-browser mobile application; receiving, from the independent browser on the ...

Publication date: 01-01-2015

Security bridging

Number: US20150007303A1
Assignee: ROCKSTAR CONSORTIUM US LP

A network media gateway is used to bridge trust between a Service Provider network and subscriber devices. The gateway is authenticated by the Service Provider by using knowledge of network topology. Subscriber devices are authenticated in response to subscriber input to the gateway via an interface. Trusted subscriber devices can be tightly coupled with the Service Provider network, thereby facilitating delivery of QoE. Mobile and remote subscriber devices may also be authenticated. The gateway may also facilitate establishment of VPNs for peer-to-peer communications, and dynamically adjustable traffic, policy and queue weightings based on usage patterns.

Publication date: 07-01-2016

Prompting login account

Number: US20160006717A1
Author: Lijuan JI
Assignee: Alibaba Group Holding Ltd

A login request initiated by a user at a current page is received. Whether there exists an account record matched with a login account name and login password combination in the login request is searched from an account table of the current page. If a result is positive, the user is allowed to log in. If a result is not positive, a preconfigured account name collection corresponding to the login account name is acquired. The account name collection includes login account names of the user's registered accounts in a plurality of member systems. A login account name in a member system to which the current page belongs is searched from the account name collection, and the found login account name is provided to the user. The techniques of the present disclosure prompt a correct login account name to the user, especially when there are many user login account names, thereby reducing memory burden of the user and assisting the user in implementing a quick login under multi-account management.

Publication date: 07-01-2016

CROSS-NATIVE APPLICATION AUTHENTICATION APPLICATION

Number: US20160006719A1
Assignee:

A user device stores first authentication information used to grant access to a resource associated with a first application, and configuration information relating to a second application. The user device receives an authentication request from the second application requesting second authentication information. Based on the configuration information relating to the second application, the user device determines whether the first authentication information contains some or all of the requested second authentication information. The user device generates an authentication response to the authentication request, using the first authentication information, and sends the authentication response to the second application in order to permit access to a resource associated with the second application.

1. A user device, comprising: a memory to store first authentication information, the first authentication information being used to grant access to a resource associated with a first application, configuration information relating to the second application, the second application being different than the first application, the first application and the second application operating on the user device; and receive an authentication request, from the second application, requesting second authentication information, determine, based on the authentication request, that the memory stores the configuration information relating to the second application, determine, based on the configuration information, whether the first authentication information contains some or all of the second authentication information, generate an authentication response, to the authentication request, using the first authentication information based on determining that the first authentication information contains some or all of the second authentication information, and send the authentication response, to the second application, to permit access to a resource associated
...

Publication date: 07-01-2016

Detecting sharing of passwords for password protected user accounts

Number: US20160006720A1
Author: Kent Spaulding
Assignee: Oracle International Corp

A method for detecting the sharing of a password related to a password protected user account provided by an organization, by multiple entities of the organization is disclosed. In one embodiment, input associated with a training word is received from a user of a user computing device. In some examples, the input may include a sequence of user input entries related to the training word. In some embodiments, metadata associated with the sequence of user input entries is derived and a user input pattern profile is generated based on the metadata. In some embodiments, an authorized user of the organization is identified based at least in part on comparing the received input to the user input pattern profile.

Publication date: 07-01-2016

Providing Social Network Content Based on the Login State of a User

Number: US20160006721A1
Assignee:

An electronic device includes a display, one or more processors, and memory storing one or more programs. The one or more programs include a first program having a user-logged-in state for a first user and a user-logged-out state for the first user. The device communicates with a social network system; and displays a first user interface on the display. The first user interface includes a first predetermined area that corresponds to the first program. If the first program is in the user-logged-in state for the first user, the device displays in the first predetermined area first content from a plurality of users of the social network system that are connected to the first user. If the first program is in the user-logged-out state, the device displays in the first predetermined area second content that is selected for the first user, without displaying the first content.

1. A computer readable storage medium storing one or more programs, the one or more programs comprising instructions, which, when executed by a social network system with one or more processors, cause the social network system to: communicate with an electronic device associated with a first user that is remote from the social network system; in accordance with a determination that the first user is logged in to the social network system, send to the electronic device first content from a plurality of users of the social network system that are connected to the first user for display in a first predetermined area in a first user interface; and, in accordance with a determination that the first user is logged out of the social network system, send to the electronic device second content that is selected for the first user for display in the first predetermined area in the first user interface, without sending the first content from the plurality of users of the social network system that are connected to the first user.
2. The computer readable storage medium of claim 1, including instructions ...

Publication date: 04-01-2018

METHOD AND SYSTEM FOR AUTOMATICALLY MANAGING SECRET APPLICATION AND MAINTENANCE

Number: US20180007048A1
Assignee: INTUIT INC.

Secret application and maintenance policy data is generated for different classes of data. The class of data to be protected is determined and the secret application and maintenance policy data for the determined class of the data to be protected is identified and obtained. Required secrets data representing one or more secrets to be applied to the data to be protected is obtained and then automatically scheduled for application to the data to be protected in accordance with the secret application and maintenance policy data for the determined class of the data to be protected. Maintenance of the one or more secrets is also automatically scheduled in accordance with the secret application and maintenance policy data for the determined class of the data to be protected.

1. A system for automatically managing secrets application and maintenance comprising: at least one processor; and at least one memory coupled to the at least one processor, the at least one memory having stored therein instructions which when executed by any set of the at least one processors, perform a process for automatically managing secrets application and maintenance, the process for automatically managing secrets application and maintenance including: generating data classification data defining one or more classes of data; for each class of data, generating secret application and maintenance policy data including required secrets application data indicating required secret types to be applied to each class of data and secrets maintenance policy data indicating secret maintenance procedures for required secrets to be applied to each class of data; obtaining access to data to be protected; determining the class of the data to be protected; obtaining the secret application and maintenance policy data for the determined class of the data to be protected; analyzing the required secrets application data of the secret application and maintenance policy data for the determined class of the data to be ...

Publication date: 04-01-2018

Dynamic Access Control to Network Resources Using Federated Full Domain Logon

Number: US20180007059A1
Author: INNES ANDREW, Mayers Chris
Assignee:

Methods and systems for granting or denying a client device access to one or more resources in a remote computing environment are described herein. During authentication, context information for the client device, such as device type, device location, etc., may be determined. A computing device in the system may receive data indicating the context information, such as data indicating that the user is at a particular location and/or is of a particular device type. One or more labels for a session associated with the user of the client device may be determined based on the data indicating the context information. The computing device may generate an authentication certificate comprising one or more labels. Based on the certificate, one or more access groups for the user of the client device may be determined, and the user of the client device may be granted or denied access to one or more resources according to the access group(s).

1. A method comprising: authenticating, via an identity provider, a user of a client device, wherein the authenticating is based on a determination that the user is at a first location; receiving, by a computing device and from the identity provider, a token indicating that the user is at the first location; determining, by the computing device and based on the token indicating that the user is at the first location, one or more labels for a session associated with the user of the client device; generating, by the computing device, an authentication certificate comprising the one or more labels; determining, by the computing device and based on the authentication certificate, one or more access groups for the user of the client device; and based on one or more of the one or more access groups for the user of the client device or the one or more labels, granting the user of the client device access to first data and second data.
2. The method of claim 1, wherein the token indicates context information associated with the client device.
3. The ...

Publication date: 07-01-2021

COMPUTER READABLE STORAGE MEDIA FOR LEGACY INTEGRATION AND METHODS AND SYSTEMS FOR UTILIZING SAME

Number: US20210006554A1
Author: Katieb Ralph
Assignee:

Systems and methods for integrative legacy context management are disclosed herein. An example computer hardware system may include at least one processing unit coupled to a memory, and the memory may be encoded with computer executable instructions that when executed cause the at least one processing unit to receive a set of credentials associated with a user from a user device, cross-reference the set of credentials with a first set of credentials of an agent associated with the user to determine whether the set of credentials is valid; and if the set of credentials is valid, provide a second set of credentials of the agent to the user device in response to a request for the second set of credentials from the user device.

1. A computer hardware system comprising at least one processing unit coupled to a memory, wherein the memory is encoded with computer executable instructions that when executed cause the at least one processing unit to: receive a set of credentials associated with a user from a user device; cross-reference the set of credentials with a first set of credentials of an agent associated with the user to determine whether the set of credentials is valid; if the set of credentials is valid, generate a token associated with the user device; and in response to a request for at least one additional set of credentials from the user device, provide at least one additional set of credentials of the agent on demand to the user device during a period of time for which the token is valid.
2. The computer hardware system of claim 1, wherein the set of credentials is provided on behalf of a legacy application.
3. The computer hardware system of claim 1, wherein the set of credentials is received from a proxy that operates as an intermediary between a legacy application and a legacy server.
4. The computer hardware system of claim 1, wherein the at least one additional set of credentials of the agent is associated with a service provided by a legacy server.
5. The ...

Publication date: 07-01-2021

DEVICE AUTHENTICATION BASED UPON TUNNEL CLIENT NETWORK REQUESTS

Number: US20210006599A1
Assignee:

Disclosed are various approaches for providing authentication of a user and a client device. A user's credentials can be authenticated by an identity provider. In addition, a device posture assessment that analyzes the device from which the authentication request originates is also performed. An authentication request can be authenticated based upon whether the device posture assessment reveals that device to be a managed device that is in compliance with compliance rules.

1. A system for performing a device posture assessment, comprising: at least one computing device comprising a processor and a memory; and a management service comprising machine-readable instructions stored in the memory that, when executed by the processor, cause the at least one computing device to at least: obtain a request to authenticate a client device from an identity provider, the request comprising a device identification parameter corresponding to the client device; determine an enrollment status of the client device, the enrollment status indicating that the client device is enrolled with the management service; determine a compliance status of the client device; and provide to the identity provider an indication of the compliance status of the client device.
2. The system of claim 1, wherein the device identification parameter comprises a certificate signature, and the management service further comprises machine-readable instructions that, when executed by the processor, cause the at least one computing device to at least identify the client device based at least in part on certificate signature.
3. The system of claim 1, wherein the machine-readable instructions that cause the at least one computing device to at least determine the enrollment status of the client device cause the at least one computing device to at least determine that the client device is a managed device that is enrolled with the management service based at least in part on the ...

Publication date: 04-01-2018

SYSTEM AND METHOD FOR MAKING A CONTENT ITEM, RESIDENT OR ACCESSIBLE ON ONE RESOURCE, AVAILABLE THROUGH ANOTHER

Number: US20180007411A1
Author: Eyal Aviv
Assignee:

Systems and methods are provided to make content items, already available on one resource, also available through another, such as through a new location or resource. The content items may be, e.g., videos uploaded by a user or other content. The systems and methods employ a streamlined interface for convenience to the user. In one example, a user of a computer system views a video segment through a first website and re-posts the video segment to a second website by entering a single command or clicking a single button. The websites coordinate the re-posting using credentials previously or contemporaneously entered by the user. Moreover, a content item may be automatically prepared for re-posting on the target website using previously-entered user selections. Playback software from a source website may be posted to a target website to allow access of the content item at the source website.

1. A method of making available through a target resource a content item, the content item consumable on an originating resource, comprising: a. receiving a request from a client, the request pertaining to a content item and to a target resource; b. authenticating the client on the target resource; and c. if the authenticating is successful, then making available the content item through the target resource by either: i. transmitting the content item from an originating resource to the target resource; or ii. posting a link to the content item on the target resource.

2. The method of claim 1, wherein the authenticating includes: a. receiving at the target resource a credential of the client; b. comparing the credential to a list of authenticated credentials; and c. if the credential of the client is the same as a credential on the list of authenticated credentials, then returning a confirmation that the authenticating is successful.

3. The method of claim 1, wherein the receiving, authenticating, and making available is performed at least in part by a server ...

Publication date: 03-01-2019

SINGLE SIGN-ON MECHANISM ON A RICH CLIENT

Number: US20190007392A1
Assignee: Microsoft Technology Licensing, LLC

Methods and systems are provided that enable single sign-on (SSO) mechanisms on rich clients running hosting applications that include documents with one or more embedded web assets. An embedded web asset may be any resource (e.g., document, image, data, etc.) that is accessed via a browser from within a hosting application. In aspects, authentication of a user identity is required to access an embedded web asset. In particular, an identity management module is provided on a rich client. The identity management module is configured to maintain multiple credentials for multiple user identities that are associated with multiple applications, whether the applications are embedded applications or hosting applications. In this way, a user may access multiple applications, including embedded web assets, associated with each user identity—without signing into each application. That is, a user is able to login a single time for each user identity.

1. A processor-implemented method of providing a single sign-on mechanism for embedded web assets, comprising: receiving a first identity cookie associated with a first user identity and a second identity cookie associated with a second user identity; receiving first user credentials for accessing a hosting application, wherein the first user credentials are associated with the first user identity; receiving a first indication to access a first web asset embedded in a first hosting document of the hosting application; based at least in part on the first identity cookie, automatically enabling access to the first embedded web asset; receiving second user credentials for accessing the hosting application, wherein the second user credentials are associated with the second user identity; receiving a second indication to access a second web asset embedded in a second hosting document of the hosting application; and based at least in part on the second identity cookie, automatically enabling access to the second embedded web asset.

2. The ...
