1. Specializing support for a federation relationship
    Granted invention patent; status: expired

    Publication number: US08181225B2

    Publication date: 2012-05-15

    Application number: US12481007

    Filing date: 2009-06-09

    IPC classification: G06F7/04

    CPC classification: H04L63/0815 H04L67/30

    Abstract: The invention provides federated functionality within a data processing system by means of a set of specialized runtimes, which are instances of an application for providing federation services to requesters. Each of the plurality of specialized runtimes provides requested federation services for selected ones of the requestors according to configuration data of respective federation relationships of the requestors with the identity provider. The configuration data is dynamically retrieved during initialization of the runtimes, which allows the respective runtime to be specialized for a given federation relationship. Requests are routed to the appropriate specialized runtime using the first requestor identity and the given federation relationship. The data, which describes each federation relationship between the identity provider and each of the plurality of requestors, is configured prior to initialization of the runtimes.


2. Method and system for a runtime user account creation operation within a single-sign-on process in a federated computing environment
    Granted invention patent; status: in force

    Publication number: US07631346B2

    Publication date: 2009-12-08

    Application number: US11097587

    Filing date: 2005-04-01

    CPC classification: H04L63/0815 G06F21/41

    Abstract: A method, system, apparatus, and computer program product are presented to support computing systems of different enterprises that interact within a federated computing environment. Federated single-sign-on operations can be initiated at the computing systems of federation partners on behalf of a user even though the user has not established a user account at a federation partner prior to the initiation of the single-sign-on operation. For example, an identity provider can initiate a single-sign-on operation at a service provider while attempting to obtain access to a controlled resource on behalf of a user. When the service provider recognizes that it does not have a linked user account for the user that allows for a single-sign-on operation with the identity provider, the service provider creates a local user account. The service provider can also pull user attributes from the identity provider as necessary to perform the user account creation operation.


3. Specializing Support For A Federation Relationship
    Invention patent application; status: expired

    Publication number: US20090259753A1

    Publication date: 2009-10-15

    Application number: US12481007

    Filing date: 2009-06-09

    IPC classification: G06F15/16

    CPC classification: H04L63/0815 H04L67/30

    Abstract: The invention provides federated functionality within a data processing system by means of a set of specialized runtimes, which are instances of an application for providing federation services to requesters. Each of the plurality of specialized runtimes provides requested federation services for selected ones of the requestors according to configuration data of respective federation relationships of the requestors with the identity provider. The configuration data is dynamically retrieved during initialization of the runtimes, which allows the respective runtime to be specialized for a given federation relationship. Requests are routed to the appropriate specialized runtime using the first requestor identity and the given federation relationship. The data, which describes each federation relationship between the identity provider and each of the plurality of requestors, is configured prior to initialization of the runtimes.


4. Method and system for secure document exchange
    Granted invention patent; status: in force

    Publication number: US09397981B2

    Publication date: 2016-07-19

    Application number: US12426752

    Filing date: 2009-04-20

    IPC classification: H04L29/06

    Abstract: A document management (DM), data leak prevention (DLP) or similar application in a data processing system is instrumented with a document protection service provider interface (SPI). The service provider interface is used to call an external function, such as an encryption utility, that is used to facilitate secure document exchange between a sending entity and a receiving entity. The encryption utility may be configured for local download to and installation in the machine on which the SPI is invoked, but a preferred approach is to use the SPI to invoke an external encryption utility as a “service.” In such case, the external encryption utility is implemented by a service provider. When the calling program invokes the SPI, preferably the user is provided with a display panel. Using that panel, the end user provides a password that is used for encryption key generation, together with an indication of the desired encryption strength. The service provider uses the password to generate the encryption key. In one embodiment, the service provider provides the key to the service provider interface, which then uses the key to encrypt the document and to complete the file transfer operation. In the alternative, the service provider itself performs the document or file encryption. The service provider interface also preferably generates and sends an email or other message to the receiving entity that includes the key or a link to enable the receiving entity to retrieve the key. This approach obviates the sending and receiving entity having to install and manage matched or other special-purpose encryption utilities.


5. METHOD AND SYSTEM FOR SECURE DOCUMENT EXCHANGE
    Invention patent application; status: in force

    Publication number: US20100268934A1

    Publication date: 2010-10-21

    Application number: US12426752

    Filing date: 2009-04-20

    IPC classification: H04L29/06

    Abstract: A document management (DM), data leak prevention (DLP) or similar application in a data processing system is instrumented with a document protection service provider interface (SPI). The service provider interface is used to call an external function, such as an encryption utility, that is used to facilitate secure document exchange between a sending entity and a receiving entity. The encryption utility may be configured for local download to and installation in the machine on which the SPI is invoked, but a preferred approach is to use the SPI to invoke an external encryption utility as a “service.” In such case, the external encryption utility is implemented by a service provider. When the calling program invokes the SPI, preferably the user is provided with a display panel. Using that panel, the end user provides a password that is used for encryption key generation, together with an indication of the desired encryption strength. The service provider uses the password to generate the encryption key. In one embodiment, the service provider provides the key to the service provider interface, which then uses the key to encrypt the document and to complete the file transfer operation. In the alternative, the service provider itself performs the document or file encryption. The service provider interface also preferably generates and sends an email or other message to the receiving entity that includes the key or a link to enable the receiving entity to retrieve the key. This approach obviates the sending and receiving entity having to install and manage matched or other special-purpose encryption utilities.


6. Distributed Policy Distribution For Compliance Functionality
    Invention patent application; status: pending (published)

    Publication number: US20110112974A1

    Publication date: 2011-05-12

    Application number: US12616330

    Filing date: 2009-11-11

    IPC classification: G06Q10/00 G06F15/177

    Abstract: A multi-component auditing environment uses a set of log-enabled components that are capable of being triggered during an information flow in a data processing system. A “master” compliance component receives data from each log-enabled component in the set of log-enabled components, the data indicating a set of logging properties that are associated with or provided by that log-enabled component. The master compliance component determines, for a given compliance policy, which of a set of one or more events are required from one or more of the individual log-enabled components in the set of log-enabled components. As a result of the determining step, the master compliance component then configures one or more of the individual log-enabled components, e.g. by generating one or more configuration events that are then sent to the one or more individual components. This configuration may take place remotely, i.e., over a network connection. As a result of the information flow, audit or other logs are then collected from the log-enabled components. The master compliance component evaluates the collected logs to determine compliance with the compliance policy. As necessary, the master compliance component re-configures one or more log-enabled components in the set of log-enabled components to address any compliance issues arising from the evaluation. Thus, once a given compliance policy is specified, typically the individual log-enabled components in the multiple-component environment are not responsible for their own configuration, as that task is undertaken by the master compliance component.


7. Specializing support for a federation relationship
    Granted invention patent; status: in force

    Publication number: US07562382B2

    Publication date: 2009-07-14

    Application number: US11014553

    Filing date: 2004-12-16

    IPC classification: G06F7/04

    CPC classification: H04L63/0815 H04L67/30

    Abstract: The invention provides federated functionality within a data processing system by means of a set of specialized runtimes. Each of the plurality of specialized runtimes provides requested federation services for selected ones of the requestors according to configuration data of respective federation relationships of the requestors with the identity provider. The configuration data is dynamically retrieved during initialization of the runtimes, which allows the respective runtime to be specialized for a given federation relationship. Requests are routed to the appropriate specialized runtime using the first requestor identity and the given federation relationship. The data which describes each federation relationship between the identity provider and each of the plurality of requesters is configured prior to initialization of the runtimes. Configuration data is structured into global specified data, federation relationship data and requestor-specific data to minimize data change, making the addition or deletion of requestors very scalable.


8. Distributed policy distribution for compliance functionality

    Publication number: US10169723B2

    Publication date: 2019-01-01

    Application number: US12616330

    Filing date: 2009-11-11

    IPC classification: G06Q10/06 G06Q30/00

    Abstract: A multi-component auditing environment uses a set of log-enabled components that are capable of being triggered during an information flow in a data processing system. A “master” compliance component receives data from each log-enabled component in the set of log-enabled components, the data indicating a set of logging properties that are associated with or provided by that log-enabled component. The master compliance component determines, for a given compliance policy, which of a set of one or more events are required from one or more of the individual log-enabled components in the set of log-enabled components. As a result of the determining step, the master compliance component then configures one or more of the individual log-enabled components, e.g. by generating one or more configuration events that are then sent to the one or more individual components. This configuration may take place remotely, i.e., over a network connection. As a result of the information flow, audit or other logs are then collected from the log-enabled components. The master compliance component evaluates the collected logs to determine compliance with the compliance policy. As necessary, the master compliance component re-configures one or more log-enabled components in the set of log-enabled components to address any compliance issues arising from the evaluation. Thus, once a given compliance policy is specified, typically the individual log-enabled components in the multiple-component environment are not responsible for their own configuration, as that task is undertaken by the master compliance component.

9. Retrieving plain-text passwords from a main registry by a plurality of foreign registries
    Granted invention patent; status: expired

    Publication number: US5862323A

    Publication date: 1999-01-19

    Application number: US557754

    Filing date: 1995-11-13

    CPC classification: G06F21/31 G06F21/46

    Abstract: A network system server that provides password synchronization between a main data store and a plurality of secondary data stores is disclosed. The network system server includes a security server, which is coupled to the main data store; a plurality of clients, which are coupled to the security server for accessing the main data store, wherein each client maintains a unique, modifiable password; a password synchronization server, which is coupled to the security server and the plurality of secondary data stores; and a password repository, which is coupled to the password synchronization server, that stores the passwords. One of the secondary data stores can retrieve the passwords via the password synchronization server so that each client is able to maintain a single, unique password among the plurality of secondary data stores. Password retrieval is instigated by at least one of the plurality of secondary data stores regardless of the current password status of the secondary data stores.


10. Propagating plain-text passwords from a main registry to a plurality of foreign registries
    Granted invention patent; status: expired

    Publication number: US5832211A

    Publication date: 1998-11-03

    Application number: US557755

    Filing date: 1995-11-13

    CPC classification: G06F21/31 G06F21/46

    Abstract: A network system server that provides password synchronization between a main data store and a plurality of secondary data stores is disclosed. The network server further includes a security server, which is coupled to the main data store; a plurality of clients, coupled to the security server for accessing the main data store, wherein each client maintains a unique, modifiable password; and a password synchronization server, coupled to the security server and the plurality of secondary data stores, that provides password propagation synchronization to each of the secondary data stores from a user associated with one of the plurality of clients, so that the user is able to maintain a single, unique password among the plurality of secondary data stores. The password propagation is imposed on the plurality of secondary data stores regardless of the current password status of the secondary data stores.
