Patent classifications
H04L63/0815
AUTHENTICATION DEVICE AND AUTHENTICATION METHOD FOR SINGLE SIGN-ON
An authentication device includes an authentication unit, a history information generator and a communication unit. The authentication unit executes, when a user terminal accesses a service provider system, an authentication process based on an authentication request that includes a description pertaining to an authentication condition and an authentication method that correspond to the service provider system. The history information generator generates history information. The history information includes information indicating whether the authentication condition is satisfied and information indicating a result of executing the authentication process by using the authentication method. The communication unit transmits the history information to the user terminal.
Setting application permissions in a cloud computing environment
Application permissions can be set in a cloud computing environment based on a user's authorization level in the cloud computing environment. For example, a system can determine that a user has a particular authorization level in a cloud computing environment. The system can determine that the user is to have particular permissions for a continuous integration tool by mapping the particular authorization level to the particular permissions. The system can then set a permission setting for the continuous integration tool to limit the user to the particular permissions.
CO-BRANDED SINGLE SIGN-ON SERVICE WITH SIGN-ON TRACKING
Techniques are described for providing customizable sign-on functionality, such as via an access manager system that provides single sign-on functionality and other functionality to other services for use with those services’ users. The access manager system may maintain various sign-on and other account information for various users, and provide single sign-on functionality for those users using that maintained information on behalf of multiple unrelated services with which those users interact. The access manager may allow a variety of types of customizations to single sign-on functionality and/or other functionality available from the access manager, such as on a per-service basis via configuration by an operator of the service, such as co-branding customizations, customizations of information to be gathered from users, customizations of authority that may be delegated to other services to act on behalf of users, etc., and with the customizations that are available being determined specifically for that service.
DYNAMIC SECURE KEYBOARD RESOURCE OBTAINING INTERFACE DEFINITIONS FOR SECURE AD-HOC CONTROL OF A TARGET DEVICE IN A SECURE PEER-TO-PEER DATA NETWORK
A secure executable container executed by an endpoint device establishes a two-way trusted relationship in a secure peer-to-peer data network with a user entity, generates an endpoint identifier for the endpoint device in the secure peer-to-peer data network, and associates the endpoint device with a federation identifier identifying the user entity in the secure peer-to-peer data network. The secure executable container also: establishes a two-way trusted relationship between the endpoint device and a target network device; securely obtains, via the secure peer-to-peer data network, a user interface element definition describing a user interface element executable by the target network device; and supplies the user interface element definition to a secure keyboard resource executed in the endpoint device, causing the secure keyboard resource to generate a local representation of the user interface element for control of the target network device via the secure keyboard resource.
SECURE AD-HOC DEPLOYMENT OF IoT DEVICES IN A SECURE PEER-TO-PEER DATA NETWORK
A secure executable container executed by a network device establishes a two-way trusted relationship in a secure peer-to-peer data network with a network entity, generates a secure key for the network device in the secure peer-to-peer data network, and associates the endpoint device with a federation identifier identifying the user entity in the secure peer-to-peer data network. The secure executable container also: establishes a two-way trusted relationship between the network device and a target network device; obtains, based on the two-way trusted relationship, cohort interface element definition describing commands executable by the target network device; and generates a data object identifying a selected command from the commands and identifying an identifier for the target network device as a subscriber to the data object, causing the target network device to securely retrieve and execute the selected command.
Information processing apparatus, information processing system, and non-transitory computer readable medium storing program
An information processing apparatus includes a processor configured to request a management apparatus for user authentication to acquire second credential information that is used for acquiring first credential information that is used for a Web service, the second credential information indicating that a user has been authenticated, receive the second credential information transmitted from the management apparatus in a case where the user authentication is successful by the management apparatus, transmit the received second credential information to an authentication server, receive the first credential information transmitted from the authentication server in response to the transmission of the second credential information, and use the Web service by using the received first credential information.
Systems and methods for controlling sign-on to web applications
The described technology provides a single sign-on capability so that a user who is already signed on to a web application from a client application may not be required to sign on again when he/she later needs access to the web application from the same or another client application. The technology also provides a multiple-login prevention capability to detect multiple sign-on events that use the same credentials and to disable one or more of the associated multiple sessions.
Extending single-sign-on to relying parties of federated logon providers
Aspects of the disclosure relate to extending single-sign-on to relying parties for federated logon providers. An enterprise identity provider server may receive a first authentication token previously issued to an enterprise server by the enterprise identity provider server. Subsequently, the enterprise identity provider server may retrieve, from a token store, a second authentication token associated with a federated identity service provided by a federated identity provider server. The enterprise identity provider server may refresh the second authentication token with the federated identity service provided by the federated identity provider server to obtain a refreshed authentication token. Finally, the enterprise identity provider server may send the refreshed authentication token to the enterprise server, which may enable user devices managed by the enterprise server to access one or more resources provided by a third party system using the federated identity service.
Self-owned authentication and identity framework
A user, using a user-computing device connected to a computer network, is authenticated to access a computing resource managed by a system on the computer network. The user computing device presents a user interface to prompt the user to input a value for each of a set of user-defined credentials that the user has previously defined for a SAIF server to authenticate the user to access the computer resource, thereby forming a set of input values. Modified values, each generated from and representing a corresponding one of the input values, are transmitted and validated by comparing them with corresponding modified forms of user-defined credential values stored in a memory, thereby determining whether the user is authenticated to access the computing resource on the system.
Systems and methods for integration of electronic information cards into a client application
Methods, systems, and apparatus, including computer programs stored on computer-readable media, for integrating electronic card display at a client via a software development kit (SDK) provided at one or more data servers are disclosed. A client-side application such as a web browser may request the SDK based on a code snippet included in a data file, such as a HyperText Markup Language (HTML) file for a web page. Once the SDK is received at the client, the client-side application may perform various functionalities enabled by the SDK, including determining terms in the data file that match keywords associated with electronic cards, requesting and receiving electronic card rendering data associated with the electronic cards, and modifying a display generated based on the data file to display an electronic card, upon detecting a trigger event in relation to a term within the web page that corresponds to the electronic card.