Abstract: Provisioning a user account. A method includes, at a local entity contacting an identity system to begin user account provisioning. The method further includes receiving from the identity system a correlating factor related to a verification code sent to the user from the identity system. The method further includes receiving from the user, profile information entered into the local entity, where the profile information is to be stored in the user account. The method further includes receiving from the user the verification code corresponding to the correlating factor. The method further includes sending the correlating factor, user entered verification code and the user entered profile information to the identity system, where the identity system determines that the verification code properly correlates to the correlating factor, and as a result provisions the user account and stores the profile information in the user account.

Abstract: A method and system performed by a computing system for signing in using personal identifiers input via a sign-in portal that supports multiple tenants is provided. The system receives a sign-in request for a user that includes a personal identifier. The personal identifier uniquely identifies a person but does not include an identification of a tenant. The system performs a verification based on the personal identifier to authenticate the user. The system identifies, from a mapping, a tenant to which the personal identifier is mapped. The mapping maps personal identifiers of users to tenants. The system retrieves, from a user store for the tenant, user information relating to the user. The system then creates a security token based on the user information. If verification of the user was successful, the system sends the security token to the sign-in portal as evidence that the user has been authenticated.

Abstract: Described technologies enhance cybersecurity and facilitate computing system account usage by configuring a primary account and a supplementary account together in a security configuration lifecycle. The primary account user may be a parent or other adult, while the supplementary account user may be a child or other person with less capacity than the primary user. Over time, the accounts may transition together through security configurations to give more capabilities to the supplementary user, e.g., login separate from the primary user, and to reduce the control of the primary user over the supplementary account. Security configuration lifecycle stages are implemented, e.g., using capability-security pair data structures and account security configuration code. Despite the security configuration linkage of the accounts, each account may have its own personalized content and its own recommendation history.

Abstract: A system for creating an account with an identity provider. The system receives a request to create an identity provider account with the identity provider for use in logging onto a third-party system. The system generates one or more display pages for providing an integrated-consent user experience. The integrated-consent user experience includes a display page for collecting both new-account information and scope-of-consent information whereby a user consents to share information with the third-party system. After the user provides the new-account information that includes user credentials for the identity provider account and consents to share account information of the identity provider account with the third-party system, the system creates the identity provider account for the user.

Abstract: Allowing an entity managed device to access a tenant associated with the e on a public cloud service while preventing the device from accessing one or more other tenants on the cloud service. A method includes, at the cloud service, obtaining policy from the entity with respect to tenant access. The method further includes, at the cloud service, receiving a request from the entity managed device to access a tenant at the cloud service. The method further includes granting or denying the access request based on the policy obtained from the entity.

Abstract: A sign-in system can be protected against enumeration attacks while providing an improved sign-in experience for legitimate users by disclosing whether or not an account exists. An account within a specified domain can be identified by an account identifier such as a username. Before a threshold throttling value is reached, account existence/non-existence information can be provided in response to an access request. In response to reaching or exceeding a specified threshold throttling value, account existence/non-existence information can cease to be provided. Entering a valid account identifier/authenticating credential credentials pair provides access to the computer system regardless of whether or not the threshold was reached or exceeded or not reached.

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for training neural networks. In one aspect, a system includes a neural network shrinking engine that is configured to receive a neural network being trained and generate a reduced neural network by a shrinking process. The shrinking process includes training the neural network based on a shrinking engine loss function that includes terms penalizing active neurons of the neural network and removing inactive neurons from the neural network. The system includes a neural network expansion engine that is configured to receive the neural network being trained and generate an expanded neural network by an expansion process including adding new neurons to the neural network and training the neural network based on an expanding engine loss function. The system includes a training subsystem that generates reduced neural networks and expanded neural networks.

Abstract: A method and system for controlling casting to a media renderer is provided. A casting control system receives from a requesting device a request to cast media to the media renderer. In response to receiving the request, the casting control system identifies a gatekeeper for the media renderer and notifies the gatekeeper that a request has been received to cast media to the media renderer. After the casting control system receives from the gatekeeper an indication to grant or deny the request, the casting control system allows or denies the casting of the media to the media renderer.

Abstract: The automatic selection of an identity provider to be used to authenticate users when requesting to access network resources for a tenant. The authentication is initiated by checking the username against the directory of the tenant. If that check results in finding an entry for the username in that directory, the entry is checked for an identity provider. If that check results in finding an identity provider, the user is directed to that found identity provider for authentication. Thus, in many, most, or all cases, an identity provider is found and selected for authentication of the user without the user having to manually select the identity provider. The username may be an internal user of an entity. The selection of the identity provider works in either case since there would still be an entry for that user in the directory of the tenant.

Abstract: A system of a primary cloud for signing in users is provided. The system receives a sign-in request for a user that includes a personal identifier (e.g., phone number). The system performs a verification based on the personal identifier to authenticate the user. The system identifies, from a mapping, an entity to which the personal identifier is mapped. When the entity is associated with an external cloud, the system sends a sign-in request to the external cloud for authentication by the external cloud. When the entity is associated with an internal tenant, the system retrieves user information relating to the user and creates a security token based on the user information. If verification of the user was successful, the system sends the security token to the sign-in portal as evidence that the user has been authenticated.

Abstract: A method and system performed by a computing system for signing in using personal identifiers input via a sign-in portal that supports multiple tenants is provided. The system receives a sign-in request for a user that includes a personal identifier. The personal identifier uniquely identifies a person but does not include an identification of a tenant. The system performs a verification based on the personal identifier to authenticate the user. The system identifies, from a mapping, a tenant to which the personal identifier is mapped. The mapping maps personal identifiers of users to tenants. The system retrieves, from a user store for the tenant, user information relating to the user. The system then creates a security token based on the user information. If verification of the user was successful, the system sends the security token to the sign-in portal as evidence that the user has been authenticated.

Abstract: Embodiments are directed to revoking user sessions using signaling. In one scenario, an identity platform operating on a computer system receives an indication indicating that a user's login account has been compromised, where the user's login account has an associated login session and corresponding session artifact that is valid for a specified amount of time. The identity platform generates a signal indicating that the login session is no longer trusted and that the user is to be re-directed to the identity platform to re-authenticate and renew the session artifact and provides the generated signal to various relying parties including at least one relying party that is hosting the login session for the user.

Abstract: An identity provider IP service provides an optimized sign out experience for a user accessing a single account service. The IP service designates a first account of a service as signed in based on first credentials provided by a user. The IP service provides a first security token for the first account to the service. Upon receiving a first sign out notification, the IP service determines whether the user wants to switch to a second account of the service. Upon determining that the user wants to switch to the second account, the IP service designates the second account as signed in based on second credentials provided by the user, provides a second security token for the second account to the service, and designates the first account as soft signed out so that the user can switch to the first account without re-providing the first credentials.

Abstract: A system for creating an account with an identity provider. The system receives a request to create an identity provider account with the identity provider for use in logging onto a third-party system. The system generates one or more display pages for providing an integrated-consent user experience. The integrated-consent user experience includes a display page for collecting both new-account information and scope-of-consent information whereby a user consents to share information with the third-party system. After the user provides the new-account information that includes user credentials for the identity provider account and consents to share account information of the identity provider account with the third-party system, the system creates the identity provider account for the user.

Abstract: Embodiments are directed to revoking user sessions using signaling. In one scenario, an identity platform operating on a computer system receives an indication indicating that a user's login account has been compromised, where the user's login account has an associated login session and corresponding session artifact that is valid for a specified amount of time. The identity platform generates a signal indicating that the login session is no longer trusted and that the user is to be re-directed to the identity platform to re-authenticate and renew the session artifact and provides the generated signal to various relying parties including at least one relying party that is hosting the login session for the user.

Abstract: A method and system for controlling casting to a media renderer is provided. A casting control system receives from a requesting device a request to cast media to the media renderer. In response to receiving the request, the casting control system identifies a gatekeeper for the media renderer and notifies the gatekeeper that a request has been received to cast media to the media renderer. After the casting control system receives from the gatekeeper an indication to grant or deny the request, the casting control system allows or denies the casting of the media to the media renderer.

Abstract: Embodiments are directed to revoking user sessions using signaling. In one scenario, an identity platform operating on a computer system receives an indication indicating that a user's login account has been compromised, where the user's login account has an associated login session and corresponding session artifact that is valid for a specified amount of time. The identity platform generates a signal indicating that the login session is no longer trusted and that the user is to be re-directed to the identity platform to re-authenticate and renew the session artifact and provides the generated signal to various relying parties including at least one relying party that is hosting the login session for the user.

Abstract: Provisioning a user account. A method includes, at a local entity contacting an identity system to begin user account provisioning. The method further includes receiving from the identity system a correlating factor related to a verification code sent to the user from the identity system. The method further includes receiving from the user, profile information entered into the local entity, where the profile information is to be stored in the user account. The method further includes receiving from the user the verification code corresponding to the correlating factor. The method further includes sending the correlating factor, user entered verification code and the user entered profile information to the identity system, where the identity system determines that the verification code properly correlates to the correlating factor, and as a result provisions the user account and stores the profile information in the user account.

Abstract: Allowing an entity managed device to access a tenant associated with the e on a public cloud service while preventing the device from accessing one or more other tenants on the cloud service. A method includes, at the cloud service, obtaining policy from the entity with respect to tenant access. The method further includes, at the cloud service, receiving a request from the entity managed device to access a tenant at the cloud service. The method further includes granting or denying the access request based on the policy obtained from the entity.

Abstract: Embodiments are directed to revoking user sessions using signaling. In one scenario, an identity platform operating on a computer system receives an indication indicating that a user's login account has been compromised, where the user's login account has an associated login session and corresponding session artifact that is valid for a specified amount of time. The identity platform generates a signal indicating that the login session is no longer trusted and that the user is to be re-directed to the identity platform to re-authenticate and renew the session artifact and provides the generated signal to various relying parties including at least one relying party that is hosting the login session for the user.