Abstract: An embodiment controls access to a resource, the access controlled by a multi-tenant system. Embodiments receive, at a web server, a request for the resource from a user via a web browser, the request including a Uniform Resource Locator (“URL”) associated with the resource and an identity of a tenant corresponding to the user. Embodiments determine an access policy for authenticating the user that is associated with the resource, the access policy based in part on the identity of the tenant. Embodiments then authenticate the user based on the determined access policy.

Abstract: A system for authorizing access to a resource receives a request for an access token that corresponds to the resource, where the request includes user information and application information. The user information includes a role of the user and the application information includes a role of the application. The system evaluates the request by computing scopes for the access token, including determining an intersection between the user information and the application information. The system then provides the access token that includes the computed scopes, the scopes being based at least on the role of the user and the role of the application.

Abstract: Embodiments perform write operations in a multi-tenant cloud system that includes a first data center adapted to authenticate a first plurality of registered clients and located in a first geographic area, and a second data center adapted to authenticate a second plurality of registered clients and located in a second geographic area that is different from the first geographic area. Embodiments receive a request from a first client to perform a first write for a resource at the second data center. Embodiments generate a call to the first data center including a second write for the resource at the first data center. Embodiments retrieve data corresponding to the first write and send the retrieved data to the first data center. Embodiments write on the data based on the first write, the writing on the data including changing the data to generate changed data.

Abstract: Embodiments of a multi-tenant cloud system include a first data center adapted to authenticate a first plurality of registered clients and located in a first geographic area, and a second data center adapted to authenticate a second plurality of registered clients and located in a second geographic area that is different from the first geographic area. The first data center receives a request from a first client of the first plurality of registered clients to access a resource of the second data center and validates the request from the first client and issues a global access token. The second data center receives the request with the global access token. A cloud gate at the second data center, based on the global access token, validates the request and provides the resource to the first client.

Abstract: A system provides cloud-based identity and access management. The system receives a request by a web gate for an identity management service for reaching an application, and determines a tenancy from a header value of the request. The system looks up a policy configured to be applied for the tenancy, and applies the policy to the request. The system then sends the request to a microservice based on a result of the applying of the policy to the request, where the microservice performs the identity management service for reaching the application.

Abstract: Dynamic client registration for an Identity Cloud Service (IDCS) is provided. A service instance client, associated with a service instance, is created in a first tenancy. A template client is created, based on a security blueprint, in a second tenancy. A registration client is created in the first tenancy. A request for a registration access token is received from an installed client application over a network; the request includes an ID of the template client. A user of the installed client application is authenticated using the template client. The registration access token is sent to the installed client application over the network. A request for a client assertion token is received from the installed client application over the network; the request includes the registration access token. The registration access token is authenticated using the template client. The client assertion token is sent to the installed client application over the network.

Abstract: A system provides cloud-based identity and access management. The system receives a request from a client for obtaining an access token for a user to access a resource. The system determines, based on the request, a tenancy of the client, a tenancy of the user, and a tenancy of the resource. The system accesses a microservice based on the request, and performs an identity management service by the microservice based on the request, where the identity management service includes generating the access token that identifies the tenancy of the resource and the tenancy of the user.

Abstract: A high availability (HA) Identity Bridge (IDBridge) between an on-premises Active Directory (AD) and a cloud-based Identity Cloud Service (IDCS) is provided. A connection to an AD, coupled to a first network, is established. A connection to an IDCS, coupled to a second network, is established, the IDCS including a System for Cross-domain Identity Management (SCIM) directory. A plurality of selectable AD OUs are displayed in a GUI, and a selection of one or more OUs is then received. Each member group of the selected OUs is displayed in the GUI, and a selection of one or more member groups of the selected OUs is then received. The users of the selected OUs and the selected member groups of the selected OUs are monitored to identify users and groups that have been added, modified or deleted. The identified users and groups are then synchronized to the SCIM directory.

Abstract: Embodiments implement data versioning in a cloud-based identity management system. Embodiments provide a first microservice for performing an identity management service and having a corresponding first version application programming interface (“API”) that identifies the first microservice. Embodiments provide a second microservice for performing the identity management service, the second microservice comprising a new version of the first microservice and having a corresponding second version API that identifies the second microservice. Embodiments receive a request for performing the identity management service from a client of the identity management system, the request including a uniform resource locator (“URL”), where the first version API or the second version API are identified in the URL. Embodiments then perform the identity management service using either the first microservice or the second microservice based on the request and using tenant data stored in a database.

Abstract: A system provides cloud-based identity and access management. The system receives a request from a client for obtaining an access token for a user to access a resource. The system determines, based on the request, a tenancy of the client, a tenancy of the user, and a tenancy of the resource. The system accesses a microservice based on the request, and performs an identity management service by the microservice based on the request, where the identity management service includes generating the access token that identifies the tenancy of the resource and the tenancy of the user.

Abstract: A system provides cloud-based identity and access management. The system receives a request for performing an identity management service. The request identifies the service and a current version of a microservice. The current version of the microservice is in a first stateless middle tier in a first topology that includes a first web tier. The system performs the identity management service by the current version of the microservice using tenant data stored in a database. The system then determines an upgrade to be applied to the microservice, and deploys a second topology that implements the upgrade. The second topology includes a second web tier and a second stateless middle tier including a new version of the microservice. The system tests the new version of the microservice in the second topology using test data stored in the database, promotes the second topology, and drains and shuts down the first topology.

Abstract: A system provides cloud-based identity and access management. The system receives a request for performing an identity management service, where the request includes a call to an application programming interface (“API”) that identifies the identity management service and a microservice configured to perform the identity management service. The system authenticates the request, accesses the microservice, and performs the identity management service by the microservice.

Abstract: A system provides cloud-based identity and access management. The system receives a request for performing an identity management service, where the request includes a call to an application programming interface (“API”) that identifies the identity management service and a microservice configured to perform the identity management service. The system authenticates the request, accesses the microservice, and performs the identity management service by the microservice.

Abstract: A high availability (HA) Identity Bridge (IDBridge) between an on-premises Active Directory (AD) and a cloud-based Identity Cloud Service (IDCS) is provided. A connection to an AD, coupled to a first network, is established. A connection to an IDCS, coupled to a second network, is established, the IDCS including a System for Cross-domain Identity Management (SCIM) directory. A plurality of selectable AD OUs are displayed in a GUI, and a selection of one or more OUs is then received. Each member group of the selected OUs is displayed in the GUI, and a selection of one or more member groups of the selected OUs is then received. The users of the selected OUs and the selected member groups of the selected OUs are monitored to identify users and groups that have been added, modified or deleted. The identified users and groups are then synchronized to the SCIM directory.

Abstract: A multi-tenant system that provides cloud-based identity management receives a request to execute a job, where the job has a scheduled start time, or a timeframe to complete, that exceeds the validity time of a request access token. The system generates the request access token corresponding to the job, where the request access token has access privileges. The system schedules the job and persists the request access token. The system triggers the job at the scheduled start time and generates a derived access token based on the request access token, where the derived access token includes the access privileges. The system then injects the derived access token during runtime of the job and calls a microservice using the derived access token to execute the job.

Abstract: Embodiments provide cloud-based identity management by receiving a request to perform an identity management service that includes real-time tasks and near-real-time tasks. Embodiments synchronously execute the real-time tasks by accessing at least one microservice using a corresponding application programming interface (“API”). Embodiments asynchronously execute the near-real-time tasks by offloading the near-real-time tasks to one or more message queues.

Abstract: A system provides cloud-based identity and access management. The system receives a request for performing an identity management service. The request identifies the service and a current version of a microservice. The current version of the microservice is in a first stateless middle tier in a first topology that includes a first web tier. The system performs the identity management service by the current version of the microservice using tenant data stored in a database. The system then determines an upgrade to be applied to the microservice, and deploys a second topology that implements the upgrade. The second topology includes a second web tier and a second stateless middle tier including a new version of the microservice. The system tests the new version of the microservice in the second topology using test data stored in the database, promotes the second topology, and drains and shuts down the first topology.

Abstract: A system provides cloud-based identity and access management. The system receives a request for an identity management service, authenticates the request, and forwards the request to a microservice configured to perform the identity management service, where the microservice is implemented by a microservice virtual machine provisioned by a provisioning framework, and the forwarding is according to routing information configured based on metadata information stored in a registry by the provisioning framework. The system then performs the identity management service by the microservice.

Abstract: A system provides cloud-based identity and access management. The system provides a user interface (“UI”) to a tenant of an identity-management service. The system enables diagnostics functionality for the tenant based on a user input received via the UI, where the diagnostics functionality allows for a user in the tenant to configure and receive diagnostics reports related to the identity-management service. The system then receives a request for the identity-management service, accesses a microservice based on the request, performs the identity-management service by the microservice, collects and records diagnostics information during the performing of the identity-management service, and displays the diagnostics information to the user via the UI.

Abstract: A system provides cloud-based identity and access management. The system receives a request to perform an identity management service, and accesses a microservice based on the identity management service. The system determines one or more real-time tasks and one or more near-real-time tasks that are required to be executed to complete the identity management task. The system synchronously executes the one or more real-time tasks by the microservice, and sends the one or more near-real-time tasks to a queue to be asynchronously executed.