Abstract: Approaches of reassigning a home region from a first data center to a second data center as requested by a customer are described herein. The home region is able to implement write operations to a domain, whereas other data centers cannot implement write operations to the domain. The customer can request the home region being reassigned to another data center such that the customer can utilize the other data center to implement write operations to the domain.

Abstract: The present embodiments relate to systems and methods for automatic sign in upon account signup. Particularly, the present embodiments can utilize a federated login approach for automatic sign in upon account signup for a cloud infrastructure. Specifically, the signup and sign in service (also known as SOUP) and an identity provider portal can be configured such that the nodes are aware of each other as Security Assertion Markup Language (SAML) partners. After new account registration, the signup service can redirect the user browser to a cloud infrastructure console to start with a federated login flow, where a sign in service can issue a SAML authentication request, and redirects it to signup service. Responsive to validating the browser using a SAML authentication process, the browser can be automatically signed into the new account and allowed access the account relating to the cloud infrastructure service.

Abstract: The present embodiments relate to systems and methods for automatic sign in upon account signup. Particularly, the present embodiments can utilize a federated login approach for automatic sign in upon account signup for a cloud infrastructure. Specifically, the signup and sign in service (also known as SOUP) and an identity provider portal can be configured such that the nodes are aware of each other as Security Assertion Markup Language (SAML) partners. After new account registration, the signup service can redirect the user browser to a cloud infrastructure console to start with a federated login flow, where a sign in service can issue a SAML authentication request, and redirects it to signup service. Responsive to validating the browser using a SAML authentication process, the browser can be automatically signed into the new account and allowed access the account relating to the cloud infrastructure service.

Abstract: Approaches of reassigning a home region from a first data center to a second data center as requested by a customer are described herein. The home region is able to implement write operations to a domain, whereas other data centers cannot implement write operations to the domain. The customer can request the home region being reassigned to another data center such that the customer can utilize the other data center to implement write operations to the domain.

Abstract: The present embodiments relate to a CI replication service that can replicate domain data from IDCS control plane to data plane and to all subscribed regions of a domain. For instance, the CI replication service can provide replication of required resources of a domain for AuthN and AuthZ from an IDCS local region to other regions for high availability (e.g., to improve latency). The CI replication service can replicate the resources from a domain's home region to all subscribed regions for local availability of data for workloads running in those regions. Further, when a new region is subscribed for a domain, then the service can bootstrap that domain's data from home region before enabling that region for the domain.

Abstract: Techniques are described for enabling resources within a cloud computing system to interact with each other. In certain embodiments, a base identifier assigned to a first resource is extended by mapping the base identifier onto a second identifier assigned to a logical resource that is built upon the first resource. This allows the first resource to have two identities, one identity indicating what the first resource is (e.g., a particular compute instance) and another identity indicating the purpose of the first resource (e.g., operating as a database for a particular tenancy). Consequently, the first resource may be provided with access privileges different from those associated with the base identifier. For example, the first resource may access another resource in the tenancy using the second identifier, but may have no access to the other resource using the base identifier.

Abstract: A cloud-based security solution that provides a robust and secure framework for managing and enforcing security policies related to various resources managed in the cloud is disclosed. The cloud-based security solution is implemented by a security zone policy enforcement system in a cloud service provider infrastructure. The system receives a request to perform an operation on a resource and determines a compartment associated with the resource. The system determines that the compartment is associated with a security zone and determines a set of one or more security zone policies applicable to the resource. The system then determines that the operation on the resource is permitted based on the set of one or more security zone policies and responsive to determining that the operation on the resource is permitted, allows the operation to be performed on the resource.

Abstract: The present embodiments relate to a CI replication service that can replicate domain data from IDCS control plane to data plane and to all subscribed regions of a domain. For instance, the CI replication service can provide replication of required resources of a domain for AuthN and AuthZ from an IDCS local region to other regions for high availability (e.g., to improve latency). The CI replication service can replicate the resources from a domain's home region to all subscribed regions for local availability of data for workloads running in those regions. Further, when a new region is subscribed for a domain, then the service can bootstrap that domain's data from home region before enabling that region for the domain.

Abstract: Techniques are described for enabling resources within a cloud computing system to interact with each other. In certain embodiments, a resource is assigned a digital token that provides certain access privileges for the duration in which the digital token is valid. The digital token permits the resource to have access for a duration sufficient to perform some operation (e.g., run one-time code or the same code periodically on a scheduled basis), but without extending the level of access for significantly longer than necessary to complete the operation. Each time the resource principal is to perform the operation, the token can be reissued to the resource to provide the resource with time-limited access privileges. The use of this short-lived token avoids having to create permanent credentials for the resource.

Abstract: Techniques are described for providing a multi-cloud control plane (MCCP) in a first cloud infrastructure (included in a first cloud environment provided by a first cloud services provider) that enables services and/or resources provided in the first cloud infrastructure to be utilized by users of a second cloud environment. The first cloud infrastructure receives a request from a user associated with an account in the second cloud infrastructure. The request corresponding to using a service provided by the first cloud infrastructure. A tenancy is created for the user in the first cloud infrastructure to enable the user to utilize the service, and a link-resource object is created that includes information linking the tenancy of the user in the first cloud infrastructure to the account of the user in the second cloud infrastructure, the link-resource object enabling the user to utilize the service provided by the first cloud infrastructure.

Abstract: Techniques are described for providing a multi-cloud control plane (MCCP) in a first cloud infrastructure (included in a first cloud environment provided by a first cloud services provider) that enables services and/or resources provided in the first cloud infrastructure to be utilized by users of a second cloud environment. The first cloud infrastructure receives a request from a user associated with an account in the second cloud infrastructure. The request corresponding to using a service provided by the first cloud infrastructure. A tenancy is created for the user in the first cloud infrastructure to enable the user to utilize the service, and a link-resource object is created that includes information linking the tenancy of the user in the first cloud infrastructure to the account of the user in the second cloud infrastructure, the link-resource object enabling the user to utilize the service provided by the first cloud infrastructure.

Abstract: Techniques are described for providing a multi-cloud control plane (MCCP) in a first cloud infrastructure (included in a first cloud environment provided by a first cloud services provider) that enables services and/or resources provided in the first cloud infrastructure to be utilized by users of a second cloud environment. The first cloud infrastructure receives a request from a user associated with an account in the second cloud infrastructure. The request corresponding to using a service provided by the first cloud infrastructure. A tenancy is created for the user in the first cloud infrastructure to enable the user to utilize the service, and a link-resource object is created that includes information linking the tenancy of the user in the first cloud infrastructure to the account of the user in the second cloud infrastructure, the link-resource object enabling the user to utilize the service provided by the first cloud infrastructure.

Abstract: A cloud-based security solution that provides a robust and secure framework for managing and enforcing security policies related to various resources managed in the cloud is disclosed. The cloud-based security solution is implemented by a security zone policy enforcement system in a cloud service provider infrastructure. The system receives a request to perform an operation on a resource and determines a compartment associated with the resource. The system determines that the compartment is associated with a security zone and determines a set of one or more security zone policies applicable to the resource. The system then determines that the operation on the resource is permitted based on the set of one or more security zone policies and responsive to determining that the operation on the resource is permitted, allows the operation to be performed on the resource.

Abstract: A system for providing login to a network of a cloud service provider via more than one region is described herein. For example, the system and approaches may store authentication information in multiple regions allowing for authentication in the multiple regions.

Abstract: Approaches of reassigning a home region from a first data center to a second data center as requested by a customer are described herein. The home region is able to implement write operations to a domain, whereas other data centers cannot implement write operations to the domain. The customer can request the home region being reassigned to another data center such that the customer can utilize the other data center to implement write operations to the domain.

Abstract: An approach of performing data center failover using an address that indicates a backup data center. The address includes common names indicating a data center with a domain and a backup datacenter with a replica of the domain. A cloud service provider can receive the address, establish a connection with an available data center, and failover to the backup data center if the data center with the connection becomes unavailable.

Abstract: An identity management and authorization system (IMAS) receives a request to download an application to a user device associated with a user. The IMAS downloads, to the user device, a template application instance corresponding to the requested application, the template application instance having a reduced functionality than the requested application. The IMAS receives, from the user device, a request to register to the downloaded template.

Abstract: Described herein is a framework for generating an integrated identity and access management (IAM) system from a first IAM system and a second IAM system that is different than the first IAM system. The integrated IAM system is generated by: (i) creating a domain in a customer tenancy associated with the first IAM system, and (ii) embedding an identity provider of the second IAM system within the domain. The integrated IAM system receives a request from a user to perform an operation with respect to resource associated with the second IAM system. Upon the user being successfully authenticated by the integrated IAM system, the request is executed.

Abstract: Techniques are provided for granting an application of a first type of identity system, which uses a first type of identity token, access to a second type of identity system, which uses a second type of identity token. An application can make a request to a token exchange system. The request can include a bearer token and a public key of the application. The token exchange system can exchange the bearer token for a Proof-of-Possession token after performing verification steps. A token exchange system can exchange the first token (e.g., bearer token) for the first identity system for the second token (e.g., Proof-of-Possession token) for the second identity system without requiring entry of credentials to access the second identity system.

Abstract: Systems and methods for single sign-on between two independent systems are disclosed herein. The method can include receiving a request to access a first application of a first system having a first login protocol. The method can include receiving user login credentials and authenticating the user login credentials. The method can include logging the user in to the first system and a second system based on the received login credentials. The second system can have a second login protocol independent of the first login protocol.