Abstract: A method for facilitating identity and access management in a cloud environment based on a zero-trust configuration is provided. The method includes retrieving, via a job, a token from a corresponding identity provider, the job including a unit of work and a unit of execution that corresponds to a change; retrieving, via the job, a change authorization from a change management system, the change authorization including a signed change authorization; retrieving, via the job, a change artifact from an artifact repository, the change artifact including a signed change artifact; requesting, via the job, a change orchestrator to execute the change, the request including the token, the change authorization, and the change artifact; instructing, via the change orchestrator, a service broker to execute the change; and executing, via the service broker, the change within the cloud environment.

Abstract: A method for facilitating a provision of a certificate that securely verifies an identification of an application is provided. The method includes: validating a bootstrap identity that identifies the application at a time of invocation; generating a first token that is signed with a first private key and transmitting the signed first token to the application; receiving, from an external server, a request for a public key to be used for verifying the first private key; and transmitting the requested public key to the external server in order to prompt the external server to provide the certificate to the application. When prompted to provide the certificate to the application, the external server generates a second token that is signed with a second private key and transmits the certificate in conjunction with the signed second token to the application. The private keys are never shared with the application.

Abstract: A method for validating an access request with respect to an application is provided. The method includes: receiving an access request from a user with respect to an application; retrieving, from a memory, group identification information that relates to at least one group to which the user belongs; retrieving, from the memory, scope information that indicates qualifications and/or characteristics of a relationship between the user and the at least one group; and generating a token that notifies the application of the group identification information and the scope information, and is usable by the application for validating the access request. The method may be implemented in an Active Directory Federation Services (AD FS) environment.

Abstract: A method for facilitating a provision of a certificate that securely verifies an identification of an application is provided. The method includes: validating a bootstrap identity that identifies the application at a time of invocation; generating a first token that is signed with a first private key and transmitting the signed first token to the application; receiving, from an external server, a request for a public key to be used for verifying the first private key; and transmitting the requested public key to the external server in order to prompt the external server to provide the certificate to the application. When prompted to provide the certificate to the application, the external server generates a second token that is signed with a second private key and transmits the certificate in conjunction with the signed second token to the application. The private keys are never shared with the application.