Abstract: Embodiments described herein are directed to the registration of the same domain with different cloud services networks. For example, systems and methods described herein enable registering a domain in a cloud services network wherein the same domain is also concurrently registered in another cloud services network. Systems and methods described herein further enable selecting one of a plurality of cloud-based identity providers to process a request to authenticate a user associated with a domain that is registered in more than one cloud services network and generating an authentication response in accordance with the selection. Systems and methods described herein also enable the federation of user authentication requests from different cloud services networks to the same enterprise identity provider.

Abstract: Embodiments described herein are directed to the registration of the same domain with different cloud services networks. For example, systems and methods described herein enable registering a domain in a cloud services network wherein the same domain is also concurrently registered in another cloud services network. Systems and methods described herein further enable selecting one of a plurality of cloud-based identity providers to process a request to authenticate a user associated with a domain that is registered in more than one cloud services network and generating an authentication response in accordance with the selection. Systems and methods described herein also enable the federation of user authentication requests from different cloud services networks to the same enterprise identity provider.

Abstract: Embodiments disclosed herein extend to the use of external access objects in a multi-tenant environment. First and second tenants contract for operations that users of the second tenant will perform in the first tenant. Identity criteria for the users are determined. These users are mapped to an external access object that represents the second tenant users when performing the operations in the first tenant. The external access object is also associated with the resources and/or data that the users of the second tenant will be allowed access to when performing the operations. The users of the second tenant provide a request for access to the resources and/or data to perform operations. Identity criteria are determined and the users are mapped to an external access object based on the identity criteria. It is determined if the user has permission to access the resources and/or data and perform the operations.

Abstract: Embodiments disclosed herein extend to the use of administrative roles in a multi-tenant environment. The administrative roles define administrative tasks defining privileged operations that may be performed on the resources or data of a particular tenant. In some embodiments, the administrative tasks are a subset of administrative tasks. The administrative role also defines target objects which may be subjected to the administrative tasks. In some embodiments, the target objects are a subset of target objects. An administrator may associate a user or group of users of the particular tenant with a given administrative role. In this way, the user or group of users are delegated permission to perform the subset of administrative tasks on the subset of target objects without having to be given permission to perform all administrative tasks on all target objects.

Abstract: Embodiments disclosed herein extend to the use of external access objects in a multi-tenant environment. First and second tenants contract for operations that users of the second tenant will perform in the first tenant. Identity criteria for the users are determined. These users are mapped to an external access object that represents the second tenant users when performing the operations in the first tenant. The external access object is also associated with the resources and/or data that the users of the second tenant will be allowed access to when performing the operations. The users of the second tenant provide a request for access to the resources and/or data to perform operations. Identity criteria are determined and the users are mapped to an external access object based on the identity criteria. It is determined if the user has permission to access the resources and/or data and perform the operations.

Abstract: In one embodiment, a client computer system receives user credentials from a computer user. The client computer system formulates a system identifier that uniquely identifies the system, and sends the received user credentials with the system identifier to an authentication service running on a datacenter server. The authentication service is configured to authenticate the user credentials and generate an authentication certificate based on the user credentials and the system identifier. The client computer system receives the generated authentication certificate from the authentication service and stores the received authentication certificate.