Abstract: Embodiments of the disclosure include systems and methods for secure storage and/or retrieval of customer secrets by, e.g., a cloud services provider. According to methods, secret data that is to be securely stored may be transmitted, along with an initialization vector, to an encryption service for encryption using a private key stored on in a remote key vault. The encrypted data can be returned and stored, in its encrypted form, in a secure storage along with the initialization vector data. To retrieve the securely stored data, embodiments disclose retrieving the encrypted form of the data and transmitting it, along with its related initialization vector data, to the encryption service for decryption using the private key stored in the remote key vault. The decrypted data can then be made available to a requesting product service.

Abstract: A principal database is described in which each entry includes one principal identity, and one or more alias identities that may each have an authorization scope. Principal identity attributes include a principal identifier and login credentials, and alias identity attributes include an authorization scope and login credentials. Responsive to successfully authenticating the user for a first application (a multiple-identity application), based on the alias identity login credentials, an access token containing both the alias identity attributes and the principal identity attributes is transmitted to the first application, causing the first application to grant a scope of access based on the authorization scope. Responsive to a request to authenticate the user for a second application (a single-identity application), the access token is transmitted to the second application without re-authenticating the user, causing the second application to grant a scope of access based on the principal identifier.

Abstract: Embodiments of the disclosure include systems and methods for secure storage and/or retrieval of customer secrets by, e.g., a cloud services provider. According to methods, secret data that is to be securely stored may be transmitted, along with an initialization vector, to an encryption service for encryption using a private key stored on in a remote key vault. The encrypted data can be returned and stored, in its encrypted form, in a secure storage along with the initialization vector data. To retrieve the securely stored data, embodiments disclose retrieving the encrypted form of the data and transmitting it, along with its related initialization vector data, to the encryption service for decryption using the private key stored in the remote key vault. The decrypted data can then be made available to a requesting product service.

Abstract: A computing device may include a memory and a processor configured to cooperate with the memory to receive data from browsers of client devices configured to remotely access different Web applications through the browsers, with the data being indicative of user actions performed within the different Web applications. The processor may also be configured to cooperate with the memory to generate a data structure separately from the different Web applications based upon the received data, determine an action to perform based upon the data structure, and perform the determined action.

Abstract: Methods and systems for authentication using multiple identity providers are described herein. A first identity provider may receive, e.g., from a second identity provider, an indication of an authentication request. The first identity provider may retrieve, from a storage device, session information associated with the request. The first identity provider may authenticate, using one or more first functions, based on the session information, and based on authentication credentials received from a user, the user. Based on the authentication, the first identity provider may modify the session information. The second identity provider may authenticate, based on the session information and using one or more second functions, the user. The one or more second functions may comprise providing the user a token based on the session information. The session information may be subsequently deleted.

Abstract: A computer system includes client devices operated by users collaborating on a project, and a collaboration server. Each client device remotely accesses web applications via a managed browser to be used by the users collaborating on the project. The collaboration server cooperates with the managed browsers to receive from the managed browsers data corresponding to actions performed by each user within the web applications, generate notifications based on the actions performed by the users within the web applications, and cause the managed browsers to display the notifications. The notifications are generated independent from the web applications.

Abstract: A technique involves normalizing identification of users (e.g., different customer organizations) across disparate local systems (e.g., different electronic platforms that provide different products and/or services). Such normalization of user identification enables a provider to accurately ascertain a particular user of multiple disparate local systems even when the multiple disparate local systems identify that user using different identification schemes. Accordingly, the provider is able to offer enhanced support to that user across the multiple disparate local systems. For example, with such normalization of user identification, the provider may employ a single authentication system across the various local systems thus enabling the user to authenticate via the same authentication process regardless of which local system the user attempts to access.

Abstract: Methods and devices for searching and aggregating data in a distributed cloud computing environment are provided. In some embodiments, a request from a client to perform a data transaction is received by a first server. The first server simultaneously spawns a plurality of threads, each thread sending to a different server of a plurality of servers the request to perform the data transaction. A response indicating whether the data transaction was performed by the server is received by the first server and from each server of the plurality of servers. In response to an indication that the data transaction was performed by one or more servers of the plurality of servers and when the data transaction is a get transaction: data corresponding to the data transaction is received by the first server and from the one more servers, the data received from the one or more servers is aggregated by the first server to form combined data, and the first server sends the combined data to the client.

Abstract: A technique involves normalizing identification of users (e.g., different customer organizations) across disparate local systems (e.g., different electronic platforms that provide different products and/or services). Such normalization of user identification enables a provider to accurately ascertain a particular user of multiple disparate local systems even when the multiple disparate local systems identify that user using different identification schemes. Accordingly, the provider is able to offer enhanced support to that user across the multiple disparate local systems. For example, with such normalization of user identification, the provider may employ a single authentication system across the various local systems thus enabling the user to authenticate via the same authentication process regardless of which local system the user attempts to access.

Abstract: The embodiments are directed to methods and devices for creating one or more network groups. The methods and devices can define a network group with one or more properties. The methods and devices can identify a plurality of isolated networks, and can assign the plurality of isolated networks to the defined network group. The methods and devices can assign machines to at least one of the plurality of isolated networks, wherein the network group enables unrestricted routing.

Abstract: Methods and systems for routing a user request for a service to a version of the service in a geographical region associated with the user are described herein. The service may be deployed in multiple geographical regions, and the service may have multiple versions in each of the geographical regions. A user device may send a request for a service to a first server in a geographical region. The first server may determine whether the user is associated with the geographical region. Responsive to determining that the user is not associated with the geographical region, the first server may ask one or more servers in other geographical regions whether the user is associated with any of the other geographical regions.

Abstract: Aspects of the disclosure relate to extending single-sign-on to relying parties for federated logon providers. An enterprise identity provider server may receive a first authentication token previously issued to an enterprise server by the enterprise identity provider server. Subsequently, the enterprise identity provider server may retrieve, from a token store, a second authentication token associated with a federated identity service provided by a federated identity provider server. The enterprise identity provider server may refresh the second authentication token with the federated identity service provided by the federated identity provider server to obtain a refreshed authentication token. Finally, the enterprise identity provider server may send the refreshed authentication token to the enterprise server, which may enable user devices managed by the enterprise server to access one or more resources provided by a third party system using the federated identity service.

Abstract: Methods and systems for routing a user request for a service to a version of the service in a geographical region associated with the user are described herein. The service may be deployed in multiple geographical regions, and the service may have multiple versions in each of the geographical regions. A user device may send a request for a service to a first server in a geographical region. The first server may determine whether the user is associated with the geographical region. Responsive to determining that the user is not associated with the geographical region, the first server may ask one or more servers in other geographical regions whether the user is associated with any of the other geographical regions.

Abstract: Aspects of the disclosure relate to extending single-sign-on to relying parties for federated logon providers. An enterprise identity provider server may receive a first authentication token previously issued to an enterprise server by the enterprise identity provider server. Subsequently, the enterprise identity provider server may retrieve, from a token store, a second authentication token associated with a federated identity service provided by a federated identity provider server. The enterprise identity provider server may refresh the second authentication token with the federated identity service provided by the federated identity provider server to obtain a refreshed authentication token. Finally, the enterprise identity provider server may send the refreshed authentication token to the enterprise server, which may enable user devices managed by the enterprise server to access one or more resources provided by a third party system using the federated identity service.

Abstract: Technology for providing communication connectivity between network entities located in different isolated communication networks through a centralized cloud service. A cloud service connector in a source communication network receives an initial connection request from a source end point device in the source communication network, and determines a customer name and requested service associated with the port number indicated in the request. Mappings are established between the source end point device and a destination end point device that provides the requested service from within a destination communication network that is associated with the customer name.

Abstract: Methods and systems for performing multi-geographical processing of user requests are described herein. An order service computing device may receive a user request associated with a user and, based on the user request, may generate a user account associated with the user. The order service computing device may establish the user account at a geographic computing platform which may provide access to one or more computing resources and/or services. The order service computing device may receive one or more access requests corresponding to one or more computing resources and/or services associated with the geographic computing platform and/or other geographic computing platforms. The order service computing device may generate identifiers based on the one or more access requests which identify the one or more computing resources and/or services.

Abstract: A principal database is described in which each entry includes one principal identity, and one or more alias identities that may each have an authorization scope. Principal identity attributes include a principal identifier and login credentials, and alias identity attributes include an authorization scope and login credentials. Responsive to successfully authenticating the user for a first application (a multiple-identity application), based on the alias identity login credentials, an access token containing both the alias identity attributes and the principal identity attributes is transmitted to the first application, causing the first application to grant a scope of access based on the authorization scope. Responsive to a request to authenticate the user for a second application (a single-identity application), the access token is transmitted to the second application without re-authenticating the user, causing the second application to grant a scope of access based on the principal identifier.

Abstract: Embodiments of the disclosure include systems and methods for secure storage and/or retrieval of customer secrets by, e.g., a cloud services provider. According to methods, secret data that is to be securely stored may be transmitted, along with an initialization vector, to an encryption service for encryption using a private key stored on in a remote key vault. The encrypted data can be returned and stored, in its encrypted form, in a secure storage along with the initialization vector data. To retrieve the securely stored data, embodiments disclose retrieving the encrypted form of the data and transmitting it, along with its related initialization vector data, to the encryption service for decryption using the private key stored in the remote key vault. The decrypted data can then be made available to a requesting product service.

Abstract: A principal database is described in which each entry includes one principal identity, and one or more alias identities that may each have an authorization scope. Principal identity attributes include a principal identifier and login credentials, and alias identity attributes include an authorization scope and login credentials. Responsive to successfully authenticating the user for a first application (a multiple-identity application), based on the alias identity login credentials, an access token containing both the alias identity attributes and the principal identity attributes is transmitted to the first application, causing the first application to grant a scope of access based on the authorization scope. Responsive to a request to authenticate the user for a second application (a single-identity application), the access token is transmitted to the second application without re-authenticating the user, causing the second application to grant a scope of access based on the principal identifier.

Abstract: Embodiments of the disclosure include systems and methods for secure storage and/or retrieval of customer secrets by, e.g., a cloud services provider. According to methods, secret data that is to be securely stored may be transmitted, along with an initialization vector, to an encryption service for encryption using a private key stored on in a remote key vault. The encrypted data can be returned and stored, in its encrypted form, in a secure storage along with the initialization vector data. To retrieve the securely stored data, embodiments disclose retrieving the encrypted form of the data and transmitting it, along with its related initialization vector data, to the encryption service for decryption using the private key stored in the remote key vault. The decrypted data can then be made available to a requesting product service.