Abstract: A settings management system in a remote server environment generates user interface displays with settings management user input mechanisms, and detects actuation of those user input mechanisms. Settings configuration metadata is generated, for a given setting, based upon the detected actuation. The settings metadata is output for access by a plurality of different, heterogeneous, computing environments, and the settings metadata is consistent across all of those environments.

Abstract: Technologies are disclosed for resource mapping during URL changes in multi-tenant distributed computing systems. The distributed computing system may resolve a URL by using a tenant and/or site name extracted from the URL to retrieve an entry in a site map table. The entry includes an address to a database that contains the requested content. After a tenant or site name has been changed, or if the tenant or site have been moved, the distributed computing system will resolve pre-existing URLs to the old entry, resulting in a file not found error. In some embodiments, during an operation that changes a tenant or site name, a redirect URL containing the new tenant and/or site name is added to the old entry. When a request addressed to a URL containing the old tenant and/or site names is received, the distributed system sends a redirect response that includes the redirect URL.

Abstract: The techniques disclosed herein enable applications to seamlessly consume cloud-based services while minimizing exposure to security vulnerabilities. Specifically, an application is enabled to access a cloud service on behalf of a user without the user's active user token. Access is granted in a way that does not also grant access to any other user's cloud service. In some configurations, during an active user session, an artifact token is generated that caches the user's permissions. The artifact token may later be redeemed to gain access to the user's cloud service. For example, an application may request that a cloud service generate an artifact token. The request may be in response to a user scheduling the application to perform a task that depends on the cloud service. When the scheduled task is performed, the application may redeem the artifact token to access the user's cloud service.

Abstract: A data processing system for controlling data access to a secured resource of a distributed system implements receiving, from a first user device of a first user, a first request to access a secured resource and a first security token, the first security token including group information for one or more first access control groups associated with the secured resource of which the first user is a member; accessing group access policy information for groups associated with the secured resource; determining, based on the group information included in the first security token and the group access policy information, that the first user is a member of at least one group that is permitted to access the secured resource; and permitting the first user device of the user to access the secured resource responsive to determining that the first user is a member of at least one group that is permitted to access the secured resource.

Abstract: Operation requests received from a tenant are added to a tenant-specific queue. A tenant scheduling work item is added to an execution queue that is shared with oilier tenants. When the tenant scheduling work item is executed, it copies up to a defined number of scheduled operations from the tenant-specific queue to the execution queue. The tenant-scheduling work item then re-adds itself to the execution queue. While the operations are executed and before the tenant scheduling work item is executed again, other tenants have an opportunity to queue their own operations. The tenant scheduling work item selects scheduled operations from the tenant-specific queue in the order they were originally requested until one of several conditions is met. Conditions may be based on how many operations are in progress, what kind of operations are in progress, and/or dependencies between operations of different types.

Abstract: Technologies are disclosed for resource mapping during URL changes in multi-tenant distributed computing systems. The distributed computing system may resolve a URL by using a tenant and/or site name extracted from the URL to retrieve an entry in a site map table. The entry includes an address to a database that contains the requested content. After a tenant or site name has been changed, or if the tenant or site have been moved, the distributed computing system will resolve pre-existing URLs to the old entry, resulting in a file not found error. In some embodiments, during an operation that changes a tenant or site name, a redirect URL containing the new tenant and/or site name is added to the old entry. When a request addressed to a URL containing the old tenant and/or site names is received, the distributed system sends a redirect response that includes the redirect URL.

Abstract: A settings management system in a remote server environment generates user interface displays with settings management user input mechanisms, and detects actuation of those user input mechanisms. Settings configuration metadata is generated, for a given setting, based upon the detected actuation. The settings metadata is output for access by a plurality of different, heterogeneous, computing environments, and the settings metadata is consistent across all of those environments.

Abstract: A settings management system in a remote server environment generates user interface displays with settings management user input mechanisms, and detects actuation of those user input mechanisms. Settings configuration metadata is generated, for a given setting, based upon the detected actuation. The settings metadata is output for access by a plurality of different, heterogeneous, computing environments, and the settings metadata is consistent across all of those environments.

Abstract: Users in a given organization are tagged with a data center identifier (or data location) that identifies a data center where the user's resources are located. A user request is detected, that indicates that the user wishes to access a resource that is tied to the user. The user is automatically navigated to the user's corresponding data center, where the user permissions are analyzed to selectively grant access to the requested resource.

Abstract: Directory information and content for two separate tenants are merged by identifying a first of tenants as a hub tenant and a second of the tenants as a satellite tenant. The hub tenant is modified to include two instances, or data containers, one instance for the hub tenant and another instance for the satellite tenant. Directory merger logic re-associates identity account items in the satellite instance, with the hub instance, by replacing a tenant identifier in the identity account items of the satellite instance with a tenant identifier corresponding to the hub instance. Unique identifiers for users of the satellite instance are maintained unchanged. Content merger logic re-associates content items of the satellite instance with the hub instance by setting a tenant identifier for all satellite content items to the tenant identifier corresponding to the hub instance.

Abstract: Distributed computing systems, computing devices, and associated methods of operations implementing geographic location based computing asset provisioning are disclosed herein. In one embodiment, a provisioning server is configured to retrieve, from a directory service, a record of user account data containing data representing a pre-configured deployment location at which user data of the requested computing service is to be stored. The provisioning server is also configured to determine whether a current geographic location of the provisioning server is within a geographic boundary of the deployment location and in response to determining that the current geographic location of the provisioning server is within a geographic boundary of the deployment location, deploy computing assets at the current geographic location to allow user data of the computing service to be stored at the pre-configured deployment location to satisfy data residency regulations.

Abstract: Directory information and content for two separate tenants are merged by identifying a first of tenants as a hub tenant and a second of the tenants as a satellite tenant. The hub tenant is modified to include two instances, or data containers, one instance for the hub tenant and another instance for the satellite tenant. Directory merger logic re-associates identity account items in the satellite instance, with the hub instance, by replacing a tenant identifier in the identity account items of the satellite instance with a tenant identifier corresponding to the hub instance. Unique identifiers for users of the satellite instance are maintained unchanged. Content merger logic re-associates content items of the satellite instance with the hub instance by setting a tenant identifier for all satellite content items to the tenant identifier corresponding to the hub instance.

Abstract: Users in a given organization are tagged with a data center identifier (or data location) that identifies a data center where the user's resources are located. A user request is detected, that indicates that the user wishes to access a resource that is tied to the user. The user is automatically navigated to the user's corresponding data center, where the user permissions are analyzed to selectively grant access to the requested resource.

Abstract: A session token can be requested to be sent to a first computing service from a second computing service, and a first computing service can receive the requested session token from the second computing service. The first computing service can send a message that includes the session token through a passive client to the second computing service. The second computing service can receive the message that includes the session token from the passive client, and the second computing service can verify that the message is valid. This verification of the validity of the message can include verifying that the session token received back from the passive client matches the session token the second computing service sent to the first computing service.

Abstract: A settings management system in a remote server environment generates user interface displays with settings management user input mechanisms, and detects actuation of those user input mechanisms. Settings configuration metadata is generated, for a given setting, based upon the detected actuation. The settings metadata is output for access by a plurality of different, heterogeneous, computing environments, and the settings metadata is consistent across all of those environments.

Abstract: A session token can be requested to be sent to a first computing service from a second computing service, and a first computing service can receive the requested session token from the second computing service. The first computing service can send a message that includes the session token through a passive client to the second computing service. The second computing service can receive the message that includes the session token from the passive client, and the second computing service can verify that the message is valid. This verification of the validity of the message can include verifying that the session token received back from the passive client matches the session token the second computing service sent to the first computing service.

Abstract: A session token can be requested to be sent to a first computing service from a second computing service, and a first computing service can receive the requested session token from the second computing service. The first computing service can send a message that includes the session token through a passive client to the second computing service. The second computing service can receive the message that includes the session token from the passive client, and the second computing service can verify that the message is valid. This verification of the validity of the message can include verifying that the session token received back from the passive client matches the session token the second computing service sent to the first computing service.

Abstract: A session token can be requested to be sent to a first computing service from a second computing service, and a first computing service can receive the requested session token from the second computing service. The first computing service can send a message that includes the session token through a passive client to the second computing service. The second computing service can receive the message that includes the session token from the passive client, and the second computing service can verify that the message is valid. This verification of the validity of the message can include verifying that the session token received back from the passive client matches the session token the second computing service sent to the first computing service.

Abstract: A user authentication system collects measurements of physical and/or behavioral characteristics of a user. The measurements are processed by two or more processing engines to produce initial confidence measures, and a unified confidence measure is prepared from weighted inputs including the initial confidence measures.

Abstract: Methods of comparing a plurality of measurements to a template are described. Measurements are compared piecewise (element-by-element) and a proportion of successful comparisons at each of a plurality of distance scaling factors is calculated. The proportions are subjected to a nonlinear transformation, then normalized and combined into a weighted sum. The weighted sum is compared with a threshold value to establish the result of the comparison. Software and systems to implement embodiments of the invention are also described and claimed.