Abstract: Methods and systems for handling of invalid state parameters during authentication are described herein. A computing device may receive, from a web browser executing on a user device, first data. That data may comprise an indication of authentication of authentication credentials and a first state parameter. Based on that first state parameter being invalid, the computing device may generate a new state parameter and redirect the web browser to a web page associated with an identity provider application. The computing device may then receive, from the web browser, an indication of authentication of a cookie and the new state parameter. The computing device may provide, to the user device, access to one or more services.

Abstract: Aspects of the disclosure relate to extending single-sign-on to relying parties for federated logon providers. An enterprise identity provider server may receive a first authentication token previously issued to an enterprise server by the enterprise identity provider server. Subsequently, the enterprise identity provider server may retrieve, from a token store, a second authentication token associated with a federated identity service provided by a federated identity provider server. The enterprise identity provider server may refresh the second authentication token with the federated identity service provided by the federated identity provider server to obtain a refreshed authentication token. Finally, the enterprise identity provider server may send the refreshed authentication token to the enterprise server, which may enable user devices managed by the enterprise server to access one or more resources provided by a third party system using the federated identity service.

Abstract: Embodiments of the disclosure include systems and methods for secure storage and/or retrieval of customer secrets by, e.g., a cloud services provider. According to methods, secret data that is to be securely stored may be transmitted, along with an initialization vector, to an encryption service for encryption using a private key stored on in a remote key vault. The encrypted data can be returned and stored, in its encrypted form, in a secure storage along with the initialization vector data. To retrieve the securely stored data, embodiments disclose retrieving the encrypted form of the data and transmitting it, along with its related initialization vector data, to the encryption service for decryption using the private key stored in the remote key vault. The decrypted data can then be made available to a requesting product service.

Abstract: Methods and systems for routing a user request for a service to a version of the service in a geographical region associated with the user are described herein. The service may be deployed in multiple geographical regions, and the service may have multiple versions in each of the geographical regions. A user device may send a request for a service to a first server in a geographical region. The first server may determine whether the user is associated with the geographical region. Responsive to determining that the user is not associated with the geographical region, the first server may ask one or more servers in other geographical regions whether the user is associated with any of the other geographical regions.

Abstract: Systems and methods for operating a system including a plurality of directories. The methods comprises: receiving, by a computing device, a first search request for identity information associated with an individual user of the system that is in a common request format supported by a common Application Programming Interface (“API”); performing first operations by the computing device to generate second search requests by transforming a format of the first search request from the common request format to a plurality of directory search request formats respectively supported by the plurality of directories; and respectively communicating the second search requests to the plurality of directories for retrieving the identity information associated with an individual user of the system.

Abstract: Methods and systems for routing a user request for a service to a version of the service in a geographical region associated with the user are described herein. The service may be deployed in multiple geographical regions, and the service may have multiple versions in each of the geographical regions. A user device may send a request for a service to a first server in a geographical region. The first server may determine whether the user is associated with the geographical region. Responsive to determining that the user is not associated with the geographical region, the first server may ask one or more servers in other geographical regions whether the user is associated with any of the other geographical regions.

Abstract: Secure communications between services or components of a cloud computing system, are facilitated by generating at a first service provided by a first computing entity of a cloud computing system, a request for computing resources, generating at the first computing entity a digital data signature based at least on the request, using a private key associated with the first service; and inserting the digital data signature within an HTTP header associated with the request. A computer data network is used to communicate the request to a second service. The second service extracts the digital data signature and uses a public key to validate the digital data signature.

Abstract: Systems and methods for normalizing cloud resource interactions across disparate objects and actions provided by a plurality of different cloud services. The methods comprise: obtaining information that identifies the objects and indicates what actions can be performed for the objects; processing the information to consolidate at least two of the actions supported by different ones of the objects into a single action; causing a unified view to be presented in a User Interface (“UI”) that allows an initiation of the single action whereby the at least two actions supported by different ones of the objects are concurrently selected; receiving a standardized command for initiating the single action; transforming a first protocol format of the standardized command into a second different protocol format to generate at least one non-standardized command; and using the non-standardized command to cause performance of the at least two actions by said different ones of the objects.

Abstract: Embodiments of the disclosure include systems and methods for secure storage and/or retrieval of customer secrets by, e.g., a cloud services provider. According to methods, secret data that is to be securely stored may be transmitted, along with an initialization vector, to an encryption service for encryption using a private key stored on in a remote key vault. The encrypted data can be returned and stored, in its encrypted form, in a secure storage along with the initialization vector data. To retrieve the securely stored data, embodiments disclose retrieving the encrypted form of the data and transmitting it, along with its related initialization vector data, to the encryption service for decryption using the private key stored in the remote key vault. The decrypted data can then be made available to a requesting product service.

Abstract: Methods, computer-readable media, and apparatuses for checking the health of a cloud-based component. The method includes receiving, by a health event hub as output by a first device, a request for performing a health check on a second device; outputting, by the health event hub, the request to each health checker on the network; receiving, by the health event hub, a health data response output by at least one checker that is capable of performing the health check; collecting, by the health event hub, each health data response associated with the request output by the first device that is output by the at least one health checker that is capable of performing the health check on the second device; and outputting, by the health event hub to each health data collector on the network, each health data response associated with the request output by the first device.

Abstract: Preventing certain types of service disruptions in a computing system involves receiving a lease request at a server of a cloud-based computing system, where the lease request originates from one of a plurality of cloud-hosted service computing systems (CSCS). The lease request will specify at least one suitable connector of a plurality of remote computing machines, where such connectors comprise an availability set at a computing resources location. In response to receiving the request, the server determines whether at least one of the connectors has pending maintenance operations. Based on such determination, the server will selectively grant the lease request by generating at least one electronic message directed to the CSCS which originated the lease request.

Abstract: Embodiments of the disclosure include systems and methods for secure storage and/or retrieval of customer secrets by, e.g., a cloud services provider. According to methods, secret data that is to be securely stored may be transmitted, along with an initialization vector, to an encryption service for encryption using a private key stored on in a remote key vault. The encrypted data can be returned and stored, in its encrypted form, in a secure storage along with the initialization vector data. To retrieve the securely stored data, embodiments disclose retrieving the encrypted form of the data and transmitting it, along with its related initialization vector data, to the encryption service for decryption using the private key stored in the remote key vault. The decrypted data can then be made available to a requesting product service.

Abstract: Preventing certain types of service disruptions in a computing system involves receiving a lease request at a server of a cloud-based computing system, where the lease request originates from one of a plurality of cloud-hosted service computing systems (CSCS). The lease request will specify at least one suitable connector of a plurality of remote computing machines, where such connectors comprise an availability set at a computing resources location. In response to receiving the request, the server determines whether at least one of the connectors has pending maintenance operations. Based on such determination, the server will selectively grant the lease request by generating at least one electronic message directed to the CSCS which originated the lease request.

Abstract: Aspects of the disclosure relate to extending single-sign-on to relying parties for federated logon providers. An enterprise identity provider server may receive a first authentication token previously issued to an enterprise server by the enterprise identity provider server. Subsequently, the enterprise identity provider server may retrieve, from a token store, a second authentication token associated with a federated identity service provided by a federated identity provider server. The enterprise identity provider server may refresh the second authentication token with the federated identity service provided by the federated identity provider server to obtain a refreshed authentication token. Finally, the enterprise identity provider server may send the refreshed authentication token to the enterprise server, which may enable user devices managed by the enterprise server to access one or more resources provided by a third party system using the federated identity service.

Abstract: Systems and methods for operating a system including a plurality of directories. The methods comprises: receiving, by a computing device, a first search request for identity information associated with an individual user of the system that is in a common request format supported by a common Application Programming Interface (“API”); performing first operations by the computing device to generate second search requests by transforming a format of the first search request from the common request format to a plurality of directory search request formats respectively supported by the plurality of directories; and respectively communicating the second search requests to the plurality of directories for retrieving the identity information associated with an individual user of the system.

Abstract: Aspects of the disclosure relate to extending single-sign-on to relying parties for federated logon providers. An enterprise identity provider server may receive a first authentication token previously issued to an enterprise server by the enterprise identity provider server. Subsequently, the enterprise identity provider server may retrieve, from a token store, a second authentication token associated with a federated identity service provided by a federated identity provider server. The enterprise identity provider server may refresh the second authentication token with the federated identity service provided by the federated identity provider server to obtain a refreshed authentication token. Finally, the enterprise identity provider server may send the refreshed authentication token to the enterprise server, which may enable user devices managed by the enterprise server to access one or more resources provided by a third party system using the federated identity service.

Abstract: Systems and methods for operating a system including a plurality of directories. The methods comprises: receiving, by a computing device, a first search request for identity information associated with an individual user of the system that is in a common request format supported by a common Application Programming Interface (“API”); performing first operations by the computing device to generate second search requests by transforming a format of the first search request from the common request format to a plurality of directory search request formats respectively supported by the plurality of directories; and respectively communicating the second search requests to the plurality of directories for retrieving the identity information associated with an individual user of the system.

Abstract: Systems and methods for normalizing cloud resource interactions across disparate objects and actions provided by a plurality of different cloud services. The methods comprise: obtaining information that identifies the objects and indicates what actions can be performed for the objects; processing the information to consolidate at least two of the actions supported by different ones of the objects into a single action; causing a unified view to be presented in a User Interface (“UI”) that allows an initiation of the single action whereby the at least two actions supported by different ones of the objects are concurrently selected; receiving a standardized command for initiating the single action; transforming a first protocol format of the standardized command into a second different protocol format to generate at least one non-standardized command; and using the non-standardized command to cause performance of the at least two actions by said different ones of the objects.

Abstract: Systems and methods for preventing service disruptions in a computing system. The methods comprise: receiving, at a cloud-based computing system, messages for initiating software updates requiring system reboots by remote computing machines; and performing operations by the cloud-based computing system to cause an operational state of only one remote computing machine to be transitioned from an online state to an offline state at any given time by scheduling the software updates and system reboots in a one-machine-at-a-time manner.

Abstract: Secure communications between services or components of a cloud computing system, are facilitated by generating at a first service provided by a first computing entity of a cloud computing system, a request for computing resources, generating at the first computing entity a digital data signature based at least on the request, using a private key associated with the first service; and inserting the digital data signature within an HTTP header associated with the request. A computer data network is used to communicate the request to a second service. The second service extracts the digital data signature and uses a public key to validate the digital data signature.