Abstract: Embodiments of a multi-tenant cloud system include a first data center adapted to authenticate a first plurality of registered clients and located in a first geographic area, and a second data center adapted to authenticate a second plurality of registered clients and located in a second geographic area that is different from the first geographic area. The first data center receives a request from a first client of the first plurality of registered clients to access a resource of the second data center and validates the request from the first client and issues a global access token. The second data center receives the request with the global access token. A cloud gate at the second data center, based on the global access token, validates the request and provides the resource to the first client.

Abstract: Embodiments perform write operations in a multi-tenant cloud system that includes a first data center adapted to authenticate a first plurality of registered clients and located in a first geographic area, and a second data center adapted to authenticate a second plurality of registered clients and located in a second geographic area that is different from the first geographic area. Embodiments receive a request from a first client to perform a first write for a resource at the second data center. Embodiments generate a call to the first data center including a second write for the resource at the first data center. Embodiments retrieve data corresponding to the first write and send the retrieved data to the first data center. Embodiments write on the data based on the first write, the writing on the data including changing the data to generate changed data.

Abstract: Embodiments of a multi-tenant cloud system include a first data center adapted to authenticate a first plurality of registered clients and located in a first geographic area, and a second data center adapted to authenticate a second plurality of registered clients and located in a second geographic area that is different from the first geographic area. The first data center receives a request from a first client of the first plurality of registered clients to access a resource of the second data center and validates the request from the first client and issues a global access token. The second data center receives the request with the global access token. A cloud gate at the second data center, based on the global access token, validates the request and provides the resource to the first client.

Abstract: Embodiments of a multi-tenant cloud system include a first data center adapted to authenticate a first plurality of registered clients and located in a first geographic area, and a second data center adapted to authenticate a second plurality of registered clients and located in a second geographic area that is different from the first geographic area. The first data center receives a request from a first client of the first plurality of registered clients to access a resource of the second data center and validates the request from the first client and issues a global access token. The second data center receives the request with the global access token. A cloud gate at the second data center, based on the global access token, validates the request and provides the resource to the first client.

Abstract: A multi-tenant identity management (IDM) system enables IDM functions to be performed relative to various different customers' domains within a shared cloud computing environment and without replicating a separate IDM system for each separate domain. The IDM system can provide IDM functionality to service instances located within various different customers' domains while enforcing isolation between those domains. A cloud-wide identity store can contain identity information for multiple customers' domains, and a cloud-wide policy store can contain security policy information for multiple customers' domains. The multi-tenant IDM system can provide a delegation model in which a domain administrator can be appointed for each domain, and in which each domain administrator can delegate certain roles to other user identities belong to his domain. Service instance-specific administrators can be appointed by a domain administrator to administer to specific service instances within a domain.

Abstract: Embodiments perform write operations in a multi-tenant cloud system that includes a first data center adapted to authenticate a first plurality of registered clients and located in a first geographic area, and a second data center adapted to authenticate a second plurality of registered clients and located in a second geographic area that is different from the first geographic area. Embodiments receive a request from a first client to perform a first write for a resource at the second data center. Embodiments generate a call to the first data center including a second write for the resource at the first data center. Embodiments retrieve data corresponding to the first write and send the retrieved data to the first data center. Embodiments write on the data based on the first write, the writing on the data including changing the data to generate changed data.

Abstract: Embodiments of a multi-tenant cloud system include a first data center adapted to authenticate a first plurality of registered clients and located in a first geographic area, and a second data center adapted to authenticate a second plurality of registered clients and located in a second geographic area that is different from the first geographic area. The first data center receives a request from a first client of the first plurality of registered clients to access a resource of the second data center and validates the request from the first client and issues a global access token. The second data center receives the request with the global access token. A cloud gate at the second data center, based on the global access token, validates the request and provides the resource to the first client.

Abstract: A multi-tenant identity management (IDM) system enables IDM functions to be performed relative to various different customers' domains within a shared cloud computing environment and without replicating a separate IDM system for each separate domain. The IDM system can provide IDM functionality to service instances located within various different customers' domains while enforcing isolation between those domains. A cloud-wide identity store can contain identity information for multiple customers' domains, and a cloud-wide policy store can contain security policy information for multiple customers' domains. The multi-tenant IDM system can provide a delegation model in which a domain administrator can be appointed for each domain, and in which each domain administrator can delegate certain roles to other user identities belong to his domain. Service instance-specific administrators can be appointed by a domain administrator to administer to specific service instances within a domain.

Abstract: A multi-tenant identity management (IDM) system enables IDM functions to be performed relative to various different customers' domains within a shared cloud computing environment and without replicating a separate IDM system for each separate domain. The IDM system can provide IDM functionality to service instances located within various different customers' domains while enforcing isolation between those domains. A cloud-wide identity store can contain identity information for multiple customers' domains, and a cloud-wide policy store can contain security policy information for multiple customers' domains. The multi-tenant IDM system can provide a delegation model in which a domain administrator can be appointed for each domain, and in which each domain administrator can delegate certain roles to other user identities belong to his domain. Service instance-specific administrators can be appointed by a domain administrator to administer to specific service instances within a domain.

Abstract: A multi-tenant identity management (IDM) system enables IDM functions to be performed relative to various different customers' domains within a shared cloud computing environment and without replicating a separate IDM system for each separate domain. The IDM system can provide IDM functionality to service instances located within various different customers' domains while enforcing isolation between those domains. A cloud-wide identity store implemented as a single LDAP directory can contain identity information for multiple customers' domains. This single LDAP directory can store identities for entities for all tenants, in separate partitions or subtrees of the LDAP directory, each such partition or subtree being dedicated to a separate identity domain for a tenant. Components of the cloud computing environment ensure that LDAP entries within a particular subtree are accessible only to service instances that have been deployed to the identity domain that corresponds to that particular subtree.

Abstract: Techniques for providing a consolidated view of directory changes across different directory servers. In one set of embodiments, a changelog record can be received from a directory server, where the directory server is associated with a proprietary changelog format, and where the changelog record is formatted according to the proprietary changelog format. The received changelog record can then be translated into a virtualized changelog record that is formatted according to a standard changelog format, and the virtualized changelog record can be sent to a consuming client. In a further set of embodiments, a “changelog cookie” can be generated for a virtualized changelog record prior to sending the record to a client. In various embodiments, the changelog cookie can act as a globally unique identifier—i.e., an identifier that distinguishes the virtualized changelog record from other virtualized changelog records.

Abstract: Techniques for providing a consolidated view of directory changes across different directory servers. In one set of embodiments, a changelog record can be received from a directory server, where the directory server is associated with a proprietary changelog format, and where the changelog record is formatted according to the proprietary changelog format. The received changelog record can then be translated into a virtualized changelog record that is formatted according to a standard changelog format, and the virtualized changelog record can be sent to a consuming client. With this virtualization capability, the client does not need to be concerned with, or even aware of, the proprietary changelog mechanisms/formats that may be used by different directory servers in a multi-server deployment.

Abstract: A multi-tenant identity management (IDM) system enables IDM functions to be performed relative to various different customers' domains within a shared cloud computing environment and without replicating a separate IDM system for each separate domain. The IDM system can provide IDM functionality to service instances located within various different customers' domains while enforcing isolation between those domains. A cloud-wide identity store can contain identity information for multiple customers' domains, and a cloud-wide policy store can contain security policy information for multiple customers' domains. The multi-tenant IDM system can provide a delegation model in which a domain administrator can be appointed for each domain, and in which each domain administrator can delegate certain roles to other user identities belong to his domain. Service instance-specific administrators can be appointed by a domain administrator to administer to specific service instances within a domain.

Abstract: A multi-tenant identity management (IDM) system enables IDM functions to be performed relative to various different customers' domains within a shared cloud computing environment and without replicating a separate IDM system for each separate domain. The IDM system can provide IDM functionality to service instances located within various different customers' domains while enforcing isolation between those domains. A cloud-wide identity store implemented as a single LDAP directory can contain identity information for multiple customers' domains. This single LDAP directory can store identities for entities for all tenants, in separate partitions or subtrees of the LDAP directory, each such partition or subtree being dedicated to a separate identity domain for a tenant. Components of the cloud computing environment ensure that LDAP entries within a particular subtree are accessible only to service instances that have been deployed to the identity domain that corresponds to that particular subtree.

Abstract: Techniques for providing a consolidated view of directory changes across different directory servers. In one set of embodiments, a changelog record can be received from a directory server, where the directory server is associated with a proprietary changelog format, and where the changelog record is formatted according to the proprietary changelog format. The received changelog record can then be translated into a virtualized changelog record that is formatted according to a standard changelog format, and the virtualized changelog record can be sent to a consuming client. With this virtualization capability, the client does not need to be concerned with, or even aware of, the proprietary changelog mechanisms/formats that may be used by different directory servers in a multi-server deployment.

Abstract: Techniques for providing a consolidated view of directory changes across different directory servers. In one set of embodiments, a changelog record can be received from a directory server, where the directory server is associated with a proprietary changelog format, and where the changelog record is formatted according to the proprietary changelog format. The received changelog record can then be translated into a virtualized changelog record that is formatted according to a standard changelog format, and the virtualized changelog record can be sent to a consuming client. In a further set of embodiments, a “changelog cookie” can be generated for a virtualized changelog record prior to sending the record to a client. In various embodiments, the changelog cookie can act as a globally unique identifier—i.e., an identifier that distinguishes the virtualized changelog record from other virtualized changelog records.