CPC H04L 63/0807 (2013.01) [H04L 61/4505 (2022.05); H04L 63/102 (2013.01); H04L 63/104 (2013.01); H04L 63/20 (2013.01); H04L 2463/082 (2013.01)]; 14 Claims
1. A method for cloud federated token just in time authorization, comprising:
receiving, by a cloud authentication services computer program, authenticating information for a user from an active directory federation service computer program, wherein the authenticating information comprises multifactor authentication appliance data, a user role, and/or a ticket identifier;
querying, by the cloud authentication services computer program, a plurality of backend services to validate the authenticating information, wherein the cloud authentication services computer program queries an in-memory entitlements graph to validate the user role; and
communicating, by the cloud authentication services computer program, validation to the active directory federation service computer program, wherein the active directory federation service computer program is configured to generate a security token comprising one or more assertions, wherein the assertion comprises a limit on a session with the user at a cloud platform, and wherein the cloud platform is configured to receive the security token and a trusted federated endpoint executed by the cloud platform is configured to enforce the limit on the session.
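A runnable model of the three claimed steps (validation against an in-memory entitlements graph and a ticket backend, token issuance with a session-limit assertion, enforcement at the trusted endpoint), added here as an illustration; it is not code from the patent or from any vendor's product, and the entitlements graph, ticket store, HMAC-signed token format and all names are constructed assumptions.

```python
import hashlib
import hmac
import json

# Hypothetical shared secret between the token issuer (ADFS) and the trusted endpoint.
SIGNING_KEY = b"constructed-demo-key"

# Constructed in-memory entitlements graph: user -> roles, role -> permitted resources.
ENTITLEMENTS = {
    "users": {"alice": {"db-reader"}, "bob": {"intern"}},
    "roles": {"db-reader": {"orders-db"}, "intern": set()},
}
# Constructed backend ticket service: ticket identifier -> user it was opened for.
VALID_TICKETS = {"T-1001": "alice"}


def validate_auth_info(user, mfa_ok, role, ticket_id):
    """Cloud authentication service: check MFA result, ticket binding and role."""
    if not mfa_ok:
        return False, "mfa failed"
    if VALID_TICKETS.get(ticket_id) != user:
        return False, "ticket not bound to user"
    if role not in ENTITLEMENTS["users"].get(user, set()):
        return False, "role not in entitlements graph"
    return True, "ok"


def issue_token(user, role, resource, ttl_seconds, now):
    """Modelled ADFS step: signed token whose assertion limits the session (exp, resource)."""
    claims = {"sub": user, "role": role, "resource": resource,
              "iat": now, "exp": now + ttl_seconds}
    body = json.dumps(claims, sort_keys=True)
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body, sig


def jit_authorize(user, mfa_ok, role, ticket_id, resource, ttl_seconds, now):
    """End-to-end: a token is only minted after every backend validation passes."""
    ok, _reason = validate_auth_info(user, mfa_ok, role, ticket_id)
    return issue_token(user, role, resource, ttl_seconds, now) if ok else None


def enforce(body, sig, requested_resource, now):
    """Trusted federated endpoint: verify the signature, then enforce the session limit."""
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False  # tampered or forged token
    claims = json.loads(body)
    if now >= claims["exp"] or requested_resource != claims["resource"]:
        return False  # session limit exceeded or scope mismatch
    return requested_resource in ENTITLEMENTS["roles"].get(claims["role"], set())
```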