Single sign-on between multiple data centers

US 10,084,769 B2
Filed: 04/29/2016
Issued: 09/25/2018
Est. Priority Date: 09/20/2013
Status: Active Grant

First Claim

Patent Images

1. A method for managing access among data centers, the method comprising:

receiving, at a first computer system managing access for a first data center, authentication data for a computing device associated with a user, the authentication data including a reference to a second data center with which the user has an existing session, the existing session being established upon successful verification of access for the user at the second data center;

sending, by the first computer system and based on the reference included in the authentication data, a request to the second data center for session information associated with the user at the second data center;

determining, by the first computer system, that no response to the request for the session information associated with the user is received from the second data center; and

upon determining that no response to the request for the session information associated with the user is received from the second data center;

identifying, by the first computer system, session data stored by the first data center, wherein the session data was previously received from the second data center as part of a periodic data transmission from the second data center prior to the sending of the request, the session data including data for authenticating the user;

determining, by the first computer system, that the identified session data is insufficient to establish the session associated with the user at the first data center;

transmitting, by the first computer to the computing device associated with the user, a prompt for second authentication data;

receiving, by the first computer from the computing device associated with the user, the second authentication data;

authenticating, by the first computer, the user based on the second authentication data; and

establishing, by the first computer system, a session associated with the user at the first data center based on the second authentication data.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are disclosed for a single sign-on (SSO) enterprise system with multiple data centers that can use a lightweight cookie on a user'"'"'s client device. The lightweight cookie can include a reference to a data center in which the user is already authenticated, and a new data center can contact the old data center for creating a session for the user on the new data center. If the old data center is unavailable, then the new data center may fall back to accessing a local security store, a backup of keys, security tokens, and/or other security data, in order to create a local session for the user on the new data center.

Citations

19 Claims

1. A method for managing access among data centers, the method comprising:
- receiving, at a first computer system managing access for a first data center, authentication data for a computing device associated with a user, the authentication data including a reference to a second data center with which the user has an existing session, the existing session being established upon successful verification of access for the user at the second data center;
  
  sending, by the first computer system and based on the reference included in the authentication data, a request to the second data center for session information associated with the user at the second data center;
  
  determining, by the first computer system, that no response to the request for the session information associated with the user is received from the second data center; and
  
  upon determining that no response to the request for the session information associated with the user is received from the second data center;
  
  identifying, by the first computer system, session data stored by the first data center, wherein the session data was previously received from the second data center as part of a periodic data transmission from the second data center prior to the sending of the request, the session data including data for authenticating the user;
  
  determining, by the first computer system, that the identified session data is insufficient to establish the session associated with the user at the first data center;
  
  transmitting, by the first computer to the computing device associated with the user, a prompt for second authentication data;
  
  receiving, by the first computer from the computing device associated with the user, the second authentication data;
  
  authenticating, by the first computer, the user based on the second authentication data; and
  
  establishing, by the first computer system, a session associated with the user at the first data center based on the second authentication data.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the identified session data and the session information associated with the user at the second data center are both associated with a session at the second data center enabling access for the user at the second data center.
  - 3. The method of claim 1, further comprising:
    - determining whether the session data includes data sufficient to verify the user for the session associated with the user at the first data center; and
      
      upon determining that the session data does not include sufficient data to verify the user for the session associated with the user, sending, by the first computer system, to the computing device associated with the user, the prompt for second authentication data including a request for verification of the user.
  - 4. The method of claim 3, wherein the request for verification of the user includes a request for one or more credentials associated with the user.
  - 5. The method of claim 3, further comprising:
    - in response to the sending the request for verification of the user, receiving, at the first computer system, verification information as part of the second authentication data; and
      
      establishing, based on the verification information, the session associated with the user at the first data center.
  - 6. The method of claim 1, wherein the request for the session information is sent based on determining that there is no active session for the user at the first data center and based on receiving the authentication data.
  - 7. The method of claim 1, wherein the identified session data includes at least one of a login key or a security token.

8. A system comprising:
- a first data storage system including a memory storing a plurality of instructions; and
  
  one or more hardware processors; and
  
  wherein the plurality of instructions, upon execution by the one or more hardware processors, causes the one or more hardware processors to;
  
  receive authentication data for a computing device associated with a user, the authentication data including a reference to a second data center with which the user has an existing session, the existing session being established upon successful verification of access for the user at the second data center;
  
  send, based on the reference included in the authentication data, a request to the second data center for session information associated with the user at the second data center;
  
  determine that no response to the request for the session information associated with the user is received from the second data center;
  
  upon determining that no response to the request for the session information associated with the user is received from the second data center;
  
  identify session data stored by the first data center, wherein the session data was previously received from the second data center as part of a periodic data transmission from the second data center prior to the sending of the request, the session data including data for authenticating the user;
  
  determine that the identified session data is insufficient to establish the session associated with the user at the first data center;
  
  transmit, to the computing device associated with the user, a prompt for second authentication data;
  
  receive, from the computing device associated with the user, the second authentication data;
  
  authenticate the user based on the second authentication data; and
  
  establish a session associated with the user at the first data center based on the second authentication data.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The system of claim 8, wherein the identified session data and the session information associated with the user at the second data center are both associated with a same session at the second data center enabling access for the user at the second data center.
  - 10. The system of claim 8, wherein the plurality of instructions, upon execution by the one or more hardware processors, further causes the one or more hardware processors to:
    - store, at the first data storage system, session data received from the second data center on a periodic schedule.
  - 11. The system of claim 8, wherein the plurality of instructions, upon execution by the one or more hardware processors, further causes the one or more hardware processors to:
    - determine whether the session data includes data sufficient to verify the user for the session associated with the user at the first data center; and
      
      upon determining that the session data does not include sufficient data to verify the user for the session associated with the user, send to the computing device associated with the user, the prompt for second authentication data including a request for verification of the user.
  - 12. The system of claim 11, wherein the plurality of instructions, upon execution by the one or more hardware processors, further causes the one or more hardware processors to:
    - in response to the sending the request for verification of the user, receive verification information as part of the second authentication data; and
      
      establish, based on the verification information, the associated with the user at the first data center.
  - 13. The system of claim 8, wherein the request for the session information is sent based on determining that there is no active session for the user at the first data center and based on receiving the authentication data.

14. A non-transitory computer-readable medium storing a plurality of instructions executable by one or more processors to cause the one or more processors to:
- receive, at a first data center, authentication data for a computing device associated with a user, the authentication data including a reference to a second data center with which the user has an existing session, the existing session being established upon successful verification of access for the user at the second data center;
  
  send, from the first data center and based on the reference included in the authentication data, a request to the second data center for session information associated with the user at the second data center;
  
  determine that no response to the request for the session information associated with the user is received from the second data center;
  
  upon determining that no response to the request for the session information associated with the user is received from the second data center;
  
  identify session data stored by the first data center, wherein the session data was previously received from the second data center as part of a periodic data transmission from the second data center prior to the sending of the request, the session data including data for authenticating the user;
  
  determine that the identified session data is insufficient to establish the session associated with the user at the first data center;
  
  transmit, to the computing device associated with the user, a prompt for second authentication data;
  
  receive, from the computing device associated with the user, the second authentication data;
  
  authenticate the user based on the second authentication data; and
  
  establish a session associated with the user at the first data center based on the second authentication data.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The non-transitory computer-readable medium of claim 14, wherein the identified session data and the session information associated with the user at the second data center are both associated with a same session at the second data center enabling access for the user at the second data center.
  - 16. The non-transitory computer-readable medium of claim 14, wherein the plurality of instructions are further executable by the one or more processors to cause the one or more processors to:
    - store, at the first data center, session data received from the second data center based on a schedule.
  - 17. The non-transitory computer-readable medium of claim 14, wherein the plurality of instructions are further executable by the one or more processors to cause the one or more processors to:
    - determine whether the session data includes data sufficient to verify the user for the session; and
      
      upon determining that the session data does not include sufficient data to verify the user for the session, send to the computing device associated with the user, the prompt for second authentication data including a request for verification of the user.
  - 18. The non-transitory computer-readable medium of claim 17, wherein the plurality of instructions are further executable by the one or more processors to cause the one or more processors to:
    - in response to the sending the request for verification of the user, receive verification information as part of the second authentication data; and
      
      establish, based on the verification information, the session associated with the user at the first data center.
  - 19. The non-transitory computer-readable medium of claim 14, wherein the request for the session information is sent based on determining that there is no active session for the user at the first data center and based on receiving the authentication data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Mathew, Stephen, Motukuru, Vamsi, Martin, Madhu, Chathoth, Vikas Pooven
Primary Examiner(s)
Reza, Mohammad W

Application Number

US15/143,240
Publication Number

US 20160248758A1
Time in Patent Office

879 Days
Field of Search

726 1
US Class Current
CPC Class Codes

G06F 21/41   where a single sign-on prov...

H04L 63/08   for authentication of entit...

H04L 63/0815   providing single-sign-on or...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

H04L 65/1066   Session management

H04L 65/1069   Session establishment or de...

H04L 67/141   Setup of application sessio...

Single sign-on between multiple data centers

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Single sign-on between multiple data centers

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links