Single sign-on between multiple data centers
First Claim
1. A method for managing access among data centers, the method comprising:
receiving, at a first computer system managing access for a first data center, authentication data for a computing device associated with a user, the authentication data including a reference to a second data center with which the user has an existing session, the existing session being established upon successful verification of access for the user at the second data center;
sending, by the first computer system and based on the reference included in the authentication data, a request to the second data center for session information associated with the user at the second data center;
determining, by the first computer system, that no response to the request for the session information associated with the user is received from the second data center; and
upon determining that no response to the request for the session information associated with the user is received from the second data center:
identifying, by the first computer system, session data stored by the first data center, wherein the session data was previously received from the second data center as part of a periodic data transmission from the second data center prior to the sending of the request, the session data including data for authenticating the user;
determining, by the first computer system, that the identified session data is insufficient to establish the session associated with the user at the first data center;
transmitting, by the first computer to the computing device associated with the user, a prompt for second authentication data;
receiving, by the first computer from the computing device associated with the user, the second authentication data;
authenticating, by the first computer, the user based on the second authentication data; and
establishing, by the first computer system, a session associated with the user at the first data center based on the second authentication data.
Abstract
Techniques are disclosed for a single sign-on (SSO) enterprise system with multiple data centers that can use a lightweight cookie on a user's client device. The lightweight cookie can include a reference to a data center in which the user is already authenticated, and a new data center can contact the old data center for creating a session for the user on the new data center. If the old data center is unavailable, then the new data center may fall back to accessing a local security store, a backup of keys, security tokens, and/or other security data, in order to create a local session for the user on the new data center.
19 Claims
1. See First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7
8. A system comprising:
a first data storage system including a memory storing a plurality of instructions; and
one or more hardware processors; and
wherein the plurality of instructions, upon execution by the one or more hardware processors, causes the one or more hardware processors to:
receive authentication data for a computing device associated with a user, the authentication data including a reference to a second data center with which the user has an existing session, the existing session being established upon successful verification of access for the user at the second data center;
send, based on the reference included in the authentication data, a request to the second data center for session information associated with the user at the second data center;
determine that no response to the request for the session information associated with the user is received from the second data center;
upon determining that no response to the request for the session information associated with the user is received from the second data center:
identify session data stored by the first data center, wherein the session data was previously received from the second data center as part of a periodic data transmission from the second data center prior to the sending of the request, the session data including data for authenticating the user;
determine that the identified session data is insufficient to establish the session associated with the user at the first data center;
transmit, to the computing device associated with the user, a prompt for second authentication data;
receive, from the computing device associated with the user, the second authentication data;
authenticate the user based on the second authentication data; and
establish a session associated with the user at the first data center based on the second authentication data.
Dependent claims: 9, 10, 11, 12, 13
14. A non-transitory computer-readable medium storing a plurality of instructions executable by one or more processors to cause the one or more processors to:
receive, at a first data center, authentication data for a computing device associated with a user, the authentication data including a reference to a second data center with which the user has an existing session, the existing session being established upon successful verification of access for the user at the second data center;
send, from the first data center and based on the reference included in the authentication data, a request to the second data center for session information associated with the user at the second data center;
determine that no response to the request for the session information associated with the user is received from the second data center;
upon determining that no response to the request for the session information associated with the user is received from the second data center:
identify session data stored by the first data center, wherein the session data was previously received from the second data center as part of a periodic data transmission from the second data center prior to the sending of the request, the session data including data for authenticating the user;
determine that the identified session data is insufficient to establish the session associated with the user at the first data center;
transmit, to the computing device associated with the user, a prompt for second authentication data;
receive, from the computing device associated with the user, the second authentication data;
authenticate the user based on the second authentication data; and
establish a session associated with the user at the first data center based on the second authentication data.
Dependent claims: 15, 16, 17, 18, 19
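The flow described in the abstract and in independent claims 1, 8 and 14, as an added example that is not code from the patent or its assignee: a lightweight cookie carries only a session id and a reference to the home data center; the new data center asks the home data center for the session, falls back to session data it received earlier by periodic replication when no response arrives, and prompts for second authentication data when that replicated data is insufficient. Everything concrete here is an assumption made for the demo: the `sid|home_dc|mac` cookie layout, a cookie-signing key shared by the data centers, the `MAX_REPLICA_AGE` freshness bound, the two-level `auth_level` policy, the constructed `USERS` credentials and all class and function names.

```python
import hashlib
import hmac
import secrets
from collections import namedtuple

# Assumed for this demo (not from the patent): one shared cookie-signing key, a freshness bound on replicated data, a second-factor requirement.
COOKIE_KEY = b"demo-shared-cookie-key"
MAX_REPLICA_AGE = 300.0   # seconds a replicated record stays usable
REQUIRED_AUTH_LEVEL = 2   # 1 = password only, 2 = password + one-time code
USERS = {"alice": ("correct horse", "123456"), "bob": ("battery staple", "654321")}  # constructed

SessionRecord = namedtuple("SessionRecord", "user created auth_level")

def sign_cookie(sid, home_dc):
    """Lightweight cookie: session id plus a MACed reference to the home data center."""
    mac = hmac.new(COOKIE_KEY, f"{sid}|{home_dc}".encode(), hashlib.sha256).hexdigest()
    return f"{sid}|{home_dc}|{mac}"

def parse_cookie(cookie):
    """Return (sid, home_dc), or None if the cookie is malformed or its MAC fails."""
    parts = cookie.split("|")
    if len(parts) != 3:
        return None
    sid, home_dc, mac = parts
    good = hmac.new(COOKIE_KEY, f"{sid}|{home_dc}".encode(), hashlib.sha256).hexdigest()
    return (sid, home_dc) if hmac.compare_digest(mac, good) else None

def verify_credentials(user, password, code=None):
    """0 = rejected, 1 = password verified, 2 = password and one-time code verified."""
    rec = USERS.get(user)
    if rec is None or not hmac.compare_digest(rec[0], password):
        return 0
    return 2 if code is not None and hmac.compare_digest(rec[1], code) else 1

class DataCenter:
    def __init__(self, name):
        self.name, self.online, self.peers = name, True, {}
        self.sessions = {}   # sid -> SessionRecord established here
        self.replica = {}    # sid -> SessionRecord pushed to us by a peer

    def login(self, user, password, now, code=None):
        level = verify_credentials(user, password, code)
        if level == 0:
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = SessionRecord(user, now, level)
        return sign_cookie(sid, self.name)

    def push_replica_to(self, peer):
        """The periodic data transmission: peer keeps a copy of our session data."""
        peer.replica.update(self.sessions)

    def fetch_session(self, sid):
        if not self.online:
            raise TimeoutError(f"{self.name} did not respond")
        return self.sessions.get(sid)

    def resume(self, cookie, now, reauth=None):
        """Returns ("session", new_cookie), ("prompt", reason) or ("reject", reason)."""
        parsed = parse_cookie(cookie)
        if parsed is None:
            return ("reject", "cookie signature invalid")
        sid, home_dc = parsed
        try:
            rec, fresh = self.peers[home_dc].fetch_session(sid), True   # live answer
        except (KeyError, TimeoutError):          # unknown or silent home DC: use replica
            rec = self.replica.get(sid)
            fresh = rec is not None and now - rec.created <= MAX_REPLICA_AGE
        if rec is None:
            return ("reject", "no session found")
        level = rec.auth_level
        if not fresh or level < REQUIRED_AUTH_LEVEL:   # stored data is insufficient
            if reauth is None:
                return ("prompt", "second authentication data required")
            level = verify_credentials(rec.user, *reauth)
            if level < REQUIRED_AUTH_LEVEL:
                return ("reject", "second authentication failed")
        new_sid = secrets.token_hex(16)
        self.sessions[new_sid] = SessionRecord(rec.user, now, level)
        return ("session", sign_cookie(new_sid, self.name))

def demo(now=1_700_000_000.0):
    # Walk through the scenarios from the abstract; returns the outcome of each.
    dc_a, dc_b = DataCenter("dc-a"), DataCenter("dc-b")
    dc_a.peers["dc-b"], dc_b.peers["dc-a"] = dc_b, dc_a
    alice = dc_a.login("alice", "correct horse", now, code="123456")   # two factors at dc-a
    bob = dc_a.login("bob", "battery staple", now)                     # password only
    dc_a.push_replica_to(dc_b)                                         # periodic transmission
    out = {"forged_reference": dc_b.resume(alice.replace("dc-a", "dc-x"), now)[0],
           "home_dc_online": dc_b.resume(alice, now)[0]}
    dc_a.online = False                                                # dc-a stops answering
    out["replica_fresh"] = dc_b.resume(alice, now + 60)[0]
    out["replica_stale"] = dc_b.resume(alice, now + 3600)[0]
    out["reauth_ok"] = dc_b.resume(alice, now + 3600, reauth=("correct horse", "123456"))[0]
    out["reauth_bad"] = dc_b.resume(alice, now + 3600, reauth=("correct horse", "000000"))[0]
    out["auth_level_too_low"] = dc_b.resume(bob, now + 60)[0]
    return out

if __name__ == "__main__":
    print(demo())
```

Two choices matter for security here. The data-center reference in the cookie is covered by a MAC, so a client cannot redirect the new data center's session request to a host it controls; the `forged_reference` scenario is rejected before any request is sent. And the replicated session data is treated as a fallback with limits, not as a second source of truth: a record past `MAX_REPLICA_AGE`, or one whose original login did not meet the local policy (`bob`, password only), counts as insufficient and the user is prompted for second authentication data, exactly the branch the claims describe.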