Single sign-on between multiple data centers

US 10,693,864 B2
Filed: 09/24/2018
Issued: 06/23/2020
Est. Priority Date: 09/20/2013
Status: Active Grant

First Claim

Patent Images

1. A method for managing access among data centers, the method comprising:

receiving, at a first computer system managing access for a first data center, first authentication data for a computing device associated with a user;

determining, by the first computer system and based on the first authentication data, that a second data center stores session information associated with the user;

determining, by the first computer system, that the second data center cannot transmit, in response to a request for the session information communicated from the first data center to the second data center, the session information to the first computer system;

upon determining that the second data center cannot transmit the session information to the first computer system;

identifying, by the first computer system, session data stored by the first data center, wherein the session data was previously received from the second data center;

determining, by the first computer system, that the identified session data is insufficient to establish a session associated with the user at the first data center;

receiving, by the first computer system from the computing device, second authentication data; and

establishing, by the first computer system, the session associated with the user at the first data center based on the second authentication data.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are disclosed for a single sign-on (SSO) enterprise system with multiple data centers that can use a lightweight cookie on a user'"'"'s client device. The lightweight cookie can include a reference to a data center in which the user is already authenticated, and a new data center can contact the old data center for creating a session for the user on the new data center. If the old data center is unavailable, then the new data center may fall back to accessing a local security store, a backup of keys, security tokens, and/or other security data, in order to create a local session for the user on the new data center.

153 Citations

20 Claims

1. A method for managing access among data centers, the method comprising:
- receiving, at a first computer system managing access for a first data center, first authentication data for a computing device associated with a user;
  
  determining, by the first computer system and based on the first authentication data, that a second data center stores session information associated with the user;
  
  determining, by the first computer system, that the second data center cannot transmit, in response to a request for the session information communicated from the first data center to the second data center, the session information to the first computer system;
  
  upon determining that the second data center cannot transmit the session information to the first computer system;
  
  identifying, by the first computer system, session data stored by the first data center, wherein the session data was previously received from the second data center;
  
  determining, by the first computer system, that the identified session data is insufficient to establish a session associated with the user at the first data center;
  
  receiving, by the first computer system from the computing device, second authentication data; and
  
  establishing, by the first computer system, the session associated with the user at the first data center based on the second authentication data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the first authentication data include a reference to the second data center and indicates that the computing device associated with the user has been successfully authenticated and authorized by the second data center;
    - andwherein the determination that the second data center stores the session information is based on the first authentication data including the reference to the second data center.
  - 3. The method of claim 2, wherein the session information include information for creating a local session at the first data center;
    - andwherein the session information is related to an existing session between the second data center and the computing device.
  - 4. The method of claim 3, wherein the session information include at least one of:
    - a last access or update time, an Internet Protocol (IP) address of the computing device associated with the user, or a session identifier of the session.
  - 5. The method of claim 1, wherein determining, by the first computer system, that the second data center cannot transmit session information associated with the user to the first computer system comprises at least one of:
    - determining that a network error condition occurs that prevents communication between the first computer system and the second data center, or a high load condition occurs at the second data center that prevents the second data center from having sufficient bandwidth to communicate with the first computer system.
  - 6. The method of claim 1, therein determining, by the first computer system, that the second data center cannot transmit the session information associated with the user to the first computer system comprises:
    - transmitting a request to the second data center for the session information associated with the user at the second data center; and
      
      determining that no response to the request for the session information associated with the user is received from the second data center.
  - 7. The method of claim 6, further comprising:
    - determining that there is no active session for the user at the first data center; and
      
      transmitting the request for the session information to the second data center based on determining that there is no active session for the user at the first data center.
  - 8. The method of claim 1, wherein the session data was previously received from the second data center as part of a periodic data transmission from the second data center.
  - 9. The method of claim 1, wherein the session data include authentication data;
    - andwherein determining, by the first computer system, that the identified session data are insufficient to establish the session associated with the user at the first data center comprises;
      
      determining that the authentication data included in the session data are insufficient to authenticate the computing device.
  - 10. The method of claim 9, wherein the session data include at least one of:
    - a login key of the user, or a security key of the user.
  - 11. The method of claim 1, further comprising:
    - responsive to determining that the identified session data are insufficient to establish the session, transmitting a prompt to the computing device for the second authentication data.

12. A system comprising:
- a computer that manages access for a first data center, the computer including a memory storing a plurality of instructions; and
  
  one or more hardware processors; and
  
  wherein the plurality of instructions, upon execution by the one or more hardware processors, causes the one or more hardware processors to;
  
  receive first authentication data for a computing device associated with a user;
  
  determine that a second data center stores session information associated with the user;
  
  determine that the second data center cannot transmit the session information to the system;
  
  upon determining that the second data center cannot transmit, in response to a request for the session information communicated from the first data center to the second data center, the session information to the system;
  
  identify session data stored by the first data center, wherein the session data was previously received from the second data center;
  
  determine that the identified session data is insufficient to establish a session associated with the user at the first data center;
  
  receive from the computing device, second authentication data; and
  
  establish the session associated with the user at the first data center based on the second authentication data.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The system of claim 12, wherein the first authentication data include a reference to the second data center and indicates that the computing device associated with the user has been successfully authenticated and authorized by the second data center;
    - andwherein the determination that the second data center stores the session information is based on the first authentication data including the reference to the second data center.
  - 14. The system of claim 13, wherein the session information include information for creating a local session at the first data center;
    - andwherein the session information is related to an existing session between the second data center and the computing device.
  - 15. The system of claim 14, wherein the session information include at least one of:
    - a last access or update time, an Internet Protocol (IP) address of the computing device associated with the user, or a session identifier of the session.
  - 16. The system of claim 12, wherein the plurality of instructions, upon execution by the one or more hardware processors, causes the one or more hardware processors to determine that the second data center cannot transmit the session information associated with the user to the system based on at least one of:
    - determining that a network error condition occurs that prevents communication between the system and the second data center, or a high load condition occurs at the second data center that prevents the second data center from having sufficient bandwidth to communicate with the system.
  - 17. The system of claim 12, wherein the plurality of instructions, upon execution by the one or more hardware processors, causes the one or more hardware processors to:
    - transmit a request to the second data center for the session information associated with the user at the second data center; and
      
      determine that no response to the request for the session information associated with the user is received from the second data center.
  - 18. The system of claim 17, further comprising:
    - determining that there is no active session for the user at the first data center; and
      
      transmitting the request for the session information to the second data center based on determining that there is no active session for the user at the first data center.

19. A non-transitory computer-readable medium storing a plurality of instructions executable by one or more processors of a computer that manages access for a first data center to cause the one or more processors to:
- receive first authentication data for a computing device associated with a user;
  
  determine that a second data center stores session information associated with the user;
  
  determine that the second data center cannot transmit the session information to the computer;
  
  upon determining that the second data center cannot transmit, in response to a request for the session information communicated from the first data center to the second data center, the session information to the computer;
  
  identify session data stored by the first data center, wherein the session data was previously received from the second data center;
  
  determine that the identified session data is insufficient to establish a session associated with the user at the first data center;
  
  receive from the computing device, second authentication data; and
  
  establish the session associated with the user at the first data center based on the second authentication data.
- View Dependent Claims (20)
- - 20. The non-transitory computer-readable medium of claim 19, wherein the first authentication data include a reference to the second data center and indicates that the computing device associated with the user has been successfully authenticated and authorized by the second data center;
    - andwherein the determination that the second data center stores the session information is based on the first authentication data including the reference to the second data center.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Mathew, Stephen, Motukuru, Vamsi, Martin, Madhu, Chathoth, Vikas Pooven
Primary Examiner(s)
Reza, Mohammad W

Application Number

US16/140,343
Publication Number

US 20190036907A1
Time in Patent Office

638 Days
Field of Search

726 1
US Class Current
CPC Class Codes

G06F 21/41   where a single sign-on prov...

H04L 63/08   for authentication of entit...

H04L 63/0815   providing single-sign-on or...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

H04L 65/1066   Session management

H04L 65/1069   Session establishment or de...

H04L 67/141   Setup of application sessio...

Single sign-on between multiple data centers

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

153 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Single sign-on between multiple data centers

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

153 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links