Single sign-on between multiple data centers
First Claim
1. A method for managing access among data centers, the method comprising:
receiving, at a first computer system managing access for a first data center, first authentication data for a computing device associated with a user;
determining, by the first computer system and based on the first authentication data, that a second data center stores session information associated with the user;
determining, by the first computer system, that the second data center cannot transmit, in response to a request for the session information communicated from the first data center to the second data center, the session information to the first computer system;
upon determining that the second data center cannot transmit the session information to the first computer system:
identifying, by the first computer system, session data stored by the first data center, wherein the session data was previously received from the second data center;
determining, by the first computer system, that the identified session data is insufficient to establish a session associated with the user at the first data center;
receiving, by the first computer system from the computing device, second authentication data; and
establishing, by the first computer system, the session associated with the user at the first data center based on the second authentication data.
Abstract
Techniques are disclosed for a single sign-on (SSO) enterprise system with multiple data centers that can use a lightweight cookie on a user's client device. The lightweight cookie can include a reference to a data center in which the user is already authenticated, and a new data center can contact the old data center for creating a session for the user on the new data center. If the old data center is unavailable, then the new data center may fall back to accessing a local security store, a backup of keys, security tokens, and/or other security data, in order to create a local session for the user on the new data center.
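The fallback sequence of claim 1 and the abstract, as an added simulation in Python that is not part of the patent: the data centers, the user, the lightweight cookie and the session records are constructed values, an offline data center is modelled by raising ConnectionError, and the local security store is a dict of token hashes standing in for the backup keys and security tokens the abstract mentions.

```python
import hashlib, hmac
from dataclasses import dataclass, field

REQUIRED = ("user", "auth_level", "expires")   # fields replicated session data must carry to be usable

@dataclass
class DataCenter:
    name: str
    online: bool = True
    sessions: dict = field(default_factory=dict)     # live sessions, keyed by user
    replica: dict = field(default_factory=dict)      # session data previously received from peers
    local_store: dict = field(default_factory=dict)  # constructed stand-in for the local security store
    def fetch_session(self, user):
        if not self.online:                          # models "cannot transmit the session information"
            raise ConnectionError(self.name)
        return self.sessions.get(user)

def establish_session(dc, peers, cookie, now, second_auth=None):
    """Return (session, path) for a client presenting a lightweight cookie at data center dc."""
    user, home = cookie["user"], cookie["dc"]
    try:
        remote = peers[home].fetch_session(user)     # ask the data center named in the cookie
    except ConnectionError:
        remote = None
    if remote is not None:
        dc.replica[user] = dict(remote)              # keep a copy for use during a later outage
        dc.sessions[user] = dict(remote, dc=dc.name)
        return dc.sessions[user], "remote"
    cached = dc.replica.get(user)                    # fall back to previously received session data
    if cached and all(k in cached for k in REQUIRED) and cached["expires"] > now:
        dc.sessions[user] = dict(cached, dc=dc.name)
        return dc.sessions[user], "replica"
    stored = dc.local_store.get(user)                # last resort: second authentication data, checked locally
    if second_auth is None or stored is None or not hmac.compare_digest(
            stored, hashlib.sha256(second_auth.encode()).hexdigest()):
        return None, "reauth_required"
    dc.sessions[user] = {"user": user, "auth_level": 1, "expires": now + 3600, "dc": dc.name}
    return dc.sessions[user], "reauth"

def demo():
    now = 1_000_000
    dc2 = DataCenter("dc2", sessions={"alice": {"user": "alice", "auth_level": 2, "expires": now + 600}})
    dc1 = DataCenter("dc1", local_store={"alice": hashlib.sha256(b"correct-horse").hexdigest()})
    peers, cookie = {"dc1": dc1, "dc2": dc2}, {"user": "alice", "dc": "dc2"}
    paths = [establish_session(dc1, peers, cookie, now)[1]]                  # old data center reachable
    dc2.online = False                                                       # outage begins
    paths.append(establish_session(dc1, peers, cookie, now)[1])              # replica still valid
    paths.append(establish_session(dc1, peers, cookie, now + 601)[1])        # replica expired, no credentials
    paths.append(establish_session(dc1, peers, cookie, now + 601, "correct-horse")[1])
    return paths
```

The four outcomes demo() returns trace the claim's order of preference: the old data center's answer, then the locally held copy, then a forced re-authentication once that copy is insufficient.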
153 Citations
20 Claims
1. A method for managing access among data centers, the method comprising: (independent claim, reproduced in full under First Claim above). Dependent claims: 2 to 11.
12. A system comprising:
a computer that manages access for a first data center, the computer including a memory storing a plurality of instructions; and
one or more hardware processors; and
wherein the plurality of instructions, upon execution by the one or more hardware processors, causes the one or more hardware processors to:
receive first authentication data for a computing device associated with a user;
determine that a second data center stores session information associated with the user;
determine that the second data center cannot transmit the session information to the system;
upon determining that the second data center cannot transmit, in response to a request for the session information communicated from the first data center to the second data center, the session information to the system:
identify session data stored by the first data center, wherein the session data was previously received from the second data center;
determine that the identified session data is insufficient to establish a session associated with the user at the first data center;
receive, from the computing device, second authentication data; and
establish the session associated with the user at the first data center based on the second authentication data.
Dependent claims: 13 to 18.
19. A non-transitory computer-readable medium storing a plurality of instructions executable by one or more processors of a computer that manages access for a first data center to cause the one or more processors to:
receive first authentication data for a computing device associated with a user;
determine that a second data center stores session information associated with the user;
determine that the second data center cannot transmit the session information to the computer;
upon determining that the second data center cannot transmit, in response to a request for the session information communicated from the first data center to the second data center, the session information to the computer:
identify session data stored by the first data center, wherein the session data was previously received from the second data center;
determine that the identified session data is insufficient to establish a session associated with the user at the first data center;
receive, from the computing device, second authentication data; and
establish the session associated with the user at the first data center based on the second authentication data.
Dependent claims: 20.