FACILITATING SINGLE SIGN-ON (SSO) ACROSS MULTIPLE BROWSER INSTANCE

US 20120210413A1
Filed: 02/11/2011
Published: 08/16/2012
Est. Priority Date: 02/11/2011
Status: Active Grant

First Claim

Patent Images

1. A computing system comprising:

an authentication server to authenticate users; and

a plurality of server systems to host a plurality of protected resources, which are accessible only to authenticated users,each server system to receive a request for accessing a protected resource of said plurality of protected resources and if the request is identified as not being from an authenticated user, redirecting the received request to said authentication server for authentication of the user by said authentication server,wherein said authentication server and said plurality of server systems operate to enable a single user to access said plurality of protected resources from different browser instances based on a single authentication provided in one browser instance corresponding to said single user.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Facilitating single sign-on (SSO) across multiple browser instances such that user authentication at one browser instance is used as a basis to permit access to protected resources (hosted on server systems) from other browser instances. In an embodiment, the different browser instances are executing on different client systems. An authentication server may maintain a registration data indicating the different client systems/browser instances registered by a user for SSO feature. After a user is authenticated for a first session from one browser instance, the authentication server enables the user to access any protected resource from registered client systems/browser instances without requiring further authentication (based on the presence of the authenticated first session).

91 Citations

View as Search Results

19 Claims

1. A computing system comprising:
- an authentication server to authenticate users; and
  
  a plurality of server systems to host a plurality of protected resources, which are accessible only to authenticated users,each server system to receive a request for accessing a protected resource of said plurality of protected resources and if the request is identified as not being from an authenticated user, redirecting the received request to said authentication server for authentication of the user by said authentication server,wherein said authentication server and said plurality of server systems operate to enable a single user to access said plurality of protected resources from different browser instances based on a single authentication provided in one browser instance corresponding to said single user.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computing system of claim 1, further comprising:
    - a single client system to execute a plurality of browsers instances using which users send requests to said plurality of server systems, wherein said single user sends a first request for accessing a first protected resource using a first browser instance and then a second request for accessing a second protected resource using a second browser instance, wherein said first protected resource and said second protected resource are contained in said plurality of protected resources,wherein said authentication server performs said single authentication of said single user in response to receiving said first request, wherein said single user is allowed to access said first protected resource after said single authentication,wherein said authentication server and said plurality of server systems operate to allow said single user to access said second protected resource based on said single authentication such that said single user is not required to perform authentication again to access said second protected resource from said second browser instance.
  - 3. The computing system of claim 1, further comprising:
    - a plurality of client systems using which users send requests to said plurality of server systems, wherein said single user sends a first request for accessing a first protected resource using a first browser instance executing in a first client system and then a second request for accessing a second protected resource using a second browser instance executing in a second client system, wherein said first protected resource and said second protected resource are contained in said plurality of protected resources, wherein said first client system and said second client system are contained in said plurality of client systems,wherein said authentication server performs said single authentication of said single user in response to receiving said first request, wherein said single user is allowed to access said first protected resource from said first client system after said single authentication,wherein said authentication server and said plurality of server systems operate to allow said single user to access said second protected resource based on said single authentication such that said single user is not required to perform authentication again to access said second protected resource from said second client system.
  - 4. The computing system of claim 3, wherein said authentication server maintains a registration data indicating a respective set of client systems registered for each user across which single sign-on (SSO) is to be facilitated,wherein said registration data indicates that a first set of client systems is registered for said single user, said first set of client systems contained in said plurality of client systems and including said second client system,wherein access to said second protected resource from said second client system is allowed based on the presence of said second client system in said first set of client systems in said registration data.
  - 5. The computing system of claim 4, wherein said registration data further indicates a respective set of policies to be checked before allowing access from each of the client system registered for a user,wherein said registration data indicates that a first set of policies is to be checked before allowing access from said second client system registered for said single user,wherein access to said second protected resource from said second client system is allowed only when said first set of policies are checked and determined to be validated.
  - 6. The computing system of claim 4, wherein each of said plurality of client systems indicated in said registration data is identified using a corresponding unique signature,wherein presence of said second client system in said first set of client systems is determined based on matching of the unique identifier of said second client system in said registration data.
  - 7. The computing system of claim 6, wherein the unique signature of a client system comprises a browser signature corresponding to the browser instance used to send the request to access protected requests and a device signature corresponding to the client system.

8. A method of facilitating single sign-on (SSO) across multiple client systems when accessing a plurality of protected resources, wherein said plurality of protected resources are accessible only to users authenticated by an authentication server, said method being performed in said authentication server, said method comprising:
- maintaining a registration data indicating which ones of a plurality of client systems are registered for which ones of a plurality of users for accessing said plurality of protected resources;
  
  receiving, from a first client system, a first request from a first user to access a first protected resource of said plurality of protected resources, said first user being contained in said plurality of users, said first client system being contained in said plurality of client systems;
  
  allowing access to said first protected resource from said first client system after an authentication of said first user;
  
  receiving, from a second client system, a second request to access a second protected resource of said plurality of protected resource, said second client system being contained in said plurality of client systems;
  
  determining that said second client system is registered for said first user based on said registration data; and
  
  allowing access to said second protected resource from said second client system based on said authentication of said first user with respect to accessing of said first protected resource,wherein said first user is enabled to access said plurality of protected resources from different client systems based on said authentication provided from said first client system.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The method of claim 8, wherein said registration data indicates that said a first set of client systems contained in said plurality of client systems is registered for said first user,wherein said determining determines that said second client system is registered for said first user based on the presence of said second client system in said first set of client systems.
  - 10. The method of claim 9, wherein said registration data further indicates a respective set of policies to be checked before allowing access from each of the client system registered for a user,wherein said registration data indicates that a first set of policies is to be checked before allowing access from said second client system registered for said first user,wherein said allowing allows access to said second protected resource from said second client system only when said first set of policies are checked and determined to be validated.
  - 11. The method of claim 10, wherein each of said plurality of client systems indicated in said registration data is identified using a corresponding unique signature,wherein presence of said second client system in said first set of client systems is determined based on matching of the unique identifier of said second client system in said registration data.
  - 12. The method of claim 11, wherein the unique signature of a client system comprises a browser signature corresponding to the browser instance used to send the request to access protected requests and a device signature corresponding to the client system.

13. A non-transitory machine readable medium storing one or more sequences of instructions for causing an authentication server to facilitate single sign-on (SSO) across multiple client systems when accessing protected resources, wherein each protected resource is accessible only to users authenticated by said authentication server, wherein execution of said one or more sequences of instructions by one or more processors contained in said authentication server causes said authentication server to perform the actions of:
- receiving, from a first client system, a first request from a first user to access a first protected resource;
  
  allowing access to said first protected resource from said first client system after an authentication of said first user;
  
  receiving, from a second client system, a second request from said first user to access a second protected resource; and
  
  allowing access to said second protected resource from said second client system based on said authentication of said first user at said first client system,wherein said first user is enabled to access the protected resources from different client systems based on said authentication provided from said first client system.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The machine readable medium of claim 13, further comprising one or more instructions for:
    - creating a global session in said authentication server for said first user based on said authentication; and
      
      checking, in response to said second request after said determining, whether said global session for said first user exists in said authentication server,wherein said allowing allows access to said second protected resource from said second client system if said checking determines that said global session exists in said authentication server.
  - 15. The machine readable medium of claim 14, further comprising one or more instructions for creating a local session in said authentication server for said first user when accessing said second protected resource from said second client system.
  - 16. The machine readable medium of claim 14, further comprising one or more instructions for:
    - maintaining a registration data indicating a respective set of client systems registered for each user across which single sign-on (SSO) is to be facilitated, wherein said registration data indicates that a first set of client systems is registered for said first user; and
      
      determining whether said second client system is included in said first set of client systems to identify that said second request is received from said first user,wherein said allowing allows access to said second protected resource from said second client system if said determining determines that said second client system is included in said first set of client systems.
  - 17. The machine readable medium of claim 16, wherein said registration data further indicates a respective set of policies to be checked before allowing access from each of the client system registered for a user,wherein said registration data indicates that a first set of policies is to be checked before allowing access from said second client system registered for said first user,wherein said allowing allows access to said second protected resource from said second client system only when said first set of policies are checked and determined to be validated.
  - 18. The machine readable medium of claim 17, wherein each of said plurality of client systems indicated in said registration data is identified using a corresponding unique signature,wherein said determining determines whether said second client system is included in said first set of client systems based on matching of the unique identifier of said second client system in said registration data.
  - 19. The machine readable medium of claim 18, wherein the unique signature of a client system comprises a browser signature corresponding to a browser instance used to send the request to access protected requests and a device signature corresponding to the client system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Akula, Naga Sravani, Chatoth, Vikas Pooven

Granted Patent

US 9,413,750 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/8
CPC Class Codes

H04L 63/0815   providing single-sign-on or...

H04L 63/168   above the transport layer

H04L 67/02   based on web technology, e....

FACILITATING SINGLE SIGN-ON (SSO) ACROSS MULTIPLE BROWSER INSTANCE

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

91 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

FACILITATING SINGLE SIGN-ON (SSO) ACROSS MULTIPLE BROWSER INSTANCE

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

91 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others