SINGLE SIGN-ON BETWEEN MULTIPLE DATA CENTERS

US 20150089614A1
Filed: 12/20/2013
Published: 03/26/2015
Est. Priority Date: 09/20/2013
Status: Active Grant

First Claim

Patent Images

1. A method for single sign-on (SSO) access among data centers, the method comprising:

receiving, at a first data center, a single sign-on authentication cookie from a client device, the cookie including a reference to a second data center with which a user of the client device has been successfully authenticated;

building, using at least one processor operatively coupled with a memory at the first data center, a session retrieval request based on the reference included in the authentication cookie; and

sending, from the first data center, the session retrieval request to the second data center based on the reference included in the authentication cookie.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are disclosed for a single sign-on (SSO) enterprise system with multiple data centers that use a lightweight cookie on a user'"'"'s client device. The lightweight cookie includes a reference to a data center in which the user is already authenticated, and a new data center contacts the old data center for creating a session for the user on the new data center. If the old data center is unavailable, then the new data center may fall back to accessing a local security store, a backup of keys, security tokens, and/or other security data, in order to create a local session for the user on the new data center.

Citations

20 Claims

1. A method for single sign-on (SSO) access among data centers, the method comprising:
- receiving, at a first data center, a single sign-on authentication cookie from a client device, the cookie including a reference to a second data center with which a user of the client device has been successfully authenticated;
  
  building, using at least one processor operatively coupled with a memory at the first data center, a session retrieval request based on the reference included in the authentication cookie; and
  
  sending, from the first data center, the session retrieval request to the second data center based on the reference included in the authentication cookie.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising:
    - receiving, at the first data center, session data from the second data center in response to the session retrieval request; and
      
      initializing, at the first data center, a session object with the session data from the second data center sufficient to authenticate the user client device at the first data center.
  - 3. The method of claim 2, further comprising:
    - terminating a session of the user at the second data center based on the initializing of the session object at the first data center.
  - 4. The method of claim 3, wherein the terminating is based upon an administrator preference to have only one active user session at a time in the data centers.
  - 5. The method of claim 2, further comprising:
    - terminating a session of the user at the second data center and the session object at the first data center in response to the user logging out of the first data center.
  - 6. The method of claim 1, further comprising:
    - prompting, from the first data center, the user for authentication credentials based on an administrator preference.
  - 7. The method of claim 1, further comprising:
    - determining, by the first data center, that the second data center cannot respond to the session retrieval request;
      
      determining, by the first data center, that a local security store of the first data center includes session data previously replicated from the second data center;
      
      reading, from the local security store of the first data center, the session data previously replicated from the second data center; and
      
      initializing, at the first data center, a session object with the session data from the local security store sufficient to authenticate the user client device at the first data center.
  - 8. The method of claim 1, further comprising:
    - determining, by the first data center, that the second data center cannot respond to the session retrieval request;
      
      determining, by the first data center, that a local security store of the first data center does not have sufficient session data for the client device replicated from the second data center;
      
      prompting, from the first data center, the user for authentication credentials;
      
      receiving, at the first data center, authentication credentials from the user in response to the prompt; and
      
      initializing, at the first data center, a session object using the received authentication credentials.

9. A system of a first data center, comprising:
- a memory storing a plurality of instructions; and
  
  one or more processors configurable to;
  
  receive a single sign-on authentication cookie from a client device, the cookie including a reference to a second data center with which a user of the client device has been successfully authenticated;
  
  build a session retrieval request based on the reference included in the authentication cookie; and
  
  send the session retrieval request to the second data center based on the reference included in the authentication cookie.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The system of claim 9, wherein the one or more processors are further configurable to:
    - receive session data from the second data center in response to the session retrieval request; and
      
      initialize a session object with the session data from the second data center sufficient to authenticate the user client device at the first data center.
  - 11. The system of claim 10, wherein the one or more processors are further configurable to:
    - terminate a session of the user at the second data center based on the initializing of the session object at the first data center.
  - 12. The system of claim 10, wherein the one or more processors are further configurable to:
    - terminate a session of the user at the second data center and the session object at the first data center in response to the user logging out of the first data center.
  - 13. The system of claim 9, wherein the one or more processors are further configurable to:
    - determine that the second data center cannot respond to the session retrieval request;
      
      determine that a local security store of the first data center includes session data previously replicated from the second data center;
      
      read, from the local security store of the first data center, the session data previously replicated from the second data center; and
      
      initialize a session object with the session data from the local security store sufficient to authenticate the user client device at the first data center.
  - 14. The system of claim 9, wherein the one or more processors are further configurable to:
    - determine that the second data center cannot respond to the session retrieval request;
      
      determine that a local security store of the first data center does not have sufficient session data for the client device replicated from the second data center;
      
      prompt the user for authentication credentials;
      
      receive authentication credentials from the user in response to the prompt; and
      
      initializing a session object using the received authentication credentials.

15. A computer-readable medium storing a plurality of instructions executable by one or more processors of a first data center, the plurality of instructions causing the one or more processors to:
- receive a single sign-on authentication cookie from a client device, the cookie including a reference to a second data center with which a user of the client device has been successfully authenticated;
  
  build a session retrieval request based on the reference included in the authentication cookie; and
  
  send the session retrieval request to the second data center based on the reference included in the authentication cookie.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer-readable medium of claim 15, the plurality of instructions further causing the one or more processors to:
    - receive session data from the second data center in response to the session retrieval request; and
      
      initialize a session object with the session data from the second data center sufficient to authenticate the user client device at the first data center.
  - 17. The computer-readable medium of claim 16, the plurality of instructions further causing the one or more processors to:
    - terminate a session of the user at the second data center based on the initializing of the session object at the first data center.
  - 18. The computer-readable medium of claim 16, the plurality of instructions further causing the one or more processors to:
    - terminate a session of the user at the second data center and the session object at the first data center in response to the user logging out of the first data center.
  - 19. The computer-readable medium of claim 15, the plurality of instructions further causing the one or more processors to:
    - determine that the second data center cannot respond to the session retrieval request;
      
      determine that a local security store of the first data center includes session data previously replicated from the second data center;
      
      read, from the local security store of the first data center, the session data previously replicated from the second data center; and
      
      initialize a session object with the session data from the local security store sufficient to authenticate the user client device at the first data center.
  - 20. The computer-readable medium of claim 15, the plurality of instructions further causing the one or more processors to:
    - determine that the second data center cannot respond to the session retrieval request;
      
      determine that a local security store of the first data center does not have sufficient session data for the client device replicated from the second data center;
      
      prompt the user for authentication credentials;
      
      receive authentication credentials from the user in response to the prompt; and
      
      initialize a session object using the received authentication credentials.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
MATHEW, Stephen, MOTUKURU, Vamsi, MARTIN, Madhu, CHATHOTH, Vikas Pooven

Granted Patent

US 9,247,006 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/7
CPC Class Codes

G06F 21/41   where a single sign-on prov...

H04L 63/08   for authentication of entit...

H04L 63/0815   providing single-sign-on or...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

H04L 65/1066   Session management

H04L 65/1069   Session establishment or de...

H04L 67/141   Setup of application sessio...

SINGLE SIGN-ON BETWEEN MULTIPLE DATA CENTERS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SINGLE SIGN-ON BETWEEN MULTIPLE DATA CENTERS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links