Cross instance user authentication architecture

US 9,584,505 B2
Filed: 05/12/2015
Issued: 02/28/2017
Est. Priority Date: 04/17/2012
Status: Active Grant

First Claim

Patent Images

1. A method at a host organization, the method comprising:

receiving a login request from a client device at a single URL endpoint which services login requests for the host organization, the login request received at a first login server of the host organization, the first login server having at least a processor and a memory therein to receive the login request, wherein the first login server resides within a first datacenter of the host organization;

forwarding the login request received at the first login server of the host organization to a second login server within a second one of a plurality of datacenters within the host organization, the second login server having at least a processor and a memory therein to receive the login request from the first login server;

determining the second datacenter is a non-home-geo datacenter for a user associated with the login request received from the client device;

establishing a back-end link from the non-home-geo datacenter to a home-geo datacenter for the user;

forwarding the login request from the non-home-geo datacenter to the home-geo datacenter via the back-end link for authentication of the client device at the user'"'"'s home-geo datacenter responsive to the login request received from the client device; and

redirecting communications with the host organization from the client device to the user'"'"'s home-geo datacenter upon successful authentication of the login request at the home-geo datacenter.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In accordance with disclosed embodiments, there are provided methods, systems, and apparatuses for implementing a cross instance user authentication architecture in an on-demand service environment including, for example, means for receiving a login request at a global Virtual Internet Protocol (VIP) address for the host organization from a client device; forwarding the login request; determining the selected datacenter is a home-geo or a non-home-geo datacenter; establishing a back-end link; forwarding the login request from the non-home-geo datacenter to the home-geo datacenter via the back-end link for authentication; and returning a response to the client device from the non-home-geo datacenter upon successful authentication of the login request at the home-geo datacenter. Other related embodiments are disclosed.

Citations

19 Claims

1. A method at a host organization, the method comprising:
- receiving a login request from a client device at a single URL endpoint which services login requests for the host organization, the login request received at a first login server of the host organization, the first login server having at least a processor and a memory therein to receive the login request, wherein the first login server resides within a first datacenter of the host organization;
  
  forwarding the login request received at the first login server of the host organization to a second login server within a second one of a plurality of datacenters within the host organization, the second login server having at least a processor and a memory therein to receive the login request from the first login server;
  
  determining the second datacenter is a non-home-geo datacenter for a user associated with the login request received from the client device;
  
  establishing a back-end link from the non-home-geo datacenter to a home-geo datacenter for the user;
  
  forwarding the login request from the non-home-geo datacenter to the home-geo datacenter via the back-end link for authentication of the client device at the user'"'"'s home-geo datacenter responsive to the login request received from the client device; and
  
  redirecting communications with the host organization from the client device to the user'"'"'s home-geo datacenter upon successful authentication of the login request at the home-geo datacenter.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1, wherein receiving the login request at the single URL endpoint comprises:
    - receiving the login requests at a selected one of the plurality of datacenters within the host organization, wherein selection of the one of the plurality of datacenters to receive each login request is determined without regard to whether the selected one of the plurality of datacenters is a home-geo datacenter for the respective login request or a non-home-geo datacenter for the respective login request.
  - 3. The method of claim 1, wherein a global load balancer selects one of the plurality of datacenters of the host organization to receive each login request received by the host organization, wherein the selection of the datacenters by the global load balancer is performed without regard to whether the selected datacenter is a home-geo datacenter or a non-home-geo datacenter for the login request.
  - 4. The method of claim 3, wherein a local load balancer within each datacenter selects which one of a plurality of login servers at each of the datacenters of the host organization is to process login requests received at the single URL endpoint and communicated to each respective datacenter pursuant to the selection by the global load balancer.
  - 5. The method of claim 1, wherein receiving the login request from the client device comprises the host organization receiving the login request at a global Virtual Internet Protocol (VIP) address operating as the single URL endpoint for servicing login requests for the host organization.
  - 6. The method of claim 5:
    - wherein receiving a login request at a global Virtual Internet Protocol (VIP) address for the host organization from a client device comprises receiving the login request at a global Virtual IP interface and load balancer for the host organization; and
      
      wherein the global Virtual IP interface and load balancer selects the one of the plurality of datacenters within the host organization to process the login request received based on a geographic proximity of the client device making the login request and the selected one of the plurality of datacenters.
  - 7. The method of claim 6, wherein the global Virtual IP interface and load balancer operates at computing hardware of the host organization which resides outside of the selected one of the plurality of datacenters and which resides outside of the home-geo datacenter for the user.
  - 8. The method of claim 6, wherein the global Virtual IP interface and load balancer selects an instance from an application server pool at the selected datacenter to receive the login request for further processing.
  - 9. The method of claim 1, wherein establishing the back-end link from the non-home-geo datacenter to a home-geo datacenter for the user, comprises:
    - determining a geographic region associated with the client device based on an Internet Protocol (IP) address for the client device; and
      
      performing geographic Internet Protocol (Geo-IP) routing for the client device based on the geographic region associated with the client device to select one of the plurality of datacenters within the host organization.
  - 10. The method of claim 1, further comprising:
    - receiving the login request at an application server within a first computing pod of the first datacenter;
      
      checking a database within the first computing pod for a username passed with the login request;
      
      performing a fan-out operation to a second one or more computing pods of the first datacenter requesting application servers in the respective second one or more computing pods check databases within the respective second one or more computing pods of the first datacenter for the username passed with the login request when the username is not located in the database of the first computing pod; and
      
      performing a fan-out operation to at least the second datacenter of the host organization requesting application servers in the second datacenter to check databases within the second datacenter for the username passed with the login request when the username is not located in any of the computing pods of the first datacenter.
  - 11. The method of claim 10, further comprising:
    - returning an error code to the computing device making the login request when the username is not identified within any datacenter of the host organization indicating the user is unknown or invalid;
      
      maintaining a count of invalid requests associated with the computing device making the login request; and
      
      discarding further login requests from the computing device to protect against denial of service (DOS) attacks when the count of invalid requests from the computing device exceeds a threshold.
  - 12. The method of claim 1, further comprising:
    - for each datacenter, replicating a users table across all pods of the respective datacenter, wherein the replicated users table is unique to the respective datacenter and is not replicated across multiple datacenters, wherein each users table within each one of the datacenters specifies all users affiliated with the respective datacenter as their home-geo datacenter.
  - 13. The method of claim 1, further comprising:
    - replicating a master users table across all datacenters of the host organization, wherein the master users table specifies all users known to the host organization and the home-geo datacenter for each of the users known.
  - 14. The method of claim 1:
    - wherein receiving a login request at the host organization from a client device comprises receiving the login request from a web-browser at the client device;
      
      wherein establishing a back-end link from the non-home-geo datacenter to a home-geo datacenter for the user further comprises communicating with the home-geo datacenter over the back-end link using a temporary session; and
      
      wherein redirecting communications with the host organization from the client device to the user'"'"'s home-geo datacenter upon successful authentication of the login request at the home-geo datacenter further comprises returning a valid session cookie for an authenticated session between the client device and the home-geo datacenter specified via the re-direction.
  - 15. The method of claim 1, wherein the authentication of the client device at the home-geo datacenter comprises:
    - validating a username and password passed with the login request;
      
      validating an Internet Protocol (IP) address associated with the user'"'"'s login request;
      
      validating the user against permissible login hours for the username specified; and
      
      validating a challenge response to a further authentication challenge issued by the host organization responsive to the login request.
  - 16. The method of claim 1, wherein establishing the back-end link from the non-home-geo datacenter to the home-geo datacenter for the user comprises opening a secure HTTP compatible tunnel between an application server instance of the non-home-geo datacenter and an application server instance at the home-geo datacenter.
  - 17. The method of claim 1, wherein forwarding the login request received at the first login server of the host organization to the second login server within the second one of the plurality of datacenters within the host organization comprises communicating cross-instance calls between the non-home-geo datacenter and the home-geo datacenter, wherein each of the cross-instance calls are secured by one or more of the following:
    - a temporary session ID created uniquely for the communications between the non-home-geo datacenter and the home-geo datacenter in fulfillment of the login request;
      
      a header specifying a hash of the MAC address of the instance at the non-home-geo datacenter to protect against modification to the cross-instance calls en-route; and
      
      IP restriction applied to the cross-instance calls on the back-end link to prevent external parties from accessing or modifying the cross-instance calls being communicated.

18. Non-transitory computer readable storage medium having instructions stored thereon that, when executed by a computing hardware of a host organization including one or more processors and memories, the instructions cause the host organization to perform operations comprising:
- receiving a login request from a client device at a single URL endpoint which services login requests for the host organization, the login request received at a first login server of the host organization, the first login server having at least a processor and a memory therein to receive the login request, wherein the first login server resides within a first datacenter of the host organization;
  
  forwarding the login request received at the first login server of the host organization to a second login server within a second one of a plurality of datacenters within the host organization, the second login server having at least a processor and a memory therein to receive the login request from the first login server;
  
  determining the second datacenter is a non-home-geo datacenter for a user associated with the login request received from the client device;
  
  establishing a back-end link from the non-home-geo datacenter to a home-geo datacenter for the user;
  
  forwarding the login request from the non-home-geo datacenter to the home-geo datacenter via the back-end link for authentication of the client device at the user'"'"'s home-geo datacenter responsive to the login request received from the client device; and
  
  redirecting communications with the host organization from the client device to the user'"'"'s home-geo datacenter upon successful authentication of the login request at the home-geo datacenter.

19. A computing architecture within a host organization, the computing architecture comprising:
- one or more processors and memories to execute instructions;
  
  a plurality of datacenters geographically separated from one another, each of the plurality of datacenters having a plurality of computing pods therein including a database and a pool of application servers to perform workload processing on behalf of the host organization;
  
  a global virtual IP address interface and load balancer servicing a single URL endpoint for the host organization to receive login requests on behalf of the host organization;
  
  wherein the global virtual IP address interface and load balancer is to receive a login request from a client device at a first login server of the host organization;
  
  wherein the login request from the client device is received at the single URL endpoint which services login requests for the host organization;
  
  wherein the first login server resides within a first datacenter of the host organization;
  
  the first login server to forward the login request received to a second login server within a second one of a plurality of datacenters within the host organization;
  
  wherein the second login server at the second datacenter determines the second datacenter is a non-home-geo datacenter for a user associated with the login request received from the client device;
  
  wherein the second login server is to establish a back-end link from the non-home-geo datacenter to a home-geo datacenter for the user and forward the login request from the non-home-geo datacenter to the home-geo datacenter via the back-end link for authentication of the client device at the user'"'"'s home-geo datacenter responsive to the login request received from the client device; and
  
  wherein the second login server is to redirect communications with the host organization from the client device to the user'"'"'s home-geo datacenter upon successful authentication of the login request at the home-geo datacenter.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Salesforce.com, Inc.
Original Assignee
Salesforce.com, Inc.
Inventors
Lee, Jong
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Zoubair, Noura

Application Number

US14/709,822
Publication Number

US 20150244703A1
Time in Patent Office

658 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/31   User authentication

G06F 21/45   Structures or tools for the...

H04L 63/0815   providing single-sign-on or...

H04L 63/083   using passwords cryptograph...

H04L 67/02   based on web technology, e....

H04L 67/10   in which an application is ...

H04L 67/1021   based on client or server l...

Cross instance user authentication architecture

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Cross instance user authentication architecture

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links