Single sign-on between multiple data centers
Abstract
Systems and methods are disclosed for a single sign-on (SSO) enterprise system with multiple data centers that use a lightweight cookie on a user's client device. The lightweight cookie includes a reference to a data center in which the user is already authenticated, and a new data center contacts the old data center for creating a session for the user on the new data center. If the old data center is unavailable, then the new data center may fall back to accessing a local security store, a backup of keys, security tokens, and/or other security data, in order to create a local session for the user on the new data center.
16 Claims
1. A method comprising:
- generating, by a first computer system managing access at a first data center, an authentication cookie associated with a user, wherein the authentication cookie is generated using a first session object for a first session established at the first data center, the first session established based upon successful authentication of the user at the first data center for access to a first resource at a client device, wherein the first session object is stored at the first data center, and wherein the authentication cookie includes an identifier that identifies the first data center;
- sending the generated authentication cookie to the client device associated with the user to provide the access to the first resource;
- based on no active session for the user at a second data center and responsive to a request, by the user at the client device, to the second data center for access to a second resource at the client device, the request including the generated authentication cookie having the identifier of the first data center as having a session;
- receiving, by the first computer system, from a second computer system managing access at the second data center, a retrieval request having the identifier of the first data center obtained from the generated authentication cookie provided in the request to the second data center, wherein the retrieval request is a message requesting session information for the first session established for the user at the first data center;
- responsive to the retrieval request, determining, based on the first session object, whether the first session for the user is active at the first data center;
- based on determining that the first session for the user is active at the first data center, transmitting, by the first computer system, to the second computer system of the second data center, session data indicated by the first session object, wherein a second session object is generated for a second session enabling access to the second resource by the second computer system for the second data center using the session data, and wherein the second session object is generated for authentication of the user at the second data center; and
- based on receiving an indication that the second session object at the second data center has been generated for the second session using the session data, terminating, by the first computer system, the first session associated with the user at the first data center.

Dependent claims: 2, 3, 4, 5, 6.
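The handoff that the abstract and claim 1 describe, as an added example that is not part of the patent: a toy Python model of several data centers in which the cookie carries only the issuing data center's identifier and a session id, the second data center sends a retrieval request to the first, and the first terminates its session once the second confirms. The HMAC tag on the cookie, the in-memory peer registry, the replicated backup store used for the fallback, and all names are assumptions for illustration.

```python
import hashlib, hmac, json, secrets

class DataCenter:
    def __init__(self, dc_id, peers, key, backup):
        self.dc_id, self.peers, self.key, self.backup, self.sessions = dc_id, peers, key, backup, {}
        peers[dc_id] = self  # constructed registry standing in for the network; backup maps sid -> user

    def _sign(self, payload):  # lightweight cookie: {dc, sid} plus an HMAC tag (the tag is an assumption)
        body = json.dumps(payload, sort_keys=True)
        return body + "|" + hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()

    def _verify(self, cookie):  # never act on the cookie's data center identifier before checking the tag
        body, _, mac = cookie.rpartition("|")
        good = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        return json.loads(body) if hmac.compare_digest(mac, good) else None

    def login(self, user):  # after successful authentication here: create the first session, issue cookie
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"user": user, "active": True}
        self.backup[sid] = user  # replicate the session token to the backup security store
        return self._sign({"dc": self.dc_id, "sid": sid})

    def retrieve_session(self, sid):  # a peer's retrieval request: hand over only an active session
        s = self.sessions.get(sid)
        return s["user"] if s and s["active"] else None

    def access(self, cookie):  # resource request at this data center; returns the user or None
        c = self._verify(cookie)
        if c is None:
            return None  # forged or tampered cookie
        if c["dc"] == self.dc_id or c["sid"] in self.sessions:
            return self.retrieve_session(c["sid"])  # a session already exists here (active or not)
        origin = self.peers.get(c["dc"])  # None models the issuing data center being unreachable
        user = origin.retrieve_session(c["sid"]) if origin else self.backup.get(c["sid"])
        if user is None:
            return None  # no active session at the origin and nothing in the backup store
        if origin:
            origin.sessions[c["sid"]]["active"] = False  # handoff confirmed: origin terminates its session
        self.sessions[c["sid"]] = {"user": user, "active": True}  # the second session object
        return user

def demo():  # constructed scenario: login at dc1, handoff to dc2, fallback at dc3 while dc1 is down
    peers, backup, key = {}, {}, b"constructed-shared-cookie-key"
    dc1, dc2, dc3 = (DataCenter(n, peers, key, backup) for n in ("dc1", "dc2", "dc3"))
    cookie = dc1.login("alice")
    result = {"handoff": dc2.access(cookie), "tampered": dc2.access(cookie.replace('"dc1"', '"dc2"'))}
    result["dc1_terminated"] = not any(s["active"] for s in dc1.sessions.values())
    del peers["dc1"]  # simulate the origin data center going offline
    result["fallback"] = dc3.access(cookie)
    return result
```

After the handoff the original cookie still names dc1, so a later request back at dc1 is refused until the user authenticates again; a deployment would issue a fresh cookie from the new data center.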
7. A system comprising:
- a first data storage system including: a memory storing a plurality of instructions; and one or more hardware processors; and
- a second data storage system including a computer system;
wherein the plurality of instructions, when executed by the one or more hardware processors, cause the one or more hardware processors to:
- generate an authentication cookie associated with a user, wherein the authentication cookie is generated using a first session object for a first session established at the first data storage system, the first session established based upon successful authentication of the user at the first data storage system for access to a first resource at a client device, wherein the first session object is stored at the first data storage system, and wherein the authentication cookie includes an identifier that identifies the first data storage system;
- send the generated authentication cookie to the client device associated with the user to provide the access to the first resource;
- based on no active session for the user at the second data storage system and responsive to a request, by the user at the client device, to the second data storage system for access to a second resource at the client device, the request including the generated authentication cookie having the identifier of the first data storage system as having a session;
- receive, from a second computer system managing access at the second data storage system, a retrieval request having the identifier of the first data storage system obtained from the generated authentication cookie provided in the request to the second data storage system, wherein the retrieval request is a message requesting session information for the first session established for the user at the first data storage system;
- responsive to the retrieval request, determine, based on the first session object, whether the first session for the user is active at the first data storage system;
- based on determining that the first session for the user is active at the first data storage system, transmit, to the computer system of the second data storage system, session data indicated by the first session object, wherein a second session object is generated for a second session enabling access to the second resource by the computer system for the second data storage system using the session data, and wherein the second session object is generated for authentication of the user at the second data storage system; and
- based on receiving an indication that the second session object at the second data storage system has been generated for the second session using the session data, terminate the first session associated with the user at the first data storage system.

Dependent claims: 8, 9, 10, 11.
12. A non-transitory computer-readable medium storing a plurality of instructions executable by one or more processors to cause the one or more processors to:
- generate, by a first computer system managing access at a first data center, an authentication cookie associated with a user, wherein the authentication cookie is generated using a first session object for a first session established at the first data center, the first session established based upon successful authentication of the user at the first data center for access to a first resource at a client device, wherein the first session object is stored at the first data center, and wherein the authentication cookie includes an identifier that identifies the first data center;
- send the generated authentication cookie to the client device associated with the user to provide the access to the first resource;
- based on no active session for the user at a second data center and responsive to a request, by the user at the client device, to the second data center for access to a second resource at the client device, the request including the generated authentication cookie having the identifier of the first data center as having a session;
- receive, by the first computer system, from a second computer system managing access at the second data center, a retrieval request having the identifier of the first data center obtained from the generated authentication cookie provided in the request to the second data center, wherein the retrieval request is a message requesting session information for the first session established for the user at the first data center;
- responsive to the retrieval request, determine, based on the first session object, whether the first session for the user is active at the first data center;
- based on determining that the first session for the user is active at the first data center, transmit, to the second computer system of the second data center, session data indicated by the first session object, wherein a second session object is generated for a second session enabling access to the second resource by the second computer system for the second data center using the session data, and wherein the second session object is generated for authentication of the user at the second data center; and
- based on receiving an indication that the second session object at the second data center has been generated for the second session using the session data, terminate, by the first computer system, the first session associated with the user at the first data center.

Dependent claims: 13, 14, 15, 16.
Specification