Single sign-on between multiple data centers

US 9,887,981 B2
Filed: 01/25/2016
Issued: 02/06/2018
Est. Priority Date: 09/20/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

generating, by a first computer system managing access at a first data center, an authentication cookie associated with a user, wherein the authentication cookie is generated using a first session object for a first session established at the first data center, the first session established based on upon successful authentication of the user at the first data center for access to a first resource at a client device, wherein the first session object is stored at the first data center, and wherein the authentication cookie includes an identifier that identifies the first data center;

sending the generated authentication cookie to the client device associated with the user to provide the access to the first resource;

based on no active session for the user at a second data center and responsive to a request, by the user at the client device, to the second data center for access to a second resource at the client device, the request including the generated authentication cookie having the identifier of the first data center as having a session;

receiving, by the first computer system, from a second computer system managing access at the second data center, a retrieval request having the identifier of the first data center obtained from the generated authentication cookie provided in the request to the second data center, wherein the retrieval request is a message requesting session information for the first session established for the user at the first data center;

responsive to the retrieval request, determining, based on the first session object, whether the first session for the user is active at the first data center;

based on determining that the first session for the user is active at the first data center, transmitting, by the first computer system, to the second computer system of a second data center, session data indicated by the first session object, wherein a second session object is generated for a second session enabling access to the second resource by the second computer system for the second data center using the session data, and wherein the second session object is generated for authentication of the user at the second data center; and

based on receiving an indication that the second session object at the second data center has been generated for the second session using the session data, terminating, by the first computer system, the first session associated with the user at the first data center based on receiving the indication that the second session object at the second data center has been generated.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are disclosed for a single sign-on (SSO) enterprise system with multiple data centers that use a lightweight cookie on a user'"'"'s client device. The lightweight cookie includes a reference to a data center in which the user is already authenticated, and a new data center contacts the old data center for creating a session for the user on the new data center. If the old data center is unavailable, then the new data center may fall back to accessing a local security store, a backup of keys, security tokens, and/or other security data, in order to create a local session for the user on the new data center.

Citations

16 Claims

1. A method comprising:
- generating, by a first computer system managing access at a first data center, an authentication cookie associated with a user, wherein the authentication cookie is generated using a first session object for a first session established at the first data center, the first session established based on upon successful authentication of the user at the first data center for access to a first resource at a client device, wherein the first session object is stored at the first data center, and wherein the authentication cookie includes an identifier that identifies the first data center;
  
  sending the generated authentication cookie to the client device associated with the user to provide the access to the first resource;
  
  based on no active session for the user at a second data center and responsive to a request, by the user at the client device, to the second data center for access to a second resource at the client device, the request including the generated authentication cookie having the identifier of the first data center as having a session;
  
  receiving, by the first computer system, from a second computer system managing access at the second data center, a retrieval request having the identifier of the first data center obtained from the generated authentication cookie provided in the request to the second data center, wherein the retrieval request is a message requesting session information for the first session established for the user at the first data center;
  
  responsive to the retrieval request, determining, based on the first session object, whether the first session for the user is active at the first data center;
  
  based on determining that the first session for the user is active at the first data center, transmitting, by the first computer system, to the second computer system of a second data center, session data indicated by the first session object, wherein a second session object is generated for a second session enabling access to the second resource by the second computer system for the second data center using the session data, and wherein the second session object is generated for authentication of the user at the second data center; and
  
  based on receiving an indication that the second session object at the second data center has been generated for the second session using the session data, terminating, by the first computer system, the first session associated with the user at the first data center based on receiving the indication that the second session object at the second data center has been generated.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the terminating is performed based on a session policy, the session policy indicating a session threshold of a single active session for both the first data center and the second data center.
  - 3. The method of claim 1, wherein the indication is a first indication, and wherein the method further comprises:
    - receiving, by the first computer system, a second indication of the user exiting access for the second session at the second data center; and
      
      terminating, by the first computer system, the first session associated with the user at the first data center in response to receiving the second indication of the user exiting access for the second session at the second data center.
  - 4. The method of claim 1, wherein the request to the second data center is a first request, and wherein the method further comprises:
    - sending, by the first computer system, to the client device, a second request that causes the client device to prompt the user for authentication information based on a session policy.
  - 5. The method of claim 1, wherein the session data is for authentication of the user at the second data center, and wherein the session data identifies the first session at the first data center based on the successful authentication of the user at the first data center for access to the first resource at the client device.
  - 6. The method of claim 1, wherein the request to the second data center is a first request, and wherein the method further comprises:
    - responsive to receiving the retrieval request for the session information for the first session, sending, by the first computer system, to the client device, a second request for credential information of the user; and
      
      receiving, by the first computer system, the credential information from the client device responsive to the second request for credential information of the user;
      
      wherein transmitting, by the first computer system, to the second computer system, the session data indicated by the first session object includes transmitting the credential information that is received from the client device.

7. A system comprising:
- a first data storage system including;
  
  a memory storing a plurality of instructions; and
  
  one or more hardware processors; and
  
  a second data storage system including a computer system;
  
  wherein the plurality of instructions, when executed by the one or more hardware processors, cause the one or more hardware processors to;
  
  generate an authentication cookie associated with a user, wherein the authentication cookie is generated using a first session object for a first session established at the first data storage system, the first session established based on upon successful authentication of the user at the first data storage system for access to a first resource at a client device, wherein the first session object stored at the first data storage system, and wherein the authentication cookie includes an identifier that identifies the first data storage system;
  
  send the generated authentication cookie to the client device associated with the user to provide the access to the first resource;
  
  based on no active session for the user at the second data storage system and responsive to a request, by the user at the client device, to the second data storage system for access to a second resource at the client device, the request including the generated authentication cookie having the identifier of the first data storage system as having a session;
  
  receive, from a second computer system managing access at the second data storage system, a retrieval request having the identifier of the first data storage system obtained from the generated authentication cookie provided in the request to the second data storage system, wherein the retrieval request is a message requesting session information for the first session established for the user at the first data storage system;
  
  responsive to the retrieval request, determine, based on the first session object whether the first session for the user is active at the first data storage system; and
  
  based on determining that the first session for the user is active at the first data storage system, transmit, to the computer system of the second data storage system, session data indicated by the first session object, wherein a second session object is generated for a second session enabling access to the second resource by the computer system for the second data storage system using the session data, and wherein the second session object is generated for authentication of the user at the second data storage system; and
  
  based on receiving an indication that the second session object at the second data storage system has been generated for the second session using the session data, terminate the first session associated with the user at the first data storage system based on receiving the indication that the second session object at the second data storage system has been generated.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The system of claim 7, wherein the terminating is performed based on a session policy, the session policy indicating a session threshold of a single active session for both the first data storage system and the second data storage system.
  - 9. The system of claim 7, wherein the indication is a first indication, and wherein the plurality of instructions, when executed by the one or more hardware processors, further causes the one or more hardware processors to:
    - receive a second indication of the user exiting access for the second session at the second data storage system; and
      
      terminate the first session associated with the user at the first data storage system in response to receiving the second indication of the user exiting access for the second session at the second data storage system.
  - 10. The system of claim 7, wherein the session data is for authentication of the user at the second data storage system, and wherein the session data identifies the first session at the first data storage system based on the successful authentication of the user at the first data storage system for access to the first resource at the client device.
  - 11. The system of claim 7, wherein the request to the second data storage system is a first request, and wherein the plurality of instructions, when executed by the one or more hardware processors, further causes the one or more hardware processors to:
    - responsive to receiving the retrieval request for the session information for the first session, send, to the client device, a second request for credential information of the user;
      
      receive the credential information from the client device responsive to the second request for credential information of the user; and
      
      wherein transmitting the session data indicated by the first session object includes transmitting the credential information that is received from the client device.

12. A non-transitory computer-readable medium storing a plurality of instructions executable by one or more processors to cause the one or more processors to:
- generate, by a first computer system managing access at a first data center, an authentication cookie associated with a user, wherein the authentication cookie is generated using a first session object for a first session established at the first data center, the first session established based on upon successful authentication of the user at the first data center for access to a first resource at a client device, wherein the first session object is stored at the first data center, and wherein the authentication cookie includes an identifier that identifies the first data center;
  
  send the generated authentication cookie to the client device associated with the user to provide the access to the first resource;
  
  based on no active session for the user at a second data center and responsive to a request, by the user at the client device, to the second data center for access to a second resource at the client device, the request including the generated authentication cookie having the identifier of the first data center as having a session;
  
  receive, by the first computer system, from a second computer system managing access at the second data center, a retrieval request having the identifier of the first data center obtained from the generated authentication cookie provided in the request to the second data center, wherein the retrieval request is a message requesting session information for the first session established for the user at the first data center;
  
  responsive to the retrieval request, determine, based on the first session object, whether the first session for the user is active at the first data center;
  
  based on determining that the first session for the user is active at the first data center, transmit, to second computer system of a second data center, session data indicated by the first session object, wherein a second session object is generated for a second session enabling access to the second resource by the second computer system for the second data center using the session data, and wherein the second session object is generated for authentication of the user at the second data center; and
  
  based on receiving an indication that the second session object at the second data center has been generated for the second session using the session data, terminate, by the first computer system, the first session associated with the user at the first data center based on receiving the indication that the second session object at the second data center has been generated.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The non-transitory computer-readable medium of claim 12, wherein the terminating is performed based on a session policy, the session policy indicating a session threshold of a single active session for both the first data center and the second data center.
  - 14. The non-transitory computer-readable medium of claim 12, wherein the indication is a first indication, and wherein the plurality of instructions are executable by the one or more processors to further cause the one or more processors to:
    - receive a second indication of the user exiting access for the second session at the second data center; and
      
      terminate the first session of the user at the first data center in response to receiving the second indication of the user exiting access for the second session at the second data center.
  - 15. The non-transitory computer-readable medium of claim 12, wherein the session data is for authentication of the user at the second data center, and wherein the session data identifies the first session at the first data center based on the successful authentication of the user at the first data center for access to the first resource at the client device.
  - 16. The non-transitory computer-readable medium of claim 12, wherein the request to the second data center is a first request, and wherein the plurality of instructions are executable by the one or more processors to further cause the one or more processors to:
    - responsive to receiving the retrieval request for the session information, send to the client device, a second request for credential information of the user;
      
      receive the credential information from the client device responsive to the second request for credential information of the user; and
      
      wherein transmitting the session data indicated by the first session object includes transmitting the credential information that is received from the client device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Mathew, Stephen, Motukuru, Vamsi, Martin, Madhu, Chathoth, Vikas Pooven
Primary Examiner(s)
Reza, Mohammad W

Application Number

US15/005,365
Publication Number

US 20160219040A1
Time in Patent Office

743 Days
Field of Search

726 1
US Class Current
CPC Class Codes

G06F 21/41   where a single sign-on prov...

H04L 63/08   for authentication of entit...

H04L 63/0815   providing single-sign-on or...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

H04L 65/1066   Session management

H04L 65/1069   Session establishment or de...

H04L 67/141   Setup of application sessio...

Single sign-on between multiple data centers

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Single sign-on between multiple data centers

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links