Session synchronization across multiple devices in an identity cloud service

US 10,764,273 B2
Filed: 06/28/2018
Issued: 09/01/2020
Est. Priority Date: 06/28/2018
Status: Active Grant

First Claim

Patent Images

1. A method for session synchronization across multiple devices of a user in a cloud-based identity and access management (IAM) system, the method comprising:

authenticating the user into an application on a first device of the user;

receiving a first request by a single-sign-on (SSO) service of the cloud-based IAM system from the first device to enroll the first device in a circle of trust (CoT) device group associated with the user, wherein a second device of the user is already enrolled in the CoT device group;

sending a push notification to the second device to obtain user consent of the user to enroll the first device in the CoT device group, wherein the second device obtains the consent of the user and sends a consent token to the first device;

receiving a second request from the first device by the SSO service, wherein the second request includes the consent token;

verifying the consent token;

enrolling the first device in the CoT device group; and

performing SSO session synchronization across devices enrolled in the CoT device group including the first device and the second device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments provide session synchronization across multiple user devices in a cloud-based identity and access management (IAM) system by authenticating the user into an application on a first device; receiving a first request by a single-sign-on (SSO) service of the IAM system from the first device to enroll the first device in a circle of trust (CoT) device group associated with the user, where a second device of the user is already enrolled in CoT; sending a push notification to the second device to obtain user consent to enroll the first device in CoT, where the second device obtains user consent and sends a consent token to the first device; receiving a second request including the consent token from the first device; verifying the consent token; enrolling the first device in CoT; and performing SSO session synchronization across devices enrolled in CoT.

291 Citations

20 Claims

1. A method for session synchronization across multiple devices of a user in a cloud-based identity and access management (IAM) system, the method comprising:
- authenticating the user into an application on a first device of the user;
  
  receiving a first request by a single-sign-on (SSO) service of the cloud-based IAM system from the first device to enroll the first device in a circle of trust (CoT) device group associated with the user, wherein a second device of the user is already enrolled in the CoT device group;
  
  sending a push notification to the second device to obtain user consent of the user to enroll the first device in the CoT device group, wherein the second device obtains the consent of the user and sends a consent token to the first device;
  
  receiving a second request from the first device by the SSO service, wherein the second request includes the consent token;
  
  verifying the consent token;
  
  enrolling the first device in the CoT device group; and
  
  performing SSO session synchronization across devices enrolled in the CoT device group including the first device and the second device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, wherein the first device generates a first asymmetric key pair that includes a first public key and a first private key, wherein the first device stores the first private key, wherein the first device passes the first public key in the first request to the SSO service.
  - 3. The method of claim 2, further comprising:
    - generating a request identifier (ID) identifying the first request;
      
      passing the request ID of the first request and device characteristics of the first device in the push notification to the second device; and
      
      returning the request ID to the first device in a Hypertext Transfer Protocol Secure (HTTPS) response.
  - 4. The method of claim 3, wherein, after obtaining the consent of the user, the second device determines a relative distance between the first device and the second device, establishes peer-to-peer (P2P) communication with the first device if the relative distance is less than a threshold, and sends the consent token to the first device using the P2P communication.
  - 5. The method of claim 4, wherein the consent token comprises a device ID of the second device and the request ID identifying the first request, wherein the consent token is signed using a second private key of the second device, wherein the second private key and a second public key comprise a second asymmetric key pair generated by the second device, wherein the CoT device group includes the second public key of the second device.
  - 6. The method of claim 5, wherein the first device validates the consent token before sending the second request to the SSO service, wherein the first device validates the consent token by validating the request ID in the consent token.
  - 7. The method of claim 6, wherein the second request further includes the first public key.
  - 8. The method of claim 7, wherein the consent token is verified using the second public key.
  - 9. The method of claim 8, wherein the enrolling of the first device in the CoT device group comprises adding the first public key to the CoT device group.
  - 10. The method of claim 9, further comprising:
    - creating a primary SSO session by the SSO service when the user signs-into the first device;
      
      creating an alias SSO session linked with the primary SSO session when the second device attempts to obtain an SSO session subsequent to the creating of the primary SSO session, wherein the alias SSO session is created with an “
      
      In Progress”
      
      status;
      
      setting an encrypted session cookie containing the alias session and returning an authorization code including the alias session to the second device, wherein the second device returns the authorization code with a Client JWT Assertion that is signed using the second private key;
      
      verifying the Client JWT assertion using the second public key available in the CoT device group; and
      
      converting the alias SSO session from the “
      
      In Progress”
      
      status to a “
      
      Valid”
      
      status.
  - 11. The method of claim 9, wherein the SSO session synchronization comprises replicating an SSO session created for the first device by encrypting the SSO session using the second public key and sending the encrypted SSO session from the first device to the second device using the P2P communication, wherein the second device decrypts the encrypted SSO session using the second private key stored at the second device and re-uses the SSO session.
  - 12. The method of claim 9, wherein the SSO session synchronization comprises logging off user sessions on all user devices enrolled in the CoT device group when one session on one user device in the CoT device group is logged off.
  - 13. The method of claim 1, wherein the authenticating is performed by an OpenID Connect service of the cloud-based IAM system.
  - 14. The method of claim 1, wherein the first application implements IAM functionality provided by components of the cloud-based IAM system.
  - 15. The method of claim 14, wherein the components comprise one or more microservices.

16. A non-transitory computer readable medium comprising instructions that, when executed by a processor, cause the processor to perform session synchronization across multiple devices of a user in a cloud-based identity and access management (IAM) system, the processor executing the instructions to:
- authenticate the user into an application on a first device of the user;
  
  receive a first request by a single-sign-on (SSO) service of the cloud-based IAM system from the first device to enroll the first device in a circle of trust (CoT) device group associated with the user, wherein a second device of the user is already enrolled in the CoT device group;
  
  send a push notification to the second device to obtain user consent of the user to enroll the first device in the CoT device group, wherein the second device obtains the consent of the user and sends a consent token to the first device;
  
  receive a second request from the first device by the SSO service, wherein the second request includes the consent token;
  
  verify the consent token;
  
  enroll the first device in the CoT device group; and
  
  perform SSO session synchronization across devices enrolled in the CoT device group including the first device and the second device.
- View Dependent Claims (17, 18, 19)
- - 17. The non-transitory computer readable medium of claim 16, wherein the first device generates a first asymmetric key pair that includes a first public key and a first private key, wherein the first device stores the first private key, wherein the first device passes the first public key in the first request to the SSO service.
  - 18. The non-transitory computer readable medium of claim 17, wherein the processor is further configured to:
    - generate a request identifier (ID) identifying the first request;
      
      pass the request ID of the first request and device characteristics of the first device in the push notification to the second device; and
      
      return the request ID to the first device in a Hypertext Transfer Protocol Secure (HTTPS) response.
  - 19. The non-transitory computer readable medium of claim 18, wherein, after obtaining the consent of the user, the second device determines a relative distance between the first device and the second device, establishes peer-to-peer (P2P) communication with the first device if the relative distance is less than a threshold, and sends the consent token to the first device using the P2P communication.

20. A cloud-based identity and access management (IAM) system for performing session synchronization across multiple devices of a user, the system comprising a processor coupled to storage, the processor executing instructions to:
- authenticate the user into an application on a first device of the user;
  
  receive a first request by a single-sign-on (SSO) service of the cloud-based IAM system from the first device to enroll the first device in a circle of trust (CoT) device group associated with the user, wherein a second device of the user is already enrolled in the CoT device group;
  
  send a push notification to the second device to obtain user consent of the user to enroll the first device in the CoT device group, wherein the second device obtains the consent of the user and sends a consent token to the first device;
  
  receive a second request from the first device by the SSO service, wherein the second request includes the consent token;
  
  verify the consent token;
  
  enroll the first device in the CoT device group; and
  
  perform SSO session synchronization across devices enrolled in the CoT device group including the first device and the second device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Mohamad Abdul, Mohamad Raja Gani, Tippanna, Kavita
Primary Examiner(s)
Desrosiers, Evans

Application Number

US16/021,253
Publication Number

US 20200007530A1
Time in Patent Office

796 Days
Field of Search

726 7
US Class Current
CPC Class Codes

H04L 63/0815   providing single-sign-on or...

H04L 67/02   based on web technology, e....

H04L 67/10   in which an application is ...

H04L 67/146   Markers for unambiguous ide...

H04L 67/55   Push-based network services

H04W 12/009   specially adapted for netwo...

H04W 12/084   using delegated authorisati...

Session synchronization across multiple devices in an identity cloud service

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

291 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Session synchronization across multiple devices in an identity cloud service

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

291 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links