Facilitating single sign-on (SSO) across multiple browser instance

US 9,413,750 B2
Filed: 02/11/2011
Issued: 08/09/2016
Est. Priority Date: 02/11/2011
Status: Active Grant

First Claim

Patent Images

1. A computing system comprising:

an authentication server to authenticate users and to maintain registration data indicating a respective set of client systems registered for each user across which a single sign-on (SSO) is to be facilitated; and

a plurality of server systems to host a plurality of protected resources, which are accessible only to authenticated users,each server system to receive a request for accessing a protected resource of said plurality of protected resources and if the request is identified as not being from an authenticated user, redirecting the received request to said authentication server for authentication of the user by said authentication server;

a plurality of client systems using which users send requests for accessing said plurality of protected resources to said plurality of server systems,wherein said registration data at a first time instance indicates that a first set of client systems is registered for a single user, said first set of client systems being contained in said plurality of client systems, said registration data indicating that said first set of client systems includes a second client system,wherein said single user sends from a first client system, a first request for accessing a first protected resource and then sends from said second client system, a second request for accessing a second protected resource,wherein said first request is sent at a second time instance following said first time instance,wherein said first protected resource and said second protected resource are contained in said plurality of protected resources, wherein said first client system is contained in said plurality of client systems,wherein said authentication server performs a single authentication of said single user in response to receiving said first request from said first client system, wherein said single user is allowed to access from said first client system, said first protected resource in a session duration after said single authentication, wherein a single sign on (SSO) session is maintained in said authentication server in said session duration as a basis for permitting access to at least some of said plurality of protected resources including said first protected resource,wherein said authentication server and said plurality of server systems operate to allow said single user to access said second protected resource in said session duration from said second client system, based on said single authentication from said first client system in view of said second client system being included in said first set of client systems registered for said single user such that said single user is not required to perform authentication again to access from said second client system, said second protected resource in said session duration.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Facilitating single sign-on (SSO) across multiple browser instances such that user authentication at one browser instance is used as a basis to permit access to protected resources (hosted on server systems) from other browser instances. In an embodiment, the different browser instances are executing on different client systems. An authentication server may maintain a registration data indicating the different client systems/browser instances registered by a user for SSO feature. After a user is authenticated for a first session from one browser instance, the authentication server enables the user to access any protected resource from registered client systems/browser instances without requiring further authentication (based on the presence of the authenticated first session).

91 Citations

View as Search Results

16 Claims

1. A computing system comprising:
- an authentication server to authenticate users and to maintain registration data indicating a respective set of client systems registered for each user across which a single sign-on (SSO) is to be facilitated; and
  
  a plurality of server systems to host a plurality of protected resources, which are accessible only to authenticated users,each server system to receive a request for accessing a protected resource of said plurality of protected resources and if the request is identified as not being from an authenticated user, redirecting the received request to said authentication server for authentication of the user by said authentication server;
  
  a plurality of client systems using which users send requests for accessing said plurality of protected resources to said plurality of server systems,wherein said registration data at a first time instance indicates that a first set of client systems is registered for a single user, said first set of client systems being contained in said plurality of client systems, said registration data indicating that said first set of client systems includes a second client system,wherein said single user sends from a first client system, a first request for accessing a first protected resource and then sends from said second client system, a second request for accessing a second protected resource,wherein said first request is sent at a second time instance following said first time instance,wherein said first protected resource and said second protected resource are contained in said plurality of protected resources, wherein said first client system is contained in said plurality of client systems,wherein said authentication server performs a single authentication of said single user in response to receiving said first request from said first client system, wherein said single user is allowed to access from said first client system, said first protected resource in a session duration after said single authentication, wherein a single sign on (SSO) session is maintained in said authentication server in said session duration as a basis for permitting access to at least some of said plurality of protected resources including said first protected resource,wherein said authentication server and said plurality of server systems operate to allow said single user to access said second protected resource in said session duration from said second client system, based on said single authentication from said first client system in view of said second client system being included in said first set of client systems registered for said single user such that said single user is not required to perform authentication again to access from said second client system, said second protected resource in said session duration.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computing system of claim 1, wherein said single user sends said first request, provides authentication information for said single authentication and accesses said first protected resource from a first browser instance executing in said first client system,wherein said single user sends said request and accesses said second protected resource from a second browser instance executing in said second client system without being required to provide authentication information again.
  - 3. The computing system of claim 2, wherein said authentication server also maintains a session data,wherein said session data indicates present sessions operative for a set of already authenticated users such that said session data indicates that said single user is authenticated in said session duration,wherein access to said second protected resource from said second client system is allowed based on the presence of said second client system in said first set of client systems in said registration data and said user being indicated to have a present session in said session data during said session duration.
  - 4. The computing system of claim 3, wherein said registration data further indicates a respective set of policies to be checked before allowing access from each of the client systems registered for a user,wherein said registration data indicates that a first set of policies is to be checked before allowing access from said second client system registered for said single user,wherein access to said second protected resource from said second client system is allowed only when said first set of policies are checked and determined to be validated.
  - 5. The computing system of claim 3, wherein each of said plurality of client systems indicated in said registration data is identified using a corresponding unique signature,wherein presence of said second client system in said first set of client systems is determined based on matching of the unique identifier of said second client system in said registration data.
  - 6. The computing system of claim 5, wherein the unique signature of a client system comprises a browser signature corresponding to the browser instance used to send the request to access protected requests and a device signature corresponding to the client system.

7. A method of facilitating single sign-on (SSO) across multiple client systems when accessing a plurality of protected resources, wherein said plurality of protected resources are accessible only to users authenticated by an authentication server, said method being performed in said authentication server, said method comprising:
- maintaining a registration data indicating which ones of a plurality of client systems are registered for which ones of a plurality of users for accessing said plurality of protected resources,wherein said registration data at a first time instance indicates that a first set of client systems is registered for a first user of said plurality of users, said first set of client systems being contained in said plurality of client systems, said registration data indicating that said first set of client systems includes a second client system;
  
  receiving, from a first client system, a first request from said first user to access a first protected resource of said plurality of protected resources, said first client system being contained in said plurality of client systems, wherein said first request is sent at a second time instance following said first time instance;
  
  authenticating said first user upon receipt of said first request and maintaining a single sign on (SSO) session in a session duration in which said first user is permitted to access said plurality of protected resources based on said authenticating;
  
  allowing access to said first protected resource from said first client system after said authentication of said first user;
  
  receiving, from said second client system, a second request to access a second protected resource of said plurality of protected resource;
  
  determining whether said second client system is included in said first set of client systems registered for said first user based on said registration data; and
  
  allowing access to said second protected resource from said second client system based on said authentication of said first user with respect to accessing of said first protected resource if said second request is received in said session duration and said determining determines that said second client system is included in said first set of client systems,wherein said first user is not required to perform authentication again to access said plurality of protected resources from different client systems, including said second client system, based on said authentication performed from said first client system in said session duration.
- View Dependent Claims (8, 9, 10)
- - 8. The method of claim 7, wherein said registration data further indicates a respective set of policies to be checked before allowing access from each of the client system registered for a user,wherein said registration data indicates that a first set of policies is to be checked before allowing access from said second client system registered for said first user,wherein said allowing allows access to said second protected resource from said second client system only when said first set of policies are checked and determined to be validated.
  - 9. The method of claim 8, wherein each of said plurality of client systems indicated in said registration data is identified using a corresponding unique signature,wherein said determining determines the presence of said second client system in said first set of client systems based on matching of the unique identifier of said second client system in said registration data.
  - 10. The method of claim 9, wherein the unique signature of a client system comprises a browser signature corresponding to the browser instance used to send the request to access protected requests and a device signature corresponding to the client system.

11. A non-transitory machine readable medium storing one or more sequences of instructions for causing an authentication server to facilitate single sign-on (SSO) across multiple client systems when accessing protected resources, wherein each protected resource is accessible only to users authenticated by said authentication server, wherein execution of said one or more sequences of instructions by one or more processors contained in said authentication server causes said authentication server to perform the actions of:
- maintaining a registration data indicating a respective set of client systems registered for each user across which single sign-on (SSO) is to be facilitated,wherein said registration data at a first time instance indicates that a first set of client systems is registered for a first user, said registration data indicating that said first set of client systems includes a second client system;
  
  receiving, from a first client system, a first request from said first user to access a first protected resource, wherein said first request is sent at a second time instance following said first time instance;
  
  authenticating said first user at said first client system based on an authentication information received from said first client system;
  
  maintaining a single sign on (SSO) session in a session duration in which said user is permitted to access said protected resources based on said authenticating;
  
  allowing access to said first protected resource from said first client system after said authenticating of said first user in said session duration;
  
  receiving, from said second client system, a second request from said first user to access a second protected resource;
  
  determining whether said second client system is included in said first set of client systems registered for said first user based on said registration data; and
  
  allowing access to said second protected resource from said second client system based on said authenticating of said first user at said first client system if said second request is received in said session duration and said determining determines that said second client system is included in said first set of client systems,wherein said first user is enabled to access the protected resources from different client systems, without said first user having to authenticate again, in view of said authentication information provided from said first client system in said session duration.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The machine readable medium of claim 11, further comprising one or more instructions for:
    - creating a global session in said authentication server for said first user based on said authentication, wherein said global session is maintained in said authentication server in said session duration; and
      
      checking, in response to said second request after said determining, whether said global session for said first user exists in said authentication server,wherein said allowing allows access to said second protected resource from said second client system if said checking determines that said global session exists in said authentication server.
  - 13. The machine readable medium of claim 12, further comprising one or more instructions for creating a local session in said authentication server for said first user when accessing said second protected resource from said second client system.
  - 14. The machine readable medium of claim 11, wherein said registration data further indicates a respective set of policies to be checked before allowing access from each of the client system registered for a user,wherein said registration data indicates that a first set of policies is to be checked before allowing access from said second client system registered for said first user,wherein said allowing allows access to said second protected resource from said second client system only when said first set of policies are checked and determined to be validated.
  - 15. The machine readable medium of claim 14, wherein each of the client systems indicated in said registration data is identified using a corresponding unique signature,wherein said determining determines whether said second client system is included in said first set of client systems based on matching of the unique identifier of said second client system in said registration data.
  - 16. The machine readable medium of claim 15, wherein the unique signature of a client system comprises a browser signature corresponding to a browser instance used to send the request to access protected requests and a device signature corresponding to the client system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Akula, Naga Sravani, Chatoth, Vikas Pooven
Primary Examiner(s)
Wang, Harris C

Application Number

US13/025,184
Publication Number

US 20120210413A1
Time in Patent Office

2,006 Days
Field of Search

726 2- 4, 726/8
US Class Current

1/1
CPC Class Codes

H04L 63/0815   providing single-sign-on or...

H04L 63/168   above the transport layer

H04L 67/02   based on web technology, e....

Facilitating single sign-on (SSO) across multiple browser instance

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

91 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Facilitating single sign-on (SSO) across multiple browser instance

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

91 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links