Managing session access across multiple data centers

US11290438B2 · US · B2

Patent metadata
Publication number: US-11290438-B2
Application number: US-201715784029-A
Country: US
Kind code: B2
Filing date: Oct 13, 2017
Priority date: Jul 7, 2017
Publication date: Mar 29, 2022
Grant date: Mar 29, 2022

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

The disclosure relates to techniques for enforcing a limit on single sign-on (SSO) sessions for users across multiple data centers in a multi data center deployment. Users may request access to resources that are governed by an access manager deployed across multiple data centers, with each data center being associated with its own identifier. Each user may be associated with an identity attribute preserved in identity stores across the multiple data centers. The prerequisite for session creation at a data center may be to update the identity attribute of the user to that data center's identifier. If the identity attribute can be updated successfully, the access manager can create a new SSO session at that data center. Updates to the identity attribute may be synchronized across all of the data centers, with each data center aware of any existing sessions based on the current value of the identity attribute.

First claim

Opening claim text (preview).

What is claimed is:

1. A method comprising: receiving, by a computer system of a first data center included in a first access management system, from a second data center of a second access management system, security data for a first user, wherein the security data includes: (i) an identifier of the second data center at which a session has been established for the first user to access a first resource using a first device, and (ii) a user credential of the first user; storing, by the computer system of the first data center, the security data in a first data store in the first data center; receiving, by the computer system of the first data center, the user credential and a request from a second user to access a second resource using a second device while the session for the first user is still active, wherein the second user is different from the first user and the second device is different from the first device; determining, by the computer system of the first data center, the second user is authenticated to access the second resource using the second device based on the user credential; in response to determining the second user is authenticated to access the second resource using the second device, determining, by the computer system of the first data center, there is an existing session associated with the user credential provided by the second user, wherein the determining there is the existing session comprises: identifying the security data for the first user in the first data store based on the user credential, and determining there is the existing session associated with the user credential based on a presence of the identifier of the second data center within the security data; and based on determining that there is the existing session associated with the user credential provided by the second user, denying, by the computer system of the first data center, the second user to access the second resource using the second device.

2. The method of claim 1, wherein the method further comprises: receiving, by the computer system of the first data center, from the second data center of the second access management system, a notification that the second data center has terminated the session for the first user to access the first resource using the first device; and upon receiving the notification, removing, by the computer system of the first data center, the identifier of the second data center from the security data in the first data store in the first data center.

3. The method of claim 1, wherein the first data center and the second data center are part of a multi data center deployment.

4. The method of claim 1, wherein the authentication of the second user is based on checking the user credential against a user identity in an identity store of the first data center.

5. A system comprising: a first data center of a first access management system, the first data center including a first processor and a first memory storing a first set of instructions that, upon execution by the first processor, cause the first processor to: determine an authentication of a first user to access a first resource using a first device; in response to determining the authentication of the first user to access the first resource using the first device, determine whether there is an existing session associated with the first user, wherein the determining whether there is the existing session comprises: identifying security data for the first user based on the user credential, and determining whether the security data stores an identifier of the first data center or a second data center; based on determining that there is no existing session associated with the first user, update the security data in the first data store to include the identifier of the first data center; send the security data of the first user to the second data center, wherein the security data includes (i) the identifier of the first data center, and (ii) the user credential of the first user; and establish a session at the first data center to enable the first user to access the first resource using the first device; and the second data center of a second access management system, the second data center including a second processor and a second memory storing a second set of instructions that, upon execution by the second processor, cause the second processor to: receive, from the first data center, the security data of the first user; update a second data store in the second data center to include the security data of the first user; receive the user credential and a request from a second user to access a second resource using a second device while the session for the first user is still active, wherein the second user is different from the first user and the second device is different from the first device; determine the second user is authenticated to access the second resource using the second device based on the user credential; in response to determining the second user is authenticated to access the second resource using the second device, determining, by the computer system of the first data center, there is an existing session associated with the user credential provided by the second user, wherein the determining there is the existing session comprises: identifying the security data for the first user in the first data store based on the user credential, and determining there is the existing session associated with the user credential based on a presence of the identifier of the second data center within the security data; and based on determining that there is the existing session associated with the user credential provided by the second user, denying the second user to access the second resource using the second device.

6. The system of claim 5, wherein the first data center and the second data center are part of a multi data center deployment.

7. The system of claim 5, wherein the identifier of the first data center is a ClusterID of the first data center.

8. The system of claim 5, wherein the authentication of the first user to access the first resource using the first device is based on a user identity in the first data store.

9. The system of claim 5, wherein the authentication of the second user to access the second resource using the second device is based on a user identity in the second data store.

10. A computer-program product tangibly embodied in a non-transitory machine-readable storage medium, including instructions configured to cause one or more data processors of a remote cloud server to perform actions including: receiving, by a computer system of a first data center included in a first access management system, from a second data center of a second access management system, security data for a first user, wherein the security data includes: (i) an identifier of the second data center at which a session has been established for the first user to access a first resource using a first device, and (ii) a user credential of the first user; storing, by the computer system of the first data center, the security data in a first data store in the first data center; receiving, by the computer system of the first data center, the user credential and a request from a second user to access a second resource using a second device while the session for the first user is still active, wherein the second user is different from the first user and the second device is different from the first device; determining, by the computer system of the first data center, the second user is authenticated to access the second resource using the second device based on the user credential; in response to determining the secon
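As an added, runnable illustration of the scheme in the abstract and claims above (not code from the patent or from Oracle), the Python below models two data centers that each keep an identity store with one attribute per user: the ClusterID of the data center holding that user's SSO session. Session creation is an atomic compare-and-set of that attribute from empty to the local ClusterID, which is then replicated to the peer; a login at either data center is denied while the attribute holds any ClusterID, and logout clears it and propagates the clear (claims 1, 2 and 7). The ClusterIDs dc-east and dc-west, the class and attribute names, the in-memory stores and the sample user are assumptions. The second scenario goes beyond the page's text: it defers replication to show that if the attribute update is not atomic across data centers, two simultaneous logins can both succeed and leave the stores disagreeing. The page says updates are synchronized across data centers but does not say how.

```python
# Added illustration of the session-limit scheme in the claims above; not the
# patent's or Oracle's code. The ClusterIDs "dc-east"/"dc-west", the class and
# attribute names, the in-memory stores and the sample credential are assumptions.
import threading
from typing import Dict, List, Optional, Tuple


class IdentityStore:
    # One store per data center; the tracked identity attribute is the ClusterID
    # of the data center holding the user's SSO session, or None when there is none.
    def __init__(self) -> None:
        self._session_dc: Dict[str, Optional[str]] = {}
        self._lock = threading.Lock()

    def get(self, user: str) -> Optional[str]:
        with self._lock:
            return self._session_dc.get(user)

    def compare_and_set(self, user: str, expected: Optional[str], new: Optional[str]) -> bool:
        # Atomic check-then-write: the abstract makes a *successful* update of the
        # attribute the prerequisite for session creation, so check and write are one step.
        with self._lock:
            if self._session_dc.get(user) != expected:
                return False
            self._session_dc[user] = new
            return True

    def apply_replicated(self, user: str, value: Optional[str]) -> None:
        # Security data received from a peer (claim 1) is stored as-is locally.
        with self._lock:
            self._session_dc[user] = value


class DataCenter:
    def __init__(self, cluster_id: str, credentials: Dict[str, str], defer: bool = False) -> None:
        self.cluster_id = cluster_id
        self.store = IdentityStore()
        self._credentials = credentials            # user -> password (constructed)
        self.peers: List["DataCenter"] = []
        self._defer = defer                        # True models asynchronous sync
        self._outbox: List[Tuple[str, Optional[str]]] = []

    def login(self, user: str, password: str, device: str) -> dict:
        # Claim 1 order: authenticate, then treat the presence of *any* ClusterID in
        # the user's attribute as an existing session and deny the new one.
        if self._credentials.get(user) != password:
            return {"ok": False, "reason": "bad-credentials"}
        if not self.store.compare_and_set(user, None, self.cluster_id):
            return {"ok": False, "reason": "session-exists", "at": self.store.get(user)}
        self._replicate(user, self.cluster_id)
        return {"ok": True, "at": self.cluster_id, "device": device}

    def logout(self, user: str) -> bool:
        # Claim 2: termination clears the identifier locally and notifies the peers.
        if not self.store.compare_and_set(user, self.cluster_id, None):
            return False                           # no session for this user here
        self._replicate(user, None)
        return True

    def _replicate(self, user: str, value: Optional[str]) -> None:
        if self._defer:
            self._outbox.append((user, value))
            return
        for peer in self.peers:
            peer.store.apply_replicated(user, value)

    def flush(self) -> None:                       # deliver deferred replication
        for user, value in self._outbox:
            for peer in self.peers:
                peer.store.apply_replicated(user, value)
        self._outbox.clear()


def pair(defer: bool) -> Tuple[DataCenter, DataCenter]:
    creds = {"alice": "correct horse"}             # constructed sample user
    east, west = DataCenter("dc-east", creds, defer), DataCenter("dc-west", creds, defer)
    east.peers, west.peers = [west], [east]
    return east, west


def demo_limit() -> Tuple[dict, dict, dict]:
    # Synchronous replication: a second login at another DC is denied until logout.
    east, west = pair(defer=False)
    first = east.login("alice", "correct horse", "laptop")
    second = west.login("alice", "correct horse", "phone")   # denied, session at dc-east
    east.logout("alice")
    third = west.login("alice", "correct horse", "phone")    # allowed after logout
    return first, second, third


def demo_race() -> Tuple[dict, dict, Optional[str], Optional[str]]:
    # Asynchronous replication: both DCs see None, both updates succeed, and after
    # the exchange each store names the other data center.
    east, west = pair(defer=True)
    a = east.login("alice", "correct horse", "laptop")
    b = west.login("alice", "correct horse", "phone")
    east.flush()
    west.flush()
    return a, b, east.store.get("alice"), west.store.get("alice")
```

demo_limit() returns the three login decisions; demo_race() returns both decisions plus each data center's view of the attribute after replication. For the limit to hold under concurrent logins in a real deployment, the compare-and-set has to be issued against an authoritative store or replicated synchronously, because a purely local check followed by asynchronous propagation is exactly the second scenario.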

Assignees

Oracle Int Corp

Inventors

Classifications

  • User registration · CPC title

  • where a single sign-on provides access to a plurality of computers · CPC title

  • Entity profiles · CPC title

  • providing single-sign-on or federations · CPC title

  • Session management (for real-time applications in data packet communications networks H04L65/1066) · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US11290438B2 cover?
The disclosure relates to techniques for enforcing a limit on single sign-on (SSO) sessions for users across multiple data centers in a multi data center deployment. Users may request access to resources that are governed by an access manager deployed across multiple data centers, with each data center being associated with its own identifier. Each user may be associated with an identity attrib…
Who is the assignee on this patent?
Oracle Int Corp
What technology area does this patent fall under?
Primary CPC classification H04L63/0815. Mapped technology areas include Electricity.
When was this patent published?
Publication date Mar 29, 2022 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).