US2016248758A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2016248758-A1 |
| Application number | US-201615143240-A |
| Country | US |
| Kind code | A1 |
| Filing date | Apr 29, 2016 |
| Priority date | Sep 20, 2013 |
| Publication date | Aug 25, 2016 |
| Grant date | — |
Official abstract text for this publication.
Techniques are disclosed for a single sign-on (SSO) enterprise system with multiple data centers that can use a lightweight cookie on a user's client device. The lightweight cookie can include a reference to a data center in which the user is already authenticated, and a new data center can contact the old data center for creating a session for the user on the new data center. If the old data center is unavailable, then the new data center may fall back to accessing a local security store, a backup of keys, security tokens, and/or other security data, in order to create a local session for the user on the new data center.
Opening claim text (preview).
What is claimed is:

1. A method for managing access among data centers, the method comprising: receiving, at a first computer system managing access for a first data center, authentication data from a computing device associated with a user, the authentication data generated by a second computer system managing access for a second data center, wherein the authentication data is generated upon successful verification of access for the user at the second data center; sending, by the first computer system, a request for session information associated with the user at the second data center; determining, by the first computer system, that the session information associated with the user cannot be obtained from the second data center; upon determining that the session information associated with the user cannot be obtained from the second data center, identifying, by the first computer system, session data stored by the first data center for a session established for the user at the second data center, wherein the session data was received from the second data center prior to the sending the request; and establishing, by the first computer system, a session associated with the user at the first data center, wherein the session is established based on verification of the user using the identified session data stored by the first data center.
2. The method of claim 1, wherein the identified session data and the session information associated with the user are both associated with a session at the second data center enabling access for the user at the second data center.
3. The method of claim 1, wherein determining, by the first computer system, that the session data cannot be obtained from the second data center includes determining that the first computer system does not receive a response to the request for session information from the second computer system.
4. The method of claim 1, further comprising: storing, at the first computer system, session data received from the second data center on a periodic schedule.
5. The method of claim 1, further comprising: determining whether the session data includes data sufficient to verify the user for the session associated with the user at the first data center; and upon determining that the session data does not include sufficient data to verify the user for the session associated with the user, sending, by the first computer system, to the computing device associated with the user, a request for verification of the user.
6. The method of claim 5, wherein the request for verification of the user includes a request for one or more credentials associated with the user.
7. The method of claim 5, further comprising: in response to the sending the request for verification of the user, receiving, at the first computer system, verification information; and establishing, based on the verification information, the session associated with the user at the first data center.
8. The method of claim 1, wherein the authentication data includes a reference to the second data center and the sending the request for session information is sent to the second data center based on the reference to the second data center.
9. A system comprising: a first data storage system including a memory storing a plurality of instructions; and one or more hardware processors; and wherein the plurality of instructions, upon execution by the one or more hardware processors, causes the one or more hardware processors to: receive authentication data from a computing device associated with a user, the authentication data generated by a computer system managing access for a second data storage system, wherein the authentication data is generated upon successful verification of access for the user at the second data center; send a request for session information associated with the user at the second data center; determine that the session information associated with the user cannot be obtained from the second data center; upon determining that the session information associated with the user cannot be obtained from the second data center, identify session data stored by the first data center for a session established for the user at the second data center, wherein the session data was received from the second data center prior to the sending the request; and establish a session associated with the user at the first data center, wherein the session is established based on verification of the user using the identified session data stored by the first data center.
10. The system of claim 9, wherein the identified session data and the session information associated with the user are both associated with a same session at the second data center enabling access for the user at the second data center.
11. The system of claim 9, wherein the plurality of instructions, upon execution by the one or more hardware processors, further causes the one or more hardware processors to: store, at the first data storage system, session data received from the second data center on a periodic schedule.
12. The system of claim 9, wherein the plurality of instructions, upon execution by the one or more hardware processors, further causes the one or more hardware processors to: determine whether the session data includes data sufficient to verify the user for the session associated with the user at the first data center; and upon determining that the session data does not include sufficient data to verify the user for the session associated with the user, send to the computing device associated with the user, a request for verification of the user.
13. The system of claim 12, wherein the plurality of instructions, upon execution by the one or more hardware processors, further causes the one or more hardware processors to: in response to the sending the request for verification of the user, receive verification information; and establish, based on the verification information, the session associated with the user at the first data center.
14. The system of claim 9, wherein the authentication data includes a reference to the second data center and the sending the request for session information is sent to the second data center based on the reference to the second data center.
15. A non-transitory computer-readable medium storing a plurality of instructions executable by one or more processors of a first data center to cause the one or more processors to: receive authentication data from a computing device associated with a user, the authentication data generated by a second computer system managing access for a second data center, wherein the authentication data is generated upon successful verification of access for the user at the second data center; send a request for session information associated with the user at the second data center; determine that the session information associated with the user cannot be obtained from the second data center; upon determining that the session information associated with the user cannot be obtained from the second data center, identify session data stored by the first data center for a session established for the user at the second data center, wherein the session data was received from the second data center prior to the sending the request; and establish a session associated with the user at the first data center, wherein the session is established based on verification of the user using the identified session data stored by the first data center.
16. The non-transitory compu
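The flow described in the abstract and in claims 1, 3, 4 and 5, modelled as an added example (this code is not from the patent or any product): the cookie carries only a signed reference to the originating data center, the receiving data center first asks that peer for the session, falls back to its periodically replicated copy when the peer does not answer, and asks the user to re-authenticate when the replicated data is missing or expired. The shared HMAC key, the `DataCenter` class and all field names are assumptions.

```python
import hashlib
import hmac
import json
import time


class DataCenter:
    """One data center's access manager; the cookie is a signed reference only."""

    def __init__(self, name, key):
        self.name = name
        self.key = key          # HMAC key shared by all data centers (assumption)
        self.peers = {}         # name -> DataCenter reachable over the network
        self.up = True          # set False to simulate the peer being unavailable
        self.sessions = {}      # sid -> {"user": ..., "expires": ...}
        self.replica = {}       # peer name -> copy of its sessions (claim 4)

    def login(self, user, sid):
        # successful verification at this data center; issue the lightweight cookie
        self.sessions[sid] = {"user": user, "expires": time.time() + 3600}
        body = json.dumps({"dc": self.name, "sid": sid}, sort_keys=True)
        sig = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        return body + "." + sig

    def parse_cookie(self, cookie):
        body, _, sig = cookie.rpartition(".")
        want = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        return json.loads(body) if hmac.compare_digest(sig, want) else None

    def replicate_from(self, peer):
        # scheduled copy of the peer's session data, taken before any outage
        self.replica[peer.name] = dict(peer.sessions)

    def fetch_remote(self, dc_name, sid):
        peer = self.peers.get(dc_name)
        if peer is None or not peer.up:
            return None         # claim 3: no response from the second data center
        return peer.sessions.get(sid)

    def establish_session(self, cookie):
        ref = self.parse_cookie(cookie)
        if ref is None:
            return "reject"     # forged or corrupted cookie
        data = self.fetch_remote(ref["dc"], ref["sid"])
        if data is None:        # fallback to the local security store (claim 1)
            data = self.replica.get(ref["dc"], {}).get(ref["sid"])
        if data is None or data["expires"] < time.time():
            return "reauth"     # claim 5: replicated data insufficient, ask for credentials
        self.sessions[ref["sid"]] = dict(data)
        return "session:" + data["user"]
```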
CPC classifications:
- for managing network security; network security policies in general (filtering policies H04L63/0227)
- Session establishment or de-establishment
- for controlling access to devices or network resources
- providing single-sign-on or federations
- Session management