Maintaining session stickiness across authentication and authorization channels for access management

US2019097994A1 · US · A1

Patent metadata
Publication number: US-2019097994-A1
Application number: US-201815987631-A
Country: US
Kind code: A1
Filing date: May 23, 2018
Priority date: Sep 27, 2017
Publication date: Mar 28, 2019
Grant date:

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Techniques are described that enable maintaining session stickiness across authentication and authorization channels in an access management system, through the use of an identifier for an access manager from a plurality of access managers. The access manager authenticates a user of a client device based on an authentication request. In response to successful authentication of the user, the access manager creates a session. The access manager also generates the identifier and causes the identifier to be stored for the session. The access manager can then receive a second request, which is sent to the access manager based on identifying the access manager using the stored identifier.

First claim

Opening claim text (preview).

What is claimed is:

1. A computer-implemented method comprising: authenticating, by a first access manager from a plurality of access managers, a user of a client device based on an authentication request; creating, by the first access manager, a session in response to successful authentication of the user; generating, by the first access manager, an identifier that identifies the first access manager; causing, by the first access manager, the identifier to be stored for the session; and receiving, by the first access manager, a second request, wherein the second request is sent to the first access manager based on identifying the first access manager using the stored identifier.

2. The method of claim 1, further comprising: sending, by the first access manager, the identifier to an access management agent for storage, wherein the stored identifier causes the access management agent to direct the second request to the first access manager.

3. The method of claim 2, wherein the identifier is sent to the access management agent in at least one of an authentication token or an authorization token.

4. The method of claim 1, wherein the plurality of access managers belong to different server clusters in a data center, and wherein the identifier includes information identifying a server cluster to which the first access manager belongs.

5. The method of claim 1, wherein the plurality of access managers belong to different data centers, and wherein the second request is sent to a data center of the first access manager based on the identifier.

6. The method of claim 1, wherein the first access manager receives the authentication request over a first channel and the second request over a second channel, and wherein the first channel and the second channel use different communication protocols.

7. The method of claim 6, wherein the first channel uses Hypertext Transfer Protocol (HTTP) and the second channel uses Oracle Access Protocol (OAP).

8. The method of claim 1, wherein the second request is a request to re-authenticate the user or a request to authorize the user to access a resource.

9. The method of claim 1, wherein the identifier indicates an order in which the plurality of access managers are to be contacted for handling subsequent requests.

10. The method of claim 1, wherein the second request includes the stored identifier, and wherein the second request is processed by a load balancer to direct the second request to the first access manager based on the stored identifier as provided in the second request.

11. A system, comprising: a first access manager from a plurality of access managers, wherein the first access manager is configured to: authenticate a user of a client device based on an authentication request; create a session in response to successful authentication of the user; generate an identifier that identifies the first access manager; cause the identifier to be stored for the session; and receive a second request, wherein the second request is sent to the first access manager based on identifying the first access manager using the stored identifier.

12. The system of claim 11, further comprising: an access management agent that sends the authentication request to the first access manager and stores the identifier, wherein the stored identifier causes the access management agent to direct the second request to the first access manager.

13. The system of claim 12, wherein the first access manager is further configured to send the identifier to the access management agent in at least one of an authentication token or an authorization token.

14. The system of claim 11, further comprising: a data center, wherein the plurality of access managers belong to different server clusters in the data center, and wherein the identifier includes information identifying a server cluster to which the first access manager belongs.

15. The system of claim 11, further comprising: a first data center including the first access manager, wherein at least some of the plurality of access managers belong to a second data center, and wherein the second request is sent to the first data center based on the identifier.

16. The system of claim 11, wherein the first access manager is further configured to receive the authentication request over a first channel and the second request over a second channel, and wherein the first channel and the second channel use different communication protocols.

17. The system of claim 16, wherein the first channel uses Hypertext Transfer Protocol (HTTP) and the second channel uses Oracle Access Protocol (OAP).

18. The system of claim 11, wherein the second request is a request to re-authenticate the user or a request to authorize the user to access a resource.

19. The system of claim 11, further comprising: a load balancer configured to direct the second request, which includes the stored identifier, to the first access manager based on the stored identifier as provided in the second request.

20. A computer-readable storage medium storing a plurality of instructions that, when executed by one or more processors of a computer system, cause the one or more processors to: authenticate, by a first access manager from a plurality of access managers, a user of a client device based on an authentication request; create, by the first access manager, a session in response to successful authentication of the user; generate, by the first access manager, an identifier identifying the first access manager; cause, by the first access manager, the identifier to be stored for the session; and receive, by the first access manager, a second request, wherein the second request is sent to the first access manager based on identifying the first access manager using the stored identifier.
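The mechanism the claims describe (claims 1, 3 and 10 in particular) is a routing problem: a session created on one access manager is not visible to its peers, so the second request over the other channel must reach the same manager. The following Python model is an added illustration, not Oracle's code and not the patent's reference implementation; the class names (AccessManager, LoadBalancer), the token layout and the HMAC-signed token format are assumptions made for the example. It runs the flow twice, once with the stored identifier used for routing and once with plain round-robin, to show the authorization failure that stickiness prevents. Routing decisions are taken only from a token whose tag verifies, since an unauthenticated routing hint would let a client choose its backend.

```python
import base64
import hashlib
import hmac
import json

# Constructed example: a minimal model of the patent's flow. Names, the token
# layout and the shared signing key are assumptions, not Oracle's API.
SIGNING_KEY = b"constructed-demo-key"                  # shared by all access managers
USERS = {"alice": "correct horse battery staple"}      # constructed credential store


def make_token(claims):
    """Serialize claims and append an HMAC tag so the routing hint cannot be altered."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    tag = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def parse_token(token):
    """Return the claims if the tag verifies, else None. Never route on unverified claims."""
    body, _, tag = token.rpartition(".")
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


class AccessManager:
    """One of a plurality of access managers; sessions live only in local memory."""

    def __init__(self, am_id, cluster):
        self.am_id, self.cluster = am_id, cluster
        self.sessions = {}          # session_id -> user; deliberately not shared
        self.counter = 0

    def authenticate(self, user, password):
        """Authentication request (first channel). On success, create a session and
        return a token that carries this manager's identifier and cluster."""
        if USERS.get(user) != password:
            return None
        self.counter += 1
        sid = hashlib.sha256(f"{self.am_id}:{user}:{self.counter}".encode()).hexdigest()[:16]
        self.sessions[sid] = user
        return make_token({"sid": sid, "user": user, "am": self.am_id, "cluster": self.cluster})

    def authorize(self, token, resource):
        """Second request (authorization). Fails if the session was created elsewhere."""
        claims = parse_token(token)
        if claims is None or claims["sid"] not in self.sessions:
            return False                # unknown session here: stickiness was lost
        return resource.startswith(f"/{claims['user']}/")


class LoadBalancer:
    """Directs requests to managers, either by the stored identifier or round-robin."""

    def __init__(self, managers):
        self.managers = {m.am_id: m for m in managers}
        self.order = list(self.managers)
        self.rr = 0

    def pick_by_identifier(self, token):
        claims = parse_token(token)     # verified before the "am" claim is trusted
        if claims and claims["am"] in self.managers:
            return self.managers[claims["am"]]
        return self.pick_round_robin()  # fall back when the hint is absent or invalid

    def pick_round_robin(self):
        m = self.managers[self.order[self.rr % len(self.order)]]
        self.rr += 1
        return m


def run_flow(sticky):
    """Authenticate on one manager, then send the second (authorization) request
    either via the stored identifier (sticky=True) or via plain round-robin.
    Returns (manager that handled the second request, authorization result)."""
    lb = LoadBalancer([AccessManager("am-1", "cluster-A"), AccessManager("am-2", "cluster-B")])
    first = lb.pick_round_robin()                       # authentication request arrives here
    token = first.authenticate("alice", "correct horse battery staple")
    assert token is not None
    # Second request over the other channel; the agent forwards the stored token.
    target = lb.pick_by_identifier(token) if sticky else lb.pick_round_robin()
    return target.am_id, target.authorize(token, "/alice/report.pdf")


if __name__ == "__main__":
    print("sticky     :", run_flow(True))
    print("round-robin:", run_flow(False))
```

With the identifier honoured, the authorization request lands on am-1, which holds the session, and succeeds; with round-robin it lands on am-2, which has never seen the session, and is refused. A real deployment would put the cluster or data-center part of the identifier (claims 4 and 5) to the same use one level up, at the cross-cluster or cross-site routing tier.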

Assignees

Oracle Int Corp

Inventors

Classifications

  • using different networks or channels, e.g. using out of band channels (cryptographic mechanisms or cryptographic arrangements for key distribution involving distinctive intermediate devices or communication paths H04L9/0827; cryptographic mechanisms or cryptographic arrangements for authentication using a plurality of channels H04L9/3215) · CPC title

  • above the transport layer · CPC title

  • providing single-sign-on or federations · CPC title

  • Entity profiles · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US2019097994A1 cover?
Techniques are described that enable maintaining session stickiness across authentication and authorization channels in an access management system, through the use of an identifier for an access manager from a plurality of access managers. The access manager authenticates a user of a client device based on an authentication request. In response to successful authentication of the u…
Who is the assignee on this patent?
Oracle Int Corp
What technology area does this patent fall under?
Primary CPC classification H04L63/0815. Mapped technology areas include Electricity.
When was this patent published?
Publication date Mar 28, 2019 (A1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 3 related publications on this page (citations in our corpus or others sharing the same primary CPC).