What technology area does this patent fall under?

Primary CPC classification H04L67/141. Mapped technology areas include Electricity.

When was this patent published?

Publication date Tue Jan 26 2016 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.

What related patents are in patentsdb?

We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).

Single sign-on between multiple data centers

US9247006B2 · US · B2

Patent metadata
Field	Value
Publication number	US-9247006-B2
Application number	US-201314137775-A
Country	US
Kind code	B2
Filing date	Dec 20, 2013
Priority date	Sep 20, 2013
Publication date	Jan 26, 2016
Grant date	Jan 26, 2016

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

Title
What the patent document calls the invention.
Abstract
A short plain-language summary of the technical disclosure.
Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
Key dates
Filing, priority, publication, and grant dates set the timeline.
First independent claim
The legal scope of protection — read this for what is actually claimed.
CPC / IPC classifications
Technology tags used to group this patent with similar filings.
Citations and related patents
Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Systems and methods are disclosed for a single sign-on (SSO) enterprise system with multiple data centers that use a lightweight cookie on a user's client device. The lightweight cookie includes a reference to a data center in which the user is already authenticated, and a new data center contacts the old data center for creating a session for the user on the new data center. If the old data center is unavailable, then the new data center may fall back to accessing a local security store, a backup of keys, security tokens, and/or other security data, in order to create a local session for the user on the new data center.

First claim

Opening claim text (preview).

What is claimed is: 1. A method for single sign-on (SSO) access among data centers, the method comprising: receiving, at a first computer server managing access to a first data center, a single sign-on authentication cookie from a client device, the cookie stored by the client device and generated by a second computer server managing access to a second data center with which a user of the client device has been successfully authenticated in conjunction with at least one session object stored by the second computer server, the cookie comprising a reference to the second data center; generating, by the first computer server, a session retrieval request addressed to the second computer server using the reference included in the cookie received from the client device; sending, by the first computer server, the session retrieval request from the first data center to the second computer server of the second data center requesting session data from the at least one session object stored by the second computer server; and generating, by the first computer server, a session object sufficient to authenticate the user of the client device to at least one resource associated with the first data center using the session data requested from the at least one session object stored by the second computer server. 2. The method of claim 1 , further comprising: receiving, by the first computer server, the session data from the second data center in response to the session retrieval request; and initializing, at the first data center, the session object with the session data from the second data center sufficient to authenticate the user of the client device at the first data center. 3. The method of claim 2 , further comprising: terminating a session of the user at the second data center based on the initializing of the session object at the first data center. 4. The method of claim 3 , wherein the terminating is based upon an administrator preference to have only one active user session at a time in the data centers. 5. The method of claim 2 , further comprising: terminating a session of the user at the second data center and the session object at the first data center in response to the user logging out of the first data center. 6. The method of claim 1 , further comprising: prompting, from the first data center, the user for authentication credentials based on an administrator preference. 7. The method of claim 1 , further comprising: determining, by the first computer server, that the second data center cannot respond to the session retrieval request; determining, by the first computer server, that a local security store of the first data center includes session data previously replicated from the second data center; reading, from the local security store of the first data center, the session data previously replicated from the second data center; and initializing, by the first computer server, at least one session object with the session data from the local security store sufficient to authenticate the user of the client device at the first data center. 8. The method of claim 1 , further comprising: determining, by the first computer server, that the second data center cannot respond to the session retrieval request; determining, by the first computer server, that a local security store of the first data center does not have sufficient session data for the client device replicated from the second data center; prompting, by the first computer server, the user for authentication credentials; receiving, by the first computer server, authentication credentials from the user in response to the prompt; and initializing, by the first computer server, at least one session object using the received authentication credentials. 9. A system of a first data center, comprising: a communications interface having a communications path to a system of a second data center; a memory storing a plurality of instructions; and one or more hardware processors which when execute the plurality of instructions configure the one or more processors to: receive a single sign-on authentication cookie from a client device, the cookie stored by the client device and generated by the system of the second data center with which a user of the client device has been successfully authenticated in conjunction with at least one session object stored by the system of the second data center, the cookie comprising a reference to the second data center; generate a session retrieval request addressed to the system of the second data center using the reference included in the cookie received from the client device; send, using the communications interface, the session retrieval request to system of the second data center requesting session data from the at least one session object stored by the system of the second data center; and generate, in the memory, a session object sufficient to authenticate the user of the client device to at least one resource associated with the first data center using the session data requested from the at least one session object stored by the system of the second data center. 10. The system of the first data center of claim 9 , wherein the plurality of instructions further configure the one or more processors to: receive, using the communications interface, the session data from the system of the second data center in response to the session retrieval request; and initialize the session object with the session data from the second data center sufficient to authenticate the user of the client device at the first data center. 11. The system of the first data center of claim 10 , wherein the plurality of instructions further configure the one or more processors to: terminate a session of the user at the second data center based on the initializing of the session object at the first data center. 12. The system of the first data center of claim 10 , wherein the plurality of instructions further configure the one or more processors to: terminate a session of the user at the second data center and the session object at the first data center in response to the user logging out of the first data center. 13. The system of the first data center of claim 9 , wherein the plurality of instructions further configure the one or more processors to: determine that the second data center cannot respond to the session retrieval request; determine that a local security store of the first data center includes session data previously replicated from the second data center; read, from the local security store of the first data center, the session data previously replicated from the second data center; and initialize at least one session object with the session data from the local security store sufficient to authenticate the user client device at the first data center. 14. The system of the first data center of claim 9 , wherein the plurality of instructions further configure the one or more processors to: determine that the second data center cannot respond to the session retrieval request; determine that a local security store of the first data center does not have sufficient session data for the client device replicated from the second data center; prompt the user for authentication credentials; receive authentication credentials from the user in response to the prompt; and initializing at least one session object using the received authentication credentials. 15. A non-transitory computer-readable medium storing a plurality of instructions executable by one or more processors of a first data center, the plura

Assignees

Oracle Int Corp

Inventors

Classifications

H04L67/141Primary
Setup of application sessions (admission control or resource allocation in data switching networks H04L47/70) · CPC title
H04L63/08
for authentication of entities (cryptographic mechanisms or cryptographic arrangements for entity authentication H04L9/32) · CPC title
H04L63/0815Primary
providing single-sign-on or federations · CPC title
H04L65/1066
Session management · CPC title
H04L63/20
for managing network security; network security policies in general (filtering policies H04L63/0227) · CPC title

Patent family

Related publications grouped by family.

View patent family 52692275

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US9247006B2 cover?: Systems and methods are disclosed for a single sign-on (SSO) enterprise system with multiple data centers that use a lightweight cookie on a user's client device. The lightweight cookie includes a reference to a data center in which the user is already authenticated, and a new data center contacts the old data center for creating a session for the user on the new data center. If the old data ce…
Who is the assignee on this patent?: Oracle Int Corp
What technology area does this patent fall under?: Primary CPC classification H04L67/141. Mapped technology areas include Electricity.
When was this patent published?: Publication date Tue Jan 26 2016 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?: We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).