Single sign-on between multiple data centers

US9887981B2 · US · B2

Patent metadata

Publication number: US-9887981-B2
Application number: US-201615005365-A
Country: US
Kind code: B2
Filing date: Jan 25, 2016
Priority date: Sep 20, 2013
Publication date: Feb 6, 2018
Grant date: Feb 6, 2018

Abstract

Official abstract text for this publication.

Systems and methods are disclosed for a single sign-on (SSO) enterprise system with multiple data centers that use a lightweight cookie on a user's client device. The lightweight cookie includes a reference to a data center in which the user is already authenticated, and a new data center contacts the old data center for creating a session for the user on the new data center. If the old data center is unavailable, then the new data center may fall back to accessing a local security store, a backup of keys, security tokens, and/or other security data, in order to create a local session for the user on the new data center.

First claim

Opening claim text (preview).

What is claimed is:

1. A method comprising: generating, by a first computer system managing access at a first data center, an authentication cookie associated with a user, wherein the authentication cookie is generated using a first session object for a first session established at the first data center, the first session established based on upon successful authentication of the user at the first data center for access to a first resource at a client device, wherein the first session object is stored at the first data center, and wherein the authentication cookie includes an identifier that identifies the first data center; sending the generated authentication cookie to the client device associated with the user to provide the access to the first resource; based on no active session for the user at a second data center and responsive to a request, by the user at the client device, to the second data center for access to a second resource at the client device, the request including the generated authentication cookie having the identifier of the first data center as having a session: receiving, by the first computer system, from a second computer system managing access at the second data center, a retrieval request having the identifier of the first data center obtained from the generated authentication cookie provided in the request to the second data center, wherein the retrieval request is a message requesting session information for the first session established for the user at the first data center; responsive to the retrieval request, determining, based on the first session object, whether the first session for the user is active at the first data center; based on determining that the first session for the user is active at the first data center, transmitting, by the first computer system, to the second computer system of a second data center, session data indicated by the first session object, wherein a second session object is generated for a second session enabling access to the second resource by the second computer system for the second data center using the session data, and wherein the second session object is generated for authentication of the user at the second data center; and based on receiving an indication that the second session object at the second data center has been generated for the second session using the session data, terminating, by the first computer system, the first session associated with the user at the first data center based on receiving the indication that the second session object at the second data center has been generated.

2. The method of claim 1, wherein the terminating is performed based on a session policy, the session policy indicating a session threshold of a single active session for both the first data center and the second data center.

3. The method of claim 1, wherein the indication is a first indication, and wherein the method further comprises: receiving, by the first computer system, a second indication of the user exiting access for the second session at the second data center; and terminating, by the first computer system, the first session associated with the user at the first data center in response to receiving the second indication of the user exiting access for the second session at the second data center.

4. The method of claim 1, wherein the request to the second data center is a first request, and wherein the method further comprises: sending, by the first computer system, to the client device, a second request that causes the client device to prompt the user for authentication information based on a session policy.

5. The method of claim 1, wherein the session data is for authentication of the user at the second data center, and wherein the session data identifies the first session at the first data center based on the successful authentication of the user at the first data center for access to the first resource at the client device.

6. The method of claim 1, wherein the request to the second data center is a first request, and wherein the method further comprises: responsive to receiving the retrieval request for the session information for the first session, sending, by the first computer system, to the client device, a second request for credential information of the user; and receiving, by the first computer system, the credential information from the client device responsive to the second request for credential information of the user; wherein transmitting, by the first computer system, to the second computer system, the session data indicated by the first session object includes transmitting the credential information that is received from the client device.

7. A system comprising: a first data storage system including: a memory storing a plurality of instructions; and one or more hardware processors; and a second data storage system including a computer system; wherein the plurality of instructions, when executed by the one or more hardware processors, cause the one or more hardware processors to: generate an authentication cookie associated with a user, wherein the authentication cookie is generated using a first session object for a first session established at the first data storage system, the first session established based on upon successful authentication of the user at the first data storage system for access to a first resource at a client device, wherein the first session object stored at the first data storage system, and wherein the authentication cookie includes an identifier that identifies the first data storage system; send the generated authentication cookie to the client device associated with the user to provide the access to the first resource; based on no active session for the user at the second data storage system and responsive to a request, by the user at the client device, to the second data storage system for access to a second resource at the client device, the request including the generated authentication cookie having the identifier of the first data storage system as having a session: receive, from a second computer system managing access at the second data storage system, a retrieval request having the identifier of the first data storage system obtained from the generated authentication cookie provided in the request to the second data storage system, wherein the retrieval request is a message requesting session information for the first session established for the user at the first data storage system; responsive to the retrieval request, determine, based on the first session object whether the first session for the user is active at the first data storage system; and based on determining that the first session for the user is active at the first data storage system, transmit, to the computer system of the second data storage system, session data indicated by the first session object, wherein a second session object is generated for a second session enabling access to the second resource by the computer system for the second data storage system using the session data, and wherein the second session object is generated for authentication of the user at the second data storage system; and based on receiving an indication that the second session object at the second data storage system has been generated for the second session using the session data, terminate the first session associated with the user at the first data storage system based on receiving the indication that the second session object at the second data storage system has been generated.

8. The system of claim 7, wherein the terminating is performed based on a session policy, the session policy indicating a session threshold of a single active session for both
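The exchange in claims 1 and 2 plus the fallback from the abstract, as an added simulation that is not the patent's or Oracle's code: the cookie names only the issuing data center, the second data center sends a retrieval request, creates its own session from the returned data, and the first data center terminates its session once notified (single-active-session policy). The `directory` dict stands in for the inter-data-center link and `backup` for the replicated security-token store; both are assumptions of this example.

```python
import secrets


class DataCenter:
    """Access manager for one data center (constructed example, not the patent holder's code)."""

    def __init__(self, dc_id, directory, backup):
        self.dc_id = dc_id
        self.directory = directory   # dc_id -> DataCenter; stands in for the inter-DC link
        self.backup = backup         # replicated store of security tokens used as fallback
        self.sessions = {}           # session_id -> session object, kept at the issuing DC
        self.available = True
        directory[dc_id] = self

    def authenticate(self, user):
        """Successful local login: store a session object and issue the lightweight cookie."""
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"user": user, "active": True}
        self.backup[sid] = user      # security token replicated to the other data centers
        return {"dc": self.dc_id, "sid": sid}   # cookie names the DC, carries no session data

    def retrieve_session(self, sid):
        """Answer a peer's retrieval request: session data only if the session is active."""
        s = self.sessions.get(sid)
        return dict(s) if s and s["active"] else None

    def transfer_done(self, sid):
        """Indication that the peer created its session: terminate ours (single-session policy)."""
        if sid in self.sessions:
            self.sessions[sid]["active"] = False

    def access(self, cookie):
        """Serve a request carrying the SSO cookie; returns a local session id, or None to re-login."""
        if cookie["dc"] == self.dc_id:
            s = self.sessions.get(cookie["sid"])
            return cookie["sid"] if s and s["active"] else None
        origin = self.directory.get(cookie["dc"])
        if origin is not None and origin.available:
            data = origin.retrieve_session(cookie["sid"])
            if data is None:
                return None          # origin reports no active session: prompt for credentials
            user, notify = data["user"], origin.transfer_done
        elif cookie["sid"] in self.backup:
            user = self.backup[cookie["sid"]]   # fallback: local copy of the security token
            notify = lambda sid: None           # origin is down, nothing to notify
        else:
            return None
        local_sid = secrets.token_hex(8)
        self.sessions[local_sid] = {"user": user, "active": True}
        notify(cookie["sid"])
        return local_sid
```

After a transfer the original cookie is useless at either data center, because the first session is terminated and the second data center issued its own session id.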

Assignees

Oracle Int Corp

Classifications

  • where a single sign-on provides access to a plurality of computers · CPC title

  • Session management · CPC title

  • for authentication of entities (cryptographic mechanisms or cryptographic arrangements for entity authentication H04L9/32) · CPC title

  • for managing network security; network security policies in general (filtering policies H04L63/0227) · CPC title

  • Session establishment or de-establishment · CPC title

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US9887981B2 cover?
Systems and methods are disclosed for a single sign-on (SSO) enterprise system with multiple data centers that use a lightweight cookie on a user's client device. The lightweight cookie includes a reference to a data center in which the user is already authenticated, and a new data center contacts the old data center for creating a session for the user on the new data center.

Who is the assignee on this patent?
Oracle Int Corp

What technology area does this patent fall under?
Primary CPC classification: H04L63/0815. Mapped technology areas include Electricity.

When was this patent published?
Publication date: Feb 6, 2018 (B2). Legal status and post-grant events are not shown on this page.

What related patents are in patentsdb?
We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).