WO2013099065A1 - Authentication cooperation system and ID provider device - Google Patents
- Publication number
- WO2013099065A1 (PCT/JP2012/006085)
- Authority
- WO
- WIPO (PCT)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0815—Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/41—User authentication where a single sign-on provides access to a plurality of computers
Definitions
- Embodiments of the present invention relate to an authentication cooperation system and an ID provider device.
- SSO: single sign-on
- The first problem is that, because an HTTP cookie can only be used within a single domain, the authentication result cannot be shared between domains by means of HTTP cookies.
- The second problem is that the SSO method of the access management product adopted in each domain differs between vendors, so SSO cannot simply be introduced across domains and a separate measure has to be prepared.
- SAML: Security Assertion Markup Language
- OASIS: Organization for the Advancement of Structured Information Standards
- SAML is a specification in which a representation format of information related to authentication, authorization, and attributes, and a transmission / reception procedure are defined, and is systematically defined to enable various implementation forms according to purposes.
- The parties involved are an identity provider (Identity Provider, hereinafter referred to as IDP or ID provider), a service provider (Service Provider, hereinafter referred to as SP or service provider), and a user; the authentication assertion is issued by the ID provider.
- IDP: Identity Provider
- SP: Service Provider
- the first point is that a trust relationship is established between the service provider and the ID provider through business and technical information exchange and consensus building.
- the second point is that a single user has an individual account for each service provider, and these individual SP accounts and ID provider accounts are linked in advance (hereinafter referred to as account linkage).
- account linkage: the prior linking of a user's individual SP accounts with the ID provider account. The user cannot start SSO until the preparations, namely the construction of the trust relationship and the prior account linkage, are complete.
- SSO is realized according to the following procedures (1) to (6).
- the SSO procedure of the service provider start model via the user terminal will be described.
- (1) A user requests a service provider to provide a service.
- (2) Since the service provider has not yet authenticated the user, it sends an authentication request to the ID provider via the user's terminal.
- (3) The ID provider authenticates the user by some means and creates an authentication assertion.
- SAML does not define the authentication means, but defines a mechanism for transmitting an authentication assertion to a service provider.
- The authentication assertion includes information such as the type of authentication means and how the credentials were created, so that the service provider can determine whether it can trust the authentication result.
- (4) The ID provider returns the authentication result, including the created authentication assertion, to the service provider via the user terminal.
- (5) The service provider determines whether to provide the service based on the authentication result of the ID provider.
- (6) The user receives the service from the service provider.
- SAML defines two types: a service provider start model (hereinafter referred to as an SP start model) and an ID provider start model (hereinafter referred to as an IDP start model).
- SP start model is the same as the SSO procedure described above, and is a model in which the SSO request starts when the user accesses the SP and the SP transmits an authentication request based on SAML.
- the IDP start model is a model that starts when the user terminal requests the ID provider to provide a service provider service in the SSO procedure (1) described above. Accordingly, the SSO procedure (2) is not performed, and the processes (3) to (6) are performed following the procedure (1).
- a user can use a plurality of services without performing a further authentication procedure only by performing a single authentication procedure with an ID provider.
- SSO based on SAML is only a part of identity “use” in the entire life cycle of identity.
- When SSO is to be started, account linkage must already have been performed.
- To perform account linkage, the management of identity registration, change, deletion, reissue, suspension, and so on must be carried out between the service provider and the ID provider, which requires technology that coordinates these operations comprehensively.
- Account provisioning is a technique for automating identity registration, change, deletion, reissue, suspension, etc.
- SPML: Service Provisioning Markup Language
- A data processing system is known that dynamically executes account linkage as part of SSO, starting from a state in which the above-described preparation for account linkage has not been completed. Normally, when an attempt is made to start SSO while no user account is registered on the service provider side, that is, while account linkage has not been performed, an error occurs.
- account linkage can be dynamically executed as a part of SSO even in the state described above. Specifically, after the service provider receives a service request from the user, it is confirmed that the service provider does not hold sufficient information for registering the user's account. After confirmation, the service provider requests user attributes from the ID provider, and the ID provider provides the desired user attributes to the service provider. As a result, the data processing system performs account registration and cooperation during the SSO process.
- The management department needs to perform prior account registration and account linkage with the service provider in a batch.
- The management department performs prior account registration and linkage with the service provider for the user who applied. After such pre-processing, the user can use the service provided by the service provider.
- SaaS: one of the advantages of SaaS is that it can be used immediately when needed. However, when the latter approval flow is used, manual work is required and the burden is large, so this advantage cannot be exploited. It is therefore desirable that a system that performs account registration and linkage during the SSO process has a seamless mechanism for deciding whether a service can be used without human intervention.
- The problem to be solved by the present invention is to provide an authentication cooperation system and an ID provider device that are easy to introduce, because the ID provider device does not need to be remodeled, and that can decide without manual intervention whether a service can be used when performing account registration and linkage during the SSO process.
- The ID provider device includes: a policy information storage unit that stores policy information indicating the users to whom transmission of service data is permitted; an authentication cooperation request pre-processing unit that, in response to an authentication cooperation request, performs policy evaluation processing and account linkage processing at a timing determined by the login state of the user terminal; and an authentication cooperation request transfer unit that forwards the authentication cooperation request to the authentication cooperation request pre-processing unit when an authentication cooperation request is received from the service provider device.
- FIG. 1 is a block diagram showing the basic configuration of the authentication collaboration system of this embodiment.
- This authentication collaboration system includes an ID provider device 200 that can execute a login process for a user terminal 100 operated by a user, and a service provider device 300 that can transmit service data to the user terminal 100 when the login process succeeds. Although there may be a plurality of service provider devices 300, only one is shown here. The user terminal 100, the ID provider device 200, and the service provider device 300 may each be connected via a network.
- the user terminal 100 is a device that has a normal computer function and can communicate with the ID provider device 200 and the service provider device 300, and issues an SP use request for requesting the use of the service provider device 300 in accordance with a user operation.
- The user terminal 100 has a function of executing a login process with the ID provider device 200, a function of transmitting a service use request to the service provider device 300, a function of receiving service data from the service provider device 300, and a service use application program stored in a memory in advance.
- When the CPU executes the application program, the terminal also has a function of reproducing the received service data and a user interface function.
- the ID provider device 200 performs login processing, that is, authenticates a user who uses a service provided by the service provider device 300. Further, the ID provider device 200 performs user account registration with the service provider and account linkage based on policy information described later.
- The ID provider device 200 includes a portal server 210, a Web server 220, an IDP authentication cooperation unit 230, an authentication cooperation control system 240, an IDP user store 250, a policy store 260, an authentication session temporary storage device (first memory) 270, and a key storage device 280.
- the portal server 210 displays an access destination service provider to the user.
- the Web server 220 includes a reverse proxy device (first message transfer unit) 221 and a transfer destination URL storage device 222, and receives a message from the user terminal 100.
- the reverse proxy device 221 transfers the received message with reference to the transfer destination URL storage device 222.
- FIG. 2 shows an example of the transfer destination URL management table 223 stored in the transfer destination URL storage device 222.
- The transfer destination URL management table 223 of the present embodiment stores each Internet public URL in association with a transfer destination URL, and an ID is assigned to each pair. That is, the reverse proxy device 221 searches for the Internet public URL corresponding to the message that the Web server 220 received from the user terminal 100, and transfers the message to the transfer destination URL associated with the matching entry.
- the IDP authentication linkage unit 230 has an SSO ID provider function.
- An example of the configuration of the IDP authentication cooperation unit 230, which provides the SSO ID provider function, will be described with reference to FIG.
- The IDP authentication cooperation unit 230 of the ID provider device 200 includes an authentication cooperation request message reception unit 232, a login request message transmission unit 233, a login response message reception unit 234, and an authentication cooperation response message transmission unit 235.
- the authentication cooperation request message receiving unit 232 receives the authentication cooperation request message from the SP authentication cooperation unit 330 of the service provider device 300 described later.
- the authentication cooperation request message is, for example, in the form of an HTTP request, and is a message issued to request authentication cooperation from the ID provider apparatus 200 when the service provider apparatus 300 receives a service use request from the user terminal 100.
- The authentication cooperation request message receiving unit 232 confirms the login state of the user terminal and, if the terminal is in the login completion state, requests the authentication cooperation response message transmission unit 235 (described later) to create an authentication cooperation response message indicating that the user has been authenticated.
- the login request message transmission unit 233 transmits a login request message to the user terminal 100 that has not been logged in.
- the login response message receiving unit 234 receives a login response message input by the user terminal 100 as response information to the login request message, and performs a user login process.
- When the login response message receiving unit 234 receives from the user terminal 100 a login response message including a user ID and user authentication information as the response to the login request message, it authenticates the user based on the user ID and the reference information held in the ID provider user store 250 (hereinafter referred to as the IDP user store 250).
- the IDP user store 250 will be described with reference to FIG.
- the IDP user store 250 stores attribute information related to users belonging to the ID provider device 200 (hereinafter referred to as user attribute information).
- the IDP user store 250 stores user attribute information 251 in which an item name of a user attribute for specifying a user is associated with an item value of the user attribute.
- The user attribute information 251 includes, for example, a user ID for identifying the user, the user's name, employee number, department, job title, and user terminal address information.
- The item names also include the reference information referred to when the user logs in, and the user's telephone number.
- FIG. 4 shows an example thereof.
- the user attribute information 251 is a collection of information that characterizes personal information.
- the user attribute information 251 is not limited thereto, and may further include an arbitrary item name and item value such as work status, for example.
- a password is used as reference information to be referred to when a user logs in.
- the reference information is not limited thereto, and may be biometric information such as a user's fingerprint.
- When the authentication cooperation response message transmission unit 235 receives an authentication cooperation response message creation request from the authentication cooperation request message reception unit 232, it creates an authentication cooperation response message including an authentication assertion indicating that the ID provider device 200 has authenticated the user.
- the authentication assertion includes information such as the type of authentication means and how the credentials are created in order to determine whether the service provider apparatus 300 can trust the authentication result.
- FIG. 5 shows an example of the authentication assertion 231 created by the IDP authentication cooperation unit 230 of the present embodiment.
- the authentication assertion 231 includes an authentication linkage ID, an assertion body including an authentication method name for login processing, and a digital signature.
- the authentication linkage ID is an ID for linking each user ID (user ID and SP-side user ID) in both the ID provider device 200 and the service provider device 300, and is issued by the account provisioning unit 247 described later.
- The authentication linkage ID may be newly issued, may be the user ID of the ID provider device 200, or may be an item of the user attribute information 251 that is common to the ID provider device 200 and the service provider device 300, such as an e-mail address.
- the authentication cooperation ID is used by the service provider apparatus 300 to identify the user who has requested use in the authentication cooperation response confirmation process described later.
- the digital signature is generated by the IDP authentication cooperation unit 230 based on the signature generation key in the key storage device 280 for the assertion body.
- the key storage device 280 stores the signature generation key of the ID provider device 200.
- As the signature generation key, for example, the secret key of a public key/secret key pair in a public key cryptosystem can be used.
- the authentication cooperation response message transmission unit 235 transmits the created authentication cooperation response message to the SP authentication cooperation unit 330.
- the authentication collaboration control system 240 includes an authentication collaboration request message pre-processing unit 241, a policy evaluation information acquisition unit 245, a policy evaluation unit 246, and an account provisioning unit 247.
- the authentication cooperation request message pre-processing unit 241 includes a login state determination unit 242, a user ID acquisition unit 243, and an authentication cooperation request message transfer unit (second message transfer unit) 244.
- the pre-processing will be described later.
- The login state determination unit 242 determines the login state by referring to the IDP authentication token stored in the cookie included in the HTTP request.
- the ID provider device 200 issues the IDP authentication token when a login process described later is performed. That is, when the Cookie in the HTTP request includes the IDP authentication token, the user is in the login completion state in the ID provider device 200.
- the cookie includes a user ID indicating the user who issued the IDP authentication token.
- the cookie is stored in a memory such as a RAM provided in the ID provider device, for example.
- the memory storing the cookie is referred to as an authentication session temporary storage device 270.
- FIG. 7 shows an example of the authentication session temporary storage device 270.
- the user ID acquisition unit 243 acquires a user ID corresponding to the IDP authentication token from the authentication cooperation request message when the login state determination unit 242 determines that the login is completed.
- the authentication cooperation request message transfer unit 244 transfers the authentication cooperation request message to a URL that does not exist in the ID provider device 200 (hereinafter referred to as a dummy URL).
- the dummy URL of the transfer destination is set in advance, and here it is assumed that it is a dummy (1) URL.
- the policy evaluation information acquisition unit 245 acquires policy evaluation information from the IDP user store 250 and a service usage status data store 320 described later.
- The policy evaluation information includes the user attribute information 251 stored in the IDP user store 250 and the user service usage status information 321 to 324 stored in the service usage status data store 320 described later.
- The policy evaluation unit 246 determines whether the user who intends to use the service provider device 300 is permitted to do so, using the policy evaluation information acquired by the policy evaluation information acquisition unit 245 and the policy information managed by the policy store 260.
- the policy store 260 stores a plurality of pieces of policy information indicating users to whom communication is permitted.
- FIG. 8 shows an example of the policy store 260.
- The policy store 260 stores, for each service provider ID, a plurality of authentication linkage policies (hereinafter referred to as policy information 261 (262, 263, 264, ...)) indicating the affiliations and positions of users to whom the service provider device 300 identified by that service provider ID is permitted to transmit service data.
- The policy store 260 may further include dynamic policies such as the number of services in use and the total of usage-based billing (for example, [4] of C in FIG. 8).
- “subject” is a name, title, affiliation, etc.
- “resource” is a service provider ID or URL
- “action” is the start or resumption of use
- “environmental condition” corresponds to the IP address of the request, the accessible period, the time, and so on.
- The “responsibility condition” is an operation imposed when authentication cooperation is executed, in response to the result of evaluating the policy (accessibility condition). An example is an instruction such as “allow the request to ‘register a new user’, but in exchange execute ‘delete the ID of an idle user’” (for example, B [4] [Responsibility conditions] in FIG. 8).
- The account provisioning unit 247 acquires the user attribute information 251 from the IDP user store 250 based on the availability determination of the policy evaluation unit 246, and registers an account in the SP user store 310 using the acquired user attribute information 251. At that time, the account provisioning unit 247 issues an authentication linkage ID. Further, the account provisioning unit 247 performs account linkage for both the IDP user store 250 and the SP user store 310.
- the authentication collaboration control system 240 performs an account registration process and an account collaboration process, which will be described later, based on policy information when a user requests SSO or at the timing of login performed during the SSO process.
- The policy information refers to a set of service provider availability conditions for users, defining who (which user) may perform which operation (action) on which service provider device.
- the policy information indicates a user to whom the service provider apparatus 300 is permitted to transmit service data.
- some policy information also defines environmental conditions and responsibility conditions as options.
- the service provider device 300 provides a service used by the user.
- the service provider device 300 includes a service provider (hereinafter referred to as SP) user store 310, a service usage status data store 320, an SP authentication linkage unit 330, a verification policy store 340, and a temporary storage device (second memory) 350.
- the SP user store 310 functions as a user attribute partial information storage unit.
- The user attribute partial information is a subset of the item names and item values contained in the user attribute information 251 of the IDP user store 250.
- Information associated with the user attribute partial information and the user ID (hereinafter referred to as SP-side user ID) in the service provider apparatus 300 is referred to as account registration information 311.
- the SP user store 310 stores identity information of users who use service data transmitted by the service provider 300.
- the SP user store 310 may store all user attribute information 251 in association with the SP-side user ID, not the user attribute partial information.
- The SP user store 310 stores account registration information 311 in which an SP-side user ID, which identifies the user within the service provider device 300, is associated with a part of the user attribute information, such as the authentication linkage ID, name, address information, and telephone number.
- The service usage status data store 320 includes, for each service provider device 300, a user usage management table 321, a usage count management table 322, a disk usage management table 323, and a charging fee management table 324, and monitors the service usage status of users.
- The user usage management table 321 associates each SP-side user ID with a service usage status of either “service in use”, indicating that transmission of service data is permitted, or “service not in use”, indicating that it is not permitted.
- The usage count management table 322 associates the usage count, that is, the number of services whose service usage status in the user usage management table 321 is “in use”, with the upper limit of the usage count.
- The disk usage management table 323 associates the disk capacity consumed by the service data of the services in use according to the user usage management table 321 with the upper limit of the disk capacity in the service provider device 300.
- The charging fee management table 324 associates the total fee charged for the services in use according to the user usage management table 321 with the upper limit of the charging fee in the service provider device 300.
- The service usage status data store 320 may also store, for example, a table for managing the number of licenses.
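As an added illustration, not code from the patent, the following Python sketches how policy evaluation unit 246 and account provisioning unit 247 could combine the user attribute information 251 with the usage tables 321 to 324 and a policy whose responsibility condition deletes an idle user's ID when a usage limit would otherwise block a new registration. The stores, the policy entry, the idle-days threshold and all function names are assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample of user attribute information 251 held in the IDP user store 250.
IDP_USER_STORE = {
    "u001": {"name": "Alice", "department": "Sales", "title": "Manager", "email": "alice@example.test"},
    "u002": {"name": "Bob", "department": "R&D", "title": "Staff", "email": "bob@example.test"},
}

IDLE_DAYS_THRESHOLD = 90  # assumed: days without use after which a user counts as "idle"


@dataclass
class UsageStore:
    """Stand-in for the service usage status data store 320 (tables 321 to 324)."""
    user_usage: dict = field(default_factory=dict)  # 321: SP-side user ID -> "in use" / "not in use"
    usage_limit: int = 2                             # 322: upper limit of the number of services in use
    disk_used: int = 0                               # 323: disk capacity used by services in use
    disk_limit: int = 100                            # 323: upper limit of disk capacity
    fee_total: int = 0                               # 324: total fee charged for services in use
    fee_limit: int = 1000                            # 324: upper limit of the charging fee
    idle_days: dict = field(default_factory=dict)    # assumed: days since last use, per SP-side user ID

    def in_use_count(self) -> int:
        return sum(1 for status in self.user_usage.values() if status == "in use")


@dataclass
class SPUserStore:
    """Stand-in for the SP user store 310 (account registration information 311)."""
    accounts: dict = field(default_factory=dict)     # SP-side user ID -> partial attributes + linkage ID


# Constructed policy information: subject, resource, action, dynamic conditions, responsibility condition.
POLICY_STORE = [
    {"resource": "sp-300", "action": "start", "subject": {"department": "Sales"},
     "dynamic": ["usage_count_below_limit", "disk_below_limit", "fee_below_limit"],
     "obligation": "delete_idle_user"},
]


def dynamic_ok(cond: str, usage: UsageStore) -> bool:
    """Evaluate one dynamic policy against the usage tables 322 to 324."""
    checks = {
        "usage_count_below_limit": usage.in_use_count() < usage.usage_limit,
        "disk_below_limit": usage.disk_used < usage.disk_limit,
        "fee_below_limit": usage.fee_total < usage.fee_limit,
    }
    return checks[cond]


def apply_obligation(obligation: str, usage: UsageStore, sp_store: SPUserStore) -> bool:
    """Responsibility condition: free a slot by deleting the ID of one idle user. Returns True if it did."""
    if obligation != "delete_idle_user":
        return False
    for sp_uid, status in list(usage.user_usage.items()):
        if status == "in use" and usage.idle_days.get(sp_uid, 0) > IDLE_DAYS_THRESHOLD:
            usage.user_usage[sp_uid] = "not in use"
            sp_store.accounts.pop(sp_uid, None)
            return True
    return False


def evaluate_policy(user_id: str, resource: str, action: str,
                    usage: UsageStore, sp_store: SPUserStore) -> str:
    """Policy evaluation unit 246: 'permit' or 'deny'. The obligation runs at most once per matching policy."""
    attrs = IDP_USER_STORE.get(user_id)
    if attrs is None:
        return "deny"
    for pol in POLICY_STORE:
        if pol["resource"] != resource or pol["action"] != action:
            continue
        if not all(attrs.get(k) == v for k, v in pol["subject"].items()):
            continue  # static condition (affiliation/position) not met
        if all(dynamic_ok(c, usage) for c in pol["dynamic"]):
            return "permit"
        # A dynamic limit is hit: execute the responsibility condition, then re-evaluate once.
        if apply_obligation(pol["obligation"], usage, sp_store):
            if all(dynamic_ok(c, usage) for c in pol["dynamic"]):
                return "permit"
    return "deny"


def provision(user_id: str, usage: UsageStore, sp_store: SPUserStore):
    """Account provisioning unit 247: register partial attributes in the SP store and link both accounts."""
    attrs = IDP_USER_STORE[user_id]
    linkage_id = attrs["email"]       # an attribute common to both sides used as the authentication linkage ID
    sp_uid = f"sp-{user_id}"          # SP-side user ID (constructed scheme)
    sp_store.accounts[sp_uid] = {"linkage_id": linkage_id, "name": attrs["name"], "department": attrs["department"]}
    usage.user_usage[sp_uid] = "in use"
    return sp_uid, linkage_id


def account_linkage_during_sso(user_id: str, usage: UsageStore, sp_store: SPUserStore):
    """Pre-processing step: evaluate the policy and, only on permit, provision and link the account."""
    if evaluate_policy(user_id, "sp-300", "start", usage, sp_store) != "permit":
        return None
    return provision(user_id, usage, sp_store)
```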
- the SP authentication linkage unit 330 has an SSO service provider function. Specifically, the SP authentication cooperation unit 330 performs an authentication cooperation response confirmation process and an SP use response process.
- In the authentication cooperation response confirmation process, the authentication method name and the digital signature of the authentication assertion 231 created by the IDP authentication cooperation unit 230 of the ID provider device 200 are each verified against the authentication method name and the signature verification key in the authentication assertion verification policy of the verification policy store 340 described later. If both verification results are valid, an SP authentication token is issued and stored in the temporary storage device 350 in association with the authentication cooperation ID and the SP-side user ID.
- the SP use response process is a process of responding to the user terminal 100 that the service provider apparatus 300 is available when an SP authentication token is issued in the authentication cooperation response confirmation process.
- The verification policy store 340 stores an authentication assertion verification policy 341 that holds the authentication method name of a login process whose success permits transmission of service data, and a signature verification key corresponding to the signature generation key of the ID provider device 200.
- As the signature verification key, for example, the public key of a public key/secret key pair in a public key cryptosystem can be used.
- The temporary storage device 350 is a temporary memory such as a RAM. As shown in FIG. 12, for example, it stores the issued SP authentication token in association with the authentication cooperation ID and the SP-side user ID of the registered account registration information 311.
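The following added example (not the patent's code) shows the authentication cooperation response confirmation described above: the SP verifies both the authentication method name and the signature of assertion 231 against verification policy 341 before binding an SP authentication token to the authentication cooperation ID and the SP-side user ID. It substitutes an HMAC-SHA256 key shared by both sides for the patent's public/secret key pair so that it runs on the Python standard library alone; the keys, stores and function names are assumptions.

```python
import hashlib
import hmac
import json
import secrets

# Stand-in for key storage device 280 and verification policy store 340. The patent uses a public/secret
# key pair; this example substitutes an HMAC-SHA256 key known to both sides. The verification logic
# (method name AND signature must both be valid) is the part being demonstrated.
IDP_SIGNING_KEY = b"constructed-idp-signing-key"
VERIFICATION_POLICY_341 = {"authn_method": "password", "verification_key": IDP_SIGNING_KEY}

# Constructed account registration information 311: SP-side user ID -> partial attributes incl. linkage ID.
SP_USER_STORE_310 = {"sp-u001": {"linkage_id": "alice@example.test", "name": "Alice"}}


def _canonical(body: dict) -> bytes:
    """Deterministic serialisation so that signer and verifier hash identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def create_assertion(linkage_id: str, authn_method: str, signing_key: bytes = IDP_SIGNING_KEY) -> dict:
    """IDP authentication cooperation unit 230: assertion 231 = linkage ID, body, signature over the body."""
    body = {"linkage_id": linkage_id, "authn_method": authn_method, "issuer": "idp-200"}
    signature = hmac.new(signing_key, _canonical(body), hashlib.sha256).hexdigest()
    return {"linkage_id": linkage_id, "body": body, "signature": signature}


def verify_assertion(assertion: dict, policy: dict) -> bool:
    """SP authentication cooperation unit 330: both the method name and the signature must be valid."""
    body = assertion.get("body", {})
    expected = hmac.new(policy["verification_key"], _canonical(body), hashlib.sha256).hexdigest()
    signature_ok = hmac.compare_digest(expected, assertion.get("signature", ""))
    method_ok = body.get("authn_method") == policy["authn_method"]
    # The unsigned top-level linkage ID must agree with the signed one; only the signed value is trusted.
    linkage_ok = assertion.get("linkage_id") == body.get("linkage_id")
    return signature_ok and method_ok and linkage_ok


def confirm_response(assertion: dict, policy: dict, temp_store_350: dict):
    """Authentication cooperation response confirmation: on a valid assertion, issue an SP authentication
    token bound to the authentication cooperation ID and the SP-side user ID in temporary storage 350."""
    if not verify_assertion(assertion, policy):
        return None
    linkage_id = assertion["body"]["linkage_id"]
    sp_uid = next((uid for uid, acct in SP_USER_STORE_310.items() if acct["linkage_id"] == linkage_id), None)
    if sp_uid is None:
        return None  # no linked account: the SP cannot identify the requesting user
    token = secrets.token_hex(16)
    temp_store_350[token] = {"linkage_id": linkage_id, "sp_user_id": sp_uid}
    return token
```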
- The sequence starts from a state in which SSO processing is possible between the ID provider device 200 and the service provider device 300, but a user belonging to the organization on the ID provider side has not yet registered an account in the service provider device 300.
- The user's login state is the completed state.
- The user's SSO request originates at the service provider device 300.
- step numbers are assigned to the sequence diagrams, and processing is performed in order from the smallest number.
- Step S1: the user operates the user terminal 100 to make a service request to the desired service provider device 300, in order to use the service of a service provider device 300 in which the user's account is not registered.
- The service request to the service provider device 300 is made, for example, by the user clicking the desired link among the service public URL links displayed on a display unit (not shown) of the user terminal 100, using an input unit (not shown).
- Step S2: the user terminal 100 transmits a service request (hereinafter referred to as an SP use request message) to the service provider device 300 in response to the user operation.
- the SP authentication cooperation unit 330 responsible for access management receives the SP use request message.
- Step S3: the SP authentication cooperation unit 330 that received the SP use request message confirms the user's authentication cooperation state. For example, if the SP use request message is in the form of an HTTP request, it judges the state by whether an SP authentication token issued by the SP authentication cooperation unit 330 is present in the cookie included in the HTTP request.
- When the SP authentication token exists, the SP authentication cooperation unit 330 considers that authentication cooperation for the user terminal 100 has been completed. When it does not exist, the SP authentication cooperation unit 330 considers that authentication cooperation for the user terminal 100 is incomplete, and creates an authentication cooperation request message including the address information of the user terminal. In the present embodiment, authentication cooperation is in the incomplete state.
- Step S4: since the SP authentication cooperation unit 330 confirmed in step S3 that authentication cooperation is incomplete, it issues an authentication cooperation request message whose destination is set to the “authentication cooperation request message reception unit 232 of the IDP authentication cooperation unit 230”, and transmits it to the user terminal 100.
- Step S5: when the user terminal 100 receives the authentication cooperation request message, it redirects to the specified destination (here, the authentication cooperation request message reception unit 232 of the IDP authentication cooperation unit 230).
- Step S6: the Web server 220 first receives the authentication cooperation request message redirected by the user terminal 100 in step S5.
- the reverse proxy device 221 determines whether message transfer is necessary based on the transfer destination URL management table 223 stored in the transfer destination URL storage device 222.
- the determination method searches the Internet public URL field of the transfer destination URL management table 223 for a URL that matches the destination of the received authentication cooperation request message.
- the transfer destination is “the authentication cooperation request message pre-processing unit 241 of the authentication cooperation control system 240” with the ID “1-B”.
- step S7 through the reverse proxy device 221, the Web server 220 transfers the authentication cooperation request message with the destination set to the “authentication cooperation request message pre-processing unit 241 of the authentication cooperation control system 240” of ID “1-B”, determined as the transfer destination in the previous step. Subsequently, the process proceeds to the process of FIG.
- step S8 of FIG. 14 the login state determination unit 242 of the authentication cooperation request message pre-processing unit 241 that has received the transferred authentication cooperation request message determines the login state of the user. The login state is confirmed by the presence or absence of an IDP authentication token in the authentication session temporary storage device 270. In the present embodiment, since the login is completed, an IDP authentication token exists in the authentication session temporary storage device 270. Therefore, the login state determination unit 242 determines that the login is complete, and transmits the determination result to the user ID acquisition unit 243.
- step S9 the user ID acquisition unit 243 acquires the user ID associated with the IDP authentication token confirmed in step S8 from the authentication session temporary storage device 270.
- step S10 the authentication cooperation request message pre-processing unit 241 requests the policy evaluation information acquisition unit 245 to acquire policy evaluation information.
- the user ID acquired in step S9 is also transmitted to the policy evaluation information acquisition unit 245.
- step S11 the policy evaluation information acquisition unit 245 accesses the service usage status data store 320 of the service provider apparatus 300 and acquires service usage status information 321 to 324 (hereinafter referred to as service usage status information acquisition processing).
- step S12 the policy evaluation information acquisition unit 245 acquires the user attribute information 251 from the IDP user store 250 shown in FIG. (hereinafter referred to as user attribute information acquisition processing).
- step S13 the authentication cooperation request message pre-processing unit 241 requests the policy evaluation unit 246 to execute policy evaluation.
- the service usage status information 321 to 324 obtained by execution of step S11 and the user attribute information 251 obtained by execution of step S12 are collected as policy evaluation information and delivered to the policy evaluation unit 246.
- step S14 the policy evaluation unit 246 acquires the policy information 261 regarding the service provider device 300 specified by the user from the policy store 260 of FIG.
- step S15 the policy evaluation unit 246 performs policy evaluation using the policy evaluation information acquired in step S13 and the policy information acquired in step S14.
- the processing from step S13 to step S15 is referred to as policy evaluation processing.
- step S16 if the service use is permitted, the account provisioning unit 247 of the authentication cooperation request message pre-processing unit 241 performs account provisioning for the user. At this time, the user ID acquired in step S12 is also transmitted.
- step S17 the account provisioning unit 247 acquires user attribute partial information, which is partial attribute information of the user attribute information 251 of the user, from the IDP user store 250 using the user ID received in step S16 as a search key.
- step S18 the account provisioning unit 247 creates the SP-side user ID of the user, registers it in the SP user store 310 in association with the acquired user attribute partial information, and also registers an authentication linkage ID that links the account of the ID provider device 200 with the account of the service provider device 300.
- the user ID of the ID provider device 200 is designated as the authentication linkage ID.
- the processing from step S16 to step S18 is referred to as account provisioning processing (account linkage processing). Subsequently, the process proceeds to step S19 in FIG.
- step S19 of FIG. 15 the authentication collaboration request message transfer unit 244 of the authentication collaboration request message pre-processing unit 241 forwards the authentication collaboration request message to the user terminal 100 with a dummy URL that does not exist in the ID provider device 200 as the destination.
- the dummy URL is a dummy (1) URL.
- step S20 the user terminal 100 that has received the authentication cooperation request message redirects the authentication cooperation request message to a specified URL, that is, a dummy (1) URL.
- step S21 the Web server 220 first receives the authentication cooperation request message redirected by the user terminal 100.
- the reverse proxy device 221 of the Web server 220 determines whether message transfer is necessary based on the transfer destination URL management table 223 stored in the transfer destination URL storage device 222.
- a URL that matches the destination of the authentication cooperation request message received in step S20 is searched from the Internet public URL field of the transfer destination URL management table 223.
- the transfer destination is ID “1-D”, that is, the authentication cooperation request message receiving unit 232 of the IDP authentication cooperation unit 230. Subsequently, message transfer processing is performed.
- step S22 the reverse proxy device 221 of the Web server 220 transfers the authentication cooperation request message with the authentication cooperation request message reception unit 232 of the IDP authentication cooperation unit 230 as a destination based on the determination result of step S21.
- step S23 after receiving the authentication cooperation request message, the authentication cooperation request message receiving unit 232 of the IDP authentication cooperation unit 230 confirms the login state of the user.
- the login state is confirmed by, for example, confirming whether or not the IDP authentication token issued to the user is stored in the authentication session temporary storage device 270. In this embodiment, since the login is completed, an IDP authentication token exists.
- step S24 since the login state confirmed by the authentication cooperation request message reception unit 232 of the IDP authentication cooperation unit 230 is the login completion state, it requests the authentication cooperation response message transmission unit 235 to transmit the authentication cooperation response message.
- the authentication cooperation response message includes an authentication assertion that indicates to the service provider device 300 that the ID provider device 200 has authenticated the user.
- step S25 the authentication collaboration response message transmission unit 235 creates an authentication assertion that proves that the ID provider device 200 has authenticated the user, and creates an authentication collaboration response message that includes the created authentication assertion.
- the created authentication cooperation response message is transmitted to the user terminal 100 with the SP authentication cooperation unit 330 as a destination.
- step S26 the user terminal 100 redirects the received authentication cooperation response message to the SP authentication cooperation unit 330 that is the designated destination.
- step S27 the SP authentication cooperation unit 330 that has received the authentication cooperation response message performs an authentication cooperation response confirmation process, and performs authentication cooperation based on the confirmation result.
- the SP authentication cooperation unit 330 verifies the authentication assertion included in the received message.
- the verification of the authentication assertion is performed according to the authentication assertion verification policy of the verification policy store 340 shown in FIG.
- the SP authentication cooperation unit 330 completes the authentication cooperation and issues an SP authentication token.
- the SP authentication token issued by the SP authentication cooperation unit 330 is stored in, for example, HTTP Cookie or session information. Note that the processing in steps S24 to S27 is referred to as authentication cooperation response processing.
- step S28 the SP authentication cooperation unit 330 that has completed the authentication cooperation transmits an SP use response message including the SP authentication token and service data to the user terminal 100, and performs SP use response processing that notifies the user that the SP is usable. As a result, the SSO process between the user belonging to the ID provider device 200 and the service provider device 300 ends.
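The SP-initiated flow of steps S6 to S25, modelled as an added example in Python (this is not code from the patent or from any product it describes). The transfer destination URL table rows, URLs, stores, policy and user records are all constructed for illustration; the row IDs follow the page's "1-B" / "1-D" naming, and the dummy (1) URL is the second-pass trigger that hands the message to the unmodified IDP authentication cooperation unit.

```python
"""Model of the ID provider's reverse proxy interception (steps S6-S25).
Everything below is constructed: URLs, table rows, stores, policy."""
from dataclasses import dataclass, field

# Constructed transfer destination URL management table (table 223):
# Internet public URL -> (row ID, internal unit that receives the message).
TRANSFER_TABLE = {
    "https://idp.example/acs/request": ("1-B", "preprocess_request"),  # pre-processing unit 241
    "https://idp.example/dummy1":      ("1-D", "receive_request"),     # real receiving unit 232
}
DUMMY1_URL = "https://idp.example/dummy1"   # dummy (1) URL, does not exist as a real resource


@dataclass
class Stores:
    sessions: dict                     # IDP authentication token -> user ID (device 270)
    idp_users: dict                    # user ID -> user attribute information (store 250)
    sp_usage: dict                     # service usage status (store 320)
    policy: dict                       # policy information for this SP (store 260)
    sp_users: dict = field(default_factory=dict)   # SP user store 310


def make_stores():
    """Constructed sample data: alice is logged in, bob is not yet."""
    return Stores(
        sessions={"tok-alice": "alice"},
        idp_users={
            "alice": {"name": "Alice", "mail": "alice@idp.example", "department": "sales"},
            "bob":   {"name": "Bob",   "mail": "bob@idp.example",   "department": "legal"},
        },
        sp_usage={"seats_used": 4},
        policy={"allowed_departments": {"sales"}, "max_seats": 5},
    )


def route(url):
    """Reverse proxy decision (steps S6, S21): table hit -> transfer, miss -> None."""
    return TRANSFER_TABLE.get(url)


def evaluate_policy(attrs, usage, policy):
    """Steps S13-S15: may this user use the service under the SP's policy?"""
    if attrs["department"] not in policy["allowed_departments"]:
        return False
    return usage["seats_used"] < policy["max_seats"]


def provision(stores, user_id):
    """Steps S16-S18: create the SP-side account and link it by the IdP user ID."""
    attrs = stores.idp_users[user_id]
    partial = {k: attrs[k] for k in ("name", "mail")}   # user attribute partial information
    sp_uid = "sp-" + user_id
    stores.sp_users[sp_uid] = {"attrs": partial, "link_id": user_id}  # link_id = authentication linkage ID
    stores.sp_usage["seats_used"] += 1
    return sp_uid


def preprocess_request(stores, token):
    """Steps S8-S19, run by control system 240 before the real IdP unit sees the message.
    Returns (kind, next_url, user_id)."""
    user_id = stores.sessions.get(token)
    if user_id is None:                         # login incomplete: let the real unit ask for login
        return "dummy", DUMMY1_URL, None
    if not evaluate_policy(stores.idp_users[user_id], stores.sp_usage, stores.policy):
        return "deny", None, user_id            # service use not permitted: no provisioning
    if not any(r["link_id"] == user_id for r in stores.sp_users.values()):
        provision(stores, user_id)              # only on first use; later requests pass through
    return "dummy", DUMMY1_URL, user_id


def receive_request(stores, token):
    """Steps S23-S25: the unmodified IdP unit. It never learns about the interception."""
    user_id = stores.sessions.get(token)
    if user_id is None:
        return "login-request", None
    return "assertion", {"subject": user_id, "issuer": "idp.example"}


def sp_initiated_sso(stores, token):
    """Drive one request through the proxy twice (S6 and S21); returns (row IDs hit, assertion)."""
    trace = [route("https://idp.example/acs/request")[0]]
    kind, next_url, _ = preprocess_request(stores, token)
    if kind == "deny":
        return trace, None
    trace.append(route(next_url)[0])            # second pass after the dummy (1) redirect
    _, payload = receive_request(stores, token)
    return trace, payload
```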
- when the user belonging to the organization of the ID provider device 200 has no account registered in the service provider device 300, the user's login state is in a completed state, and the SSO request from the user starts from the service provider apparatus 300, it is possible to determine whether or not the service can be used without manual intervention when executing account registration and cooperation in the SSO process.
- between the SSO processing procedures (2) and (3), the authentication cooperation system of this embodiment evaluates, based on the policy information 261 on service usage stored in advance in the policy store 260 and on the usage statuses 321 to 324 in the service usage status data store 320, whether or not the service provided by the service provider apparatus 300 can be used by the user who made the authentication cooperation request, and then performs account registration to the service provider apparatus 300 and account cooperation. By interposing this processing, it is possible to automate the series of processing from the use application for the service provided by the service provider apparatus 300 via the user terminal 100 through to SSO. Therefore, the authentication cooperation system according to the present embodiment allows the user to start using the service smoothly without requiring human resources such as the user's senior manager or the IS department.
- since the authentication collaboration server 230 of the ID provider device 200 performs the processes of the SSO procedures (2) to (4) continuously, the policy evaluation and the account provisioning processing (account registration / account linkage) are interposed immediately before SSO procedure (3) without directly modifying the authentication linkage server product of the ID provider device. For this reason, it is possible to provide an authentication linkage system that has a low introduction cost and can easily determine whether or not the service can be used without human intervention.
- when the starting point is the service provider device 300 and the user login is completed, policy evaluation and account provisioning can be performed at an appropriate timing.
- the present embodiment starts from a state in which SSO processing is possible between the ID provider device 200 and the service provider device 300, and a user belonging to the organization in which the ID provider device 200 is installed has no account registered in the service provider apparatus 300. Also, in the authentication collaboration system of this embodiment, SSO is performed according to the procedures (1) to (6) described above as in the first embodiment.
- the user login state is an incomplete state.
- the SSO request from the user starts from the service provider apparatus 300.
- FIG. 16 is a diagram illustrating an example of a functional configuration of the authentication cooperation control system 240 according to the present embodiment.
- the authentication collaboration control system 240 of this embodiment includes a policy evaluation information acquisition unit 245, a policy evaluation unit 246, an account provisioning unit 247, and a login response message preprocessing unit 290.
- the login response message pre-processing unit 290 includes an authentication information extraction unit 291, an authentication identification unit 292, and a login response message transfer unit 293.
- the authentication information extraction unit 291 extracts the user ID and password included in the login response message as authentication information.
- the login response message is input by the user terminal 100 in order to respond to the login request message transmitted from the ID provider device 200 when the user has not completed login.
- the login response message is input via a login screen displayed on the user terminal 100 when the user has not completed login, for example. Specifically, a column for inputting a user ID and a password is displayed on the login screen.
- the authentication identification unit 292 authenticates and identifies the user based on the authentication information extracted by the authentication information extraction unit 291 and the user ID and reference information included in the IDP user store 250 shown in FIG.
- the authentication identification unit 292 searches the IDP user store 250 using the user ID extracted by the authentication information extraction unit 291, and determines whether the reference information included in the user attribute information with the matching user ID matches the password extracted by the authentication information extraction unit 291.
- the login response message transfer unit 293 transfers the login response message to the dummy URL.
- FIGS. 17 to 19 are sequence diagrams illustrating an example of the authentication cooperation process according to the present embodiment.
- the authentication cooperation process of this embodiment performs the process of step S30-step S50 shown in FIG. 17 thru
- since the processing from step S1 to step S7 is the same as that in the first embodiment, it is omitted, and the description starts from step S30 in FIG.
- step S30 the login state determination unit 242 of the present embodiment determines that the login state is an incomplete state, and transmits the determination result to the authentication cooperation request message transfer unit 244.
- step S31 the authentication cooperation request message transfer unit 244 transfers the authentication cooperation request message to the dummy URL.
- the dummy URL is a dummy (1) URL.
- step S32 the user terminal 100 that has received the authentication cooperation request message redirects the authentication cooperation request message to a specified URL, that is, a dummy (1) URL.
- step S33 the Web server 220 first receives the authentication cooperation request message redirected by the user terminal 100.
- the reverse proxy device 221 of the Web server 220 determines whether message transfer is necessary based on the transfer destination URL management table 223 stored in the transfer destination URL storage device 222.
- the transfer destination is ID “1-D”, that is, the authentication cooperation request message receiving unit 232 of the IDP authentication cooperation unit 230. Subsequently, message transfer processing is performed.
- step S34 based on the determination result in step S33, the reverse proxy device 221 of the Web server 220 transfers the authentication cooperation request message to the authentication cooperation request message reception unit 232 of the IDP authentication cooperation unit 230 as a destination.
- step S35 after receiving the authentication cooperation request message, the authentication cooperation request message receiving unit 232 of the IDP authentication cooperation unit 230 confirms the login state of the user.
- the confirmation of the login state is the same process as step S8 in FIG. In this embodiment, login is not completed.
- step S36 based on the determination result in step S35, the login request message transmission unit 233 transmits a login request message to the user terminal 100.
- step S37 a login screen is displayed on the user terminal 100 that has received the login request message, and the user inputs a user ID and a password via the login screen.
- step S38 the user terminal 100 transmits a login response message including the user ID and password input in step S37 with the login response message receiving unit 234 of the IDP authentication cooperation unit 230 as a destination.
- step S39 of FIG. 18 the Web server 220 first receives the login response message transmitted by the user terminal 100 in step S38. The reverse proxy device 221 of the Web server 220 then determines whether or not transfer control of the login response message is necessary based on the transfer destination URL management table 223 stored in the transfer destination URL storage device 222. The determination method searches the Internet public URL field of the transfer destination URL management table 223 for a URL that matches the destination of the received login response message. Here, since the ID “3-A” matches, it is determined that message transfer is necessary. If there is no matching URL in the transfer destination URL management table 223, it is determined that transfer control is unnecessary.
- the forwarding destination is the ID “3-B”, that is, the login response message pre-processing unit 290 of the authentication cooperation system 240. Subsequently, message transfer processing is performed.
- step S40 the reverse proxy device 221 of the Web server 220 transfers the login response message to the login response message pre-processing unit 290 as a destination based on the determination result in step S39.
- step S41 the authentication information extraction unit 291 of the login response message pre-processing unit 291 extracts the user ID and password as authentication information from the received login response message.
- step S42 the authentication identifying unit 292 of the login response message pre-processing unit 291 searches the user attribute information in the IdP user store 250 using the user ID extracted in step S41 as a search key, and acquires a password.
- step S43 the authentication identifying unit 292 of the login response message pre-processing unit 291 checks the acquired password against the password extracted from the login response message, thereby authenticating the user and identifying the user by the user ID. In this embodiment, it is assumed that the user can be authenticated.
- step S44 the login response message pre-processing unit 291 transmits a policy evaluation information acquisition request to the policy evaluation information acquisition unit 245. At this time, the user ID acquired from the login response message is also transmitted.
- subsequently, the service data acquisition processing in step S11 of FIG. 14, the user attribute information acquisition processing in step S12 of FIG. 14, the policy evaluation processing in steps S13 to S15, and the account provisioning processing in steps S16 to S18 are performed. Since these processes have already been described in the first embodiment, a description thereof is omitted.
- step S45 of FIG. 19 the login response message transfer unit 293 of the login response message pre-processing unit 291 forwards the login response message to the user terminal 100 with a dummy URL that does not exist in the ID provider device 200 as the destination.
- the dummy URL transferred by the login response message transfer unit 293 is set in advance and is “dummy (3) URL”.
- step S46 the user terminal 100 that has received the login response message redirects the login response message to the dummy (3) URL that is the destination.
- step S47 the Web server 220 first receives the login response message redirected by the user terminal 100.
- the reverse proxy device 221 of the Web server 220 determines whether message transfer is necessary based on the transfer destination URL management table 223 stored in the transfer destination URL storage device 222.
- a URL that matches the destination of the received login response message in the Internet public URL field of the transfer destination URL management table 223 is searched, and “transfer required” is set when a matching URL exists.
- the transfer destination is the ID “3-D” of the corresponding transfer destination URL. That is, the reverse proxy device 221 determines that the login response message needs to be transferred to the login response message receiving unit 234 of the IDP authentication cooperation unit 230.
- step S48 based on the determination result in step S47, the reverse proxy device 221 of the Web server 220 transfers the login response message to the login response message receiving unit 234 of the IDP authentication cooperation unit 230 as a destination.
- step S49 the login response message receiving unit 234 of the IDP authentication cooperation unit 230 performs login processing based on the received login response message. Specifically, in the login process, the login response message receiving unit 234 acquires the user ID and password from the received login response message. Using the acquired user ID as a search key, the login response message receiving unit 234 acquires a password from the IDP user store 250 and compares it with the password extracted from the login response message to authenticate the user. In this embodiment, it is assumed that user authentication has been confirmed.
- step S50 the login response message receiving unit 234 issues an IDP authentication token indicating that login is completed in the ID provider device 200, and stores the IDP authentication token together with the user ID in the authentication session temporary storage device 270.
- subsequently, the authentication cooperation response process in steps S24 to S27 of FIG. 15 and the SP use response process in step S28 are performed, and the authentication cooperation process of the present embodiment ends.
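The login response message pre-processing of steps S39 to S45, as an added example in Python (not code from the patent or from any product it describes). It covers what differs from the first embodiment: credentials are extracted from the intercepted login response and verified before any policy evaluation or provisioning is triggered, and the unchanged message is then forwarded to the dummy (3) URL so the real login response message receiving unit 234 still performs its own login in step S49. Assumptions: the table rows, URLs and user record are constructed; the user store keeps salted PBKDF2 hashes rather than cleartext reference information; the policy evaluation and account provisioning of steps S11 to S18 are passed in as a callable rather than repeated here; a message that fails authentication is forwarded untouched so that the real unit stays the authority that rejects it.

```python
"""Login response message pre-processing unit 290, modelled (steps S39-S45).
URLs, table rows, user records and the hashing scheme are constructed assumptions."""
import hashlib
import hmac
import os
from urllib.parse import parse_qs

# Constructed rows of the transfer destination URL management table for the
# login response path (the page's IDs 3-A/3-B and 3-C/3-D).
LOGIN_ROUTES = {
    "https://idp.example/login/response": ("3-B", "preprocess_login_response"),  # unit 290
    "https://idp.example/dummy3":         ("3-D", "receive_login_response"),     # real unit 234
}
DUMMY3_URL = "https://idp.example/dummy3"     # dummy (3) URL, set in advance


def hash_password(password, salt):
    # Assumption: reference information is stored as a salted PBKDF2-SHA256 hash,
    # not as the cleartext password the page compares directly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user_store():
    """Constructed IDP user store 250: user ID -> reference information + attributes."""
    salt = os.urandom(16)
    return {"alice": {"salt": salt,
                      "pw": hash_password("correct horse", salt),
                      "department": "sales"}}


def extract_authentication_information(body):
    """Step S41: pull user ID and password out of the form-encoded login response."""
    form = parse_qs(body, strict_parsing=True)
    return form["user_id"][0], form["password"][0]


def authenticate_and_identify(store, user_id, password):
    """Steps S42-S43: look up reference information and compare in constant time.
    Returns the identified user ID, or None."""
    rec = store.get(user_id)
    if rec is None:
        # Hash anyway so an unknown user costs the same time as a wrong password
        # (no user-enumeration timing signal from the pre-processing unit).
        hmac.compare_digest(hash_password(password, b"\0" * 16), b"\0" * 32)
        return None
    if hmac.compare_digest(hash_password(password, rec["salt"]), rec["pw"]):
        return user_id
    return None


def preprocess_login_response(store, body, policy_and_provisioning):
    """Steps S41-S45. `policy_and_provisioning(user_id)` stands in for steps S11-S18
    and returns True when the account was provisioned (or already linked)."""
    user_id, password = extract_authentication_information(body)
    who = authenticate_and_identify(store, user_id, password)
    if who is None:
        # Fail closed: an unauthenticated message triggers neither policy evaluation
        # nor provisioning; it is forwarded unchanged and unit 234 rejects it in S49.
        return {"forward_to": DUMMY3_URL, "provisioned": False, "user_id": None}
    provisioned = policy_and_provisioning(who)
    return {"forward_to": DUMMY3_URL, "provisioned": provisioned, "user_id": who}
```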
- when the user belonging to the organization of the ID provider device 200 has no account registered in the service provider device 300, the login state of the user is in an incomplete state, and the SSO request from the user starts from the service provider apparatus 300, it is possible to determine whether or not the service can be used without manual intervention when executing account registration and cooperation in the SSO process.
- when the user belonging to the organization of the ID provider device 200 has no account registered in the service provider device 300, the user's login state is in an incomplete state, and the SSO request from the user starts from the service provider device 300, policy evaluation and account provisioning can be performed at an appropriate timing.
- this embodiment starts from a state in which SSO processing is possible between the ID provider device 200 and the service provider device 300, and a user belonging to the organization on the ID provider device 200 side has no account registered in the service provider apparatus 300.
- the user login state is the complete state.
- the SSO request from the user starts from the ID provider device 200 (IDP start model).
- the IDP start model is a model that starts when the user terminal requests the ID provider to provide a service provider service in the SSO procedure (1) described above. Therefore, in the present embodiment, the SSO procedure (2) is not performed, and the processes (3) to (6) are performed following the procedure (1).
- FIG. 20 is a diagram illustrating an example of a functional configuration of the IDP authentication cooperation unit 230 of the present embodiment.
- the IDP authentication cooperation unit 230 of this embodiment includes a login request message transmission unit 233, a login response message reception unit 234, an authentication cooperation response message transmission unit 235, and an authentication cooperation response issue request message reception unit 236.
- the authentication cooperation response issue request message receiving unit 236 receives the authentication cooperation response issue request message.
- the authentication cooperation response issue request message is an authentication cooperation request message to the service provider device 300 issued in the IDP start model. That is, this message is issued by the ID provider device 200 that has received a service use request from the user terminal 100 to request the service provider device 300 for authentication cooperation.
- the authentication cooperation request message issued by the service provider device 300 may be referred to as an SP authentication cooperation request message, and the authentication cooperation request message (authentication cooperation response issue request message) issued by the ID provider device 200 may be referred to as an IDP authentication cooperation request message.
- FIG. 21 is a diagram illustrating an example of a functional configuration of the authentication cooperation control system 240 according to the present embodiment.
- the authentication collaboration control system 240 of this embodiment includes an authentication collaboration response issue request message pre-processing unit 294.
- the authentication collaboration response issuance request message pre-processing unit 294 includes an authentication collaboration response issuance request message transfer unit 295, and performs processing for transferring the received authentication collaboration response issuance request message.
- FIGS. 22 to 24 are sequence diagrams illustrating an example of the authentication cooperation process in the present embodiment.
- step S61 in order to use the service of the service provider apparatus 300, the user clicks the desired link among the links to the service public URLs provided by the service provider apparatus 300, which are displayed on the portal menu screen shown on the user terminal 100 by the portal server 210; an SP use request is thereby input to the user terminal 100.
- step S62 the user terminal 100 transmits an SP use request message to the portal server 210.
- step S63 the Web server 220 receives the SP use request message transmitted from the user terminal 100, and performs a transfer necessity determination process for the received SP request message.
- the transfer necessity determination process is performed by the reverse proxy device 221 included in the Web server 220 based on the transfer destination URL management table 223 stored in the transfer destination URL storage device 222. For example, a URL that matches the destination of the received SP use request message is searched in the Internet public URL field of the transfer destination URL management table 223 of FIG. Here, the destination is the portal server 220, and the reverse proxy device 221 determines that the transfer process is unnecessary because there is no match in the Internet public URL field of FIG.
- step S64 the reverse proxy device 221 transfers the SP use request message to the portal server 220, which is the original destination, based on the determination result in step S63.
- step S65 the portal server 220 that has received the SP use request message creates an authentication collaboration response issue request message addressed to the authentication collaboration response issue request message reception unit 236 of the IDP authentication collaboration unit 230 and transmits it to the user terminal 100. That is, the portal server 220 has an authentication cooperation response issue request function.
- step S66 the user terminal 100 that has received the authentication cooperation response issue request message redirects to the authentication cooperation response issue request message reception unit 294 that is the designated destination.
- step S67 the Web server 220 receives the redirected authentication cooperation response issue request message, and performs a transfer necessity determination process for the received message.
- the transfer necessity determination process is the same as the process in step S63.
- the reverse proxy device 221 determines that transfer is necessary.
- the transfer destination URL is a transfer destination URL of ID “2-B” corresponding to ID “2-A”. That is, the transfer destination URL is the authentication cooperation response issue request message pre-processing unit 294 of the authentication cooperation control system 240.
- step S68 based on the determination result in step S67, the reverse proxy device 221 transfers the authentication cooperation response issue request message to the authentication cooperation response issue request message pre-processing unit 294 of the authentication cooperation control system 240 as a destination.
- the login state determination unit 242 of the authentication cooperation response issue request message pre-processing unit 294 that has received the authentication cooperation response issue request message determines the login state of the user.
- the login state is confirmed by checking whether the IDP authentication token issued to the user is stored in the authentication session temporary storage device 270.
- the IDP authentication token is stored in the authentication session temporary storage device 270, and it is determined that the login is completed.
- step S70 the user ID acquisition unit 243 acquires the user ID associated with the IDP authentication token in step S69 from the authentication session temporary storage device 270.
- step S71 the authentication cooperation response issue request message pre-processing unit 294 requests the policy evaluation information acquisition unit 245 to acquire policy evaluation information.
- the user ID acquired in step S70 is also delivered to the policy evaluation information acquisition unit 245.
- subsequently, the service data acquisition processing in step S11 of FIG. 14, the user attribute information acquisition processing in step S12 of FIG. 14, the policy evaluation processing in steps S13 to S15, and the account provisioning processing in steps S16 to S18 are performed. Since these processes have already been described in the first embodiment, a description thereof is omitted.
- step S72 after the account provisioning in step S18 is completed, the authentication collaboration response issue request message receiving unit 294 transmits an authentication collaboration response issue request message whose destination is a dummy URL to the user terminal 100.
- the dummy URL transmitted by the authentication cooperation response issue request message receiving unit 294 is set in advance, and is “dummy (2) URL” in the present embodiment.
- step S73 the user terminal 100 that has received the authentication cooperation response issue request message redirects the authentication cooperation response issue request message to the dummy (2) URL that is the destination of the authentication cooperation response issue request message.
- step S74 the reverse proxy device 221 performs transfer necessity determination processing for the authentication cooperation response issue request message redirected by the user terminal 100, based on the transfer destination URL management table 223 stored in the transfer destination URL storage device 223.
- the transfer destination is a transfer destination URL corresponding to the ID “2-C”. That is, the authentication cooperation response issue request message reception unit 236 of the IDP authentication cooperation unit 230 with ID “2-D”.
- step S75 based on the determination result in step S74, the reverse proxy device 221 transfers the authentication cooperation response issue request message with the authentication cooperation response issue request message reception unit 236 of the IDP authentication cooperation unit 230 as a destination.
- step S76 after receiving the authentication cooperation response issue request message, the authentication cooperation response issue request message reception unit 236 of the IDP authentication cooperation unit 230 determines the login state of the user.
- the login state determination result is performed, for example, by confirming whether or not the IDP authentication token issued to the user is stored in the authentication session temporary storage device 270. In this embodiment, since the login is completed, an IDP authentication token exists.
- step S77 the authentication cooperation response issue request message reception unit 236 of the IDP authentication cooperation unit 230 transmits the authentication cooperation response message to the authentication cooperation response message transmission unit 235 because the determination result of the login state is the login completion state. Request.
- the authentication cooperation response message transmission unit 235 creates an authentication assertion that proves that the user has been authenticated on the IDP side.
- step S77 the processing in steps S25 to S28 in FIG. 15 is performed, and the authentication cooperation processing in the present embodiment ends. Since the processing in steps S25 to S28 has been described in the first embodiment, a description thereof will be omitted.
- the user belonging to the organization of the ID provider device 200 is in a state where no account is registered in the service provider device 300, and the user's login state is a completed state.
- the SSO request starting point from the user starts from the ID provider device 200, it is possible to determine whether or not the service can be used without manual intervention when performing account registration and cooperation in the SSO process.
- the authentication collaboration server 230 of the ID provider device 200 performs the processes of the SSO procedures (2) to (4) continuously, immediately before the SSO procedure (3).
- interruption of account provisioning processing for policy evaluation and account registration / account linkage without directly remodeling the authentication linkage server product of the ID provider device. For this reason, it is possible to provide an authentication linkage system that is low in introduction cost and that can determine whether or not the service can be used without human intervention.
- the user belonging to the organization of the ID provider device 200 is in a state where an account is not registered in the service provider device 300, the user's login state is a completed state, and the user Policy start and account provisioning can be performed at an appropriate timing when the SSO request starting point is started from the ID provider device 200.
- In the present embodiment, SSO processing is possible between the ID provider device 200 and the service provider device 300, and the process starts from a state in which a user belonging to the organization on the ID provider side has no account registered in the service provider device 300.
- SSO is performed according to procedures (1) to (6) described above, as in the first embodiment.
- The user's login state is the incomplete state, and the SSO request from the user starts from the ID provider device 200.
- FIG. 25 is a diagram illustrating an example of a functional configuration of the authentication cooperation control system 240 according to the present embodiment.
- The authentication cooperation control system 240 of this embodiment includes a policy evaluation information acquisition unit 245, a policy evaluation unit 246, an account provisioning unit 247, a login response message pre-processing unit 290, and an authentication cooperation response issue request message pre-processing unit 294, which is substituted in this embodiment.
- FIG. 26 is a sequence diagram illustrating an example of the authentication collaboration process according to the present embodiment.
- The authentication cooperation system of this embodiment performs the processing from the SP use request of step S61 in FIG. 22 to the transfer of the authentication cooperation response issue request message of step S68. Since these processes have been described in the third embodiment, their description is omitted.
- In step S81, the login state determination unit 242 of the authentication cooperation response issue request message pre-processing unit 294, having received the authentication cooperation response issue request message, determines the login state of the user.
- The login state is confirmed by checking whether the IDP authentication token issued to the user is stored in the authentication session temporary storage device 270. In this embodiment, the IDP authentication token is not stored in the authentication session temporary storage device 270, so it is determined that login is incomplete.
- Since it is determined in step S81 that login has not been completed, the processing of steps S72 to S75 shown in FIG. 24 is subsequently performed. Since these processes are also described in the third embodiment, they are omitted.
- After step S75, the processing from step S35 in FIG. 17 to step S28 in FIG. 19 is performed, and the authentication cooperation processing of this embodiment is completed. Since the processing from step S35 in FIG. 17 to step S28 in FIG. 19 has been described in the second embodiment, its description is omitted.
- In this embodiment, the user belonging to the organization of the ID provider device 200 has no account registered in the service provider device 300, and the user's login state is the incomplete state.
- Because the SSO request from the user starts from the ID provider device 200, it is possible to determine whether the service can be used, without manual operations, when performing account registration and account linkage during the SSO process.
- Consequently, when the user belonging to the organization of the ID provider device 200 has no account registered in the service provider device 300, the user's login state is incomplete, and the SSO request starts from the ID provider device 200, policy evaluation and account provisioning can be performed at an appropriate timing.
- The authentication cooperation server 230 of the ID provider device 200 performs the processing of SSO procedures (2) to (4) continuously, and immediately before SSO procedure (3) the account provisioning processing for policy evaluation and account registration / account linkage is interposed, without directly modifying the authentication cooperation server product of the ID provider device. For this reason, it is possible to provide an authentication cooperation system that has a low introduction cost and that can determine whether the service can be used without human intervention.
- DESCRIPTION OF SYMBOLS 100 ... User terminal, 200 ... ID provider, 210 ... Portal server, 220 ... Web server, 221 ... Reverse proxy apparatus, 222 ... Transfer URL memory storage device, 230 ... IDP authentication cooperation part, 240 ... Authentication cooperation control system, 250 ... IDP user store, 260 ... Policy store, 270 ... Authentication session temporary storage device, 280 ... Key storage device, 290 ... Login response message pre-processing unit, 300 ... Service provider device, 310 ... SP user store, 320 ... Service usage status data store, 330 ... Temporary storage device, 340 ... Verification policy store, 350 ... SP authentication cooperation unit
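The control-unit flow the third and fourth embodiments describe (login-state determination against the authentication session store, policy evaluation against the IDP user store and policy store, account provisioning at the SP, then forwarding to the IDP authentication cooperation unit, or forwarding for login first when no token exists) as an added example. This is not the patent's or any product's code; the store layout, the policy shape (a set of allowed values per attribute), the pairwise SP-side user ID derivation and all sample users, tokens and SP names are constructed assumptions.

```python
"""Added example (not the patent's own code): IDP-side authentication
cooperation control. Store contents, policy shape and identifiers are
constructed stand-ins for the storage units numbered in the description."""
from dataclasses import dataclass, field
import hashlib


@dataclass
class IdpStores:
    auth_sessions: dict = field(default_factory=dict)  # token -> user_id      (270)
    users: dict = field(default_factory=dict)          # user_id -> attributes (250)
    policies: dict = field(default_factory=dict)       # sp_id -> policy       (260)
    sp_accounts: dict = field(default_factory=dict)    # (sp_id, user_id) -> (sp_user_id, partial attrs)


def login_state(stores, token):
    """Login-state determination: complete iff an IDP authentication token
    issued to the user is present in the authentication session store."""
    return token is not None and token in stores.auth_sessions


def evaluate_policy(stores, sp_id, attrs):
    """Policy evaluation: every attribute constraint in the SP's policy must be
    satisfied by the user's IDP attribute information. No policy means deny."""
    policy = stores.policies.get(sp_id)
    if policy is None:
        return False
    return all(attrs.get(name) in allowed for name, allowed in policy.items())


def provision_account(stores, sp_id, user_id, attrs, partial_keys):
    """Account provisioning / linkage: create (or reuse) the SP-side user ID and
    the user attribute partial information registered at the SP. The SP-side ID
    is a constructed pairwise value, so the SP never learns the IDP user ID."""
    key = (sp_id, user_id)
    if key not in stores.sp_accounts:
        sp_user_id = hashlib.sha256(f"{sp_id}|{user_id}".encode()).hexdigest()[:16]
        partial = {k: attrs[k] for k in partial_keys if k in attrs}
        stores.sp_accounts[key] = (sp_user_id, partial)
    return stores.sp_accounts[key]


def handle_cooperation_request(stores, sp_id, token, partial_keys=("name", "dept")):
    """Pre-processing of an authentication cooperation request at the control unit.
    Returns (action, detail) telling the transfer unit where the request goes next."""
    if not login_state(stores, token):
        # Login incomplete: forward to the IDP authentication cooperation unit so it
        # issues a login request; policy evaluation and provisioning then run on the
        # credentials returned by that login (second / fourth embodiments).
        return ("forward_for_login", None)
    user_id = stores.auth_sessions[token]
    attrs = stores.users.get(user_id, {})
    if not evaluate_policy(stores, sp_id, attrs):
        return ("deny", user_id)
    sp_user_id, _partial = provision_account(stores, sp_id, user_id, attrs, partial_keys)
    return ("forward_to_idp_auth_cooperation", sp_user_id)


def build_demo_stores():
    """Constructed sample data so the flow runs without any real IdP or SP."""
    s = IdpStores()
    s.users["u001"] = {"name": "Alice", "dept": "sales", "role": "staff"}
    s.users["u002"] = {"name": "Bob", "dept": "hr", "role": "staff"}
    s.policies["sp-crm"] = {"dept": {"sales", "marketing"}}
    s.auth_sessions["tok-alice"] = "u001"
    s.auth_sessions["tok-bob"] = "u002"
    return s


if __name__ == "__main__":
    stores = build_demo_stores()
    print(handle_cooperation_request(stores, "sp-crm", "tok-alice"))  # provisioned and forwarded
    print(handle_cooperation_request(stores, "sp-crm", "tok-bob"))    # denied by policy
    print(handle_cooperation_request(stores, "sp-crm", None))         # no token: login first
```

The order of the checks is the point: provisioning only happens after the policy says the user may use the service, and an absent token never reaches policy evaluation, which is what lets the SSO proceed without an administrator creating the SP account by hand.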
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computing Systems (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- Software Systems (AREA)
- General Physics & Mathematics (AREA)
- Physics & Mathematics (AREA)
- Storage Device Security (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
- Information Transfer Between Computers (AREA)
Abstract
Description
Hereinafter, the authentication cooperation system of the present embodiment will be described with reference to FIGS. 1 to 15.
The authentication cooperation system of the second embodiment will be described with reference to FIGS. 16 to 19.
The authentication cooperation system of the third embodiment will be described with reference to FIGS. 20 to 24.
The authentication cooperation system of the fourth embodiment will be described with reference to FIGS. 25 to 26.
Claims (5)
- An authentication cooperation system comprising an ID provider device that performs login processing for a user terminal operated by a user, and a service provider device that transmits service data to the user terminal when the login processing is completed, the user terminal issuing a service use request to the service provider device, wherein
the ID provider device comprises:
an IDP user attribute information storage unit that stores IDP user attribute information associating item names of user attributes for identifying the user, including a user identifier that identifies the user, with item values of the user attributes;
an IDP authentication session storage unit that stores the user ID in association with an authentication token indicating that the login state of the user is a login-completed state;
a policy information storage unit that stores policy information indicating the users to whom transmission of the service data is permitted;
a key storage unit that stores a signature generation key of the ID provider device;
an IDP authentication cooperation unit that, when the login processing of the user terminal is in an incomplete state, issues a login request to the user terminal, and, when the login processing of the user terminal is in a completed state, receives an SP authentication cooperation request issued by the service provider device that received the service use request, generates a digital signature based on the signature generation key over an assertion body containing the authentication method name of the login processing, creates an authentication assertion containing the assertion body and the digital signature, and transmits an authentication cooperation response containing the authentication assertion to the service provider device; and
an authentication cooperation control unit comprising: a login state determination unit that, when the SP authentication cooperation request is received from the user terminal, performs login state confirmation processing to confirm whether an authentication token issued to the user is stored in the authentication session storage unit; an authentication cooperation request transfer unit that, if the result of the login state confirmation processing is a login-incomplete state, transfers the SP authentication cooperation request to the IDP authentication cooperation unit; an authentication identification unit that receives, from the user terminal, authentication information of the user transmitted in response to the login request from the IDP authentication cooperation unit, and performs the login processing based on the received authentication information; a policy evaluation unit that, when the result of the login state confirmation processing is the login-completed state, evaluates whether the user operating the user terminal is a user to whom transmission of service data is permitted, based on the policy information and on IDP user attribute information acquired from the IDP user attribute information storage unit using the user ID stored in the authentication session storage unit in association with the authentication token issued to the user, and, when the result of the login state confirmation processing is the login-incomplete state, evaluates whether the user operating the user terminal is a user to whom transmission of service data is permitted, based on the policy information and on IDP user attribute information acquired from the IDP user attribute information storage unit using the user ID contained in the authentication information; an account cooperation unit that, when the evaluation result of the policy evaluation unit is permission, performs account cooperation processing with the service provider device by referring to the acquired IDP user attribute information and creates an SP-side user ID that is the identifier of the user in the service provider device; and an authentication cooperation request transfer unit that transmits the SP authentication cooperation request to the IDP authentication cooperation unit after the account cooperation processing,
and
the service provider device comprises:
a verification policy storage unit that stores a verification policy containing the authentication method name of the login processing for which transmission of the service data is permitted when the authentication cooperation response is received, and a signature verification key corresponding to the signature generation key;
an SP user attribute information storage unit that stores an account registration associating the SP-side user ID issued in the account cooperation processing with user attribute partial information, which is at least one item name and item value among the item names and item values of the user attributes contained in the user attribute information;
an SP authentication cooperation unit that, when the service use request is received, determines whether the service use request contains an authentication token, and, if the service use request contains the authentication token, transmits the authentication token and the service data to the user terminal, and, if the service use request does not contain the authentication token, issues to the ID provider device the SP authentication cooperation request containing address information of the user terminal, and,
when the authentication cooperation response is received, verifies the authentication method name and the digital signature respectively against the authentication method name and the signature verification key in the verification policy, and, when both verification results are valid, issues an authentication token and transmits the authentication token and the service data to the user terminal; and
an SP authentication session storage unit that stores the SP-side user ID in association with the authentication token.
- An authentication cooperation system comprising an ID provider device that performs login processing for a user terminal operated by a user, and a service provider device that transmits service data to the user terminal when the login processing is completed, the user terminal issuing a service use request to the ID provider device, wherein
the ID provider device comprises:
an IDP user attribute information storage unit that stores IDP user attribute information associating item names of user attributes for identifying the user, including a user identifier that identifies the user, with item values of the user attributes;
an IDP authentication session storage unit that stores the user ID in association with an authentication token indicating that the login state of the user is a login-completed state;
a policy information storage unit that stores policy information indicating the users to whom transmission of the service data is permitted;
a key storage unit that stores a signature generation key of the ID provider device;
an IDP authentication cooperation request unit that, when a service use request is received from the user terminal, issues an IDP authentication cooperation request directed to the service provider device;
an IDP authentication cooperation unit that, when the login processing of the user terminal is in an incomplete state, issues a login request to the user terminal, and, when the login processing of the user terminal is in a completed state, receives the IDP authentication cooperation request, generates a digital signature based on the signature generation key over an assertion body containing the authentication method name of the login processing, creates an authentication assertion containing the assertion body and the digital signature, and transmits an authentication cooperation response containing the authentication assertion to the service provider device; and
an authentication cooperation control unit comprising: a login state determination unit that, when the IDP authentication cooperation request is received, performs login state confirmation processing to confirm whether an authentication token issued to the user is stored in the authentication session storage unit; an authentication cooperation request transfer unit that, if the result of the login state confirmation processing is a login-incomplete state, transfers the IDP authentication cooperation request to the IDP authentication cooperation unit; an authentication identification unit that receives, from the user terminal, authentication information of the user transmitted in response to the login request from the IDP authentication cooperation unit, and performs the login processing based on the received authentication information; a policy evaluation unit that, when the result of the login state confirmation processing is the login-completed state, evaluates whether the user operating the user terminal is a user to whom transmission of service data is permitted, based on the policy information and on IDP user attribute information acquired from the IDP user attribute information storage unit using the user ID stored in the authentication session storage unit in association with the authentication token issued to the user, and, when the result of the login state confirmation processing is the login-incomplete state, evaluates whether the user operating the user terminal is a user to whom transmission of service data is permitted, based on the policy information and on IDP user attribute information acquired from the IDP user attribute information storage unit using the user ID contained in the authentication information; an account cooperation unit that, when the evaluation result of the policy evaluation unit is permission, performs account cooperation processing with the service provider device by referring to the acquired IDP user attribute information and creates an SP-side user ID that is the identifier of the user in the service provider device; and an authentication cooperation request transfer unit that transmits the IDP authentication cooperation request to the IDP authentication cooperation unit after the account cooperation processing,
and
the service provider device comprises:
a verification policy storage unit that stores a verification policy containing the authentication method name of the login processing for which transmission of the service data is permitted when the authentication cooperation response is received, and a signature verification key corresponding to the signature generation key;
an SP user attribute information storage unit that stores an account registration associating the SP-side user ID issued in the account cooperation processing with user attribute partial information, which is at least one item name and item value among the item names and item values of the user attributes contained in the user attribute information;
an SP authentication cooperation unit that, when the authentication cooperation response is received from the IDP authentication cooperation unit, verifies the authentication method name and the digital signature respectively against the authentication method name and the signature verification key in the verification policy, and, when both verification results are valid, issues an authentication token and transmits the authentication token and the service data to the user terminal; and
an SP authentication session storage unit that stores the SP-side user ID in association with the authentication token.
- An ID provider device that is connected to a service provider device which transmits service data to a user terminal operated by a user, thereby forming an authentication cooperation system, and that performs login processing for the user terminal that issues a service use request to the service provider device, the ID provider device comprising:
an IDP user attribute information storage unit that stores IDP user attribute information associating item names of user attributes for identifying the user, including a user identifier that identifies the user, with item values of the user attributes;
an IDP authentication session storage unit that stores the user ID in association with an authentication token indicating that the login state of the user is a login-completed state;
a policy information storage unit that stores policy information indicating the users to whom transmission of the service data is permitted;
a key storage unit that stores a signature generation key of the ID provider device;
an IDP authentication cooperation unit that, when the login processing of the user terminal is in an incomplete state, issues a login request to the user terminal, and, when the login processing of the user terminal is in a completed state, receives an SP authentication cooperation request issued by the service provider device that received the service use request, generates a digital signature based on the signature generation key over an assertion body containing the authentication method name of the login processing, creates an authentication assertion containing the assertion body and the digital signature, and transmits an authentication cooperation response containing the authentication assertion to the service provider device;
an authentication cooperation control unit comprising: a login state determination unit that, when the SP authentication cooperation request is received from the user terminal, performs login state confirmation processing to confirm whether an authentication token issued to the user is stored in the authentication session storage unit; an authentication cooperation request transfer unit that, if the result of the login state confirmation processing is a login-incomplete state, transfers the SP authentication cooperation request to the IDP authentication cooperation unit; an authentication identification unit that receives, from the user terminal, authentication information of the user transmitted in response to the login request from the IDP authentication cooperation unit, and performs the login processing based on the received authentication information; a policy evaluation unit that, when the result of the login state confirmation processing is the login-completed state, evaluates whether the user operating the user terminal is a user to whom transmission of service data is permitted, based on the policy information and on IDP user attribute information acquired from the IDP user attribute information storage unit using the user ID stored in the authentication session storage unit in association with the authentication token issued to the user, and, when the result of the login state confirmation processing is the login-incomplete state, evaluates whether the user operating the user terminal is a user to whom transmission of service data is permitted, based on the policy information and on IDP user attribute information acquired from the IDP user attribute information storage unit using the user ID contained in the authentication information; an account cooperation unit that, when the evaluation result of the policy evaluation unit is permission, performs account cooperation processing with the service provider device by referring to the acquired IDP user attribute information and creates an SP-side user ID that is the identifier of the user in the service provider device; and an authentication cooperation request transfer unit that transmits the SP authentication cooperation request to the IDP authentication cooperation unit after the account cooperation processing; and
a transfer device that transfers the authentication cooperation request transmitted from the service provider device to the authentication cooperation control unit.
- An ID provider device that is connected to a service provider device which transmits service data to a user terminal operated by a user, thereby forming an authentication cooperation system, and that performs login processing for the user terminal, the ID provider device comprising:
an IDP user attribute information storage unit that stores IDP user attribute information associating item names of user attributes for identifying the user, including a user identifier that identifies the user, with item values of the user attributes;
an IDP authentication session storage unit that stores the user ID in association with an authentication token indicating that the login state of the user is a login-completed state;
a policy information storage unit that stores policy information indicating the users to whom transmission of the service data is permitted;
a key storage unit that stores a signature generation key of the ID provider device;
an IDP authentication cooperation request unit that, when a service use request is received from the user terminal, issues an IDP authentication cooperation request directed to the service provider device;
an IDP authentication cooperation unit that, when the login processing of the user terminal is in an incomplete state, issues a login request to the user terminal, and, when the login processing of the user terminal is in a completed state, receives the IDP authentication cooperation request, generates a digital signature based on the signature generation key over an assertion body containing the authentication method name of the login processing, creates an authentication assertion containing the assertion body and the digital signature, and transmits an authentication cooperation response containing the authentication assertion to the service provider device; and
an authentication cooperation control unit comprising: a login state determination unit that, when the IDP authentication cooperation request is received, performs login state confirmation processing to confirm whether an authentication token issued to the user is stored in the authentication session storage unit; an authentication cooperation request transfer unit that, if the result of the login state confirmation processing is a login-incomplete state, transfers the IDP authentication cooperation request to the IDP authentication cooperation unit; an authentication identification unit that receives, from the user terminal, authentication information of the user transmitted in response to the login request from the IDP authentication cooperation unit, and performs the login processing based on the received authentication information; a policy evaluation unit that, when the result of the login state confirmation processing is the login-completed state, evaluates whether the user operating the user terminal is a user to whom transmission of service data is permitted, based on the policy information and on IDP user attribute information acquired from the IDP user attribute information storage unit using the user ID stored in the authentication session storage unit in association with the authentication token issued to the user, and, when the result of the login state confirmation processing is the login-incomplete state, evaluates whether the user operating the user terminal is a user to whom transmission of service data is permitted, based on the policy information and on IDP user attribute information acquired from the IDP user attribute information storage unit using the user ID contained in the authentication information; an account cooperation unit that, when the evaluation result of the policy evaluation unit is permission, performs account cooperation processing with the service provider device by referring to the acquired IDP user attribute information and creates an SP-side user ID that is the identifier of the user in the service provider device; and an authentication cooperation request transfer unit that transmits the IDP authentication cooperation request to the IDP authentication cooperation unit after the account cooperation processing.
- The ID provider device according to claim 3, further comprising a service usage status storage unit that stores service usage status information associating the user ID with the service usage status of each service provider device,
wherein the authentication cooperation request pre-processing unit evaluates whether the user operating the user terminal is a user to whom transmission of service data is permitted by referring to the service usage status information stored in the service usage status storage unit and the policy information stored in the policy information storage unit.
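The SP-side handling of the authentication cooperation response that the claims describe (the authentication method name checked against the verification policy, the digital signature checked with the verification key, and an SP authentication token issued and bound to the SP-side user ID only when both checks pass), as an added example that is not the patent's or any product's code. Because the example must run with the standard library only, the asymmetric digital signature is replaced by an HMAC over a canonical encoding of the assertion body with a single shared key, which stands in for the signature generation key at the IDP and the signature verification key at the SP; that substitution, the issuer name, the method names and all IDs are constructed assumptions.

```python
"""Added example (not the patent's code): IDP assertion creation and SP-side
verification against a verification policy. HMAC with a shared key is a
labelled stand-in for the asymmetric signature the claims describe."""
import hashlib
import hmac
import json
import secrets


def canonical(body):
    """Deterministic byte encoding of the assertion body so that the signer and
    the verifier hash exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def create_assertion(signing_key, sp_user_id, auth_method):
    """IDP side: the assertion body carries the authentication method name of the
    login processing; the signature covers the whole body."""
    body = {"subject": sp_user_id, "auth_method": auth_method, "issuer": "idp.example"}
    sig = hmac.new(signing_key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "signature": sig}


class ServiceProvider:
    def __init__(self, verification_policy):
        # Verification policy: accepted authentication method names plus the
        # verification key matching the IDP's signature generation key.
        self.policy = verification_policy
        self.sessions = {}  # SP authentication token -> SP-side user ID

    def verify_assertion(self, assertion):
        """Both checks must pass: the signature must verify with the policy's key,
        and the method name must be one the policy accepts. Returns (ok, reason)."""
        body, sig = assertion.get("body"), assertion.get("signature", "")
        if not isinstance(body, dict) or not isinstance(sig, str):
            return False, "malformed"
        expected = hmac.new(self.policy["verification_key"], canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"
        if body.get("auth_method") not in self.policy["accepted_methods"]:
            return False, "auth method not accepted"
        return True, "ok"

    def handle_cooperation_response(self, assertion):
        """Issue an SP authentication token bound to the SP-side user ID only for a
        valid assertion; otherwise return no token and the reason."""
        ok, reason = self.verify_assertion(assertion)
        if not ok:
            return None, reason
        token = secrets.token_hex(16)
        self.sessions[token] = assertion["body"]["subject"]
        return token, reason


KEY = b"constructed-shared-key"  # stand-in for the generation / verification key pair


def demo():
    """Constructed scenario: one valid assertion, one with a method the policy does
    not accept, and one whose method name was changed after signing."""
    sp = ServiceProvider({"accepted_methods": {"password+otp"}, "verification_key": KEY})
    good = create_assertion(KEY, "sp-user-7f3a", "password+otp")
    weak = create_assertion(KEY, "sp-user-7f3a", "password")
    tampered = create_assertion(KEY, "sp-user-7f3a", "password")
    tampered["body"]["auth_method"] = "password+otp"  # edited after signing
    return sp, good, weak, tampered


if __name__ == "__main__":
    sp, good, weak, tampered = demo()
    for assertion in (good, weak, tampered):
        print(sp.handle_cooperation_response(assertion))
```

The signature check runs before the method-name check, and the method name is part of the signed body; that ordering is what makes the third case fail as a signature error rather than being accepted as an upgraded login, which is the reason the claims require the SP to verify both the method name and the signature rather than either alone.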
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201280002728.7A CN103282909B (zh) | 2011-12-27 | 2012-09-25 | 认证联合***及id提供者装置 |
SG2013016761A SG188436A1 (en) | 2011-12-27 | 2012-09-25 | Authentication collaboration system, and id provider device |
US13/785,746 US8793759B2 (en) | 2011-12-27 | 2013-03-05 | Authentication collaboration system and ID provider device |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2011-287021 | 2011-12-27 | ||
JP2011287021A JP5197843B1 (ja) | 2011-12-27 | 2011-12-27 | 認証連携システムおよびidプロバイダ装置 |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US13/785,746 Continuation US8793759B2 (en) | 2011-12-27 | 2013-03-05 | Authentication collaboration system and ID provider device |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2013099065A1 true WO2013099065A1 (ja) | 2013-07-04 |
Family
ID=48534025
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2012/006085 WO2013099065A1 (ja) | 2011-12-27 | 2012-09-25 | 認証連携システムおよびidプロバイダ装置 |
Country Status (5)
Country | Link |
---|---|
US (1) | US8793759B2 (ja) |
JP (1) | JP5197843B1 (ja) |
CN (1) | CN103282909B (ja) |
SG (1) | SG188436A1 (ja) |
WO (1) | WO2013099065A1 (ja) |
Families Citing this family (36)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP2974125B1 (en) * | 2013-03-14 | 2019-04-24 | Intel Corporation | Systems, methods, and computer program products for providing a universal persistence cloud service |
US9154488B2 (en) * | 2013-05-03 | 2015-10-06 | Citrix Systems, Inc. | Secured access to resources using a proxy |
KR101464724B1 (ko) | 2013-10-15 | 2014-11-27 | 순천향대학교 산학협력단 | 멀티 클라우드 환경을 위한 OpenID 기반의 사용자 인증 기법 |
JP6071847B2 (ja) * | 2013-11-06 | 2017-02-01 | 株式会社東芝 | 認証システム、方法及びプログラム |
CN103731269A (zh) * | 2013-12-20 | 2014-04-16 | 湖北安标信息技术有限公司 | 基于考评服务平台的跨域认证方法 |
JP6248641B2 (ja) | 2014-01-15 | 2017-12-20 | 株式会社リコー | 情報処理システム及び認証方法 |
WO2016014120A1 (en) * | 2014-07-24 | 2016-01-28 | Hewlett-Packard Development Company, L.P. | Device authentication agent |
US10021088B2 (en) | 2014-09-30 | 2018-07-10 | Citrix Systems, Inc. | Fast smart card logon |
US10841316B2 (en) | 2014-09-30 | 2020-11-17 | Citrix Systems, Inc. | Dynamic access control to network resources using federated full domain logon |
US9600548B2 (en) | 2014-10-10 | 2017-03-21 | Salesforce.Com | Row level security integration of analytical data store with cloud architecture |
US10049141B2 (en) | 2014-10-10 | 2018-08-14 | salesforce.com,inc. | Declarative specification of visualization queries, display formats and bindings |
US9767145B2 (en) | 2014-10-10 | 2017-09-19 | Salesforce.Com, Inc. | Visual data analysis with animated informational morphing replay |
US10101889B2 (en) | 2014-10-10 | 2018-10-16 | Salesforce.Com, Inc. | Dashboard builder with live data updating without exiting an edit mode |
US9449188B2 (en) | 2014-10-10 | 2016-09-20 | Salesforce.Com, Inc. | Integration user for analytical access to read only data stores generated from transactional systems |
US10509898B2 (en) | 2015-01-21 | 2019-12-17 | Jim Barney et al. | Enhanced security authentication methods, systems and media |
US11503031B1 (en) | 2015-05-29 | 2022-11-15 | Pure Storage, Inc. | Storage array access control from cloud-based user authorization and authentication |
US9300660B1 (en) * | 2015-05-29 | 2016-03-29 | Pure Storage, Inc. | Providing authorization and authentication in a cloud for a user of a storage array |
US10115213B2 (en) | 2015-09-15 | 2018-10-30 | Salesforce, Inc. | Recursive cell-based hierarchy for data visualizations |
US10089368B2 (en) | 2015-09-18 | 2018-10-02 | Salesforce, Inc. | Systems and methods for making visual data representations actionable |
CN108701276B (zh) | 2015-10-14 | 2022-04-12 | 剑桥区块链有限责任公司 | 用于管理数字身份的***和方法 |
US9923929B2 (en) | 2015-11-20 | 2018-03-20 | Nasdaq, Inc. | Systems and methods for in-session refresh of entitlements associated with web applications |
KR101795592B1 (ko) * | 2015-12-24 | 2017-12-04 | (주)소만사 | 기업용 클라우드 서비스의 접근 통제 방법 |
US10311047B2 (en) | 2016-10-19 | 2019-06-04 | Salesforce.Com, Inc. | Streamlined creation and updating of OLAP analytic databases |
US10484358B2 (en) | 2017-05-05 | 2019-11-19 | Servicenow, Inc. | Single sign-on user interface improvements |
CN110770695B (zh) * | 2017-06-16 | 2024-01-30 | 密码研究公司 | 物联网(iot)设备管理 |
WO2019107314A1 (ja) * | 2017-11-30 | 2019-06-06 | 株式会社アドテクニカ | 情報処理装置、情報処理方法、情報処理システム及びプログラム |
US10958640B2 (en) | 2018-02-08 | 2021-03-23 | Citrix Systems, Inc. | Fast smart card login |
CN108632264B (zh) * | 2018-04-23 | 2021-08-06 | 新华三技术有限公司 | 上网权限的控制方法、装置及服务器 |
US10819695B2 (en) * | 2018-05-25 | 2020-10-27 | Citrix Systems, Inc. | Electronic device including local identity provider server for single sign on and related methods |
US10484234B1 (en) * | 2018-06-11 | 2019-11-19 | Sap Se | Dynamic logging framework for multi-tenant cloud environment |
US10938801B2 (en) * | 2018-09-21 | 2021-03-02 | Microsoft Technology Licensing, Llc | Nonce handler for single sign on authentication in reverse proxy solutions |
JP7238558B2 (ja) | 2019-04-08 | 2023-03-14 | 富士フイルムビジネスイノベーション株式会社 | 認証仲介装置及び認証仲介プログラム |
US11271933B1 (en) | 2020-01-15 | 2022-03-08 | Worldpay Limited | Systems and methods for hosted authentication service |
JP7510340B2 (ja) | 2020-12-14 | 2024-07-03 | Kddi株式会社 | 認証装置、認証方法及び認証プログラム |
CN113630273A (zh) * | 2021-08-06 | 2021-11-09 | 百果园技术(新加坡)有限公司 | 账号注销***、方法、设备及存储介质 |
CN114070651B (zh) * | 2022-01-11 | 2022-04-12 | 中国空气动力研究与发展中心计算空气动力研究所 | 一种单点登录***和方法 |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2007219935A (ja) * | 2006-02-17 | 2007-08-30 | Nec Corp | 分散認証システム及び分散認証方法 |
JP2007299259A (ja) * | 2006-05-01 | 2007-11-15 | Nippon Telegr & Teleph Corp <Ntt> | 認証情報管理システムおよびアプリケーションサーバ |
JP2008282212A (ja) * | 2007-05-10 | 2008-11-20 | Mitsubishi Electric Corp | 認証装置及び認証システム |
WO2011080874A1 (ja) * | 2009-12-28 | 2011-07-07 | 日本電気株式会社 | ユーザ情報活用システム、装置、方法およびプログラム |
JP2011221729A (ja) * | 2010-04-08 | 2011-11-04 | Hitachi Ltd | Id連携システム |
Family Cites Families (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6243816B1 (en) * | 1998-04-30 | 2001-06-05 | International Business Machines Corporation | Single sign-on (SSO) mechanism personal key manager |
US7624421B2 (en) * | 2003-07-31 | 2009-11-24 | Microsoft Corporation | Method and apparatus for managing and displaying contact authentication in a peer-to-peer collaboration system |
US7636941B2 (en) * | 2004-03-10 | 2009-12-22 | Microsoft Corporation | Cross-domain authentication |
US7631346B2 (en) | 2005-04-01 | 2009-12-08 | International Business Machines Corporation | Method and system for a runtime user account creation operation within a single-sign-on process in a federated computing environment |
WO2007027154A1 (en) * | 2005-08-31 | 2007-03-08 | Encentuate Pte Ltd | Fortified authentication on multiple computers using collaborative agents |
JP2007323340A (ja) | 2006-05-31 | 2007-12-13 | Toshiba Corp | アカウントリンクシステム,アカウントリンク用コンピュータ,およびアカウントリンク方法 |
US20100024015A1 (en) * | 2006-12-21 | 2010-01-28 | Sxip Identity Corp. | System and method for simplified login using an identity manager |
JP5153591B2 (ja) * | 2008-11-26 | 2013-02-27 | 株式会社日立製作所 | 認証仲介サーバ、プログラム、認証システム及び選択方法 |
JP4649523B2 (ja) | 2009-06-03 | 2011-03-09 | 株式会社東芝 | アクセス制御システム |
JP5361625B2 (ja) | 2009-09-09 | 2013-12-04 | 株式会社東芝 | アクセス制御システム、装置及びプログラム |
JP4951092B2 (ja) | 2010-06-03 | 2012-06-13 | 株式会社東芝 | アクセス制御プログラム及び装置 |
JP4892093B1 (ja) | 2010-11-09 | 2012-03-07 | 株式会社東芝 | 認証連携システム及びidプロバイダ装置 |
JP2012212210A (ja) * | 2011-03-30 | 2012-11-01 | Hitachi Ltd | 接続先決定装置、接続先決定方法、および、サービス連携システム |
JP2012212211A (ja) * | 2011-03-30 | 2012-11-01 | Hitachi Ltd | 認証連携システム、および、認証連携方法 |
-
2011
- 2011-12-27 JP JP2011287021A patent/JP5197843B1/ja active Active
-
2012
- 2012-09-25 SG SG2013016761A patent/SG188436A1/en unknown
- 2012-09-25 WO PCT/JP2012/006085 patent/WO2013099065A1/ja active Application Filing
- 2012-09-25 CN CN201280002728.7A patent/CN103282909B/zh active Active
-
2013
- 2013-03-05 US US13/785,746 patent/US8793759B2/en active Active
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2007219935A (ja) * | 2006-02-17 | 2007-08-30 | Nec Corp | 分散認証システム及び分散認証方法 |
JP2007299259A (ja) * | 2006-05-01 | 2007-11-15 | Nippon Telegr & Teleph Corp <Ntt> | 認証情報管理システムおよびアプリケーションサーバ |
JP2008282212A (ja) * | 2007-05-10 | 2008-11-20 | Mitsubishi Electric Corp | 認証装置及び認証システム |
WO2011080874A1 (ja) * | 2009-12-28 | 2011-07-07 | 日本電気株式会社 | ユーザ情報活用システム、装置、方法およびプログラム |
JP2011221729A (ja) * | 2010-04-08 | 2011-11-04 | Hitachi Ltd | Id連携システム |
Non-Patent Citations (3)
Title |
---|
SAML RIYO KENTO HOKOKUSHO, 31 March 2003 (2003-03-31), pages 3 - 18 * |
TAKAO FUKUDA ET AL.: "Chumoku no Internet Gijutsu", NIKKEI INTERNET TECHNOLOGY, 22 August 2002 (2002-08-22), pages 94 - 97 * |
TIM MATHER, CLOUD SECURITY & PRIVACY, 11 June 2010 (2010-06-11), pages 82 - 85 * |
Also Published As
Publication number | Publication date |
---|---|
JP2013137588A (ja) | 2013-07-11 |
SG188436A1 (en) | 2013-08-30 |
CN103282909A (zh) | 2013-09-04 |
US8793759B2 (en) | 2014-07-29 |
JP5197843B1 (ja) | 2013-05-15 |
CN103282909B (zh) | 2016-03-30 |
US20130198801A1 (en) | 2013-08-01 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
JP5197843B1 (ja) | 認証連携システムおよびidプロバイダ装置 | |
KR101590076B1 (ko) | 개인정보 관리 방법 | |
CN102638454B (zh) | 一种面向http身份鉴别协议的插件式单点登录集成方法 | |
JP4551369B2 (ja) | サービスシステムおよびサービスシステム制御方法 | |
US8683565B2 (en) | Authentication | |
JP4579546B2 (ja) | 単一サインオンサービスにおけるユーザ識別子の取り扱い方法及び装置 | |
EP2307982B1 (en) | Method and service integration platform system for providing internet services | |
TWI439883B (zh) | 在聯合環境中供識別提供者用之數位權利管理(drm)致能之策略管理 | |
JP5296726B2 (ja) | Webコンテンツ提供システム、Webサーバ、コンテンツ提供方法、及びこれらのプログラム | |
JP5422753B1 (ja) | ポリシ管理システム、idプロバイダシステム及びポリシ評価装置 | |
US11874905B2 (en) | Establishing access sessions | |
CN105074713A (zh) | 用于当连接至网络时识别安全应用程序的***和方法 | |
JP4932154B2 (ja) | アイデンティティ管理ネットワークにおいてユーザーの認証をメンバーサイトに与える方法及びシステム、アイデンティティ管理ネットワークに属するホームサイトでユーザーの認証を行う方法、コンピュータ読み取り可能な媒体、ならびに、階層的分散アイデンティティ管理のためのシステム | |
JP4551367B2 (ja) | サービスシステムおよびサービスシステム制御方法 | |
JP2016115260A (ja) | 権限移譲システム、権限移譲システムに用いられる認可サーバー、リソースサーバー、クライアント、媒介装置、権限移譲方法およびプログラム | |
US9232078B1 (en) | Method and system for data usage accounting across multiple communication networks | |
JP2011076506A (ja) | アプリケーションサービス提供システム及びアプリケーションサービス提供方法 | |
AU2020273301A1 (en) | Pre-registration of authentication devices | |
US7565356B1 (en) | Liberty discovery service enhancements | |
JP4993083B2 (ja) | セッション管理装置、プログラム、及び記憶媒体 | |
TWI768307B (zh) | 開源軟體整合方法 | |
TWI399070B (zh) | 驗證登入方法 | |
Edge et al. | Identity and Device Trust | |
KR20100073884A (ko) | Id 연계 기반의 고객정보 중개 및 동기화 방법 | |
JP2022165546A (ja) | 認証システム |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
WWE | Wipo information: entry into national phase |
Ref document number: 201280002728.7 Country of ref document: CN |
|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 12863096 Country of ref document: EP Kind code of ref document: A1 |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 12863096 Country of ref document: EP Kind code of ref document: A1 |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 12863096 Country of ref document: EP Kind code of ref document: A1 |