JP2005141613A - Authentication system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a system with which connection propriety to an intranet in a company can be authenticated by centralizing different connection paths and a plurality of companies. <P>SOLUTION: When users U1, U2 and the like access one of authentication request sources RS1, RS2, WL, VPN and APS, the authentication request source acquires attribute information being the object of authentication from the user. The authentication request source transmits user attribute information and self-attribute information to the authentication processing system S. The authentication processing system S authenticates the user by referring to recorded authentication necessary information V on the basis of combination of received attribute information being the object of authentication and attribute information of the authentication request source. When an authentication result is affirmative, return data which is previously decided is transmitted to the authentication request source. Even when the authentication request source performs access restriction on an authentication request device-side, an authentication processor can perform unified management. <P>COPYRIGHT: (C)2005,JPO&NCIPI

Description

  The present invention relates to an authentication system, and more particularly, to unification of authentication processing.

  Japanese Patent Application Laid-Open No. 2002-73561 discloses a system in which the same user can be identified even when accessed by different communication terminals. In this technology, in addition to the communication terminal ID, a unique personal ID is given to each individual, and authentication is performed by a combination of both. Therefore, even if there is an access from a different communication terminal, the same person is identified. Can be recognized.

JP 2002-73561 A

  In the above prior art, access by different communication terminals from the same person can be determined, and in this sense, authentication is unified. However, only authentication in one system is considered, and it is not a system that can perform centralized authentication for server systems and services in a plurality of companies. Further, even within a single system, unification of access from different communication paths that perform different authentications has not been considered. Thus, information required for authentication is generally different for each communication path, for each company, and for each service, and it has not been easy to unify these.

  In particular, if an attempt is made to construct a device that centrally manages authentication for a plurality of devices (authentication request devices) that desire authentication, the authentication request device also restricts access to specific users and groups. In some cases, it is difficult to unify these processes.

  An object of the present invention is to solve the above-described problems and provide a system that can unify authentication processing for different communication terminals in different companies and services.

(1) An authentication system, an authentication processing device, and an authentication processing program according to the present invention are:
The authentication requesting device is
User attribute information for authentication processing is received from the user terminal device,
Send the authentication request including the received user attribute information to the authentication processing device,
The authentication processing device is
For each authentication request device, if the authentication processing result is affirmative, the user attribute to be returned to the authentication request device is recorded for each user and the return data information described for each authentication request source ,
In response to an authentication request from the authentication requesting device, authentication processing is performed based on the user attribute information. If the result is negative, a negative user authentication result is sent to the authentication requesting device that made the authentication request. If the result is affirmative, a positive user authentication result is transmitted to the authentication requesting device that has issued the authentication request.
When the authentication result is affirmative, the user attribute specified by the user and the authentication request source is extracted from the return data information, and the user attribute is also returned to the authentication requesting apparatus.
Therefore, even if the authentication requesting device performs the processing related to authentication while realizing the centralization of the authentication processing, by returning the return data for the authentication requesting device to the authentication device, Centralization can be achieved.

(4) In the authentication system, the authentication processing device, and the authentication processing program according to the present invention, the return data information includes attribute information recorded for each user and information indicating the type of attribute information recorded for each authentication requesting device. And when the authentication result is affirmative, the authenticating means returns based on attribute information recorded for each user and information indicating the type of attribute information recorded for each authentication requesting device. It is characterized by extracting user attributes as data.

  Therefore, the return data information can be efficiently recorded, and the return data extraction process is quick.

(5) In the authentication system, the authentication processing device, and the authentication processing program according to the present invention, the plurality of authentication request devices include two or more authentication request devices connected to the user terminal device through different types of communication paths. It is said.

(6) The authentication system, authentication processing device, and authentication processing program according to the present invention are characterized in that the authentication requesting device changes the processing content for the user based on the content of the received return data.

  Therefore, the authentication requesting apparatus can realize different processing depending on the user based on the return data while realizing the centralization of the authentication processing.

(7) An authentication system, an authentication processing device, and an authentication processing program according to the present invention include:
The recording unit includes, for each user, permitted device information that clarifies an authentication requesting device that is permitted to access the user, and a required user that the authentication requesting device needs for authentication for each user. Authentication required information that clarifies the attribute is recorded,
The authentication means includes
Based on the permission device information of the recording unit, it is determined whether or not the user specified by the user identification information in the user attribute information is permitted to access the authentication requesting device that has sent the user attribute information. 1 judging means,
Second determination means for determining whether the transmitted user attribute information matches the required attribute information required for authentication of the user based on the authentication required information of the recording unit; ,
If both the first and second determination means make an affirmative determination, a positive user authentication result and return data are transmitted to the authentication requesting apparatus that has issued the authentication request, and the first and second When any one of the determination means makes a negative determination, a transmission means for transmitting a negative user authentication result to the authentication requesting apparatus that has issued the authentication request;
Is further provided.

  Therefore, the combination of the permitted device information and the authentication required information can be used to unify the authentication processing while supporting various forms of authentication.

  In the present invention, the “program” is a concept including not only a program that can be directly executed by the CPU but also a source format program, a compressed program, an encrypted program, and the like.

  The “return data information” may be a single table in which the user attributes returned to the authentication requesting device are described for each user and for each authentication request source, or may be realized by two or more tables. Good. In the embodiment, the authentication target response attribute of the authentication request source data table 62 and the attribute information of the authentication target data table 64 correspond to the return data information.

  In the embodiment, the “reception unit of the authentication requesting apparatus” corresponds to the CPU function realized by step S1 in the flowchart of FIG.

  In the embodiment, “the transmitting means of the authentication requesting apparatus” corresponds to the function of the CPU realized by step S2 in the flowchart of FIG.

  In the embodiment, “reception means of the authentication processing device” corresponds to the function of the authentication processing device receiving this corresponding to step S2 in the flowchart of FIG.

  In the embodiment, the “authentication means” corresponds to the CPU function realized by steps S54, S55, S56, S57, and S58 in the flowchart of FIG.

  In the embodiment, the “first determination unit” corresponds to the function of the CPU realized by step S54 in the flowchart of FIG.

  In the embodiment, the “second determination means” corresponds to the function of the CPU realized by step S56 in the flowchart of FIG.

  In the embodiment, the “transmitting means of the authentication processing apparatus” corresponds to the function of the CPU realized by steps S55 and S58 in the flowchart of FIG.

  1 is a conceptual diagram of an authentication system according to an embodiment of the present invention. It is assumed that the authentication targets T1, T2 .... Tn can be connected by selecting one of the authentication request sources R1, R2 .... Rm, respectively. That is, the same authentication target T1, T2 .... Tn can be connected to different authentication request sources R1, R2 .... Rm. Authentication request sources R1, R2... Rm are connected to an authentication processing device S.

  One of authentication targets T1, T2 .... Tn (here, authentication target T2) is one of authentication request sources R1, R2 .... Rm (here, authentication request source R5) When accessing the authentication request source R5, the authentication target attribute information is acquired from the authentication target T2. The authentication request source R5 transmits the authentication target attribute information and its own attribute information to the authentication processing device S.

  Based on the combination of the received authentication target attribute information and the authentication request source attribute information, the authentication processing device S refers to the recorded authentication required information V and performs authentication for the authentication target T2.

  In this way, since authentication is determined based on the combination of the authentication target attribute information and the authentication request source attribute information, the authentication target belongs to a different group (company, department, etc.) Even when the authentication method differs for each group, the authentication processing apparatus can perform unified management. Even if the authentication target is the same, even when it is desired to change whether or not authentication is possible depending on which authentication request source is requested to access, the authentication processing apparatus can perform unified management.

  FIG. 2 shows the overall configuration of an authentication system according to an embodiment of the present invention. The users U1, U2, U3, U4 correspond to the authentication targets T1, T2,... In the conceptual diagram of FIG. The remote access server devices RS1, RS2, the wireless LAN access point device WL, the virtual private network (VPN) gateway device VPN, and the application server device APS correspond to authentication request sources R1, R2. Users U1, U2, U3, and U4 can communicate with these authentication request sources through a terminal device or the like. Further, in the authentication processing device S, authentication target information V1 related to the user and authentication request source information V2 related to the authentication request source are recorded as the authentication required information V.

  FIG. 3 shows an example of the overall hardware configuration of the authentication system. The intranet INT1 is an in-house intranet of a company to which the users U1, U2, and U3 belong. The intranet INT2 is an in-house intranet of a company to which the user U4 belongs.

  Each user U1, U2, U3, U4 can access the permitted intranets INT1, INT2 from the terminal devices 20, 22, 24, 26, 28, and the like.

  The intranet INT1 provided in the company can be accessed via a plurality of communication paths. A VPN gateway device VPN is provided for access via the Internet INN. A remote access server device RS1 is provided for access via the public network PBN. In addition, a web application server APS for accessing the intranet INT1 by a LAN card or the like from within the company is provided. Furthermore, a wireless LAN access point device WL for accessing the intranet INT1 by wireless LAN from the office is provided. The intranet INT1 and the authentication processing device S are connected by a router ROOT1.

  The other in-house intranet INT2 is provided with a remote access server device RS2 for access via the public network PBN. Although not shown, like the intranet INT1, a VPN gateway device, a web application server device, and a wireless LAN access point device are provided as in the intranet INT1. The intranet INT2 and the authentication processing device S are connected by a router ROOT2.

  FIG. 4 shows a basic hardware configuration of each device of the remote access server devices RS1 and RS2, the VPN gateway device VPN, the web application server device APS, and the wireless LAN access point device WL. FIG. 4 shows components common to each device, and each device has a configuration and a program corresponding to each function.

  The communication circuit 2 is for communicating with the terminal devices 20, 22, 24, 26, 28 operated by the users U1, U2, U3, U4 and communicating with the authentication processing device S. The CPU 4 performs authentication request processing according to the operating system 12 and the authentication request program 10 stored in the hard disk 8. The memory 6 is a work area such as temporary storage. The hard disk 8 stores an operating system 12 and an authentication request program 10. These programs are installed from a recording medium such as a CD-ROM (not shown) via a CD-ROM drive (not shown).

  FIG. 5 shows a hardware configuration of the authentication processing device S. The communication circuit 52 is for communicating with the remote access server devices RS1 and RS2, the VPN gateway device VPN, the web application server device APS, and the wireless LAN access point device WL, which are authentication requesting devices. The CPU 54 performs authentication processing using the authentication request source data table 62 and the authentication object data table 64 according to the operating system 66 and the authentication processing program 60 stored in the hard disk 58. The memory 56 is a work area such as temporary storage. The hard disk 58 stores an operating system 66, an authentication processing program 60, an authentication request source data table 62, and an authentication target data table 64. These programs and data are installed from a recording medium such as a CD-ROM (not shown) via a CD-ROM drive (not shown).

  FIG. 6 shows an example of the authentication request source data table 62. In this table 62, information for authenticating the authentication requesting device itself is recorded in association with each authentication requesting device (attribute information column). In the figure, it is recorded that the authentication requesting device id (id = item), password (password = item), and IP address (ipaddress = item) are information for authentication.

  In addition, the type of user authentication information requested in the authentication requesting device is recorded in association with each authentication requesting device (authentication target confirmation attribute column). For example, it is shown that the remote access server RS1 requires authentication based on user identification information (uid1), password (password1), and caller telephone number (clid). Further, it is shown that the wireless LAN access point device WL requires authentication based on user identification information (uid1), password (password1), and user group ID (ssid).

  Further, when the authentication result is affirmative, information to be returned to the authentication apparatus is recorded (reaction attribute column to be authenticated). For example, it is indicated that an IP address (ipaddress) is returned to the remote access server apparatus RS1. It is indicated that group information (group) is returned to the VPN gateway device VPN. The return information can be acquired from the attribute information column for the user in the authentication request source table 62. Also, nothing is returned to the wireless LAN access point device WL.

  FIG. 7 shows an example of the authentication target data table 64. This table 64 shows, for each user U1, U2, U3, U4 to be authenticated, through which authentication requesting device the user is allowed to connect to the intranets INT1, INT2. (Authorized authentication requester field). For example, it is shown that the user U1 can connect via the remote access server device RS1, the wireless LAN access point device WL, the application server device APS, and the VPN gateway device VPN.

  In addition, attribute information as an authentication item requested by the authentication requesting apparatus permitted to be connected is recorded for each user U1, U2, U3, U4 (attribute information column). When performing authentication processing, among the attribute information described here, it corresponds to the type of user authentication information corresponding to the authentication request source recorded in the authentication request source data table 62 (column of verification attribute to be authenticated) Only the attributes to be extracted are used. In this embodiment, an attribute (for example, ipaddress) for returning to the authentication requesting device when the authentication is positive is also recorded.

  8 to 10 show flowcharts of the authentication request program 10 of the authentication requesting device and the authentication processing program 60 of the authentication processing device S. Here, as an example, the user U1 uses the terminal device 24 (in this embodiment, the authentication result does not change depending on the terminal device, so any terminal device may be used) and performs remote access via the public line network PBN. Description will be made assuming that the server apparatus RS1 has been accessed. Hereinafter, what is shown as the processing operation of the apparatus is a processing operation performed by the CPU based on a program.

  First, the remote access server device RS1 that has received access from the terminal device 24 transmits a screen for inputting user attribute information (user identification information, password, etc.) to the terminal device 24. In response to this, the user of the terminal device 24 inputs user attribute information and transmits it to the remote access server device RS1. At this time, information clid (such as a telephone number of the caller) that identifies the terminal device 24 is also transmitted. In this way, the remote access server device RS1 acquires user attribute information (step S1). Here, as predetermined, uesr1 is sent to the remote access server apparatus RS1 as user id, password1 as password pasword, and 07000000001 as sender information crid. The remote access server device RS1 adds the IP address assigned to the terminal device 24 to the received information to obtain user attribute information.

Subsequently, the remote access server device RS1 makes an authentication request to the authentication processing device S. First, in order to authenticate the remote access server RS1 itself, predetermined attribute information of the remote access server RS1 is transmitted. Here, data as shown in FIG. 11 is recorded on the hard disk 8 as attribute information. It shall be. Ras01 is recorded as the identification information id, passwordras01 is recorded as the password password, and 172.16.1.1 is recorded as the IP address ipaddress.
Upon receiving this attribute information, the authentication processing device S reads from the authentication request source data table 62 the attribute information for authentication corresponding to the authentication requesting device that has issued the authentication request. Note that it is possible to know from which authentication requesting device the request is received by the authentication requesting device identification information id included in the attribute information. Here, ras01 is read as the identification information id described for the remote access server device RS1, passwordras01 is read as the password password, and 172.16.1.1 is read as the IP address ipaddress (see FIG. 6). Next, the authentication processing device S performs authentication by determining whether or not the transmitted attribute information of the authentication requesting device is equal to the authentication information read from the table 62 (step S51).

  If they do not match, an authentication “impossible” message is returned to the authentication requesting device (step S52). If the authentication is “impossible”, the authentication requesting device proceeds from step S3 to step S7, and transmits an authentication “impossible” message to the terminal device.

  Here, the attribute information (FIG. 11) from the remote access server device RS1 that is the authentication requesting device matches the attribute information (FIG. 6) of the authentication request source data table 62. Therefore, the authentication processing device S sends back an authentication “permitted” message to the remote access server device RS1 (step S53).

  The remote access server apparatus RS1 that has received the result of the authentication “OK” proceeds from step S3 to step S4. In step S4, the remote access server apparatus RS1 transmits the user attribute information acquired in step S1 to the authentication processing apparatus S.

  In response to this, the authentication processing device S identifies the user based on the user identification information in the user attribute information. Next, referring to the “permitted authentication request source” column of the authentication target data table 64, the authentication requesting apparatus that has issued the authentication request determines whether or not access to the user is permitted. (Step S54). That is, if the authentication requesting apparatus that has issued the authentication request is described in the “permitted authentication request source” column of the user, it is determined that access is permitted.

  If not described, it is determined that access is not permitted. If it is determined that access is not permitted for the user, an authentication “impossible” message is sent back to the authentication requesting device (step S55). The authentication requesting device executes step S7 through step S5, and transmits an authentication “impossible” message to the terminal device.

  Here, in the authentication target data table 64, the “permitted authentication request source” column for the user U1 includes the remote access server device RS1, and therefore it is determined that access is possible.

  Next, the authentication processing device S acquires the “authentication target confirmation attribute” corresponding to the authentication requesting device from the authentication request source data table 62. Here, the user identification information uid1, password password, and transmission source information clid corresponding to the remote access server device RS1 are acquired. Subsequently, with reference to the authentication target table 64, attribute information matching the above type is extracted from the “attribute information” column corresponding to the user. Here, uid1 = user1, password1 = password01, and clid = 07000000001 are extracted from the description of the attribute information corresponding to the user U1. In this way, user attribute information necessary for authentication is obtained.

  Next, the authentication processing device S determines whether or not the user attribute information acquired from the remote access server device RS1 in step S2 matches the user attribute information necessary for the authentication (step S56). If they do not match, the process proceeds to step S55, and processing is performed when authentication is not possible as described above.

  Here, in step S2, uesr1 is acquired as the user id, password1 is acquired as the password pasword, and 07000000001 is acquired as the transmission source information crid. Assume that it is “possible”.

  If it is determined that the authentication is “permitted”, the authentication request source data table 62 is referred to, and the response attribute type is acquired from the “response attribute to be authenticated” column corresponding to the authentication requesting device. Here, the IP address ipaddress described in correspondence with the remote access server apparatus RS1 is acquired. Next, the authentication processing device S extracts an IP address from the user attribute information sent from the authentication requesting device (step S57). Subsequently, the data indicating that the authentication is “permitted” and the extracted response data (IP address here) are transmitted to the authentication requesting device (step S58).

  Upon receiving this, the authentication requesting device determines whether or not authentication is possible (step S5), and if it is not “permitted”, it sends an authentication “not permitted” message to the terminal device 42 and does not permit access (step) S7). On the other hand, if it is “permitted”, the terminal device 42 is transmitted “authentication permitted” to permit access (step S6).

  Note that after the authentication, the authentication requesting device performs a predetermined process. The processing content is changed based on the content of the response data. For example, processing such as restricting access to predetermined content is performed based on the IP address.

  Further, if the users are grouped and the group identification information is transmitted as return data to the authentication requesting device, the authentication requesting device can perform access restriction according to the group. In the table 62 of FIG. 6, the VPN gateway VPN and the application server APS return the group identification information group, and the group identification information group is recorded in the user attribute information of the authentication target data table 64. This is realized. Authentication is performed as described above.

  The above example shows a case where the authentication is “permitted”. For example, when the user U2 tries to access the intranet INT1 through the application server device APS, it is determined that the authentication is “impossible” in step S54. Access is denied.

  Further, even when the same user U1 tries to access the intranet INT2 through the remote access server device RS2, in step S54, it is determined that the authentication is “impossible” and the access is denied.

  In the authentication request source data table 62, group information ssid is included as a confirmation attribute to be authenticated for the wireless LAN access point device WL. This group information is predetermined and recorded between the terminal device and the authentication requesting device, and the same group information ssid is recorded for terminal devices (that is, users) belonging to the same group. Will be.

  This group information ssid is acquired from the terminal device by the authentication requesting device, is included in the user information, and is sent to the authentication processing device. In this way, by using the group information ssid for authentication, only a terminal device (user) belonging to a specific group can be authenticated, and a special service can be provided.

  In this embodiment, the authentication processing device can centrally manage the authentication processing while realizing whether or not the same person can change the authentication depending on which authentication requesting device is used to access the intranet. Is possible.

  In the above embodiment, the intranet INT1 and the authentication processing device S are connected by the router ROOT1. However, a dedicated line or a substantial dedicated line may be used instead of the router ROOT1. For example, the intranet INT1 and the authentication processing device S may be connected using a virtual private network on the Internet.

  The web application server APS is placed in the same authentication service provider network NT as the authentication processing device S, and the application server APS and the intranet INT1 are connected by a dedicated line or a substantial dedicated line. Also good.

  In the above embodiment, the type of the authentication attribute to be authenticated is described in the authentication request source data table 62, and data used for authentication is recorded in the authentication target data table 64 corresponding to the type. As a result, for each user, authentication required information that clarifies necessary user attributes required for authentication by the authentication requesting device is recorded.

  However, for each user, for each authentication requesting device, a table that records the data used for authentication is created, and for each user, authentication required information that clarifies the necessary user attributes required for authentication by the authentication requesting device May be recorded.

It is a figure which shows the concept of this invention. It is a figure showing the whole authentication system composition by one embodiment of the present invention. It is a figure which shows the whole hardware configuration of an authentication system. It is a figure which shows the hardware constitutions of an authentication request | requirement apparatus. It is a figure which shows the hardware constitutions of the authentication processing apparatus S. It is an example of the authentication request source data table 62. It is an example of the authentication object data table 64. FIG. It is the figure which showed the authentication request | requirement program and the authentication process program with the flowchart. It is the figure which showed the authentication request | requirement program and the authentication process program with the flowchart. It is the figure which showed the authentication request | requirement program and the authentication process program with the flowchart. It is a figure which shows the attribute information currently recorded on the remote access server apparatus.

Explanation of symbols

U1, U2, U3 ・ ・ ・ User
RS1, RS2 ・ ・ ・ Remote access server device
WL ... Wireless LAN access point device
VPN ・ ・ ・ VPN gateway device
APS: Application server device
S ... Authentication processing device
V1 Information for authentication
V2 ... Authentication requester information

Claims (8)

A plurality of authentication requesting devices that permit access from the user after receiving an access request from the user terminal device and obtaining a positive result for user authentication;
An authentication processing device communicably connected to each authentication requesting device;
An authentication system comprising:
The authentication requesting device includes:
Receiving means for receiving user attribute information for authentication processing from the user terminal device;
A transmission means for transmitting an authentication request including the received user attribute information to the authentication processing device;
The authentication processing device includes:
For each authentication requesting device, if the authentication processing result is affirmative, a recording unit that records return data information describing the user attributes to be returned to the authentication requesting device for each user and for each authentication requesting source When,
In response to an authentication request from the authentication requesting device, authentication processing is performed based on the user attribute information. If the result is negative, a negative user authentication result is sent to the authentication requesting device that made the authentication request. If the result is affirmative, an authentication means for transmitting a positive user authentication result to the authentication requesting device that has issued the authentication request;
With
When the authentication result is affirmative, the authentication means extracts a user attribute specified by a user and an authentication request source from the return data information, and returns the user attribute to the authentication request apparatus. What to do. After receiving an access request from a user terminal device and obtaining a positive result for user authentication, an authentication processing device connected to be communicable with a plurality of authentication request devices that permit access from the user,
For each authentication requesting device, if the authentication processing result is affirmative, a recording unit that records return data information describing the user attributes to be returned to the authentication requesting device for each user and for each authentication requesting source When,
Receiving means for receiving an authentication request including user attribute information transmitted from the authentication requesting device;
In response to an authentication request from the authentication requesting device, authentication processing is performed based on the user attribute information. If the result is negative, a negative user authentication result is sent to the authentication requesting device that made the authentication request. If the result is affirmative, an authentication means for transmitting a positive user authentication result to the authentication requesting device that has issued the authentication request;
With
When the authentication result is affirmative, the authentication means extracts a user attribute specified by a user and an authentication request source from the return data information, and returns the user attribute to the authentication request apparatus. Authentication processing device to do. After receiving an access request from a user terminal device and obtaining a positive result for user authentication, the authentication processing is performed for each authentication requesting device connected to a plurality of authentication requesting devices that permit access from the user. When the result is affirmative, an authentication processing device provided with a recording unit that records return data information described for each user and for each authentication request source, user attributes to be returned to the authentication request device, A program for realizing using a computer,
Receiving means for receiving an authentication request including user attribute information transmitted from the authentication requesting device;
In response to an authentication request from the authentication requesting device, authentication processing is performed based on the user attribute information. If the result is negative, a negative user authentication result is sent to the authentication requesting device that made the authentication request. If the result is affirmative, an authentication means for transmitting a positive user authentication result to the authentication requesting device that has issued the authentication request;
Is a program for realizing the above by a computer,
When the authentication result is affirmative, the authentication means extracts a user attribute specified by a user and an authentication request source from the return data information, and returns the user attribute to the authentication request apparatus. Program to do. In the system, apparatus, or program in any one of Claims 1-3,
The return data information includes attribute information recorded for each user and information indicating the type of attribute information recorded for each authentication requesting device,
If the authentication result is affirmative, the authenticating means is a user as return data based on the attribute information recorded for each user and the information indicating the type of attribute information recorded for each authentication requesting device. A feature characterized by extracting attributes. In the system, apparatus, or program in any one of Claims 1-4,
The plurality of authentication requesting devices include two or more authentication requesting devices connected to the user terminal device by different types of communication paths. In the system, apparatus or program according to any one of claims 1 to 5,
The authentication requesting apparatus changes processing contents for the user based on contents of the received return data. In the system, apparatus, or program in any one of Claims 1-6,
The recording unit includes, for each user, permitted device information that clarifies an authentication requesting device that is permitted to access the user, and a required user that the authentication requesting device needs for authentication for each user. Authentication required information that clarifies the attribute is recorded,
The authentication means includes
Based on the permission device information of the recording unit, it is determined whether or not the user specified by the user identification information in the user attribute information is permitted to access the authentication requesting device that has sent the user attribute information. 1 judging means,
Second determination means for determining whether the transmitted user attribute information matches the required attribute information required for authentication of the user based on the authentication required information of the recording unit; ,
If both the first and second determination means make an affirmative determination, a positive user authentication result and return data are transmitted to the authentication requesting apparatus that has issued the authentication request, and the first and second When any one of the determination means makes a negative determination, a transmission means for transmitting a negative user authentication result to the authentication requesting apparatus that has issued the authentication request;
It is further provided with. After receiving an access request from a user terminal device and obtaining a positive result for user authentication, a plurality of authentication request devices permitting access from the user, and authentication connected to be communicable with each authentication request device An authentication method using a processing device,
The authentication requesting device includes:
User attribute information for authentication processing is received from the user terminal device,
Send the authentication request including the received user attribute information to the authentication processing device,
The authentication processing device includes:
For each authentication request device, if the authentication processing result is affirmative, the user attribute to be returned to the authentication request device is recorded for each user and the return data information described for each authentication request source ,
In response to an authentication request from the authentication requesting device, authentication processing is performed based on the user attribute information. If the result is negative, a negative user authentication result is sent to the authentication requesting device that made the authentication request. If the result is affirmative, a positive user authentication result is transmitted to the authentication requesting apparatus that has issued the authentication request.
When the authentication result is affirmative, the user attribute specified by the user and the authentication request source is extracted from the return data information, and the user attribute is also returned to the authentication requesting device.

Images