JP2007206851A - Authentication linkage system, method and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an authentication linkage system, for attaining an effect equal to single sign-on function in an environment where systems which provide different functions are simultaneously used while requiring independent authentication procedures. <P>SOLUTION: In consideration that devices used by a user are arranged in physically close to each other, and physical connection information represented by interface information held by a switching system as a means for mutually associating devices of each system, each device is arranged so that it can be recognized as the same segment in a system structure, and the connection information is collected in advance and associated in an authentication linkage server. The correspondence between devices are dynamically changeable. According to this, an authentication linkage system having the effect equal to attainment of single sign-on function can be established also in the systems which provide different functions. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to an authentication linkage system, method, and program having an effect equivalent to that of a single sign-on function using an authentication linkage server between systems that require different authentication procedures.

  Currently, client terminals used by employees and the like in corporate information systems tend to have higher performance and complexity. Therefore, application software installation work and version upgrade work and hardware resource maintenance work occur for each client terminal, resulting in an increase in costs, reducing the operating and management costs (TCO) of corporate information systems. Is required. In addition, there is an increasing tendency to place importance on security measures through the enforcement of the Personal Information Protection Law, and while raising the security awareness of employees, etc., there is a need for technical solutions as a way to prevent information leaks. It has been. Under such an era background, a form of a thin client system is attracting attention as one means for solving these problems.

  The thin client system has the minimum functions such as display function and input function on the client terminal to be used, and hardware resources such as HDD, memory, and CPU on the server side that manages the client terminal, and applications to be used Software resources such as files and files, and only the functions are provided for each user. With this configuration, the above-described work for each user is eliminated, and hardware resources are not prepared for each user. Therefore, it is possible to reduce TCO and reduce the risk of information leakage.

  Although the concept of the thin client system itself is not so new, it is now being recognized as an effective system that can enjoy the above-mentioned merit at the time when the communication environment between networks has dramatically improved.

  By the way, instead of conventional telephones, communication using VoIP (Voice Over Internet Protocol) technology, so-called IP telephones, is known along with the difference in charge systems and the spread of the Internet, and the number of companies that introduce IP telephones is increasing. .

  In companies that introduce IP telephones, it has become possible to set a usage environment for each user for a given IP telephone in order to make the work environment more efficient. However, in a company where the system for managing the IP phone and the existing information system are different, not all can be used by a single authentication procedure, and the user has to perform the authentication procedure individually.

  In addition, the relationship between IP telephone systems and the above-mentioned thin client systems in enterprise information systems is a transitional period between the integration of conventional telephone systems and information systems, and the design and design of thin client systems themselves differ from company to company. In other words, we are looking for a situation. For the reasons described above, even a company realizing single sign-on within a thin client system has not been integrated with an IP telephone system.

In addition, the conventional information system and the telephone system are linked, and the VoIP server environment by SIP (Session Initiation Protocol) and the Web (World Wide Web) application server environment are merged to enable detailed business progress and business management. Patent Document 1 is known as a service providing method for the purpose.
JP 2005-318439 A

  However, Patent Document 1 does not mention a single sign-on function related to an information system and a telephone system that require different authentication procedures.

  In addition, in a corporate information system that requires different authentication procedures, when trying to realize the single sign-on function, the existing information system must be rebuilt from scratch to integrate the user identification information of all systems, or authentication linkage Although a system is constructed and a plurality of authentication procedures are substantially required, a means of making it appear as a single system is selected by constructing a system that cooperates inside the system. The former should be judged according to the company size and necessity, and the latter is likely to be generally adopted in the enterprise information system.

  However, at first glance, it may seem easy to build an authentication collaboration system. For example, by gathering conventional database technology and directory service technology, user identification information in the IP telephone system manually by the authentication linkage server, telephone number, IP telephone identification information, thin client terminal identification information in the thin client terminal management system, This is a system construction method based on the idea of storing user identification information and constructing them by associating them statically.

  However, the system construction method based on the above idea has the following problems. First, there is a problem of how to recognize and associate a predetermined thin client terminal, which is a separate device, and a predetermined IP telephone on the system. Information that uniquely identifies the thin client terminal itself and information that uniquely identifies the IP telephone itself exist in each system, but are information that dynamically associates the user with the IP telephone and the user with the thin client terminal. There is no information that uniquely determines an IP telephone and a thin client terminal as a set in advance.

  Even if IP telephones and thin client terminals are associated with each other artificially and statically, the arrangement of the equipment itself changes due to equipment relocation work due to user personnel changes or office layout changes. The work of changing the linked portions that are artificially and statically associated will occur each time. Even if the convenience on the user side is improved, the maintainability and operability on the system management side are remarkably inefficient, and the expandability and flexibility of the system are lacking.

In this way, although it seems that it can be easily conceived at first glance, there are no methods and linkage means for recognizing that the system is a thin client terminal and an IP telephone used by the user in other technical fields. I couldn't think of it.
That is, for systems that need to perform different authentication procedures, it is practically impossible to produce the same effect as collective authentication unless the cooperation part is dynamically associated.

  Therefore, paying attention to the function of the exchange that can hold the information that associates the thin client terminal and the IP telephone, and the fact that the thin client terminal and the IP telephone used by the user are physically located, In order to solve the above-mentioned problem by collecting the connection information in advance so that the segments can be recognized as the same segment and dynamically changing the linkage part, the present invention is realized. It came to.

  That is, the present invention provides a system including an apparatus that provides a predetermined function and a management server for providing the predetermined function, an apparatus that provides other predetermined functions, and other predetermined functions. In the authentication linkage system, the system including the management server is connected to the authentication linkage server via a computer network via at least one exchange, and the devices of each system are of the nature of being used at the same time. The authentication linkage server requests the connection information of each device from the exchange and the management server of each system and collects the information and the collected information based on the notification of the connection status change from the exchange as preparation for authentication linkage. In addition, there is provided means for associating and storing each device in the storage area of the authentication cooperation server, and a system for providing a predetermined function as actual authentication cooperation. Means for determining a device that provides another predetermined function corresponding to a device that provides a predetermined function based on physical connection information collected from the management server of the system with reference to the storage area of the authentication cooperation server; Means for transmitting physical connection information, user identification information, etc. relating to a device that provides the determined other function to the management server of the system that provides the other function, and a pair with the device that provides a predetermined function This is an authentication cooperation system (claim 1) characterized in that it provides the same effect as a simultaneous authentication procedure for a device that provides other predetermined functions.

  The reason why the functions of the “providing a certain predetermined function” system and the “providing other predetermined functions” system according to the present invention are not limited is that it is essential to link authentication procedures in different systems. The functions of each system are not questioned. However, it is intended that the device is in an environment where it is used at the same time, and for example, a dedicated terminal for providing a specific function and a general-purpose terminal for providing other functions are used simultaneously.

  In the authentication collaboration system, a device of the system is made available by the management server of the system that provides other functions, and a reply to the physical connection information and user identification information transmitted to the management server of the system that provides other functions is provided. The authentication cooperation system according to claim 1, further comprising means for displaying an authentication procedure success / failure screen on a device that provides a predetermined other function upon receiving the request. is there.

  Further, the connection information possessed by the exchange collected from the authentication collaboration server includes the interface information possessed by the exchange, and the authentication collaboration server has the same interface information. 3. The authentication linkage system according to claim 1, further comprising means for determining that a device that provides a predetermined function and another device that provides a predetermined function are associated devices. ).

  According to a preferred embodiment, the present invention provides a thin client terminal management system including one or more thin client terminals and a thin client terminal management server, and an IP telephone system including one or more IP telephones and an IP telephone management server. And the authentication collaboration server are connected via a computer network via at least one switch, and in the authentication collaboration system, each device is used at the same time. Requesting and collecting connection information, etc. from the switch and the management server of each system as advance preparation for cooperation, and associating a predetermined thin client terminal and IP phone with the authentication cooperation server storage area based on the collected information And physical connection information collected from the thin client terminal management server as the actual authentication linkage The IP telephone corresponding to a predetermined thin client terminal is determined by referring to the storage area of the authentication cooperation server, and the physical connection information and user identification information relating to the determined IP telephone are transmitted to the IP telephone management server. And an authentication cooperative system (Claim 4), characterized in that the same effect as the authentication procedure is simultaneously performed for the IP telephone paired with the thin client terminal. .

  In addition, the IP phone management server can use the specified IP phone, and the authentication procedure for the specified IP phone succeeds when it receives a reply to the physical connection information and user identification information sent to the IP phone management server. The authentication cooperation system (claim 5) according to claim 4, further comprising means for displaying an availability screen.

  The connection information held by the exchange collected from the authentication linkage server includes the interface information held by the exchange. 6. The authentication linkage system according to claim 4 or 5, wherein the client terminal and the IP telephone are determined to be associated with each other (claim 6).

  Subsequently, when the present invention is expressed in the category of method, a system including an apparatus that provides a certain predetermined function, a management server for providing the predetermined function, an apparatus that provides other predetermined function, and others The system that includes the management server for providing the specified functions is connected to the authentication linkage server via a computer network via at least one switch, and the devices of each system are used simultaneously Is an authentication collaboration method executed by the authentication collaboration server in the authentication collaboration system, and the connection status change notification from the exchange as an advance preparation for the authentication collaboration is triggered by the switch and the management server of each system. Requesting and collecting connection information, etc., and associating each device with the storage area of the authentication collaboration server based on the collected information And storing other predetermined functions corresponding to a device that provides a predetermined function based on physical connection information collected from a management server of a system that provides the predetermined function as an actual authentication linkage. A step of determining a device by referring to the storage area of the authentication cooperation server, and a physical connection information and user identification information related to the determined device that provides the other function to the management server of the system that provides the other function All of the above steps bring about the same effect as the simultaneous authentication procedure for a device that provides a predetermined function and another device that provides a predetermined function. This is an authentication cooperation method (claim 7).

  In addition, the management server of the system providing other functions can use the system device, and has received a reply to the physical connection information and user identification information transmitted to the management server of the system providing other functions. 8. The authentication cooperation method according to claim 7, further comprising a step of displaying an authentication procedure success / failure screen on a device that provides another predetermined function as an opportunity.

  Then, the connection information possessed by the exchange collected from the authentication collaboration server includes the interface information possessed by the exchange, and the authentication collaboration server has the same interface information. 9. The authentication cooperation method according to claim 7 or 8, wherein an apparatus that provides a predetermined function and another apparatus that provides a predetermined function are determined to be associated with each other. .

  According to a preferred embodiment, a thin client terminal management system including one or more thin client terminals and a thin client terminal management server, an IP telephone system including one or more IP telephones and an IP telephone management server, and authentication cooperation In an authentication collaboration system that is connected to a server via a computer network via at least one switch and each device is used at the same time, an authentication collaboration method executed by the authentication collaboration server And requesting and collecting connection information and the like from the exchange and the management server of each system as advance preparation for authentication cooperation, and a predetermined thin client terminal and IP in the storage area of the authentication cooperation server based on the collected information Thin client terminal management server as a step of storing and associating telephones with each other and actual authentication cooperation A step of determining an IP telephone corresponding to a predetermined thin client terminal based on the physical connection information and the like collected from the storage area of the authentication cooperation server, and physical connection information and user identification information relating to the determined IP telephone Transmitting to the IP telephone management server, and all the above steps provide the same effect as the simultaneous authentication procedure for the IP telephone paired with the thin client terminal. This is an authentication linkage method (claim 10).

  In addition, the IP phone management server can use the specified IP phone, and the authentication procedure for the specified IP phone succeeds when it receives a reply to the physical connection information and user identification information sent to the IP phone management server. The authentication cooperation method (claim 11) according to claim 10, further comprising a step of displaying a propriety screen.

  The connection information held by the exchange collected from the authentication linkage server includes the interface information held by the exchange. 12. The authentication cooperation method according to claim 10 or 11, wherein the authentication terminal determines that the client terminal and the IP telephone are associated with each other (claim 12).

  When the present invention is limited to a program or the like as a product invention, a system including a device that provides a certain predetermined function, a management server for providing the predetermined function, and a device that provides other predetermined functions, and A system including a management server for providing other predetermined functions is connected to the authentication linkage server via a computer network via at least one exchange, and the devices of each system are used simultaneously. In the authentication linkage system of the nature, the authentication linkage server requests connection information etc. of each device from the exchange and the management server of each system, triggered by the connection status change notification from the exchange as advance preparation for authentication linkage, A step of collecting, a step of associating and storing each device in the storage area of the authentication cooperation server based on the collected information, A device that provides another predetermined function corresponding to a device that provides a predetermined function based on the physical connection information collected from the management server of the system that provides the predetermined function as the authentication cooperation of the authentication cooperation server Performing a step of determining with reference to the storage area, and a step of transmitting physical connection information, user identification information, and the like relating to the determined device that provides the other function to a management server of the system that provides the other function. An authentication cooperation program characterized in that it provides the same effect as the simultaneous authentication procedure for a device that provides a predetermined function and a device that provides a pair of other predetermined functions. 13).

  In addition, the management server of the system providing other functions can use the system device, and has received a reply to the physical connection information and user identification information transmitted to the management server of the system providing other functions. The authentication cooperation program (claim 14) according to claim 13, wherein a step of displaying an authentication procedure success / impossibility screen on an apparatus that provides a predetermined other function as an opportunity is executed.

  Then, the connection information possessed by the exchange collected from the authentication collaboration server includes the interface information possessed by the exchange, and the authentication collaboration server has the same interface information. 15. The authentication linkage program according to claim 13 or 14, wherein an apparatus that provides a predetermined function and another apparatus that provides a predetermined function are determined to be associated with each other. .

  According to a preferred embodiment of the present program, a thin client terminal management system including one or more thin client terminals and a thin client terminal management server, an IP telephone system including one or more IP telephones and an IP telephone management server, The authentication linkage server is connected to the authentication linkage server via an at least one switch via a computer network, and each device can be used simultaneously. Requesting and collecting connection information, etc. from the exchange and the management server of each system as advance preparations, and associating a predetermined thin client terminal and an IP telephone to the storage area of the authentication linkage server based on the collected information Collected from the thin client terminal management server as a step of memorizing and actual authentication linkage The step of determining an IP telephone corresponding to a predetermined thin client terminal based on the physical connection information etc. with reference to the storage area of the authentication cooperation server, and the IP telephone management of physical connection information and user identification information regarding the determined IP telephone And a step of transmitting to the server, and providing an authentication cooperation program characterized in that the same effect as that of simultaneously performing the authentication procedure for the IP telephone paired with the thin client terminal is provided. ).

  In addition, the IP phone management server can use the specified IP phone, and the authentication procedure for the specified IP phone succeeds when it receives a reply to the physical connection information and user identification information sent to the IP phone management server. The authentication cooperation program (claim 17) according to claim 16, further comprising a step of displaying an availability screen.

  The connection information possessed by the exchange collected from the authentication cooperation server includes the interface information possessed by the exchange, and the authentication cooperation server indicates that the interface information is the same, so that the thin client terminal The authentication link program according to claim 16 or 17 (claim 18), characterized in that the device is associated with an IP telephone.

  According to the present invention, focusing on physical connection information typified by interface information held by the exchange as a means of associating the devices used by the user with each other in a physically close location, as a means of associating the devices of each system, After arranging each device so that it can be recognized as the same segment in the system configuration, the authentication linkage server collects and associates the connection information in advance. And by making it possible to dynamically change the association between devices, even in a system that provides different functions, it is possible to construct an authentication cooperation system similar to the realization of the single sign-on function.

  A preferred embodiment according to the present invention will be described. In addition, illustration and description are abbreviate | omitted about the part which is not directly related to this invention.

  In FIG. 1, a thin client terminal management system (20), an IP telephone management system (40), and an authentication collaboration system (10) are connected to each other via a computer network via a switch (50). Each system can transmit and receive data according to its function. In addition, the environment of connection forms such as LAN (Local Area Network) and WAN (Wide Area Network) is not particularly limited as long as communication between TCP / IP groups is possible between the networks.

Next, the authentication cooperation system (10) will be described with reference to FIG.
The authentication collaboration system (10) consists of an authentication collaboration server (11), a control function unit (12), a storage management function unit (13), a Web-API (14), a DB-API (15), a web container (16), Cooperation management function section (17), search function section (18), image transmission function section (19), switch (60), control function section (61), storage management function section (62), information notification function section (63) It is a system that includes

  The authentication cooperation server (11) is a main part of the present invention, and has a function of linking user authentication procedures in the thin client terminal system (20) and the IP telephone management system (40). In addition, when a new thin client terminal (21) and IP phone (52) are newly added or when the equipment itself is relocated due to layout changes, the corresponding equipment varies depending on the replacement due to a failure. Even in such a case, it is possible to automatically update the linkage information managed by the storage management function unit (13) upon receiving a notification from the information notification unit (63) of the exchange. . The functions of the authentication collaboration server (11) will be described below. However, it is not always necessary to physically implement one server, and a server is built for each function according to the need for redundancy or decentralization. It is also possible to do.

  The control function unit (12) is a so-called OS (Operating system) and is a platform of a so-called authentication cooperation server (11). The control function part (12) provides basic functions commonly used by many application software, such as input / output functions such as keyboard input and screen output, and disk and memory management. Basic software to manage Specific products include Microsoft (registered trademark) Windows (registered trademark) 2003 Server, Sun Microsystems (registered trademark) Solaris (registered trademark), HP HP-UX, IBM (registered trademark) AIX. UNIX (registered trademark) products such as Linux, Linux (registered trademark), which is free software compatible with UNIX (registered trademark), or distributions of distribution packages that combine Linux (registered trademark) kernel and software, etc. Applicable.

  The storage management function unit (13) is a so-called RDBMS (Relational Data Base Management System), which is software for managing a relational database. Relational database is a method of expressing a single data as a set of multiple items (fields) and a set of data as a table called a table, using key data such as ID numbers and names, Data can be easily combined and extracted. Specifically, it can be implemented by software typified by Oracle (registered trademark) Data Base of Oracle (registered trademark) or SQL Server of Microsoft (registered trademark). FIG. 5 shows information managed by the storage management function unit (13) in the preferred embodiment of the present invention.

The storage management function unit (13) manages the user correspondence management table (X) and the device correspondence management table (Y) as shown in FIG. The user correspondence management table (X) holds at least user identification information (X1) on the thin client terminal management system, user identification information (X3) on the IP telephone management system, and a setting file name (X2). .
The user who logged in / logged off the thin client terminal management system by associating the user identification information (X1) on the thin client terminal management system with the user identification information (X3) on the IP telephone management system is logged in / It is possible to log off. Further, the user identification information (X3) on the IP phone management system is associated with a setting file name (X2) when using the IP phone for each user. By notifying the setting file name and the model name (Y4) of the IP phone to be described later to the cooperation management unit (51) and the authentication management unit (47) of the IP phone management server, the predetermined IP phone (52) is notified. It becomes possible to make settings for each user.

  The device correspondence management table (Y) includes at least IP phone physical connection information (Y1), exchange information on the exchange (Y3 and Y6), IP phone model name (Y4), and IP phone logical connection information (Y5). It is a table that is out.

  In the device correspondence management table (Y), the physical connection information (Y1) of the IP telephone and the physical connection information (Y2) of the thin client terminal can be associated with each other by the cooperation information (Y3 and Y6) on the exchange. The IP phone model name (Y4) and IP phone logical connection information (Y5) are also associated with the IP phone physical connection information (Y1). The information acquisition method and the like will be described later.

  Web-API (14) is a so-called API (Application Program Interface), and API is a set of instructions and functions that can be used when developing software for a certain platform (OS and middleware). Also, it is a set of rules that define the program procedures for using them. The Web-API (14) provides a function for providing an operating environment and a function for transmitting / receiving data to / from other Web servers so that the Web service can be used in the authentication collaboration server (11). It can be said that it is an indispensable function for operating the web container (16) on the control function unit (12). Typical APIs include HTTP Servlet API, EJB (Enterprise JAVA Beans), and SAX for analyzing XML format data defined in the Java2 Enterprise Edition (J2EE) environment proposed by Sun Microsystems (registered trademark). (Simple API for XML), DOM (Document Object Model), SOAP (Simple Object Access Protocol), and SOAP SOAP that enable communication.

  DB-API (15) is the same API as Web-API (14), and the linkage function management unit (17) running on the WEB container (16) is stored in the storage management function unit (13). API for manipulating data or data to be stored. Typical APIs include JDBC (registered trademark) (Java Database Connectivity) defined in the Java2 Enterprise Edition (J2EE) environment proposed by Sun Microsystems (registered trademark) and ODBC proposed by Microsoft (registered trademark). (Open Database Connectivity).

The web container (16) is an execution environment for causing the authentication linkage server (11) to function as a web application server. Specifically, Tomcat, an open source software developed as a subproject of the Jakarta project, BEA Web Logic Server (registered trademark) from BEA Systems, and Web Sphere (registered trademark) Application from IBM (registered trademark) It can be implemented by Web application servers such as Server.
The Web application server generally has transaction processing, session management, security function, load distribution function, multi-thread / multi-process function, etc., and can be used together as appropriate when implementing the present invention. is there.

  The cooperation management function unit (17) is a generic name for a program (including objects, instances, methods, etc., omitted below) or software library for managing the situation of each system in cooperation. For example, a program that requests and collects data from each system in order to manage physical link information between the thin client terminal (21) and the IP telephone (52), and a result of a search made to the storage management function unit (13) Is sent to the authentication management function part (47) of the IP telephone management server as information, and the image transmission function part (19) is called after receiving a normal response from the authentication management function part (47) of the IP telephone management server. Has programs etc.

  The search function unit (18) is a program that retrieves data to the storage management function unit (13) and obtains the results. Data operations are performed on the storage management function unit (13) via the DB-API (15). Make a request. The data information that is the result of operating the storage management function unit (13) can be referred to from the cooperation management function unit (17). The DB-API (15) can perform operations such as data registration, change, deletion, selection, projection, and combination by operating instructions using SQL (Structured Query Language) statements.

  The image transmission function part (19) is an output function part of a predetermined IP phone by receiving a response from the cooperation management function part (51) of the IP telephone management server and then calling from the cooperation management function part (17). This is a program for transmitting and displaying a login / logoff success / failure screen to (52b). The output function part (52b) of the received IP telephone requests the designated image to the cooperation management function part (17) and acquires it, thereby displaying a login / logoff success / failure screen on the browser on the display. .

  The exchange (60) is a layer 3 switch or router, or an exchange having equivalent functions. A layer 3 switch is a switch for performing communication at the third layer (network layer) level of the OSI reference model established by the International Organization for Standardization (ISO), and selects a communication path for delivering data to the communication partner. It is also an exchange that can manage addresses in a communication path. A router is an exchange that performs communication at the third and fourth layer (transport layer) level or higher of the OSI reference model. Data compression, error correction, and retransmission for reliable and efficient delivery of data to the communication partner An exchange that performs control and the like.

  The control function unit (61) is software or OS for managing and controlling network information passing through the exchange. As a typical control function unit (61), there is IOS (Cisco Internetworking Operating System) which is a control OS of Cisco Systems (registered trademark).

  The storage management function unit (62) is a storage area that holds network information managed by the control function unit (61). FIG. 8 shows information managed by the storage management function unit (62) in the preferred embodiment of the present invention. The storage management function unit (62) includes a device correspondence management table (L). The device correspondence management table (L) includes interface information (L1), thin client terminal physical connection information (L2), IP telephone physical connection information (L3), and logical connection information (L4).

  The interface information (L1) is information on the port (connection port) itself that the exchange physically has. The physical connection information (L2) of the thin client terminal is the MAC address of the thin client terminal connected to the exchange. The physical connection information (L3) and logical connection information (L4) of the IP telephone are the MAC address and IP address of the IP telephone connected to the exchange. The storage management function unit (62) manages which device is connected to which port.

  The information notification function part (63) is a notification function by Syslog (RFC3196) or the like. When a device is newly connected to the port of the exchange or a device that has been connected is removed, the fact that the physical connection information has changed may be notified to the cooperation management function unit (17) of the authentication cooperation server it can.

VLAN function (Virtual LAN: IEEE 802.1Q as defined by the Institute of Electrical and Electronics Engineers (IEEE), so-called tagged VLAN and port-based VLAN) to enhance system expandability and maintainability as an additional function May be added.
In this embodiment, a DHCP (Dynamic Host Configuration Protocol) server is constructed (omitted, not shown), and an IP address is automatically assigned to the IP telephone.

  A design change that occurs depending on which device implements the above-described function can be dealt with by a method common to those skilled in the art, for example, replacement with an exchange having an optimum function.

Next, the thin client terminal management system (20) will be described with reference to FIG.
The thin client terminal management system (20) includes a thin client terminal (21), a thin client terminal input function unit (21a), a thin client terminal input function unit (21b), a thin client terminal management server (22), and an authentication device. (23), Control function part (24), Storage management function part (25), Web-API (26), DB-API (27), Web container (28), Authentication management function part (29), Registration function part (30), a change function part (31), a deletion function part (32), and a cooperation management function part (33) are included.

  The thin client terminal management system (20) manages each thin client terminal (21) based on physical information as a premise and holds user information for using the thin client terminal (21). It is a system that realizes a so-called multi-user environment that can provide the user's own usage environment without being limited to 21).

  Further, the thin client terminal management system (20) includes at least one thin client terminal (21) and a thin client terminal management server (22) in order to cooperate with the authentication cooperation server (11). It has a storage management function unit (25) capable of storing and managing user identification information and thin client terminal connection information on the terminal management system, and the user identification information transmitted from the thin client terminal and the physical information of the thin client terminal By comparing the connection information with the user identification information and the thin client terminal connection information on the thin client terminal management system managed by the storage management function unit (25), and determining whether or not the user is permitted to use. The authentication means for authentication and the authenticated user identification information and thin client terminal connection information It is necessary to have a means for transmitting the cooperative management function portion of the server (17).

  Thin client terminal management server (22) means control function part (24), storage management function part (25), Web-API (26), DB-API (27), Web container (28), authentication management function part (29) A server having a registration function unit (30), a change function unit (31), a deletion function unit (32), and a cooperation management function unit (33). It also has a function of managing the thin client terminal (21) and performing authentication when the user logs in / off the system by the authentication device (23). The system administrator can register, change, and delete user identification information. It is possible to manage applications and storage areas used for each user, and to provide predetermined applications and storage areas to the thin client terminal that has logged in.

  Note that the functions do not necessarily need to be physically realized by a single server, and a server can be constructed for each function according to the need for redundancy or decentralization.

  The thin client terminal (21) is a client terminal having hardware resources capable of realizing at least an input function and an output function and software resources for controlling them.

  For example, a client terminal having a keyboard as an input function and a display as an output function. Also, a smart card reader or the like that reads an interface necessary for network communication or a smart card necessary for an authentication procedure needs to be mounted. Although a thin client terminal is adopted as a preferred embodiment of the present invention, the present invention is not intended to exclude a client terminal that has its own storage management function, arithmetic function, calculation function, and control function.

  The authentication device (23) is a medium used for the user to log in / off the thin client terminal management system (40). The authentication device (23) stores user identification information and physical connection information in advance. The user identification information is information for identifying a predetermined individual. For example, there is a method of using a smart card or the like equipped with a PKCS (Public Key Cryptography Standards) # 11 module. The physical connection information is a MAC address or the like.

  The control function unit (24) is a so-called OS (Operating system) and is a platform of a so-called thin client terminal management server (22). The control function unit (24) provides basic functions that are commonly used by many application software, such as input / output functions such as keyboard input and screen output, and disk and memory management. Software. Specific products include Windows 2003 Server from Microsoft (registered trademark), Solaris from Sun Microsystems (registered trademark), HP-UX from HP, UNIX (registered trademark) such as AIX from IBM (registered trademark). ) Products, Linux (registered trademark), which is free software compatible with UNIX (registered trademark), or distributions of distribution packages in which Linux (registered trademark) kernels and software are combined.

  The storage management function unit (25) is a so-called RDBMS (Relational Data Base Management System), which is software for managing a relational database. Relational database is a method of expressing a single data as a set of multiple items (fields) and a set of data as a table called a table, using key data such as ID numbers and names Data can be easily combined and extracted. Specifically, it can be implemented by software typified by Oracle (registered trademark) Data Base of Oracle (registered trademark) or SQL Server of Microsoft (registered trademark). Information managed by the storage management function unit in the preferred embodiment of the present invention is shown in FIG. The storage management function unit (25) includes at least an authentication management table (J). The authentication management table (J) includes an authentication device ID (J1), physical connection information (J2) included in the authentication device, user identification information (J3) on the thin client terminal, and a password (J4) set for each user. included.

  The authentication device ID (J1) is, for example, the serial number of the authentication device (23) used by the user. The physical connection information (J2) included in the authentication device is, for example, a MAC address registered in advance in the authentication device (23). The password (J4) set for each user is a password created by the user himself.

  Various methods can be used for the authentication method. For example, personal authentication methods using passwords (including one-time password methods such as S / KEY and challenge / response methods), RADIUS (Remote Authentication Dial-In User Service) established by RFC2138 by the Internet Engineering Task Force (IETF) Personal authentication method using IEEE 802.1x authentication, personal authentication method using smart card with built-in IC conforming to ISO 15408, human face and voiceprint, pupil iris, vein biometric authentication (biological It may be a personal authentication method based on (authentication) or another authentication method for identifying a user. Any of the above authentication methods is not an element on which the present invention relies, and the present invention can be implemented in combination with each method.

  At this time, a user authentication system is constructed in consideration of the specifications and characteristics of the user identification information handled between the thin client terminal management server (22) and the thin client terminal (21) and between the cooperative authentication server (11). However, it is possible to easily cope with the addition or selection of optimum software, components, modules, etc., and system design changes.

  Web-API (26) is a so-called API (Application Program Interface), a function that provides an operating environment in order to make Web services available on the thin client terminal management server (), and a control function section (24) It is an indispensable function to operate the web container (28) above. Typical APIs include HTTP Servlet API, EJB (Enterprise JAVA Beans), and SAX for analyzing XML format data defined in the Java2 Enterprise Edition (J2EE) environment proposed by Sun Microsystems (registered trademark). (Simple API for XML), DOM (Document Object Model), SOAP (Simple Object Access Protocol), and SOAP SOAP that enable communication.

  DB-API (27) is the same API as Web-API (26), and the linkage function management unit (33) running on the WEB container (28) is stored in the storage management function unit (25). API for manipulating data or data to be stored. Typical APIs include JDBC (registered trademark) (Java Database Connectivity) defined in the Java2 Enterprise Edition (J2EE) environment proposed by Sun Microsystems (registered trademark) and ODBC proposed by Microsoft (registered trademark). (Open Database Connectivity).

  The web container (28) is an execution environment for causing the thin client terminal management server (22) to function as a web application server. Specific examples include Tomcat, an open source software developed as a subproject of the Jakarta project, BEA Web Logic Server (registered trademark) from BEA Systems, and Web Sphere Application Server from IBM (registered trademark). Can be implemented by a Web application server.

  The Web application server generally has transaction processing, session management, security function, load distribution function, multi-thread / multi-process function, etc., and can be used together as appropriate when implementing the present invention. is there.

  The authentication management function part (29) is a program that authenticates the user who uses the thin client terminal (21), stores the connection information of the authenticated user in the memory management function part (25), and changes the previous state. It has a function to do. Further, it has a registration function unit (30), a change function unit (31), and a deletion function unit (32). The function can be registered, changed, and deleted by the system administrator. Apart from this function, it is also possible to manage the thin client terminal by registering, changing, or deleting using the physical connection information of the thin client terminal (21) itself.

  In the present invention, information for identifying a user and physical connection information are stored in advance in the authentication device (23) and the storage management function unit (25), respectively. Authenticate. In this embodiment, the token ID and the MAC address (physical connection information) of the thin client terminal are used to identify the user.

  The cooperation management function unit (33) is a program that transmits the identification information of the user authenticated by the authentication management function unit (29) to the cooperation function management unit (17) of the authentication cooperation server. Specifically, search the memory management function part (25) for predetermined information for the user authenticated by the authentication management function part (29), and use the WEB-API (26) to retrieve the acquired information. Can be transmitted to the link management function unit (17). The flow of transmission information and data will be described later.

  Next, the IP telephone management system (40) will be described with reference to FIG. What is an IP phone management system (40)? Each IP phone (52) is managed by physical information, and holds user identification information that uses the IP phone (52), and is limited to a specific IP phone (52). This is a system that realizes a so-called multi-user environment that can provide the user's own usage environment. When using this system, hardware resources and software resources (IP-PBX, gatekeeper, H.323 compliant application software, etc.) on the network or each device to enable IP communication with the external environment (WAN, etc.) ) Is not directly related to the present invention, and the illustration and description are omitted.

  IP phone management system (40) includes IP phone management server (41), control function part (42), storage management function part (43), Web-API (44), DB-API (45), Web container ( 46), authentication management function part (47), registration function part (48), change function part (49), delete function part (50), linkage management function part (51), IP phone (52), IP phone input Function part (52a) The output function part (52b) of the IP telephone is included.

  IP phone management server (41) is a control function unit (42), storage management function unit (43), Web-API (44), DB-API (45), Web container (46), authentication management function unit ( 47), a registration function unit (48), a change function unit (49), a deletion function unit (50), and a cooperation management function unit (51).

  As a prerequisite, the IP phone management server (41) has a function to perform authentication when a user logs in / off the system by an authentication procedure using a password or the like, and the system administrator adds a user registration. It is possible to change, delete, etc. Then, setting information used for each user can be managed, and predetermined setting information can be provided to the IP telephone (52) that has logged in.

  Further, means for transmitting predetermined information to the cooperation management function section (17) of the cooperation server in response to a request from the cooperation management function section (17) of the cooperation server before the user logs into the thin client terminal management system (20). The user identification information on this system received from the cooperation management function part (17) of the authentication cooperation server after the user logs in to the thin client terminal management system (20), and the storage management function part (43) Authentication management function unit based on the means for comparing the identification information of the current user and referring to whether or not the user exists and the IP telephone connection related information received from the cooperation management function unit (17) of the cooperation server (47) includes means for setting or canceling setting of predetermined telephone setting information set for a user who is authenticated with respect to the corresponding IP telephone (52).

  In addition, the authentication management function unit (47) can also set a shared setting for a representative phone or the like as an initial setting of the IP phone.

  The functions of the IP telephone management server (41) will be described below. However, it is not always necessary to physically implement them by one server. Depending on the necessity of redundancy or decentralization, a server is provided for each function. It is also possible to construct.

  The control function unit (42) is a so-called OS (Operating system) and is a platform of a so-called IP phone management server (41). The control function part (42) provides basic functions that are commonly used by many application software, such as input / output functions such as keyboard input and screen output, and disk and memory management. Software. Specific products include Windows 2003 Server from Microsoft (registered trademark), Solaris from Sun Microsystems (registered trademark), HP-UX from HP, UNIX (registered trademark) such as AIX from IBM (registered trademark). ) Products, Linux (registered trademark), which is free software compatible with UNIX (registered trademark), or distributions of distribution packages in which Linux (registered trademark) kernels and software are combined.

  The storage management function unit (43) is a so-called RDBMS (Relational Data Base Management System), which is software for managing a relational database. Relational database is a method of expressing a single data as a set of multiple items (fields) and a set of data as a table called a table, using key data such as ID numbers and names, Data can be easily combined and extracted. Specifically, it can be implemented by software typified by Oracle (registered trademark) Data Base of Oracle (registered trademark) or SQL Server of Microsoft (registered trademark). Information managed by the storage management function unit in the preferred embodiment of the present invention is shown in FIG.

  The storage management function unit (43) includes at least an authentication management table (K) and a device correspondence management table (L).

  The authentication management table (K) includes user identification information (K1) on the IP phone management system, a password (K2) set for each user, an IP phone setting file name (K3) set for each user, and its setting file. (K4) is included.

  The user identification information (K1) on the IP telephone management system is information that uniquely identifies the user on the IP telephone management system. The password (K2) set for each user is a password created by the user himself. The IP phone setting file name (K3) and its setting file (K4) set for each user are a file name and its setting file storing the environment used by the user. The configuration file (K4) has a user configuration file for each IP phone model. This is because physical specifications (for example, differences in the number of push buttons) vary depending on the IP phone model.

  The device correspondence management table (L) includes the model name (L1) of the IP phone and the physical connection information (L2) of the IP phone. The model name (L1) of the IP phone is information for identifying the physical specification of each IP phone, and is information necessary for selecting a user setting file (K4) that conforms to the physical specification. The IP phone physical connection information (L2) is, for example, the IP phone MAC address. By registering the MAC address in advance, the IP phone can be managed and the IP phone model name can be determined. It becomes. The information acquisition method and the like will be described later.

  The Web-API (45) is a so-called API (Application Program Interface), a function that provides an operating environment in order to make the Web service available in the IP telephone management server (41). The control function section (42) It is an indispensable function to operate the web container (46) above. Typical APIs include HTTP Servlet API, EJB (Enterprise JAVA Beans), and SAX for analyzing XML format data defined in the Java2 Enterprise Edition (J2EE) environment proposed by Sun Microsystems (registered trademark). (Simple API for XML), DOM (Document Object Model), SOAP (Simple Object Access Protocol), and SOAP SOAP that enable communication.

  DB-API (45) is the same API as Web-API (45), and the linkage function management unit (51) running on the web container (46) operates the data to the storage management function unit (43). API for this. Typical APIs include JDBC (registered trademark) (Java Database Connectivity) defined in the Java2 Enterprise Edition (J2EE) environment proposed by Sun Microsystems (registered trademark) and ODBC proposed by Microsoft (registered trademark). (Open Database Connectivity).

  The web container (46) is an execution environment for causing the IP telephone management server (41) to function as a web application server. Specific examples include Tomcat, an open source software developed as a subproject of the Jakarta project, BEA Web Logic Server (registered trademark) from BEA Systems, and Web Sphere Application Server from IBM (registered trademark). Can be implemented by a Web application server.

  The Web application server generally has transaction processing, session management, security function, load distribution function, multi-thread / multi-process function, etc., and can be used together as appropriate when implementing the present invention. is there.

  The authentication management function unit (47) is a program for authenticating a user who uses the IP telephone (52), and stores the connection information of the authenticated user in the storage management function unit (43) or changes the previous state. It has a function. Further, it has a registration function section (48), a change function section (49), and a deletion function section (50). Each function can be registered, changed, and deleted by the system administrator. Apart from this function, it is also possible to manage by registering, changing, or deleting using the physical information of the IP telephone (52) itself.

In the present invention, information for identifying a user such as a password is stored in the storage management function unit (43) in advance, and the information matches the password entered by the user using the input function unit (52a) of the IP telephone. Thus, it is possible to authenticate whether or not the user is a valid user.
If the user is a legitimate user, the user can be permitted to use the user after setting the user to a predetermined IP telephone (52). The link management function unit (51) is used to perform authentication procedures from the link management function unit (17) of the authentication link server to the authentication management function unit (47) and storage management function unit (43) of the IP phone management system. A generic term for programs or software libraries. For example, a program that receives predetermined information transmitted from the cooperation management function part (17) of the authentication cooperation server, permits login to a predetermined IP telephone (52), and transmits a telephone setting file corresponding to the user And a program for transmitting a notification of completion to the cooperation management function unit (17) of the authentication cooperation server after the processing is normally completed for the IP telephone (52).

  The IP phone (52) is a service that converts voice into IP packets using so-called VoIP technology and makes voice calls via the Internet (IP network), not via the telephone company's general subscriber telephone network. Is a phone that can. In addition, due to the configuration of the present invention, it is necessary to arrange on the same interface port as the thin client terminal. For example, if there are two LAN connector ports on the IP phone (52), connect one to the thin client terminal (21) and the other to the switch (60), so that Then, the same interface port number is given, and it can be used as identification information for associating both devices.

  In this embodiment, a general call function is omitted, but login from an input function unit (52a) such as a push button for inputting a call or a password, or an image transmission function unit (19) of the authentication cooperation server. / To display the logoff success / failure screen, it is necessary to have an output function section (52b) such as a display.

  Finally, specific information and processing flow in a preferred embodiment to which the present invention is applied will be described in detail with reference to FIGS.

  The linkage management function part (17) of the authentication linkage server can receive the connection information change notification from the information notification function part (63) of the exchange (S1 in FIG. 9 and A1 in FIG. 10). Request and collect information from switch control function unit (61) and IP phone management system link management function unit (51) to establish linkage information of thin client terminal (21) and IP phone (52) (S2 and S3 in FIG. 9 and B1 to C2 in FIG. 10).

  As specific acquisition information, the interface function, the MAC address of the connected thin client terminal, and the IP address / MAC address of the IP phone are requested to the control function unit (61) of the exchange. Subsequently, the IP telephone model name is requested to the cooperation management function part (51) of the IP telephone management system based on the MAC address of the IP telephone acquired from the exchange. The acquired information is stored in the storage area (HDD) by the storage management function unit (13) of the authentication collaboration server (S4 in FIG. 9).

  When the user logs in / out of the thin client terminal (21) using the authentication device (23) (S5 in FIG. 9 and E0 and E1 in FIG. 11), the authentication management function unit (29 of the thin client terminal management server) ) Uses the DB-API (27) to inquire the storage management function unit (25) as to whether it is already registered user identification information and physical connection information of the thin client terminal (FIG. 11). E2). As a result of the inquiry, if the user is the corresponding user, a login / logoff procedure is performed (E3 in FIG. 11). When the authentication management function unit (29) determines that the user has logged in with a legitimate authority, the cooperation management function unit (33) uses the thin client terminal management system (33) based on the information transmitted from the thin client terminal. The user identification information in 20) and the MAC address information of the thin client terminal are transmitted to the cooperation function management unit (17) of the authentication cooperation server (E4 in FIG. 11).

  Next, the linkage function management unit (17) of the authentication linkage server uses the search function unit (16), and based on the information received from the linkage function management unit (33) of the thin client terminal management server, the DB-API (15 ) To request a data search to the storage management function unit (13) (S6 in FIG. 9). The storage management function unit (13) that has received the search request is associated with physical connection information of the IP telephone (52) associated with the thin client terminal (21) and user identification information on the thin client terminal management system. The user identification information / user setting file name on the IP telephone management system is returned to the link function management unit (17) (S6 to S11 in FIG. 9, E5 in FIG. 11). At this time, the user identification information on the thin client terminal management system and the user identification information on the IP telephone management system need to be associated in advance in the user correspondence management table (X) of the storage management function unit (17). . In this regard, in this embodiment, it is assumed that the system administrator manually performs association on the user correspondence management table in advance.

  However, it is a server that has a function to manage users by LDAP (Light Weight Directory Access Protocol) etc., and a system that associates user information between different systems exists in the system and can be referenced. In such a case, it is possible to search for user identification information from the linkage function management unit (17) to the system and obtain it.

  After that, the cooperation management function part (17) of the authentication cooperation server sends the user identification information, user setting file name, and IP phone MAC address on the IP telephone management system to the cooperation management function part (51) of the IP telephone management server. (S12 in FIG. 9, E6 in FIG. 11). The received information is handled as a logged-in / logged-out user by the authentication management function unit (47).

  Thereafter, the authentication management function unit (47) transmits the telephone setting file for the user to the predetermined IP telephone (52), and enters the usable / terminated state (E8 in FIG. 11). In addition, the cooperation management function unit (51) of the IP telephone management server returns a response to the cooperation management function unit (17) of the authentication cooperation server that the processing result has been normally performed when the above processing is performed normally. (E9 in FIG. 11).

  The cooperation management function part (17) of the authentication cooperation server transmits a login / logoff success / failure display image to the output function part (52b) of the predetermined IP telephone (S16 in FIG. 9 and E11 in FIG. 11). As a result, a login / logoff success / failure display image is displayed on the output function section (52b) of the IP telephone (E13 in FIG. 11), and the IP telephone (52) is in a usable / unusable state. Also, a processing completion response is received from the IP telephone (52) (S13 in FIG. 9, E12 in FIG. 11), and the processing in this system ends normally.

  As described above, the interface information for associating the IP telephone (52) and the thin client terminal (21) held by the exchange (60) in advance in the storage management function unit (13) of the authentication linkage server, in the thin client terminal management system Client terminal that holds user identification information and user identification information in the IP telephone system, and is set for each user for both a predetermined IP telephone (52) and a thin client terminal (21) according to the user's usage situation It is possible to provide the usage environment and IP phone usage information, and after the authentication linkage server (11) is operated, the linkage information changes dynamically and operates autonomously without bothering the system administrator. Is possible.

1 is an overall schematic diagram in a preferred embodiment of the present invention. It is a detailed functional diagram in the authentication cooperation server and exchange in a preferred embodiment of the present invention. It is a detailed functional diagram in the thin client terminal management server in a preferred embodiment of the present invention. It is a detailed functional diagram in the IP telephone management system in a preferred embodiment of the present invention. It is the management table which the memory | storage management function part in the authentication cooperation server in suitable embodiment of this invention manages. It is the management table which the memory | storage management function part in the thin client terminal management server in suitable embodiment of this invention manages. It is the management table which the memory | storage management function part in the IP telephone management server in suitable embodiment of this invention manages. It is the management table which the memory | storage management function part in the exchange in preferable embodiment of this invention manages. It is the figure which showed the algorithm in the authentication cooperation server in suitable embodiment of this invention. It is the sequence diagram (advance preparation part) which showed the data flow between each system component. It is the sequence diagram (cooperation authentication part) which showed the data flow between each system component.

Explanation of symbols

DESCRIPTION OF SYMBOLS 10 Authentication cooperation system 11 Authentication cooperation server 12 Control function part 13 Memory management function part 14 Web-API
15 DB-API
16 Web container 17 Cooperation management function part 18 Search function part 19 Image transmission function part 20 Thin client terminal management system 21 Thin client terminal 21a Input function part 21b Output function part 22 Thin client terminal management server 23 Authentication device 24 Control function part 25 Storage Management function part 26 Web-API
27 DB-API
28 Web container 29 Authentication management function part 30 Registration function part 31 Change function part 32 Deletion function part 33 Cooperation function management part 40 IP telephone management system 41 IP telephone management server 42 Control function part 43 Storage management function part 44 Web-API
45 DB-API
46 Web container 47 Authentication management function part 48 Registration function part 49 Change function part 50 Deletion function part 51 Cooperation management function part 52 IP telephone 52a Input function part 52b Output function part
60 Exchange 61 Control Function Unit 62 Storage Management Function Unit 63 Information Notification Function Unit

Claims (18)

A system including an apparatus that provides a predetermined function and a management server for providing the predetermined function; a system that provides another predetermined function; and a system including a management server for providing another predetermined function However, in the authentication linkage system, which is connected to the authentication linkage server via a computer network via at least one exchange, the devices of each system are of the nature of being used at the same time.
Authentication linkage server
A means for requesting and collecting connection information of each device from the management server of the exchange and each system, triggered by a connection status change notification from the exchange as advance preparation for authentication linkage,
Means for associating and storing each device in the storage area of the authentication collaboration server based on the collected information;
An apparatus that provides another predetermined function corresponding to an apparatus that provides a predetermined function based on physical connection information collected from a management server of a system that provides the predetermined function as an actual authentication cooperation Means for determining with reference to the storage of
Means for transmitting physical connection information and user identification information relating to a device that provides the determined other function to a management server of the system that provides the other function, and
An authentication cooperation system characterized in that the same effect as that when an authentication procedure is simultaneously performed on a device that provides a predetermined function and a device that provides a pair of other predetermined functions is provided.   In addition, the management server of the system providing other functions can use the system device, and has received a reply to the physical connection information and user identification information transmitted to the management server of the system providing other functions. 2. The authentication linkage system according to claim 1, further comprising means for displaying an authentication procedure success / failure screen on a device that provides another predetermined function as an opportunity.   The connection information possessed by the exchange collected from the authentication collaboration server includes the interface information possessed by the exchange. 3. The authentication cooperation system according to claim 1, further comprising means for determining that the device that provides the function and the device that provides the other predetermined function are associated devices. At least one thin client terminal management system including at least one thin client terminal and a thin client terminal management server, at least one IP telephone system including at least one IP telephone and an IP telephone management server, and an authentication linkage server In the authentication linkage system, which is connected by a computer network via the exchange of
Authentication linkage server
Means for requesting and collecting connection information, etc. from the exchange and the management server of each system as advance preparation for authentication linkage;
Means for storing a predetermined thin client terminal and an IP telephone in association with each other in the storage area of the authentication cooperation server based on the collected information;
Means for determining an IP telephone corresponding to a predetermined thin client terminal based on physical connection information collected from the thin client terminal management server as actual authentication cooperation with reference to the storage area of the authentication cooperation server;
Means for transmitting physical connection information and user identification information regarding the determined IP telephone to the IP telephone management server,
An authentication linkage system characterized in that it provides the same effect as a simultaneous authentication procedure for an IP telephone paired with a thin client terminal.   In addition, the IP phone management server can use the specified IP phone, and the authentication procedure for the specified IP phone succeeds when it receives a reply to the physical connection information and user identification information sent to the IP phone management server. 5. The authentication cooperation system according to claim 4, further comprising means for displaying an availability screen.   The connection information possessed by the exchange collected from the authentication cooperation server includes the interface information possessed by the exchange, and the authentication cooperation server indicates that the interface information is the same, so that the thin client terminal 6. The authentication cooperation system according to claim 4, wherein the authentication telephone system is determined to be a device associated with the IP telephone. A system including an apparatus that provides a predetermined function and a management server for providing the predetermined function; a system that provides another predetermined function; and a system including a management server for providing another predetermined function However, the authentication linkage server executes in an authentication linkage system that is connected to the authentication linkage server via a computer network via at least one exchange and the devices of each system are used at the same time. An authentication linkage method,
Requesting and collecting connection information of each device from the switch and the management server of each system, triggered by a connection status change notification from the switch as advance preparation for authentication linkage, and
Storing each device in association with each other in the storage area of the authentication collaboration server based on the collected information;
An apparatus that provides another predetermined function corresponding to an apparatus that provides a predetermined function based on physical connection information collected from a management server of a system that provides the predetermined function as an actual authentication cooperation Determining with reference to the storage of
Transmitting physical connection information, user identification information, and the like related to the apparatus that provides the determined other function to the management server of the system that provides the other function, and
An authentication cooperation method characterized in that, by all the steps described above, the same effect is obtained as when an authentication procedure is simultaneously performed on a device that provides a predetermined function and a device that provides a pair of other predetermined functions. .   In addition, the management server of the system providing other functions can use the system device, and has received a reply to the physical connection information and user identification information transmitted to the management server of the system providing other functions. 8. The authentication cooperation method according to claim 7, further comprising a step of displaying an authentication procedure success / failure screen on a device that provides another predetermined function when triggered.   The connection information possessed by the exchange collected from the authentication collaboration server includes the interface information possessed by the exchange. 9. The authentication cooperation method according to claim 7, wherein the function providing device and another device providing a predetermined function are determined to be associated with each other. At least one thin client terminal management system including at least one thin client terminal and a thin client terminal management server, at least one IP telephone system including at least one IP telephone and an IP telephone management server, and an authentication linkage server In an authentication collaboration system that is connected by a computer network via an exchange of each other and each device is of a nature that is used at the same time, an authentication collaboration method executed by the authentication collaboration server,
Requesting and collecting connection information, etc. from the exchange and the management server of each system as preparation for authentication linkage; and
Storing a predetermined thin client terminal and an IP telephone in association with each other in the storage area of the authentication cooperation server based on the collected information;
Determining an IP telephone corresponding to a predetermined thin client terminal based on physical connection information collected from the thin client terminal management server as actual authentication cooperation with reference to the storage area of the authentication cooperation server;
Transmitting physical connection information and user identification information related to the determined IP phone to the IP phone management server,
An authentication cooperation method characterized in that, by all the steps described above, the same effect is obtained as when an authentication procedure is simultaneously performed for an IP telephone paired with a thin client terminal.   In addition, the IP phone management server can use the specified IP phone, and the authentication procedure for the specified IP phone succeeds when it receives a reply to the physical connection information and user identification information sent to the IP phone management server. The authentication cooperation method according to claim 10, further comprising a step of displaying an availability screen.   The connection information possessed by the exchange collected from the authentication cooperation server includes the interface information possessed by the exchange, and the authentication cooperation server indicates that the interface information is the same, so that the thin client terminal 12. The authentication linkage method according to claim 10 or 11, wherein it is determined that the device is associated with the IP telephone. A system including an apparatus that provides a predetermined function and a management server for providing the predetermined function; a system that provides another predetermined function; and a system including a management server for providing another predetermined function However, in the authentication linkage system, which is connected to the authentication linkage server via a computer network via at least one exchange, the devices of each system are of the nature of being used at the same time.
On the authentication linkage server,
Requesting and collecting connection information of each device from the switch and the management server of each system, triggered by a connection status change notification from the switch as advance preparation for authentication linkage, and
Storing each device in association with each other in the storage area of the authentication collaboration server based on the collected information;
An apparatus that provides another predetermined function corresponding to an apparatus that provides a predetermined function based on physical connection information collected from a management server of a system that provides the predetermined function as an actual authentication cooperation Determining with reference to the storage of
Transmitting the physical connection information and user identification information relating to the apparatus that provides the determined other function to the management server of the system that provides the other function, and
An authentication cooperation program characterized in that it provides the same effect as a simultaneous authentication procedure for a device that provides a predetermined function and another device that provides a predetermined function.   In addition, the management server of the system providing other functions can use the system device, and has received a reply to the physical connection information and user identification information transmitted to the management server of the system providing other functions. 14. The authentication linkage program according to claim 13, wherein a step of causing an apparatus that provides a predetermined other function to display an authentication procedure success / failure screen is triggered.   The connection information possessed by the exchange collected from the authentication collaboration server includes the interface information possessed by the exchange. The authentication cooperation program according to claim 13 or 14, wherein a device that provides a function and a device that provides another predetermined function are determined to be associated with each other. At least one thin client terminal management system including at least one thin client terminal and a thin client terminal management server, at least one IP telephone system including at least one IP telephone and an IP telephone management server, and an authentication linkage server In the authentication linkage system, which is connected by a computer network via the exchange of
On the authentication linkage server,
Requesting and collecting connection information, etc. from the exchange and the management server of each system as preparation for authentication linkage; and
Storing a predetermined thin client terminal and an IP telephone in association with each other in the storage area of the authentication cooperation server based on the collected information;
Determining an IP telephone corresponding to a predetermined thin client terminal based on physical connection information collected from the thin client terminal management server as actual authentication cooperation with reference to the storage area of the authentication cooperation server;
Transmitting the physical connection information and user identification information regarding the determined IP telephone to the IP telephone management server, and
An authentication cooperation program characterized in that it provides the same effect as a simultaneous authentication procedure for an IP telephone paired with a thin client terminal.   In addition, the IP phone management server can use the specified IP phone, and the authentication procedure for the specified IP phone succeeds when it receives a reply to the physical connection information and user identification information sent to the IP phone management server. The authentication cooperation program according to claim 16, further comprising a step of displaying an availability screen.   The connection information possessed by the exchange collected from the authentication cooperation server includes the interface information possessed by the exchange, and the authentication cooperation server indicates that the interface information is the same, so that the thin client terminal 18. The authentication linkage program according to claim 16, wherein the authentication cooperation program is determined to be a device associated with the IP telephone.

Images