JP2017224179A - Information processing system, information processing device, and information processing program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an information processing device that makes authentication of a process at a second time or later unnecessary when the process is requested of another information processing device even if authentication servers of a requesting side and a requested side do not accord.SOLUTION: First transmission means of an information processing device transmits identification information on a user and identification information on an authentication server for the information processing device when requesting a process of a second information processing device. Second transmission means transmits identification information on an authentication server for the second information processing device when information indicating authentication failure is received from the second information processing device in response to the transmission, and information is stored indicating that authentication at the authentication server of the second information processing device has been performed in the past.SELECTED DRAWING: Figure 1

Description

  The present invention relates to an information processing system, an information processing apparatus, and an information processing program.

  Patent Document 1 proposes to reduce the burden of authentication work performed by a user when executing a series of processes in cooperation with a plurality of information processing apparatuses while enabling usage restrictions on the user. When the original MFP requests the request destination MFP for fax transmission processing, when the authentication unit receives a successful user authentication by the first authentication server, the processing unit sends the fax transmission data and the requested MFP to the request destination MFP. Job data including cooperation information for performing fax transmission processing, user information, and job information is created, and the communication control unit transmits the job data to the requested MFP, and the requested MFP performs authentication. Check the authentication method in the job data from the requesting MFP and the authentication method of the own device, determine whether or not the authentication server of the authentication destination is the same, The MFP user be permitted to use the self-MFP is disclosed requested processing as authenticated as the user of the request source of the MFP.

JP 2012-155568 A

Requesting processing to another information processing apparatus is performed.
By the way, when making such a request, authentication in another information processing apparatus is required. In the technique described in Patent Document 1, if the requesting side has the same authentication server as the requesting side and the requesting side, the user permits the processing requested as authenticated as the requesting user. doing. However, if the authentication server does not match, authentication is required every time.
The present invention makes it unnecessary to perform authentication in the second and subsequent processes even when a request is made to another information processing apparatus and the requesting server and the requesting authentication server do not match. An object of the present invention is to provide an information processing system, an information processing apparatus, and an information processing program.

The gist of the present invention for achieving the object lies in the inventions of the following items.
According to the first aspect of the present invention, in requesting processing to the second information processing apparatus, first transmission means for transmitting user identification information and identification information of an authentication server in the first information processing apparatus, and the transmission In contrast, when information indicating that authentication is impossible is received from the second information processing apparatus, information indicating that authentication in the authentication server of the second information processing apparatus has been performed in the past is stored. A first information processing apparatus having a second transmission means for transmitting identification information of the authentication server in the second information processing apparatus, and user identification information from the first information processing apparatus, First receiving means for receiving identification information of the authentication server in the first information processing apparatus, identification information of the authentication server received by the first receiving means, and identification of the authentication server in the second information processing apparatus Information If made, an information processing system having a second information processing apparatus having a third transmitting means for transmitting information indicating an authentication not to the first information processing apparatus.

  According to a second aspect of the present invention, when the third transmission unit matches the identification information of the authentication server received by the first reception unit and the identification information of the authentication server in the second information processing device, The information processing system according to claim 1, wherein information indicating successful authentication is transmitted to the first information processing apparatus.

  The invention according to claim 3 is the case where the second transmission means receives information indicating that authentication is impossible from the second information processing apparatus for the transmission, and the second information processing apparatus 3. The authentication information of the user in the authentication server of the second information processing apparatus is transmitted when information indicating that authentication in the authentication server has been performed in the past is not stored. Is an information processing system.

  According to a fourth aspect of the present invention, when the second information processing apparatus receives the authentication information of the user in the authentication server of the second information processing apparatus from the first information processing apparatus, the authentication information 4. The information processing according to claim 3, further comprising: an authentication unit that performs authentication processing in the authentication server using the authentication unit; and a fourth transmission unit that transmits an authentication result by the authentication unit to the first information processing apparatus. System.

  According to a fifth aspect of the present invention, when the first information processing apparatus receives information indicating a successful authentication as an authentication result from the second information processing apparatus, the authentication server of the second information processing apparatus The information processing system according to claim 4, further comprising a storage control unit that controls the storage device to store information indicating that the authentication has been performed.

  The invention according to claim 6 is the first transmission means for transmitting the identification information of the user and the identification information of the authentication server in the information processing apparatus when requesting the processing to the second information processing apparatus; Information indicating that authentication is not possible is received from the second information processing apparatus, and information indicating that authentication in the authentication server of the second information processing apparatus has been performed in the past is stored. The information processing apparatus has second transmission means for transmitting the identification information of the authentication server in the second information processing apparatus.

  According to a seventh aspect of the present invention, there is provided: first receiving means for receiving user identification information from the first information processing apparatus and authentication server identification information in the first information processing apparatus; and the first receiving means. Information processing having third transmission means for transmitting information indicating that authentication is impossible to the first information processing apparatus when the received identification information of the authentication server is different from the identification information of the authentication server in the information processing apparatus. Device.

  The invention according to claim 8 is the first transmission means for transmitting the identification information of the user and the identification information of the authentication server in the information processing apparatus when the computer requests processing to the second information processing apparatus, In response to transmission, information indicating that authentication is not possible is received from the second information processing apparatus, and information indicating that authentication in the authentication server of the second information processing apparatus has been performed in the past is stored. When it is, it is an information processing program for functioning as a second transmission means for transmitting the identification information of the authentication server in the second information processing apparatus.

  According to a ninth aspect of the present invention, there is provided a computer comprising: a first receiving unit configured to receive user identification information from the first information processing apparatus and identification information of an authentication server in the first information processing apparatus; When the identification information of the authentication server received by the receiving means is different from the identification information of the authentication server in the information processing apparatus, a third transmission means for transmitting information indicating that authentication is impossible to the first information processing apparatus. An information processing program for functioning.

  According to the information processing system of claim 1, even when a request is made to another information processing apparatus, even if the requesting side does not match the requesting authentication server, the second and subsequent times Authentication in processing can be made unnecessary.

  According to the information processing system of the second aspect, when the authentication server matches, authentication can be made unnecessary.

  According to the information processing system of the third aspect, authentication can be performed when authentication has not been performed in the past.

  According to the information processing system of the fourth aspect, when the authentication information is received, the authentication process can be performed by the authentication server using the authentication information.

  According to the information processing system of the fifth aspect, when the information indicating the authentication success is received, the information indicating that the authentication has been performed can be stored.

  According to the information processing apparatus of claim 6, even when a request is made to another information processing apparatus and the authentication server on the requesting side does not match the requesting authentication server, Authentication in processing can be made unnecessary.

  According to the information processing apparatus of claim 7, even when a request for processing is received from another information processing apparatus and the requesting side and the authentication server on the receiving side do not match, the second and subsequent times Authentication in this process can be made unnecessary.

  According to the information processing program of claim 8, even when a request is made to another information processing apparatus, even if the requesting side does not match the requesting authentication server, the second and subsequent times Authentication in processing can be made unnecessary.

  According to the information processing program of claim 9, even when a request for processing is received from another information processing apparatus, even if the requesting side and the authentication server on the receiving side do not match, the second and subsequent times Authentication in this process can be made unnecessary.

It is a conceptual module block diagram about the structural example of this Embodiment. It is a conceptual module block diagram about the structural example of this Embodiment. It is explanatory drawing which shows the system configuration example using this Embodiment. It is explanatory drawing which shows the example of a data structure of an authentication server table. It is explanatory drawing which shows the example of a data structure of a log table. It is explanatory drawing which shows the example of a data structure of an authentication corresponding table. It is explanatory drawing which shows the example of a data structure of an authentication table. It is a flowchart which shows the process example by this Embodiment. It is a flowchart which shows the process example by this Embodiment. It is explanatory drawing which shows the example of a data structure of an authentication corresponding table. It is a flowchart which shows the process example by this Embodiment. It is a block diagram which shows the hardware structural example of the computer which implement | achieves this Embodiment.

Hereinafter, an example of a preferred embodiment for realizing the present invention will be described with reference to the drawings.
FIG. 1 shows a conceptual module configuration diagram of a configuration example of the present embodiment.
The module generally refers to components such as software (computer program) and hardware that can be logically separated. Therefore, the module in the present embodiment indicates not only a module in a computer program but also a module in a hardware configuration. Therefore, the present embodiment is a computer program for causing these modules to function (a program for causing a computer to execute each procedure, a program for causing a computer to function as each means, and a function for each computer. This also serves as an explanation of the program and system and method for realizing the above. However, for the sake of explanation, the words “store”, “store”, and equivalents thereof are used. However, when the embodiment is a computer program, these words are stored in a storage device or stored in memory. This means that control is performed so as to be stored in the apparatus. Modules may correspond to functions one-to-one, but in mounting, one module may be configured by one program, or a plurality of modules may be configured by one program, and conversely, one module May be composed of a plurality of programs. The plurality of modules may be executed by one computer, or one module may be executed by a plurality of computers in a distributed or parallel environment. Note that one module may include other modules. Hereinafter, “connection” is used not only for physical connection but also for logical connection (data exchange, instruction, reference relationship between data, etc.). “Predetermined” means that the process is determined before the target process, and not only before the process according to this embodiment starts but also after the process according to this embodiment starts. Also, if it is before the target processing, it is used in accordance with the situation / status at that time or with the intention to be decided according to the status / status up to that point. When there are a plurality of “predetermined values”, they may be different values, or two or more values (of course, including all values) may be the same. In addition, the description having the meaning of “do B when it is A” is used in the meaning of “determine whether or not it is A and do B when it is judged as A”. However, the case where it is not necessary to determine whether or not A is excluded.
In addition, the system or device is configured by connecting a plurality of computers, hardware, devices, and the like by communication means such as a network (including one-to-one correspondence communication connection), etc., and one computer, hardware, device. The case where it implement | achieves by etc. is also included. “Apparatus” and “system” are used as synonymous terms. Of course, the “system” does not include a social “mechanism” (social system) that is an artificial arrangement.
In addition, when performing a plurality of processes in each module or in each module, the target information is read from the storage device for each process, and the processing result is written to the storage device after performing the processing. is there. Therefore, description of reading from the storage device before processing and writing to the storage device after processing may be omitted. Here, the storage device may include a hard disk, a RAM (Random Access Memory), an external storage medium, a storage device via a communication line, a register in a CPU (Central Processing Unit), and the like.

The information processing system according to the present embodiment includes a plurality of information processing apparatuses 100. The information processing apparatus 100 includes a reception module 110 and a communication module 120 as illustrated in the example of FIG. , An authentication module 130, a storage module 140, and a processing module 150. The information processing apparatus 100 requests another information processing apparatus 100 for processing (also referred to as a job). Conversely, the information processing apparatus 100 receives a processing request from another information processing apparatus 100. Then, the information processing apparatus 100 executes processing in the own information processing apparatus 100 or executes processing received from another information processing apparatus 100.
The information processing apparatus 100 includes personal computers, portable information communication devices (including mobile phones, smartphones, mobile devices, wearable computers, etc.), information appliances, robots, copiers, fax machines, scanners, printers, multifunction devices (scanners, An image processing apparatus having two or more functions such as a printer, a copier, and a fax machine) may be used. Hereinafter, in the case of illustration, a multifunction machine is used.

The reception module 110 receives an operation by a user (hereinafter also referred to as a user). Specifically, an operation for user authentication, a request for processing, and the like are accepted. As an operation for user authentication, there are, for example, acceptance of a user ID and password, reading of an IC card, reading for biometric authentication (for example, reading of fingerprint information, etc.) and the like. The requested processing includes, for example, a combination of copying, printing, scanning, fax communication, and the like. In addition, these processes may be accepted by a user operation using a mouse, a keyboard, a touch panel, sound, line of sight, gestures, and the like. For example, it may be received by operating a button corresponding to the process, or may be selected from a menu displayed on the display device of the information processing apparatus 100.
The communication module 120 communicates with another information processing apparatus 100, the authentication server 200, and the like via a communication line.

The case where the authentication module 130 is requested to process another information processing apparatus 100 (the authentication module 130 in the first information processing apparatus 100) will be described.
When the authentication module 130 requests processing from the second information processing apparatus 100 (here, another information processing apparatus 100), the authentication module 130 and the first information processing apparatus 100 (here, the own information processing apparatus 100). The identification information of the authentication server is transmitted via the communication module 120.
The authentication module 130 receives information indicating that authentication is impossible from the second information processing apparatus 100 in response to the transmission described above, and the authentication in the authentication server of the second information processing apparatus 100 has been past. When the information indicating that the process has been performed is stored, the identification information of the authentication server in the second information processing apparatus 100 is transmitted via the communication module 120.
The authentication module 130 is a case where information indicating that authentication is not possible is received from the second information processing apparatus 100 in response to the transmission described above, and the authentication in the authentication server of the second information processing apparatus 100 has been performed in the past. When the information indicating that the process has been performed is not stored, the user authentication information in the authentication server of the second information processing apparatus 100 may be transmitted via the communication module 120. Here, the “user authentication information” is information generated by an operation for user authentication received by the receiving module 110. Specifically, as described above, there are a user ID, a password, a reading result of an IC card, a reading result for biometric authentication, and the like.
Further, when the authentication module 130 receives information indicating successful authentication as the authentication result from the second information processing apparatus 100, the authentication module 130 indicates that the authentication in the authentication server of the second information processing apparatus 100 has been performed. Control may be performed so that information is stored in the storage module 140.

The case where the authentication module 130 receives a processing request from another information processing apparatus 100 (the authentication module 130 in the second information processing apparatus 100) will be described.
The authentication module 130 receives the identification information of the user and the identification information of the authentication server in the first information processing apparatus 100 from the first information processing apparatus (here, another information processing apparatus 100) via the communication module 120. To do.
If the received identification information of the authentication server is different from the identification information of the authentication server in the second information processing apparatus 100 (here, the own information processing apparatus 100), the authentication module 130 Information indicating that authentication is impossible is transmitted to 100 via the communication module 120.
Further, when the received identification information of the authentication server matches the identification information of the authentication server in the second information processing apparatus 100, the authentication module 130 sends information indicating successful authentication to the first information processing apparatus 100. The data may be transmitted via the communication module 120.
In addition, when the authentication module 130 receives user authentication information in the authentication server of the second information processing apparatus 100 from the first information processing apparatus 100, the authentication module 130 uses the authentication information (second information). An authentication process at an authentication server in the processing apparatus 100 may be performed.
Then, the authentication module 130 may transmit the authentication result to the first information processing apparatus 100 via the communication module 120.

The storage module 140 stores information indicating that authentication in the authentication server of the second information processing apparatus 100 has been performed in the past under the control of the authentication module 130. For example, an authentication server table 400, a log table 500, and an authentication correspondence table 600 are stored. An authentication server table 400 and a log table 500 are stored as data including user information.
FIG. 4 is an explanatory diagram showing an example of the data structure of the authentication server table 400. The authentication server table 400 includes a user ID column 410, an authentication server ID column 420, a user layer column 430 for login devices, and an available function column 440 for login devices. The user ID column 410 stores information (user ID: IDentification) for uniquely identifying a user in the present embodiment. In the present embodiment, authentication server ID column 420 stores information (authentication server ID) for uniquely identifying an authentication server. This is an authentication server used when the information processing apparatus 100 authenticates a user with the user ID. This authentication server ID may be called an authentication method. The user layer column 430 for the login device stores a user layer for the login device (own information processing apparatus 100). For example, there are general users and administrators. The usable function column 440 in the login device stores information on the usable function in the login device. The information on the usable function is information indicating a function permitted to be used for each user in the information processing apparatus 100 to be used. For example, the copy function and the fax communication of the information processing apparatus 100 that the user intends to use are used. The use of the function is permitted, the use of the print function is not permitted, and the like.
FIG. 5 is an explanatory diagram showing an example of the data structure of the log table 500. The log table 500 has a login date / time column 510 and a login device ID column 520. The login date / time column 510 stores the date / time (year, month, day, hour, minute, second, second or less, or a combination thereof) when logging in to the information processing apparatus 100. In the present embodiment, the login device ID column 520 stores information (login device ID) for uniquely identifying the logged-in device (own information processing apparatus 100).
When the information processing apparatus 100 requests the other information processing apparatus 100 to process the data of the authentication server table 400 and the log table 500, the requested information processing apparatus 100 (the other information processing apparatus 100) together with the request data. ).

  FIG. 6 is an explanatory diagram showing an example of the data structure of the authentication correspondence table 600. “Information indicating that authentication in the authentication server of the second information processing apparatus 100 has been performed in the past” is stored as an authentication correspondence table 600 as a specific example. The authentication correspondence table 600 includes an authentication server ID column 610, a user ID column 620, a function providing side authentication server ID column 630, and a corresponding user ID column 640. The authentication server ID field 610 stores an authentication server ID in the information processing apparatus 100 that performs authentication when the user in the user ID field 620 uses the information processing apparatus 100. The user ID column 620 stores a user ID. The function providing side authentication server ID column 630 stores the function providing side authentication server ID. That is, it is the authentication server ID of the authentication server in the other information processing apparatus 100 to which the processing is requested. Of course, the authentication server in the other information processing apparatus 100 here has been authenticated in the past when the user in the corresponding user ID column 640 uses the other information processing apparatus 100. The corresponding user ID column 640 stores the corresponding user ID. The user ID in the user ID column 620 and the corresponding user ID in the corresponding user ID column 640 indicate the same user. This is because the user ID in the information processing apparatus 100 and the user ID in another information processing apparatus 100 may be different. The data set of the authentication server ID column 610 and the user ID column 620 and the data set of the authentication server ID column 630 on the function providing side and the corresponding user ID column 640 are associated (linked).

The processing module 150 has a self-processing module 155 and a processing request module 160.
The own processing module 155 performs processing by the information processing apparatus 100 itself. For example, a combination process such as copying, printing, scanning, and fax communication is performed. Some of these processes cannot be performed depending on the authority of the user.
The processing request module 160 requests the other information processing apparatus 100 to perform processing via the communication module 120. Then, the processing result is received via the communication module 120.

FIG. 2 is a conceptual module configuration diagram of a configuration example of the present embodiment. The authentication server 200 is connected to the information processing apparatus 100 via a communication line, and authenticates a user according to an authentication request from the information processing apparatus 100.
The authentication server 200 includes a communication module 210, an authentication processing module 220, and a storage module 230.
The communication module 210 communicates with the information processing apparatus 100 or the like via a communication line.
The authentication processing module 220 performs authentication processing using data in the storage module 230 in accordance with the authentication request received by the communication module 210. For example, it is determined whether or not a combination of a user ID and a password is stored in the storage module 230.
The storage module 230 stores data necessary for authentication. For example, an authentication table 700 is stored. FIG. 7 is an explanatory diagram showing an example of the data structure of the authentication table 700. The authentication table 700 has a user ID column 710, a password column 720, and a login device ID column 730. The user ID column 710 stores a user ID. The password column 720 stores a password corresponding to the user ID. The login device ID column 730 stores a login device ID (ID of the information processing apparatus 100) that is authenticated by a user ID and a password.

FIG. 3 is an explanatory diagram showing a system configuration example using the present embodiment.
In the example of FIG. 3A, an information processing device 1: 100-1 used by a user, an information processing device N: 100-N, and an authentication server 1: 200- authenticating a user of each information processing device 100 are used. 1. The authentication server N: 200-N and the like are connected to each other via a communication line 390 so that they can communicate with each other. The communication line 390 may be wireless, wired, or a combination thereof, and may be, for example, the Internet or an intranet as a communication infrastructure.
In the example of FIG. 3B, the information processing device 1: 100-1, the information processing device 2: 100-2, the information processing device 3: 100-3, and the authentication server 1: 200-1 are the communication line 390-1. Connected through. The information processing device 21: 100-21, the information processing device 22: 100-22, and the authentication server 2: 200-2 are connected via a communication line 390-2. For example, the communication line 390-1 and the communication line 390-2 are local area networks (LAN), and form a wide area network (WAN) as an entire communication line. Of course, the Internet, an intranet, etc. may be sufficient.

These examples include a plurality of information processing apparatuses 100 and a plurality of authentication servers 200. Each of the information processing apparatuses 100 performs authentication with a predetermined authentication server 200.
When a service is provided by using functions of a plurality of information processing apparatuses 100, authentication is performed by the information processing apparatus 100 that is operating (the operation side), and then another information processing apparatus 100 (function that uses the function) Authentication on the provider side).
As an example, the following processing is performed.
In order to perform authentication in the information processing apparatus 100 (function providing side), the information processing apparatus 100 (operation side) transmits the identifier of the authentication server 200 and the user ID. The information processing apparatus 100 (function providing side) checks whether the authentication server identifier of the information processing apparatus 100 (operation side) matches the authentication server identifier of the information processing apparatus 100 (function providing side).
(1) When they match The function is provided assuming that the user ID transmitted from the information processing apparatus 100 (operation side) has been authenticated.
(2) When they do not coincide Notify the information processing apparatus 100 (operation side) that the authentication has failed. An authentication server identifier of the information processing apparatus 100 (function providing side) is also transmitted in the authentication failure notification.
When the information processing apparatus 100 (operation side) receives a notification of authentication failure from the information processing apparatus 100 (function providing side), the authentication correspondence table 600 confirms whether there is information associated with the authentication server 200 included in the notification. To do. If there is corresponding information, authentication is performed by transmitting a corresponding authentication server ID and user ID. If there is no corresponding information, the user inputs authentication information (user ID, password, etc.) of the information processing apparatus 100 (function providing side), and transmits the authentication information to the information processing apparatus 100 (function providing side). Authenticate. When the authentication is successful, the information processing apparatus 100 (operation side) displays the authentication server ID / user ID pair of the information processing apparatus 100 (operation side) and the authentication server ID / user ID of the information processing apparatus 100 (function providing side). Are associated with the authentication correspondence table 600 and stored. Thereafter, the function of the information processing apparatus 100 (function providing side) is used.
Once the information associated with the authentication correspondence table 600 is registered, re-input is not required when the information processing apparatus 100 (operation side) uses the function of the information processing apparatus 100 (function providing side).

The authentication server 200 stores the user information (user information) of the user in advance so that each information processing apparatus 100 can be used only by a previously registered user, and user information transmitted from each information processing apparatus 100 and The user information (user information) registered in the self-authentication server 200 is collated, and the collation result is notified to each information processing apparatus 100.
When the user wants to use the information processing apparatus 1: 100-1 or the like, the user registers user information in the authentication server 1: 200-1 that performs authentication of each information processing apparatus 100 on the communication line 390-1, and uses it. If the authentication is not received, the information processing device 1: 100-1, the information processing device 2: 100-2, the information processing device 3: 100-3, etc. on the communication line 390-1 cannot be used. In addition, for the information processing device 21: 100-21 and the information processing device 22: 100-22 on the communication line 390-2, user information is registered in the authentication server 2: 200-2, and the user information is authenticated when used. Otherwise, the information processing device 21: 100-21 and the information processing device 22: 100-22 on the communication line 390-2 cannot be used.
For example, when the user registers in advance in the authentication server 1: 200-1 and uses the information processing apparatus 1: 100-1 on the communication line 390-1, the user is registered with the information processing apparatus 1: 100-1. When the user information is input and authentication is performed by the authentication server 1: 200-1, the information processing apparatus 1: 100-1 can be used.

The system configuration shown in the example of FIG. 3 is as follows.
A plurality of authentication servers and a plurality of information processing apparatuses each responsible for user authentication can communicate with each other on a communication line,
Each of the authentication servers stores user information of users of a plurality of information processing apparatuses that are responsible for user authentication by the self-authentication server, and each of the information processing apparatuses is used by the information processing apparatus for user authentication. User information input by the user of the information processing apparatus is transmitted to the authentication server being used, and the authentication server that has received the user information stores the received user information and the self-authentication server, respectively. User information is collated, and when both user information matches, each information processing device that has transmitted the user information transmits an authentication success, and each information processing device that has received the authentication success notifies each user An information processing system that permits the use of its own information processing device,
In the information processing apparatus,
When requesting processing to another information processing apparatus, transmission means for transmitting the identification information of the authentication server used by the requesting information processing apparatus for user authentication together with the request;
When a processing request is received from another information processing apparatus, the identification information of the authentication server used for authentication of the user by the other information processing apparatus of the request source received together with the request and the processing request are received. The identification information stored in the identification information stored in the identification information processing apparatus used by the identification information processing apparatus used for user authentication is determined to be the same. A permission unit for permitting use of the own information processing apparatus for the requested process as authenticated as a user of the own information processing apparatus from which the user of the other information processing apparatus of the request source has received the request for the processing; This is an information processing system characterized by that.
Furthermore, the information processing apparatus 100 illustrated in the example of FIG. 1 may be employed as the information processing apparatus (including the own information processing apparatus and other information processing apparatuses).

Further, the information processing apparatus shown in the example of FIG. 3 is as follows.
On the communication line, each of the other information processing apparatus, the authentication server used for authenticating the user of the information processing apparatus, and the plurality of authentication servers responsible for authentication of the user of the other information processing apparatus Can communicate,
User information of a user of the information processing apparatus is stored in the authentication server used for authentication of the user of the information processing apparatus, and the authentication server is used for user authentication from the information processing apparatus The user information input by the user of the information processing apparatus is transmitted to the server, and the user information received by the authentication server that received the user information is collated with the user information stored in the authentication server. When the user information matches, the authentication success is transmitted to the information processing device, and when the authentication success is received, the information processing device permits the user to use the information processing device,
When requesting processing to another information processing apparatus, transmission means for transmitting the identification information of the authentication server used by the requesting information processing apparatus for user authentication together with the request;
When a processing request is received from another information processing apparatus, the identification information of the authentication server used for authentication of the user by the other information processing apparatus of the request source received together with the request and the processing request are received. The identification information stored in the identification information stored in the identification information processing apparatus used by the identification information processing apparatus used for user authentication is determined to be the same. A permission unit for permitting use of the own information processing apparatus for the requested process as authenticated as a user of the own information processing apparatus from which the user of the other information processing apparatus of the request source has received the request for the processing; This is an information processing apparatus characterized by that.
Furthermore, the information processing apparatus 100 illustrated in the example of FIG. 1 may be employed as the information processing apparatus (including the own information processing apparatus and other information processing apparatuses).

FIG. 8 is a flowchart showing an example of processing according to this embodiment. In this processing example, authentication is based on a combination of a user ID and a password (the same applies hereinafter). Note that the authentication method (authentication server) of the information processing apparatus 1: 100-1 and the information processing apparatus 2: 100-2 is the same.
In step S802, the information processing apparatus 1: 100-1 requests the user for a user ID and a password.
In step S804, the information processing apparatus 1: 100-1 receives (User01, pass01) in response to a user operation. Then, processing (for example, fax communication) is received according to the user's operation. This fax communication cannot be used by the information processing apparatus 1: 100-1, but can be used by the information processing apparatus 2: 100-2. Accordingly, it is necessary to request the information processing apparatus 2: 100-2 for fax communication processing.

In step S806, the information processing apparatus 1: 100-1 transmits (User01, pass01) to the authentication server 1: 200-1 to request authentication.
In step S808, the authentication server 1: 200-1 performs an authentication process, and returns an authentication success as an authentication result to the information processing apparatus 1: 100-1.
In step S810, the information processing apparatus 1: 100-1 transmits (authServer1, User01) to the information processing apparatus 2: 100-2 to make a function use request. Note that “authServer1” is the authentication server ID of the authentication server 1: 200-1.
In step S812, the information processing apparatus 2: 100-2 has the same authentication server ID (authServer1) as the authentication server ID received in step S810 and the authentication server of the information processing apparatus 2: 100-2. 1: Authentication success is returned to 100-1.
In step S814, the information processing apparatus 1: 100-1 uses the function of the information processing apparatus 2: 100-2. For example, processing for using functions such as fax communication is performed.

  FIG. 9 is a flowchart showing an example of processing according to the present embodiment. In this processing example, the authentication method (authentication server) of the information processing device 1: 100-1 and the information processing device 21: 100-21 is different. And it is the first request to the information processing device 21: 100-21. That is, the authentication correspondence table 600 is not yet registered. This is an example of the case where “information indicating that authentication in the authentication server 2: 200-2 of the information processing device 21: 100-21 has been performed in the past is not stored” in the information processing device 1: 100-1. .

In step S902, the information processing apparatus 1: 100-1 requests the user ID and password from the user.
In step S904, the information processing apparatus 1: 100-1 receives (User01, pass01) in response to a user operation. Then, processing (for example, fax communication) is received according to the user's operation. This fax communication cannot be used in the information processing apparatus 1: 100-1, but can be used in the information processing apparatus 21: 100-21. Accordingly, it is necessary to request the information processing apparatus 21: 100-21 to perform fax communication processing (the same applies hereinafter).

In step S906, the information processing apparatus 1: 100-1 transmits (User01, pass01) to the authentication server 1: 200-1 to request authentication.
In step S908, the authentication server 1: 200-1 performs an authentication process, and returns an authentication success as an authentication result to the information processing apparatus 1: 100-1.
In step S910, the information processing apparatus 1: 100-1 transmits (authServer1, User01) to the information processing apparatus 21: 100-21 to make a function use request.
In step S912, the information processing apparatus 21: 100-21 differs from the authentication server ID received in step S910 and the information processing apparatus 21: 100-21 in the information processing apparatus 1: 100-1. On the other hand, authentication NG (authentication failure) is returned and authentication information of (authServer2) is requested. Note that “authServer2” is the authentication server ID of the authentication server 2: 200-2.

  In step S914, the information processing apparatus 1: 100-1 checks the authentication correspondence table 600. Specifically, it is checked whether or not (authServer2) exists in the authentication correspondence table 600. Further, in the authentication correspondence table 600, it may be checked whether there is a combination of “authServer2” and the corresponding user ID corresponding to the combination of “authServer1” and “User01”. In this example, since it is the first request to the information processing device 21: 100-21, it is not yet registered.

In step S916, the information processing apparatus 1: 100-1 requests the user for the user ID and password in the information processing apparatus 21: 100-21 (authentication server 2: 200-2).
In step S918, the information processing apparatus 1: 100-1 receives (UserA, pass02) in response to a user operation.

In step S920, the information processing apparatus 1: 100-1 transmits the authentication information (UserA, pass02) in the authentication server 2: 200-2 to the information processing apparatus 21: 100-21.
In step S922, the information processing apparatus 21: 100-21 transmits (UserA, pass02) to the authentication server 2: 200-2 to request authentication.
In step S924, the authentication server 2: 200-2 performs an authentication process, and returns an authentication success as an authentication result to the information processing apparatus 21: 100-21.
In step S926, the information processing device 21: 100-21 returns authentication success to the information processing device 1: 100-1.

In step S928, the information processing apparatus 1: 100-1 registers the authentication correspondence table. Specifically, the authentication correspondence table 600 illustrated in the example of FIG. 6 is similar to the authentication correspondence table 600 illustrated in the example of FIG. In the authentication correspondence table 600 shown in the example of FIG. 10, “authServer1” is stored in the authentication server ID column 610, “User01” is stored in the user ID column 620, and the authentication server ID column 630 on the function providing side is stored. “AuthServer2” is stored, and “UserA” is stored in the authentication server ID column 610. That is, it indicates that there is a combination of “authServer2” and “UserA” corresponding to a combination of “authServer1” and “User01”. This indicates that the information processing apparatus 1: 100-1 stores “information indicating that authentication in the authentication server 2: 200-2 of the information processing apparatus 21: 100-21 has been performed in the past”. ing.
In step S930, the information processing apparatus 1: 100-1 uses the function of the information processing apparatus 21: 100-21. For example, use processing of a function of fax communication is performed. Note that as the processing in step S930, (authServer2, UserA) may be transmitted to make a function use request.

  FIG. 11 is a flowchart showing an example of processing according to the present embodiment. This is a process after the process shown in the example of FIG. 9 is performed. In other words, the authentication correspondence table 600 shown in the example of FIG. 10 is used, and the information processing device 1: 100-1 to the information processing device 21: 100-21 are used for the second time and thereafter.

In step S1102, the information processing apparatus 1: 100-1 requests a user ID and password from the user.
In step S1104, the information processing apparatus 1: 100-1 receives (User01, pass01) in response to a user operation. Then, processing (for example, fax communication) is received according to the user's operation. Then, processing (for example, fax communication) is received according to the user's operation.

In step S1106, the information processing apparatus 1: 100-1 transmits (User01, pass01) to the authentication server 1: 200-1 to request authentication.
In step S1108, the authentication server 1: 200-1 performs an authentication process, and returns an authentication success as an authentication result to the information processing apparatus 1: 100-1.
In step S1110, the information processing apparatus 1: 100-1 transmits (authServer1, User01) to the information processing apparatus 21: 100-21 to make a function use request.
In step S1112, the information processing apparatus 21: 100-21 is different from the authentication server ID received in step S1110 and the authentication server ID of the information processing apparatus 21: 100-21. On the other hand, authentication NG (authentication failure) is returned and authentication information of (authServer2) is requested.

  In step S1114, the information processing apparatus 1: 100-1 checks the authentication correspondence table 600. Specifically, it is checked whether or not (authServer2) exists in the authentication correspondence table 600. Further, in the authentication correspondence table 600, it may be checked whether there is a combination of “authServer2” and the corresponding user ID corresponding to the combination of “authServer1” and “User01”. In this example, since it is like the authentication correspondence table 600 shown in the example of FIG. 10, it is determined that there is (authServer2).

In step S1116, the information processing apparatus 1: 100-1 transmits (authServer2, UserA) to the information processing apparatus 21: 100-21 to make a function use request. Here, (authServer2, UserA) is extracted from the authentication server ID column 630 and the corresponding user ID column 640 on the function providing side of the authentication correspondence table 600 shown in the example of FIG.
In step S1118, the information processing apparatus 21: 100-21 has the same authentication server ID (authServer2) as the authentication server ID received in step S1116 and the authentication server of the information processing apparatus 21: 100-21. 1: Authentication success is returned to 100-1.
In step S1120, the information processing apparatus 1: 100-1 uses the function of the information processing apparatus 21: 100-21. For example, processing for using functions such as fax communication is performed.
Therefore, in the process example of FIG. 11, since the process of step S916 in the process example of FIG. 9 is not performed, the user performs an operation of entering authentication information in the information processing apparatus 21: 100-21 (authentication server 2: 200-2). It becomes unnecessary.

  A hardware configuration example of the information processing apparatus 100 and the authentication server 200 according to the present embodiment will be described with reference to FIG. The configuration shown in FIG. 12 is configured by a personal computer (PC), for example, and shows a hardware configuration example including a data reading unit 1217 such as a scanner and a data output unit 1218 such as a printer.

  A CPU (Central Processing Unit) 1201 includes various modules described in the above-described embodiments, that is, a reception module 110, a communication module 120, an authentication module 130, a processing module 150, a self-processing module 155, a processing request module 160, and the like. It is a control part which performs the process according to the computer program which described the execution sequence of each module.

  A ROM (Read Only Memory) 1202 stores programs used by the CPU 1201, calculation parameters, and the like. A RAM (Random Access Memory) 1203 stores programs used in the execution of the CPU 1201, parameters that change as appropriate during the execution, and the like. These are connected to each other by a host bus 1204 configured by a CPU bus or the like.

  The host bus 1204 is connected to an external bus 1206 such as a PCI (Peripheral Component Interconnect / Interface) bus via a bridge 1205.

  A keyboard 1208 and a pointing device 1209 such as a mouse are devices operated by an operator. The display 1210 includes a liquid crystal display device or a CRT (Cathode Ray Tube), and displays various types of information as text or image information. Further, a touch screen or the like having both functions of the pointing device 1209 and the display 1210 may be used.

  An HDD (Hard Disk Drive) 1211 includes a hard disk (may be a flash memory or the like), drives the hard disk, and records or reproduces a program executed by the CPU 1201 and information. The hard disk realizes functions as the storage module 140, the storage module 230, and the like. Further, various other data, various computer programs, and the like are stored.

  The drive 1212 reads data or a program recorded in a removable recording medium 1213 such as a magnetic disk, an optical disk, a magneto-optical disk, or a semiconductor memory, and the data or program is read out to the interface 1207 and the external bus 1206. , The bridge 1205, and the RAM 1203 connected via the host bus 1204. Note that the removable recording medium 1213 can also be used as a data recording area.

  The connection port 1214 is a port for connecting the external connection device 1215 and has a connection unit such as USB, IEEE1394. The connection port 1214 is connected to the CPU 1201 and the like via the interface 1207, the external bus 1206, the bridge 1205, the host bus 1204, and the like. The communication unit 1216 is connected to a communication line and executes data communication processing with the outside. The data reading unit 1217 is a scanner, for example, and executes document reading processing. The data output unit 1218 is a printer, for example, and executes document data output processing.

  Note that the hardware configuration of the information processing apparatus or the like shown in FIG. 12 shows one configuration example, and the present embodiment is not limited to the configuration shown in FIG. Any configuration can be used. For example, some modules may be configured with dedicated hardware (for example, Application Specific Integrated Circuit (ASIC), etc.), and some modules are in an external system and connected via a communication line Further, a plurality of systems shown in FIG. 12 may be connected to each other via communication lines so as to cooperate with each other. In particular, in addition to a personal computer, it may be incorporated in a portable information communication device, information appliance, robot, copying machine, fax machine, scanner, printer, multifunction device, or the like.

In the above-described embodiment, the method for updating the authentication correspondence table 600 may be as follows.
In the above-described embodiment, the authentication correspondence table 600 is held in the information processing apparatus 100 (operation side). However, the authentication correspondence table 600 may be held in the information processing apparatus 100 (function providing side). Further, the authentication load can be reduced. In this case, it is necessary to transmit not only the available authentication server ID and user ID but also the corresponding authentication server ID and user ID.
In the above-described embodiment, the expiration date of the authentication correspondence table 600 may be as follows.
In the above-described embodiment, once authentication is performed, the information in the authentication correspondence table 600 continues to remain. Therefore, the authentication information can be used forever, but the security risk increases. Therefore, the date and time of the first authentication is recorded in the authentication correspondence table 600, the date and time is checked when the information in the authentication correspondence table 600 is used, and the period from the first authentication date to the present time exceeds a predetermined threshold ( Or the above), the information in the authentication correspondence table 600 is discarded. The timing (threshold value) for discarding is matched with the policy for each information processing apparatus 100. This makes it possible to suppress security risks.

The program described above may be provided by being stored in a recording medium, or the program may be provided by communication means. In that case, for example, the above-described program may be regarded as an invention of a “computer-readable recording medium recording the program”.
The “computer-readable recording medium on which a program is recorded” refers to a computer-readable recording medium on which a program is recorded, which is used for program installation, execution, program distribution, and the like.
The recording medium is, for example, a digital versatile disc (DVD), which is a standard established by the DVD Forum, such as “DVD-R, DVD-RW, DVD-RAM,” and DVD + RW. Standard “DVD + R, DVD + RW, etc.”, compact disc (CD), read-only memory (CD-ROM), CD recordable (CD-R), CD rewritable (CD-RW), Blu-ray disc ( Blu-ray (registered trademark) Disc), magneto-optical disk (MO), flexible disk (FD), magnetic tape, hard disk, read-only memory (ROM), electrically erasable and rewritable read-only memory (EEPROM (registered trademark)) )), Flash memory, Random access memory (RAM) SD (Secure Digital) memory card and the like.
Then, the whole or a part of the program may be recorded on the recording medium for storage or distribution. Also, by communication, for example, a local area network (LAN), a metropolitan area network (MAN), a wide area network (WAN), a wired network used for the Internet, an intranet, an extranet, or a wireless communication It may be transmitted using a transmission medium such as a network or a combination of these, or may be carried on a carrier wave.
Furthermore, the program may be a part or all of another program, or may be recorded on a recording medium together with a separate program. Moreover, it may be divided and recorded on a plurality of recording media. Further, it may be recorded in any manner as long as it can be restored, such as compression or encryption.

DESCRIPTION OF SYMBOLS 100 ... Information processing apparatus 110 ... Reception module 120 ... Communication module 130 ... Authentication module 140 ... Storage module 150 ... Processing module 155 ... Self-processing module 160 ... Processing request module 200 ... Authentication server 210 ... Communication module 220 ... Authentication processing module 230 ... Storage module 390 ... communication line

Claims (9)

A first transmission means for transmitting the identification information of the user and the identification information of the authentication server in the first information processing apparatus in requesting the processing to the second information processing apparatus;
In response to the transmission, information indicating that authentication is not possible is received from the second information processing apparatus, and information indicating that authentication in the authentication server of the second information processing apparatus has been performed in the past. A first information processing apparatus having a second transmission means for transmitting the identification information of the authentication server in the second information processing apparatus,
First receiving means for receiving user identification information and authentication server identification information in the first information processing apparatus from the first information processing apparatus;
When the identification information of the authentication server received by the first receiving unit is different from the identification information of the authentication server in the second information processing apparatus, information indicating that authentication is impossible is transmitted to the first information processing apparatus. An information processing system having a second information processing apparatus having a third transmission unit. The third transmission means includes
If the identification information of the authentication server received by the first receiving means matches the identification information of the authentication server in the second information processing apparatus, information indicating successful authentication is transmitted to the first information processing apparatus. To
The information processing system according to claim 1. The second transmission means includes
In response to the transmission, information indicating that authentication is not possible is received from the second information processing apparatus, and information indicating that authentication in the authentication server of the second information processing apparatus has been performed in the past. When not stored, the authentication information of the user in the authentication server of the second information processing apparatus is transmitted.
The information processing system according to claim 1 or 2. The second information processing apparatus
An authentication unit that, when receiving authentication information of the user in the authentication server of the second information processing apparatus from the first information processing apparatus, performs authentication processing in the authentication server using the authentication information; ,
The information processing system according to claim 3, further comprising: a fourth transmission unit configured to transmit an authentication result obtained by the authentication unit to the first information processing apparatus. The first information processing apparatus includes:
When information indicating successful authentication is received as an authentication result from the second information processing apparatus, information indicating that authentication in the authentication server of the second information processing apparatus has been performed is stored in the storage device. The information processing system according to claim 4, further comprising storage control means for controlling the information. A first transmission means for transmitting the identification information of the user and the identification information of the authentication server in the information processing apparatus in requesting the processing to the second information processing apparatus;
In response to the transmission, information indicating that authentication is not possible is received from the second information processing apparatus, and information indicating that authentication in the authentication server of the second information processing apparatus has been performed in the past. An information processing apparatus comprising: a second transmission unit configured to transmit the identification information of the authentication server in the second information processing apparatus when stored. First receiving means for receiving identification information of a user and identification information of an authentication server in the first information processing apparatus from the first information processing apparatus;
If the identification information of the authentication server received by the first receiving means is different from the identification information of the authentication server in the information processing apparatus, information indicating that authentication is impossible is transmitted to the first information processing apparatus. An information processing apparatus comprising: Computer
A first transmission means for transmitting the identification information of the user and the identification information of the authentication server in the information processing apparatus in requesting the processing to the second information processing apparatus;
In response to the transmission, information indicating that authentication is not possible is received from the second information processing apparatus, and information indicating that authentication in the authentication server of the second information processing apparatus has been performed in the past. An information processing program for functioning as second transmission means for transmitting identification information of an authentication server in the second information processing apparatus when stored. Computer
First receiving means for receiving identification information of a user and identification information of an authentication server in the first information processing apparatus from the first information processing apparatus;
If the identification information of the authentication server received by the first receiving means is different from the identification information of the authentication server in the information processing apparatus, information indicating that authentication is impossible is transmitted to the first information processing apparatus. Processing program for functioning as a transmission means.

Images