JP5086142B2 - Authentication system, authentication method, and program executed by computer - Google Patents

Description

  The present invention relates to an authentication system, an authentication method, and a program, and more particularly, to an authentication system, an authentication method, and a program for a terminal device that includes an application presumed to use an external service.

  Conventionally, in an application that is premised on the use of an external service, if the user authentication mechanism required by the external service can be used as it is and the access control of the application itself can be performed, it is convenient for the user and the application itself It is generally used in the form of an SSO (Single Sign On) function.

  However, at present, the external service is incorporated in a part of the external service, not a general-purpose user authentication unit (referred to as a first authentication unit in the present specification) that performs authentication using a general ID and password. In many cases, authentication means (referred to as second authentication means in this specification) is provided. However, this second authentication means is not necessarily assumed to be used for other than external services. For example, there is an application that uses an external service that does not transmit who is identified as an authentication result and only transmits whether authentication is successful or unsuccessful. As a result, only information indicating whether or not the user has been successfully authenticated is obtained on the application side, and it is difficult to realize a detailed access control function based on the authentication result.

  In addition, in order to perform access control on the application side, it is necessary for the administrator to assign authority to the user in advance. In order to realize such a function, it is necessary to obtain a list of candidate users, select a user from the list, and grant authority. However, there are authentication means that do not have a function of providing a list of users in the external service.

  As this type of conventional example, there are, for example, Patent Documents 1 to 3 shown below.

JP 2002-333828 A JP 2004-86490 A JP 2000-106552 A

  However, in such a user authentication system, even if there is an external service that has a user authentication mechanism and provides an access control function based on the user authentication mechanism, the security function is only a function that is closed in the device. If not provided, there is a problem that it is difficult to ensure sufficient security and convenience.

  In such a case, the authentication procedure and the service use procedure are often inseparable. For this reason, when a plurality of external services are used in combination, it is advantageous in terms of maintenance, function expansion, etc. if the procedure can be abstracted and handled as “authentication” and “service use”. However, when the procedure is individually optimized as described above, the abstraction is hindered, and there is a problem that an individual response is required for each service.

  The present invention has been made in view of the above, and an authentication procedure that is automatically required in the minimum login operation of the user without considering the authentication required by the external service of the application user. It is an object to provide an authentication system, an authentication method, and a program that is executed by a computer.

To solve the above problems and achieve the object, the invention according to claim 1, an access control means for a terminal device provided with an application, the access control to the application, for the previous Kia application a first authentication means for authenticating the access control, before and external service device that provides external services Kia application utilizes the provided external service device, a second authenticating to the external service Authentication means, and the access control means authenticates the first authentication means and the second authentication means based on authentication information input by a user, and the application is successful when both authentications are successful. as well as allow access to, to using said first authenticator obtained authentication result by the first authentication means application By access, wherein the application uses the external service.
The invention according to claim 2 is the authentication system according to claim 1, wherein the application corresponds to each external function corresponding to each function indicated by setting information in which a series of functions to be executed by the terminal device is set. It is characterized by using service equipment.

Further, according the invention in claim 3 is the authentication system according to claim 1 or claim 2, wherein the access control means checks the setting information to customize the function and operation of the application, the setting further comprising an extraction means for extracting an authentication means necessary in, in the authentication process when the use start of the application, characterized that you perform the authentication for authentication unit extracted by said extraction means.

The invention according to claim 4 is the authentication system according to claim 1, wherein the access control means, when creating the setting information to customize the function and operation of the application, in accordance with the set In the authentication process at the start of use of the application, the recording unit further includes an extraction unit that extracts an authentication unit necessary to perform the operation, and a recording unit that records the extracted authentication unit and setting information in association with each other. that perform authentication for all authentication means recorded on the means and features.

The invention according to claim 5 is the authentication system according to any one of claims 1-4, of the second authentication means, a required authentication required to perform the functions and authentication means, an authentication regarding additional functions classified as an optional authentication unit, if the mandatory authentication about the authentication means has failed, stops the processing related to all authentication, authentication regarding the optional authentication means has failed when, characterized in that cause skip processing related to the authentication.

The invention according to claim 6 is the authentication system according to claim 5, wherein the distinction between essential authentication unit and the optional authentication unit, when customizing the setting information, specified by the administrator It is characterized by that.

The invention according to claim 7 is the authentication system according to claim 5, wherein the distinction between essential authentication unit and the optional authentication unit, and being determined by the external service attributes To do.

Moreover, the role invention according to claim 8 is the authentication system according to claim 5, the distinction between the essential authentication means and the optional authentication unit is applied to the external service which the application-defined characterized Rukoto determined by.

To solve the above problems and achieve the object, the invention according to claim 9, the terminal device comprising an application, an access control means for access control related to the terminal device, the previous Kia application and the external service device that provides the use external service, the provided external service device, a second authentication means for performing authentication to the external service, the authentication information and the user attribute storage means for storing in association with If, comprising an attribute information acquiring means for acquiring user attribute corresponding to the input authentication information of the user from the storage unit, wherein the access control means, the second authentication based on the input the user authentication information authenticates the unit, access if the authentication is successful, based on the user attribute acquired by said attribute information acquiring unit to the application By, wherein the application uses the external service.
The invention according to claim 10 is the authentication system according to claim 9, wherein the application is the external service device corresponding to each function indicated by setting information in which a series of functions executed by the terminal device is set. It is characterized by using.

Further, the invention relates to a certification system of claim 9 or claim 10, and a second authenticator obtained as a result of authentication by said second authentication means, the attribute information according to claim 11 A third authenticator is newly created by combining with the user attribute acquired by the acquiring means, and the application uses the external service using the second and third authenticators.

The invention according to claim 1 2, a certification system according to any one of claims 9 to 11, wherein the access control means, the first authentication means and the second authentication means After both authentications are successful, the second authenticator obtained as a result of the authentication by the second authenticating means, the connection information to the external service obtained in the session establishment procedure after the authentication, A fourth authenticator is generated by combining the first authenticator obtained as a result of authentication by the first authenticator, and the application of the terminal device uses the fourth authenticator to generate the external authenticator. It is characterized by using services .

The invention according to claim 1 3, a certification system of claim 10, wherein the access control means, after the authentication by certifying the second authentication unit is successful, the second Obtained as a result of searching the storage means by the attribute information acquisition means, the second authenticator obtained as a result of the authentication by the authentication means, the connection information to the external service obtained by the session establishment procedure after the authentication Generating a fifth authenticator by combining with user attributes necessary for controlling access to the external service device, and the application of the terminal device uses the external service by using the fifth authenticator It is characterized by.

To solve the above problems and achieve the object, the invention according to claim 1 4, based on the input authentication information of the user, prior to the first authenticating means for performing authentication of the access control to Kia application when the application if the the steps provided in the external service device performs authentication with the second authentication means for performing authentication to the external service, both of the first authentication and the second authentication is successful as well as allow access to by accessing to the application using the first authenticator obtained authentication result by the first authentication unit, the steps of the application utilizing the external service, the authentication how to, characterized in that it comprises.

To solve the above problems and achieve the object, the invention according to claim 1 5, computer, characterized in that to execute the steps of the authentication method according to claim 1 4 in the computer executes It is a program for.

It includes an application performs access control to the application by the access control means, to authenticate the access control to the first authentication means there application, the external service device is an external service application utilizes provided, the second authentication means provided in the external service device, performs authentication to the external service. The access control means performs authentication of the first authentication means and the second authentication means based on authentication information input by the user, and permits access to the application when both authentications are successful, The application uses the external service by accessing the application using the first authenticator obtained as a result of authentication by the first authentication means . In this way, when an application user inputs authentication information, the access control means authenticates the first authentication means and the second authentication means based on the authentication information, and the application can be used when both authentications are successful. become. For this reason, without considering the authentication required by the external service, the necessary procedure is automatically performed and the use is enabled only by performing a minimum login operation. In particular, even when multiple external services are used, or even when the external services to be used change dynamically, the response can be done without the burden on the user, reducing management effort and setting errors. be able to.

Further, according to the present invention includes an application, provides access control for the terminal apparatus by the access control means, the external service device provides external service application terminal equipment utilizes, second authentication means provided in the external service device, it performs authentication to the external service. Access control means performs authentication of the second authentication means based on the input the user authentication information, when the authentication is successful, to the based on the user attribute acquired by said attribute information acquiring unit Application By accessing, the application uses the external service . Thus, by delegating authentication function to the second authentication means of the external service device, the user can centrally manage, even if there is insufficient authentication by obtaining user attributes from the storage means, supplementing There is an effect that can be.

  Exemplary embodiments of a user authentication system, a user authentication method, and a program executed by a computer will be described below in detail with reference to the accompanying drawings.

(First embodiment)
FIG. 1 is a block diagram showing a schematic configuration of a user authentication system of the present invention. The user authentication system shown in FIG. 1 includes a terminal device that includes an application 10 that assumes use of an external service such as a printer function, an access control unit 11 that performs access control related to the terminal device, and access control for the application 10 of the terminal device. The first authentication unit 30 such as an authentication server that performs authentication of the external device, the external service device that provides the external service 20 that is used by the application 10 of the terminal device, and the use of the external service 20 that is incorporated in a part of the external service device A second authentication unit 21 that sometimes requests authentication, an access control unit 22 that performs access control related to the external service 20, and the like.

  The application 10 provides a function to a user who uses the terminal device based on setting information set in advance. As setting information at that time, it is possible to specify to provide a function using the external service 20.

  The access control unit 11 controls login processing for a user to access the application 10. The feature of this access control unit 11 is that the authentication procedure of the first authentication unit 30 and the second authentication unit 21 is automatically performed based on the authentication information input by the user, and when both authentications are successful, In addition to access to the application 10, external services can be used using the application 10. Further, even when there are a plurality of external services to be used, the user can use them with a minimum login operation.

  The external service 20 is a service that is assumed to be used by the application 10 of the terminal device, and is provided by an external service device. For example, a printer for a printer application may provide a print service.

  The second authentication unit 21 is an authentication unit incorporated as a part of the external service 20 and is not normally assumed to be used outside the external service. For this reason, the second authentication unit 21 provides an authentication function. When the security function is only provided in the device, the second authentication unit 21 ensures both sufficient security function and convenience. Is difficult. However, in the present invention, the access control unit 11 automatically performs the authentication procedure of the first authentication unit 30 and the second authentication unit 21 based on the authentication information input by the user, and when both authentications are successful. Since access to the application 10 and use of the external service 20 using the application 10 are enabled, both security functions and convenience can be ensured.

  The access control unit 22 controls login processing for accessing the external service 20. In the present invention, the access control unit 11 performs the authentication procedure for the first authentication unit 30 and the second authentication unit 21 based on the authentication information input by the user of the application 10, and when both authentications are successful, the access control unit 11 22 permits the application 10 to access an external service, and the application can use the external service.

  The 1st authentication part 30 is comprised by the authentication server etc., and is a general purpose authentication means to authenticate based on the user information which the user input user ID and password. In the present invention, the authentication procedure for the first authentication unit 30 and the second authentication unit 21 is performed based on the authentication information input by the user of the application 10, and when both authentications are successful, the user can access the application 10. The external service 20 can be used using the application 10. When the user accesses the application 10, the first authenticator obtained as a result of authentication by the first authentication unit 30 is used.

  FIG. 3 is a diagram showing an example of a management screen in the application of the terminal device of FIG. The application in the first embodiment uses a plurality of external services in combination in order to provide a series of functions to the user. Therefore, the management screen shown in FIG. 3 simply represents the data flow executed by the application 10. Here, for example, when document data is input from the left on the main flow of the management screen (Svr (1) Input), various processes are performed in the process of flowing to the right and necessary information is added (Svr (7) OCR, Svr (8) Search), and finally output to the outside (Svr (2) Output).

  FIG. 4 is a diagram showing a list of external services referred to in the data flow set as shown in FIG. When defining a data flow as shown in FIG. 3, it is possible to define a data flow simply by selecting from the services registered in the list of FIG. The external service list is associated with the name, function, connection destination URL, authentication method, authentication service URL, and the like of the external service.

  FIG. 5 is a diagram showing an example of a list of authentication methods in the user authentication system generated in advance, and is associated with a processing flow name and an authentication service URL. This authentication method list is generated in advance, and the access control unit 11 in FIG. 1 examines the setting information for customizing the function and operation of the application 10 as an extraction means for extracting an authentication method necessary for the setting from the list. The extraction part (illustration omitted) is further provided. As described above, when the authentication process is performed at the start of use of the application 10, authentication can be attempted for all the authentication methods extracted by the extraction unit. It becomes possible to use it only by performing the limit login operation.

  Further, the access control unit 11 examines the setting information for customizing the function and operation of the application 10, and in addition to the extraction unit that extracts the authentication method necessary for the setting from the list, the extracted authentication method and setting information. May be further provided as a recording unit (not shown) as a recording unit that records the information in association with each other. As described above, in the case of an application in which the external service used dynamically changes depending on the setting of the application, the required authentication method also changes. However, here, the authentication method necessary for performing the operation according to the setting is extracted by the extraction unit, the extracted authentication method and the setting information are associated with each other, recorded in the recording unit, and recorded in the recording unit. Since authentication is attempted for all the authentication methods, it is possible to perform without any burden on the user, and it is possible to reduce management effort and setting errors.

  FIG. 2 is a flowchart for explaining the operation according to the first embodiment. When the user of the application 10 starts the login process, the process is automatically executed according to the procedure shown in FIG. 2. As a result, whether the login process of FIG. Prove. When the user of the terminal device accesses the application 10 on the premise that the external service 20 is used, a login process is performed. When the login process is started, the access control unit 11 extracts the flow definition information of the data flow set as shown in FIG. 3 from the list of FIG. 4 (step S100).

  Here, it is determined whether there is an unchecked external service (step S101). If there is an external service, one piece of external service information used in the flow definition is extracted (step S102), and the external service is extracted. Determines whether the second authentication is requested (step S103). If the second authentication is requested, the second authentication is marked as the authentication destination (step S104). If the second authentication is not requested, the process returns to step S101 as it is.

  If there is no unchecked external service in step S101 or if all the authentication destinations have been marked, a login screen is displayed on the operation screen of the terminal device (not shown) (step S105). Here, when the user inputs the user ID and password necessary for login, the access control unit 11 performs the first authentication for the first authentication unit 30 using the input information (step S106). The first authenticator obtained by the first authentication is used when the user performs access control on the application.

When the first authentication is successful (step S107), the process proceeds to step S108, and it is determined whether or not another authentication destination such as the second authentication unit 21 is marked. If there is another authentication destination, authentication is attempted for the marked authentication service (step S109). If the authentication is successful as a result (step S110), the process returns to step S108 to determine whether any other authentication destination is marked. When there is no other authentication destination and all the authentications to be performed are successful, the external service 20 can be used using the application 10.

  However, in step S107, the authentication in the first authentication unit 30 results in an error, or even if the first authentication is successful, the authentication in the second authentication unit 21 or any other marked authentication unit results in an error. If this happens (step S110), it is processed as a login failure.

  As described above, according to the first embodiment, the first authentication unit that performs access control authentication for the application and the second authentication unit that is incorporated in a part of the external service device and requests authentication when using the external service. Even if there is an authentication unit, the user can perform both authentication processes automatically by performing a minimum login operation, and if both authentications are successful, an external service can be used using an application. it can.

  Further, according to the first embodiment, the access control unit of the application inspects the setting information for customizing functions and operations to create a list of authentication methods, and lists the required authentication methods according to the settings. Since the authentication is attempted for all the extracted authentication methods, even if there are a plurality of external services that the user wants to use, the user can use them only by performing a minimum login operation.

  Further, according to the first embodiment, the access control unit of the application extracts a required authentication method from the list according to the setting, and records the extracted authentication method and setting information in association with each other. Therefore, even if the external service used by the setting changes dynamically, authentication is attempted for all authentication methods that are recorded in association with the authentication method, so there is no burden on the user. It is possible to reduce the trouble of management and setting mistakes.

(Second Embodiment)
The feature of the second embodiment is that the second authentication unit 21 shown in FIG. 1 is an essential authentication unit as an essential authentication unit that performs essential authentication in order to execute the function of the application, and authentication related to an optional function. This is classified into two types, that is, an optional authentication unit as an optional authentication means for performing the processing. Although the essential authentication unit and the optional authentication unit are not illustrated in FIG. 1, the essential authentication unit and the optional authentication unit are provided in the second authentication unit 21. Even if the authentication related to the optional authentication unit fails, only the authentication process is skipped and the entire authentication process is not stopped.

  FIG. 6 is a flowchart for explaining the operation according to the second embodiment. The flowchart of FIG. 6 is obtained by changing the part related to the second authentication processing operation of the flowchart of FIG. That is, Steps S200 to S203 in FIG. 6 correspond to Steps S105 to S108 in FIG. 2, but the processing in subsequent Steps S204 to S207 is different.

  FIG. 7 is a diagram showing an example of a management screen in which an administrator can explicitly classify authentication required for designing a data flow or authentication related to an optional function. For example, the administrator determines that authentication of a service that inputs document data (Svr (1) Input) and finally outputs to the outside (Svr (2) Output) is indispensable. Assume that the additional service (Svr (8) Search) that performs optical reading (Svr (7) OCR) or searches based on the read data is determined to be authentication related to an optional function. In that case, when designing the data flow, the administrator must enter “Optional” for optional functions on the management screen as shown in FIG. Can do.

  FIG. 8 is a diagram showing another example of a management screen that enables an administrator to explicitly classify authentication that is essential or authentication related to an optional function when designing a data flow. As shown in FIG. 8, for the services (Svr (1) Input, Svr (2) Output) that make up the left and right end points of the data flow, it is impossible to omit this, so the (x) mark is put. This means that it is mandatory authentication, and for services (Svr (7) OCR, Svr (8) Search) that handle data processing, etc., which are located in the middle of other flows, authentication for optional functions (× ) It can be clearly indicated by not entering the mark.

  Furthermore, FIG. 9 is a diagram showing a list of external services in which attribute information of external services is classified as a criterion for determination as to whether authentication is required when an administrator designs a data flow or authentication related to an optional function. In the list of FIG. 9, it is determined whether the authentication is essential authentication or optional function authentication using the attribute information of the external service as a determination criterion. As an example of the determination criteria, classification can be performed by determining whether the service can be omitted based on the function or service type of the service, or whether the service is an indispensable service in which the function is not established if omitted. Here, based on the service function and service type, the basic services (Svr (1) Input, Svr (2) Output, Svr (9) Output) are mandatory authentications and filters (Svr (7) OCR, Svr (8) Search) is determined to be authentication related to an optional function.

  The operation according to the second embodiment will be described with reference to the flowchart of FIG. FIG. 6 continues to step S101 of FIG. When a login screen is displayed on an operation screen of a terminal device (not shown) (step S200) and the user inputs a user ID and password necessary for login, the access control unit 11 uses the input information to generate a first authentication unit. The first authentication is executed for 30 (step S201). The first authenticator obtained by the first authentication is used when the user performs access control on the application.

  When the first authentication is successful (step S202), the process proceeds to step S203, and it is determined whether there is another authentication destination such as the second authentication unit 21. If there is another authentication destination, authentication is attempted for the specified authentication service (step S204). As a result, if the authentication is successful (step S205), the process returns to step S203 to determine whether there is another second authentication destination. When there is no other authentication destination and all the authentications to be performed are successful, the external service 20 is used using the application 10.

  In step S204, if an authentication error occurs as a result of attempting to authenticate the designated authentication service (step S205), the process proceeds to step S206 to determine whether the second authentication is an essential authentication. Here, as shown in FIG. 7, the classification result designated by the administrator, as shown in FIG. 8, the classification result based on the role of the external service such as which position of the data flow constitutes the service, or FIG. As shown in FIG. 4, the determination is made based on the classification result based on the attributes (category information, etc.) of the external service such as the service function and service type. In step S206, if an authentication error occurs in the required authentication, login fails and the authentication process is stopped. In step S202, if an authentication error occurs in the first authentication process, the login process is similarly failed, and the authentication process is stopped.

  In step S206, if an authentication error occurs in the authentication related to the optional function, the entire authentication process is not made an error, but is skipped not to use only the service corresponding to the authentication and used for the corresponding service. The disabled mark is recorded, and the process returns to step S203.

  As described above, according to the second embodiment, when the second authentication results in an error, instead of canceling the authentication process uniformly, if the second authentication is an essential authentication, The authentication process is stopped, but in the case of authentication related to an optional function, the process related to the authentication is skipped so that the entire authentication process is not stopped. For this reason, in an application that provides a function to a user using a plurality of external services, it is possible to eliminate the inconvenience that the application cannot be used at all unless the authority is given to all the external services. Also, if you have the authority for some services, you can use only basic functions.

(Third embodiment)
The feature of the third embodiment is that when an application using an external service that requests the second authentication performs the second authentication based on the authentication information input by the user and the login is successful, the authentication information The directory service is searched based on the user attribute, the user attribute is acquired, and the access control of the application itself is performed based on the user attribute.

  FIG. 10 is a flowchart for explaining the operation according to the third embodiment. The flowchart of FIG. 10 is obtained by changing the operation after the login screen is displayed in the flowchart of FIG. That is, step S300 in FIG. 10 corresponds to step S105 in FIG. 2, and the processing in subsequent steps S301 to S305 is different.

  In the third embodiment, a directory service storing user attributes is provided in the application 10 of FIG. Further, the access control unit 11 as the attribute information acquisition unit searches the directory service based on the authentication information input by the user, and if the user attribute corresponding to the user authentication information cannot be searched, the login fails. It becomes. When a user attribute necessary for controlling access to the external service 20 is acquired, access control of the application itself is performed based on the user attribute.

  Further, a second authenticator obtained as a result of the second authentication and a user attribute obtained as a result of searching the directory service are combined to newly create a third authenticator. A third authenticator is used.

  FIG. 11 is a diagram illustrating an example of the third authenticator. As shown in FIG. 11, the authentication result related to the external service 20 is included as part of a newly created authenticator as external authentication information. In addition, for example, organization information, employee classification, a list of management group names registered as members are included in the authenticator, and these can be acquired separately from the directory service. These can be extracted from the authenticator and used inside the application as information for determining the authority level of the user.

  The operation according to the third embodiment will be described with reference to the flowchart of FIG. FIG. 10 continues to step S101 of FIG. When a login screen is displayed on an operation screen of a terminal device (not shown) (step S300) and the user inputs a user ID and password necessary for login, the access control unit 11 uses the input information to generate a second authentication unit. The second authentication is performed on 21 (step S301).

  When the second authentication is successful (step S302), the process proceeds to step S303, and the directory service storing the user attribute is searched using the authentication information input by the user (step S303). If user attribute information necessary for access control can be acquired as a result of the search (NO in step S304), the second authenticator obtained as a result of the second authentication and the search result of the directory service are merged. A new third authenticator is created (step S305). The application starts using the second and third authenticators.

  If the second authentication result results in an error (step S302), and if a search error occurs as a result of searching the directory service (step S304), the authentication process is stopped as a login failure.

  Thus, according to the third embodiment, by entrusting the user authentication function to the second authentication unit 21 of the external service 20, the user is centrally managed, and even when the authentication function is insufficient, By using the directory service to acquire user attributes, the lack of authentication function can be compensated.

  Further, according to the third embodiment, it is assumed that the authentication mechanism functions differently by combining the second authentication result and the user identity information (user attribute) as a new third authenticator. However, when using the result, it can be utilized without being aware of the difference.

(Fourth embodiment)
The feature of the fourth embodiment is obtained as a result of the second authentication after the first authentication and the second authentication are performed in the same manner as in the first embodiment, and both authentications are successful. The fourth authenticator is obtained by fusing the second authenticator, the connection information to the external service obtained in the session establishment procedure after authentication, and the first authenticator obtained as a result of the first authentication. The generated application uses the fourth authenticator.

  Further, the feature of the fourth embodiment is that the second authenticator obtained as a result of the second authentication after the second authentication is performed and the authentication is successful, as in the third embodiment. A combination of the connection information to the external service obtained in the session establishment procedure after authentication and the user information necessary for controlling access to the external service obtained as a result of searching the directory service by the attribute information acquisition means Is generated, and the application uses the fifth authenticator.

  As described above, in the fourth embodiment, an external service is used or user information is acquired using an authenticator obtained as a result of the authentication procedure. After the authentication is successful, all information necessary for the application is collected as an authentication result in an authenticator (authentication certificate) received by the application. Information required by the application includes connection information to an external service, identity information of the user, and the like. As described above, when an application uses an external service or when access control is performed by the application itself, the processing is unified so as to always use information included in the authenticator.

  FIG. 12 is a diagram in which the provided function forms when the user authentication function is provided by an external service are classified for each pattern. The basic function is to perform user authentication first, and if successful, the actual service function can be used. This point is common, but the actual design results are implemented in various patterns. Yes.

  The normalized function division is shown on the right side of FIG. 12, and an example of the function division of the external service is shown on the left side. Here, the service interface shown on the left side can be converted into the service interface shown on the right side. Applications will always be able to use this normalized service interface.

  First, the function of each service interface will be described. login (userName, password) ⇒ For Credential, the “authentication information entered by the user” is checked against “information that can confirm the identity” to identify the user. The Credential obtained as a result is a certificate of the identified user information, and it can be confirmed that the content is correct when an application or the like uses the user information later.

  For startSession (Credential) ⇒ sessionId, it is not efficient to verify the user's identity each time the application uses the service repeatedly. Issue SessionId with expiration date. The service only needs to confirm the SessionId presented by the application, and there is no need to confirm the identity of the user from the beginning. In addition, security vulnerabilities do not occur if properly implemented.

  UseService (SessionId, otherParameters) represents the function that the service originally provides. The result of the call and the information that can be obtained are various, so they are not described individually. SessionId etc. are passed as parameters, but this part changes depending on whether authentication is required or communication is performed using Session with the service.

  Next, a conversion method for each pattern will be described. In pattern 1, user authentication is performed, and then a session is established between the application and the service with the result (Credential), and then the original service function can be used. This is the most basic function provision form, and the authentication function and other provision functions are completely separated. Therefore, even when using an independent authentication service (first authentication), such an implementation is used. Often has become. In the normalized service interface, the session does not appear clearly on the interface, but by including the SessionId in the Credential, it is possible to hide the Session from the application and match the normalization pattern .

  Pattern 2 is a service interface based on Session, but authentication and a session start request are combined as one function. Comparing this pattern with the normalization pattern, the difference is that the data to be exchanged is replaced from Credential to SessionId. However, the original function of Credential shown here is only to show the authentication result (taking countermeasures against tampering, etc.), and is completed with the data itself. However, since SessionId means the reference information to the user connection information temporarily recorded on the service side, when destroying the data, tell the service side about it, and the service side data Also need to be destroyed. Therefore, in the normalization pattern, logout is called and transmitted to the service side.

  The pattern 3 is the same as the pattern 2 except for the name of the method to be called, and the description is omitted.

  Pattern 4 is an interface that does not have a session between the service and the application. Depending on the functions provided by the service, there are cases where it is not necessary to create a session. In the normalization pattern, logout is called, but it is not necessary to transmit information corresponding to logout for the service of this pattern.

  Pattern 5 is a service interface specification in which the session is established first and then the user is confirmed. When the service is used in an anonymous session (when the service is provided without revealing its identity), the function may be provided in such a procedure. Even in such a case, it is possible to normalize by merging SessionID and Credential.

  Pattern 6 has a service interface specification that has neither an independent authentication function nor a concept of Session, and an interface that presents the user's identity information when using the service. In this case, it can be considered that Credential = authentication information, and the difference in interface can be hidden. Regarding logout, as in the case of the above pattern 4, there is no information to be transmitted to the service.

  As described above, according to the fourth embodiment, when using various external services and their authentication function, the usage method related to the authentication function can be handled in a unified manner. By executing, even an unknown external application can be used by the same procedure.

It is a block diagram which shows schematic structure of the user authentication system of this invention. It is a flowchart explaining the operation | movement concerning 1st Embodiment. It is a figure which shows the example of a management screen in the application of the terminal device of FIG. FIG. 4 is a diagram showing a list of external services referred to in the data flow set as shown in FIG. 3. It is a figure which shows the example of a list | wrist of the authentication method in the user authentication system produced | generated beforehand. It is a flowchart explaining the operation | movement concerning 2nd Embodiment. It is a figure which shows the example of a management screen which enabled it to classify | categorize explicitly whether an administrator is authentication required when designing a data flow, or the authentication regarding an optional function. It is a figure which shows another example of a management screen which enabled it to classify | categorize explicitly whether an administrator is authentication required when designing a data flow, or authentication regarding an optional function. It is a figure which shows the list of the external service which classified the attribute information which an external service has as a criterion with whether it is authentication required when an administrator designs a data flow, or authentication regarding an optional function. It is a flowchart explaining the operation | movement concerning 3rd Embodiment. It is a figure which shows an example of a 3rd authenticator. It is the figure which classified the provided function form in case a user authentication function is provided by an external service for every pattern.

Explanation of symbols

DESCRIPTION OF SYMBOLS 10 Application 11 Access control part 20 External service 21 2nd authentication part 22 Access control part 30 1st authentication part

Claims (15)

A terminal device comprising an application,
Access control means for controlling access to the application ;
A first authentication means for authenticating the access control to the previous Kia application,
And external service equipment to provide external services before Kia application to use,
Provided in the external service device, a second authentication means for performing authentication to the external service,
With
The access control unit authenticates the first authentication unit and the second authentication unit based on authentication information input by a user, and permits access to the application when both authentications are successful. the by accessing the application first authentication means by using the first authenticator obtained as a result of the authentication, authentication system that is characterized in that the application is using the external service. The authentication system according to claim 1, wherein the application uses the external service device corresponding to each function indicated by setting information in which a series of functions executed by the terminal device is set. The access control means further comprises extraction means for examining setting information for customizing the function and operation of the application and extracting authentication means necessary for the setting,
In the authentication process when the use start of the application, authentication system according to claim 1 or claim 2, characterized that you perform authentication on the extracted authentication means by the extraction means. The access control means includes: an extraction means for extracting an authentication means necessary for performing an operation according to the setting when creating setting information for customizing the function and operation of the application; and the extracted authentication means and the setting Recording means for recording in association with information,
In the authentication process when the use start of the application, authentication system according to claim 1, characterized that you perform authentication for all authentication means is recorded in the recording means. Among the second authentication means, authentication essential for executing the function is classified as essential authentication means, and authentication related to the additional function is classified as optional authentication means,
If the authentication regarding the mandatory authentication means has failed, it stops the processing related to all authentication, if the authentication regarding the optional authentication means has failed, according to claim 1, wherein the cause skip processing related to the authentication authentication system according to any one of 1-4. The essential distinction between the authentication unit and the optional authentication unit, authentication system according to claim 5, when customizing the configuration information, characterized in that specified by the administrator. The essential distinction between the authentication unit and the optional authentication unit, authentication system according to claim 5, characterized in that it is determined by the external service attributes. The essential distinction between the authentication unit and the optional authentication unit, authentication system according to claim 5, characterized in Rukoto determined by the role given to external service which the application is defined. The terminal device comprising an application,
Access control means for performing access control on the terminal device;
And external service equipment to provide external services before Kia application to use,
Provided in the external service device, a second authentication means for performing authentication to the external service,
Memory means for storing the authentication information and the user attribute in association with,
Attribute information acquisition means for acquiring user attributes corresponding to the authentication information input by the user from the storage means ;
Wherein the access control unit performs authentication of the second authentication means based on the input the user authentication information, when the authentication is successful, based on the user attribute acquired by said attribute information acquiring means by accessing the application Te, authentication system the application you characterized by using the external service. The authentication system according to claim 9, wherein the application uses the external service device corresponding to each function indicated in setting information in which a series of functions executed by the terminal device is set. A second authenticator obtained as a result of authentication by the second authenticating means and a user attribute acquired by the attribute information acquiring means are combined to newly create a third authenticator, and the application authentication system according to claim 9 or claim 10, characterized in that using the external service using the second and third authenticator. The access control means performs authentication of the first authentication means and the second authentication means, and after both authentications are successful, a second authenticator obtained as a result of authentication by the second authentication means. And the connection information to the external service obtained in the session establishment procedure after the authentication and the first authenticator obtained as a result of the authentication by the first authenticating means are combined to generate a fourth authenticator. ,
The application of the terminal device, authentication system according to any one of claims 9 to 11, characterized by using the external service using the authenticator fourth. The access control means performs authentication of the second authentication means, and after successful authentication, the second authenticator obtained as a result of authentication by the second authentication means, and a session establishment procedure after authentication. A fifth authenticator is obtained by combining the obtained connection information to the external service and the user attribute necessary for controlling the access to the external service device obtained as a result of searching the storage unit by the attribute information acquisition unit. Generate
The application of the terminal device, authentication system according to claim 10, characterized by using the external service using the authenticator fifth. Based on input authentication information of the user, prior to a first authentication means for authenticating the access control to Kia application, a second authentication means provided in the external service device to authenticate to the external service The step of authenticating
The access to the application is permitted when both the first authentication and the second authentication are successful, and the first authenticator obtained as a result of authentication by the first authentication means is used. Accessing the application to allow the application to use the external service ;
Authentication how to characterized in that it comprises a. Program for computer, characterized in that to execute the steps of the authentication method according to claim 1 4 in the computer executes.

Images