JP6710230B2 - Authentication system and authentication method - Google Patents

Description

The present invention relates to an authentication system and an authentication method for authenticating a web service whose access is restricted by single sign-on.

In recent years, an integrated authentication technique called Single Sign-On (SSO) has become widespread (for example, Patent Document 1). According to SSO, it becomes possible to use a plurality of web services (for example, groupware applications) that require individual authentication processing by user authentication by a single login operation. A web service linked by SSO is referred to as "SSO linked service".

In particular, in the case of Internet Explorer (registered trademark, hereinafter referred to as “IE”), which is a standard browser of Windows (registered trademark), when accessing a plurality of web services that require individual authentication processing, By joining the active directory, integrated windows authentication can be used (for example, Patent Document 2). In the integrated windows authentication, the authentication at the first access is performed by the account information (user ID and password, hereinafter referred to as “OS account information”) when logging in to the operating system (hereinafter referred to as “OS”).

FIG. 1 is a diagram showing an example of a conventional authentication system 60 that performs single sign-on using integrated windows authentication. As shown in FIG. 1, the authentication system 60 is used when using a web service provided by a plurality of web servers 20 that require an authentication process and are connected to a corporate network N1 such as a LAN (Local Area Network). Authenticate. For this authentication, the client terminal 53 existing in the in-company network N1 can use the integrated windows authentication by participating in the active directory 40. Further, the external client terminal 51 also participates in the active directory 40 via the VPN server 55 (VPN: Virtual Private Network) from the Internet N2, so that integrated windows authentication can be similarly used.

The authentication system 60 is an integrated windows authentication environment that realizes integrated windows authentication, and includes a reverse proxy server 61 and an SSO server 62. The reverse proxy server 61 and the SSO server 62 cooperate to perform the authentication process by the integrated windows authentication. The authentication process at the time of the first access to the web server 20 will be described below.

When the client terminal 50 makes an access request to the URL of the web service provided by the web server 20, the DNS server 54 connects to the reverse proxy server 61.

When the client terminal 53 logs in to the OS, an authentication ticket called a TGT (Ticket Granting Ticket) is issued from the active directory 40. When the IE of the client terminal 53 requests access to the web service provided by the web server 20 in this state, the reverse proxy server 61 determines whether the client terminal 53 is authenticated by the SSO server 62.

If it is confirmed that the user is not authenticated, the SSO server 62 responds with an authentication error (401 error). When the IE of the client terminal 53 receives the 401 error, the IE of the SSO server 62 is requested to collate the authentication ticket information with the OS account information registered in the active directory 40. Upon receiving this request, the SSO server 62 collates the information of the authentication ticket with the OS account information registered in the active directory 40, and if the collation is established, the SSO server 62 authentication cookie is sent to the IE of the client terminal 53. Issue.

As a result, the integrated windows authentication is established, and the client terminal 53 can use the SSO cooperation service including the web service provided by the web server 20 by using this authentication cookie. That is, each time the SSO cooperation service is used, access is permitted by owning the authentication cookie without performing a login operation.

On the other hand, the client terminal 52 is an iPhone (registered trademark) or an iPad (registered trademark), and a web service provided by the web server 20 from a web browser other than IE (for example, Safari (registered trademark) that is a standard browser of iOS). When the access is requested to the user, the integrated window authentication is not performed in the authentication system 60. This is because the integrated Windows authentication is premised on the use of IE, and web browsers other than IE are not supported.

In this case, Safari ignores the authentication error (401 error) and requests the SSO server 62 for a login screen to enter the login ID and login password for performing authentication. The act of establishing authentication to the SSO server 62 using this login screen is referred to as "Form authentication". When the user performs the Form authentication and the login ID and the login password entered in the SSO server 62 are verified, the authentication cookie is issued to Safari of the client terminal 52.

Japanese Patent No. 4652350 JP, 2013-8140, A

As described above, the web browsers other than IE do not perform the integrated window authentication, but the Form authentication. However, depending on the web browser used, there is a case where the authentication error cannot be interpreted and even the Form authentication cannot be performed. For example, in iOS 7.0 and later versions, if an attempt is made to use integrated windows authentication with Safari, a communication error will occur and Safari will hang up. The following three methods are generally used as a solution to such a problem.

First, since the version of iOS 7.0 or later has the enterprise single sign-on function, it is conceivable to change the configuration profile of iOS and enable the authentication by the integrated windows authentication. However, since it is necessary to manage all the client terminals that originally have the access right, and since the iOS is automatically updated, there is a possibility that a sudden malfunction may occur.

Second, by using the function of the load balancer installed when introducing the SSO environment, the type of the web browser of the access source is determined at the time of authentication, and the authentication environment of the access destination (for integrated Windows authentication) is determined based on the determination result. It is conceivable to distribute the authentication environment of (1) or the authentication environment for Form authentication). However, the function for discriminating the type of web browser is not an essential function for the load balancer, and some load balancers do not have the function, and therefore it is not a standard solution.

Thirdly, it is conceivable to install a DNS server accessed by the IE and a DNS server accessed by a web browser other than the IE, and allocate the authentication environment of the access destination by the DNS server. However, changing the DNS server for each client terminal or web browser is not a general operation, and in many cases it is necessary to rebuild the system infrastructure environment.

An object of the present invention is to provide an authentication system and an authentication method capable of solving a problem that occurs when authenticating a web service whose access is restricted by SSO using OS account information without drastically changing the existing system infrastructure environment. Is to provide.

The authentication system according to the present invention is
An authentication system that authenticates by SSO when an access request is made from a web browser of a client terminal for a web service provided by a web server and whose access is restricted,
A first authentication device for performing authentication based on the OS account information of the client terminal;
A second authentication device that authenticates by using the Form authentication information entered in the login form in the web browser;
When there is an access request specifying the URL of the web service from the client terminal, the type of the web browser is determined based on the user agent information included in the access request, and the web browser is a predetermined web browser. While responding to the web browser to access the URL of the first authentication device in a certain case, access the URL of the second authentication device when the web browser is not the predetermined web browser. And a distribution server that responds to the web browser,
The first authentication device, accept the OS account information from the client terminal, in the case of authenticating the OS account information, relative to the previous Symbol the web service the web browser allow the use of the client terminal Issue an authentication cookie ,
The second authentication apparatus receives the Form authentication information from the client terminal, when authenticating the Form authentication information for the previous SL the web service the web browser to allow the use of the client terminal Issue an authentication cookie,
The web browser to which the authentication cookie has been issued can access the web server via the first authentication device or the second authentication device .

The authentication method according to the present invention is
An authentication method for performing authentication by SSO when an access request is made from a web browser of a client terminal for a web service provided by a web server with access restriction,
(A) When the distribution server receives an access request specifying the URL of the web service from the client terminal, the distribution server determines the type of the web browser based on the user agent information included in the access request, and determines the web browser. When the browser is a predetermined web browser, the web browser responds to the URL of the first authentication device so as to access the URL of the first authentication device, and when the web browser is not the predetermined web browser, the second authentication device Responding to the web browser to access the URL,
(B) when the web browser determined in step A is a predetermined web browser, the first authentication device authenticates with the OS account information of the client terminal;
(C) when the web browser determined in step A is not the predetermined web browser, the second authentication device performs authentication by using the Form authentication information entered in the login form in the web browser, Equipped with
In the step B, the first authentication apparatus receives the OS account information from the client terminal, when authenticating the OS account information, the permit to use the web service before SL client terminal Issue an authentication cookie to a web browser ,
In the step C, the second authentication apparatus receives the Form authentication information from the client terminal, when authenticating the Form authentication information, the permit to use the web service before SL client terminal Issue an authentication cookie to a web browser,
The web browser to which the authentication cookie has been issued can access the web server via the first authentication device or the second authentication device .

According to the present invention, since the authentication device previously associated with the web browser performs the authentication process suitable for the web browser, when performing the authentication of the web service whose access is restricted by the SSO using the OS account information. It is possible to solve the problems that occur without significantly changing the existing system infrastructure environment.

It is a figure which shows an example of the conventional authentication system which performs single sign-on using integrated windows authentication. It is a figure which shows an example of the authentication system which concerns on one embodiment of this invention. It is a figure which shows an example of the authentication process at the time of the first access using the authentication system of this Embodiment. It is a figure which shows another example of the authentication processing at the time of the first access using the authentication system of this Embodiment.

Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.

FIG. 2 is a diagram showing an authentication system 10 according to an embodiment of the present invention. As shown in FIG. 2, the authentication system 10, the web server 20, the distribution server 30, and the active directory 40 are connected to a corporate network N1 such as a LAN.

The authentication system 10 realizes single sign-on when the client terminal 50 uses the web service provided by the web server 20 with access restriction. When the authentication system 10 authenticates the first access and issues the authentication cookie, the SSO cooperation service including the web service provided by the web server 20 can be used without individually performing the authentication process.

The web service provided by the web server 20 includes not only client terminals 53 existing in the corporate network N1 and participating in the active directory 40 but also external client terminals from the Internet N2 via the VPN server 55. 51 and 52 are also accessible.

When the OS of the client terminals 51 and 53 is Windows and the web service is used by IE, which is a standard browser of Windows, SSO in the integrated Windows authentication environment is supported. In the client terminal 52, when the OS is iOS and the web service is used in Safari which is the standard browser of iOS, SSO by the integrated windows authentication environment is not supported by default unless the configuration file of iOS is changed. ..

The authentication system 10 includes a distribution server 30 that determines the types of the first authentication device 11, the second authentication device 12, and the web browser, and controls the authentication device destination based on the determination result.

The first authentication device 11 is an authentication environment that realizes integrated windows authentication and includes a reverse proxy server 111 and an SSO server 112. At the first access to the web service provided by the web server 20, the reverse proxy server 111 and the SSO server 112 cooperate with each other to perform an authentication process by integrated windows authentication.

The second authentication device 12 is an authentication environment that realizes Form authentication and includes a reverse proxy server 121 and an SSO server 122. When the web service provided by the web server 20 is accessed for the first time, the reverse proxy server 121 and the SSO server 122 cooperate with each other to perform authentication processing by Form authentication.

In the active directory 40, the regular user OS account information of the corporate network N1 is registered.

When the client terminals 51 and 52 connected to the Internet N2 make an access request to the service provided by the web server 20 via the VPN server 55, the distribution server 30 operates as a web browser of the client terminals 51 and 52. The type is determined and the access destination is determined. Specifically, the distribution server 30 determines the type of the web browser that is the access source, and controls so that the first authentication device 11 performs authentication when the web browser is IE, while the web browser concerned. If it is not IE, the second authentication device 12 is controlled to perform authentication.

As the distribution server 30, for example, “Apache HTTP Server” (hereinafter referred to as “Apache”) is applied. By setting Apache, the type of the web browser of the access source is discriminated based on the User-Agent HTTP header included in the access request, and transferred to the first authentication device 11 or the second authentication device 12.

When the client terminals 51 and 52 request access to the URL of the web service provided by the web server 20, the DNS server 54 connects to the distribution server 30.

The authentication process at the time of the first access to the web service provided by the web server 20 will be described below.

FIG. 3 is a diagram showing an example of an authentication process at the time of first access using the authentication system 10 of the present embodiment. FIG. 3 shows a processing flow when an access request is made from the client terminal 51 whose web browser is IE.

In step S101, the IE of the client terminal 51 makes an access request to the web service provided by the web server 20. The URL of the web service is “http://test-web.com”, for example. The DNS server 54 finds the IP address associated with “http://test-web.com”, and sends the access request to the distribution server 30.

In step S102, the distribution server 30 determines the type of web browser that has made the access request. Here, the web browser making the access request is the IE.

In steps S103 and S104, the distribution server 30 responds to the web browser so as to access the first authentication device 11 which is the SSO environment corresponding to the IE. The URL of the first authentication device 11, which is the response content, is, for example, “http://test-web-win.com” based on the setting file managed by the distribution server 30.

In step S105, the first authentication device 11 performs authentication by integrated windows authentication. Specifically, the SSO server 112 compares the information of the authentication ticket of the client terminal 51 with the OS account information registered in the active directory 40, and when the comparison is established, the SSO server 112 authenticates the IE of the client terminal 51 with the authentication cookie. To issue.

In step S106, the first authentication device 11 permits the web server 20 to use the web service by the client terminal 51. At this time, the URL of the access destination is converted into "http://test-web.com" which is the original access destination. This is because if the URL of the access destination remains the URL “http://test-web-win.com” of the first authentication device 11, malfunction may occur in the web service. The web service can be operated normally by converting the URL of the access destination.

In step S107, the web server 20 provides the access-requested web service to the client terminal 51. The client terminal 51 can use the authentication cookie issued by the first authentication device 11 to use the SSO cooperation service including the web service provided by the web server 20 without individually performing the authentication process. ..

FIG. 4 is a flowchart showing an example of the authentication process at the time of the first access using the authentication system of this embodiment. FIG. 4 shows a processing flow when an access request is made from the client terminal 52 whose web browser is Safari.

In step S201, Safari of the client terminal 52 makes an access request to the web service provided by the web server 20. The URL of the web service is “http://test-web.com”, for example. The DNS server 54 finds the IP address associated with “http://test-web.com”, and sends the access request to the distribution server 30.

In step S202, the distribution server 30 determines the type of web browser that has made the access request. Here, the web browser that issued the access request is Safari.

In steps S203 and S204, the distribution server 30 makes a response to the web browser so as to access the second authentication device 12, which is an SSO environment corresponding to Safari. The URL of the second authentication device 12, which is the response content, is, for example, “http://test-web-form.com” based on the setting file managed by the distribution server 30.

In step S205, the second authentication device 12 performs authentication by Form authentication. Specifically, the SSO server 122 displays a login form screen for Form authentication on Safari of the client terminal 52. As the user inputs and sends the Form authentication information (login ID and login password), the second authentication device 12 performs verification using the input login ID and login password information and the OS account information, and When established, the authentication cookie is issued to the IE of the client terminal 52.

In step S206, the second authentication device 12 permits the web server 20 to use the web service by the client terminal 52. At this time, the URL of the access destination is converted into "http://test-web.com" which is the original access destination. This is because if the URL of the access destination remains the URL “http://test-web-form.com” of the second authentication device 12, malfunction may occur in the web service. The web service can be operated normally by converting the URL of the access destination.

In step S207, the web server 20 provides the client terminal 52 with the web service requested to be accessed. Note that the client terminal 52 can use the authentication cookie issued by the second authentication device 12 and use the SSO cooperation service including the web service provided by the web server 20 without individually performing the authentication process. ..

The authentication system 10 according to the embodiment is an authentication system that authenticates by SSO when a web browser of the client terminal 50 makes an access request to a web service whose access is restricted, and is an OS of the client terminal 50. The first authentication device 11 that performs authentication based on the account information, the second authentication device 12 that performs authentication based on the Form authentication information entered in the login form on the web browser, and the type of web browser are determined. When the web browser is not IE (predetermined web browser), control is performed so that the first authentication device 11 performs authentication, while when the web browser is not IE, control is performed so that the second authentication device 12 performs authentication. Distribution server 30 for

Further, the authentication method according to the present embodiment is an authentication method for performing authentication by SSO when an access request is made from the web browser of the client terminal 50 to the access-restricted web service. a step of determining the type of the web browser, (B) a step of authenticating with the OS account information of the client terminal 50 when the web browser determined in step A is an IE (predetermined web browser), (C) ) If the web browser determined in step A is not IE, the step of authenticating by the Form authentication information input in the login form in the web browser is included.

According to the authentication system 10 and the authentication method according to the embodiment, the first authentication device 11 or the second authentication device 12, which is associated with a web browser in advance, performs an authentication process suitable for the web browser. Therefore, by providing the distribution server 30 for a problem (such as a hang-up of a web browser that is not supported in the SSO environment) that occurs when authenticating a web service whose access is restricted by SSO using OS account information, It is possible to solve it without significantly changing the existing system infrastructure environment. That is, it is possible to construct an SSO environment that does not depend on the web browser, in which the user does not need to be aware of whether or not the integrated windows authentication is performed by the web browser.

Further, the network administrator does not need to change the configuration files of all client terminals that originally have the access right, and even if the iOS is automatically updated, the malfunction does not occur.

Although the invention made by the present inventor has been specifically described based on the embodiments, the present invention is not limited to the above embodiments and can be modified without departing from the scope of the invention.

For example, since the present invention is not limited to the type of web browser, it can be applied to web browsers other than IE, such as Safari, FireFox, and GoogleChrome, only by editing the setting file managed by the distribution server 30.

Further, when it is necessary to distribute the authentication method for each version in the same web browser, it can be dealt with only by editing the setting file managed by the distribution server 30.

Even if a new web browser is used in the future, it can be dealt with simply by editing the setting file managed by the distribution server 30.

Further, by applying the present invention, it is conceivable that the authentication method is distributed according to the IP address of the client terminal 50 or the language information of the web browser. Can be dealt with.

Alternatively, a plurality of reverse proxy servers 111 and 121 may be prepared, and a load balancer may be provided in front of each of them. As a result, the processing requests from the client terminals 50 can be dispersed and the load per unit can be reduced.

The embodiments disclosed this time are to be considered as illustrative in all points and not restrictive. The scope of the present invention is shown not by the above description but by the claims, and is intended to include meanings equivalent to the claims and all modifications within the scope.

10 Authentication System 11 1st Authentication Device 12 2nd Authentication Device 111, 121 Reverse Proxy Server 112, 122 SSO Server 20 web Server 30 Distribution Server 40 Active Directory 50, 51-53 Client Terminal 54 DNS Server 55 VPN Server

Claims (4)

An authentication system that authenticates by SSO when an access request is made from a web browser of a client terminal for a web service provided by a web server and whose access is restricted,
A first authentication device for performing authentication based on the OS account information of the client terminal;
A second authentication device that authenticates by using the Form authentication information entered in the login form in the web browser;
When there is an access request specifying the URL of the web service from the client terminal, the type of the web browser is determined based on the user agent information included in the access request, and the web browser is a predetermined web browser. While responding to the web browser to access the URL of the first authentication device in a certain case, access the URL of the second authentication device when the web browser is not the predetermined web browser. And a distribution server that responds to the web browser,
The first authentication device, accept the OS account information from the client terminal, in the case of authenticating the OS account information, relative to the previous Symbol the web service the web browser allow the use of the client terminal Issue an authentication cookie ,
The second authentication apparatus receives the Form authentication information from the client terminal, when authenticating the Form authentication information for the previous SL the web service the web browser to allow the use of the client terminal Issue an authentication cookie,
The authentication system, wherein the web browser to which the authentication cookie is issued can access the web server via the first authentication device or the second authentication device . The predetermined web browser is a standard browser of Windows (registered trademark),
The authentication system according to claim 1, wherein the first authentication device performs authentication by integrated windows authentication. The authentication system according to claim 1, wherein the web browser accesses the web service from the Internet via a VPN server. An authentication method for performing authentication by SSO when an access request is made from a web browser of a client terminal for a web service provided by a web server with access restriction,
(A) When the distribution server receives an access request specifying the URL of the web service from the client terminal, the distribution server determines the type of the web browser based on the user agent information included in the access request, and determines the web browser. When the browser is a predetermined web browser, the web browser responds to the URL of the first authentication device so as to access the URL of the first authentication device, and when the web browser is not the predetermined web browser, the second authentication device Responding to the web browser to access the URL,
(B) when the web browser determined in step A is a predetermined web browser, the first authentication device authenticates with the OS account information of the client terminal;
(C) when the web browser determined in step A is not the predetermined web browser, the second authentication device performs authentication by using the Form authentication information entered in the login form in the web browser, Equipped with
In the step B, the first authentication apparatus receives the OS account information from the client terminal, when authenticating the OS account information, the permit to use the web service before SL client terminal Issue an authentication cookie to a web browser ,
In the step C, the second authentication apparatus receives the Form authentication information from the client terminal, when authenticating the Form authentication information, the permit to use the web service before SL client terminal Issue an authentication cookie to a web browser,
The authentication method, wherein the web browser to which the authentication cookie is issued can access the web server via the first authentication device or the second authentication device .

Images