JP2013250894A - Mapping server and single sign-on system, mapping function providing method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To solve the problems that the conventional single sign-on setting method is not satisfactory because a user of a tenant having a different SP can be subjected to SSO mapping to an IDP in the case where a plurality of tenants use the same SP, that the opposite situation is not satisfactory in the same manner, and that SSP mapping has to be performed to a registered IDP by a proper method because an SSO mapping method for guaranteeing security is different due to IDP characteristic.SOLUTION: A proper SSO mapping function is provided to each of a plurality of IDPs. Therefore, a mapping function is preliminarily associated with each IDP, a mapping function corresponding to an IDP selected from available IDPs by a user is executed, and mapping information is registered.

Description

  The present invention relates to a mapping server, a single sign-on system, and a mapping function providing method for realizing a single sign-on between, for example, a multi-tenant server group.

  In particular, the present invention relates to a mapping server, a single sign-on system, and a mapping function providing method suitable for each IDP in a system capable of registering a plurality of IDPs composed of servers.

  2. Description of the Related Art Conventionally, a single sign-on (hereinafter referred to as SSO) mechanism based on Security Association Markup Language (hereinafter referred to as SAML) is known as a technique for linking authentication between a plurality of servers existing under different domains. A system for realizing SAML includes a server group (identity provider, hereinafter referred to as IDP) that provides an authentication function. It also includes at least one server group (service provider, hereinafter referred to as SP) that provides a function by trusting the IDP authentication result. A user who uses SSO by SAML registers authentication information such as a user ID in each of the above-described IDP and SP domains.

  When the user is provided with the SP function, it is necessary to access the IDP for authentication. For example, a user is authenticated by IDP using a user ID and password managed by IDP. The IDP issues a SAML assertion, which is a proof of authentication, to the SP for the authenticated user. The SP authenticates the user by verifying whether this SAML assertion is issued by a trusted IDP. For example, this verification is performed by verifying an electronic signature using an IDP certificate. At this time, the user can receive a service provided by the server group linked with the SP without inputting authentication information managed by the SP.

  When the user accesses the SP using SSO, the user ID for the SP is not handed over to the SP as described above. Therefore, prior to using SSO, the user needs to maintain the correspondence between the IDP user ID authenticated by IDP and the SP user ID when accessing the SP in the above system. There is. The process of registering this correspondence is called single sign-on mapping (hereinafter referred to as SSO mapping).

  Thus, SAML SSO is established by the trust relationship between IDP and SP. In other words, before realizing SSO, it is necessary to establish a trust relationship between the IDP and the SP in advance. This trust relationship is established by exchanging metadata describing which method the SSO is performed in the SAML protocol and an electronic certificate for proving that the assertion is issued from the IDP.

  As described above, SAML provides SSO safely by verifying that the user is authenticated by IDP and that the IDP is reliable from the viewpoint of the SP. More specifically, the SP realizes SSO by verifying the signature of the assertion issued by the IDP using a digital certificate set in advance. However, even if the SAML mechanism itself is safe, if the SAML setting, for example, the SSO mapping is wrong, a user who is authenticated by IDP is mapped to an unintended user and accesses the SP. The user has been approved as another user at the SP. For this reason as well, in order to use the SAML mechanism safely, it is necessary to set the SSO safely.

  Next, consider the relationship between IDP and SP. When viewed from the SP, the IDP is identified by an ID called an entity ID. This entity ID is described in the metadata exchanged in advance. Here, depending on the IDP, there are a server group that provides an authentication function and a server group that has only a single entity ID and a server group that has a plurality of entity IDs. Whether the entity ID is single or plural depends on the configuration of the IDP.

  For example, since SAML is realized by HTTP, an endpoint is defined by a URL. In order to sign an assertion, a different electronic certificate is required for each entity ID, but the electronic certificate is issued in association with a host name. As a result, in order for the IDP to have a plurality of entity IDs, it is necessary to have different host names for each entity ID and to resolve the IP addresses of those host names. If the IDP dynamically adds an entity ID in response to a user request, the IDP has a DNS server, and works such as registering a new host name and IP address in the DNS server in response to the addition of the entity ID. I need it. Therefore, it is difficult for an IDP to have a plurality of entity IDs unless it is a relatively large IDP.

On the other hand, in a case where a service is provided to a third party such as an application service provider, convenience and safety may be improved by limiting access from the third party to a specific URL. In such a case, the URL is single and the entity ID is single.
As described above, whether the entity ID is single or plural depends on the configuration of the IDP.

  Here, consider a case where SSO is possible with a plurality of IDPs for one SP. In order to realize this, it is necessary to register the IDP in advance with the SP in order to enable SSO with any IDP.

  Therefore, there has conventionally been a method that allows a plurality of SSO target server groups to be registered (see Patent Document 1). According to this method, a plurality of SSO target server groups can be registered. Further, when canceling registration of a server group targeted for SSO, an image corresponding to the server group is displayed, thereby preventing unintended server group registration from being cancelled.

Japanese Patent No. 4186521

  However, the conventional method has the following problems. In other words, in order to perform SSO, it is necessary to set SSO mapping in advance, but when multiple IDPs or SPs that are SSO target server groups are registered, an appropriate means for each IDP or SP is used. SSO mapping is required. For example, when considering the case where a plurality of user companies use the same SP, the information of each company managed on the SP needs to be separated independently from each other. Such a unit of separation is hereinafter referred to as a tenant. Consider a case where a plurality of IDPs are registered in one SP. At this time, SSO mapping of a tenant with a different SP to a user with IDP is not desirable in terms of security because there is a risk of information leakage. On the other hand, it is also not preferable that users of different IDPs can be SSO mapped to one SP tenant. This is because the SP can be accessed with the authority of another user exceeding the original authority of the user. Therefore, it is necessary to prevent erroneous SSO mapping and ensure security. Here, since the SSO mapping method for ensuring security differs depending on the characteristics of the IDP, it is necessary to perform SSO mapping on the registered IDP by an appropriate method.

  Further, when performing SSO mapping, an IDP API may be called to confirm the validity of the SSO mapping action. At this time, in order to call the API of IDP, IDP authentication and authorization are required. Therefore, pre-processing for receiving authentication and authorization is required. This pre-processing may require authentication with an ID and password depending on the policy for each IDP, or may require the use of an authorization mechanism called OAuth. As described above, it is necessary to perform preprocessing for each IDP by an appropriate method.

  In some cases, a plurality of preprocessing can be used with the same IDP. In such a case, it is necessary to be able to determine which pre-processing method is used at the time of SSO mapping according to the user's selection.

  The present invention has been made in view of the above-described conventional example, and an object thereof is to provide a mapping server, a single sign-on system, and a mapping function providing method capable of realizing SSO mapping that suppresses security risks such as information leakage. .

  In order to achieve the above object, the present invention comprises the following arrangement.

Mapping information associated with a user ID is provided in a single sign-on system that allows access to the server by associating user authentication information indicating that the authentication server has authenticated the user with the user ID of the user in another server. A mapping server,
Mapping function information that associates and registers the mapping function for associating the user ID for each authentication server;
A receiving unit that refers to the mapping function information and receives a selection of an authentication server associated with the mapping function;
Execution means for executing the processing according to the mapping function associated with the selected authentication server to configure the mapping information.

  Alternatively, according to another aspect, the present invention resides in a single sign-on system including a mapping server, an authentication server, and other servers.

  According to the present invention, it is possible to display a list of IDPs that can be used by a user and to associate an appropriate SSO mapping function with each IDP. Therefore, an appropriate SSO mapping function can be provided in order to ensure security in accordance with the characteristics of IDP.

It is a figure which shows a network structure. It is a lineblock diagram of PC concerning an embodiment of the invention. It is a module block diagram concerning this Embodiment. , It is an example of data concerning this embodiment. , It is a flow for the SSO mapping which concerns on this Embodiment. It is a module block diagram which concerns on the 2nd Embodiment. , , It is an example of data concerning the 2nd form of this embodiment. , It is the first half flow for the SSO mapping which concerns on this 2nd Embodiment. , , It is the latter half flow for the SSO mapping which concerns on this 2nd Embodiment. It is a module block diagram which concerns on the 2nd Embodiment. It is an example of data concerning the 2nd form of this embodiment. It is a flow for the SSO mapping which concerns on the 2nd Embodiment. , It is an example of a screen concerning this embodiment. , , It is an example of a screen concerning the 2nd form of this embodiment. It is an example of a screen concerning the 3rd form of this Embodiment.

[First Embodiment]
An object of the present invention is to provide an appropriate SSO mapping function between server groups for which authentication is desired to be coordinated. The mapping function referred to in the present embodiment and the second to fourth embodiments is a function for associating user IDs between servers (or services) to form an ID correspondence table (or mapping information). The best mode for carrying out the present invention will be described below with reference to the drawings.

<System configuration>
The single sign-on system according to the present embodiment is realized on a network configured as shown in FIG. The WAN 100 is a wide area network. In this embodiment, the WAN 100 is, for example, the Internet, and in particular, a World Wide Web (WWW) system using HTTP. A LAN 101 is a local area network that connects each component. The client PC 200 is a client PC operated by the user, and the mapping server 300 has mapping information that associates an IDP user ID and an SP user ID for each entity ID, and performs SSO mapping. Provides a function for managing mapping information. IDP-A400, IDP-B410, and IDP-C420 are identity providers that authenticate users. Although the mapping server is assumed to be a service provider (SP) here, the mapping server may be an identity provider (IDP), and 400, 410, and 420 may be SPs. An identity provider may be referred to as an authentication server, or a service provider may simply be referred to as a service or server.

  The client PC 200, the mapping server 300, the IDP-A 400, the IDP-B 410, and the IDP-C 420 are connected via the WAN network 100 and the LAN 101, respectively. The client PC 200, the mapping server 300, and each IDP may be configured on individual LANs or may be configured on the same LAN. Further, they may be configured on the same PC or server computer. For example, IDP-A-TRIAL, which is an IDP (not shown), may be configured on a server computer in which IDP-A300 is configured. The mapping server 300, IDP-A400, IDP-B410, and IDP-C420 each operate on a server computer described later.

  The mapping server 300 first accepts a user login. Next, a list of IDPs available to the user is displayed. When the mapping server 300 receives the SSO mapping setting request from the user, the mapping server 300 performs appropriate SSO mapping for the IDP corresponding to the SSO mapping setting request.

<Computer configuration>
FIG. 2 is a diagram showing a configuration of the client PC 200 according to the present embodiment. The configuration of the server computer of the mapping server 300, IDP-A400, IDP-B410, and IDP-C420 is the same. The hardware block diagram shown in FIG. 2 corresponds to the hardware block diagram of a general information processing apparatus, and the hardware configuration of a general information processing apparatus is used for the client PC 200 and the server computer of this embodiment. Can be applied.

  In FIG. 2, the CPU 201 executes a program such as an OS or an application stored in the program ROM of the ROM 203 or loaded from the hard disk 211 to the RAM 202. Here, OS is an abbreviation for an operating system running on a computer. The processing of each flowchart to be described later can be realized by executing this program. The RAM 202 functions as a main memory, work area, and the like for the CPU 201. A keyboard controller (KBC) 205 controls key input from a keyboard (KB) 209 or a pointing device (not shown). A CRT controller (CRTC) 206 controls display on the CRT display 210. A disk controller (DKC) 207 controls data access in a hard disk (HD) 211 or a floppy (registered trademark) disk (FD) that stores various data. The NC 212 is connected to the network and executes communication control processing with other devices connected to the network.

  In all the descriptions below, unless otherwise specified, the execution hardware main body is the CPU 201, and the software main body is an application program installed in the hard disk (HD) 211.

<Mapping server module configuration>
FIG. 3 is a module configuration diagram of the mapping server 300 according to the present embodiment. The mapping server 300 includes a mapping function management module 301, a mapping function providing module 302, and a usage IDP management module 303. One mapping function providing module 302 may provide an SSO mapping function corresponding to a plurality of IDPs, and a different SSO mapping function providing module 302 may exist for each IDP. When the user accesses the mapping server 300, the usage IDP management module 303 returns the IDP available for the user. Further, the mapping function management module 301 returns the URL of the screen that provides the function of the corresponding mapping function providing module 302 for each IDP returned by the use IDP management module.

<Data managed by the mapping server>
4A and 4B are data examples according to the present embodiment. FIG. 4A is a data example of a mapping function list according to the present embodiment. The mapping function list 350 is data managed by the mapping function management module 301. Here, the mapping function list 350 has a plurality of pieces of mapping function information. Each mapping function information has an IDP identifier that identifies an IDP, and mapping management location information that indicates whether the mapping server 300 manages settings related to SSO mapping with the IDP. The mapping management location information takes one of the values “inside server” (internal) indicating that the mapping server 300 manages and “outside server” (external) indicating that the mapping server 300 does not manage. Further, when the mapping server 300 provides the SSO mapping function, each mapping function information has a URL of a screen (SSO mapping screen) that provides the function of the mapping function providing module 302 corresponding to the IDP.

  FIG. 4A shows a state where three IDPs of IDP-A400, IDP-A-TRIAL, and IDP-B410 are registered. Among these IDPs, IDP-A400 and IDP-A-TRIAL indicate that the mapping server 300 manages SSO mapping, and also have a URL of the corresponding SSO mapping screen. IDP-B 410 indicates that the SSO mapping management location is outside the mapping server 300 and does not have a corresponding mapping screen.

  FIG. 4B is a data example of a usage IDP list according to the present embodiment. The usage IDP list 351 is data managed by the usage IDP management module 303. Here, the usage IDP list 351 has a plurality of usage IDP information. Each use IDP information has a user identifier for identifying a user who has accessed the mapping server 300 and an IDP identifier of an IDP that can be used by the user. The user identifier may be the identifier of the user itself or the identifier of the tenant to which the user belongs, but here the user identifier is assumed to be a tenant identifier. Here, if the user belongs to the tenant T001, three IDPs IDP-A400, IDP-A-TRIAL, and IDP-B410 can be used.

<IDP list display processing>
FIG. 5A and FIG. 5B are a list of functions for SSO mapping and a distribution flow to each SSO mapping function, respectively, according to the present embodiment.

  FIG. 5A is a flowchart for displaying a list of functions for SSO mapping according to the present embodiment. When a user accesses the mapping server 300, IDPs that can be used by the user are displayed in a list together with a transition button to the corresponding SSO mapping function providing screen.

  In step S1001, the mapping server 300 acquires a usage IDP list corresponding to the user identifier of the logged-in user from the usage IDP list 351 from the usage IDP management module 303. Here, if the user identifier of the user is T001 which is the identifier of the tenant to which the user belongs, the available IDP list that can be acquired includes three IDPs of IDP-A400, IDP-A-TRIAL, and IDP-B410. It can be seen from the example of FIG. 4B. When the number of IDPs included in the usage IDP list 351 increases or decreases, the number of IDPs processed in a flow described later increases or decreases accordingly.

  In step S1002, the mapping server 300 determines whether there is unprocessed usage IDP information in the usage IDP list (referred to as target IDP) acquired in step S1001. If there is an unprocessed IDP, the process proceeds to step S1003. If there is no unprocessed IDP, the flow ends.

  In step S1003, the mapping server 300 takes out an unprocessed IDP from the target IDPs acquired in step S1001, or pays attention to an unprocessed IDP. Of the target IDPs acquired in step S1001, the IDP focused in step S1003 may be referred to as the focused IDP.

  In step S1004, the mapping server 300 extracts mapping function information (see FIG. 4A) corresponding to the target IDP extracted in step S1003 from the mapping function management module 301. This may be called attention mapping function information.

  In step S1005, the mapping server 300 refers to the target mapping function information extracted in step S1004, and determines whether the mapping server 300 manages SSO mapping, that is, whether the SSO mapping management location information is in the server. As a result of the determination, if the mapping server 300 manages the SSO mapping, the process proceeds to step S1006. If the mapping server 300 does not manage the SSO mapping, the process related to the IDP of interest is terminated, and the process proceeds to step S1002. For example, if the target mapping function information extracted in step S1004 relates to the IDP-A 400, the IDP-A 400 transitions to step S1006 because the mapping server 300 manages the SSO mapping as shown in FIG. 4A.

  In step S1006, the mapping server 300 extracts the URL of the screen that provides the SSO mapping function (SSO mapping screen URL in FIG. 4A) from the target mapping function information extracted in step S1004.

  In step S1007, the mapping server 300 causes the SSO mapping screen URL extracted in step S1006 to be displayed on the screen together with the identifier of the target IDP extracted in step S1003. The process related to the IDP is thus completed, and the process proceeds to step S1002.

  When the flow of FIG. 5A is completed, what is displayed on the screen is an IDP list display screen 500 as shown in FIG. 13A, for example. As shown in FIG. 13A, an IDP list 500 that can be used by a logged-in user is displayed on the user interface, and a link (URL) to an SSO mapping screen corresponding to the IDP is embedded in association with the IDP identifier. An object such as a transition button 1301 is displayed. When the user presses this button, the processing in FIG. 5B is started.

<Mapping function provision processing>
FIG. 5B is a distribution flow to each SSO mapping function according to the present embodiment. When the user presses a transition button 1301 to a URL providing an SSO mapping function corresponding to each IDP displayed in FIG. 5A, this flow is started.

  In step S1101, the mapping server 300 accepts pressing of a transition button to a URL that provides an SSO mapping function corresponding to IDP. Alternatively, when the transition button is pressed, the process starts from S1102.

  In step S1102, the mapping server 300 redirects the user to the SSO mapping screen URL associated with the transition button.

  In step S1103, the mapping function providing module 302 provides a unique SSO mapping function for each URL through the SSO mapping screen specified by the URL corresponding to each IDP, and ends the flow. Here, the screen displayed with the redirect destination URL is a mapping function providing screen 501 as shown in FIG. 13B, for example. When the user designates a setting file and presses the setting button, the setting file is set as mapping information held and managed by the mapping server. However, before setting, it is checked whether there is any inconvenient mapping of the setting file by the SSO mapping function for each URL, ie, for each IDP. Here are some examples of this check function. For example, in one mapping function, the mapping server 300 acquires a list of user IDs possessed by each from each IDP and SP for each tenant. The IDP user ID and the SP user ID defined in the input setting file are collated with each other to determine whether or not an inconvenient association is made. Inconvenient association is, for example, association of a plurality of tenants with different IDPs or SPs to the other tenant as described in the problem section. In this case, the tenant to which each of the IDP user ID and the SP user ID defined in the setting file belongs is specified with reference to the acquired user ID list for each tenant. If there is one SP or IDP tenant associated with a plurality of IDP or SP tenants, it is determined that the setting file may be inconvenient. The result of the determination is sent to the client on another screen. Whether or not an inconvenient setting is permitted depends on the setting by a service provider, for example. When the mapping information is managed in units of IDP entity IDs, for example, such a mapping function is preferably applied to IDPs to which entity IDs are assigned for each tenant. On the other hand, for IDPs that give the same entity ID to a plurality of tenants, the mapping server also manages a plurality of tenants together with a single mapping information. Associated. Therefore, it is difficult to determine inconvenient association by the above-described method.

  Therefore, for such an IDP, in addition to the above-described check, the following determination is further performed. That is, for example, consider a case where a user ID is deleted from a tenant with IDP and the same user ID is added to another tenant. As described above, when one tenant is managed by one entity ID, the mapping server manages mapping information for each entity ID, that is, for each tenant, so that unintended mapping is not performed. This is because the added user ID is also managed in the mapping information as a user of a tenant different from the tenant to which the deleted user ID belongs. However, in the case of an IDP that manages a plurality of tenants with a single entity ID, if there is a move between user IDs as described above, the tenant after the move is associated with the association between user IDs remaining in the mapping information. It can happen. Therefore, for an IDP that manages a plurality of tenants with a single entity ID, the IDP user ID and the SP user ID are not directly associated, but are associated through an intermediate ID. Even if the user ID is moved between tenants as described above, an inconvenient association can be prevented by assigning a new intermediate ID to the user ID after the transfer. As described above, the association of the user ID defined in the setting file is converted into the association via an intermediate ID and set as mapping information. As described above, the setting of mapping information is realized by different mapping functions according to the IDP. The association between the IDP and the mapping function is determined in advance, and is defined in the SSO mapping function list as shown in FIG. 4A. This mapping function list is registered and referred to in advance in the mapping server. For this purpose, for example, the mapping function management module of FIG. 3 may be configured to maintain the mapping function list 350 in response to access from a client browser. An SSO mapping screen and its URL, and a program for realizing a mapping function for registering the setting file designated on the SSO mapping screen as mapping information must be prepared separately.

  13A and 13B are screen examples according to the present embodiment. FIG. 13A shows an example of an IDP list display screen. Here, on the IDP list display screen 500, three IDPs of IDP-A400, IDP-A-TRIAL, and IDP-B410 are displayed. Among these IDPs, for IDP-A400 and IDP-A-TRIAL, a transition button 1301 to a URL providing a mapping function is also displayed.

  FIG. 13B shows an example of a mapping function providing screen. Here, the mapping function providing screen 501 accepts upload of a setting file related to the SSO mapping setting from the user. Also, SSO mapping is performed according to the uploaded setting file.

  In the setting file, for example, a user ID to be SSO mapped is stored in association with each other. For example, the setting file is a file in which an IDP user ID for the user to be authenticated by the IDP and an SP user ID for the user to be authenticated by the SP are stored in association with each other. Here, by changing the mapping method for each IDP, mapping between tenants that should not be associated with each other is prevented. Tenants that should not be associated with each other are, for example, tenants with different actual users or companies.

  The mapping function providing module 302 performs SSO mapping based on a designated setting file by a mapping method determined in advance for each IDP. For example, it is stored as a map file of a predetermined format based on the ID association defined in the setting file.

  The SSO procedure itself is known. Here, an example of the SSO procedure will be briefly described. First, the user makes an access request to the first service provider who also serves as the identity provider, using a browser of the client PC. The identity provider requests authentication from the user. For user authentication, for example, a user ID (here, a user ID for an identity provider) and a password are used. When the identity provider performs user authentication, it issues user authentication information (SAML assertion), which is proof of authentication, and holds it. At the same time, the user is authenticated and an access request to the first service provider is accepted. Thereafter, when the user requests access to the second service provider, the second service provider requests authentication from the identity provider. In response to the authentication request, the identity provider responds with user authentication information of the user who requested access, that is, a SAML assertion. The SAML assertion includes a user ID and an electronic signature for the user's identity provider. The electronic signature is verified to determine whether this SAML assertion is issued by a trusted identity provider. If the verification is successful, the user ID for the identity provider is read and the user ID for the corresponding service provider is read. Request matching server to convert to. The user accesses the second service provider with the authority of the responded user ID. SSO is realized as described above.

  According to the present embodiment, the mapping server can display a list of IDPs that can be used by the user, and can associate an appropriate SSO mapping function with each IDP. Therefore, an appropriate SSO mapping function can be provided in order to ensure security in accordance with the characteristics of IDP.

[Second Embodiment]
Next, a second embodiment for carrying out the present invention will be described with reference to the drawings. Note that description of parts common to the first embodiment will be omitted, and only different parts will be described below.

  FIG. 6 is a module configuration diagram of the mapping server 300 according to the second embodiment. The mapping server 300 includes a mapping function management module 301, a mapping function providing module 302, and a usage IDP management module 303. Further, it has a preprocessing function management module 311 and a preprocessing function provision module 312. One preprocessing function providing module 312 may provide a preprocessing function corresponding to a plurality of IDPs, and a different preprocessing function providing module 312 may exist for each IDP. When the user accesses the mapping server 300, the usage IDP management module 303 returns the IDP available to the user. The preprocessing function management module 311 returns a URL that provides the function of the corresponding preprocessing function providing module 312 for each IDP returned by the use IDP management module.

  FIG. 7 shows an example of data according to the second embodiment. FIG. 7A is a data example of a mapping function list managed by the mapping function management module 301 according to the second embodiment. Here, mapping function information related to IDP-C 420 is added to the mapping function list 360.

  FIG. 7B is a data example of a usage IDP list managed by the usage IDP list management module 303 according to the second embodiment. Here, in the usage IDP list 361, IDP-C420 is added as an IDP that can be used by a user belonging to the tenant T001.

  FIG. 7C is a data example of a preprocessing function list according to the second embodiment. The preprocessing function list 362 is data managed by the preprocessing function management module 311 and has a plurality of preprocessing function information. Each piece of preprocessing function information has an IDP identifier that identifies an IDP and a preprocessing URL that provides a preprocessing function required prior to SSO mapping with the IDP. Here, for IDP-A400 and IDP-A-TRIAL, the screen in the mapping server 300 has a pre-processing function. This is the case, for example, when the user inputs the IDP-A 400 ID and password from the screen of the mapping server 300. At this time, the mapping server 300 calls an API such as WebService provided by the IDP-A 400 based on the user's input, receives authentication, and receives an authentication session. Here, regarding IDP-C420, it shows that the screen of IDP-C420 has a preprocessing function. This corresponds to a case where the user is once redirected to the authorization screen provided by the IDP-C 420, such as OAuth, and the mapping server 300 receives the evidence authorized by the user via the browser operated by the user. In any case, a device having a preprocessing function can be designated by the preprocessing URL.

<IDP list display and preprocessing>
FIG. 8 shows a list of functions for SSO mapping including pre-processing and a distribution flow to each SSO mapping function according to the second embodiment.

  FIG. 8A is a flowchart for displaying a list of functions for SSO mapping including preprocessing according to the second embodiment. When a user accesses the mapping server 300, IDPs that can be used by the user are displayed in a list together with a transition button to a corresponding preprocessing function providing screen.

  Steps S1001 to S1004 are the same as those in the first embodiment, and a description thereof will be omitted. When step S1004 is completed, the flow moves to step S2001.

  In step S2001, the mapping server 300 confirms the mapping function information extracted in step S1004, and determines whether the mapping server 300 manages SSO mapping. As a result of the determination, if the mapping server 300 manages SSO mapping, the process proceeds to step S2002. If the mapping server 300 does not manage SSO mapping, the process related to the IDP is terminated, and the process proceeds to step S1002. For example, if the mapping function information extracted in step S1004 relates to IDP-A 400, IDP-A 400 transitions to step S2002 because mapping server 300 manages SSO mapping.

  In step S2002, the mapping server 300 extracts the URL of the screen that provides the preprocessing function from the preprocessing function management module 311.

  In step S2003, the mapping server 300 displays the URL extracted in step S2002 on the screen together with the IDP identifier extracted in step S1003. The process related to the IDP is thus completed, and the process proceeds to step S1002.

  When the flow of FIG. 8A is completed, what is displayed on the screen is an IDP list display screen 510 as shown in FIG. 14A, for example.

  FIG. 8B is a distribution flow to each preprocessing function according to the second exemplary embodiment. When the user presses a transition button to a URL that provides a preprocessing function corresponding to each IDP displayed in FIG. 8A, this flow is started.

  In step S2101, the mapping server 300 accepts pressing of a transition button to a URL that provides a preprocessing function corresponding to IDP.

  In step S2102, the mapping server 300 determines whether the URL associated with the button pressed in step S2101 is the URL on the mapping server side or the URL on the IDP side. As a result of the determination, if the URL is on the mapping server side, the mapping server 300 transitions to step S2103 in order to provide a pre-processing function. If the URL is on the IDP side, the process proceeds to step S2150 to use the IDP preprocessing function.

  In step S2103, the mapping server 300 redirects the user access to the URL associated with the button pressed in step S2101 in order to provide the preprocessing function on the mapping server side.

  In step S2104, the preprocessing function providing module 312 of the mapping server 300 performs preprocessing and receives an IDP authentication session.

  In step S2105, the mapping server 300 extracts the mapping function information corresponding to the IDP preprocessed in step S2104 from the mapping function management module 301.

  In step S2106, the mapping server 300 extracts a URL that provides the mapping function from the mapping function information extracted in step S2105.

  In step S2107, the mapping server 300 redirects user access to the URL extracted in step S2106.

  In step S2108, the mapping server 300 receives the redirect in step S2107 and calls the IDP API using the authentication session acquired in the preprocessing in step S2104.

  In step S2109, the mapping function providing module 302 of the mapping server 300 generates an SSO mapping using the value returned for the API call in step S2108. At that time, a screen as shown in FIG. 13B may be displayed to accept a file upload related to the SSO mapping setting from the user. When the generation of the SSO mapping is completed in step S2109, the flow ends.

  In step S2150, in order to use the IDP pre-processing function, the mapping server 300 redirects the user access to the URL associated with the button pressed in step S2101 and ends the flow.

<Example of pre-processing procedure>
FIG. 9 is a flow of an example of preprocessing and an SSO mapping function according to the second embodiment. FIG. 9A is an example of preprocessing corresponding to IDP in the mapping server 300 according to the second embodiment. This flow is a detailed flow of step S2104 in FIG. 8B. In this example, the preprocessing function providing module 312 requests the user to input an ID and a password for logging in to the IDP. In addition, IDP authentication is performed using the ID and password input by the user, and an authentication session is received.

  In step S2201, the preprocessing function provision module 312 displays a first preprocessing function provision screen 511 as shown in FIG. 14B and accepts input of an ID and a password for logging in to the IDP.

  In step S2202, the preprocessing function providing module 312 accesses the IDP using the ID and password received in step S2201.

  In step S2203, the preprocessing function providing module 312 receives IDP authentication, and receives an authentication session as a response to access to the IDP in step S2202. When the authentication session is received, this flow ends.

  FIG. 9B is an example of IDP-side preprocessing according to the second embodiment. This flow starts when the IDP receives the access of the user redirected in step S2150 of FIG. 8B. In this example, it is assumed that the IDP that receives the redirect is IDP-C420. In IDP-C420, it is assumed that an OAuth authorization mechanism can be used.

  In step S2301, the IDP-C 420 receives the redirected user access from the mapping server 300.

  In step S2302, the IDP-C 420 authenticates the access accepted in step S2301. Here, for example, the IDP-C 420 may require the user to input an ID and password.

  In step S2303, the IDP-C 420 determines whether the authentication in step S2302 is successful. If the authentication is successful, the process proceeds to step S2304. If the authentication fails, the process proceeds to step S2350.

  In step S2304, the IDP-C 420 displays a screen asking whether to allow the mapping server 300 to perform the SSO mapping, and requests permission from the user. The screen displayed here may be, for example, a second preprocessing function provision screen 512 as shown in FIG. 14C.

  In step S2305, the IDP-C 420 determines whether the user permission has been obtained in step S2304. If the user permission has been obtained, the process proceeds to step S2306. If the user's permission has not been obtained, the process proceeds to step S2350.

  In step S2306, the IDP-C 420 generates an authorization token and redirects the user access to the mapping server 300. At this time, the redirect includes an authorization token, and the authorization token is returned to the mapping server 300 via the client operated by the user. Here, it is assumed that the redirect destination URL is a URL that the mapping server 300 provides a mapping function. When the user's access is redirected to the mapping server 300, this flow ends.

  In step S2350, the IDP-C 420 redirects access from the user to the mapping server 300. At this time, the redirection is performed via a client operated by the user, and the redirection includes information indicating that the preprocessing has failed. When the user's access is redirected to the mapping server 300, this flow ends.

  FIG. 9C is an example of a processing flow in the mapping server 300 after the preprocessing on the IDP side according to the second embodiment. This flow is started when the mapping server 300 receives the access of the user redirected in step S2306 of FIG. 9B.

  In step S2401, the mapping server 300 receives a redirect to the URL that provides the mapping function from the IDP.

  In step S2402, the mapping server 300 takes out the authorization token included in the redirect accepted in step S2401.

  In step S2403, the mapping server 300 calls the API of IDP using the authorization token extracted in step S2402.

  In step S2404, the mapping function providing module 302 of the mapping server 300 generates an SSO mapping by using the value returned from the IDP API as a response in step S2403. At that time, the SSO mapping screen URL is extracted from the mapping function information corresponding to the IDP, the screen as shown in FIG. 13B specified by the URL is displayed, and the upload of the file related to the SSO mapping setting is accepted from the user. Also good. When the generation of the SSO mapping is completed in step S2404, the flow ends.

<Example of Display Screen of Second Embodiment>
FIG. 14 shows an example of a screen according to the second embodiment. FIG. 14A shows an example of an IDP list display screen. Here, the IDP list display screen 510 displays four IDPs of IDP-A400, IDP-A-TRIAL, IDP-B410, and IDP-C. Among these IDPs, for IDP-A400, IDP-A-TRIAL, and IDP-C, a transition button to a URL that provides a pre-processing function for SSO mapping is also displayed.

  FIG. 14B shows a first example of the preprocessing function provision screen. Here, the first preprocessing function provision screen 511 accepts input of an ID and a password for logging in to the IDP from the user. Further, according to the input ID and password, the preprocessing function providing module 312 receives IDP authentication and receives an authentication session.

  FIG. 14C shows a second example of the preprocessing function provision screen. Here, the second pre-processing function provision screen 512 is an authorization screen in OAuth, and asks the user whether to permit SSO mapping by the mapping server 300. Here, when the user presses the “permit” button, an authorization token is issued according to OAuth. The issued authorization token is passed to the mapping server 300.

    As described above, for each IDP, it is possible to execute predetermined processing not only for the mapping function but also for the preprocessing. According to the second embodiment, it is possible to call an IDP API when performing SSO mapping after performing preprocessing for each IDP in an appropriate manner. Therefore, appropriate preprocessing can be performed even when authentication by ID and password is required according to a policy for each IDP, or when an OAuth authorization mechanism is used.

[Third Embodiment]
Next, a third embodiment for carrying out the present invention will be described with reference to the drawings. In addition, description is abbreviate | omitted about the part which is common in 1st Embodiment and 2nd Embodiment, and only a different part is demonstrated below.

  FIG. 10 is a module configuration diagram of the mapping server 300 according to the third embodiment. The mapping server 300 includes a mapping function management module 301, a mapping function providing module 302, and a usage IDP management module 303. Further, it has a preprocessing function providing module 312 and a second preprocessing function management module 321. The second preprocessing management module 321 has a second preprocessing function list 370 and can store a plurality of preprocessing URLs for one IDP. In addition, by presenting the plurality of preprocessing URLs to the user, the user can select and use the preprocessing URL desired by the user.

  FIG. 11 is a data example of the second preprocessing function list according to the third embodiment. The second preprocessing function list 370 is data managed by the second preprocessing function management module 321. Here, the second preprocessing function list 370 has a plurality of pieces of second preprocessing function information. Each of the second pre-processing function information includes an IDP identifier that identifies the IDP, a pre-processing URL that provides a pre-processing function required prior to SSO mapping with the IDP, and a pre-processing type that represents the type of pre-processing. Has processing type.

  Here, for the IDP-A 400, the screen in the mapping server 300 has a pre-processing function, and the IDP-A 400 screen has a pre-processing function. For example, a pre-processing function for inputting an ID and a password as shown in FIG. 14B and a pre-processing function by OAuth as shown in FIG. 14C are provided, and the user can select one of them.

  FIG. 12 is a flowchart for displaying a list of mapping functions according to the third embodiment. When a user accesses the mapping server 300, IDPs that can be used by the user are displayed in a list together with a transition button to a corresponding preprocessing function providing screen.

  Steps S1001 to S1004 are the same as those in the first embodiment, and a description thereof will be omitted. When step S1004 is completed, the flow moves to step S3001.

  In step S3001, the mapping server 300 confirms the mapping function information extracted in step S1004, and determines whether the mapping server 300 manages SSO mapping. As a result of the determination, if the mapping server 300 manages SSO mapping, the process proceeds to step S3002. If the mapping server 300 does not manage SSO mapping, the process related to the IDP is terminated, and the process proceeds to step S1002. For example, if the mapping function information extracted in step S1004 relates to IDP-A 400, IDP-A 400 transitions to step S3002 because mapping server 300 manages SSO mapping.

  In step S3002, the mapping server 300 extracts all second pre-processing function information corresponding to the IDP being processed from the second pre-processing function management module 321. For example, if the IDP being processed here is IDP-A400, the two pieces of second preprocessing information to be extracted are those with the preprocessing type “ID / Password” and “OAuth”.

  In step S3003, the mapping server 300 extracts URLs and preprocessing types that provide the respective preprocessing functions from all the second preprocessing function information extracted in step S3002.

  In step S3004, the mapping server 300 displays a corresponding transition button on the screen for each URL that provides the preprocessing function extracted in step S3003. Each button is displayed together with a corresponding IDP identifier and a word indicating a preprocessing type. The process related to the IDP is thus completed, and the process proceeds to step S1002.

  When the flow of FIG. 12 is completed, an IDP list display screen 520 as shown in FIG. 15 is displayed on the screen, for example.

  FIG. 15 shows an example of an IDP list display screen according to the third embodiment. Here, on the IDP list display screen 520, four IDPs of IDP-A400, IDP-A-TRIAL, IDP-B410, and IDP-C are displayed. Among these IDPs, for IDP-A400, two transition buttons are displayed: a transition button to the pre-processing function screen by ID and password and a transition button to the pre-processing function screen by OAuth. Yes.

  When the IDP list display screen 520 is displayed, when the user performs SSO mapping with respect to IDP-A, the user desires among the two pre-processes of the pre-process using ID and password and the pre-process using OAuth. SSO mapping can be performed in the preprocessing.

According to the third embodiment, when a plurality of preprocessing can be used with the same IDP, the preprocessing at the time of SSO mapping can be performed according to the user's selection.
<Other embodiments>
The present invention can also be realized by executing the following processing. That is, software (program) that realizes the functions of the above-described embodiments is supplied to a system or apparatus via a network or various storage media, and a computer (or CPU, MPU, etc.) of the system or apparatus reads the program. It is a process to be executed.

Claims (9)

Mapping information associated with a user ID is provided in a single sign-on system that allows access to the server by associating user authentication information indicating that the authentication server has authenticated the user with the user ID of the user in another server. A mapping server,
Mapping function information for associating the user ID with the mapping function information registered in association with each authentication server;
A receiving unit that refers to the mapping function information and receives a selection of an authentication server associated with the mapping function;
A mapping server comprising: an execution unit configured to execute the process according to the mapping function associated with the selected authentication server to configure the mapping information.   The accepting unit accesses the mapping server by referring to the mapping function information and associating the identifier of the authentication server with an object embedded with a link to the mapping function associated with each authentication server. The mapping server according to claim 1, wherein the mapping server is displayed as a user interface on a client. Pre-processing function information registered in association with each authentication server, pre-processing to be performed before executing the mapping function,
The execution means refers to the preprocessing function information, and when the preprocessing function associated with the selected authentication server is executed by the authentication server, executes the preprocessing function. The mapping server according to claim 1, wherein the mapping information is configured by executing a process according to a mapping function associated with the selected authentication server.   When the preprocessing function associated with the selected authentication server is executed by the authentication server, the execution means causes the authentication server to execute preprocessing, and obtains a result of the preprocessing, The mapping server according to claim 3, wherein the mapping information is configured by executing processing according to a mapping function associated with the selected authentication server.   5. The preprocessing function is a function of receiving a user permission for execution of mapping by the mapping server through the authentication server, and the result of the preprocessing is received as an authorization token. The listed mapping server. The mapping information is managed in units of entities having entity IDs, and the user ID is managed for each tenant to which a user belongs,
The execution means includes a mapping function for checking that the associated user ID does not exist for a plurality of tenants for one entity ID according to the selected authentication server, and the user ID associated with each other via an intermediate ID. The mapping server according to claim 1, further comprising a mapping function that generates mapping information associated with each other.   A single sign-on system comprising the mapping server according to any one of claims 1 to 6, the authentication server, and another server. Mapping information associated with a user ID is provided in a single sign-on system that allows access to the server by associating user authentication information indicating that the authentication server has authenticated the user with the user ID of the user in another server. A program for causing a computer to function as a mapping server,
Means for storing mapping function information for associating the mapping function for associating the user ID with each authentication server;
A receiving unit that refers to the mapping function information and receives a selection of an authentication server associated with the mapping function;
A program for causing a computer to function as an execution unit that executes processing according to a mapping function associated with the selected authentication server to configure the mapping information. Mapping information associated with a user ID is provided in a single sign-on system that allows access to the server by associating user authentication information indicating that the authentication server has authenticated the user with the user ID of the user in another server. A mapping function providing method executed by a mapping server,
A receiving step of accepting a selection of an authentication server associated with the mapping function with reference to mapping function information registered in association with each authentication server, mapping function for associating the user ID;
A mapping function providing method comprising: executing a process according to a mapping function associated with the selected authentication server to configure the mapping information.

Images