JP2015049624A - Information processing apparatus, and processing method and program therefor - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a mechanism for authenticating using the same authentication information even if synchronization timing of the authentication information is shifted in plural apparatuses.SOLUTION: A method includes: determining standby time for executing synchronization of authentication information; executing synchronization of authentication information stored in an IC card authentication server and a multi-function machine in accordance with synchronization reference time and the standby time; authenticating input authentication information in accordance with authentication information stored in the synchronized multi-function machine; and transmitting, in a case where the input authentication information is received within the determined standby time so that authentication is executed by using authentication information that is the same data as for another multi-function machine, an authentication request including authentication information that has been received so as to be authenticated in the IC card authentication server that stores authentication information of plural users, as master data, instead of authenticating on the multi-function machine.

Description

  The present invention relates to an information processing apparatus that synchronizes authentication information, a processing method thereof, and a program.

In recent years, with the heightened awareness of security in offices, security related to multifunction devices, which are information input / output units, has been required, and the concept of “authentication” has been applied to multifunction devices like PCs. It was.
Here, for authentication, an authentication method using an IC card is preferred in the market because of its high usability.

  This system includes an IC card authentication application that reads an IC card with a card reader of the multifunction device and logs in to the multifunction device, an IC card authentication server that manages association of the IC card and user information (stores an authentication table), and In many cases, the authentication table is stored and a local authentication service is used to authenticate the MFP. Patent Document 1 exists as a mechanism using local authentication.

  In the IC card authentication system, an IC card authentication server and a local authentication service may be used in combination in order to reduce the network load as much as possible in an environment of medium scale or larger. In this case, the IC card authentication application transmits an authentication request to itself or a local authentication service installed in a nearby multifunction device. In addition, the local authentication service installed in each multi-function device often communicates with the IC card authentication server periodically to perform synchronization processing of the authentication table. By using such a system, the authentication table is unified and the load on the network is reduced.

JP 2013-4035 A

  However, as the number of multifunction devices increases and the system becomes larger, the load on the network increases further. Therefore, using local authentication service, normal authentication requires authentication by the multifunction device that reads the IC card. It is done.

  In the case of local authentication, it is necessary to have an authentication table with the same contents in all the MFPs, so it is necessary to synchronize the authentication table. The load on the server storing the authentication table becomes high.

  In this case, the load can be reduced by changing the setting of the synchronization time for each multifunction device. However, since it takes time to actually perform this setting for each multifunction device, each multifunction device (local authentication service) A mechanism is considered in which synchronization is performed by automatically shifting the synchronization execution time within a predetermined time from a predetermined time (synchronization designation time).

  However, since it is not known at what timing between the specified synchronization time and the predetermined time the actual synchronization is performed, the user does not know whether the latest authentication table is used for authentication, or authentication is performed using the old authentication table. There were security issues such as being able to log in by unauthorized users.

  Therefore, an object of the present invention is to provide a mechanism for performing authentication using the same authentication information even if the synchronization timing of the authentication information is shifted between a plurality of information processing apparatuses.

  In order to achieve the object of the present invention, an information processing apparatus capable of communicating with an information processing apparatus that stores authentication information of a plurality of users as master data and that stores a synchronization reference time for synchronizing the authentication information. And waiting time determination means for determining a waiting time until synchronization of the authentication information is performed, and authentication stored in the information processing apparatus and the information processing apparatus according to the synchronization reference time and the waiting time. Synchronization execution means for performing synchronization of information, authentication means for authenticating the input authentication information in accordance with authentication information stored in the information processing apparatus synchronized by the synchronization execution means, and another information processing apparatus, When the input authentication information is received within the standby time determined by the standby time determination means in order to execute authentication using the authentication information that is the same data Transmitting means for transmitting an authentication request including the received authentication information so as to be authenticated by an information processing apparatus storing authentication information of a plurality of users as the master data without performing authentication by the authentication means. It is characterized by.

  ADVANTAGE OF THE INVENTION According to this invention, even if the synchronous timing of authentication information shifts | deviates with several information processing apparatus, it can authenticate using the same authentication information.

1 is a system configuration diagram illustrating an example of a configuration of an information processing system 3 is a block diagram illustrating an example of a hardware configuration of an information processing apparatus applicable to the client PC 100 and the IC card authentication server 200. FIG. 2 is a block diagram illustrating an example of a hardware configuration of a multifunction machine 300. FIG. It is a figure which shows the functional block of each apparatus in this system. It is a flowchart of an IC card authentication process. It is a flowchart of an IC card authentication (search) process. It is a flowchart of an authentication table synchronous process. It is a figure which shows an example of an authentication table. It is a figure which shows an example of the setting file for IC card authentication It is a figure which shows an example of the setting file for local authentication services It is an image figure which shows an example of an IC card authentication screen. It is an image figure which shows an example of an IC card authentication error screen It is an application block diagram which shows the structure of an application

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.

  FIG. 1 is a system configuration showing an example of a configuration of an information processing system using a multifunction peripheral 300 (image forming apparatus) according to the present invention, a card reader 500 provided in the multifunction peripheral 300, an IC card authentication server 200, and a client PC 100. FIG.

In the present embodiment, an authentication table that is a source (master) when synchronizing with the IC card authentication server 200 is stored. However, the MFP 300 includes the function of the IC card authentication server 200, and the MFP An authentication table serving as a master may be stored in 300 (the parent multifunction device). That is, the information processing apparatus stores authentication information of a plurality of users as master data.
In this case, a file in which authentication information of a plurality of users is stored from the administrator client PC is transmitted to the parent multifunction device 300 for storage.

In this embodiment, the IC card is held over the multifunction device. However, the present embodiment can be applied to any information processing apparatus that executes local authentication without being limited to the multifunction device.
Further, the present invention is not limited to an IC card, and can be realized even in a form in which a user ID, a password, and other fingerprints are input to the multifunction device 300.

  As shown in FIG. 1, the system according to the present embodiment has a configuration in which an IC card authentication server 200, a multifunction peripheral 300, and a client PC 100 are connected via a local area network (LAN) 400. Note that communication via the Internet is not limited to the local network.

  When the MFP 300 receives a print job from the client PC 100, the print job is stored in the MFP 300. The IC card is used to authenticate with the authentication table of the multifunction device 300 or the authentication table of the IC card authentication server 200 and log in to the multifunction device.

  When the MFP 300 is logged in, a print job list of the logged-in user is displayed, and designation of a print job to be printed is accepted. The multi-function device 300 outputs the print job that has received the designation.

  The multifunction device 300 stores the authentication table (synchronized authentication table) received from the IC card authentication server 200. The multifunction device 300 reads the IC card and performs authentication using the stored authentication table.

  The IC card authentication server 200 stores an authentication table serving as a master, and transmits the authentication table to the multifunction device 300 in accordance with the synchronization request from the multifunction device 300. When an authentication request is received from the multifunction device 300, authentication is performed using the master authentication table, and an authentication result is transmitted to the multifunction device 300.

  This authentication table stores the latest authentication information. The authentication table is stored in the storage unit of the IC card authentication server 200 as one or more files. It may be a database instead of a file format.

  Hereinafter, the hardware configuration of the information processing apparatus applicable to the client PC 100 and the IC card authentication server 200 shown in FIG. 1 will be described with reference to FIG.

In FIG. 2, reference numeral 2001 denotes a CPU that comprehensively controls each device and controller connected to the system bus 2004. Further, the ROM 2003 or the external memory 2011 is necessary to realize a BIOS (Basic Input / Output System) or an operating system program (hereinafter referred to as an OS) which is a control program of the CPU 2001, and a function executed by each server or each PC. Various programs are stored.
The external memory 2011 of the IC card authentication server 200 stores a master authentication table. An example of the authentication table is shown in FIG.

  Reference numeral 2002 denotes a RAM that functions as a main memory, work area, and the like of the CPU 2001. The CPU 2001 implements various operations by loading a program or the like necessary for execution of processing from the ROM 2003 or the external memory 2011 to the RAM 2002 and executing the loaded program.

  An input controller 2005 controls input from a keyboard (KB) 2009 or a pointing device such as a mouse (not shown). A video controller 2006 controls display on a display device such as a CRT display (CRT) 2010. In FIG. 2, although described as CRT2010, the display may be not only a CRT but also other display such as a liquid crystal display. These are used by clients as needed.

  A memory controller 2007 is connected to the hard disk (HD), flexible disk (FD), or PCMCIA card slot for storing a boot program, various applications, font data, user files, editing files, various data, etc. via an adapter. The access to the external memory 2011 such as a compact flash (registered trademark) memory is controlled.

  A communication I / F controller 2008 is connected to and communicates with an external device via a network (for example, the LAN 400 shown in FIG. 1), and executes communication control processing in the network. For example, communication using TCP / IP is possible.

  Note that the CPU 2001 enables display on the CRT 2010 by executing outline font rasterization processing on a display information area in the RAM 2002, for example. Further, the CPU 2001 enables a user instruction with a mouse cursor (not shown) on the CRT 2010.

  Various programs that operate on the hardware are recorded in the external memory 2011, and are executed by the CPU 2001 by being loaded into the RAM 2002 as necessary.

Next, the hardware configuration of the multifunction machine 300 as the information processing apparatus of the present invention will be described with reference to FIG.
FIG. 3 is a block diagram illustrating a hardware configuration example of the multifunction machine 300.

  In FIG. 3, a controller unit 5000 is connected to a scanner 5015 functioning as an image input device and a printer 5014 functioning as an image output device, and a local area network such as the LAN 400 shown in FIG. By connecting to a public line (WAN) such as ISDN, image data and device information are input and output.

As shown in FIG. 3, the controller unit 5000 includes a CPU 5001, a RAM 5006, a ROM 5002, an external storage device (hard disk drive (HDD)) 5007, a network interface (Network I / F) 5003, a modem (Modem) 5004, an operation unit interface ( Operation unit I / F) 5005, external interface (external I / F) 5009, image bus interface (IMAGE BUS I / F) 5008, raster image processor (RIP) 5010, printer interface (printer I / F) 5011, scanner interface (Scanner I / F) 5012, an image processing unit 5013, and the like.
A CPU 5001 is a processor that controls the entire system.

A RAM 5006 is a system work memory for the CPU 5001 to operate, and is a program memory for recording a program and an image memory for temporarily storing image data.
The ROM 5002 stores a system boot program and various control programs.

  An external storage device (hard disk drive HDD) 5007 stores various programs for controlling the system, image data, and the like. In addition, an authentication table is stored. An example of the authentication table is shown in FIG.

  An operation unit interface (operation unit I / F) 5005 is an interface unit with the operation unit (UI) 5018, and outputs image data to be displayed on the operation unit 5018 to the operation unit 5018.

The operation unit I / F 5005 serves to transmit information (for example, user information) input by the system user from the operation unit 5018 to the CPU 5001. Note that the operation unit 5018 includes a display unit having a touch panel, and various instructions can be given by a user pressing (touching with a finger or the like) a button displayed on the display unit.
A network interface (Network I / F) 5003 is connected to a network (LAN) and inputs / outputs data.
A modem (MODEM) 5004 is connected to a public line and inputs / outputs data such as FAX transmission / reception.

  An external interface (external I / F) 5009 is an interface unit that accepts external inputs such as USB, IEEE 1394, printer port, and RS-232C. In the present embodiment, a card reader for reading an IC card required for authentication is used. 500 is connected.

  Then, the CPU 5001 can control reading of information from the IC card by the card reader 500 via the external I / F 5009, and can acquire information read from the IC card. Note that the storage medium is not limited to an IC card, and any storage medium that can identify a user may be used. In this case, identification information for identifying the user is stored in the storage medium. This identification information may be a production number of the storage medium or a user code given by the user within the company. The above devices are arranged on the system bus.

On the other hand, an image bus interface (IMAGE BUS I / F) 5008 is a bus bridge that connects a system bus 5016 and an image bus 5017 that transfers image data at high speed and converts a data structure.
The image bus 5017 is configured by a PCI bus or IEEE1394. The following devices are arranged on the image bus 5017.
A raster image processor (RIP) 5010 develops, for example, vector data such as a PDL code into a bitmap image.

  A printer interface (printer I / F) 5011 connects the printer 5014 and the controller unit 5000, and performs synchronous / asynchronous conversion of image data.

  A scanner interface (scanner I / F) 5012 connects the scanner 5015 and the controller unit 5000, and performs synchronous / asynchronous conversion of image data.

  An image processing unit 5013 corrects, processes, and edits input image data, and performs printer correction, resolution conversion, and the like on print output image data. In addition to this, the image processing unit 5013 performs rotation of image data and compression / decompression processing such as JPEG for binary image data and JBIG, MMR, MH for binary image data.

  A scanner 5015 connected to the scanner I / F 5012 illuminates an image on paper as a document and scans it with a CCD line sensor, thereby converting it into an electrical signal as raster image data. The original paper is set on the tray of the original feeder, and when the apparatus user gives a reading start instruction from the operation unit 5018, the CPU 5001 gives an instruction to the scanner, and the feeder feeds the original paper one by one to read the original image. I do.

  A printer 5014 connected to the printer I / F 5011 is a part that converts raster image data into an image on paper. The method is an electrophotographic method using a photosensitive drum or a photosensitive belt, and ink is supplied from a micro nozzle array. There is an ink jet method for ejecting and printing an image directly on a sheet, but any method may be used. The printing operation is started in response to an instruction from the CPU 5001. Note that the printer unit 5014 has a plurality of paper feed stages so that different paper sizes or different paper orientations can be selected, and has a paper cassette corresponding thereto.

  An operation unit 5018 connected to the operation unit I / F 5005 includes a liquid crystal display (LCD) display unit. A touch panel sheet is affixed on the LCD and displays a system operation screen. When a displayed key is pressed, the position information is transmitted to the CPU 5001 via the operation unit I / F 5005. The operation unit 5018 includes, for example, a start key, a stop key, an ID key, a reset key, and the like as various operation keys.

Here, the start key of the operation unit 5018 is used when starting a document image reading operation. There are green and red LEDs in the center of the start key, and indicates whether or not the start key can be used depending on the color. The stop key of the operation unit 5018 serves to stop the operation being performed. The ID key of the operation unit 5018 is used when inputting the user ID of the user. The reset key is used when initializing settings from the operation unit 5018.

  A card reader 500 connected to the external I / F 5009 reads information stored in an IC card (for example, Sony FeliCa (registered trademark)) under the control of the CPU 5001, and reads the read information to the external I / F 5009. The CPU 5001 is notified via F5009.

  Next, each functional block of each device in this system will be described with reference to the functional block diagram of FIG. Each function is executed by the CPU, and detailed processing executed by each function will be described with reference to the flowcharts of FIGS.

First, functional units of the client PC 100 will be described.
The print data generation unit 150 on the client PC 100 generates print data (job) based on the data received from the application program, and transmits the print data to the MFP 300 or the like. The print data generation unit 150 is a function of a printer driver, for example.
Next, functional units of the IC card authentication server 200 will be described.
The IC card authentication application communication unit 250 on the IC card authentication server 200 transmits / receives an authentication request to / from the first IC card authentication server communication unit on the multifunction device 300.

  The local authentication service communication unit 251 on the IC card authentication server 200 transmits / receives an authentication request to / from the second IC card authentication server communication unit on the multifunction device 300. Further, the authentication table managed by the authentication table management unit 252 is transmitted in accordance with the synchronization request from the multifunction device 300.

  The authentication table management unit 252 on the IC card authentication server 200 accesses the authentication table managed in the IC card authentication server 200, searches the user information associated with the card number or the user name and the password requested for authentication, Returns the authentication result.

Next, functional units of the multifunction machine 300 will be described.
The card reader control unit 350 on the multifunction device 300 acquires card information (manufacturing number) held over the card reader 500.
The first IC card authentication server communication unit 351 on the multifunction machine 300 transmits and receives an authentication request to and from the IC card authentication server 200.
The local authentication service communication unit 352 on the multifunction device 300 transmits and receives an authentication request to the local authentication service on the multifunction device 300.

The authentication unit 353 on the multifunction device 300 permits the use of the multifunction device by using the authentication information (user ID and authority) of the user when the overall authentication system is successfully controlled and authenticated.
The IC card authentication application communication unit 354 on the multifunction device 300 receives an authentication request from the local authentication service on the multifunction device 300 and returns an authentication result.

  The authentication table management unit 355 on the MFP 300 accesses an authentication table managed in the MFP 300, searches for user information associated with the card number or user name and password requested for authentication, and returns an authentication result. .

  The synchronization processing management unit 356 on the MFP 300 determines whether or not the set synchronization time has been reached, and after waiting for the set load distribution time (standby time) after the synchronization time, the IC card authentication server 200. Synchronize with the authentication table.

  The second IC card authentication server communication unit 357 on the multi-function device 300 sends an IC card authentication application to the IC card authentication server 200 in the time until the synchronization is completed after the synchronization table acquisition request and the synchronization time. The authentication request received from the server is redirected to the synchronization acquisition destination authentication server.

  Next, an outline of processing of this embodiment will be described with reference to the application configuration diagram of FIG. FIG. 13 is an application configuration diagram in the present embodiment.

  (1) The IC card authentication application acquires the card number of the IC card from the card reader 500. (2) The IC card authentication application refers to the IC card authentication setting file (FIG. 9) and transmits an authentication request including the card number to the local authentication service.

  (3-1) When the local authentication service receives the authentication request, the authentication table stored in itself is searched based on the card number included in the authentication request, and authentication (local authentication) is executed. At this time, the synchronization completion wait flag managed in the RAM is referred to, and when the synchronization completion wait flag is FALSE, local authentication is executed. Note that the synchronization completion wait flag may be managed by the local authentication service setting file (FIG. 10).

  In addition, (3-2) the local authentication refers to the synchronization completion wait flag received in the authentication request and managed in the RAM, and when the synchronization completion wait flag is TRUE, the synchronization is waiting and the latest authentication In order to refer to the table, an authentication request is transmitted to the IC card authentication server, and authentication (server authentication) is executed.

If the authentication is successful as a result of the authentication in (3-1) or (3-2), the authentication result is sent to the IC card authentication application (authentication success or authentication failure obtained as a result of authentication, or user in the case of authentication success). Information and authority), and the IC card authentication application sets user information and authority in the login information area managed by the platform of the MFP 300 for login. Thus, the login to the multifunction device 300 is completed.
When the login to the multifunction device 300 is completed, the function of the multifunction device 300 or an application (not shown) becomes available according to the authority.

  (4-1) and (4-2) are synchronization processes. (4-1) and (4-2) are executed asynchronously with the processes (1) to (3-2). For example, the synchronization processing is executed according to the local authentication service setting file. For example, the synchronization is executed once a day at a predetermined time, but is not limited to once a day.

  (4-1) When the synchronization execution time is reached due to the synchronization time and the standby time, the local authentication service transmits a synchronization request to the IC card authentication server 200, and the authentication table stored in the IC card authentication server 200 Receive. When the synchronization time is reached, synchronization may have started in another multifunction device 300, and the contents of the authentication table may differ from other multifunction devices 300. The synchronization completion waiting flag is set to TRUE so that the authentication table is not referred to.

  (4-2) uses the authentication table received from the IC card authentication server 200 to update (synchronize) the authentication table stored in the HDD 5007. The update may be in a format in which a difference is added or in a format in which all authentication tables are replaced with the latest authentication table.

Hereinafter, the processing in the system of the present embodiment will be described in more detail with reference to the flowcharts of FIGS.
In addition, about each step, CPU of each apparatus performs a process.

First, an IC card authentication process in the embodiment of the present invention will be described with reference to FIG. FIG. 5 is a flowchart of the IC card authentication process.
As described above, the present invention can be applied not only to the authentication of an IC card but also to the authentication of a user ID and password, a fingerprint, and the like.

In step S100, the authentication unit 353 of the MFP 300 displays in advance the IC card authentication screen shown in FIG.
In step S <b> 101, the card reader control unit 350 of the multifunction machine 300 detects that an IC card is held over the card reader 500.

In step S102, the authentication unit 353 of the MFP 300 acquires the card number stored in the IC card held in step S101. The card number may be any information that can be uniquely identified, such as a card manufacturing number or an arbitrarily stored user ID.
In step S <b> 103, the authentication unit 353 of the MFP 300 acquires the IC card authentication setting file shown in FIG. 9 stored in the HDD 5007.
In step S104, the authentication unit 353 of the MFP 300 acquires connection destination information from the IC card authentication setting file acquired in step S103.

  Here, the setting file for IC card authentication in FIG. 9 will be described. FIG. 9 is a diagram showing an example of an IC card authentication setting file. It is stored in the HDD of the multifunction machine 300.

  The IC card authentication setting file is a file for storing a destination (connection destination) for requesting authentication of the card number of the IC card, and is set and registered by a service person or an administrator when installing the IC card authentication application. Is.

  As the connection destination, an IC card authentication server or an IP address of a local authentication service is set. In this embodiment, in order to reduce the network load, an example has been described in which an inquiry is made to the local authentication service in the multifunction peripheral in which the IC card authentication application is installed by localhost connection. It goes without saying that the address and the IP address of the IC card authentication server can be set.

  In step S105, the local authentication service communication unit 352 of the MFP 300 transmits an authentication request including the card number to the local authentication service of its own here, to the connection destination acquired in step S104.

In step S106, the local authentication service in the MFP 300 performs an authentication process according to the authentication request transmitted in step S105. The process of step S106 will be described in detail in steps S200 to S217 of FIG.
In step S107, the local authentication service communication unit 352 of the MFP 300 receives the authentication result transmitted in step S106.

  In step S108, the authentication unit 353 of the MFP 300 analyzes the authentication result acquired in step S107. If the authentication is successful, the process proceeds to step S109. If the authentication is unsuccessful, the process proceeds to step S111.

In step S109, since the authentication is successful, the authentication unit 353 of the multifunction peripheral 300 acquires the user information and authority of the logged-in user from the authentication result acquired in step S107.
In step S110, the authentication unit 353 of the MFP 300 logs in to the MFP using the user information acquired in step S109.

  That is, in steps S108 to S110, authentication obtained from an information processing apparatus that stores authentication information of a plurality of users as the master data according to a local authentication result or an authentication request transmitted to the IC card authentication server 200. It is a step which shows an example of the login control process which performs login control according to a result.

  In step S111, since authentication has failed, the authentication unit 353 of the multi-function apparatus 300 displays the IC card authentication error screen shown in FIG.

  In this embodiment, the local authentication service is installed in all the MFPs 300. However, for example, the local authentication service may be installed in one of the five MFPs. In this case, the IC card authentication application of the multifunction device in which the local authentication service is not installed transmits an authentication request to the multifunction device in which the local authentication service is installed. The process (3-1) or (3-2) is executed. In addition, as described above, the multifunction machine in which the local authentication service is installed executes the processes (4-1) and (4-2).

  Next, details of the IC card authentication (search) process in step 106 will be described with reference to FIG. FIG. 6 is a flowchart of the IC card authentication (search) process.

  In step S <b> 200, the IC card authentication application communication unit 354 of the MFP 300 receives the authentication request transmitted from the local authentication service communication unit 352 of the MFP 300.

  In step S201, the authentication table management unit 355 of the MFP 300 determines whether the local authentication service is waiting for synchronization completion, that is, whether the synchronization completion time has passed, but the authentication table itself has not been updated yet. Judging. This synchronization completion waiting is determined by a synchronization completion waiting flag managed by the RAM. The synchronization completion wait flag may be managed by the local authentication service setting file of FIG.

This synchronization completion waiting flag is changed in the synchronization processing in steps S302 and S312 described later. When waiting for synchronization completion (when the synchronization completion waiting flag is TRUE), the process proceeds to step S208, and when not waiting for synchronization completion, the process proceeds to step S202.
That is, step S201 is a step showing an example of a synchronization completion determination process for determining whether synchronization is completed.

  In step S202, the authentication table management unit 355 of the multifunction device 300 acquires the authentication table shown in FIG. 8 managed in the multifunction device.

Here, the authentication table of FIG. 8 will be described. FIG. 8 shows an example of the authentication table.
As the authentication table, the master authentication table is stored in the IC card authentication server 200, and the synchronized authentication table is stored in the multi-function device 300.

  The authentication table is managed by a record for each user, and stores values such as a card number, a user name (user ID), a password, an email address, and authority information. This authentication table stores user information of a plurality of users.

  In step S203, the authentication table management unit 355 of the MFP 300 determines whether the card number included in the authentication request acquired in step S200 is registered in the authentication table acquired in step S202. If the card number is registered, the process proceeds to step S204, and if not registered, the process proceeds to step S205. That is, step S203 is a diagram illustrating an example of an authentication process for authenticating input authentication information in accordance with authentication information stored in the synchronized information processing apparatus (for example, the multifunction peripheral 300). Further, when it is determined that the synchronization is completed in the synchronization completion determination process, the input authentication information is authenticated.

  In step S204, since the authentication is successful, the authentication table management unit 355 of the MFP 300 acquires the user information (user ID, mail address, authority, etc.) searched in step S203.

In step S205, the authentication table management unit 355 of the multi-function peripheral 300 generates authentication NG data (authentication failure information) because the card number is not registered in the authentication table.
In step S <b> 206, the authentication table management unit 355 of the multifunction device 300 acquires the local authentication service setting file shown in FIG. 10 managed in the multifunction device.

  In step S207, the authentication table management unit 355 of the MFP 300 determines the setting value 1004 of processing from the synchronization time (synchronization reference time) until the completion of synchronization from the local authentication service setting file acquired in step S206. To do. This setting value is a setting related to authentication processing when waiting for completion of synchronization, and can be selected to redirect to the IC card authentication server 200 or to perform authentication using the pre-synchronization authentication table. In this embodiment, since it is assumed that the setting value is redirect, the process proceeds to step S208. However, in the case of a setting value for performing authentication in the authentication table before synchronization, the process proceeds to step S202.

  In step S208, the authentication table management unit 355 of the MFP 300 acquires the setting value 1001 related to the synchronization source IC card authentication server from the local authentication service setting file acquired in step S206.

  In step S209, the second IC card authentication server communication unit 357 of the MFP 300 transmits the authentication request acquired in step S200 to the IC card authentication server 200 of the setting value (IP address) acquired in step S208. That is, in order to execute authentication using authentication information that is the same data as another information processing apparatus (for example, the multifunction machine 300), authentication information input via a card lead or the like is determined within a determined waiting time. If accepted, the authentication information accepted to be authenticated by an information processing apparatus (for example, IC card authentication server 200) that stores authentication information of a plurality of users as the master data without performing local authentication. It is a step which shows an example of the transmission process which transmits the authentication request | requirement containing.

  As a result, the authentication process while waiting for completion of synchronization is performed by the IC card authentication server 200 that holds the latest authentication table, and in the form of using the local authentication service, the authentication table inconsistency at the time of synchronization (other composites) (Refer to an authentication table with a different content from that of the machine) and appropriate authentication can be performed.

  In step S210, the local authentication service communication unit 251 of the IC card authentication server 200 receives the authentication request transmitted in step S209.

  In step S211, the authentication table management unit 252 of the IC card authentication server 200 acquires the authentication table shown in FIG.

  In step S212, the authentication table management unit 252 of the IC card authentication server 200 determines whether or not the card number included in the authentication request acquired in step S210 is registered in the authentication table acquired in step S211. If the card number is registered, the process proceeds to step S213. If the card number is not registered, the process proceeds to step S214.

  In step S213, the authentication table management unit 252 of the IC card authentication server 200 acquires the user information (user ID, e-mail address, authority, etc.) searched in step S212 as successful authentication.

  In step S214, the authentication table management unit 252 of the IC card authentication server 200 generates authentication NG data as an authentication failure because the card number is not registered in the authentication table.

In step S215, the local authentication service communication unit 251 of the IC card authentication server 200 returns the authentication result generated in step S213 or step S214 to the multifunction peripheral.
In step S216, the second IC card authentication server communication unit 357 of the local authentication service receives the authentication result transmitted in step S215.

  In step S217, the IC card authentication application communication unit 354 of the MFP 300 returns the authentication result generated or received in step S204, step S205, or step S216 to the local authentication service communication unit 352.

Next, details of the authentication table synchronization processing will be described with reference to FIG. FIG. 7 is a flowchart of the authentication table synchronization process.
In step S300, the synchronization processing management unit 356 of the multifunction device 300 acquires a local authentication service setting file shown in FIG. 10 managed in the multifunction device.

  In step S301, the synchronization processing management unit 356 of the MFP 300 acquires the synchronization time setting value 1002 (synchronization reference time) from the local authentication service setting file of FIG. 10 acquired in step S300. Compare with the system time (current time) managed by. If the synchronization time coincides with the current time or if the synchronization time exceeds the current time, the process proceeds to step S302. If the synchronization time is less than the current time, the process returns to step S301.

  In step S302, the synchronization processing management unit 356 of the multifunction machine 300 changes the synchronization completion wait flag managed on the RAM of the multifunction machine from FLASE to TRUE. That is, although the synchronization start time is reached, it means that the actual synchronization processing of the authentication table has not yet been completed.

  In step S303, the synchronization processing management unit 356 of the MFP 300 acquires the load distribution setting value 1003 from the local authentication service setting file of FIG. 10 acquired in step S300. The load distribution setting value 1003 is a setting value for determining a random time between the designated load distribution times after the synchronization time, and executing the actual synchronization processing after waiting for that time. If there is a load distribution setting value, the process proceeds to step S304, and if not set, the process proceeds to step S306.

  In step S304, the synchronization processing management unit 356 of the multifunction peripheral 300 randomly calculates the standby time within the range of the load distribution time acquired in step S303. Various methods such as a method using a random number can be considered for the calculation of the standby time, but since it is a known technique, the description of the method for calculating the standby time is omitted. Further, as long as the standby time that can be load distribution can be calculated, the time may be the same as the standby time of other multifunction devices. That is, it is a step showing an example of a waiting time determination process for determining a waiting time until the synchronization of authentication information as an authentication table is executed. This waiting time can be rephrased as a time that is randomly determined so that the synchronous execution in a plurality of information processing apparatuses is load-balanced.

  In step S305, the synchronization processing management unit 356 of the MFP 300 waits for the actual synchronization processing for the standby time calculated in step S304. If the standby time has elapsed, the process proceeds to step S306. For example, in the example of FIG. 10, when 23:00 is reached, the standby time is determined within 30 minutes. If the standby time is determined to be 10 minutes, the process of step S306 is executed at 23:10, and the actual authentication table synchronization process is performed.

  Here, the local authentication service setting file of FIG. 10 will be described. FIG. 10 is a diagram showing an example of a local authentication service setting file. The setting file for local authentication service is stored in the HDD of the multifunction machine 300.

The synchronization source IC card authentication server setting value 1001 indicates the value of the IP address of the IC card authentication server 200 to which the local authentication service redirects the authentication request.
The synchronization time setting value 1002 is set to the same time in all the multifunction peripherals, and indicates a reference time value that is the start of synchronization processing.
The load distribution set value 1003 is a time for load distribution, and the standby time is determined within the set time.

  A setting value 1004 for processing from the synchronization time to the completion of synchronization indicates a setting value for redirecting the authentication request to the IC card authentication server 200 from the synchronization reference time to the standby time. If redirection is set, the IC card authentication server 200 is sent an authentication request.

  In step S306, the second IC card authentication server communication unit 357 of the MFP 300 sets the setting value 1001 of the synchronization source IC card authentication server described in the local authentication service setting file of FIG. 10 acquired in step S300. An authentication table acquisition request is transmitted to the IP address to synchronize the authentication table. That is, steps S306 to S311 synchronize authentication information stored in the information processing apparatus (for example, the IC card authentication server) and the information processing apparatus (for example, the multifunction device) according to the synchronization reference time and the standby time. It is a step which shows an example of the synchronous execution process performed.

  In step S307, the local authentication service communication unit 251 of the IC card authentication server 200 receives the authentication table acquisition request transmitted in step S306.

  In step S <b> 308, the authentication table management unit 252 of the IC card authentication server 200 acquires an authentication table serving as a master managed in the IC card authentication server 200.

  In step S309, the local authentication service communication unit 251 of the IC card authentication server 200 transmits the authentication table acquired in step S308 to the multifunction peripheral. The information (authentication information) in the authentication table to be transmitted may be transmitted only for the part (difference) updated in the authentication table, or may be configured to transmit all the authentication information in the authentication table.

  In step S310, the second IC card authentication server communication unit 357 of the MFP 300 acquires the authentication table transmitted in step S309.

  In step S311, the authentication table management unit 355 of the MFP 300 replaces the authentication table acquired in step S310 with an authentication table managed in the MFP and stores the authentication table.

In step S312, the synchronization processing management unit 356 of the multifunction device 300 sets the synchronization completion wait flag managed on the RAM of the multifunction device 300 to FALSE. That is, it means that the synchronization process has been completed. As a result, the subsequent authentication is performed using the authentication table of the MFP 300.
Also, the process moves to step S301 and waits until the next synchronization reference time.

  As described above, according to the present embodiment, even when the synchronization timing of authentication information is shifted in a plurality of information processing apparatuses (for example, multifunction devices), authentication can be performed using the same authentication information. In other words, authentication can be performed using the latest authentication information by a plurality of information processing apparatuses (for example, multi-function peripherals).

  In particular, with a device that performs authentication using local authentication, the synchronization process is executed while distributing the load on the authentication table (the authentication table is inconsistent between MFPs over time). Can be executed. This also makes it possible to reduce security risks.

As described above, the system configuration includes a plurality of MFPs 300 and the IC card authentication server 200. However, the IC card authentication server 200 may be the MFP 300, and an authentication table serving as a master stored in the MFP 300 is as follows. Shall be registered by the administrator.
Furthermore, the information processing apparatus is not limited to this as long as it is an information processing apparatus that performs authentication, such as a printer, as well as the multifunction machine 300.

  It should be noted that the configuration and contents of the various data described above are not limited to this, and it goes without saying that the various data and configurations are configured according to the application and purpose.

  Although one embodiment has been described above, the present invention can take an embodiment as, for example, a system, apparatus, method, program, or recording medium, and specifically includes a plurality of devices. The present invention may be applied to a system including a single device.

  Further, the program according to the present invention is a program that allows a computer to execute the processing methods of the flowcharts shown in FIGS. 5 to 7, and the storage medium according to the present invention is a program that allows the computer to execute the processing methods of FIGS. 5 to 7. Is remembered. The program in the present invention may be a program for each processing method of each apparatus in FIGS.

  As described above, a recording medium that records a program that implements the functions of the above-described embodiments is supplied to a system or apparatus, and a computer (or CPU or MPU) of the system or apparatus stores the program stored in the recording medium. It goes without saying that the object of the present invention can also be achieved by executing the reading.

  In this case, the program itself read from the recording medium realizes the novel function of the present invention, and the recording medium storing the program constitutes the present invention.

  As a recording medium for supplying the program, for example, a flexible disk, hard disk, optical disk, magneto-optical disk, CD-ROM, CD-R, DVD-ROM, magnetic tape, nonvolatile memory card, ROM, EEPROM, silicon A disk, solid state drive, or the like can be used.

  Further, by executing the program read by the computer, not only the functions of the above-described embodiments are realized, but also an OS (operating system) operating on the computer based on an instruction of the program is actually It goes without saying that a case where the function of the above-described embodiment is realized by performing part or all of the processing and the processing is included.

  Furthermore, after the program read from the recording medium is written to the memory provided in the function expansion board inserted into the computer or the function expansion unit connected to the computer, the function expansion board is based on the instructions of the program code. It goes without saying that the case where the CPU or the like provided in the function expansion unit performs part or all of the actual processing and the functions of the above-described embodiments are realized by the processing.

  Further, the present invention may be applied to a system composed of a plurality of devices or an apparatus composed of a single device. Needless to say, the present invention can be applied to a case where the present invention is achieved by supplying a program to a system or apparatus. In this case, by reading a recording medium storing a program for achieving the present invention into the system or apparatus, the system or apparatus can enjoy the effects of the present invention.

Furthermore, by downloading and reading a program for achieving the present invention from a server, database, etc. on a network using a communication program, the system or apparatus can enjoy the effects of the present invention.
In addition, all the structures which combined each embodiment mentioned above and its modification are also included in this invention.

100 client PC
200 IC card authentication server 300 MFP 400 LAN
500 card reader

Claims (7)

An information processing apparatus that can communicate with an information processing apparatus that stores authentication information of a plurality of users as master data, and that stores a synchronization reference time for synchronizing the authentication information,
A waiting time determining means for determining a waiting time until the synchronization of the authentication information is executed;
Synchronization execution means for synchronizing the information processing apparatus and authentication information stored in the information processing apparatus according to the synchronization reference time and the standby time;
Authentication means for authenticating the input authentication information according to the authentication information stored in the information processing apparatus synchronized by the synchronization execution means;
In the case where the input authentication information is received within the waiting time determined by the waiting time determining means in order to execute authentication using authentication information that is the same data as other information processing apparatuses, the authentication means And transmitting means for transmitting an authentication request including the received authentication information so as to be authenticated by an information processing apparatus that stores authentication information of a plurality of users as the master data without authenticating in Information processing apparatus. Synchronization completion determination means for determining whether synchronization by the synchronization execution means is completed,
The information processing apparatus according to claim 1, wherein the authentication unit authenticates the input authentication information when the synchronization completion determination unit determines that the synchronization is completed.   The waiting time determined by the waiting time determining means is randomly determined so that synchronous execution in a plurality of information processing apparatuses is load-balanced. Information processing device. Login control for performing login control according to an authentication result obtained from an information processing apparatus that stores authentication information of a plurality of users as the master data in accordance with an authentication result by the authentication unit or an authentication request transmitted by the transmission unit The information processing apparatus according to claim 1, further comprising means. An information processing apparatus that stores authentication information of a plurality of users as the master data is a server,
The information processing apparatus according to claim 1, wherein the synchronization execution unit receives authentication information of the plurality of users from the server and stores the authentication information. A processing method of an information processing apparatus capable of communicating with an information processing apparatus that stores authentication information of a plurality of users as master data, and storing a synchronization reference time for synchronizing the authentication information,
The information processing apparatus is
A standby time determination step of determining a standby time until the synchronization of the authentication information is performed;
A synchronization execution step of performing synchronization of the information processing apparatus and authentication information stored in the information processing apparatus according to the synchronization reference time and the standby time;
An authentication step of authenticating the input authentication information according to the authentication information stored in the information processing apparatus synchronized in the synchronization execution step;
When the authentication information input is received within the standby time determined in the standby time determination step in order to execute authentication using authentication information that is the same data as other information processing apparatuses, the authentication step And transmitting the authentication request including the received authentication information so as to be authenticated by the information processing apparatus that stores the authentication information of a plurality of users as the master data without performing authentication in Processing method. As a master data, a program of an information processing apparatus capable of communicating with an information processing apparatus that stores authentication information of a plurality of users, and storing a synchronization reference time for synchronizing the authentication information,
The information processing apparatus;
A waiting time determining means for determining a waiting time until the synchronization of the authentication information is executed;
Synchronization execution means for synchronizing the information processing apparatus and authentication information stored in the information processing apparatus according to the synchronization reference time and the standby time;
Authentication means for authenticating the input authentication information according to the authentication information stored in the information processing apparatus synchronized by the synchronization execution means;
In the case where the input authentication information is received within the waiting time determined by the waiting time determining means in order to execute authentication using authentication information that is the same data as other information processing apparatuses, the authentication means And functioning as a transmission means for transmitting an authentication request including the received authentication information so as to be authenticated by an information processing apparatus that stores authentication information of a plurality of users as the master data without authenticating in Program to do.

Images