JP2017102882A - Information processing device, terminal device, program, and information processing system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an information processing device capable of easily implementing ID coordination using account information in an on-premise environment.SOLUTION: An information processing device that issues qualification information for a terminal device to use a service includes authentication means and qualification information issuing means. The authentication means receives an authentication request including organization information, domain information, and account information in an on-premise environment from a terminal device and, if the organization information and domain information which are included in the authentication request are associated in organization management information for associating the organization information and domain information, retrieves a user belonging to an organization identified by the organization information from user management information according to the account information in the on-premise environment. The qualification information issuing means issues qualification information to the retrieved user.SELECTED DRAWING: Figure 12

Description

  The present invention relates to an information processing device, a terminal device, a program, and an information processing system.

  In recent years, there is a demand for using a cloud service based on account information managed by an AD (active directory) in a user environment. ID linkage using ADFS (Active Directory Federation Service) or ADFS Proxy is already known.

  For example, methods for establishing single ID / single sign-on on a cloud computing platform are conventionally known. Conventional methods verify user credentials associated with a computer and receive domain identification information from which a single ID will be established.

  The conventional method then configures a directory service on the cloud computing platform for sign-on from domain users in response to verification of user credentials. In the conventional method, in response to the determination that the directory service approves the credential information associated with the login, it is determined to permit the login to the second computer.

  Further, in the conventional method, in response to the determination approved by the directory service, the credential information associated with the login is approved so as to access the software service provided on the cloud computing platform (for example, Patent Document 1). reference).

  However, ID linkage using ADFS or ADFS Proxy has a problem that it requires specialized knowledge and cost such as preparation and construction of a server environment for operating ADFS or ADFS Proxy, and operation after construction.

  Embodiments of the present invention have been made in view of the above points, and an object of the present invention is to provide an information processing apparatus that can easily realize ID linkage using account information in an on-premises environment.

  In order to achieve the above-described problem, claim 1 of the present application is an information processing device that issues qualification information for a terminal device to use a service, and is configured to receive organization information, domain information, and an on-premises environment from the terminal device. If an authentication request including account information is received and the organization information and the domain information included in the authentication request are associated with the organization management information that associates the organization information with the domain information, And authentication means for searching for user belonging to the organization identified by the organization information from user management information by account information in the on-premises environment, and qualification information issuing means for issuing the qualification information to the searched user. It is characterized by.

  According to the embodiment of the present invention, ID linkage using account information in an on-premises environment can be easily realized.

It is a lineblock diagram of an example of an information processing system concerning a 1st embodiment. It is a hardware block diagram of an example of a computer. 1 is a hardware configuration diagram of an example of an image forming apparatus according to a first embodiment. It is a processing block diagram of an example of the service provision system which concerns on 1st Embodiment. It is a processing block diagram of an example of an authentication / authorization unit. It is a processing block diagram of an example of a client terminal. It is a block diagram of an example of the client information which a client management part manages. It is a block diagram of an example of the tenant information which a tenant information storage part memorize | stores. It is a block diagram of an example of the user information which a user information storage part memorize | stores. It is a block diagram of an example of the license information which a license information storage part memorize | stores. It is explanatory drawing which shows an example of the preparation of simple directory authentication. FIG. 10 is a sequence diagram illustrating an example of a print job registration process using simple directory authentication. It is explanatory drawing of an example of the request | requirement of simple directory authentication. It is a flowchart of an example of the simple directory authentication process in an authentication and authorization part. FIG. 10 is a sequence diagram illustrating an example of a print job execution process using simple directory authentication. It is a sequence diagram which shows the other example of the preparation of simple directory authentication. It is an image figure of an example of a service setting screen. It is a block diagram of an example of the file of a tenant authentication key. It is a sequence diagram of an example of processing for setting a tenant authentication key. FIG. 10 is a sequence diagram illustrating another example of a print job registration process using simple directory authentication. It is an image figure of an example of a user setting screen.

Hereinafter, embodiments of the present invention will be described with reference to the drawings.
[First Embodiment]
<System configuration>
FIG. 1 is a configuration diagram of an example of an information processing system according to the first embodiment. An information processing system 1000 in FIG. 1 includes a network N1 in an on-premises environment such as an intra-office network, and a network N2 in a cloud computing environment such as the Internet.

  The network N1 is a private network inside the firewall FW. The firewall FW is installed at the contact point between the network N1 and the network N2, and detects and blocks unauthorized access. A client terminal 1011, an AD (active directory) server apparatus 1012, and an image forming apparatus 1013 such as a multifunction peripheral are connected to the network N 1.

  The client terminal 1011 is an example of a terminal device. The client terminal 1011 can be realized by an information processing apparatus equipped with a general OS or the like. The client terminal 1011 has a wireless communication means or a wired communication means. The client terminal 1011 is a terminal that can be operated by a user, such as a desktop PC, a notebook PC, a smartphone, a mobile phone, or a tablet PC.

  The AD server apparatus 1012 performs processing related to the active directory. The AD server apparatus 1012 centrally manages various resources existing on the network N1, user information, authority, and the like. For example, the AD server device 1012 can centrally manage information such as account information of users who use various resources existing on the network N1 and access authority to each resource. The AD server apparatus 1012 manages users using various resources existing on the network N1 in units of domains.

  The image forming apparatus 1013 is an apparatus having an image forming function such as a multifunction peripheral. The image forming apparatus 1013 is also an example of a terminal device. The image forming apparatus 1013 includes a wireless communication unit or a wired communication unit. The image forming apparatus 1013 is an apparatus that performs processing related to image formation, such as a multifunction peripheral, a copier, a scanner, a printer, a laser printer, a projector, and an electronic blackboard. Although FIG. 1 shows an example in which the client terminal 1011, the AD server apparatus 1012, and the image forming apparatus 1013 are each one, a plurality of clients may be used.

  A service providing system 1014 is connected to the network N2. The service providing system 1014 is realized by one or more information processing apparatuses. The service providing system 1014 is an example of a system that provides some service to the client terminal 1011 and the image forming apparatus 1013. In the information processing system 1000 according to the first embodiment, as will be described later, the AD server apparatus 1012 and the service providing system 1014 use ID linkage using account information in the on-premises environment of the user managed by the AD server apparatus 1012. To do. Details of the service providing system 1014 will be described later.

<Hardware configuration>
The client terminal 1011 and the AD server device 1012 in FIG. 1 are realized by a computer having a hardware configuration as shown in FIG. One or more information processing apparatuses that implement the service providing system 1014 are also realized by a computer having a hardware configuration shown in FIG.

  FIG. 2 is a hardware configuration diagram of an example of a computer. The computer 100 of FIG. 2 includes an input device 101, a display device 102, an external I / F 103, a RAM 104, a ROM 105, a CPU 106, a communication I / F 107, an HDD 108, and the like.

  The input device 101 includes a keyboard, a mouse, a touch panel, and the like, and is used by a user to input each operation signal. The display device 102 includes a display and the like, and displays a processing result by the computer 100. The input device 101 and the display device 102 may be connected and used when necessary.

  The communication I / F 107 is an interface that connects the computer 100 to the networks N1 and N2. Thereby, the computer 100 can perform data communication via the communication I / F 107.

  The HDD 108 is a nonvolatile storage device that stores programs and data. The stored programs and data include, for example, an OS that is basic software for controlling the entire computer 100, and application software that provides various functions on the OS. The computer 100 may use a drive device (for example, a solid state drive: SSD) that uses a flash memory as a storage medium instead of the HDD 108.

  The external I / F 103 is an interface with an external device. The external device includes a recording medium 103a. Accordingly, the computer 100 can read and / or write the recording medium 103a via the external I / F 103. Examples of the recording medium 103a include a flexible disk, a CD, a DVD, an SD memory card, and a USB memory.

  The ROM 105 is a nonvolatile semiconductor memory (storage device) that can retain programs and data even when the power is turned off. The ROM 105 stores programs and data such as BIOS, OS settings, and network settings that are executed when the computer 100 is started up. The RAM 104 is a volatile semiconductor memory (storage device) that temporarily stores programs and data.

  The CPU 106 is an arithmetic unit that realizes control and functions of the entire computer 100 by reading a program and data from a storage device such as the ROM 105 and the HDD 108 onto the RAM 104 and executing processing.

  The client terminal 1011 and the AD server device 1012 in FIG. 1 can implement various processes as described later by the hardware configuration of the computer 100. In addition, one or more information processing apparatuses that implement the service providing system 1014 can also implement various processes as described below by the hardware configuration of the computer 100.

  FIG. 3 is a hardware configuration diagram of an example of the image forming apparatus according to the first embodiment. An image forming apparatus 1013 illustrated in FIG. 3 includes a controller 201, an operation panel 202, an external I / F 203, a communication I / F 204, a printer 205, a scanner 206, and the like.

  The controller 201 includes a CPU 211, a RAM 212, a ROM 213, an NVRAM 214, an HDD 215, and the like. The ROM 213 stores various programs and data. The RAM 212 temporarily stores programs and data. The NVRAM 214 stores setting information, for example. The HDD 215 stores various programs and data.

  The CPU 211 implements control and functions of the entire image forming apparatus 1013 by reading programs, data, setting information, and the like from the ROM 213, the NVRAM 214, the HDD 215, and the like onto the RAM 212 and executing processing.

  The operation panel 202 includes an input unit that receives input from the user and a display unit that performs display. The external I / F 203 is an interface with an external device. The external device includes a recording medium 203a. Accordingly, the image forming apparatus 1013 can read and / or write the recording medium 203a via the external I / F 203. Examples of the recording medium 203a include an IC card, a flexible disk, a CD, a DVD, an SD memory card, and a USB memory.

  A communication I / F 204 is an interface for connecting the image forming apparatus 1013 to the network N2. Accordingly, the image forming apparatus 1013 can perform data communication via the communication I / F 204.

  A printer 205 is a printing device for printing print data on a transported object. For example, the object to be conveyed is not limited to paper such as paper, coated paper, cardboard, OHP, plastic film, prepreg, and copper foil. A scanner 206 is a reading device for reading image data (electronic data) from a document and generating an image file (electronic file).

  The image forming apparatus 1013 according to the present embodiment can realize various processes as described below with the above hardware configuration. Note that the description of the hardware configuration of the firewall FW is omitted.

<Software configuration>
《Service provision system》
The service providing system 1014 according to the first embodiment is realized by, for example, the processing blocks illustrated in FIG. FIG. 4 is a processing block diagram of an example of the service providing system according to the first embodiment. The service providing system 1014 implements a processing block as shown in FIG. 4 by executing a program.

  The service providing system 1014 in FIG. 4 realizes an application 1101, a common service 1102, a database (DB) 1103, a management 1104, a business 1105, and a platform API 1106.

  The application 1101 includes a portal service application 1111, a scan service application 1112, and a print service application 1113 as an example.

  The portal service application 1111 is an application that provides a portal service. The portal service provides a service serving as an entrance for using the service providing system 1014. The scan service application 1112 is an application that provides a scan service. The print service application 1113 is an application that provides a print service. The application 1101 may include other service applications.

  The platform API 1106 is an interface for the portal service application 1111, the scan service application 1112, the print service application 1113, and the like to use the common service 1102. The platform API 1106 is a pre-defined interface provided for the common service 1102 to receive a request from the application 1101 and includes, for example, a function and a class.

  The platform API 1106 can be realized by, for example, a Web API that can be used via a network when the service providing system 1014 includes a plurality of information processing apparatuses.

  The common service 1102 includes an authentication / authorization unit 1121, a tenant management unit 1122, a user management unit 1123, a client management unit 1124, a license management unit 1125, a device management unit 1126, a temporary image storage unit 1127, a log collection unit 1128, and an image processing workflow. A control unit 1130 is included.

  The image processing workflow control unit 1130 includes a message queue 1131 and one or more workers 1132. The worker 1132 implements functions such as image conversion and image transmission.

  The authentication / authorization unit 1121 executes authentication / authorization based on an authentication request from an office device such as the client terminal 1011 or the image forming apparatus 1013. Office equipment is a generic term for the client terminal 1011 and the image forming apparatus 1013. For example, the authentication / authorization unit 1121 accesses the database 1103 to authenticate / authorize the user.

  The authentication / authorization unit 1121 accesses the database 1103 to authenticate the image forming apparatus 1013. Further, the authentication / authorization unit 1121 accesses the database 1103 and performs simple directory authentication described later.

  The tenant management unit 1122 manages tenant information stored in a tenant information storage unit 1142 described later. A tenant is a unit of a group such as a company or a department. The user management unit 1123 manages user information stored in a user information storage unit 1143 described later. The client management unit 1124 manages client information described later.

  The license management unit 1125 manages license information stored in a license information storage unit 1144 described later. The device management unit 1126 manages device information stored in a device information storage unit 1145 described later. The temporary image storage unit 1127 stores a temporary image in a temporary image storage unit 1146, which will be described later, and acquires a temporary image from the temporary image storage unit 1146. The log collection unit 1128 manages log information stored in a log information storage unit 1141 described later.

  An image processing workflow control unit 1130 controls a workflow related to image processing based on a request from the application 1101. The message queue 1131 has a queue corresponding to the type of processing. The image processing workflow control unit 1130 puts a request message relating to a process (job) into a queue corresponding to the type of the job.

  Worker 1132 is monitoring the corresponding queue. When a message is input to the queue, the worker 1132 performs processing such as image conversion and image transmission according to the type of the corresponding job. The message put in the queue may be read by the worker 1132 (Pull) or may be provided to the worker 1132 from the queue (Push).

  4 includes a log information storage unit 1141, a tenant information storage unit 1142, a user information storage unit 1143, a license information storage unit 1144, a device information storage unit 1145, a temporary image storage unit 1146, a job information storage unit 1147, and a client. An information storage unit 1148 and an application-specific setting information storage unit 1150 are included.

  The log information storage unit 1141 stores log information. The tenant information storage unit 1142 stores tenant information. The user information storage unit 1143 stores user information. The license information storage unit 1144 stores license information. The device information storage unit 1145 stores device information.

  The temporary image storage unit 1146 stores a temporary image. The temporary image is, for example, a file or data such as a scanned image processed by the worker 1132. The job information storage unit 1147 stores request information (job information) related to processing (job). The client information storage unit 1148 stores client information described later. The application specific setting information storage unit 1150 stores setting information specific to the application 1101.

  The management 1104 in FIG. 4 includes a monitoring unit, a deployment unit, a server account management unit, and a server login management unit as an example. 4 includes, as an example, a customer information management unit, a contract management unit, a sales management unit, a license management unit, and a development environment unit.

  The service providing system 1014 functions as an integrated platform that provides common services such as workflows related to authentication / authorization and image processing, and a service group that provides application services such as a scan service and a print service by using the functions of the integrated platform. .

  The integrated platform is configured by, for example, a common service 1102, a DB 1103, a management 1104, a business 1105, and a platform API 1106. The service group is configured by, for example, the application 1101. The service providing system 1014 shown in FIG. 4 can easily develop an application 1101 that uses the platform API 1106 by separating the service group and the integration platform.

  Note that the processing block classification form of the service providing system 1014 illustrated in FIG. 4 is an example, and the application 1101, the common service 1102, the DB 1103, the management 1104, and the business 1105 are classified in a hierarchy as illustrated in FIG. It is not essential. As long as the processing of the service providing system 1014 according to the first embodiment can be performed, the hierarchical relationship shown in FIG. 4 is not limited to a specific one.

  FIG. 5 is a processing block diagram of an example of the authentication / authorization unit. The authentication / authorization unit 1121 in FIG. 5 includes a simple directory authentication processing unit 11, a user information setting unit 12, a service use authority setting unit 13, a ticket issuing unit 14, and a normal authentication processing unit 15.

  The simple directory authentication processing unit 11 performs simple directory authentication described later using account information in an on-premises environment managed by the AD server device 1012. The user information setting unit 12 performs processing related to user information setting. The service usage authority setting unit 13 performs processing related to setting of service usage authority. The ticket issuing unit 14 performs processing related to issuing an authentication ticket necessary for using the application 1101 such as the print service application 1113. The normal authentication processing unit 15 performs normal authentication using account information in the service providing system 1014.

  FIG. 6 is a processing block diagram of an example of a client terminal. The client terminal 1011 shown in FIG. 6 includes an OS (operating system) 20 and a client application 30. The client terminal 1011 implements a logon processing unit 21 and an AD authentication request unit 22 by executing the OS 20. The client terminal 1011 implements a print job registration processing unit 31 and a simple directory authentication request unit 32 by executing the client application 30.

  The logon processing unit 21 performs processing related to user logon. The AD authentication request unit 22 requests the AD server apparatus 1012 to authenticate with account information in an on-premises environment. Hereinafter, authentication based on account information in an on-premises environment is referred to as AD authentication.

  The print job registration processing unit 31 uses the authentication ticket issued by the authentication / authorization unit 1121 to register the print job in the application 1101 such as the print service application 1113. The simple directory authentication request unit 32 makes a simple directory authentication request, which will be described later using the account information in the on-premises environment, to the authentication / authorization unit 1121.

  FIG. 7 is a configuration diagram of an example of client information managed by the client management unit. The client information in FIG. 7 includes items such as an internal ID, a client ID, a client key, and a provided service.

  The internal ID is a primal key (primary key) in the database 1103 and is used for internal management. The client ID is an ID for identifying the client application 30. The client key is a secret key for authenticating the client application 30. The provided service is information representing a service provided by the client application 30.

  FIG. 8 is a configuration diagram of an example of tenant information stored in the tenant information storage unit. The tenant information in FIG. 8 includes items such as an internal ID, a tenant ID, a tenant authentication key, and a domain. The internal ID is a primal key (primary key) in the database 1103 and is used for internal management. The tenant ID is an ID for identifying a tenant. The tenant authentication key is a secret key for authenticating the tenant. The domain is a domain name of a directory service such as an active directory.

  FIG. 9 is a configuration diagram of an example of user information stored in the user information storage unit. The user information shown in FIG. 9 includes items such as an internal ID, a tenant ID, a user ID, a surname, a first name, a mail address, and an on-premises ID. The internal ID is a primal key (primary key) in the database 1103 and is used for internal management. The tenant ID is the tenant ID of the tenant to which the user belongs.

  The user ID is an ID for identifying the user in the service providing system 1014. The last name is the user's last name. The name is the name of the user. The email address is the user's email address. The on-premises ID is an ID for identifying a user in the on-premises environment (hereinafter referred to as an AD user ID).

  FIG. 10 is a configuration diagram of an example of license information stored in the license information storage unit. The license information in FIG. 10 includes items such as internal ID, service type, number of licenses, tenant ID, and user. The internal ID is a primal key (primary key) in the database 1103 and is used for internal management.

  The service type represents the service type of the license. The number of licenses represents the number of users who can use the service. The tenant ID is the ID of the tenant who holds the license. The user is a user ID of a user who can use the service.

<Details of processing>
Hereinafter, details of processing of the information processing system 1000 according to the first embodiment will be described. In the first embodiment, as an example, a process for printing a print job registered in the service providing system 1014 using the image forming apparatus 1013 will be described.

《Preparation》
FIG. 11 is an explanatory diagram showing an example of preparation for simple directory authentication. For example, the tenant administrator prepares for simple directory authentication according to the procedure shown in FIG. In step S11, the tenant administrator logs in to the service providing system 1014 with the administrator account. In step S <b> 12, the administrator issues a tenant authentication key issuance request for simple directory authentication and domain name registration to the service providing system 1014.

  In step S13, the service providing system 1014 registers the domain name in the item “domain” of the tenant information in FIG. 8 and issues a tenant authentication key. The service providing system 1014 registers the issued tenant authentication key in the tenant information in FIG. Through the processing in step S13, the tenant information shown in FIG. 8 is in a state where the tenant authentication key and the domain are stored. The service providing system 1014 displays the tenant authentication key file and the download screen of the client application 30 on the client terminal 1011.

  In step S <b> 14, the tenant administrator downloads the tenant authentication key file to the client terminal 1011. In step S <b> 15, the tenant administrator downloads the client application 30 to the client terminal 1011. In step S16, the tenant administrator distributes the tenant authentication key file and the client application 30 to the client terminal 1011 of the user who uses the simple directory authentication. With the processing up to step S16, the preparation for the simple directory authentication is completed.

《Register print job》
FIG. 12 is a sequence diagram illustrating an example of a print job registration process using simple directory authentication. In step S21, the user operates the client terminal 1011 participating in the domain, and requests the OS 20 to log on by specifying the AD user ID and password. The logon processing unit 21 of the client terminal 1011 accepts a logon request from the user. In step S22, the AD authentication request unit 22 of the OS 20 specifies an AD user ID and password and requests AD authentication.

  If the combination of the AD user ID and password designated for AD authentication is registered, the AD server device 1012 returns an authentication result of successful logon to the AD authentication request unit 22 of the OS 20. Here, the description is continued assuming that the logon is successful. In step S23, the logon processing unit 21 of the OS 20 notifies the user of successful logon by, for example, a screen display.

  In step S24, the user operates the client terminal 1011 to request the print job registration processing unit 31 of the client application 30 to execute print job registration. In step S25, the simple directory authentication request unit 32 of the client application 30 requests the OS 20 to acquire logon information. The simple directory authentication request unit 32 of the client application 30 acquires a domain and an AD user ID as logon information. In the sequence diagram of FIG. 12, an example in which the logon information is acquired from the OS 20 is shown, but the logon information may be acquired from the AD server device 1012.

  In step S26, the simple directory authentication requesting unit 32 of the client application 30 requests the AD server device 1012 to acquire AD user information, and acquires the first name, last name, and mail address associated with the AD user ID.

  In step S 27, the simple directory authentication request unit 32 requests simple directory authentication from the authentication / authorization unit 1121 of the service providing system 1014. The arguments for simple directory authentication include a client ID, a client key, a tenant authentication key, a domain, an AD user ID, a user ID, a last name, a first name, a mail address, and the like.

  For example, the client ID and client key embedded in the client application 30 can be used. The tenant authentication key can be read from the tenant authentication key file distributed in step S16. As the domain and AD user ID, those acquired from the OS 20 in step S25 can be used. The surname, first name, and e-mail address acquired in step S26 can be used.

  The user ID is an ID for identifying the user in the service providing system 1014. The same user ID as the AD user ID can be used as the argument of the simple directory authentication, but it is necessary to set an appropriate value in the processing, for example, when a prohibited character of the authentication / authorization unit 1121 is included. An appropriate value may be set by the authentication / authorization unit 1121.

  The request for simple directory authentication in step S27 is performed by a request as shown in FIG. 13, for example. FIG. 13 is an explanatory diagram of an example of a simple directory authentication request.

  The simple directory authentication request shown in FIG. 13 represents a client ID “clientA” and a client key “Poehjfkdng712FssfFsA” as information of the client application 30.

  The tenant ID “123456789” and the tenant authentication key “dHJZPLbv8otCTGAyrIwm” are represented as tenant information. The domain “ad.example.com” and the AD user ID “ad_userA” are shown as information of users who are logged on to the OS 20. As user information in the service providing system 1014, a user ID “userA”, a mail address “ad_userA@example.com”, a surname “Yamada”, and a name “Taro” are represented. The service type “CloudPrint” is represented as service information.

  Returning to FIG. 12, the simple directory authentication processing unit 11 of the authentication / authorization unit 1121 performs the process of step S28 if the user parameter is included in the simple directory authentication request of step S27. In step S28, the user information setting unit 12 of the authentication / authorization unit 1121 creates a new user or updates user information based on the user parameters included in the request for simple directory authentication in step S27.

  A new user is created by adding a user information record based on the user parameters included in the request for simple directory authentication in step S27. The simple directory authentication processing unit 11 of the authentication / authorization unit 1121 performs the process of step S29 if the service parameter is included in the request for simple directory authentication of step S27. In step S29, the service usage authority setting unit 13 of the authentication / authorization unit 1121 grants service usage authority based on the service parameters included in the request for simple directory authentication in step S27.

  In step S 30, the ticket issuing unit 14 of the authentication / authorization unit 1121 issues an authentication ticket for using the print service application 1113. In step S31, the authentication / authorization unit 1121 returns an authentication ticket to the client application 30.

  In step S32, the print job registration processing unit 31 of the client application 30 requests the print service application 1113 to register the print job with the issued authentication ticket attached. The print service application 1113 registers a print job in association with the authentication ticket. The print service application 1113 returns the print job registration result to the print job registration processing unit 31 of the client application 30. In step S33, the print job registration processing unit 31 of the client application 30 notifies the user of the completion of print job registration by, for example, a screen display.

  In the sequence diagram of FIG. 12, the authentication / authorization unit 1121 performs simple directory authentication as shown in FIG. FIG. 14 is a flowchart of an example of a simple directory authentication process in the authentication / authorization unit.

  In step S51, the simple directory authentication processing unit 11 of the authentication / authorization unit 1121 refers to the client information shown in FIG. 7 and performs application authentication. In the application authentication, the client ID and the client key of the client information are checked, and the registered client application 30 is authenticated.

  If it is a registered client application 30, the process proceeds to step S52, and the simple directory authentication processing unit 11 performs tenant authentication with reference to the tenant information shown in FIG. Tenant authentication is to check the tenant authentication key of the tenant information and authenticate whether the tenant authentication key is the tenant authentication key of any tenant.

  If the tenant authentication key is the tenant authentication key of any tenant, the simple directory authentication processing unit 11 proceeds to step S53, refers to the tenant information, and checks the domain parameter. The domain parameter check confirms whether the domain of the tenant information matches the domain of the corresponding tenant.

  If the domain of the tenant information matches the domain of the corresponding tenant, the simple directory authentication processing unit 11 proceeds to step S54 and performs a user search based on the on-premises ID. The user search based on the on-premises ID refers to the user information in FIG. 9 and searches for users who belong to the corresponding tenant and have the same on-premises ID (AD user ID).

  If a user belonging to the corresponding tenant and matching the on-premises ID is not found, the simple directory authentication processing unit 11 proceeds to step S55 and checks the parameter of the user ID of the user information.

  If the user ID parameter of the user information is designated, the simple directory authentication processing unit 11 proceeds to step S56 and checks the user parameter. If the user parameter is OK, the user information setting unit 12 creates a new user in step S57.

  If a user belonging to the corresponding tenant and having the same on-premises ID is found, the simple directory authentication processing unit 11 proceeds to step S58 and confirms the presence or absence of the user parameter. If there is a user parameter, the simple directory authentication processing unit 11 proceeds to step S59 and checks the user parameter. If the user parameter is OK, the user information setting unit 12 updates the user information in step S60. For example, updating of user information is a process of updating the first name, last name, and e-mail address in the user information of FIG.

  In step S61, the simple directory authentication processing unit 11 checks the presence / absence of a service parameter. If there is a service parameter, the simple directory authentication processing unit 11 proceeds to step S62 and checks the service parameter. If the service parameter check is OK, the simple directory authentication processing unit 11 proceeds to step S63, and sets the service use authority with reference to the license information in FIG. In setting the service use authority, the license information of the corresponding service type is searched from the license information shown in FIG. 10, and the user ID is added to the item of the use user. At this time, the simple directory authentication processing unit 11 also refers to the client information in FIG. 7 and responds with an error if the service is not provided by the corresponding client application 30. In step S64, the ticket issuing unit 14 issues an authentication ticket and returns the authentication ticket to the client application 30 as a success response.

  If the client application 30 is not registered in step S51, or if the tenant authentication key is not a tenant authentication key of any tenant in step S52, the simple directory authentication processing unit 11 returns a failure response.

  If the domain of the tenant information does not match the domain of the corresponding tenant in step S53, or if the user ID parameter of the user information is not specified in step S55, the simple directory authentication processing unit 11 returns a failure response. .

  If the user parameter is not OK in step S56, if the user parameter is not OK in step S59, or if the service parameter check is not OK in step S62, the simple directory authentication processing unit 11 returns a failure response.

《Print job execution》
FIG. 15 is a sequence diagram illustrating an example of a print job execution process using simple directory authentication. For example, the user who has registered the print job causes the image forming apparatus 1013 to execute the print job according to the procedure shown in FIG.

  In step S81, the user logs in to the image forming apparatus 1013 using, for example, an IC card. In step S82, the image forming apparatus 1013 acquires an AD user ID associated with the IC card from the AD server apparatus 1012. In step S83, the image forming apparatus 1013 makes a job list acquisition request with the AD user ID to the service providing system 1014.

  In step S84, the service providing system 1014 returns an authentication ticket based on the AD user ID and a job list to the image forming apparatus 1013. The image forming apparatus 1013 displays a job list and receives a print instruction specifying a print job from the user. In step S85, the image forming apparatus 1013 requests the service providing system 1014 for a print job designated by the user. In step S86, the service providing system 1014 returns the requested print job data to the image forming apparatus 1013. Then, the image forming apparatus 1013 performs printing using the returned print job data.

(Summary)
As illustrated in the sequence diagram of FIG. 12, the information processing system 1000 according to the first embodiment automatically generates user information in the service providing system 1014 based on account information in an on-premises environment. In addition, the information processing system 1000 according to the first embodiment enables login to the service providing system 1014 using the automatically generated user information. Therefore, the information processing system 1000 according to the first embodiment can easily realize ID linkage using account information in an on-premises environment without using ADFS or ADFS Proxy. According to the first embodiment, a user can use a service provided by the service providing system 1014 by inputting account information in an on-premises environment.
[Second Embodiment]
Since the second embodiment is the same as the first embodiment described above except for a part, the description thereof will be omitted as appropriate.

<Details of processing>
Hereinafter, details of processing of the information processing system 1000 according to the second embodiment will be described. In the second embodiment, as an example, a process for printing a print job registered in the service providing system 1014 by the image forming apparatus 1013 will be described.

《Preparation》
FIG. 16 is a sequence diagram showing another example of preparation for simple directory authentication. For example, the tenant administrator prepares for simple directory authentication according to the procedure shown in FIG. The sequence diagram of FIG. 16 includes a procedure for issuing a tenant authentication key and a procedure for distributing a tenant authentication key.

  In the sequence diagram of FIG. 16, the service providing system 1014 issues a tenant authentication key. The tenant authentication key is used for authentication when registering a print job from the client application 30 to the service providing system 1014. The sequence diagram of FIG. 16 shows a procedure in which the tenant administrator issues and distributes the tenant authentication key in advance. Note that the user and administrator shown in FIG. 16 are the client terminals 1011 operated by the user and administrator.

  In step S101, the tenant administrator requests the login to the portal service application 1111 of the service providing system 1014 with the administrator account. In step S102, the portal service application 1111 requests the authentication / authorization unit 1121 to log in using the administrator account requested to log in by the administrator.

  In step S103, the authentication / authorization unit 1121 verifies the administrator account requested to log in, and returns the verification result to the portal service application 1111. Here, it is assumed that an OK verification result is returned to the portal service application 1111. In step S104, the portal service application 1111 displays a service setting screen on the client terminal 1011 of the administrator.

  In the first procedure shown in steps S <b> 101 to S <b> 104, the tenant administrator logs in to the service providing system 1014 with the administrator account registered in the service providing system 1014. With this login, the service providing system 1014 can determine the tenant that issues the tenant authentication key.

  FIG. 17 is an image diagram of an example of the service setting screen. The service setting screen in FIG. 17 includes a column for setting a domain name of a tenant and a “download file” button for requesting issuance of a tenant authentication key. The service setting screen of FIG. 17 is displayed using a browser, for example. As the domain name of the tenant, for example, a domain used in the AD server device 1012 is registered.

  In step S105, for example, the administrator can set the domain name on the service setting screen of FIG. The administrator's client terminal 1011 designates a domain name and requests issuance of a tenant authentication key.

  In step S106, the portal service application 1111 specifies the domain name and requests the authentication / authorization unit 1121 to issue a tenant authentication key. In step S107, the authentication / authorization unit 1121 issues a tenant authentication key associated with the administrator's tenant.

  In step S108, the authentication / authorization unit 1121 registers the set domain name and the issued tenant authentication key in the tenant information of FIG. The tenant information shown in FIG. 8 is in a state where the tenant authentication key and the domain are stored. The authentication / authorization unit 1121 notifies the portal service application 1111 of the issued tenant authentication key.

  In step S109, the portal service application 1111 downloads the tenant authentication key file to the administrator's client terminal 1011. The tenant authentication key is provided to the administrator's client terminal 1011 by downloading the tenant authentication key file or displaying the tenant authentication key text on the browser.

  In the second procedure shown in steps S105 to S109, the tenant administrator designates the domain name, requests the service providing system 1014 to issue a tenant authentication key, and acquires the tenant authentication key file. .

  FIG. 18 is a configuration diagram of an example of a tenant authentication key file. The tenant authentication key in the file may be encrypted. The tenant authentication key file may be downloaded from the service providing system 1014 to the administrator's client terminal 1011 in a form bundled with the client application 30.

  In step S110, the tenant administrator distributes the tenant authentication key file to the client terminal 1011 of the user. In the third procedure shown in step S110, the tenant authentication key is distributed to the client terminal 1011 of the user in the tenant.

  The user to whom the tenant authentication key has been distributed sets the tenant authentication key in the client terminal 1011 of the user, for example, according to the procedure shown in FIG. FIG. 19 is a sequence diagram illustrating an example of processing for setting a tenant authentication key.

  In step S121, the user places the distributed tenant authentication key on the OS 20 of the user's client terminal 1011. The location of the tenant authentication key may be the same file storage location (folder or the like) as the client application 30 installer, or may be the file storage location selected when the client application 30 is installed. When the tenant authentication key file is distributed to the client terminal 1011 of the user in the form bundled with the client application 30, the process of step S121 is not necessary.

  In step S122, the user operates the client terminal 1011 to install the client application 30. In step S123, the installed client application 30 acquires a tenant authentication key from the tenant authentication key file arranged in the OS 20.

  In step S124, the client application 30 sets the acquired tenant authentication key in the OS 20. In step S125, the OS 20 writes and saves the tenant authentication key in the registry. When the tenant authentication key is encrypted, the client application 30 sets the decrypted tenant authentication key in the OS 20. With the processing so far, the preparation for simple directory authentication is completed.

《Register print job》
FIG. 20 is a sequence diagram illustrating another example of a print job registration process using simple directory authentication. The user registers the print job in the service providing system 1014 according to the procedure shown in FIG. The sequence diagram of FIG. 20 includes a procedure for logging on, a procedure for preparing for printing, and a procedure for registering a print job.

  In step S131, the user operates the client terminal 1011 participating in the domain, requests the OS 20 to log on to the client terminal 1011 by specifying the AD user ID and password. The OS 20 accepts a logon request from the user.

  In step S132, the OS 20 requests the AD server apparatus 1012 for AD authentication by specifying the AD user ID and password. If the combination of the AD user ID and password designated for AD authentication is registered, the AD server device 1012 returns an authentication result of successful logon to the OS 20. Here, the description is continued assuming that the logon is successful.

  In step S133, the OS 20 notifies the user of successful logon by, for example, a screen display. In the first procedure shown in steps S <b> 131 to S <b> 133, the user is logged on to the client terminal 1011 by authentication by the AD server device 1012.

  In step S134, the user instructs the existing document creation software 40 to print and displays a printer list. In step S135, the user operates the client terminal 1011 to select a printer. In the second procedure shown in steps S134 to S135, a printer that performs printing is selected as a preparation for printing.

  In step S136, the user operates the client terminal 1011 to instruct the document creation software 40 to execute printing. The document creation software 40 instructed to execute printing inputs the document to the client application 30 in step S137. In step S138, the client application 30 acquires the tenant authentication key stored in the registry from the OS 20.

  When the tenant authentication key can be acquired from the OS 20, the client application 30 displays a user setting screen shown in FIG. 21, for example, on the client terminal 1011 of the user and requests user information in step S139.

  FIG. 21 is an image diagram of an example of a user setting screen. The user setting screen in FIG. 21 is provided with a selection field (for example, a check box) for allowing the user to select whether or not to use simple directory authentication. In step S140, the user selects whether to use simple directory authentication. Here, it is assumed that use of simple directory authentication (AD cooperation) is selected. If simple directory authentication is used but not selected, normal authentication is performed by entering a user name and password registered in advance in the service providing system 1014, and the print service application 1113 is used.

  In step S141, the client terminal 1011 of the user notifies the client application 30 that simple directory authentication is to be used (AD cooperation). In step S142, the client application 30 requests the OS 20 to acquire logon information. The client application 30 acquires a domain and an AD user ID as logon information.

  In step S143, the client application 30 requests the AD server apparatus 1012 to acquire AD user information, and acquires the first name, last name, and mail address associated with the AD user ID. If user information is not required, the AD server apparatus 1012 may not be inquired.

  In step S144, the client application 30 requests simple directory authentication from the authentication / authorization unit 1121 of the service providing system 1014. The arguments for simple directory authentication include a client ID, a client key, a tenant authentication key, a domain, an AD user ID, a user ID, a last name, a first name, a mail address, and the like.

  The request for simple directory authentication in step S144 is performed by a request as shown in FIG. 13, for example. The authentication / authorization unit 1121 performs the simple directory authentication process illustrated in FIG. 14, issues an authentication ticket for using the print service application 1113, and returns it to the client application 30. The client application 30 can use the API of the print service application 1113 by acquiring the authentication ticket. The authentication ticket is authentication information (information indicating that authentication is permitted) required when using the API of the print service application 1113.

  When issuing the authentication ticket, the authentication / authorization unit 1121 verifies the domain and tenant authentication key registered in advance. The issued authentication ticket is stored in the client application 30 as a cache, and is used at the second and subsequent print job registrations. In addition, the client application 30 uses the authentication ticket to convert the document into a state where the print service application 1113 can print.

  In step S145, the client application 30 requests the print service application 1113 to register a print job with the issued authentication ticket attached. The print service application 1113 registers a print job in association with the authentication ticket. The print service application 1113 returns the print job registration result to the client application 30. In step S146, the client application 30 notifies the user of the completion of print job registration by, for example, a screen display.

《Print job execution》
Since the print job execution process using simple directory authentication is the same as that of the first embodiment, description thereof is omitted.

(Summary)
As shown in the sequence diagram of FIG. 20, the information processing system 1000 according to the second embodiment automatically generates user information in the service providing system 1014 based on account information in an on-premises environment. In addition, the information processing system 1000 according to the second embodiment enables login to the service providing system 1014 using the automatically generated user information. Therefore, the information processing system 1000 according to the second embodiment can easily realize ID linkage using account information in an on-premises environment without using ADFS or ADFS Proxy.

  Thus, according to the second embodiment, the tenant authentication key issued by the service providing system 1014 can be set in the client application 30, and the tenant authentication key can be used when the service providing system 1014 is used.

  The present invention is not limited to the specifically disclosed embodiments, and various modifications and changes can be made without departing from the scope of the claims. The client terminal 1011 is an example of a terminal device. The authentication ticket is an example of qualification information. The simple directory authentication processing unit 11 is an example of an authentication unit. The ticket issuing unit 14 is an example of a qualification information issuing unit. The user information setting unit 12 is an example of a user information setting unit. The service use authority setting unit 13 is an example of a service use authority setting unit.

11 Simple Directory Authentication Processing Unit 12 User Information Setting Unit 13 Service Use Authority Setting Unit 14 Ticket Issuing Unit 20 OS (Operating System)
21 Logon Processing Unit 22 AD (Active Directory) Authentication Request Unit 30 Client Application 31 Print Job Registration Processing Unit 32 Simple Directory Authentication Request Unit 40 Document Creation Software 100 Computer 101 Input Device 102 Display Device 103 External I / F
103a, 203a Recording medium 104 RAM
105 ROM
106 CPU
107 Communication I / F
108 HDD
201 Controller 202 Operation panel 203 External I / F
204 Communication I / F
205 Printer 206 Scanner 211 CPU
212 RAM
213 ROM
214 NVRAM
215 HDD
1000 Information Processing System 1011 Client Terminal 1012 AD (Active Directory) Server Device 1013 Image Forming Device 1014 Service Providing System 1101 Application 1102 Common Service 1103 Database 1104 Management 1105 Business 1106 Platform API (Application Programming Interface)
1111 Portal service application 1112 Scan service application 1113 Print service application 1121 Authentication / authorization unit 1122 Tenant management unit 1123 User management unit 1124 Client management unit 1125 License management unit 1126 Device management unit 1127 Temporary image storage unit 1128 Log collection unit 1130 Image processing workflow Control unit 1131 Message queue 1132 Worker 1141 Log information storage unit 1142 Tenant information storage unit 1143 User information storage unit 1144 License information storage unit 1145 Device information storage unit 1146 Temporary image storage unit 1147 Job information storage unit 1148 Client information storage unit 1150 Application specific Setting information storage unit B bus FW firewall N1 to N2 network

Special table 2015-518198 gazette

Claims (12)

An information processing device that issues qualification information for the terminal device to use the service,
The organization that has received the authentication request including the organization information, the domain information, and the account information in the on-premises environment from the terminal device, and the organization management information that associates the organization information with the domain information is included in the authentication request. If the information and the domain information are associated with each other, an authentication unit that searches for user belonging to the organization identified by the organization information from the user management information by the account information in the on-premises environment;
Qualification information issuing means for issuing the qualification information to the searched user;
An information processing apparatus. When the authentication unit cannot retrieve a user belonging to the organization identified by the organization information from the user management information based on the account information in the on-premises environment, the user management information includes account information in the on-premises environment. User information setting means for creating information on the user corresponding to
Further comprising
The information processing apparatus according to claim 1, wherein the qualification information issuing unit issues the qualification information to the user for which the user information is created. The user information setting means includes
The account in the on-premises environment that was included in the authentication request when the authentication means can search the user management information by the account information in the on-premises environment for users belonging to the organization identified by the organization information. The information processing apparatus according to claim 2, wherein the information on the user in the user management information is updated based on the information. Service usage authority setting means for setting, in authority management information, the service usage authority of the user for which the user information has been created,
The information processing apparatus according to claim 1, further comprising: The authentication unit receives an authentication request including organization information, domain information, application information, and account information in an on-premises environment from the terminal device, performs authentication based on the application information, and fails to authenticate the application information. 5. The information processing apparatus according to claim 1, wherein the qualification information is not issued by the qualification information issuing unit. The authentication means performs authentication based on the organization information included in the authentication request, and if the authentication of the organization information fails, the qualification information issuing means does not issue the qualification information. The information processing apparatus according to any one of claims 1 to 5. A terminal device that uses a service provided by the information processing device using qualification information issued by the information processing device,
An authentication request including organization information, domain information, and account information in an on-premises environment is made to the information processing apparatus, and the organization management information that associates the organization information with the domain information is included in the authentication request If the organization information and the domain information are associated with each other, authentication request means for acquiring the qualification information issued by the information processing device;
Service using means for using the service provided by the information processing apparatus using the acquired qualification information,
If the organization information issued in association with the domain information in the information processing device is arranged in the terminal device, the authentication requesting unit may send the organization information, domain information, and on-premises information to the information processing device. A terminal device that makes an authentication request including account information in an environment. If the organization information issued in association with the domain information in the information processing device is not arranged in the terminal device, the authentication requesting unit makes an authentication request using account information in the information processing device. The terminal device according to claim 7, characterized in that: An information processing device that issues qualification information for the terminal device to use the service,
The organization that has received the authentication request including the organization information, the domain information, and the account information in the on-premises environment from the terminal device, and the organization management information that associates the organization information with the domain information is included in the authentication request. If the information and the domain information are associated with each other, an authentication means for retrieving a user belonging to the organization identified by the organization information from the user management information based on the account information in the on-premises environment;
Qualification information issuing means for issuing the qualification information to the searched user;
Program to function as. A terminal device that uses a service provided by the information processing device using qualification information issued by the information processing device,
An authentication request including organization information, domain information, and account information in an on-premises environment is made to the information processing apparatus, and the organization management information that associates the organization information with the domain information is included in the authentication request If the organization information and the domain information are associated with each other, an authentication request means for acquiring the qualification information issued by the information processing apparatus,
Using the acquired qualification information to function as a service using means for using a service provided by the information processing apparatus,
If the organization information issued in association with the domain information in the information processing device is arranged in the terminal device, the authentication requesting unit may send the organization information, domain information, and on-premises information to the information processing device. A program characterized by making an authentication request including account information in the environment. An information processing system including one or more information processing devices,
Application means for providing a service to a terminal device that has requested and specified qualification information for using the service;
The organization that has received the authentication request including the organization information, the domain information, and the account information in the on-premises environment from the terminal device, and the organization management information that associates the organization information with the domain information is included in the authentication request. If the information and the domain information are associated with each other, an authentication unit that searches for user belonging to the organization identified by the organization information from the user management information by the account information in the on-premises environment;
Qualification information issuing means for issuing the qualification information to the searched user;
An information processing system having An information processing system including one or more information processing devices and a terminal device that uses a service provided by the information processing device using qualification information issued by the information processing device,
Service using means for using the service provided by the information processing apparatus using the qualification information;
Application means for providing a service to the terminal device that has made a request by specifying qualification information for using the service;
Authentication request means for making an authentication request including organization information, domain information, and account information in an on-premises environment to the information processing apparatus;
The organization that has received the authentication request including the organization information, the domain information, and the account information in the on-premises environment from the terminal device, and the organization management information that associates the organization information with the domain information is included in the authentication request. If the information and the domain information are associated with each other, an authentication unit that searches for user belonging to the organization identified by the organization information from the user management information by the account information in the on-premises environment;
Qualification information issuing means for issuing the qualification information to the searched user;
An information processing system having

Images