JP2019175400A - Information processing device, system, and authentication method - Google Patents

Abstract

To provide a system capable of reducing the necessity that a user is aware of a public network.SOLUTION: An information processing device 50 for providing an apparatus 30 connected to a network N1 with a service includes: apparatus communication means 72 for acquiring apparatus authentication information for authenticating the apparatus, and first user authentication information for authenticating the user of the apparatus; first authentication processing means 76 for determining that first authentication is successful if the apparatus authentication information acquired by the apparatus communication means exists in apparatus management information registering the apparatus authentication information; second authentication processing means 71 for determining that second authentication is successful if the first authentication information acquired by the apparatus communication means exists in user management information registering the first user authentication information in the case that the first authentication is successful; and service providing means 51 for providing a service if the first authentication and the second authentication are successful.SELECTED DRAWING: Figure 1

Description

  The present invention relates to an information processing device, a system, and an authentication method.

  There is a widespread use of using servers on public networks such as cloud services without using servers on private networks such as corporate networks. In such a usage mode, it is assumed that an unspecified number of users and companies use a server on a public network.

  For this reason, when an unspecified number of users and companies use a server on a public network, user authentication is generally performed from the viewpoint of information security. User authentication is performed, for example, on a private network such as a corporate network and on a public network such as a cloud service.

  For example, it is not preferable in terms of information security to use common authentication information for user authentication performed on a private network and a public network. On the other hand, if separate authentication information is used for user authentication performed on a private network and a public network, and authentication information is input for each function or service to be used, user convenience is impaired.

  Therefore, a technique has been devised that allows user authentication performed on different networks to be linked while maintaining information security (see, for example, Patent Document 1). Patent Document 1 discloses a system that seamlessly cooperates while maintaining security between authentication on a cloud and authentication in a company.

  However, the conventional technique has a problem in that a user needs to use a device in consideration of a public network. For example, in Patent Document 1, a user has to input a company code related to a public network. However, since it is difficult for a user to distinguish between a service on the cloud and a service in the company, the user should be able to use the device without being aware of it.

  In view of the above problems, an object of the present invention is to provide a system that can reduce the necessity for a user to be aware of a public network.

  In view of the above problems, the present invention provides an information processing apparatus that provides a service to a device connected to a network, the device authentication information for authenticating the device, and the user for authenticating the user of the device If the device authentication information acquired by the device communication means exists in the device communication means for acquiring the first user authentication information and the device management information in which the device authentication information is registered, the first authentication is successful. And the first user acquired by the device communication unit in the user management information in which the first user authentication information is registered when the first authentication is successful. A second authentication processing means for determining that the second authentication is successful if the authentication information is present; a service providing means for providing a service if the first authentication and the second authentication are successful; Have That.

  It is possible to provide a system that can reduce the necessity for the user to be aware of the public network.

It is a block diagram of an example of the system which concerns on this embodiment. It is a hardware block diagram of an example of the computer system which concerns on this embodiment. It is a processing block diagram of an example of the office equipment concerning this embodiment. It is a processing block diagram of an example of an authentication device concerning this embodiment. It is a block diagram of an example of the authentication information which an authentication information storage part memorize | stores. It is a process block diagram of an example of the service provision system which concerns on this embodiment. It is a block diagram of an example of company management information. It is a block diagram of an example of user management information. It is a block diagram of an example of apparatus management information. It is an image figure of an example of the login setting screen to a service provision system. FIG. 10 is a screen transition diagram of an example when a login setting “not linked with in-house authentication” is selected. FIG. 11 is a screen transition diagram of an example when a login setting “in cooperation with in-house authentication” is selected. It is a flowchart of an example showing the process of the service provision system which received the login request from the terminal device. 6 is a flowchart illustrating an example of processing of a service providing system that receives a login request from an image forming apparatus. FIG. 3 is a sequence diagram illustrating an example of processing of a system that receives a login request from an image forming apparatus. It is a sequence diagram of an example of the process which acquires a data list and a job from a service provision system. 6 is a diagram illustrating an example of an authentication method setting screen displayed by the image forming apparatus. FIG. 6 is a flowchart illustrating an example of processing of a service providing system that receives a login request from an image forming apparatus.

  Hereinafter, a system and an authentication method performed by this system will be described as an example for carrying out the present invention.

<System configuration>
FIG. 1 is a configuration diagram of an example of a system according to the present embodiment. The system 1 in FIG. 1 includes a private network N1 such as an intra-office network, a public network N2 represented by a cloud service, and a network N3 such as the Internet.

  The network N1 and the network N3 are connected by a firewall FW on the network N1 side. The firewall FW is installed at the contact point between the network N1 and the network N3, and relays access from the network N1 to the network N3.

  The network N2 and the network N3 are connected by an access control device 21 on the network N2 side. The network N2 is protected by the access control device 21.

  The network N1 is a private network inside the firewall FW. Connected to the network N1 are a client terminal 11, a portable terminal 12, a print control device 13 such as a print server, an image forming device 14 such as a multifunction peripheral, a projector 15, other devices 16, and an authentication device 17 such as an authentication server. .

  In FIG. 1, the client terminal 11, the portable terminal 12, the print control device 13, the image forming device 14, the projector 15, and the other devices 16 are office devices 30 in the sense that they are often in the office. Of course, these may be installed outside the office (factories, research institutes, public institutions, etc.).

  The client terminal 11 is an example of a terminal device. The client terminal 11 can be realized by an information processing apparatus (computer system) equipped with a general OS or the like. The client terminal 11 includes a wireless communication unit or a wired communication unit. The client terminal 11 is a terminal that can be operated by the user, such as a tablet PC or a notebook PC.

  The mobile terminal 12 is an example of a terminal device. The portable terminal 12 has a wireless communication means or a wired communication means. The mobile terminal 12 is a terminal that can be carried by the user, such as a smartphone, a mobile phone, a tablet PC, or a notebook PC.

  The print control apparatus 13 can be realized by an information processing apparatus (computer system) on which a general server OS or the like is mounted. The print control apparatus 13 includes a wireless communication unit or a wired communication unit. The print control apparatus 13 stores and provides print data, for example.

  The image forming apparatus 14 is an apparatus having an image forming function such as a multifunction peripheral. The image forming apparatus 14 includes a wireless communication unit or a wired communication unit. The image forming apparatus 14 is an apparatus that performs processing related to image formation, such as a multifunction peripheral, a copier, a scanner, a printer, or a laser printer. The projector 15 is a device that projects an image. The projector 15 includes a wireless communication unit or a wired communication unit.

  The client terminal 11, the portable terminal 12, the print control device 13, the image forming device 14, the projector 15, and other devices 16 are examples of devices that are authenticated by the authentication device 17 when used.

  The authentication device 17 can be realized by an information processing device (computer system) equipped with a general server OS or the like. The authentication device 17 includes a wireless communication unit or a wired communication unit. The authentication device 17 provides a user authentication function such as an authentication server.

  FIG. 1 shows an example in which the client terminal 11, the mobile terminal 12, the print control device 13, the image forming device 14, the projector 15, the other device 16, and the authentication device 17 are each one. It may be.

  The network N2 is connected to a network N3 such as the Internet by an access control device 21. An access control device 21, a print service providing device 22, a scan service providing device 23, and another service providing device 24 are connected to the network N2. In the system 1 of FIG. 1, an access control device 21, a print service providing device 22, a scan service providing device 23, and another service providing device 24 realize a service providing system 50.

The access control device 21 controls logging in to each service such as a print service provided by the print service providing device 22 and a scan service provided by the scan service providing device 23. The access control device 21, the print service providing device 22, the scan service providing device 23, and the other service providing device 24 are realized by one or more information processing devices (computer systems).

  The print service providing device 22, the scan service providing device 23, and the other service providing device 24 of the system 1 in FIG. 1 may be integrated into a single computer, or may be realized by being distributed to a plurality of computers. May be.

<Terminology>
The device may be any useful device that is used after authenticating the user. In the present embodiment, the term “office equipment 30” will be used.

  A service is some kind of information processing that performs processing useful for the user or provides data.

<Hardware configuration>
The client terminal 11, the mobile terminal 12, the print control device 13, the authentication device 17, the access control device 21, the print service providing device 22, the scan service providing device 23, and the other service providing device 24 shown in FIG. It is realized by a computer system having a hardware configuration. FIG. 2 is a hardware configuration diagram of an example of a computer system according to the present embodiment.

  A computer system 100 shown in FIG. 2 includes an input device 101, a display device 102, an external I / F 103, a RAM (Random Access Memory) 104, a ROM (Read Only Memory) 105, a CPU (Central Processing Unit) 106, a communication I / O. F107, HDD (Hard Disk Drive) 108, etc. are provided, and each is connected to each other via a bus B.

  The input device 101 includes a keyboard, a mouse, a touch panel, and the like, and is used by a user to input each operation signal. The display device 102 includes a display and the like, and displays a processing result by the computer system 100.

  The communication I / F 107 is an interface that connects the computer system 100 to the network N1 or N2. Thereby, the computer system 100 can perform data communication via the communication I / F 107.

The HDD 108 is a nonvolatile storage device that stores programs and data. The stored programs and data include, for example, an OS (Operating System) that is basic software for controlling the entire computer system 100, and application software that provides various functions on the OS. The HDD 108 manages stored programs and data by a predetermined file system and / or DB (database).

The external I / F 103 is an interface with an external device. The external device includes a recording medium 103a. Thereby, the computer system 100 can read and / or write the recording medium 103a via the external I / F 103. The recording medium 103a includes a flexible disk, a CD (Compact Disk), a DVD (Digital Versatile Disk), an SD memory card (SD Memory card), a USB memory (Universal Serial Bus memo).
y).

  The ROM 105 is a nonvolatile semiconductor memory (storage device) that can retain programs and data even when the power is turned off. The ROM 105 stores programs and data such as BIOS (Basic Input / Output System), OS settings, and network settings that are executed when the computer system 100 is started. The RAM 104 is a volatile semiconductor memory (storage device) that temporarily stores programs and data.

  The CPU 106 is an arithmetic device that realizes control and functions of the entire computer system 100 by reading a program and data from a storage device such as the ROM 105 and the HDD 108 onto the RAM 104 and executing processing.

  The client terminal 11, the mobile terminal 12, the print control apparatus 13, the authentication apparatus 17, the access control apparatus 21, the print service providing apparatus 22, the scan service providing apparatus 23, and the other service providing apparatus 24 of FIG. With the hardware configuration of 100, various processes as described later can be realized.

<Software configuration>
<< Office equipment >>
The office device 30 such as the client terminal 11 according to the present embodiment is realized by, for example, the processing blocks illustrated in FIG. FIG. 3 is a processing block diagram of an example of an office device according to the present embodiment.

  By executing the program, the office device 30 executes an input reception unit 31, an authentication request unit 32, a function processing unit 33, a service login request unit 34, a registration request unit 35, a login setting unit 36, a service use request unit 37, and A display control unit 38 is realized.

  The input receiving unit 31 receives an input by a user operation such as a touch panel touch operation or a keyboard input operation. The authentication request unit 32 transmits authentication information to the authentication device 17 and requests authentication. The function processing unit 33 executes processing using hardware and application programs (applications) provided in the office device 30 and provides functions provided in the office device 30.

  The service login request unit 34, the registration request unit 35, the login setting unit 36, and the service use request unit 37 are realized by, for example, a service use application. The service login request unit 34 transmits authentication information to the service providing system and requests login. The registration request unit 35 requests the service providing system to register a part (for example, a user name) or all of the authentication information authenticated by the authentication device 17.

  The login setting unit 36 sets authentication information used for logging in to the service providing system. The service use request unit 37 requests use of a service provided by the service providing system. The display control unit 38 displays various screens serving as a user interface on the display device 102.

<< Authentication device >>
The authentication device 17 according to the present embodiment is realized by, for example, the processing block illustrated in FIG. FIG. 4 is a processing block diagram of an example of the authentication apparatus according to the present embodiment. The authentication device 17 implements an authentication processing unit 41 and an authentication information storage unit 42 by executing a program.

  The authentication processing unit 41 performs authentication in a private network based on an authentication request from the office device 30. The authentication information storage unit 42 stores authentication information used when determining the result of authentication (authentication success, authentication failure) of the received authentication information.

  The authentication information storage unit 42 stores authentication information as shown in FIG. 5, for example. FIG. 5 is a configuration diagram of an example of authentication information stored in the authentication information storage unit 42. FIG. 5A shows authentication information including user identification information such as a user name and a password. FIG. 5B shows authentication information including user identification information, a password, and card identification information (such as a card ID) such as an IC card. The authentication information is not limited to the example of FIG. 5, for example, even if the device identification information (machine number or the like) of the office device 30 is used, the user's biometric information (fingerprint, vein, retina, etc.) is used. Also good.

<< Service provision system >>
The service providing system according to the present embodiment is realized by, for example, the processing blocks shown in FIG. FIG. 6 is a processing block diagram of an example of the service providing system according to the present embodiment. The service providing system 50 in FIG. 6 implements a service application 51, a platform 52, a management data storage unit 53, and a platform API (Application Programming Interface) 54 by executing a program.

  The service application 51 in FIG. 6 includes a print service application 61, a scan service application 62, and one or more other service applications 63 as an example. The print service application 61 is an application that provides a print service. The scan service application 62 is an application that provides a scan service. The service application 63 is an application that provides some service.

  The platform API 54 is an interface for the service application 51 such as the print service application 61, the scan service application 62, and other service applications 63 to use the platform 52. The platform API 54 is a predefined interface provided for the platform 52 to receive a request from the service application 51, and is configured by a function, a class, or the like, for example. When the service providing system 50 is configured to be distributed among a plurality of information processing apparatuses, for example, a web API that can be used via a network can be used as the platform API 54.

  6 includes an authentication processing unit 71, a device communication unit 72, a user information registration unit 73, a session management unit 74, a data processing unit 75, a company / device authentication unit 76, and a data management unit 77 as an example. Have. The authentication processing unit 71 performs authentication in a public network based on a login request from the office device 30.

  The device communication unit 72 executes communication with the office device 30. The user information registration unit 73 receives a registration request for part or all of the authentication information authenticated by the authentication device 17 from a terminal device such as the client terminal 11 and registers the authentication information in user management information described later. The session management unit 74 manages a session with the office device 30. The data processing unit 75 executes data processing based on a request from the service application 51.

  The company / device authentication unit 76 determines whether the device authentication information included in the authentication request received via the networks N1 and N3 exists in the device management information stored in the device management information storage unit 83. Executes company / device authentication judgment. The data management unit 77 manages data such as jobs in the data management information storage unit 84.

  The management data storage unit 53 includes a company management information storage unit 81, a user management information storage unit 82, a device management information storage unit 83, a data management information storage unit 84, and a data storage 85 as an example. The company management information storage unit 81 stores company management information described later. The user management information storage unit 82 stores user management information described later. The device management information storage unit 83 stores device management information described later. The data management information storage unit 84 stores a job ID, a status (printed and incomplete), a registered user, a print setting, a job storage location, and the like for each job. The data storage 85 stores other data such as job data.

  FIG. 7 is a configuration diagram of an example of company management information. The company management information in FIG. 7 has a company code, a company name, a country, a language, and the like as data items. The company code is information for identifying a group such as a company or an organization. A group is a collection of people and things that have something in common.

  The company code is information that identifies one or more users and a set of one or more office devices 30. Note that the present embodiment is not limited to the word “company”, and may be, for example, identification information for identifying a contract for a set of users or office devices 30. The company code is unique.

  FIG. 8 is a configuration diagram of an example of user management information. The user management information in FIG. 8 has data items such as a company code, user name, password, role, address information, output setting, and office authentication information. User management information is managed in units of company codes. The user name and password are information for identifying the user on the service providing system 50 side. The user name may be a user ID, for example. A password is not required.

  Furthermore, the user name may use an electronic medium (for example, an IC card) possessed by the user or information for identifying the office device 30 (card ID, serial ID of the office device 30, telephone number, etc.) instead, or in combination. It may be used. The user name and password associated with the company code are unique, but may be duplicated if the company code is different.

  The office authentication information is user specifying information included in the authentication information on the private network N1 side. The user identification information on the network N1 side registered as office authentication information is user identification information that has been authenticated on the private network N1 side. The office authentication information is registered by the user information registration unit 73. The user management information associates the user specifying information (user name) on the private network N1 side with the user name on the public network N2 side.

  Based on the user management information, the system 1 according to the present embodiment can link authentication on the private network N1 side and authentication on the public network N2 side while maintaining information security.

  FIG. 8A shows user management information in which the office authentication information of the user name “Kobayashi” is not registered. The user management information in FIG. 8A represents an example in which authentication on the private network N1 side and authentication on the public network N2 side are not linked.

FIG. 8B shows user management information in which the office authentication information “Koba” with the user name “Kobayashi” has been registered. The user management information in FIG. 8B represents an example in which authentication on the private network N1 side and authentication on the public network N2 side are linked.

  FIG. 9 is a configuration diagram of an example of device management information. The device management information in FIG. 9 includes data items such as a company code, device authentication information, business office information, and capabilities. Device management information is managed for each company code. The device authentication information is information for device authentication that determines that the office device 30 belonging to the company of the company code has a specific condition. The device authentication information may be an ID (application identification information) indicating that a specific application is installed in the office device 30, or a device number indicating that the device is a specific device.

<Details of processing>
Below, the detail of the process of the system 1 which concerns on this embodiment is demonstrated.

<< Login settings >>
FIG. 10 is an image diagram of an example of a login setting screen for the service providing system. The login setting screen 1000 of FIG. 10 is displayed on the office device 30 by the service use application of the office device 30. The login setting screen 1000 has a “link with in-house authentication” login setting indicating that the authentication on the private network N1 side and the authentication on the public network N2 side are linked, and “do not link with in-house authentication” indicating no linkage. It is a screen which makes a user select login setting.

<< Login processing >>
For example, FIG. 11 shows a screen transition when the login setting “not linked with in-house authentication” is selected. FIG. 11 is a screen transition diagram of an example when the login setting “not linked with in-house authentication” is selected.

  For example, the office device 30 displays an application selection screen 1010 and allows the user to select an application. When the service use application selection button 1011 is pressed by the user, the service use application of the office device 30 displays a login screen 1020. The user inputs a user name and password on the login screen 1020. The user name and password are examples of authentication information on the public network N2 side.

  After entering the authentication information on the login screen 1020, the user presses the login button 1021. When the login button 1021 is pressed, the service login request unit 34 of the office device 30 transmits authentication information to the service providing system 50 to request login.

  If the login is successful, the service use application of the office device 30 displays a service list selection screen 1030. The service list selection screen 1030 is a screen that allows the user to select a service provided by the service providing system. The user selects a service to be used from the service list selection screen 1030. For example, when the user presses the “print service” button, the service use request unit 37 of the office device 30 requests the service providing system 50 to use the “print service”.

  For example, FIG. 12 shows a screen transition when the login setting “in cooperation with in-house authentication” is selected. FIG. 12 is a screen transition diagram of an example when the login setting “in cooperation with in-house authentication” is selected.

  For example, the office device 30 displays one of authentication login screens 1040, 1050, and 1060 on the private network N1 side. The login screen 1040 is a screen for inputting a user name and password, which is an example of user authentication information. The login screen 1040 is a screen that allows the user to hold the IC card and input card identification information (card ID) of an IC card, which is an example of authentication information. The login screen 1060 is a screen for inputting a user's biometric information (fingerprint) as an example of authentication information by holding the finger over the user.

  When the authentication information is input, the authentication request unit 32 of the office device 30 transmits the authentication information to the authentication device 17 and requests authentication. If the authentication is successful, the office device 30 displays an application selection screen 1010 and allows the user to select an application.

  When the service use application selection button 1011 is pressed by the user, the service use application of the office device 30 transmits the user name authenticated on the private network N1 side as authentication information to the service providing system as described later, and logs in. Request. When device authentication information is set in the office device 30, the device authentication information is included in the authentication information.

  If the user identification information (user name) authenticated on the private network N1 side and the user name on the public network N2 side are associated with the user management information, the login is successful. If the login is successful, the service use application of the office device 30 displays a service list selection screen 1030.

If the user name authenticated on the private network N1 side and the user name on the public network N2 side are not associated with the user management information, login fails. If the login fails, the service use application of the office device 30 displays a login screen 1020 and allows the user to input authentication information on the public network N2 side. Then, the service login request unit 34 of the office device 30 transmits the public network N2 side authentication information input by the user to the service providing system 50 and requests login.

  When the user name authenticated on the private network N1 side and the user name on the public network N2 side are associated with the user management information, the user inputs the authentication information on the public network N2 side on the login screen 1020 Without doing so, a service to be used can be selected from the service list selection screen 1030 and the service provided by the service providing system 50 can be used.

  FIG. 13 is a flowchart illustrating an example of processing performed by the service providing system that has received the login request from the image forming apparatus 14. FIG. 13 shows an example in which the login setting “not linked with in-house authentication” is selected.

  In step S <b> 11, the authentication processing unit 71 of the service providing system 50 receives a login request from the image forming apparatus 14 using the device authentication information, the public network N2 side user name and password as authentication information.

  In step S12, the company / device authentication unit 76 performs a company / device authentication determination for determining whether the device authentication information included in the authentication information exists in the device management information shown in FIG. If the device authentication information included in the authentication information exists in the device management information, the company / device authentication unit 76 determines that the company / device authentication is successful (authentication OK), and performs the process of step S13. In the case of authentication OK, the company / device authentication unit 76 specifies the company code associated with the device authentication information from the device management information.

  In step S13, the authentication processing unit 71 includes, in the user management information shown in FIG. 8, the user name and password included in the authentication information in the user management information associated with the company code identified from the device management information. The user authentication is determined to determine whether or not there exists.

  If the user name and password included in the authentication information exist, the authentication processing unit 71 determines that the user authentication is successful (authentication OK) and performs the process of step S15. In step S15, the authentication processing unit 71 determines that the authentication result for the login request from the image forming apparatus 14 is successful (authentication OK).

  If the company code associated with the device authentication information included in the authentication information does not exist in the device management information shown in FIG. 9 in step S12, the company / device authentication unit 76 determines that the image forming apparatus in step S14. 14 determines that the authentication result for the login request from 14 is a failure (authentication NG).

  Similarly, in step S13, if the user name and password included in the authentication information do not exist in the user management information associated with the company code specified from the device management information, the authentication processing unit 71 performs step S14. The authentication result for the login request from the image forming apparatus 14 is determined as failure (authentication NG).

  FIG. 14 is a flowchart illustrating an example of login processing of the system according to the present embodiment. FIG. 14 shows an example in which the login setting “cooperating with in-house authentication” is selected.

  In step S21, the image forming apparatus 14 displays a login screen 1050 in FIG. 12, for example. The image forming apparatus 14 receives an authentication request by inputting a card ID of an IC card, which is an example of authentication information, from a user.

  In step S22, the authentication request unit 32 of the image forming apparatus 14 transmits authentication information to the authentication apparatus 17 and requests authentication. Note that the authentication information transmitted in step S22 may be a card ID, or a user name and password associated with the card ID.

  In step S23, the authentication processing unit 41 of the authentication device 17 performs user authentication to determine whether the user name and password included in the authentication information from the image forming device 14 exist in the authentication information shown in FIG. If the user name and password included in the authentication information exist in the authentication information shown in FIG. 5, the authentication processing unit 41 determines that the user authentication is successful (authentication OK), and performs the process of step S25. In step S <b> 25, the authentication processing unit 41 notifies the authentication request unit 32 of the image forming apparatus 14 that the user authentication is successful.

  If the user name and password included in the authentication information do not exist in the authentication information shown in FIG. 5, the authentication processing unit 41 determines that the user authentication has failed (authentication NG), and performs the process of step S24. In step S24, the authentication processing unit 41 notifies the authentication request unit 32 of the image forming apparatus 14 of the user authentication failure, and the processing of the flowchart of FIG.

  In step S26, the image forming apparatus 14 notified of the successful user authentication displays an application selection screen 1010 as shown in FIG. 12, and allows the user to select an application. For example, when the service use application selection button 1011 on the application selection screen 1010 is pressed by the user, the image forming apparatus 14 receives a login request from the user to the service providing system.

  In step S <b> 27, the service login request unit 34 of the image forming apparatus 14 determines whether the login setting “do not cooperate with in-house authentication” is selected. If the login setting “not linked with in-house authentication” is selected, the service login request unit 34 displays, for example, a login screen 1020 shown in FIG. 11 in step S28, and displays the company code, user name and password on the public network N2 side. To be input by the user. After the process of step S28, the image forming apparatus 14 is logged in to the service providing system 50 by the process of the flowchart shown in FIG.

  In step S27, the service login request unit 34 performs the process of step S29 if the login setting “in cooperation with in-house authentication” is selected. In step S29, the service login request unit 34 transmits device authentication information and a user name (Koba) as authentication information to the service providing system, and requests login.

  The user name (Koba) is an example of a user name on the private network N1 side as shown in FIG. In step S30, the company / device authentication unit 76 of the service providing system 50 performs the same company / device authentication determination as in step S12. If the company / device authentication unit 76 determines that the company / device authentication is successful (authentication OK), it performs the process of step S32.

  If the company / device authentication unit 76 determines that the company / device authentication has failed (authentication NG) in step S30, the authentication result for the login request from the image forming apparatus 14 is determined to be failure (authentication NG) in step S31.

  In step S32, the authentication processing unit 71 includes the user management information shown in FIG. 8 on the private network N1 side included in the authentication information in the user management information associated with the authenticated company code. User authentication determination is performed to determine whether the user name (Koba) exists.

  If the user name (Koba) on the private network N1 side included in the authentication information exists, the authentication processing unit 71 determines that the user authentication is successful (authentication OK) and performs the process of step S33. In step S33, the authentication processing unit 71 obtains the public network N2 side user name (Kobaashi) corresponding to the private network N1 side user name (Koba) from the user management information of FIG. In step S34, the authentication processing unit 71 determines that the authentication result for the login request from the image forming apparatus 14 is successful (authentication OK).

  If the user name (Koba) on the private network N1 side included in the authentication information does not exist in step S32, the authentication processing unit 71 determines that the user authentication has failed (authentication NG), and the process in step S35. I do.

  In step S35, since the service use application of the image forming apparatus 14 has failed to log in to the service providing system 50, a login screen 1020 as shown in FIG. 12 is displayed.

  In step S <b> 36, the service use application of the image forming apparatus 14 causes the user to input a user name (Kobayashi) and a password as an example of authentication information on the public network N <b> 2 side from the login screen 1020.

  In step S37, as a response to the request from the service providing system 50, the registration request unit 35 of the image forming apparatus 14 requests the service providing system 50 to register the user name (Koba) authenticated on the private network N1 side. . The registration request in step S37 includes a user name (Koba), device authentication information, a public network N2 side user name (Kobaashi), and a password.

  In step S38, the company / device authentication unit 76 of the service providing system 50 performs the same company / device authentication determination as in step S12. If the company / device authentication unit 76 determines that the company / device authentication is successful (authentication OK), the company / device authentication unit 76 performs the process of step S39.

  In step S39, the authentication processing unit 71 performs the same user authentication determination as in step S13. If the authentication processing unit 71 determines that the user authentication is successful (authentication OK), the processing of step S41 is performed.

  In step S41, the user information registration unit 73 associates the user name (Koba) authenticated on the network N1 side with the user name (Kobaashi) on the public network N2 side, and registers it as office authentication information of the user management information.

<< Authentication sequence >>
FIG. 15 is a sequence diagram illustrating an example of processing of the system 1 that has received a login request from the image forming apparatus 14. Note that the sequence diagram of FIG. 15 is an example in a case where the login setting “link with in-house authentication” is selected.

  S101: As described in step S21 in FIG. 14, the input receiving unit 31 of the image forming apparatus 14 receives an authentication request from the user, and transmits the card ID of an IC card, which is authentication information in a private network, to the authentication apparatus 17, for example. To do.

  S102: The authentication processing unit 41 of the authentication device 17 makes an authentication determination based on whether or not the card ID is stored in the authentication information storage unit 42 shown in FIG. Here, it is assumed that the authentication is OK.

  S103: The authentication processing unit 41 of the authentication device 17 transmits an authentication result (OK) to the image forming device 14.

  S104: The service login request unit 34 of the image forming apparatus 14 transmits device authentication information and a user name (Koba) in the private network as authentication information to the service providing system, and requests login.

  S105: The login request is relayed by the access control device 21 and transmitted to the service providing system 50 as a user registration confirmation request.

  S106: The company / device authentication unit 76 of the service providing system 50 performs the same company / device authentication determination as in step S30 of FIG. 14, and the authentication processing unit 71 performs the same process as in step S32 to register the user. Confirm.

  If the user is registered, steps S107 and S108 are executed.

  S107: When the user is registered, the device communication unit 72 of the service providing system 50 transmits a confirmation result (OK) to the access control device 21.

  S108: The access control apparatus 21 returns a login OK to the image forming apparatus 14.

  If the user is not registered, steps S109 to S119 are executed.

  S109: When the user is not registered, the device communication unit 72 of the service providing system 50 transmits a confirmation result (NG) to the access control device 21.

  S110: The access control apparatus 21 returns a login screen display request to the image forming apparatus 14.

  S111: The service use application of the image forming apparatus 14 displays a login screen 1020. The input receiving unit 31 receives a user with a user name (Kobaashi) and a password in a public network.

  S112, S113: The registration request unit 35 of the image forming apparatus 14 requests the service providing system 50 to register the user name (Koba) authenticated on the private network N1 side. The registration request includes a user name (Koba), device authentication information, a public network N2 side user name (Kobaashi), and a password.

  S114: The company / device authentication unit 76 of the service providing system performs the same company / device authentication determination as in step S38 in FIG. 14, and the authentication processing unit 71 performs the same process as in step S39 to determine the user authentication. Do.

  S115: If the authentication is successful, the user information registration unit 73 of the service providing system 50 associates the user name (Koba) authenticated on the network N1 side with the user name (Kobaashi) on the public network N2 side, and manages the user management information. Register as office authentication information.

  S116: The device communication unit 72 of the service providing system 50 transmits a registration completion notification to the access control device 21.

  S117: The access control device 21 transmits a registration completion notification to the image forming device 14.

  S118: In the case of authentication failure, the device communication unit 72 of the service providing system 50 transmits an authentication result (NG) to the access control device 21.

  S119: The access control apparatus 21 transmits an error to the image forming apparatus 14.

<< Job execution >>
FIG. 16 is a sequence diagram illustrating an example of processing for acquiring a data list and a job from the service providing system 50. The processing in steps S201 to S208 is the same as the processing in steps S101 to S108 in FIG.

  S209: The service use request unit 37 of the image forming apparatus 14 transmits a job list request to the access control apparatus 21. The job list request includes, for example, a public network N2 user name (Kobaashi).

  S210: The access control device 21 transmits a job list request to the data management unit 77.

  S211 and S212: The data management unit 77 acquires the job associated with the user name (Kobaashi) included in the job list request from the data management information storage unit 84.

  S213: The data management unit 77 transmits a job list relating to one or more jobs to the access control apparatus 21.

  S214: The access control device 21 transmits the job list to the image forming device 14.

  S215: The service use request unit 37 of the image forming apparatus 14 receives the job list, and the display control unit 38 displays the job list. Subsequently, the input receiving unit 31 receives a job selection.

  S216: The service use request unit 37 of the image forming apparatus 14 transmits a job data acquisition request to the access control apparatus 21. The job data acquisition request includes, for example, a job ID.

  S217: The access control device 21 transmits a job data acquisition request to the data management unit 77.

  S218, S219: The data management unit 77 acquires the storage location of the job associated with the job ID included in the job data acquisition request in the data management information storage unit 84, and acquires job data from the data storage 85.

  S220: The data management unit 77 transmits one or more job data to the access control device 21.

  S221: The access control apparatus 21 transmits job data to the image forming apparatus 14.

  S222: The function processing unit 33 of the image forming apparatus 14 executes a job using the job data.

<Summary>
As described above, in the system 1 according to the present embodiment, since the company code is not input on the office device side, it is not necessary to design the cloud service on the office device side, and the user only inputs private authentication information. You can receive the service. Further, since it is not necessary to input a company code, it is possible to reduce a user's trouble.

<Modification>
In this embodiment, the service of the public service providing system can be used by inputting the private authentication information without the user inputting the company code. However, some companies may want to improve security as an operation that allows the user to enter a company code.

  Therefore, as shown in FIG. 17, in this embodiment, an authentication method setting screen 2000 for setting an authentication method may be prepared. FIG. 17 shows an example of an authentication method setting screen 2000 displayed by the image forming apparatus 14. On the authentication method setting screen 2000, a check box 2001 is arranged in each of the descriptions “enter company code” and “do not input company code”. The administrator or the like can check the check box 2001 and select “enter company code” or “do not enter company code”. As a result, the image forming apparatus 14 can accept the setting of whether or not it is necessary to input the company code.

  This setting is stored in the image forming apparatus 14 and is transmitted to the service providing system 50 and stored in association with device authentication information and the like. Accordingly, the service providing system 50 can switch between the authentication method “entering the company code” or the authentication method “do not input the company code” in accordance with this setting.

  For reference, the authentication procedure of the “enter company code” authentication method is explained.

  FIG. 18 is a flowchart illustrating an example of processing of the service providing system 50 that has received a login request from the image forming apparatus 14. FIG. 18 shows an example in which the login setting “not linked with in-house authentication” is selected.

  In step S <b> 1011, the authentication processing unit 71 of the service providing system 50 receives a login request from the image forming apparatus 14 using the company code, device authentication information, public network N2 side user name and password as authentication information.

  In step S1012, the authentication processing unit 71 performs a company authentication determination to determine whether the company code included in the authentication information exists in the company management information illustrated in FIG. If the company code included in the authentication information exists in the company management information, the authentication processing unit 71 determines that the company authentication is successful (authentication OK), and performs the process of step S1013.

  In step S1013, the authentication processing unit 71 determines whether the device authentication information included in the authentication information is present in the device management information associated with the authenticated company code among the device management information illustrated in FIG. The device authentication judgment is performed. If the device authentication information included in the authentication information exists, the authentication processing unit 71 determines that the device authentication is successful (authentication OK) and performs the process of step S1014.

  In step S1014, the authentication processing unit 71 determines whether the user name and password included in the authentication information exist in the user management information associated with the authenticated company code among the user management information shown in FIG. The user authentication judgment is performed.

  If the user name and password included in the authentication information exist, the authentication processing unit 71 determines that the user authentication is successful (authentication OK) and performs the process of step S1016. In step S1016, the authentication processing unit 71 determines that the authentication result for the login request from the image forming apparatus 14 is successful (authentication OK).

  If the company code included in the authentication information does not exist in the company management information shown in FIG. 7 in step S1012, the authentication processing unit 71 fails the authentication result for the login request from the image forming apparatus 14 in step S1015 ( Authentication NG).

  Similarly, in step S1013, if the device authentication information included in the authentication information does not exist in the device management information associated with the authenticated company code, the authentication processing unit 71 determines that the image forming apparatus in step S1015. 14 determines that the authentication result for the login request from 14 is a failure (authentication NG).

  Similarly, in step S1014, if the user name and password included in the authentication information do not exist in the user management information associated with the authenticated company code, the authentication processing unit 71 performs image formation in step S1015. The authentication result for the login request from the device 14 is determined as failure (authentication NG).

<Other application examples>
The best mode for carrying out the present invention has been described above with reference to the embodiments. However, the present invention is not limited to these embodiments, and various modifications can be made without departing from the scope of the present invention. And substitutions can be added.

  For example, as shown in FIG. 1, the authentication method of the present embodiment can be applied to the office device 30 as long as the device requires authentication, such as an electronic blackboard, a video conference terminal, and digital signage.

  Authentication refers to determining the validity of a user's identity at the start of use of the system or computer. The authentication information is information for determining the validity of the user's identity, and different information is used for each user. For example, there are a card ID, a user name (user ID) and password, an account ID, and the like. Note that ID is an abbreviation of Identification and means an identifier or identification information. ID refers to a name, a code, a character string, a numerical value, or a combination of one or more of these used to uniquely distinguish a specific target from a plurality of targets.

  Further, the configuration example in FIG. 6 and the like is divided according to main functions in order to facilitate understanding of processing by the service providing system 50. The present invention is not limited by the way of dividing the processing unit or the name. The processing of the service providing system 50 can be divided into more processing units according to the processing content. Moreover, it can also divide | segment so that one process unit may contain many processes.

  The service providing system 50 is an example of an information processing apparatus as claimed, the company / device authentication unit 76 is an example of a first authentication processing unit, and the company / device authentication determination is an example of a first authentication. The first user authentication information is an example of user authentication information in a public network, and the second user authentication information is an example of user authentication information in a private network.

  The authentication processing unit 71 is an example of a second authentication processing unit, the user authentication is an example of a second authentication, the device communication unit 72 is an example of a communication unit, and the device authentication information is an example of device authentication information. Yes, the company code is an example of group identification information, the company management information is an example of group management information, the user information registration unit 73 is an example of registration means, and the display control unit 38 is an example of display control means. The service application 51 is an example of a service providing unit, the device communication unit 72 is an example of a device communication unit, and the authentication request unit 32 is an example of an authentication request unit.

DESCRIPTION OF SYMBOLS 1 System 11 Client terminal 12 Portable terminal 13 Print control apparatus 14 Image forming apparatus 15 Projector 16 Equipment 17 Authentication apparatus 21 Access control apparatus 22 Print service provision apparatus 23 Scan service provision apparatus 24 Other service provision apparatus 30 Office apparatus 50 Service provision system 100 Computer system

Japanese Patent No. 59602354

Claims (10)

An information processing apparatus that provides services to devices connected to a network,
Device communication means for acquiring device authentication information for authenticating the device, and first user authentication information for authenticating a user of the device;
If the device authentication information acquired by the device communication means is present in the device management information in which the device authentication information is registered, first authentication processing means that determines that the first authentication has succeeded;
When the first authentication is successful, if the first user authentication information acquired by the device communication unit is present in the user management information in which the first user authentication information is registered, the second authentication is performed. A second authentication processing means for determining that has succeeded;
An information processing apparatus comprising: a service providing unit that provides a service when the first authentication and the second authentication are successful.   The information processing apparatus according to claim 1, wherein the device authentication information is identification information for identifying an application installed in the device. The device management information is associated with the device authentication information and identification information of a group to which the device belongs,
The said 1st authentication process means acquires the identification information of the said group matched with the said apparatus authentication information which the said apparatus communication means acquired from the said apparatus management information, The Claim 1 or 2 characterized by the above-mentioned. The information processing apparatus described. In the user management information, the first user authentication information is registered in association with the identification information of the group,
In the user management information, the second authentication processing means includes the group identification information acquired from the device management information by the first authentication processing means and the first information acquired from the device by the device communication means. 4. The information processing according to claim 3, wherein whether or not the first user authentication information exists in the user management information is determined based on whether or not the user authentication information is registered in association with each other. apparatus. Based on the device authentication information, the first authentication processing means determined that the first authentication was successful,
When the second authentication processing unit determines that the user identification information included in the second user authentication information for authenticating the user of the device acquired from the device is not registered in the user management information ,
If the first user authentication information input by the user as a response to the request to the device is present in the user management information, the second authentication processing means uses the first user authentication information to identify the user identification information. The information processing apparatus according to claim 1, further comprising: a registration unit that registers the user management information in association with information. Based on the device authentication information acquired from the device that has authenticated the user by the second user authentication information, the first authentication processing means determines that the first authentication is successful,
When the identification information of the user included in the second user authentication information acquired from the device that has authenticated the user by the second user authentication information is registered in the user management information, the second authentication processing means 6. The information processing apparatus according to claim 5, wherein if it is determined, the authentication by the information processing apparatus is determined to be successful. The device and the information processing apparatus exist in different networks,
The first user authentication information is used for user authentication in a network in which the information processing apparatus exists,
The information processing apparatus according to claim 5, wherein the second user authentication information is used for user authentication in a network in which the device exists. An information processing apparatus that provides services to devices connected to a network,
Device identification means for acquiring group identification information for authenticating the group to which the user belongs, and first user authentication information for authenticating the user;
A first authentication processing unit that determines that the first authentication is successful if the group identification information acquired by the device communication unit is present in the group management information in which the group identification information is registered;
When the first authentication is successful, the first user authentication information acquired by the device communication unit is present in the user management information in which user information is registered in association with the authenticated identification information of the group. A second authentication processing means for determining that the second authentication is successful;
An information processing apparatus comprising: a service providing unit that provides a service when the first authentication and the second authentication are successful. A system in which a device that uses a service and an information processing device that provides the service to the device are connected via a network,
The information processing apparatus includes:
Device communication means for acquiring device authentication information for authenticating the device, and first user authentication information for authenticating a user of the device;
If the device authentication information acquired by the device communication means is present in the device management information in which the device authentication information is registered, first authentication processing means that determines that the first authentication has succeeded;
When the first authentication is successful, if the first user authentication information acquired by the device communication unit is present in the user management information in which the first user authentication information is registered, the second authentication is performed. A second authentication processing means for determining that has succeeded;
Service providing means for providing a service when the first authentication and the second authentication are successful, and
The equipment is
A system having authentication request means for transmitting the device authentication information and the first user authentication information to the information processing apparatus; An authentication method performed by an information processing apparatus that provides a service to a device connected to a network,
A device communication means for acquiring device authentication information for authenticating the device and first user authentication information for authenticating a user of the device;
The first authentication processing means determines that the first authentication is successful if the device authentication information acquired by the device communication means is present in the device management information in which the device authentication information is registered;
When the first authentication is successful, the second authentication processing unit includes the first user authentication information acquired by the device communication unit in the user management information in which the first user authentication information is registered. If present, determining that the second authentication was successful;
An authentication method comprising: a service providing unit providing a service when the first authentication and the second authentication are successful.

Images