JP2020064660A - Information processing apparatus, terminal device, program, and information processing system - Google Patents

Abstract

To provide an information processing apparatus that easily realizes ID cooperation using account information in an on-premises environment.SOLUTION: An information processing apparatus issues qualification information for a terminal device to use a service, and the information processing apparatus comprises: authentication means that receives, from the terminal device, an authentication request including organization information, domain information, and account information in an on-premises environment, and when the organization information and the domain information included in the authentication request are associated with organization management information associating the organization information with the domain information, searches for a user belonging to an organization identified by the organization information in user management information with the account information in the on-premises environment; and qualification information issuing means that issues qualification information to the user searched for.SELECTED DRAWING: Figure 12

Description

  The present invention relates to an information processing device, a terminal device, a program, and an information processing system.

  In recent years, there is a demand for using a cloud service by using account information managed by AD (Active Directory) of a user environment. ID cooperation using ADFS (Active Directory Federation Service) or ADFS Proxy is already known.

  Methods for establishing a single ID / single sign-on, for example on a cloud computing platform, are known in the art. Conventional methods validate the user credentials associated with the computer and receive from the computer the identity of the domain in which the single ID will be established.

  The conventional method then configures a directory service on the cloud computing platform for sign-on from users of the domain in response to verifying the user credentials. The conventional method is responsive to a decision by the directory service to approve the credentials associated with the login to decide to allow the login to the second computer.

  Further, in the conventional method, in response to the determination that the directory service approves, the credentials associated with the login are approved so as to access the software service provided on the cloud computing platform (for example, Patent Document 1). reference).

  However, the ID federation using ADFS or ADFS Proxy has a problem that specialized knowledge and cost such as preparation and construction of a server environment for operating ADFS or ADFS Proxy and operation after construction are required.

  An embodiment of the present invention has been made in view of the above points, and an object thereof is to provide an information processing device that can easily realize ID federation using account information in an on-premises environment.

  In order to achieve the above-mentioned subject, claim 1 of the present application is an information processing device which issues qualification information for a terminal device to use a service, and the organization information, domain information, and on-premises environment are provided from the terminal device. If an authentication request including account information is accepted, and the organization information and the domain information included in the authentication request are associated with the organization management information that associates the organization information with the domain information, An authentication means for searching the user management information for the user belonging to the organization identified by the organization information based on the account information in the on-premises environment, and a qualification information issuing means for issuing the qualification information to the searched user. Is characterized by.

  According to the embodiment of the present invention, ID cooperation using account information in an on-premises environment can be easily realized.

It is a block diagram of an example of the information processing system which concerns on 1st Embodiment. It is a hardware block diagram of an example of a computer. 1 is a hardware configuration diagram of an example of an image forming apparatus according to a first exemplary embodiment. It is a processing block diagram of an example of the service provision system which concerns on 1st Embodiment. It is a processing block diagram of an example of an authentication / authorization unit. It is a processing block diagram of an example of a client terminal. It is a block diagram of an example of client information managed by a client management unit. It is a block diagram of an example of tenant information which a tenant information storage part memorizes. It is a block diagram of an example of user information stored in a user information storage unit. It is a block diagram of an example of the license information stored in the license information storage unit. It is explanatory drawing which shows an example of preparation for simple directory authentication. FIG. 9 is a sequence diagram showing an example of a print job registration process using simple directory authentication. It is an explanatory view of an example of a request of simple directory attestation. 9 is a flowchart of an example of a simple directory authentication process in an authentication / authorization unit. FIG. 8 is a sequence diagram showing an example of a print job execution process using simple directory authentication. FIG. 11 is a sequence diagram showing another example of preparation for simple directory authentication. It is an image figure of an example of a service setting screen. It is a block diagram of an example of a file of a tenant authentication key. It is a sequence diagram of an example of a process of setting a tenant authentication key. FIG. 13 is a sequence diagram showing another example of print job registration processing using simple directory authentication. It is an image figure of an example of a user setting screen.

Hereinafter, embodiments of the present invention will be described with reference to the drawings.
[First Embodiment]
<System configuration>
FIG. 1 is a block diagram of an example of an information processing system according to the first embodiment. The information processing system 1000 in FIG. 1 includes a network N1 in an on-premises environment such as an in-office network and a network N2 in a cloud computing environment such as the Internet.

  The network N1 is a private network inside the firewall FW. The firewall FW is installed at the contact point between the network N1 and the network N2, and detects and blocks unauthorized access. A client terminal 1011, an AD (active directory) server device 1012, and an image forming apparatus 1013 such as a multifunction peripheral are connected to the network N1.

  The client terminal 1011 is an example of a terminal device. The client terminal 1011 can be realized by an information processing device equipped with a general OS or the like. The client terminal 1011 has a wireless communication means or a wired communication means. The client terminal 1011 is a user-operable terminal such as a desktop PC, a notebook PC, a smartphone, a mobile phone, or a tablet PC.

  The AD server device 1012 performs processing relating to the active directory. The AD server device 1012 centrally manages various resources existing on the network N1, user information and authority, and the like. For example, the AD server device 1012 can centrally manage information such as account information of users who use various resources existing on the network N1 and access authority to each resource. The AD server device 1012 manages, for each domain, users who use various resources existing on the network N1.

  The image forming apparatus 1013 is an apparatus having an image forming function such as a multifunction peripheral. The image forming apparatus 1013 is also an example of a terminal device. The image forming apparatus 1013 has a wireless communication unit or a wired communication unit. The image forming apparatus 1013 is an apparatus that performs processing related to image formation, such as a multifunction peripheral, a copier, a scanner, a printer, a laser printer, a projector, and an electronic blackboard. Although FIG. 1 shows an example in which each of the client terminal 1011, the AD server device 1012, and the image forming device 1013 is one, it may be plural.

  A service providing system 1014 is connected to the network N2. The service providing system 1014 is realized by one or more information processing devices. The service providing system 1014 is an example of a system that provides some service to the client terminal 1011 and the image forming apparatus 1013. In the information processing system 1000 according to the first embodiment, as will be described later, the AD server device 1012 and the service providing system 1014 perform ID cooperation using the account information of the user managed by the AD server device 1012 in the on-premises environment. To do. The details of the service providing system 1014 will be described later.

<Hardware configuration>
The client terminal 1011 and the AD server device 1012 in FIG. 1 are realized by a computer having a hardware configuration as shown in FIG. 2, for example. Further, one or more information processing devices that realize the service providing system 1014 are also realized by a computer having the hardware configuration shown in FIG.

  FIG. 2 is a hardware configuration diagram of an example of a computer. The computer 100 of FIG. 2 includes an input device 101, a display device 102, an external I / F 103, a RAM 104, a ROM 105, a CPU 106, a communication I / F 107, an HDD 108, and the like, which are interconnected by a bus B.

  The input device 101 includes a keyboard, a mouse, a touch panel, etc., and is used by the user to input each operation signal. The display device 102 includes a display and the like, and displays the processing result by the computer 100. The input device 101 and the display device 102 may be connected and used when necessary.

  The communication I / F 107 is an interface that connects the computer 100 to the networks N1 and N2. As a result, the computer 100 can perform data communication via the communication I / F 107.

  The HDD 108 is a non-volatile storage device that stores programs and data. The stored programs and data include, for example, an OS that is basic software that controls the entire computer 100 and application software that provides various functions on the OS. The computer 100 may use a drive device (for example, a solid state drive: SSD) that uses a flash memory as a storage medium instead of the HDD 108.

  The external I / F 103 is an interface with an external device. The external device includes a recording medium 103a and the like. This allows the computer 100 to read and / or write to the recording medium 103a via the external I / F 103. The recording medium 103a includes a flexible disk, CD, DVD, SD memory card, USB memory and the like.

  The ROM 105 is a non-volatile semiconductor memory (storage device) that can retain programs and data even when the power is turned off. The ROM 105 stores programs and data such as a BIOS executed when the computer 100 is started up, OS settings, and network settings. The RAM 104 is a volatile semiconductor memory (storage device) that temporarily holds programs and data.

  The CPU 106 is an arithmetic device that realizes control and functions of the entire computer 100 by reading programs and data from a storage device such as the ROM 105 and the HDD 108 onto the RAM 104 and executing processing.

  The client terminal 1011 and the AD server device 1012 shown in FIG. 1 can realize various types of processing to be described later by the hardware configuration of the computer 100. Further, one or more information processing devices that implement the service providing system 1014 can also implement various types of processing to be described later by the hardware configuration of the computer 100.

  FIG. 3 is a hardware configuration diagram of an example of the image forming apparatus according to the first embodiment. The image forming apparatus 1013 illustrated in FIG. 3 includes a controller 201, an operation panel 202, an external I / F 203, a communication I / F 204, a printer 205, a scanner 206, and the like.

  The controller 201 includes a CPU 211, a RAM 212, a ROM 213, an NVRAM 214, an HDD 215 and the like. The ROM 213 stores various programs and data. The RAM 212 temporarily holds programs and data. The NVRAM 214 stores, for example, setting information and the like. Further, the HDD 215 stores various programs and data.

  The CPU 211 realizes control and functions of the entire image forming apparatus 1013 by reading programs, data, setting information and the like from the ROM 213, NVRAM 214, HDD 215, etc. onto the RAM 212 and executing processing.

  The operation panel 202 includes an input unit that receives an input from a user and a display unit that displays. The external I / F 203 is an interface with an external device. The external device includes a recording medium 203a and the like. Accordingly, the image forming apparatus 1013 can read and / or write the recording medium 203a via the external I / F 203. The recording medium 203a includes an IC card, flexible disk, CD, DVD, SD memory card, USB memory, and the like.

  The communication I / F 204 is an interface that connects the image forming apparatus 1013 to the network N2. As a result, the image forming apparatus 1013 can perform data communication via the communication I / F 204.

  The printer 205 is a printing device for printing print data on an object to be conveyed. For example, the transported object is not limited to paper such as paper, coated paper, cardboard, OHP, plastic film, prepreg, and copper foil. The scanner 206 is a reading device for reading image data (electronic data) from a document and generating an image file (electronic file).

  The image forming apparatus 1013 according to the present embodiment can realize various types of processing to be described later with the above hardware configuration. The description of the hardware configuration of the firewall FW is omitted.

<Software configuration>
<Service provision system>
The service providing system 1014 according to the first embodiment is realized by the processing blocks shown in FIG. 4, for example. FIG. 4 is a processing block diagram of an example of the service providing system according to the first embodiment. The service providing system 1014 realizes a processing block as shown in FIG. 4 by executing the program.

  The service providing system 1014 of FIG. 4 realizes an application 1101, a common service 1102, a database (DB) 1103, a management 1104, a business 1105, and a platform API 1106.

  The application 1101 has a portal service application 1111, a scan service application 1112, and a print service application 1113 as an example.

  The portal service application 1111 is an application that provides a portal service. The portal service provides a service serving as an entrance for using the service providing system 1014. The scan service application 1112 is an application that provides a scan service. The print service application 1113 is an application that provides a print service. The application 1101 may include other service applications.

  The platform API 1106 is an interface for the portal service application 1111, the scan service application 1112, the print service application 1113, and the like to use the common service 1102. The platform API 1106 is a predefined interface provided for the common service 1102 to receive a request from the application 1101 and is composed of, for example, a function and a class.

  The platform API 1106 can be realized by, for example, a Web API that can be used via a network when the service providing system 1014 includes a plurality of information processing devices.

  The common service 1102 includes an authentication / authorization unit 1121, a tenant management unit 1122, a user management unit 1123, a client management unit 1124, a license management unit 1125, a device management unit 1126, a temporary image storage unit 1127, a log collection unit 1128, an image processing workflow. It has a controller 1130.

  The image processing workflow control unit 1130 has a message queue 1131 and one or more workers (Workers) 1132. The worker 1132 realizes functions such as image conversion and image transmission.

  The authentication / authorization unit 1121 executes authentication / authorization based on an authentication request from an office device such as the client terminal 1011 or the image forming apparatus 1013. The office equipment is a generic term for the client terminal 1011 and the image forming apparatus 1013. The authentication / authorization unit 1121 accesses, for example, the database 1103 to authenticate / authorize the user.

  Further, the authentication / authorization unit 1121 accesses the database 1103 to authenticate the image forming apparatus 1013. Further, the authentication / authorization unit 1121 accesses the database 1103 and performs simple directory authentication described later.

  The tenant management unit 1122 manages tenant information stored in the tenant information storage unit 1142 described below. A tenant is a unit of a group such as a company or a department. The user management unit 1123 manages user information stored in a user information storage unit 1143 described later. The client management unit 1124 manages client information described below.

  The license management unit 1125 manages license information stored in a license information storage unit 1144 described later. The device management unit 1126 manages device information stored in the device information storage unit 1145 described later. The temporary image storage unit 1127 stores a temporary image in the temporary image storage unit 1146, which will be described later, and acquires the temporary image from the temporary image storage unit 1146. The log collection unit 1128 manages the log information stored in the log information storage unit 1141 described later.

  The image processing workflow control unit 1130 controls a workflow related to image processing based on a request from the application 1101. The message queue 1131 has a queue corresponding to the type of processing. The image processing workflow control unit 1130 puts a request message relating to a process (job) in a queue corresponding to the type of the job.

  The worker 1132 is monitoring the corresponding queue. When a message is put into the queue, the worker 1132 performs processing such as image conversion and image transmission according to the type of corresponding job. The message put in the queue may be read by the worker 1132 independently (Pull) or may be provided from the queue to the worker 1132 (Push).

  The database 1103 in FIG. 4 includes a log information storage unit 1141, a tenant information storage unit 1142, a user information storage unit 1143, a license information storage unit 1144, a device information storage unit 1145, a temporary image storage unit 1146, a job information storage unit 1147, and a client. It has an information storage unit 1148 and an application-specific setting information storage unit 1150.

  The log information storage unit 1141 stores log information. The tenant information storage unit 1142 stores tenant information. The user information storage unit 1143 stores user information. The license information storage unit 1144 stores license information. The device information storage unit 1145 also stores device information.

  The temporary image storage unit 1146 stores a temporary image. The temporary image is, for example, a file or data such as a scan image processed by the worker 1132. The job information storage unit 1147 stores request information (job information) related to processing (job). The client information storage unit 1148 stores client information described later. The application-specific setting information storage unit 1150 stores setting information unique to the application 1101.

  The management 1104 in FIG. 4 has a monitoring unit, a deployment unit, a server account management unit, and a server login management unit as an example. Further, the job 1105 in FIG. 4 has a customer information management unit, a contract management unit, a sales management unit, a license management unit, and a development environment unit as an example.

  The service providing system 1014 functions as an integrated platform that provides common services such as a workflow related to authentication / authorization and image processing, and a service group that provides application services such as a scan service and a print service using the functions of the integrated platform. .

  The integrated platform is composed of, for example, a common service 1102, a DB 1103, a management 1104, a business 1105, and a platform API 1106. The service group is composed of, for example, the application 1101. The service providing system 1014 shown in FIG. 4 can easily develop the application 1101 that uses the platform API 1106 by the configuration in which the service group and the integrated base are separated.

  The classification form of the processing blocks of the service providing system 1014 shown in FIG. 4 is an example, and the application 1101, the common service 1102, the DB 1103, the management 1104, and the work 1105 are classified in a hierarchy as shown in FIG. Is not essential. As long as the processing of the service providing system 1014 according to the first embodiment can be performed, the hierarchical relationship shown in FIG. 4 is not limited to a particular one.

  FIG. 5 is a processing block diagram of an example of the authentication / authorization unit. The authentication / authorization unit 1121 of FIG. 5 has a configuration including a simple directory authentication processing unit 11, a user information setting unit 12, a service use authority setting unit 13, a ticket issuing unit 14, and a normal authentication processing unit 15.

  The simple directory authentication processing unit 11 uses the account information in the on-premises environment managed by the AD server device 1012 to perform simple directory authentication described later. The user information setting unit 12 performs processing related to setting user information. The service use authority setting unit 13 performs processing related to setting service use authority. The ticket issuing unit 14 performs processing related to issuing an authentication ticket necessary to use the application 1101 such as the print service application 1113. The normal authentication processing unit 15 performs normal authentication using the account information in the service providing system 1014.

  FIG. 6 is a processing block diagram of an example of a client terminal. The client terminal 1011 in FIG. 6 has an OS (operating system) 20 and a client application 30 installed therein. The client terminal 1011 implements the logon processing unit 21 and the AD authentication request unit 22 by executing the OS 20. Further, the client terminal 1011 implements the print job registration processing unit 31 and the simple directory authentication request unit 32 by executing the client application 30.

  The logon processing unit 21 performs processing relating to user logon. The AD authentication request unit 22 requests the AD server device 1012 to authenticate with account information in the on-premises environment. Hereinafter, authentication based on account information in the on-premises environment is called AD authentication.

  The print job registration processing unit 31 uses the authentication ticket issued by the authentication / authorization unit 1121 to register the print job in the application 1101 such as the print service application 1113. The simple directory authentication request unit 32 makes a simple directory authentication request, which will be described later, using the account information in the on-premises environment, to the authentication / authorization unit 1121.

  FIG. 7 is a block diagram of an example of client information managed by the client management unit. The client information of FIG. 7 has an internal ID, a client ID, a client key, and a provided service as items.

  The internal ID is a primal key (primary key) in the database 1103 and is for internal management. The client ID is an ID that identifies the client application 30. The client key is a secret key for authenticating the client application 30. The provided service is information indicating the service provided by the client application 30.

  In addition, FIG. 8 is a configuration diagram of an example of tenant information stored in the tenant information storage unit. The tenant information of FIG. 8 has an internal ID, a tenant ID, a tenant authentication key, and a domain as items. The internal ID is a primal key (primary key) in the database 1103 and is for internal management. The tenant ID is an ID that identifies the tenant. The tenant authentication key is a secret key for authenticating the tenant. The domain is the domain name of a directory service such as Active Directory.

  Further, FIG. 9 is a configuration diagram of an example of user information stored in the user information storage unit. The user information shown in FIG. 9 has an internal ID, a tenant ID, a user ID, a family name, a first name, a mail address, and an on-premises ID as items. The internal ID is a primal key (primary key) in the database 1103 and is for internal management. The tenant ID is the tenant ID of the tenant to which the user belongs.

  The user ID is an ID that identifies a user in the service providing system 1014. The surname is the user's surname. First Name is the user's first name. The email address is the user's email address. The on-premises ID is an ID that identifies a user in the on-premises environment (hereinafter referred to as an AD user ID).

  FIG. 10 is a configuration diagram of an example of license information stored in the license information storage unit. The license information in FIG. 10 has an internal ID, a service type, the number of licenses, a tenant ID, and a user as items. The internal ID is a primal key (primary key) in the database 1103 and is for internal management.

  The service type represents the service type of the license. The number of licenses represents the number of users who can use the service. The tenant ID is the ID of the tenant who owns the license. The user is the user ID of the user who can use the service.

<Details of processing>
The details of the processing of the information processing system 1000 according to the first embodiment will be described below. In the first embodiment, as an example, a process of printing a print job registered in the service providing system 1014 by the image forming apparatus 1013 will be described.

《Preparation》
FIG. 11 is an explanatory diagram showing an example of preparation for simple directory authentication. For example, the tenant administrator prepares for simple directory authentication according to the procedure shown in FIG. In step S11, the tenant administrator logs in to the service providing system 1014 with an administrator account. In step S12, the administrator requests the service providing system 1014 to issue a tenant authentication key for simple directory authentication and register a domain name.

  In step S13, the service providing system 1014 registers the domain name in the tenant information item “domain” in FIG. 8 and issues a tenant authentication key. The service providing system 1014 registers the issued tenant authentication key in the tenant information of FIG. By the process of step S13, the tenant information illustrated in FIG. 8 is in a state in which the tenant authentication key and the domain are saved. The service providing system 1014 causes the client terminal 1011 to display the file of the tenant authentication key and the download screen of the client application 30.

  In step S14, the tenant administrator downloads the tenant authentication key file to the client terminal 1011. In step S15, the tenant administrator downloads the client application 30 to the client terminal 1011. In step S16, the tenant administrator distributes the tenant authentication key file and the client application 30 to the client terminal 1011 of the user who uses the simple directory authentication. The preparations for simple directory authentication are completed by the processing up to step S16.

<Print job registration>
FIG. 12 is a sequence diagram showing an example of a print job registration process using simple directory authentication. In step S21, the user operates the client terminal 1011 participating in the domain to request the OS 20 to log on by designating the AD user ID and password. The logon processing unit 21 of the client terminal 1011 receives a logon request from the user. In step S22, the AD authentication requesting unit 22 of the OS 20 requests the AD authentication by designating the AD user ID and the password.

  If the combination of the AD user ID and password designated for AD authentication is registered, the AD server device 1012 returns the authentication result of successful logon to the AD authentication request unit 22 of the OS 20. Here, the description will be continued assuming that the logon is successful. In step S23, the logon processing unit 21 of the OS 20 notifies the user of successful logon by, for example, displaying a screen.

  In step S24, the user operates the client terminal 1011 to request the print job registration processing unit 31 of the client application 30 to execute registration of a print job. In step S25, the simple directory authentication request unit 32 of the client application 30 requests the OS 20 to acquire logon information. The simple directory authentication request unit 32 of the client application 30 acquires a domain and an AD user ID as logon information. Although the sequence diagram of FIG. 12 shows an example in which the logon information is acquired from the OS 20, it may be acquired from the AD server device 1012.

  Further, in step S26, the simple directory authentication request unit 32 of the client application 30 requests the AD server device 1012 to acquire AD user information, and acquires the family name, first name, and mail address associated with the AD user ID.

  Then, in step S27, the simple directory authentication requesting unit 32 requests simple directory authentication from the authentication / authorization unit 1121 of the service providing system 1014. The argument of the simple directory authentication includes a client ID, a client key, a tenant authentication key, a domain, an AD user ID, a user ID, a family name, a first name, a mail address, and the like.

  For example, the client ID and client key that are embedded in the client application 30 can be used. Further, the tenant authentication key can be read from the file of the tenant authentication key distributed in step S16. The domain and the AD user ID can be obtained from the OS 20 in step S25. Also, the family name, first name, and email address obtained in step S26 can be used.

  The user ID is an ID that identifies a user in the service providing system 1014. The same user ID as the argument of the simple directory authentication can be used as the AD user ID, but it is necessary to set an appropriate value in the processing when, for example, the prohibited character of the authentication / authorization unit 1121 is included. The authentication / authorization unit 1121 may set an appropriate value.

  The request for the simple directory authentication in step S27 is made by a request as shown in FIG. 13, for example. FIG. 13 is an explanatory diagram of an example of a request for simple directory authentication.

  The request for the simple directory authentication shown in FIG. 13 represents the client ID “clientA” and the client key “Poehjfkdng712FssfFsA” as the information of the client application 30.

  A tenant ID “123456789” and a tenant authentication key “dHJZPLbv8otCTGAyrIwm” are represented as tenant information. The domain “ad.example.com” and the AD user ID “ad_userA” are represented as the information of the user logged on to the OS 20. As user information in the service providing system 1014, a user ID “userA”, a mail address “ad_userA@example.com”, a family name “Yamada”, and a name “Taro” are shown. As service information, the service type “CloudPrint” is shown.

  Returning to FIG. 12, the simple directory authentication processing unit 11 of the authentication / authorization unit 1121 performs the process of step S28 if the request for the simple directory authentication of step S27 includes the user parameter. In step S28, the user information setting unit 12 of the authentication / authorization unit 1121 creates a new user or updates the user information based on the user parameter included in the request for the simple directory authentication in step S27.

  The new user is created by adding a record of user information based on the user parameter included in the request for simple directory authentication in step S27. If the simple directory authentication processing unit 11 of the authentication / authorization unit 1121 includes the service parameter in the request for the simple directory authentication of step S27, the simple directory authentication processing unit 11 performs the process of step S29. In step S29, the service use authority setting unit 13 of the authentication / authorization unit 1121 grants the service use authority based on the service parameter included in the request for the simple directory authentication in step S27.

  In step S30, the ticket issuing unit 14 of the authentication / authorization unit 1121 issues an authentication ticket for using the print service application 1113. In step S31, the authentication / authorization unit 1121 returns the authentication ticket to the client application 30.

  In step S32, the print job registration processing unit 31 of the client application 30 attaches the issued authentication ticket and requests the print service application 1113 to register the print job. The print service application 1113 registers the print job in association with the authentication ticket. The print service application 1113 returns the print job registration result to the print job registration processing unit 31 of the client application 30. In step S33, the print job registration processing unit 31 of the client application 30 notifies the user of the completion of print job registration, for example, by displaying a screen.

  In the sequence diagram of FIG. 12, the authentication / authorization unit 1121 performs simple directory authentication as shown in FIG. 14, for example. FIG. 14 is a flowchart of an example of the simple directory authentication process in the authentication / authorization unit.

  In step S51, the simple directory authentication processing unit 11 of the authentication / authorization unit 1121 refers to the client information shown in FIG. 7 and performs application authentication. In the application authentication, the client ID and the client key of the client information are checked and the registered client application 30 is authenticated.

  If it is the registered client application 30, the process proceeds to step S52, and the simple directory authentication processing unit 11 refers to the tenant information shown in FIG. 8 and performs tenant authentication. Tenant authentication checks the tenant authentication key of the tenant information and authenticates whether the tenant authentication key is the tenant authentication key of any tenant.

  If the tenant authentication key is the tenant authentication key of any tenant, the simple directory authentication processing unit 11 proceeds to step S53, refers to the tenant information, and checks the domain parameter. The domain parameter check is to confirm whether the domain of tenant information matches the domain of the corresponding tenant.

  If the domain of the tenant information matches the domain of the corresponding tenant, the simple directory authentication processing unit 11 proceeds to step S54 and searches for a user by the on-premises ID. The user search by the on-premises ID refers to the user information in FIG. 9, and searches for a user who belongs to the corresponding tenant and has the same on-premises ID (AD user ID).

  If a user who belongs to the corresponding tenant and has a matching on-premises ID is not found, the simple directory authentication processing unit 11 proceeds to step S55 and checks the parameter of the user ID of the user information.

  If the parameter of the user ID of the user information is specified, the simple directory authentication processing unit 11 proceeds to step S56 and checks the user parameter. If the user parameter is OK, the user information setting unit 12 creates a new user in step S57.

  If a user who belongs to the relevant tenant and has a matching on-premises ID is searched for, the simple directory authentication processing unit 11 proceeds to step S58 and confirms whether or not there is a user parameter. If there is a user parameter, the simple directory authentication processing unit 11 proceeds to step S59 and checks the user parameter. If the user parameter is OK, the user information setting unit 12 updates the user information in step S60. For example, updating the user information is a process of updating the family name, first name, and email address in the user information of FIG.

  In step S61, the simple directory authentication processing unit 11 confirms the presence / absence of a service parameter. If there is a service parameter, the simple directory authentication processing unit 11 proceeds to step S62 and checks the service parameter. If the service parameter check is OK, the simple directory authentication processing unit 11 proceeds to step S63 and refers to the license information in FIG. 10 to set the service use authority. To set the service use authority, the license information of the corresponding service type is searched from the license information of FIG. 10, and the user ID is added to the item of the using user. At this time, the simple directory authentication processing unit 11 also refers to the client information in FIG. 7 and returns an error if the service is not provided by the corresponding client application 30. In step S64, the ticket issuing unit 14 issues an authentication ticket and returns the authentication ticket to the client application 30 as a success response.

  If the client application 30 is not the registered client application 30 in step S51, or if the tenant authentication key is not the tenant authentication key of any tenant in step S52, the simple directory authentication processing unit 11 returns a failure response.

  If the domain of the tenant information does not match the domain of the corresponding tenant in step S53, or if the parameter of the user ID of the user information is not specified in step S55, the simple directory authentication processing unit 11 returns a failure response. .

  If the user parameter is not OK in step S56, the user parameter is not OK in step S59, or the service parameter check is not OK in step S62, the simple directory authentication processing unit 11 returns a failure response.

《Print job execution》
FIG. 15 is a sequence diagram showing an example of a print job execution process using simple directory authentication. For example, a user who has registered a print job causes the image forming apparatus 1013 to execute the print job according to the procedure shown in FIG.

  In step S81, the user logs in to the image forming apparatus 1013 using, for example, an IC card. In step S82, the image forming apparatus 1013 acquires the AD user ID associated with the IC card from the AD server apparatus 1012. In step S83, the image forming apparatus 1013 makes a job list acquisition request by the AD user ID to the service providing system 1014.

  In step S84, the service providing system 1014 returns the authentication ticket by the AD user ID and the job list to the image forming apparatus 1013. The image forming apparatus 1013 displays a job list and receives a print instruction designating a print job from the user. In step S85, the image forming apparatus 1013 requests the service providing system 1014 for the print job designated by the user. In step S86, the service providing system 1014 returns the requested print job data to the image forming apparatus 1013. Then, the image forming apparatus 1013 prints based on the returned print job data.

(Summary)
As illustrated in the sequence diagram of FIG. 12, the information processing system 1000 according to the first embodiment automatically generates user information in the service providing system 1014 based on account information in the on-premises environment. Further, the information processing system 1000 according to the first embodiment enables the login to the service providing system 1014 by the automatically generated user information. Therefore, the information processing system 1000 according to the first embodiment can easily realize ID federation using account information in an on-premises environment without using ADFS or ADFS Proxy. According to the first embodiment, the user can use the service provided by the service providing system 1014 by inputting the account information in the on-premises environment.
[Second Embodiment]
The second embodiment is the same as the above-described first embodiment except for a part, and thus the description thereof will be appropriately omitted.

<Details of processing>
The details of the processing of the information processing system 1000 according to the second embodiment will be described below. In the second embodiment, as an example, a process of printing a print job registered in the service providing system 1014 by the image forming apparatus 1013 will be described.

《Preparation》
FIG. 16 is a sequence diagram showing another example of preparation for simple directory authentication. For example, the tenant administrator prepares for simple directory authentication according to the procedure shown in FIG. The sequence diagram of FIG. 16 includes a procedure for issuing a tenant authentication key and a procedure for distributing a tenant authentication key.

  In the sequence diagram of FIG. 16, the service providing system 1014 issues a tenant authentication key. The tenant authentication key is used for authentication when registering a print job from the client application 30 to the service providing system 1014. The sequence diagram of FIG. 16 shows a procedure in which the tenant administrator issues and distributes the tenant authentication key in advance. The user and the administrator shown in FIG. 16 are the client terminals 1011 operated by the user and the administrator.

  In step S101, the tenant administrator requests the login to the portal service application 1111 of the service providing system 1014 using the administrator account. The portal service application 1111 proceeds to step S102, and requests the authentication / authorization unit 1121 to log in using the administrator account requested by the administrator to log in.

  In step S103, the authentication / authorization unit 1121 verifies the administrator account requested to log in, and returns the verification result to the portal service application 1111. Here, it is assumed that the OK verification result is returned to the portal service application 1111. In step S104, the portal service application 1111 displays a service setting screen on the client terminal 1011 of the administrator.

  In the first procedure shown in steps S101 to S104, the tenant administrator logs in to the service providing system 1014 using the administrator account registered in the service providing system 1014. By this login, the service providing system 1014 can determine the tenant to issue the tenant authentication key.

  FIG. 17 is an image diagram of an example of the service setting screen. The service setting screen of FIG. 17 includes a field for setting a tenant domain name and a “download file” button for requesting issuance of a tenant authentication key. The service setting screen of FIG. 17 is displayed by using a browser, for example. As the domain name of the tenant, for example, the domain used by the AD server device 1012 is registered.

  In step S105, the administrator can set a domain name on the service setting screen of FIG. 17 and request the service providing system 1014 to issue a tenant authentication key for simple directory authentication. The client terminal 1011 of the administrator specifies the domain name and requests the issuance of the tenant authentication key.

  The portal service application 1111 proceeds to step S106 to request the authentication / authorization unit 1121 to issue a tenant authentication key by designating a domain name. In step S107, the authentication / authorization unit 1121 issues a tenant authentication key associated with the tenant of the administrator.

  In step S108, the authentication / authorization unit 1121 registers the set domain name and the issued tenant authentication key in the tenant information of FIG. The tenant information shown in FIG. 8 is in a state in which the tenant authentication key and the domain are saved. The authentication / authorization unit 1121 notifies the portal service application 1111 of the issued tenant authentication key.

  In step S109, the portal service application 1111 downloads the tenant authentication key file to the client terminal 1011 of the administrator. The form in which the tenant authentication key is provided to the client terminal 1011 of the administrator may be a download of a file of the tenant authentication key, or the text of the tenant authentication key may be displayed on the browser.

  In the second procedure shown in steps S105 to S109, the tenant administrator specifies the domain name and requests the service providing system 1014 to issue a tenant authentication key, and acquires the tenant authentication key file of the tenant. .

  FIG. 18 is a configuration diagram of an example of a tenant authentication key file. The tenant authentication key in the file may be encrypted. Further, the file of the tenant authentication key may be downloaded from the service providing system 1014 to the client terminal 1011 of the administrator in the form enclosed with the client application 30.

  In step S110, the tenant administrator distributes the tenant authentication key file to the user's client terminal 1011. In the third procedure shown in step S110, the tenant authentication key is distributed to the client terminals 1011 of users in the tenant.

  The user to whom the tenant authentication key is distributed sets the tenant authentication key in the user's client terminal 1011 in the procedure shown in FIG. 19, for example. FIG. 19 is a sequence diagram of an example of processing for setting a tenant authentication key.

  In step S121, the user places the distributed tenant authentication key in the OS 20 of the client terminal 1011 of the user. The location of the tenant authentication key may be the same file storage location (folder or the like) as the installer of the client application 30 or the file storage location selected when the client application 30 is installed. If the file of the tenant authentication key is distributed to the user's client terminal 1011 while being bundled with the client application 30, the process of step S121 is unnecessary.

  In step S122, the user operates the client terminal 1011 to install the client application 30. In step S123, the installed client application 30 acquires the tenant authentication key from the tenant authentication key file arranged in the OS 20.

  In step S124, the client application 30 sets the acquired tenant authentication key in the OS 20. In step S125, the OS 20 writes and stores the tenant authentication key in the registry. If the tenant authentication key is encrypted, the client application 30 sets the decrypted tenant authentication key in the OS 20. With the processing up to this point, the preparation for simple directory authentication is completed.

<Print job registration>
FIG. 20 is a sequence diagram showing another example of the print job registration process using the simple directory authentication. The user registers the print job in the service providing system 1014 according to the procedure shown in FIG. The sequence diagram of FIG. 20 includes a procedure of logging on, a procedure of preparing for printing, and a procedure of registering a print job.

  In step S131, the user operates the client terminal 1011 participating in the domain, requests the OS 20 to log on to the client terminal 1011 by designating the AD user ID and password. The OS 20 receives a logon request from the user.

  In step S132, the OS 20 requests the AD server device 1012 for AD authentication by designating the AD user ID and password. If the combination of the AD user ID and password designated for AD authentication is registered, the AD server device 1012 returns the authentication result of successful logon to the OS 20. Here, the description will be continued assuming that the logon is successful.

  In step S133, the OS 20 notifies the user of successful logon by displaying a screen, for example. In the first procedure shown in steps S131 to S133, the user is logged on to the client terminal 1011 by the authentication by the AD server device 1012.

  In step S134, the user gives a print instruction to the existing document creation software 40 to display a printer list. In step S135, the user operates the client terminal 1011 to select a printer. In the second procedure shown in steps S134 to S135, a printer for printing is selected as a preparation for printing.

  In step S136, the user operates the client terminal 1011 to instruct the document creation software 40 to execute printing. The document creation software 40 instructed to execute the printing inputs the document to the client application 30 in step S137. In step S138, the client application 30 acquires the tenant authentication key stored in the registry from the OS 20.

  If the tenant authentication key can be acquired from the OS 20, the client application 30 displays the user setting screen shown in FIG. 21, for example, on the user's client terminal 1011 and requests user information in step S139.

  FIG. 21 is an image diagram of an example of the user setting screen. The user setting screen of FIG. 21 is provided with a selection field (for example, a check box) for allowing the user to select whether to use the simple directory authentication. In step S140, the user selects whether to use simple directory authentication. Here, it is assumed that the use of simple directory authentication (AD cooperation) is selected. If simple directory authentication is used but is not selected, the user name and password registered in advance in the service providing system 1014 are input to perform normal authentication, and the print service application 1113 is used.

  In step S141, the user client terminal 1011 notifies the client application 30 that simple directory authentication is used (AD cooperation is performed). In step S142, the client application 30 requests the OS 20 to acquire logon information. The client application 30 acquires a domain and an AD user ID as logon information.

  Further, in step S143, the client application 30 requests the AD server device 1012 to acquire AD user information, and acquires the family name, first name, and mail address associated with the AD user ID. If the user information is unnecessary, the inquiry to the AD server device 1012 may not be made.

  Then, in step S144, the client application 30 requests the authentication / authorization unit 1121 of the service providing system 1014 for simple directory authentication. The argument of the simple directory authentication includes a client ID, a client key, a tenant authentication key, a domain, an AD user ID, a user ID, a family name, a first name, a mail address, and the like.

  The request for the simple directory authentication in step S144 is made by a request as shown in FIG. 13, for example. The authentication / authorization unit 1121 performs the simple directory authentication process shown in FIG. 14, issues an authentication ticket for using the print service application 1113, and returns it to the client application 30. The client application 30 can use the API of the print service application 1113 by acquiring the authentication ticket. The authentication ticket is authentication information (information indicating that authentication is permitted) required when using the API of the print service application 1113.

  When issuing the authentication ticket, the authentication / authorization unit 1121 verifies the domain and the tenant authentication key registered in advance. The issued authentication ticket is stored as a cache in the client application 30 and is used when the print job is registered for the second time and thereafter. Further, the client application 30 uses the authentication ticket to convert the document into a printable state by the print service application 1113.

  In step S145, the client application 30 attaches the issued authentication ticket and requests the print service application 1113 to register a print job. The print service application 1113 registers the print job in association with the authentication ticket. The print service application 1113 returns the registration result of the print job to the client application 30. In step S146, the client application 30 notifies the user of print job registration completion, for example, by displaying a screen.

《Print job execution》
The print job execution process using the simple directory authentication is the same as that in the first embodiment, and thus the description thereof is omitted.

(Summary)
As shown in the sequence diagram of FIG. 20, the information processing system 1000 according to the second embodiment automatically generates the user information in the service providing system 1014 based on the account information in the on-premises environment. In addition, the information processing system 1000 according to the second embodiment enables login to the service providing system 1014 by automatically generating user information. Therefore, the information processing system 1000 according to the second embodiment can easily realize ID federation using account information in an on-premises environment without using ADFS or ADFS Proxy.

  As described above, according to the second embodiment, the tenant authentication key issued by the service providing system 1014 can be set in the client application 30, and the tenant authentication key can be used when using the service providing system 1014.

  The present invention is not limited to the above specifically disclosed embodiments, and various modifications and changes can be made without departing from the scope of the claims. The client terminal 1011 is an example of a terminal device. The authentication ticket is an example of credential information. The simple directory authentication processing unit 11 is an example of an authentication unit. The ticket issuing unit 14 is an example of qualification information issuing means. The user information setting unit 12 is an example of a user information setting unit. The service use authority setting unit 13 is an example of service use authority setting means.

11 simple directory authentication processing unit 12 user information setting unit 13 service usage authority setting unit 14 ticket issuing unit 20 OS (operating system)
21 Logon Processing Section 22 AD (Active Directory) Authentication Request Section 30 Client Application 31 Print Job Registration Processing Section 32 Simple Directory Authentication Request Section 40 Document Creation Software 100 Computer 101 Input Device 102 Display Device 103 External I / F
103a, 203a Recording medium 104 RAM
105 ROM
106 CPU
107 Communication I / F
108 HDD
201 controller 202 operation panel 203 external I / F
204 Communication I / F
205 printer 206 scanner 211 CPU
212 RAM
213 ROM
214 NVRAM
215 HDD
1000 Information processing system 1011 Client terminal 1012 AD (Active Directory) server device 1013 Image forming device 1014 Service providing system 1101 Application 1102 Common service 1103 Database 1104 Management 1105 Business 1106 Platform API (Application Programming Interface)
1111 Portal service application 1112 Scan service application 1113 Print service application 1121 Authentication / Authorization section 1122 Tenant management section 1123 User management section 1124 Client management section 1125 License management section 1126 Device management section 1127 Temporary image storage section 1128 Log collection section 1130 Image processing workflow Control unit 1131 Message queue 1132 Worker 1141 Log information storage unit 1142 Tenant information storage unit 1143 User information storage unit 1144 License information storage unit 1145 Device information storage unit 1146 Temporary image storage unit 1147 Job information storage unit 1148 Client information storage unit 1150 Application specific Setting information storage unit B bus FW firewall N1 to N2 network

Japanese Patent Publication No. 2015-518198

The claims 1 to achieve the aforementioned problems is an information processing apparatus to which the terminal issues the credentials to use the service, organization information from the terminal device,及 Beauty, account information in premises environment receiving an authentication request including the user belonging to more identified the tissue to the tissue information contained in prior Symbol authentication request, and authentication means for retrieving from the user management information by the previous Kia count information, search And a qualification information issuing means for issuing the qualification information to the user.

Claims (12)

An information processing device that issues qualification information for a terminal device to use a service,
The organization information, domain information, and an authentication request including the account information in the on-premises environment are accepted from the terminal device, and the organization management information that associates the organization information with the domain information includes the organization included in the authentication request. If information and the domain information are associated with each other, an authentication unit that searches a user belonging to an organization identified by the organization information from user management information by account information in the on-premises environment,
Credential issuing means for issuing the credential to the searched user,
Information processing device having a. When the authentication unit cannot retrieve the user belonging to the organization identified by the organization information from the user management information by the account information in the on-premises environment, the user management information includes the account information in the on-premises environment. User information setting means for creating information of the user corresponding to
Further has
The information processing apparatus according to claim 1, wherein the qualification information issuing means issues the qualification information to the user for whom the information of the user has been created. The user information setting means,
The account in the on-premises environment included in the authentication request, when the authentication unit can retrieve the user belonging to the organization identified by the organization information from the user management information by the account information in the on-premises environment. The information processing apparatus according to claim 2, wherein the information of the user in the user management information is updated based on the information. Service usage authority setting means for setting the service usage authority of the user for which the user information is created in the authority management information,
The information processing apparatus according to claim 1, further comprising: The authentication unit receives an authentication request including organization information, domain information, application information, and account information in an on-premises environment from the terminal device, performs authentication based on the application information, and fails authentication of the application information. The information processing apparatus according to any one of claims 1 to 4, wherein the qualification information issuing unit does not cause the qualification information to be issued. The authentication means authenticates based on the organization information included in the authentication request, and when the authentication of the organization information fails, the qualification information issuing means is not allowed to issue the qualification information. The information processing apparatus according to claim 1. A terminal device that uses a service provided by the information processing device by using the qualification information issued by the information processing device,
The organization information, the domain information, and the authentication request including the account information in the on-premises environment are issued to the information processing apparatus, and the organization management information that associates the organization information with the domain information is included in the authentication request. If the organization information and the domain information are associated with each other, authentication request means for acquiring the qualification information issued by the information processing device,
Service using means for using the service provided by the information processing device by using the acquired qualification information,
If the organization information issued in association with the domain information in the information processing device is arranged in the terminal device, the authentication requesting unit is provided with the organization information, domain information, and on-premise in the information processing device. A terminal device characterized by making an authentication request including account information in the environment. If the organization information issued in association with the domain information in the information processing device is not arranged in the terminal device, the authentication requesting means makes an authentication request using account information in the information processing device. The terminal device according to claim 7, wherein the terminal device is a terminal device. An information processing device that issues qualification information for the terminal device to use the service,
The organization information, domain information, and an authentication request including the account information in the on-premises environment are accepted from the terminal device, and the organization management information that associates the organization information with the domain information includes the organization included in the authentication request. If information and the domain information are associated with each other, authentication means for searching a user belonging to an organization identified by the organization information from the user management information by account information in the on-premises environment,
Credential issuing means for issuing the credential to the searched user,
Program to function as. A terminal device that uses the service provided by the information processing device by using the qualification information issued by the information processing device,
The organization information, the domain information, and the authentication request including the account information in the on-premises environment are issued to the information processing apparatus, and the organization management information that associates the organization information with the domain information is included in the authentication request. If the organization information and the domain information are associated with each other, authentication request means for acquiring the qualification information issued by the information processing device,
Using the acquired qualification information as a service using means for using the service provided by the information processing device,
If the organization information issued in association with the domain information in the information processing device is arranged in the terminal device, the authentication requesting unit is provided with the organization information, domain information, and on-premise in the information processing device. A program characterized by making an authentication request including account information in the environment. An information processing system including one or more information processing devices,
Application means for providing a service to the terminal device that has made a request by specifying qualification information for using the service,
The organization information, domain information, and an authentication request including the account information in the on-premises environment are accepted from the terminal device, and the organization management information that associates the organization information with the domain information includes the organization included in the authentication request. If information and the domain information are associated with each other, an authentication unit that searches a user belonging to an organization identified by the organization information from user management information by account information in the on-premises environment,
Credential issuing means for issuing the credential to the searched user,
Information processing system having. An information processing system including one or more information processing devices and a terminal device that uses a service provided by the information processing device by using qualification information issued by the information processing device,
Service using means for using the service provided by the information processing device by using the qualification information;
Application means for providing a service to the terminal device that has made a request by specifying qualification information for using the service,
Authentication request means for making an authentication request to the information processing device, including organization information, domain information, and account information in an on-premises environment,
The organization information, domain information, and an authentication request including the account information in the on-premises environment are accepted from the terminal device, and the organization management information that associates the organization information with the domain information includes the organization included in the authentication request. If information and the domain information are associated with each other, an authentication unit that searches a user belonging to an organization identified by the organization information from user management information by account information in the on-premises environment,
Credential issuing means for issuing the credential to the searched user,
Information processing system having.

Images