JP2023115743A - Network system and single sign-on processing method - Google Patents

Abstract

To provide a network system capable of achieving single sign-on with high security and a single sign-on processing method.SOLUTION: A client device 14 transmits a generation request of a one-time PW (OPW) to a SSO authentication server 10 according to an input request of a login account LCN from a Web server 12, and transmits the one-time PW (OPW) acquired from the SSO authentication server 10 to the Web server 12 as a login PW. The SSO authentication server 10 generates a one-time PW (OPW) according to the generation request of the one-time PW from the client device 14, updates the login PW registered in a login DB of a resource server 11 with the generated one-time PW (OPW), and transmits the generated one-time PW (OPW) to the client device 14.SELECTED DRAWING: Figure 3A

Description

The present invention relates to a network system and a single sign-on (abbreviated as SSO in this specification) processing method.

Patent Literature 1 discloses an authentication system capable of providing a service user with a service according to information before SSO after SSO. Specifically, when an SP (Service Provider) server receives SSO access from a user terminal, it stores pre-SSO communication session information of the user terminal as pre-SSO information in an information holding unit, and transfers the user terminal to the IdP ( Identify Provider) redirect to the server. The IdP server performs SSO authentication by referring to the SSO authentication DB using the authentication information input from the user terminal, and redirects the user terminal to the SP server if the SSO authentication is successful. After the SSO authentication is successful, the SP server acquires the pre-SSO information from the information holding unit, and provides the user terminal with a service according to the contents of the pre-SSO information.

JP 2016-118930 A

For example, SSO technology as described in Patent Document 1 is known. In addition to the method disclosed in Patent Document 1, there are various methods for realizing SSO. As one of them, for example, each login account for a plurality of server devices is stored in the web browser of the client device, and when logging in to each server device, the corresponding login account is automatically input to the web browser. method.

When logging into an individual server device using such a method, the client device provides a login account including a login ID (IDentifier) and a login password (the password is abbreviated as PW in the specification) to the server device. Send automatically. In addition, when a resource server such as an LDAP (Lightweight Directory Access Protocol) server is provided, the server device transmits the login account from the client device to the resource server, thereby allowing the resource server to determine login permission/login refusal.

However, in this case, the login account may be leaked on the communication path between the client device and the server device or on the communication path between the server device and the resource server. Unauthorized use of the leaked login account may lead to deterioration of security. As a method for improving security, a method using a one-time password is known. However, in this case, the server device or resource server must have a mechanism for handling one-time passwords.

The present invention has been made in view of the above, and one of its objects is to provide a network system and a single sign-on processing method capable of realizing single sign-on with high security. It is in.

The above and other objects and novel features of the present invention will become apparent from the description of the specification and the accompanying drawings.

A brief outline of representative embodiments of the invention disclosed in the present application is as follows.

A network system according to one embodiment has a client device, a server device, a resource server, and an SSO authentication server. A client device is used by a client. The server device provides a predetermined service to the client when the login account including the login PW permits login. The resource server maintains a login database in which login accounts permitting login to the server device are registered, and in response to a login judgment request including the login account from the server device, the login is permitted by checking with the login database. Or, determine login refusal. When the SSO authentication server receives an authentication request for an authentication account for SSO from the client device and determines that the authentication is permitted, the SSO authentication server implements SSO in cooperation with the client device and the resource server. Here, the client device transmits a one-time PW generation request to the SSO authentication server in response to a login account input request from the server device, and the server device uses the one-time PW acquired from the SSO authentication server as the login PW. Send to The SSO authentication server generates a one-time PW in response to a one-time PW generation request from the client device, updates the login PW registered in the login database of the resource server with the generated one-time PW, and generates the generated one-time PW. Send the time PW to the client device.

Briefly describing the effects obtained by representative embodiments of the invention disclosed in the present application, it is possible to achieve single sign-on with high security.

1 is a schematic diagram showing a configuration example and a prerequisite operation example of a network system according to Embodiment 1; FIG. 2 is a diagram showing an example of a login account input screen displayed on a client device in the network system of FIG. 1; FIG. 2 is a sequence diagram showing an example of an SSO processing method in the network system shown in FIG. 1; FIG. FIG. 3B is a sequence diagram showing an example of a processing method following FIG. 3A; 2 is a schematic diagram showing a configuration example of a main part of the client device in FIG. 1; FIG. FIG. 5 is a schematic diagram showing a configuration example of an SSO processing unit realized by a processor executing an SSO processing program in the client device shown in FIG. 4; FIG. 2 is a schematic diagram showing a configuration example of the main part of the SSO authentication server in FIG. 1; FIG. 7 is a schematic diagram showing a configuration example of an authentication database in FIG. 6;

BEST MODE FOR CARRYING OUT THE INVENTION Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings. In principle, the same members are denoted by the same reference numerals in all the drawings for describing the embodiments, and repeated description thereof will be omitted.

<Outline of network system>
FIG. 1 is a schematic diagram showing a configuration example and a prerequisite operation example of a network system according to a first embodiment. A network system shown in FIG. , and a client device 14 . The client device 14 is used here by a client 16 having an authentication account "ACN1" for SSO. A client device 14 is connected to the network 15 via the L2 switch 13 .

The Web servers 12[1] and 12[2] are servers equipped with HTTP (Hypertext Transfer Protocol) processing functions. Each of the web servers 12[1] and 12[2] provides a predetermined service to the client 16 when the login account LCN including the login ID (LID) and login PW (LPW) permits login. Here, the URIs (Uniform Resource Identifiers) of the Web servers 12[1] and 12[2] are respectively "URI1" and "URI2".

Note that the Web servers 12[1] and 12[2] may be other server devices such as application servers and file servers. That is, the server device is not limited to a web server, and may be any device that provides a predetermined service to the client 16 when the login account LCN permits login.

The resource server 11 is a direct server such as an LDAP server, and is a server that manages logins to the Web servers (server devices) 12[1] and 12[2]. The resource server 11 includes a memory 25, and stores a login database (abbreviated as DB in the specification) 26 in which a login account LCN that permits login to the Web servers 12[1] and 12[2] is registered. Hold at 25. In this example, the login DB 26 stores "LID11" and "LPW11" as the login ID (LID) and login PW (LPW), respectively, for the Web server 12[1] having "URI1". is registered.

Similarly, "LID12" and "LPW12" are registered in the login DB 26 for the Web server 12[2] having "URI2". Note that "LID12" and "LPW12" may be the same as "LID11" and "LPW11", respectively. The resource server 11 checks with the login DB 26 in response to a login determination request including the login account LCN from the Web servers 12[1] and 12[2] to determine login permission or login refusal.

The SSO authentication server 10 is a device that provides an SSO function. The SSO authentication server 10 has a memory 20, and holds an authentication DB 21 representing correspondence between authentication accounts ACN that permit SSO authentication and login accounts LCN to the Web servers 12[1] and 12[2]. do.

In this example, "ACN1" is registered in the authentication DB 21 as an authentication account ACN that permits SSO authentication. The authentication account ACN may specifically include, for example, an authentication ID and an authentication PW in the same manner as the login account LCN, but is not particularly limited to this. In the authentication DB 21, "URI1" corresponding to "ACN1", that is, "LID11" and "LPW11" are registered as the login ID (LID) and login PW (LPW) for the Web server 12[1], respectively. be done.

Similarly, in the authentication DB 21, "URI2" corresponding to "ACN1", that is, "LID12" and "LPW12" are stored as login ID (LID) and login PW (LPW) to Web server 12[2], respectively. be registered. "URI1", "URI2", . The SSO authentication server 10 determines authentication permission or authentication refusal based on the authentication DB 21 in response to an authentication request for the authentication account ACN from the client device 14 . When the SSO authentication server 10 determines that the authentication is permitted, the SSO authentication server 10 implements SSO in cooperation with the client device 14 and the like, as described below.

Next, in the network system shown in FIG. 1, an example of the SSO processing method, which is a prerequisite, will be described. The client 16 causes the SSO authentication server 10 to authenticate the authentication account "ACN1" for SSO via the client device 14 (steps S101 and S102). Specifically, the client device 14 transmits an authentication request for the authentication account "ACN1" to the SSO authentication server 10 (step S101). The SSO authentication server 10 determines whether or not the authentication account "ACN1" is authenticated based on the authentication DB 21. In this example, the authentication is permitted. The SSO authentication server 10 transmits to the client device 14 an authentication response indicating authentication permission/authentication refusal, in this example, authentication permission (step S102).

Subsequently, the client 16 accesses the web server 12[1] for the first time via the web browser of the client device 14 (step S103). In response, the web server 12[1] transmits a login account LCN input request to the client device 14 (step S104). FIG. 2 is a diagram showing an example of a login account input screen displayed on a client device in the network system of FIG. In response to step S104, the web browser of the client device 14 displays a login account entry screen 18 requesting entry of a login ID (LID) and a login PW (LPW), as shown in FIG. 2, for example. .

The client device 14 transmits a login account LCN acquisition request to the SSO authentication server 10 in response to the login account LCN input request from the web server 12[1] in step S104 (step S105). The acquisition request for the login account LCN includes, for example, information on the authentication account "ACN1" and information on "URI1" of the web server 12[1]. The SSO authentication server 10 determines the login ID “LID11” and login PW “LPW11” corresponding to “ACN1” and “URI1” based on the authentication DB 21, and determines the login account LCN including “LID11” and “LPW11”. An acquisition response is transmitted to the client device 14 (step S106).

The client device 14 receives the acquisition response of the login account LCN from the SSO authentication server 10 in step S106, and transmits the login request for the login account LCN, that is, the login ID "LID11" and the login PW "LPW11" to the web server 12[1]. ] (step S107). Specifically, the client device 14 logs into the web server 12[1] by automatically entering the login account LCN obtained from the SSO authentication server 10 on the login account input screen 18 as shown in FIG. Submit your request.

In response to the login request for the login account LCN from the client device 14, the web server 12[1] transmits a login determination request for the login account LCN, that is, the login ID "LID11" and the login PW "LPW11" to the resource server 11. (step S108). The resource server 11 compares the login account LCN with the login DB 26 to determine login permission or login refusal for "LID11" and "LPW11", login permission in this example. Then, the resource server 11 transmits a login determination response including a login determination result representing login permission to the Web server 12[1] (step S109).

As a result, the client device 14 is logged into the web server 12[1], and can use the services provided by the web server 12[1]. After that, when the client device 14 accesses the Web server 12[2] for the first time, the same processing as in steps S103 to S109 is performed. As a result, the client device 14 is logged in to the web server 12[2], and can use the services provided by the web server 12[2]. In this way, the client 16 receives authentication permission from the SSO authentication server 10 in steps S101 and S102, and thereafter individually accesses the Web servers 12[1] and 12[2] to which SSO is applied. This eliminates the need to input the login account LCN.

However, in such a method, the login account may be leaked. For example, the login account LCN may be leaked when the login is requested in step S107 or when the login determination is requested in step S108. If the login account LCN is leaked, there is a risk of unauthorized access to the Web servers 12[1] and 12[2] using the leaked login account LCN. As a result of such unauthorized access, there is a risk that security will be lowered. Therefore, it is beneficial to use the SSO processing method described below.

<SSO Processing Method (Embodiment)>
3A is a sequence diagram showing an example of the SSO processing method in the network system shown in FIG. 1, and FIG. 3B is a sequence diagram showing an example of the processing method following FIG. 3A. In steps S101, S101-1, S102, and S102-1 (authentication step) shown in FIG. 3A, the client device 14 causes the SSO authentication server 10 to authenticate the authentication account ACN for SSO.

Specifically, as described in FIG. 1, the client device 14 transmits an authentication request for the authentication account ACN to the SSO authentication server 10 (step S101). In response to this, the SSO authentication server 10 determines whether authentication is permitted or rejected based on the authentication DB 21 (step S101-1), and in this example, transmits an authentication response representing authentication permission to the client device 14 (step S102). Further, when the SSO authentication server 10 determines that the authentication is permitted in step S101-1, the SSO authentication server 10 transmits to the client device 14, for example, application destination list data 22 defining the URI of the server device to which SSO is applied. (Step S102-1). The client device 14 stores the destination list data 22 in memory.

After that, as described with reference to FIG. 1, the client device 14 first accesses the web server 12 (step S103), and receives a login account LCN input request from the web server 12 (step S104). In response, the client device 14 executes the processes of steps S104-1 and S105a (account acquisition request step).

Specifically, the client device 14 determines whether or not the Web server 12 that has transmitted the login account LCN input request in step S104 is the application destination based on the application destination list data 22 obtained in step S102-1. (step S104-1). Then, when the client device 14 determines to be the application destination, the client device 14 transmits a login account LCN acquisition request including a one-time PW (OPW) generation request to the SSO authentication server 10 (step S105a). The login account LCN acquisition request also includes information on the authentication account ACN and information on the URI of the web server 12 . On the other hand, the client device 14 does not transmit the acquisition request to the SSO authentication server 10 when it is determined to be a non-application destination in step S104-1.

In response to the login account LCN acquisition request from the client device 14, the SSO authentication server 10 performs steps S201 and S202 (account determination step), step S203 (login DB update step), and step S106a (account acquisition response step). Specifically, the SSO authentication server 10 determines in step S201 whether the authentication account ACN included in the login account LCN acquisition request has been authenticated, that is, the authentication account ACN determined to be authenticated in step 101-1. Check whether or not

When the authentication account ACN has been authenticated in step S201, the SSO authentication server 10 generates a one-time PW (OPW), and creates a login PW (LPW) corresponding to the login ID (LID) obtained based on the authentication DB 21. , to the generated one-time PW (OPW) (step S202). For example, when the login account LCN acquisition request includes the information of the authentication account “ACN1” and the information of “URI1”, the SSO authentication server 10 sets the login PW (LPW) corresponding to the login ID “LID11” to Defined in the generated one-time PW ("OPW11").

Subsequently, the SSO authentication server 10 transmits a PW update command to the resource server 11, thereby updating the login DB 26 of the resource server 11 with the login ID (for example, "LID11") determined in step S202 and the one-time PW (for example, , "OPW11") (step S203). Specifically, the resource server 11 updates the login PW (LPW) corresponding to “LID11” in the login DB 26 to “OPW11”, for example, in response to a PW update command including “LID11” and “OPW11”. (step S204).

When the PW update is completed, the resource server 11 transmits a PW update completion notification to the SSO authentication server 10 (step S205). 1, the SSO authentication server 10 sends the login ID (LID) and the one-time PW (OPW) determined in step S202 to the client device 14 as an acquisition response to the acquisition request in step S105a. (step S106a). However, unlike the case of FIG. 1, the login PW (LPW) is a one-time PW (OPW).

Thereafter, as described with reference to FIG. 1, the client device 14 sends the login request including the login ID (LID) and the one-time PW (OPW) acquired in step S106a to the web as a response to the input request in step S104. It is transmitted to the server 12 (step S107 (login processing step)). In response, as shown in FIG. 3B, the web server 12 transmits a login determination request for the login account LCN including the login ID (LID) and the one-time PW (OPW) to the resource server 11 (step S108). ).

In response to the login determination request, the resource server 11 checks the login account LCN with the login DB 26 to determine login permission or login refusal (step S108-1). At this time, since the predetermined login PW (LPW) in the login DB 26 has already been updated with the one-time PW (OPW) in step S204, it is determined that login is permitted in step S108-1.

The resource server 11 transmits a login determination response representing login permission to the web server 12 (step S109). In response, the web server 12 also transmits a login response indicating login permission to the client device 14 (step S110). As a result, the client 16 and the client device 14 enter a login state and can use the services provided by the web server 12 (step S111).

Here, an expiration date is set in the one-time PW (OPW) generated in step S202. The SSO authentication server 10 invalidates the expired one-time PW (OPW) in steps S301 and S302 (PW invalidation step). Specifically, the SSO authentication server 10 monitors the expiration date of the one-time PW (OPW). Then, when the SSO authentication server 10 detects that the one-time PW (OPW) has expired (step S301), it transmits a PW invalidation command to the resource server 11 (step S302). PW (OPW) is invalidated on login DB26.

Specifically, the resource server 11, for example, in response to a PW invalidation instruction including the target login ID (LID) and one-time PW (OPW), login PW corresponding to the login ID (LID) in the login DB 26 (LPW) is invalidated (step S303). At this time, the PW invalidation instruction may be a PW update instruction similar to that in step S203. That is, when the resource server 11 does not have a function to invalidate the PW, in step S302 the SSO authentication server 10 generates a new one-time PW (OPW) and includes the new one-time PW (OPW). However, it is only necessary to send a PW update command to the resource server 11 .

In this way, when the one-time PW (OPW) expires, the one-time PW (OPW) is invalidated on the resource server 11, so that the one-time PW (OPW) expires. can be managed correctly. That is, for example, when the resource server 11 receives a login determination request including an expired one-time PW (OPW), it can determine that the login is rejected. This makes it possible to construct an environment in which login is not possible with an expired one-time PW (OPW).

As a result, for example, even if the login account LCN is illegally obtained by intercepting the login request in step S107 or the login determination request in step S108, the period during which login is possible with the login account LCN is limited to one time. Limited to the PW (OPW) expiration date. From this point of view, it is desirable that the expiration date of the one-time PW (OPW) is sufficiently short. Specifically, the validity period of the one-time PW (OPW) is at least the period from when the one-time PW (OPW) is generated in step S202 to when the resource server 11 performs login determination in step S108-1. Based on this period, it may be as short as several seconds to several tens of seconds.

When the client 16 transmits a logout request to the web server 12 in use via the client device 14 (step S401), the web server 12 transmits a logout response to the client device 14 (step S402). As a result, the login account LCN is logged out. As a result, the client 16 cannot use the service provided by the web server 12 via the client device 14 (step S403).

After that, when the client 16 accesses the web server 12 again, the process moves to step S103, and login to the web server 12 is performed using the newly generated one-time PW (OPW) in subsequent step S202. . Note that the logout from the Web server 12 is performed not only when a logout request is transmitted as in step S401, but also when the client 16 closes the Web browser, when the expiration date of the session or when the session management cookie is valid. It can also occur when the time limit has passed.

As described above, when the SSO authentication server 10 receives an authentication request for the authentication account ACN for SSO from the client device 14 and determines that authentication is permitted, the SSO authentication server 10 cooperates with the client device 14 and the resource server 11 to perform one-time Implement SSO using PW (OPW). Schematically, the client device 14 transmits a one-time PW (OPW) generation request to the SSO authentication server 10 in response to a login account LCN input request from the web server 12 (steps S104, S105a). The client device 14 then transmits the one-time PW (OPW) acquired from the SSO authentication server 10 to the web server 12 (steps S106a, S107).

On the other hand, the SSO authentication server 10 generates a one-time PW (OPW) in response to the one-time PW (OPW) generation request from the client device 14 (steps S105a, S202). Then, the SSO authentication server 10 updates the login PW (LPW) registered in the login DB 26 of the resource server 11 with the generated one-time PW (OPW) (step S203), and transmits the generated one-time PW (OPW) to the client It is transmitted to the device 14 (step S106a).

By providing such a one-time PW (OPW) mechanism, it becomes possible to improve security. Specifically, by such a one-time PW (OPW) mechanism, the login PW (LPW) is successively changed at least each time the user logs into the Web server 12 . Therefore, even if the login PW (LPW) is leaked, the period during which the login PW (LPW) can be used is limited.

Furthermore, when the one-time PW (OPW) generated in step S202 expires, the SSO authentication server 10 stores the expired one-time PW (OPW) on the login DB 26 of the resource server 11. Invalidate (steps S301 and S302). In this way, by correctly managing the expiration date of the one-time PW (OPW), even if the login PW (LPW) is leaked, the period during which the login PW (LPW) can be used is shortened. is limited to , a further improvement in security can be realized.

As shown in FIG. 1, when a plurality of web servers 12[1] and 12[2] are provided, each time each web server is accessed for the first time, the processing after step S103 is performed. become. Along with this, the resource server 11 updates the login PW (LPW) corresponding to "URI1" on the login DB 26 with a one-time PW (OPW) when the Web server 12[1] is accessed for the first time. (step S204). Similarly, when the Web server 12[2] is accessed for the first time, the resource server 11 updates the login PW (LPW) corresponding to "URI2" on the login DB 26 with a one-time PW (OPW). (Step S204).

However, the web server 12[1] and the web server 12[2] may use a common login account LCN, that is, a common login ID (LID) and login PW (LPW). For example, assume that the client device 14 accesses the web server 12[2] for the first time while logging in to the web server 12[1] using the common login account LCN. In this case, login to the Web server 12[2] is permitted after the common login PW (LPW) is updated with the one-time PW (OPW). On the other hand, the state of being logged in to the Web server 12[1] is maintained, for example, until the expiration of the session with respect to the Web server 12[1].

<Details of the client device>
FIG. 4 is a schematic diagram showing a configuration example of the main part of the client device in FIG. The client device 14 shown in FIG. 4 includes, for example, an input device 30, a display device 31, a processor 32, a network interface (network IF) 33, a memory 34, and the like. The input device 30 is a keyboard, mouse or the like, and the display device 31 is a liquid crystal display or the like. The network IF 33 is an Ethernet (registered trademark) network card or the like, and includes a connector to the L2 switch 13 .

The memory 34 is composed of a combination of RAM (Random Access Memory), ROM (Read Only Memory), HDD (Hard Disk Drive), SSD (Solid State Drive), and the like. It holds the processing program 37 and the like. The processor 32 functions as an SSO processing unit, which will be described later, by executing the SSO processing program 37 held in the memory 34 .

FIG. 5 is a schematic diagram showing a configuration example of an SSO processing unit implemented by a processor executing an SSO processing program in the client device shown in FIG. The SSO processing unit 37 a shown in FIG. 5 includes an authentication requesting unit 45 , a login processing unit 46 , and a login account acquisition requesting unit 47 . Of these, the login processing unit 46 and the login account acquisition request unit 47 are implemented by, for example, add-on programs that perform add-on functions (also called plug-in functions or extension functions) for the web browser 36 shown in FIG.

The authentication requesting unit 45 is mainly responsible for processing related to steps S101, S102, and S102-1 in FIG. 3A. Specifically, the authentication requesting unit 45 transmits an authentication request to the SSO authentication server 10 in response to the input of the authentication account ACN for SSO from the client 16 . Also, the authentication requesting unit 45 receives an authentication response from the SSO authentication server 10 . Furthermore, the authentication requesting unit 45 also receives the destination list data 22 when it receives an authentication response representing authentication permission from the SSO authentication server 10 . The authentication requesting unit 45 stores the received destination list data 22 in the memory 34 .

The login processing unit 46 is mainly responsible for processing related to steps S104 and S107 in FIG. 3A. Specifically, the login processing unit 46 causes the login account acquisition request unit 47 to acquire the login account LCN in response to the login account LCN input request from the web server 12 . Then, the login processing unit 46 transmits to the web server 12 a login request including the login account LCN acquired by the login account acquisition request unit 47, that is, the login ID (LID) and the one-time PW (OPW).

The login account acquisition requesting unit 47 is mainly responsible for processing related to S104-1, S105a, and S106a in FIG. 3A. Specifically, the login account acquisition request unit 47 sends a one-time PW (OPW ) is transmitted.

Also, at this time, the login account acquisition request unit 47 determines whether or not the Web server 12 that has transmitted the input request for the login account LCN is the application destination based on the application destination list data 22 held in the memory 34 . judge. Then, the login account acquisition request unit 47 transmits an acquisition request for the login account LCN to the SSO authentication server 10 when it is determined to be an application destination, and transmits the acquisition request when it is determined to be a non-application destination. The login processing unit 46 is notified to that effect. The login account acquisition request unit 47 acquires the login ID (LID) and the one-time PW (OPW) from the acquisition response from the SSO authentication server 10 when the login account LCN acquisition request is transmitted.

<Details of SSO authentication server>
FIG. 6 is a schematic diagram showing a configuration example of the main part of the SSO authentication server in FIG. FIG. 7 is a schematic diagram showing a configuration example of the authentication database in FIG. The SSO authentication server 10 shown in FIG. 6 includes, for example, an authentication determination unit 50, a login account acquisition response unit 51, a login account A determination unit 52 and a login DB update instruction unit 53 are provided.

The authentication determination unit 50 is mainly responsible for processing steps S101, S101-1, S102, and S102-1 in FIG. 3A. Specifically, the authentication determination unit 50 receives an authentication request for the authentication account ACN for SSO from the client device 14 and determines authentication permission or authentication refusal based on the authentication DB 21 a held in the memory 20 . The authentication determination unit 50 then transmits an authentication response including the authentication determination result to the client device 14 . Further, when the authentication determination unit 50 determines that the authentication is permitted, the authentication determination unit 50 transmits the destination list data 22 held in the memory 20 to the client device 14 .

The login account acquisition response unit 51 is mainly responsible for the processing of steps S105a and S106a in FIG. 3A. Specifically, the login account acquisition response unit 51 causes the login account determination unit 52 to determine the login account LCN in response to the login account LCN acquisition request from the client device 14 . In addition, the login account acquisition response unit 51 sends the login account LCN determined by the login account determination unit 52, that is, the login ID (LID) and the one-time PW (OPW) to the client device as an acquisition response to the login account LCN acquisition request. 14.

The login account determining unit 52 is mainly responsible for the processing of steps S201 and S202 in FIG. 3A. Specifically, in response to a login account LCN acquisition request from the client device 14, more specifically, a notification from the login account acquisition response unit 51, the login account determination unit 52 determines that the authentication account ACN included in the acquisition request is Whether or not the user has been authenticated is confirmed based on, for example, the authentication DB 21a.

The authentication DB 21a has a configuration as shown in FIG. 7, for example. The authentication DB 21a shown in FIG. 7 differs from the authentication DB 21 shown in FIG. 1 in the following three points. As a first point of difference, for example, an expiration date 23a is provided for each authentication account ACN. The validity period 23a is set by the authentication determination unit 50, for example, when the authentication determination unit 50 determines that the authentication is permitted. If the expiration date 23a is not set, it means that the authentication account ACN has not been authenticated, that is, has not been determined to be authenticated.

A second difference is that the login PW (LPW) is a one-time PW (OPW). In this example, the login PW (LPW) corresponding to "URI1" is "OPW11", and the login PW (LPW) corresponding to "URI2" is "OPW12". As a third point of difference, an expiration date 23b is set for each one-time PW (OPW).

Returning to FIG. 6, the login account determining unit 52 checks whether or not the authentication account ACN included in the acquisition request for the login account LCN has been authenticated, for example, based on the expiration date 23a of the authentication DB 21a. The login account determination unit 52 also includes a one-time PW generation unit 55 . In response to a login account LCN acquisition request from the client device 14, the login account determination unit 52 uses the one-time PW generation unit 55 to generate a one-time account if the authentication account ACN included in the acquisition request has been authenticated. Generate time PW (OPW).

Further, the login account determining unit 52 refers to the authentication DB 21a using the information of the authentication account ACN and the information of the URI of the web server 12 included in the acquisition request for the login account LCN. Then, the login account determination unit 52 sets the login PW (LPW) corresponding to the login ID (LID) obtained based on the authentication DB 21a to the one-time PW (OPW) generated by the one-time PW generation unit 55. Determine the login account LCN. The login account determination unit 52 registers the generated one-time PW (OPW) in the authentication DB 21a and also sets the expiration date 23b.

The login account determination unit 52 then transmits the determined login account LCN to the login DB update instruction unit 53 and the login account acquisition response unit 51 . Although illustration is omitted, transmission to the login account acquisition response unit 51 is performed after receiving the PW update completion notification in step S205, as shown in FIG. 3A, for example. Alternatively, the login account acquisition response unit 51 waits for the transmission of the login account LCN acquisition response until receiving the PW update completion notification.

The login DB update instruction unit 53 is mainly responsible for processing steps S203 and S205 in FIG. 3A and steps S301 and S302 in FIG. 3B. Specifically, the login DB update instruction unit 53 includes an update instruction transmission unit 56 and an invalidation instruction transmission unit 57 . The update command transmission unit 56 transmits a PW update command including the login account LCN from the login account determination unit 52 to the resource server 11 .

The update command transmission unit 56 updates the login DB 26 of the resource server 11 with the login ID (LID) and the one-time PW (OPW) determined by the login account determination unit 52 by transmitting the PW update command. Although not shown, the update command transmission unit 56 receives a PW update completion notification from the resource server 11 in response to the PW update command.

The invalidation command transmission unit 57 monitors the expiration date of the one-time PW (OPW) determined by the login account determination unit 52 based on the expiration date 23b in the authentication DB 21a shown in FIG. Then, when the expiration of the expiration date is detected, the invalidation command transmission unit 57 transmits a PW invalidation command including the expired one-time PW (OPW) and the corresponding login ID (LID) to the resource server 11. do. As a result, the invalidation command transmission unit 57 invalidates the expired one-time PW (OPW) on the login DB 26 . As described above, the invalidation command transmission unit 57 transmits a PW update command including the new one-time PW (OPW) generated by the one-time PW generation unit 55 as one of the PW invalidation commands. good too.

<Regarding authentication account for SSO>
Since the SSO authentication server 10 normally has high security, interception of the authentication account ACN for SSO is unlikely to occur, for example, at the time of the authentication request (step S101) in FIG. 3A. However, if a key logger is set up for the input device 30 of the client device 14, the authentication account ACN may be leaked. Therefore, as a countermeasure against key loggers, the authentication account ACN for SSO is not limited to the authentication ID and authentication PW, and may be biometric authentication or the like. Also, the SSO authentication server 10 may apply, for example, a one-time PW (OPW) based on a challenge-response method to the authentication PW.

<Main effects of the embodiment>
As described above, when the method of the embodiment is used, the cooperation between the SSO authentication server 10 and the client device 14 makes it possible to realize single sign-on with high security. Also, by causing the SSO authentication server 10 to generate a one-time PW (OPW) and linking the SSO authentication server 10 and the resource server 11, it is possible to apply the one-time PW (OPW) to login to the server device. become. Furthermore, by correctly managing the validity period of the one-time PW (OPW), in addition to resistance to communication interception, resistance to key loggers can also be obtained. As a result, improved security becomes feasible.

Although the invention made by the present inventor has been specifically described based on the embodiment, the invention is not limited to the embodiment, and can be variously modified without departing from the gist of the invention. For example, the embodiments described above have been described in detail in order to explain the present invention in an easy-to-understand manner, and are not necessarily limited to those having all the configurations described. Also, part of the configuration of one embodiment can be replaced with the configuration of another embodiment, and the configuration of another embodiment can be added to the configuration of one embodiment. . Moreover, it is possible to add, delete, or replace a part of the configuration of each embodiment with another configuration.

For example, the various programs described above may be stored in a non-temporary tangible computer-readable recording medium and then supplied to the computer device. Examples of such recording media include magnetic recording media such as hard disk drives, optical recording media such as DVDs (Digital Versatile Discs) and Blu-ray discs, and semiconductor memories such as flash memories. be done.

10... SSO authentication server, 11... resource server, 12... Web server (server device), 13... L2 switch, 14... client device, 15... network, 16... client, 18... login account input screen, 20, 25, 34 Memory 21, 21a Authentication DB 22 Application list data 23a, 23b Expiration date 26 Login DB 30 Input device 31 Display device 32 Processor 33 Network interface 35 OS 36 Web browser 37 SSO processing program 37a SSO processing unit 45 Authentication request unit 46 Login processing unit 47 Login account acquisition request unit 50 Authentication determination unit 51 Login account acquisition Response unit 52 Login account determination unit 53 Login DB update instruction unit 55 One-time PW generation unit 56 Update instruction transmission unit 57 Invalidation instruction transmission unit ACN Authentication account LCN Login account LID: login ID, LPW: login password, OPW: one-time password

Claims (9)

a client device used by a client;
a server device that provides a predetermined service to the client when a login account including a login password permits login;
A login database in which the login account that permits login to the server device is registered is held, and login is performed by checking the login database in response to a login determination request including the login account from the server device. a resource server that determines permission or login denial;
a single sign-on authentication server that realizes single sign-on in cooperation with the client device and the resource server when an authentication request for an authentication account for single sign-on is received from the client device and authentication is determined to be permitted;
has
The client device transmits a one-time password generation request to the single sign-on authentication server in response to the login account input request from the server device, and the one-time password acquired from the single sign-on authentication server. sending a password to the server device as the login password;
The single sign-on authentication server generates the one-time password in response to the one-time password generation request from the client device, and registers the generated one-time password in the login database of the resource server. updating the generated login password and transmitting the generated one-time password to the client device;
network system. The network system according to claim 1,
The login account includes the login password and login ID,
The client device
transmitting a login account acquisition request including the one-time password generation request to the single sign-on authentication server in response to the login account input request from the server device, and performing the single sign-on authentication a login account acquisition request unit that acquires the login ID and the one-time password from a server;
a login processing unit that transmits a login request including the login ID and the one-time password acquired by the login account acquisition request unit to the server device as a response to the login account input request from the server device; ,
with
The single sign-on authentication server,
a memory holding an authentication database representing a correspondence relationship between the authentication account that permits single sign-on authentication and the login ID to the server device;
an authentication determination unit that determines whether the authentication is permitted or rejected based on the authentication database in response to the authentication request for the authentication account from the client device;
generating the one-time password in response to the acquisition request for the login account from the client device, and replacing the login password corresponding to the login ID obtained based on the authentication database with the generated one-time password a login account determining unit that determines the login account by determining;
a login database update instruction unit that updates the login database of the resource server with the login ID and the one-time password determined by the login account determination unit by transmitting a password update instruction to the resource server;
a login account acquisition response unit that transmits the login ID and the one-time password determined by the login account determination unit to the client device as an acquisition response to the acquisition request for the login account;
comprising
network system. In the network system according to claim 2,
The single sign-on authentication server holds application destination list data that defines the URI (Uniform Resource Identifier) of the server device to which single sign-on is applied, and responds to the authentication request for the authentication account from the client device If it is determined that the authentication is permitted according to the above, the destination list data is transmitted to the client device,
The login account acquisition request unit of the client device determines whether or not the server device that has transmitted the input request for the login account is an application destination based on the application destination list data, and determines that it is an application destination. In this case, the acquisition request for the login account is transmitted to the single sign-on authentication server, and if it is determined to be a non-applicable destination, the acquisition request for the login account is not transmitted.
network system. In the network system according to claim 2,
The login database update instruction unit of the single sign-on authentication server monitors the expiration date of the one-time password determined by the login account determination unit, and if the expiration date is detected, the password is invalidated by the resource server. invalidate the expired one-time password on the login database by sending an instruction;
network system. In the network system according to claim 2,
The server device is a web server capable of executing HTTP (Hypertext Transfer Protocol) protocol processing,
The login account acquisition request unit and the login processing unit of the client device are realized by an add-on program of the web browser of the client device,
network system. a client device used by a client;
a server device that provides a predetermined service to the client when a login account including a login ID and a login password permits login;
A login database in which the login account that permits login to the server device is registered is held, and login is performed by checking the login database in response to a login determination request including the login account from the server device. a resource server that determines permission or login denial;
holding an authentication database representing a correspondence relationship between an authentication account that permits single sign-on authentication and the login ID to the server device, and based on the authentication database in response to an authentication request for the authentication account from the client device a single sign-on authentication server that determines authentication permission or authentication refusal, and realizes single sign-on in cooperation with the client device and the resource server when it is determined that the authentication is permitted;
A single sign-on processing method in a network system comprising:
an authentication step in which the client device authenticates the authentication account with the single sign-on authentication server;
an account acquisition request step in which the client device transmits a login account acquisition request including a one-time password generation request to the single sign-on authentication server in response to the login account input request from the server device; and,
The single sign-on authentication server generates a one-time password in response to the acquisition request for the login account, and generates the login password corresponding to the login ID obtained based on the authentication database. an account determination step set forth in
A login in which the single sign-on authentication server sends a password update command to the resource server to update the login database of the resource server with the login ID and the one-time password determined in the account determination step. a database update step;
an account acquisition response step in which the single sign-on authentication server transmits the login ID and the one-time password determined in the account determination step to the client device as an acquisition response to the account acquisition request step of the login account; ,
The client device transmits a login request including the login ID and the one-time password acquired in the account acquisition response step to the server device as a response to the login account input request from the server device. a login processing step;
How to handle single sign-on. The single sign-on processing method according to claim 6,
The single sign-on authentication server holds application destination list data defining URIs (Uniform Resource Identifiers) of the server devices to which single sign-on is applied, and in the authentication step, the authentication request from the client device. if it is determined that the authentication is permitted according to the above, the destination list data is transmitted to the client device,
In the account acquisition request step, the client device determines whether or not the server device that has transmitted the input request for the login account is an application destination based on the application destination list data, and determines that the application destination is In this case, the acquisition request for the login account is transmitted to the single sign-on authentication server, and if it is determined to be a non-applicable destination, the acquisition request for the login account is not transmitted.
How to handle single sign-on. The single sign-on processing method according to claim 6,
The single sign-on authentication server monitors the expiration date of the one-time password determined in the account determination step, and when the expiration date is detected, sends a password invalidation instruction to the resource server. further comprising a password invalidation step of invalidating the expired one-time password on the login database;
How to handle single sign-on. The single sign-on processing method according to claim 8,
The expiration date of the one-time password is the period required from the generation of the one-time password in the account determination step until the resource server determines the login permission or the login refusal according to the login processing step. determined based on
How to handle single sign-on.

Images