JP4551369B2 - Service system and service system control method - Google Patents

Info

Publication number: JP4551369B2
Authority: JP (Japan)
Prior art keywords: user, service provider, information, user authentication, service
Legal status: Active
Application number: JP2006188493A
Other languages: Japanese (ja)
Other versions: JP2008015936A (en)
Inventors: 哲志 八木, 健一 大戸, 裕彦 黒川
Original Assignee: 日本電信電話株式会社
Application filed by 日本電信電話株式会社; priority to JP2006188493A; published as JP2008015936A; granted and published as JP4551369B2.

Description

  The present invention relates to a service system, and a control method for it, in which a network operator device that controls network connection by a user device and a service provider device that controls site access by the user device are connected via a network.

  With the spread of the Internet and higher line speeds, service providers (SP: Service Provider) have come to offer users various application services (e-mail, music content, video content, shopping, auctions, etc.). Before a service provider can provide such application services to a user, the user must first have been registered by a network operator. Here, a network operator is, for example, an operator that provides an access service over a fixed network such as xDSL (x Digital Subscriber Line) or optical fiber, an operator that provides an access service over a wireless local area network (LAN), or an ISP (Internet Services Provider) that provides an access service to the Internet.

  To describe the user registration performed by the network operator in more detail: it is usual for the network operator to obtain user information (for example, the user's name, address, credit card number, etc.) from the user, verify the user's identity against an identification document, register the user, and then issue a user account and password. Once user registration is complete in this way, the network operator enables the user to use a network such as the Internet by performing user authentication of the account and password transmitted from the user.

  Next, for the service provider to provide the user with various application services, the user must already have completed user registration with the network operator as described above and be able to use a network such as the Internet, and in addition the service provider must perform user registration (or user authentication) of the user. In the user registration performed by the service provider, the service provider obtains user information (for example, the user's name, address, credit card number, etc.) from the user online and performs user registration based on the user information so obtained.

  For example, Patent Document 1 discloses a method in which an authentication server acting as a third-party certification organization separate from the service provider performs user registration (or user authentication) and provides the result to the service provider, which then provides various application services to the user.

Patent Document 1: JP 2004-355073 A

  However, the conventional technology described above has the problem that highly reliable site access control (for example, user registration, user authentication, etc.) cannot be realized in the service provider device, for the following reason. Regarding user registration at a service provider, which is one form of site access control, neither the service provider device nor the authentication server acting as a third-party certification body performs user registration after verifying the user's identity on the basis of user information presented offline by the user together with identification such as a driver's license, so highly reliable user registration cannot be realized.

  Accordingly, the present invention has been made to solve the above problems of the prior art, and its object is to provide a service system and a service system control method capable of realizing highly reliable site access control in a service provider device.

To solve the above problems and achieve this object, the present invention is a service system in which a network operator device that controls network connection by a user device and a service provider device that controls site access by the user device are connected via a network. The network operator device comprises: user information storage means for storing user information relating to the user of a user device permitted to connect to the network, in association with line information relating to the line to which the user device is connected; line information acquisition means for acquiring line information relating to the line to which the user device is connected when a user authentication request requesting user authentication of the user device is received from the service provider device by redirect communication via the user device; and user authentication result transmitting means for acquiring from the user information storage means the user information associated with the line information acquired by the line information acquisition means, performing user authentication using that user information, and transmitting the resulting user authentication result to the service provider device by redirect communication via the user device. The service provider device comprises: user authentication request transmitting means for transmitting, when a site access request is accepted from the user device, a user authentication request requesting user authentication of the user device to the network operator device by redirect communication via the user device; and access control means for controlling the site access using the user authentication result when the user authentication result of the user device is received from the network operator device by redirect communication via the user device.

Further, in the above invention, the user authentication result transmitting means transmits to the service provider device a user authentication result obtained by performing user authentication using the line information in addition to the user information.

Further, in the above invention, the user authentication request transmitting means transmits the user authentication request requesting user authentication of the user device together with a contract management request requesting management of the contract between the user device and the service provider device, and when the contract management request is received from the service provider device, the user information storage means stores contract information relating to the contract between the user device and the service provider device in association with the user information.

Further, in the above invention, the user authentication result transmitting means transmits to the service provider device, in addition to the user authentication result, expiration date information indicating the expiration date of the user authentication result, and when the access control means receives the expiration date information in addition to the user authentication result from the network operator device, it controls the site access using the user authentication result on the condition that the expiration date indicated by the expiration date information has not yet passed.

Further, in the above invention, the user authentication result transmitting means transmits to the service provider device an electronic signature made by the network operator device in addition to the user authentication result, and when the access control means receives the electronic signature in addition to the user authentication result from the network operator device, it controls the site access using the user authentication result on the condition that the electronic signature is valid.

Further, in the above invention, when the user authentication result transmitting means receives from the service provider device an electronic signature made by the service provider device in addition to the user authentication request, it transmits the user authentication result to the service provider device on the condition that the electronic signature is valid, and the user authentication request transmitting means transmits that electronic signature to the network operator device in addition to the user authentication request.

The present invention is also a control method for a service system in which a network operator device that controls network connection by a user device and a service provider device that controls site access by the user device are connected via a network. In this service system control method, the network operator device performs: a user information storage step of storing user information relating to the user of a user device permitted to connect to the network, in association with line information relating to the line to which the user device is connected; a line information acquisition step of acquiring line information relating to the line to which the user device is connected when a user authentication request requesting user authentication of the user device is received from the service provider device by redirect communication via the user device; and a user authentication result transmitting step of acquiring the user information stored in association with the line information acquired in the line information acquisition step, performing user authentication using that user information, and transmitting the resulting user authentication result to the service provider device by redirect communication via the user device. The service provider device performs: a user authentication request transmitting step of transmitting, when a site access request is accepted from the user device, a user authentication request requesting user authentication of the user device to the network operator device by redirect communication via the user device; and an access control step of controlling the site access using the user authentication result when the user authentication result of the user device is received from the network operator device by redirect communication via the user device.

According to the present invention, the network operator device stores user information relating to the user of a user device permitted to connect to the network in association with line information relating to the line to which the user device is connected; when it receives, by redirect communication via the user device, a user authentication request requesting user authentication of the user device, it acquires line information relating to the line to which the user device is connected, acquires the user information associated with that line information, performs user authentication using the user information, and transmits the user authentication result by redirect communication via the user device. The service provider device, when it accepts a site access request from the user device, transmits a user authentication request requesting user authentication of the user device to the network operator device by redirect communication via the user device, and when it receives the user authentication result of the user device from the network operator device by redirect communication via the user device, it controls the site access using that result. Highly reliable site access control can therefore be realized in the service provider device.

  Further, because the authentication processing is performed by the network operator device, the service provider device need not perform it, and the processing load on the service provider device is reduced. Furthermore, since the service provider device need not manage user information (for example, contract information), the cost and processing load of user information management in the service provider device can be reduced.

Further, according to the present invention, the user authentication result obtained by performing user authentication using the line information in addition to the user information is transmitted to the service provider device, so that, compared with a technique that controls site access using only the user information, more reliable site access control can be realized in the service provider device.

  In other words, the location at which the user device is connected and its line speed can be identified from the line information relating to the line to which the user device is connected. The service provider device can therefore, for example, permit or reject site access according to the location and line speed at which the user device is connected, or select the service to be provided according to them, which realizes highly reliable site access control. Specifically, when the network connection location identified by the line information is somewhere other than "home", provision of the auction service is not permitted, and when the line speed identified by the line information is high, a high-resolution video content service can be provided.

In addition, according to the present invention, the user authentication request requesting user authentication of the user device is transmitted together with a contract management request requesting management of the contract between the user device and the service provider device, and when the contract management request is received from the service provider device, contract information relating to the contract between the user device and the service provider device is stored in association with the user information. The processing load on the service provider device can therefore be reduced further, as can the cost and processing load of user information management in the service provider device.

According to the present invention, expiration date information indicating the expiration date of the user authentication result is transmitted to the service provider device in addition to the user authentication result, and when the expiration date information is received from the network operator device in addition to the user authentication result, the site access is controlled using the user authentication result on the condition that the expiration date indicated by the expiration date information has not yet passed. Compared with a method that transmits the user information to the service provider device without expiration date information, highly reliable site access control can therefore be realized safely in the service provider device.

  That is, with a method in which no expiration date information is transmitted when the user information is sent to the service provider device, there is a risk that, for example, a user device might illicitly obtain the user information or other control information in the redirect communication that passes through it, and that a user device which has obtained such information illicitly might then access the site illicitly. By transmitting expiration date information (for example, an expiration date set on the order of several seconds or several tens of seconds), this risk is avoided, so highly reliable site access control can be realized safely in the service provider device.

Further, according to the present invention, an electronic signature made by the network operator device is transmitted to the service provider device in addition to the user authentication result, and when the electronic signature is received from the network operator device in addition to the user authentication result, the site access is controlled using the user authentication result on the condition that the electronic signature is valid. Compared with the case where the network operator device does not transmit an electronic signature together with the user authentication result, highly reliable site access control can therefore be realized more securely in the service provider device. For example, if no electronic signature is transmitted, it cannot be determined whether a received user authentication result was really transmitted by a legitimate network operator device; if an electronic signature is transmitted, this can be determined.

Further, according to the present invention, when an electronic signature made by the service provider device is received from the service provider device in addition to the user authentication request, the user authentication result is transmitted to the service provider device on the condition that the electronic signature is valid, and the service provider device transmits the electronic signature to the network operator device in addition to the user authentication request. Compared with the case where the service provider device does not transmit an electronic signature together with the user authentication request, highly reliable site access control can therefore be realized more securely in the service provider device. For example, if no electronic signature is transmitted, it cannot be determined whether a received request was really a user authentication request transmitted by a legitimate service provider device; if an electronic signature is transmitted, this can be determined.
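The expiration and mutual-signature checks of the preceding paragraphs, as an added example that is not part of the patent or of any implementation by its assignee: the service provider signs its user authentication request, the network operator verifies that signature before answering, signs the result and attaches an expiration time, and the service provider accepts the result only if the network operator's signature verifies, the request identifier matches the request it issued, and the expiration has not passed. Ed25519 key pairs stand in for the electronic certificates the description mentions; the message fields, identifiers and function names are this example's own assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Envelope carries a JSON payload plus the sender's electronic signature over it.
// The layout is this example's own choice, not the patent's.
type Envelope struct {
	Payload   []byte `json:"payload"`
	Signature []byte `json:"signature"`
}

// AuthRequest is the service provider's user authentication request (signed by the SP).
type AuthRequest struct {
	RequestID string `json:"request_id"` // fresh per site access request
	ServiceID string `json:"service_id"`
}

// AuthResult is the network operator's user authentication result (signed by the NO).
type AuthResult struct {
	RequestID string `json:"request_id"` // echoes the request it answers
	Result    string `json:"result"`     // "pass" or "reject"
	ExpiresAt int64  `json:"expires_at"` // expiration date information, Unix seconds
}

// sealEnvelope marshals v and signs the bytes with the sender's private key.
func sealEnvelope(priv ed25519.PrivateKey, v any) (Envelope, error) {
	payload, err := json.Marshal(v)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// openEnvelope verifies the signature under the peer's public key, held in
// advance through the trust relationship, before parsing anything.
func openEnvelope(pub ed25519.PublicKey, env Envelope, v any) error {
	if !ed25519.Verify(pub, env.Payload, env.Signature) {
		return errors.New("electronic signature invalid")
	}
	return json.Unmarshal(env.Payload, v)
}

// spBuildRequest: the service provider signs its user authentication request.
func spBuildRequest(spPriv ed25519.PrivateKey, requestID, serviceID string) (Envelope, error) {
	return sealEnvelope(spPriv, AuthRequest{RequestID: requestID, ServiceID: serviceID})
}

// noHandleRequest: the network operator answers only requests carrying a valid SP
// signature, and sets an expiry a few tens of seconds ahead so that a result
// captured while passing through the user device cannot be reused later.
func noHandleRequest(spPub ed25519.PublicKey, noPriv ed25519.PrivateKey, req Envelope,
	result string, now time.Time, ttl time.Duration) (Envelope, error) {
	var ar AuthRequest
	if err := openEnvelope(spPub, req, &ar); err != nil {
		return Envelope{}, fmt.Errorf("rejecting request: %w", err)
	}
	return sealEnvelope(noPriv, AuthResult{RequestID: ar.RequestID, Result: result, ExpiresAt: now.Add(ttl).Unix()})
}

// spVerifyResult: the service provider accepts a result only if the NO signature
// is valid, it answers the request this SP actually issued, and it has not expired.
func spVerifyResult(noPub ed25519.PublicKey, res Envelope, expectedRequestID string, now time.Time) (AuthResult, error) {
	var ar AuthResult
	if err := openEnvelope(noPub, res, &ar); err != nil {
		return AuthResult{}, err
	}
	if ar.RequestID != expectedRequestID {
		return AuthResult{}, errors.New("result does not answer our request")
	}
	if now.Unix() > ar.ExpiresAt {
		return AuthResult{}, errors.New("user authentication result expired")
	}
	return ar, nil
}

func main() {
	// Constructed keys standing in for the certificates each side holds for the other.
	spPub, spPriv, _ := ed25519.GenerateKey(rand.Reader)
	noPub, noPriv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()

	req, _ := spBuildRequest(spPriv, "req-0001", "video")
	res, _ := noHandleRequest(spPub, noPriv, req, "pass", now, 30*time.Second)
	ar, err := spVerifyResult(noPub, res, "req-0001", now.Add(5*time.Second))
	fmt.Println("fresh result:", ar.Result, err)
	_, err = spVerifyResult(noPub, res, "req-0001", now.Add(2*time.Minute))
	fmt.Println("same result presented after expiry:", err)
}
```

The request identifier inside the signed result is what binds a result to one site access request: a result intercepted on the user device cannot be presented for a different request, and the short expiry limits how long a captured result stays usable at all. Both checks run only after the signature has verified, so an unsigned or re-signed message is rejected before its contents are read.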

  Embodiments of the service system according to the present invention are described below in detail with reference to the accompanying drawings. The main terms used in the embodiments, the outline and features of the service system according to the first embodiment, its configuration and processing procedure, and the effects of the first embodiment are described in that order, followed by other embodiments.

[Explanation of terms]
First, the main terms used in the following embodiments are explained. A "user device" is a device such as a personal computer or a mobile phone operated by a user. Specifically, a "user device" connects to a network such as the Internet and provides the user with various application services (for example, e-mail, music content, video content, shopping, auctions, etc.) published on the network, by receiving information for those services from other computers on the network and outputting it to a monitor, speaker or the like, or by sending information entered by the user to other computers on the network.

  For this "user device" to exchange information for various application services with other computers on the network, its network connection must be controlled by a "network operator device" and its site access must be controlled by a "service provider device".

  More specifically, a "network operator device" is a device such as a general-purpose computer operated by a network operator. A network operator is an operator that provides a "user device" operated by a registered user with a line for connecting to a network such as the Internet: for example, an operator that provides an access service over a fixed network such as xDSL (x Digital Subscriber Line) or optical fiber, an operator that provides an access service over a wireless local area network (LAN), or a provider (ISP: Internet Services Provider) that provides an access service to the Internet. A "user device" is first registered as a user with the "network operator device" operated by a network operator, and is then able to connect to a network such as the Internet because its network connection is controlled by that device (that is, it is permitted to connect to a line leading to a network such as the Internet). There are many network operators on the network and therefore many "network operator devices"; a "user device" connects to a network such as the Internet by having its network connection controlled by any one of these "network operator devices".

  A "user device" that has been enabled to connect to a network such as the Internet by network connection control by a "network operator device" must next undergo user registration (or user authentication) at a "service provider device" in order to receive various application services. A "service provider device" is a device such as a general-purpose computer operated by a service provider. A service provider is a provider that offers various application services to a "user device" operated by a registered (or authenticated) user: for example, a provider of e-mail, music content, video content, shopping, auctions and the like over the network. A "user device" becomes able to receive various application services by being registered (or authenticated) at the "service provider device" operated by a service provider and having its site access controlled by it. As with "network operator devices", there are many service providers on the network and therefore many "service provider devices"; a "user device" receives any given application service by having its site access controlled by the corresponding "service provider device".

  Here, "site access" is a general term covering, for example: user registration performed by a "service provider device" when a "user device" operated by a user who is not yet registered connects to it; provision of an application service to a "user device" on the basis of user authentication when a "user device" operated by an already registered user connects; and provision of an application service to a "user device" on the basis of one-time user authentication, without user registration, when a "user device" operated by a user who is not registered connects. The content of the control applied to "site access" varies with the type of application service the "service provider device" provides and with the usage situation.

  A system in which a "network operator device" controls network connection by a "user device" and a "service provider device" controls site access by the "user device" is referred to as a "service system". A "service system" faces various threats such as impersonation and misuse of credit card numbers. For this reason, how to achieve highly reliable site access control is particularly important in a "service system".

[Outline and Features of Service System According to Embodiment 1]
Next, the outline and features of the service system according to the first embodiment are described with reference to FIG. 1, which is a diagram explaining them. In the following embodiment, a configuration is described in which network connection by one "user device" is controlled by one "network operator device" and site access by that "user device" is controlled by one "service provider device". The present invention is not limited to this and applies equally to a configuration in which one or more "network operator devices" control network connection by one or more "user devices" and one or more "service provider devices" control site access by one or more "user devices". It is also assumed that the service provider device according to the first embodiment provides a single application service.

  As described above, in the service system according to the first embodiment the network operator device that controls network connection by the user device and the service provider device that controls site access by the user device are connected via a network, and its main feature is that it realizes highly reliable site access control in the service provider device.

  To outline this main feature: it is assumed that the network operator device of the first embodiment has already registered the user of the user device and permitted the user device's network connection. That is, as shown in FIG. 1, the network operator device stores user information (for example, the contractor's name, address, credit card number, etc.) about the user of the user device permitted to connect to the network in a user management database unit (user management DB), in association with line information (for example, line identifier, line accommodation position, line type, line speed, etc.) about the line to which the user device is connected. In FIG. 1, for example, the user information for user account AAA ("AAA user information") is stored in the user management DB in association with the corresponding line information ("AAA line information").

  On the other hand, it is assumed that the service provider device of the first embodiment has not registered the user of the user device, so that the user device cannot yet receive the application service it provides. In the first embodiment, the application service provided by the service provider device is of a type that can be offered by "single sign-on", allowing temporary use without creating a user account; the present invention is not limited to this, however, and also applies to application services that can be used permanently after user registration.

  Further, it is assumed that the network operator device and the service provider device of the first embodiment have agreed in advance that "the network operator device performs user authentication on behalf of the service provider device", and that a trust relationship has been established between them in advance. That is, the network operator device manages public key information (such as the electronic certificate of the service provider device) for verifying that an electronic signature made by the service provider device is valid, and the service provider device manages public key information (such as the electronic certificate of the network operator device) for verifying that an electronic signature made by the network operator device is valid. The first embodiment describes a technique in which the network operator device and the service provider device each manage the other's public key information, but the present invention is not limited to this: any method of verifying that an electronic signature is valid may be used, such as verification using public key information issued by a trusted third-party institution. Moreover, transmitting an electronic signature is not always necessary.

  Under this configuration, the network operator device of the first embodiment first receives a network connection request from the user device (see (1) in FIG. 1). Specifically, it receives line authentication information (for example, a user account and password) from the user device as the network connection request; in FIG. 1, user account AAA and its password are received. An electronic signature or the like may also be received from the user device as the line authentication information.

  Next, the network operator device performs authentication processing (see (2) in FIG. 1). Specifically, it authenticates the user device by comparing the line authentication information received from the user device with the line authentication information (for example, user account, password, etc.) managed in the user management DB. In FIG. 1, for example, the user device is authenticated by checking user account AAA and its password (not shown) as managed in the user management DB.

  Then the network operator device transmits a network connection response to the user device (see (3) in FIG. 1). Specifically, it issues the user device an IP address for an access path to a line (access network) for connecting to a network such as the Internet, for example by PPPoE (Point to Point Protocol over Ethernet (registered trademark)), and sends it to the user device. The network operator device also stores the IP address assigned to the user device in the user management DB.

  As a result, the user device is connected to a network such as the Internet. Next, the service provider device receives an SP site access request from the user device (see (4) in FIG. 1). Specifically, the service provider device receives from the user device, as the SP site access request, the SP site URL (Uniform Resource Locator) or the like of an application service it provides.

  Then the service provider device transmits an SP site access response to the user device (see (5) in FIG. 1). Specifically, it retrieves a Web page and transmits it as the SP site access response. In the first embodiment, the Web page transmitted by the service provider device prompts the user of the user device to make a single sign-on request in order to use the application service by single sign-on.

  Next, the service provider device receives a single sign-on request from the user device (see (6) in FIG. 1). Specifically, it receives the single sign-on request when the user clicks an icon (such as "single sign-on request") on the Web page that prompts for it.

  When the service provider device receives this site access request (single sign-on request) from the user device, it transmits a user authentication request requesting user authentication of the user device to the network operator device by redirect communication via the user device (see (7) and (8) in FIG. 1).

  Then, the network operator device according to the first embodiment acquires line information regarding the line to which the user device is connected (see (9) in FIG. 1). Specifically, when the network operator device receives, by redirect communication via the user device, the user authentication request requesting user authentication of the user device from the service provider device, it specifies the line to which the user device is connected and acquires the line information.

  Subsequently, the network operator device acquires the user information associated with the acquired line information, performs user authentication using that user information, and transmits the user authentication result to the service provider device by redirect communication via the user device (see (10) and (11) in FIG. 1). More specifically, in the above example, the network operator device acquires the user information (“tarou, 123, #A500, optical, ...”) associated with the acquired line information, line identifier “123”, determines “authentication pass” as the user authentication result on the grounds that this user information belongs to a user device registered with the network operator device, and transmits that result to the service provider device by redirect communication via the user device.

  That is, the network operator device here performs user authentication according to whether or not the acquired line information corresponds to user information stored in the network operator device, and transmits the authentication result (for example, authentication pass or authentication rejection) to the service provider device by redirect communication via the user device.

  Then, when the service provider device receives the user authentication result of the user device from the network operator device by redirect communication via the user device, it controls site access using that user authentication result (see (12) in FIG. 1). More specifically, when the service provider device receives “authentication pass” from the network operator device by redirect communication via the user device, it permits site access by single sign-on and transmits a Web page that starts provision of the application service. When it receives “authentication rejection”, it rejects site access by single sign-on.

  For this reason, highly reliable site access control can be realized in the service provider device as described above. Further, because the authentication process is performed by the network operator, the service provider device need not perform an authentication process of its own, and its processing load can be reduced. Furthermore, since the service provider device need not manage user information (for example, contract information) for user authentication, the costs and processing load related to user information management in the service provider device can be reduced.

[Configuration of Service System According to Embodiment 1]
Next, the configuration of the service system according to the first embodiment will be described with reference to FIGS. 2 to 9. FIG. 2 is a block diagram illustrating the configuration of the service system according to the first embodiment, FIGS. 3 and 4 are diagrams for explaining Web pages transmitted from the service provider device to the user device, and FIGS. 5 to 9 are diagrams for explaining the user management database unit and the service provider management database unit in the network operator device.

  As illustrated in FIG. 2, the service system according to the first embodiment is composed of a network operator device 100 that controls network connection by the user device 300 and a service provider device 200 that controls site access by the user device 300. Below, the network operator device 100 and the service provider device 200 are described in order.

[Network operator apparatus 100]
The network operator device 100 according to the first embodiment is configured by a general-purpose computer or the like and, as the parts particularly closely related to the present invention, includes a communication control I/F unit 110, a storage unit 120, and a control unit 130, as shown in FIG. 2.

  The communication control I/F unit 110 controls communication of the various kinds of information exchanged with the user device 300 and the service provider device 200. Specifically, it receives a network connection request from the user device 300, and receives, by redirect communication from the service provider device 200 via the user device 300, a user authentication request requesting user authentication of the user device.

  The storage unit 120 stores data used for the various controls in the control unit 130 and, as the parts particularly closely related to the present invention, includes a user management database unit 121 and a service provider management database unit 122, as shown in FIG. 2. The user management database unit 121 corresponds to the “user information storage unit” recited in the claims.

  The user management database unit 121 stores user information related to the user of the user device 300 that is permitted to connect to the network. Specifically, the user management database unit 121 stores the user information related to the user of the user device 300 permitted to connect to the network in association with line information related to the line to which the user device 300 is connected, and the stored user information and line information are used for processing by an authentication processing unit 131, a line information acquisition unit 132, and a user authentication result transmission unit 133, which will be described later. In the first embodiment, the user management database unit 121 stores user accounts and IP addresses in association with each other, user accounts and user information in association with each other, user accounts and line information in association with each other, and user accounts and SP IDs in association with each other, as described below, by running an RDBMS (Relational DataBase Management System) program or the like. However, the present invention is not limited to this, and any database construction method may be used as long as the user information is stored in association with the line information.

  For example, as shown in FIG. 5, the user management database unit 121 according to the first embodiment stores a user account (see the “NW user account” column) and an IP address (see the “IP address” column) in association with each other. Here, the IP address stored in association with the user account is the IP address that the authentication processing unit 131, described later, pays out to the user device 300 when the network operator device 100 transmits a network connection response to the user device 300, after setting up by PPPoE (Point to Point Protocol over Ethernet (registered trademark)) an access path over the line (access network) through which the user device 300 connects to a network such as the Internet. The user management database unit 121 stores the IP address paid out by the authentication processing unit 131.

  As shown in the first line of FIG. 5, for example, the user management database unit 121 stores the user account “tarou” and the IP address “192.168.x.x” in association with each other. In the embodiment, for convenience of explanation, the IP address is written as a combination of specific numbers and letters such as “192.168.x.x”; in practice it is the IP address paid out by the network operator device, and the particular numbers and letters chosen have no special meaning.

  Further, for example, as shown in FIG. 6, the user management database unit 121 according to the first embodiment stores a user account (see the “NW user account” column) and user information (see the “contractor name”, “address (billing address)”, “credit card number” and “payment / non-payment of communication charges” columns) in association with each other. Here, the user information stored in association with the user account is obtained when the network operator device 100 registers, as a user, the user information that the user presented offline. In other words, the network operator device 100 according to the first embodiment presupposes that user registration is performed in advance for the user of the user device 300. Because this user registration is performed with identity confirmation using an identification card such as a driver's license, the user information presented offline by the user is highly reliable information, registered by the network operator after confirming the user's identity with the identification card. The user management database unit 121 stores in advance the user information entered into the network operator device 100 by an operator who operates the network operator device 100 or the like.

  As shown in the first line of FIG. 6, for example, the user management database unit 121 stores the user account “tarou”, the contractor name “patent Taro”, the address “Tokyo, ...”, the credit card number “1111-1111-1111-1111” and the communication-charge payment status “paid” in association with each other. In the embodiment, the case where the contractor name, address, credit card number and payment / non-payment of communication charges are stored as the user information has been described, but the present invention is not limited to this; any information may be stored as long as it includes the user information needed by the network operator device and the service provider device, for example when information such as age is stored in addition, or when the payment status of communication charges is not stored.

  Further, for example, as shown in FIG. 7, the user management database unit 121 according to the first embodiment stores a user account (see the “NW user account” column) and line information (see the “line identifier”, “line accommodation position”, “line type”, “line speed” and “line authentication information (password etc.)” columns) in association with each other. Here, the line information stored in association with the user account is information registered by the network operator device 100 from the user information and the line information collected by the network operator. That is, the network operator device 100 according to the first embodiment presupposes that user registration is performed in advance for the user of the user device 300, and at the time of this user registration (or before or after it) the line information of the user device 300 operated by the registered user is registered as well. Since the line information is collected by the network operator that operates the network operator device 100, it is highly reliable information. The user management database unit 121 stores in advance the line information entered into the network operator device 100 by an operator who operates the network operator device 100 or the like.

  As shown in the first line of FIG. 7, for example, the user management database unit 121 stores the user account “tarou”, the line identifier “123”, the line accommodation position “#A500”, the line type “optical”, the line speed “100 Mbps / 100 Mbps” and the line authentication information “******” in association with each other. In the embodiment, the case where the line identifier, line accommodation position, line type, line speed and line authentication information are stored as the line information has been described, but the present invention is not limited to this; any case is acceptable as long as the line information needed by the network operator device and the service provider device is included, for example when the line accommodation position is not stored. Also, in the embodiment the line identifier, line accommodation position and the like are written as combinations of specific numbers and symbols for convenience of explanation, but in practice they are information prescribed in the network operator device, and the particular numbers and symbols have no special meaning.

  Further, for example, as shown in FIG. 8, the user management database unit 121 according to the first embodiment stores a user account (see the “NW user account” column) and an SP ID (see the “SP ID” column) in association with each other. Here, the SP ID is an identifier by which the network operator device 100 identifies a service provider device 200. As shown in the first line of FIG. 8, for example, the user management database unit 121 stores the user account “tarou” and the SP IDs “1” and “3” in association with each other. Storing the user account “tarou” in association with a plurality of SP IDs shows that a correspondence between one user account and a plurality of service provider devices 200 can be maintained. The present invention therefore applies equally when the user management database unit 121 stores a single SP ID in association with one user account, or three or more SP IDs in association with one user account.

  Further, as illustrated in the fourth line of FIG. 8, for example, the user management database unit 121 stores the user account “ichiro” and the SP ID “2” in association with each other. This indicates that the service provider device 200 that controls site access by the user device 300 operated under the user account “ichiro” is the service provider device 200 identified by the SP ID “2”.

  The service provider management database unit 122 stores information regarding the service provider device 200. Specifically, the service provider management database unit 122 stores, as the information regarding the service provider device 200, an SP ID and public key information (such as an electronic certificate of the service provider device 200) in association with each other, and the stored SP ID and public key information are used for processing by the line information acquisition unit 132 described later. Here, in the first embodiment, the public key information is public key information for verifying that an electronic signature made by the service provider device 200 is valid, held on the premise that a trust relationship has been established in advance between the network operator device 100 and the service provider device 200.

  In the first embodiment, as shown in FIG. 9, the case where the service provider management database unit 122 stores public key information has been described. However, the present invention is not limited to this; for example, in a method in which the validity of the electronic signature is verified using public key information issued by a trusted third-party organization, the service provider management database unit 122 need not store the public key information. Also, in the first embodiment the service provider management database unit 122 stores the SP ID and the public key information in association with each other by running an RDBMS program, but the present invention is not limited to this, and any database construction method may be used as long as an identifier for identifying the service provider device 200 is stored.

  The control unit 130 performs the various controls in the network operator device 100 and, as the parts particularly closely related to the present invention, includes an authentication processing unit 131, a line information acquisition unit 132, and a user authentication result transmission unit 133, as shown in FIG. 2. The line information acquisition unit 132 corresponds to the “line information acquisition unit” recited in the claims, and the user authentication result transmission unit 133 corresponds to the “user authentication result transmission unit” recited in the claims.

  The authentication processing unit 131 performs the authentication process of the user device 300 and controls network connection by the user device 300. Specifically, the authentication processing unit 131 receives a network connection request from the user device 300 together with line authentication information, authenticates the user device by checking the received line authentication information against the line authentication information (for example, user account, password, etc.) stored in the user management database unit 121, and transmits a network connection response to the user device 300 according to the authentication result.

  Further, when transmitting the network connection response to the user device 300, the authentication processing unit 131 sets up for the user device 300, using PPPoE or the like, an access path over the line for connecting to the Internet, pays out an IP address to the user device 300, transmits the paid-out IP address to the user device 300, and stores it in the user management database unit 121. For example, when transmitting a network connection response for the user account “tarou” of the user device 300, the authentication processing unit 131 pays out the IP address “192.168.x.x” to the user device 300.

  The line information acquisition unit 132 acquires line information regarding the line to which the user device 300 is connected. Specifically, when the line information acquisition unit 132 receives, by redirect communication from the service provider device 200 via the user device 300, a user authentication request requesting user authentication of the user device 300, it acquires line information regarding the line to which the user device 300 is connected and passes the acquired line information to the user authentication result transmission unit 133.

  For example, the line information acquisition unit 132 specifies the line to which the user device 300 is connected and acquires, from the user management database unit 121, the line information associated with the line so specified. That is, when the line information acquisition unit 132 specifies the line to which the user device 300 is connected and the identifier of that line is “123”, it acquires from the user management database unit 121 as the line information, for example, the line identifier “123”, the line accommodation position “#A500”, the line type “optical”, the line speed “100 Mbps / 100 Mbps” and so on. In the first embodiment, the method of handing on the line information acquired from the user management database unit 121 has been described, but the present invention is not limited to this, and a method of handing on the line information obtained directly by specifying the line to which the user device 300 is connected can be applied in the same way.

  The user authentication result transmission unit 133 acquires, from the user management database unit 121, the user information associated with the line information acquired by the line information acquisition unit 132, performs user authentication using that user information, and transmits the resulting user authentication result to the service provider device 200 by redirect communication via the user device 300. As a specific example, when the line information acquisition unit 132 has acquired the line identifier “123” and the line information “tarou, 123, #A500, optical, 100 Mbps / 100 Mbps, ******” corresponding to the line identifier “123” has been obtained from the user management database unit 121, the user authentication result transmission unit 133, on the grounds that the user information (tarou, 123, #A500, optical, 100 Mbps / 100 Mbps, ******) associated with the line information acquired by the line information acquisition unit 132 (line identifier: 123) is stored in the user management database unit 121, transmits an authentication result (authentication pass) indicating a valid user device 300 to the service provider device 200 by redirect communication via the user device 300.

  On the other hand, when the line information acquisition unit 132 has acquired the line identifier “123” but the line information “tarou, 123, #A500, optical, 100 Mbps / 100 Mbps, ******” corresponding to the line identifier “123” cannot be obtained from the user management database unit 121, the user authentication result transmission unit 133, on the grounds that no user information associated with the line information is stored in the user management database unit 121, transmits an authentication result (authentication rejection) indicating that the user device 300 is not a valid user device to the service provider device 200 by redirect communication via the user device 300.
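  The tables of FIGS. 5 to 8 and the pass/reject decision made by the line information acquisition unit 132 and the user authentication result transmission unit 133, as an added example in Python; it is not part of the patent and not code from the applicant. The four tables are kept in sqlite, and the sample rows are constructed from the figures (“tarou”, “192.168.x.x”, line identifier “123”, “#A500”, “optical”, SP IDs 1 and 3, “ichiro” with SP ID 2). The following are assumptions made for the example and not statements from the page: the column names, the mapping from a session to its line (LINE_TERMINATION, since the page does not say how the network operator device specifies the line), and a second account “ichiro” that sits on a line for which no user information is stored, which exercises the rejection branch. The remark in the comments that a source IP address alone is not a trustworthy line identity is the usual practitioner caveat, not something the page states.

```python
import sqlite3

# Added example (not the patent's own code): the user management database
# unit 121 of FIGS. 5 to 8 as four sqlite tables keyed by the NW user account,
# and the lookup chain of steps (9)/(10): line -> line information -> user
# information -> authentication result. All rows are constructed placeholders
# taken from the figures; none are real data.

SCHEMA = """
CREATE TABLE account_ip   (nw_user_account TEXT PRIMARY KEY, ip_address TEXT NOT NULL);
CREATE TABLE account_user (nw_user_account TEXT PRIMARY KEY, contractor_name TEXT,
                           billing_address TEXT, credit_card_number TEXT,
                           fee_payment TEXT);
CREATE TABLE account_line (nw_user_account TEXT PRIMARY KEY,
                           line_identifier TEXT UNIQUE NOT NULL,
                           line_position TEXT, line_type TEXT, line_speed TEXT,
                           line_auth_info TEXT);
CREATE TABLE account_sp   (nw_user_account TEXT, sp_id INTEGER,
                           PRIMARY KEY (nw_user_account, sp_id));
"""

SAMPLE_ROWS = {
    "account_ip":   [("tarou", "192.168.x.x"), ("ichiro", "192.168.y.y")],
    "account_user": [("tarou", "patent Taro", "Tokyo, ...",
                      "1111-1111-1111-1111", "paid")],
    # "ichiro" is registered on line 456 but has no user-information row
    # (constructed case for the rejection branch).
    "account_line": [("tarou", "123", "#A500", "optical", "100Mbps/100Mbps", "******"),
                     ("ichiro", "456", "#B200", "optical", "100Mbps/100Mbps", "******")],
    "account_sp":   [("tarou", 1), ("tarou", 3), ("ichiro", 2)],
}

# Assumed stand-in for "specifying the line to which the user device is
# connected". In a real deployment the access network knows which physical
# line (PPPoE session / port) a connection sits on, and that is what should be
# consulted: the source IP address of an HTTP request is not, on its own, a
# trustworthy line identity. This map only exists so the example runs offline.
LINE_TERMINATION = {"192.168.x.x": "123", "192.168.y.y": "456"}


def build_db():
    """In-memory user management DB populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        marks = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    return conn


def identify_line(ip_address):
    """Line identifier of the session that owns ip_address, or None."""
    return LINE_TERMINATION.get(ip_address)


def get_line_info(conn, line_identifier):
    return conn.execute("SELECT * FROM account_line WHERE line_identifier = ?",
                        (line_identifier,)).fetchone()


def get_user_info(conn, nw_user_account):
    return conn.execute("SELECT * FROM account_user WHERE nw_user_account = ?",
                        (nw_user_account,)).fetchone()


def linked_sp_ids(conn, nw_user_account):
    """SP IDs associated with the account (FIG. 8)."""
    rows = conn.execute("SELECT sp_id FROM account_sp WHERE nw_user_account = ? "
                        "ORDER BY sp_id", (nw_user_account,)).fetchall()
    return [r["sp_id"] for r in rows]


def authenticate_by_line(conn, ip_address):
    """Steps (9) and (10): pass only if the line maps to stored user information."""
    line_id = identify_line(ip_address)
    if line_id is None:
        return {"result": "reject", "reason": "line not identified"}
    line = get_line_info(conn, line_id)
    if line is None:
        return {"result": "reject", "reason": f"no line information for line {line_id}"}
    user = get_user_info(conn, line["nw_user_account"])
    if user is None:
        return {"result": "reject", "reason": f"no user information for line {line_id}"}
    # Only an account and contract summary is handed on: the line password
    # (line_auth_info) and the card number stay inside the database.
    return {"result": "pass", "account": user["nw_user_account"],
            "contractor": user["contractor_name"], "line_type": line["line_type"],
            "sp_ids": linked_sp_ids(conn, user["nw_user_account"])}
```

  authenticate_by_line returns “pass”, the account and the SP IDs linked to it only when the identified line resolves to stored user information; for a line without user information, or a session on no known line, it returns “reject”, which is the branch described above. The line authentication information is never copied into the result, matching the masked “******” the page shows in its line information tuple.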

[Service provider device 200]
The service provider device 200 according to the first embodiment is configured by a general-purpose computer or the like and, as the parts particularly closely related to the present invention, includes a communication control I/F unit 210, a storage unit 220, and a control unit 230, as shown in FIG. 2.

  The storage unit 220 stores the data and programs needed for the various processes performed by the control unit 230. As specific examples, it temporarily stores the user authentication result and the site access request received by the communication control I/F unit 210, and stores the Web screens provided by the service provider device 200 that are transmitted by the SP site access response unit 231.

  The control unit 230 has an internal memory for storing a control program such as an OS (Operating System), programs defining various processing procedures, and the necessary data, and, as the parts particularly closely related to the present invention, includes an SP site access response unit 231, a user authentication request transmission unit 232 and an access control unit 233, by which it executes various processes. The user authentication request transmission unit 232 corresponds to the “user authentication request transmission unit” recited in the claims, and the access control unit 233 likewise corresponds to the “access control unit”.

  When the user authentication request transmission unit 232 receives a request for site access by single sign-on from the user device 300, it transmits a user authentication request requesting user authentication of the user device 300 to the network operator device 100 by redirect communication via the user device 300. As a specific example, as shown in FIG. 3, when the user clicks once on an icon (such as “single sign-on request”) on the Web page displayed on the user device that prompts a single sign-on request, and the single sign-on request is thereby received, the user authentication request transmission unit 232 transmits the user authentication request requesting user authentication of the user device 300 to the network operator device 100 by redirect communication via the user device 300.

  When the access control unit 233 receives the user authentication result of the user device 300 from the network operator device 100 by redirect communication via the user device 300, it controls site access using that user authentication result. As a specific example, when authentication pass (authentication permission) is received from the network operator device 100 by redirect communication via the user device 300, the access control unit 233 permits the user device 300 to use the application service corresponding to the site access, as shown in FIG. 4. On the other hand, when authentication rejection is received, the access control unit 233 refuses the user device 300 use of the application service corresponding to the site access.

[Procedure for Processing by Service System According to First Embodiment]
Next, the processing procedure of the service system according to the first embodiment will be described with reference to FIG. 10. FIG. 10 is a sequence diagram illustrating the processing procedure performed by the service system according to the first embodiment. Here, it is assumed that the network operator device 100 according to the first embodiment has registered the user of the user device 300 in advance and permits the network connection of the user device 300. On the other hand, it is assumed that the service provider device 200 according to the first embodiment has not performed user registration for the user of the user device 300; that is, the user device 300 is in a state in which it cannot yet receive the application service provided by the service provider device 200. In the following, the process in which the user device 300 connects to the network (see (1) in FIG. 10), the process in which the user device 300 accesses the SP site (see (2) in FIG. 10), and the user authentication process in which the network operator device 100 authenticates the user device 300 (see (3) in FIG. 10) are described in order.

[(1) Network connection]
First, the authentication processing unit 131 in the network operator device 100 receives a network connection request from the user device 300 (step S1). Specifically, the authentication processing unit 131 in the network operator device 100 receives line authentication information (for example, a user account, a password, etc.) from the user device 300 as a network connection request.

  Next, the authentication processing unit 131 in the network operator device 100 performs the authentication process of the user device 300 (step S2). Specifically, the authentication processing unit 131 in the network operator device 100 checks the line authentication information received from the user device 300 against the line authentication information (for example, user account, password, etc.) managed by the user management database unit 121, and authenticates the user device 300.

  Then, the authentication processing unit 131 in the network operator device 100 transmits a network connection response to the user device 300 (step S3). Specifically, the authentication processing unit 131 in the network operator device 100 sets up for the user device 300, by PPPoE (Point to Point Protocol over Ethernet (registered trademark)), an access path over the line (access network) for connecting to the Internet, pays out an IP address, and transmits it to the user device 300. Further, the authentication processing unit 131 in the network operator device 100 stores the IP address paid out to the user device 300 in the user management database unit 121.

[(2) Access to SP site]
Subsequently, the user device 300 connects to the Internet, and the SP site access response unit 231 in the service provider device 200 receives an SP site access request from the user device 300 (step S4). Specifically, the SP site access response unit 231 in the service provider device 200 receives an SP site URL (Uniform Resource Locator) or the like from the user device 300 as an SP site access request.

  Then, the SP site access response unit 231 in the service provider device 200 acquires a Web page (step S5). Specifically, the SP site access response unit 231 in the service provider device 200 acquires a Web page that prompts the user device 300 for a single sign-on request based on the received URL.

  Then, the SP site access response unit 231 in the service provider device 200 transmits an SP site access response to the user device 300 (step S6). Specifically, the SP site access response unit 231 in the service provider device 200 transmits a Web page that prompts the user device 300 to request a single sign-on.

[(3) User authentication]
Next, the user device 300 transmits a single sign-on request using the NW function to the service provider device 200 (step S7). Then, the user authentication request transmission unit 232 in the service provider device 200 transmits a user authentication request requesting user authentication of the user device 300 to the network operator device 100 (step S8). Specifically, the user authentication request transmission unit 232 in the service provider device 200 sends the user authentication request to the network operator device 100 together with the SP ID and the electronic signature by redirect communication via the user device 300.

  Then, the line information acquisition unit 132 in the network operator apparatus 100 identifies the line to which the user apparatus 300 is connected, and acquires line information (step S9).

  Next, the user authentication result transmission unit 133 in the network operator device 100 acquires, from the user management database unit 121, the user information associated with the line information acquired by specifying the line, performs user authentication (step S10), and transmits the authentication result to the service provider device 200 (step S11). Specifically, on the grounds that user information associated with the line information is stored in the user management database unit 121, the user authentication result transmission unit 133 in the network operator device 100 determines that the user device 300 is a valid user device and transmits “authentication pass (permitted)” to the service provider device 200 as the authentication result.

  Then, the access control unit 233 in the service provider device 200 controls site access based on the received authentication result (step S12). Specifically, the access control unit 233 in the service provider device 200 permits site access by the user device 300 when it receives authentication pass (permission), and rejects site access when it receives authentication rejection.

  In the first embodiment, the case where the user authentication request transmission unit 232 in the service provider device 200 transmits the user authentication request to the network operator device 100 together with the SP ID and the electronic signature by redirect communication via the user device 300 has been described, but the present invention is not limited to this, and only the user authentication request and the SP ID may be transmitted.
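  The exchange of (7) to (12) in FIG. 1, that is steps S7 to S12 of FIG. 10, as an added example in Python; it is not code from the patent or its applicant. The two legs that pass through the user device (S8 and S11) are carried as redirect URLs, and the user device's only role is to forward them. The page's public-key electronic signature, verified with the key stored against the SP ID in the service provider management database unit 122, is replaced here by an HMAC-SHA256 tag over the request with a key pre-shared between the two operators, so that the block runs on the standard library alone; the verification logic is the same as the page describes (look the key up by SP ID, issue no result if the signature does not verify). Three things are this example's own additions, stated nowhere on the page: the network operator signs the S11 result too, because a result relayed by the user device could otherwise be written by the user device itself; the request carries a nonce that the service provider accepts only once, so a captured result cannot be replayed; and the line-to-account lookup is a constructed dict (LINE_USER) standing in for line identification and the database lookup. The keys, the host names nw.example and sp.example, and the field names are placeholders.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Added example, not the patent's code. Constructed keys and lookups:
SP_KEYS = {"1": b"sp1-key", "3": b"sp3-key"}   # SP management DB: SP ID -> verification key
NW_KEY = b"nw-key"                              # key under which the NW signs results (assumption)
LINE_USER = {"192.168.x.x": "tarou"}            # stand-in for line identification + user lookup


def _canonical(fields):
    """Deterministic byte string both sides sign; the tag itself is excluded."""
    return urlencode(sorted((k, v) for k, v in fields.items() if k != "sig")).encode()


def sign(fields, key):
    return hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()


def verify(fields, key):
    expected = sign(fields, key).encode()
    return hmac.compare_digest(fields.get("sig", "").encode(), expected)


def redirect_url(base, fields):
    """The message as the user device's browser carries it in a redirect."""
    return base + "?" + urlencode(fields)


def parse_redirect(url):
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


class ServiceProvider:
    def __init__(self, sp_id, key):
        self.sp_id, self.key = sp_id, key
        self.pending = set()          # nonces of S8 requests still awaiting an S11 result

    def user_authentication_request(self):
        """S7 -> S8: user authentication request carrying the SP ID and a signature."""
        nonce = secrets.token_hex(8)
        self.pending.add(nonce)
        req = {"sp_id": self.sp_id, "nonce": nonce}
        req["sig"] = sign(req, self.key)
        return redirect_url("https://nw.example/auth", req)

    def access_control(self, url):
        """S12: decide site access from the result that came back via the user device."""
        res = parse_redirect(url)
        if not verify(res, NW_KEY):
            return "deny: result signature invalid"
        if res.get("nonce") not in self.pending:
            return "deny: unknown or replayed result"
        self.pending.discard(res["nonce"])   # one result per request
        if res.get("sp_id") != self.sp_id:
            return "deny: result issued for another SP"
        return "permit" if res.get("result") == "pass" else "deny: authentication rejected"


class NetworkOperator:
    def handle(self, url, client_ip):
        """S9 -> S11: verify the SP, identify the line, return a signed result or nothing."""
        req = parse_redirect(url)
        key = SP_KEYS.get(req.get("sp_id", ""))
        if key is None or not verify(req, key):
            return None               # unknown SP ID or bad signature: no result issued
        account = LINE_USER.get(client_ip)
        res = {"sp_id": req["sp_id"], "nonce": req.get("nonce", ""),
               "result": "pass" if account else "reject"}
        if account:
            res["account"] = account
        res["sig"] = sign(res, NW_KEY)
        return redirect_url("https://sp.example/sso", res)


def single_sign_on(sp, nw, client_ip):
    """The user device's part of the sequence: forward the two redirects, nothing more."""
    to_nw = sp.user_authentication_request()
    to_sp = nw.handle(to_nw, client_ip)
    if to_sp is None:
        return "deny: network operator issued no result"
    return sp.access_control(to_sp)
```

  single_sign_on(ServiceProvider("1", SP_KEYS["1"]), NetworkOperator(), "192.168.x.x") walks the whole sequence and returns “permit”; a session on a line with no registered user gets a signed “reject”, a request from an SP ID with no key in the service provider management table, or whose signature was altered in transit, gets no result at all, and a result the user device forges or replays is refused at S12. The pre-shared-key tag is the only departure from the page's public-key signature: with real signatures the SP ID would select a public key or certificate instead of a shared secret, and nothing else in the flow changes.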

[Effect of Example 1]
As described above, according to the first embodiment, the network operator device stores the user information related to the user of the user device permitted to connect to the network in association with the line information related to the line to which the user device is connected. When it receives, by redirect communication via the user device, a user authentication request requesting user authentication of the user device from the service provider device, it specifies the line to which the user device is connected and acquires the line information, acquires the user information associated with the acquired line information, performs user authentication using that user information, and transmits the user authentication result to the service provider device by redirect communication via the user device. The service provider device, when it accepts a site access request from the user device, transmits a user authentication request requesting user authentication of the user device to the network operator device by redirect communication via the user device, and when it receives the user authentication result of the user device from the network operator device by redirect communication via the user device, controls site access using that user authentication result. Highly reliable site access control can therefore be realized in the service provider device.

  Further, according to the first embodiment, because the authentication process is performed by the network operator, the service provider device need not perform an authentication process of its own, and its processing load can be reduced. Furthermore, since the service provider device need not manage user information (for example, contract information) for user authentication, the costs and processing load related to user information management in the service provider device can be reduced.

  Further, according to the first embodiment, when the network operator device receives, in addition to the user authentication request from the service provider device, an electronic signature signed by the service provider device, it transmits the user authentication result to the service provider device on condition that the electronic signature is valid, and the service provider device transmits the electronic signature to the network operator device in addition to the user authentication request. Compared with the case where the service provider device does not transmit an electronic signature together with the user authentication request, highly reliable site access control can thus be realized more securely in the service provider device. For example, if no electronic signature is sent, it cannot be determined whether the user authentication request was actually sent by a legitimate service provider; if an electronic signature is sent, it can be determined whether the user authentication request was sent by a legitimate service provider.

  In the first embodiment, only the case where the user device uses a service provided by the service provider device has been described. However, the present invention is not limited to this, and may also be applied when the service provider device provides a plurality of services and a new contract or an additional contract is made for each service.

  Therefore, in the second embodiment, the case where the user device makes a new contract or an additional contract for a service provided by the service provider device will be described with reference to FIGS. 11 and 12. FIG. 11 is a diagram for explaining the outline and features of the service system according to the second embodiment, and FIG. 12 is a diagram for explaining the user management database unit in the network operator device according to the second embodiment.

  As shown in FIG. 11, the service system according to the second embodiment includes a network operator device, a service provider device, and a user device, as in the first embodiment. The user device and the network operator device are connected via an access network, and the network operator device and the service provider device are connected via a network such as the Internet.

  The network operator device in the second embodiment stores the user information in association with the line information in the user management database unit (user management DB), as in the first embodiment. It differs from the first embodiment in that, as shown in FIG. 12, it also stores contract management information consisting of an “NW user account” that uniquely identifies the user device, an “SP ID” that uniquely identifies the service provider device, and a “service name” giving the name of the contracted service, for example “tarou, 3, mail / music / video” and “hana, 3, mail”.

  In such a configuration, as in the first embodiment, the user device is authenticated by the network operator device and connected to the Internet, and when the service provider device receives the SP site access request from the user device (see (1) to (4) in FIG. 11), it transmits the SP site access response, and the user device acquires the SP Web page (see (5) in FIG. 11).

  Next, the service provider device receives a service addition request from the user device (see (6) in FIG. 11). Specifically, the service addition request is received when the user clicks, on the user device, a web page icon (such as “service addition request”) that prompts for the service addition request.

  Then, the service provider device transmits a contract management request for requesting contract management between the user device and the service provider device, together with a user authentication request for requesting user authentication of the user device, to the network operator device by redirect communication via the user device (see (7) and (8) in FIG. 11). To give a specific example, the service provider device sends, as the contract management request together with the user authentication request, a “process type” indicating the contract processing and the “service name” to be processed. An example of a contract management request is “contract addition, map search service”.

  Subsequently, the network operator device that has received the contract management request together with the user authentication request acquires line information on the line to which the user device is connected (see (9) in FIG. 11), performs user authentication (see (10) in FIG. 11), and when the authentication result is a pass, updates the user management DB based on the received contract management request (see (11) in FIG. 11) and transmits the authentication result (authentication pass) to the service provider device (see (12) in FIG. 11).

  Specifically, if the result of user authentication is “authentication passed (success)” and the received contract management request is “processing type = add, service name = map search service”, the “map search service” is added to the entry of the user management DB corresponding to the acquired line information, and the authentication result (authentication pass) is transmitted to the service provider device. On the other hand, if the result of user authentication is “authentication refused (failure)” and the received contract management request is “processing type = add, service name = map search service”, nothing is added to the user management DB, and the authentication result (authentication refused) is transmitted to the service provider device.

  Then, as in the first embodiment, the service provider device performs access control based on the received authentication result (see (13) in FIG. 11). Specifically, when authentication pass (authentication permission) is received, the service provider device permits the user device to use the application service corresponding to the site access. On the other hand, when authentication refusal is received, the service provider device rejects use of the application service corresponding to the site access by the user device.

  Thus, according to the second embodiment, the service provider device further transmits a contract management request for requesting contract management between the user device and the service provider device together with the user authentication request for requesting user authentication of the user device, and when the network operator device receives the contract management request from the service provider device, it stores the contract information on the contract between the user device and the service provider device in association with the user information. Since the contract can be made together with user authentication without preparing a separate function or storage unit for making contracts, the processing load on the service provider device can be reduced further, and the cost and processing load of user information management in the service provider device can be reduced further.

  In the first and second embodiments of the present invention, user authentication has been described so far. However, the present invention may be implemented in various forms other than the embodiments described above. Therefore, the following different embodiments will be described: (1) user authentication using line information, (2) obtaining a user authentication result with an expiration date, and (3) obtaining a user authentication result with an electronic signature.

(1) User Authentication Using Line Information
For example, in the first and second embodiments, the case where user authentication is performed using the user information associated with the acquired line information has been described. The present invention is not limited to this, and user authentication may be performed using the line information in addition to the user information.

  Specifically, referring to FIG. 2, when, for example, the line information acquisition unit 132 acquires the line information “123” and the record “tarou, 123, #A500, HIKARI, 100Mbps / 100Mbps, ******” is obtained for it from the user management database unit 121, the user authentication result transmission unit 133 authenticates the user device 300 as legitimate on the basis that the line information acquired by the line information acquisition unit 132 (line identifier: 123) and the user information associated with it (tarou, 123, #A500, HIKARI, 100Mbps / 100Mbps, ******) are stored in the user management database unit 121. It may additionally use, for authentication, the location and line speed of the user device that can be identified from the acquired line information “tarou, 123, #A500, HIKARI, 100Mbps / 100Mbps, ******”.

  Thus, highly reliable site access control can be realized in a service provider device that, for example, permits or denies site access depending on the location and line speed at which the user device is connected, or selects the service to provide according to the location and line speed. Specifically, when the network connection location identified by the line information is somewhere other than “home”, provision of an auction service may be refused, and when the line speed identified by the line information is high, a high-resolution video content service may be provided. In addition, by performing user authentication using both the user information and the line information in this way, access by the user can be restricted further. For example, users who are “children” can be prohibited from browsing “midnight sites”, “adult sites”, and “high-priced shopping sites”.

  Note that the network operator device may receive, together with the user authentication request from the service provider device, a specification of which items of the line information managed in the user management DB are to be used for user authentication, or this may be arranged in advance.

(2) Obtaining a User Authentication Result with an Expiration Date
In the first and second embodiments, the case where the user authentication result obtained by performing user authentication using the user information is transmitted to the service provider device has been described. The present invention is not limited to this, and expiration date information indicating the expiration date of the user authentication result may be transmitted to the service provider device in addition to the user authentication result.

  Specifically, the network operator device transmits expiration date information (for example, an expiration date set on the order of several days, several seconds, or several tens of seconds) to the service provider device in addition to the user authentication result. When the service provider device receives the expiration date information in addition to the user authentication result from the network operator device, it controls site access using the user authentication result on condition that the expiration date indicated in the expiration date information has not passed. In a method that does not transmit expiration date information, a user device that has illegally obtained the user information or other control information carried by the redirect communication via the user device could use that information to access the site illegally; transmitting the expiration date information (for example, an expiration date set on the order of several days, several seconds, or several tens of seconds) avoids this, so that highly reliable site access control can be implemented safely in the service provider device.

(3) Obtaining a User Authentication Result with an Electronic Signature
In the first embodiment, the case where the service provider device transmits a user authentication request and an electronic signature to the network operator device and the network operator device transmits the user authentication result to the service provider device has been described. The present invention is not limited to this, and the network operator device may likewise transmit an electronic signature to the service provider device together with the user authentication result.

  Specifically, compared with the case where the network operator device does not transmit an electronic signature together with the user authentication result, highly reliable site access control can be realized more securely in the service provider device. For example, if no electronic signature is transmitted, it cannot be determined whether the result was really transmitted by a legitimate network operator device; if an electronic signature is transmitted, it can be determined whether the result was transmitted by a legitimate network operator device.
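The following Python model, added here as an illustration and not part of the patent, walks through the exchange of the first embodiment together with variants (2) and (3) above: the service provider signs its user authentication request with its SP ID, the network operator verifies that signature, looks up the user by the line the user device is connected to, and returns a signed user authentication result carrying expiration date information, which the service provider accepts only if the network operator's signature verifies and the expiration date has not passed. HMAC-SHA256 over canonical JSON with pre-shared keys stands in for the patent's electronic signatures (a deployment would use public-key signatures), the SP ID echoed back in the result is an extra binding beyond what the page describes, and all keys, names and records are constructed.

```python
"""Added example (not from the patent): redirect-based user authentication with
a signed request, a line-information lookup, and a signed, time-limited result."""
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed pre-shared keys: the network operator holds one key per SP ID,
# and every service provider holds the network operator's key. These stand in
# for the electronic signatures of the patent.
SP_KEYS = {"3": b"constructed-sp3-secret"}
NW_KEY = b"constructed-network-operator-secret"

# Constructed user management DB of the network operator (cf. FIG. 2):
# line identifier -> user information and line information.
USER_MANAGEMENT_DB = {
    "123": {
        "user": "tarou",
        "line": {"line_id": "123", "accommodation": "#A500",
                 "line_type": "HIKARI", "line_speed": "100Mbps/100Mbps"},
    },
}


def sign(key: bytes, payload: dict) -> str:
    """Stand-in electronic signature: HMAC-SHA256 over canonical JSON."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def sp_build_auth_request(sp_id: str) -> dict:
    """Service provider side: user authentication request + SP ID + signature,
    carried to the network operator by redirect communication via the user device."""
    req = {"type": "user_authentication_request", "sp_id": sp_id}
    return {"request": req, "signature": sign(SP_KEYS[sp_id], req)}


def nw_handle_auth_request(msg: dict, line_id: str, validity_seconds: int,
                           now: Optional[float] = None) -> dict:
    """Network operator side: verify the SP signature, authenticate the user by
    the line the user device is on, and return a signed result with an expiry."""
    now = time.time() if now is None else now
    req = msg["request"]
    sp_id = req.get("sp_id")
    key = SP_KEYS.get(sp_id)
    if key is None or not hmac.compare_digest(msg.get("signature", ""), sign(key, req)):
        # Request not provably from a legitimate service provider: refuse.
        result = {"sp_id": sp_id, "result": "refused", "reason": "invalid SP signature"}
    else:
        entry = USER_MANAGEMENT_DB.get(line_id)
        if entry is None:
            # No user information stored for this line: not a legitimate user device.
            result = {"sp_id": sp_id, "result": "refused", "reason": "unknown line"}
        else:
            # User information is stored for the line: authentication passed.
            # Line information is returned so the SP may apply line-based policy.
            result = {"sp_id": sp_id, "result": "passed", "line": entry["line"]}
    # Expiration date information (variant (2)); a short validity limits replay.
    result["expires_at"] = int(now) + validity_seconds
    return {"result": result, "signature": sign(NW_KEY, result)}


def sp_access_control(msg: dict, sp_id: str, now: Optional[float] = None) -> bool:
    """Service provider side: permit site access only if the network operator's
    signature verifies (variant (3)), the result is addressed to this SP, the
    expiration date has not passed (variant (2)), and the result is a pass."""
    now = time.time() if now is None else now
    res = msg["result"]
    if not hmac.compare_digest(msg.get("signature", ""), sign(NW_KEY, res)):
        return False  # tampered with, or not from the network operator
    if res.get("sp_id") != sp_id:
        return False  # result issued for a different service provider
    if now > res["expires_at"]:
        return False  # stale result, possibly replayed
    return res["result"] == "passed"


if __name__ == "__main__":
    request = sp_build_auth_request("3")
    reply = nw_handle_auth_request(request, "123", validity_seconds=30)
    print("site access permitted:", sp_access_control(reply, "3"))
```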

  In the first to third embodiments of the present invention, it has been described that single sign-on is performed without creating a user account. However, the present invention is not limited to this, and a user account may be created and managed by the service provider device.

  Therefore, in the following, the case where the network operator device performs user authentication on behalf of the service provider device and the service provider device creates and stores a user account will be described as the fourth embodiment with reference to FIGS. 13 to 15. FIG. 13 is a diagram for explaining the outline and features of the service system according to the fourth embodiment, and FIGS. 14 and 15 are diagrams for explaining the user management database unit in the network operator device according to the fourth embodiment.

  As shown in FIG. 13, the network operator device in the fourth embodiment stores user information in the user management database unit (user management DB) in association with the line information, as in the first embodiment. The service provider device according to the fourth embodiment differs from the first embodiment in that it stores, in its own user management DB, the user account of the user device that uses the service provided by the service provider device.

  Further, in the fourth embodiment, unlike the case described in the first embodiment where each service provider device provides one application service, each service provider device provides a plurality of services, and user management is performed for each service.

  On the other hand, it is assumed that the user of the user device is not yet registered with the service provider device according to the fourth embodiment; that is, the user device cannot yet receive the application service provided by the service provider device. In the fourth embodiment, the application service provided by the service provider device is of a type that can be used permanently (or temporarily) once user registration is performed.

  Under such a configuration, as in the first embodiment, the network operator device in the fourth embodiment first receives a network connection request from the user device and performs authentication processing. When the service provider device receives the SP site access request from the user device (see (1) to (4) in FIG. 13), it transmits an SP site access response, and the user device acquires the SP Web page (see (5) in FIG. 13).

  Next, the service provider device receives a user registration request from the user device (see (6) in FIG. 13). Specifically, the user registration request is received when, for example, the user clicks, on the user device, a web page icon (such as “user registration request”) that prompts for the user registration request.

  When receiving the user registration request, the service provider device creates a user account (see (7) in FIG. 13). For example, in FIG. 13, the service provider device creates a user account BBB. The user account BBB is a permanent (or temporary) user account.

  Subsequently, the service provider device transmits a user authentication request for requesting user authentication of the user device to the network operator device by redirect communication via the user device (see (8) in FIG. 13).

  Then, the network operator device according to the fourth embodiment acquires line information on the line to which the user device is connected (see (9) in FIG. 13), acquires the user information associated with the acquired line information, performs user authentication using that user information (see (10) in FIG. 13), and transmits the obtained user authentication result to the service provider device by redirect communication via the user device (see (11) in FIG. 13). Specifically, as in the first embodiment, the user device is determined to be a legitimate user device on the basis that the network operator device stores user information associated with the line information, and “authentication passed (permitted)” is transmitted to the service provider device as the authentication result.

  Then, when the service provider device receives the user authentication result of the user device from the network operator device by redirect communication via the user device, it controls the site access using the user authentication result (see (12) in FIG. 13). Specifically, when “authentication passed” is received as the authentication result, the service provider device registers the user account BBB in its own user management DB and permits use of the service. On the other hand, when “authentication refused” is received as the authentication result, it does not register the user account BBB in its own user management DB and rejects use of the service.

  In the fourth embodiment, the case where the service provider device manages only the created user account in its user management DB has been described. However, the present invention is not limited to this; for example, line information and user information may be managed together with the user account. In this case, the network operator device transmits the user information and the line information together with the user authentication result. The network operator device may transmit the items designated by the service provider device as the specific items to be transmitted to it, or the specific items to be transmitted may be arranged in advance; any arrangement or timing of designation may be used.

  Then, when the network operator device transmits the user information and the line information together with the user authentication result, the user management DB of the service provider device stores, as shown in FIG. 14, user information consisting of a “user account” that uniquely identifies the user, a “contractor” giving the user's name, an “address” giving the user's address, a “credit card number” from which the usage fee is paid, and a “communication fee payment presence / absence” indicating whether communication fees are paid, for example “Tarou, patent Taro, Tokyo ..., 1111-1111-1111-1111, yes”. As shown in FIG. 15, it also stores line information consisting of a “user account” that uniquely identifies the user, a “line identifier” that uniquely identifies the line, a “line accommodation position” indicating the location of the line, a “line type” indicating the type of the contracted line, a “line speed” indicating the speed of the contracted line, and “line authentication information” indicating the authentication information of the line, for example “natsu, 798, #C900, xDSL, 47Mbps~5Mbps, *********”.

  As described above, according to the fourth embodiment, by managing the user account in the service provider device, the user account can be managed while the processing load of user authentication in the service provider device is reduced.

  Although the embodiments of the present invention have been described so far, the present invention may be implemented in various different forms other than the embodiments described above. Therefore, different embodiments will be described below.

[Line information]
For example, in the first to third embodiments described above, the method using the line identifier, line accommodation position, line type, line speed, and line authentication information as the line information has been described. The present invention is not limited to this, and any method using information related to the line may be used, such as a method using a logical number (telephone number, IP address, etc.) assigned to the line as the line information, or a method using the installation location of the line (address, latitude / longitude, etc.).

[System configuration, etc.]
Among the processes described in the present embodiment, all or part of the processes described as being performed automatically (for example, transmission of an electronic signature) may be performed manually (for example, a confirmation screen asking whether to transmit the electronic signature is output to a monitor or the like, the operator enters confirmation, and the electronic signature is then transmitted). In addition, the processing procedures, control procedures, specific names, and information including various data and parameters shown in the document and drawings (for example, the user management database unit 121 and the service provider management database unit 122) can be changed arbitrarily unless otherwise specified.

  Each component of each illustrated device is functionally conceptual and need not be physically configured as illustrated. That is, the specific form of distribution or integration of each device is not limited to that shown in the figures (for example, FIG. 2), and all or part of it can be distributed or integrated functionally or physically in arbitrary units according to various loads and usage conditions (for example, the user management database unit 121 and the service provider management database unit 122 may be built as a single database). Further, all or any part of each processing function performed in each device may be realized by a CPU and a program analyzed and executed by the CPU, or may be realized as hardware by wired logic.

  The processing of each functional unit described in the present embodiment (for example, the processing shown in FIG. 10) can be realized by executing a program prepared in advance on a computer such as a personal computer or a workstation. This program can be distributed via a network such as the Internet. The program can also be recorded on a computer-readable recording medium such as a hard disk, a flexible disk (FD), a CD-ROM, an MO, or a DVD, and executed by being read from the recording medium by the computer.

  As described above, the service system and the service system control method according to the present invention are useful where a network operator device that controls network connection by a user device and a service provider device that controls site access by the user device are connected via a network, and are particularly suitable for realizing highly reliable site access control in the service provider device.

BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a diagram for explaining the outline and features of the service system according to the first embodiment.
FIG. 2 is a block diagram illustrating the configuration of the service system according to the first embodiment.
FIG. 3 is a diagram for explaining a web page that the service provider device transmits to the user device.
FIG. 4 is a diagram for explaining a web page that the service provider device transmits to the user device.
FIG. 5 is a diagram for explaining the user management database unit in the network operator device.
FIG. 6 is a diagram for explaining the user management database unit in the network operator device.
FIG. 7 is a diagram for explaining the user management database unit in the network operator device.
FIG. 8 is a diagram for explaining the user management database unit in the network operator device.
FIG. 9 is a diagram for explaining the user management database unit in the network operator device.
FIG. 10 is a sequence diagram showing the procedure of processing by the service system according to the first embodiment.
FIG. 11 is a diagram for explaining the outline and features of the service system according to the second embodiment.
FIG. 12 is a diagram for explaining the user management database unit in the network operator device according to the second embodiment.
FIG. 13 is a diagram for explaining the outline and features of the service system according to the fourth embodiment.
FIG. 14 is a diagram for explaining the user management database unit in the network operator device according to the fourth embodiment.
FIG. 15 is a diagram for explaining the user management database unit in the network operator device according to the fourth embodiment.

Explanation of symbols

100 Network operator device
110 Communication control I/F unit
120 Storage unit
121 User management database unit
122 Service provider management database unit
130 Control unit
131 Authentication processing unit
132 Line information acquisition unit
133 User authentication result transmission unit
200 Service provider device
210 Communication control I/F unit
220 Storage unit
230 Control unit
231 SP site access response unit
232 User authentication request transmission unit
233 Access control unit
300 User device

Claims (7)

  1. A service system in which a network operator device that controls network connection by a user device and a service operator device that controls site access by the user device are connected via a network,
    The network operator device is:
    User information storage means for storing user information related to a user of a user device permitted to connect to the network after user registration, in association with line information related to a line to which the user device is connected;
    Line information related to the line to which the user device is connected when a user authentication request for requesting user authentication of the user device is received from the service provider device by redirect communication via the user device. Line information acquisition means for acquiring
    User authentication result obtained by acquiring user information associated with the line information acquired by the line information acquisition means from the user information storage means and performing the user authentication using the user information A user authentication result transmitting means for transmitting to the service provider device by redirect communication via the user device;
    The service provider device is:
    User authentication request transmitting means for transmitting, when the site access request is received from the user device, a user authentication request for requesting user authentication of the user device to the network operator device, which permits the user device to connect to the network and stores the user information and the line information in association with each other, by redirect communication via the user device;
    An access control means for controlling the site access using the user authentication result when the user authentication result of the user device is received from the network operator device by redirect communication via the user device;
    A service system characterized by comprising:
  2. The service system according to claim 1, wherein the user authentication result transmitting means transmits, to the service provider device, a user authentication result obtained by performing the user authentication using the line information in addition to the user information.
  3. The user authentication request transmission means further includes a contract management request for requesting contract management between the user device and the service provider device together with a user authentication request for requesting user authentication of the user device. Send
    When receiving the contract management request from the service provider device, the user information storage means relates to a contract between the user device and the service provider device in association with the user information. The service system according to claim 1, wherein contract information is stored.
  4. The user authentication result transmitting means transmits, in addition to the user authentication result, expiration date information indicating an expiration date of the user authentication result to the service provider device,
    The service system according to claim 1, wherein, when the access control means receives the expiration date information in addition to the user authentication result from the network operator device, it controls the site access using the user authentication result on condition that the expiration date indicated in the expiration date information is satisfied.
  5. The user authentication result transmitting means transmits, in addition to the user authentication result, an electronic signature signed by the network operator device to the service operator device,
    The service system according to claim 1, wherein, when the access control means receives the electronic signature from the network operator device in addition to the user authentication result, it controls the site access using the user authentication result on condition that the electronic signature is valid.
  6. The user authentication result transmitting means is provided that, in addition to the user authentication request from the service provider device, when the electronic signature signed by the service provider device is received, the electronic signature is valid. And sending the user authentication result to the service provider device,
    The service system according to claim 1, wherein the user authentication request transmission unit transmits the electronic signature to the network operator device in addition to the user authentication request.
  7. A service system control method for controlling a service system in which a network operator device that controls network connection by a user device and a service operator device that controls site access by the user device are connected via a network. And
    The network operator device is:
    A user information storage step of storing user information related to a user of a user device permitted to connect to the network after user registration, in association with line information related to a line to which the user device is connected;
    Line information related to the line to which the user device is connected when a user authentication request for requesting user authentication of the user device is received from the service provider device by redirect communication via the user device. Line information acquisition process to acquire,
    User authentication result obtained by acquiring user information associated with the line information acquired by the line information acquisition step from the user information storage step, and performing the user authentication using the user information A user authentication result transmission step for transmitting to the service provider device by redirect communication via the user device;
    The service provider device is:
    A user authentication request transmitting step of transmitting, when the site access request is received from the user device, a user authentication request for requesting user authentication of the user device to the network operator device, which permits the user device to connect to the network and stores the user information and the line information in association with each other, by redirect communication via the user device;
    An access control step of controlling the site access using the user authentication result when the user authentication result of the user device is received from the network operator device by redirect communication via the user device;
    A service system control method comprising:
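The redirect flow of claim 7, as an added illustration that is not part of the patent or NTT's implementation: a Python simulation in which the service provider and the network operator exchange the authentication request and result through the user device, with the network operator resolving the user from line information rather than from credentials. The shared HMAC key (standing in for the electronic signature of claim 6), the address-to-line and line-to-user tables, and the signing of the result on its way back through the user device are constructed assumptions.

```python
import hashlib, hmac, secrets
from urllib.parse import urlencode

# Constructed key shared by service provider (SP) and network operator (NW): it stands
# in for the electronic signature of claim 6 and, by assumption, also signs the result.
SP_NW_KEY = b"constructed-sp-nw-shared-key"
# Constructed NW tables: source address -> access line, line -> registered user info.
LINE_BY_ADDR = {"192.0.2.10": "line-0001"}
USER_INFO = {"line-0001": {"user_id": "alice"}}

def sign(params: dict) -> str:
    # HMAC over the canonical (sorted) query-string form of the message
    msg = urlencode(sorted(params.items())).encode()
    return hmac.new(SP_NW_KEY, msg, hashlib.sha256).hexdigest()

def sp_build_auth_request(sp_id: str, req_id: str) -> dict:
    # User authentication request transmission step: signed request that the SP
    # sends to NW by redirecting the user's browser; req_id binds the later result.
    params = {"sp": sp_id, "req": req_id}
    params["sig"] = sign(params)
    return params

def nw_handle_auth_request(params: dict, client_addr: str) -> dict:
    # Line information acquisition and user authentication result transmission steps.
    sig = params.pop("sig", "")
    if not hmac.compare_digest(sig, sign(params)):
        return {"req": params.get("req", ""), "result": "reject"}
    line = LINE_BY_ADDR.get(client_addr)   # line the user device is connected on
    user = USER_INFO.get(line)             # user info stored against that line
    result = {"req": params["req"], "result": "ok" if user else "reject"}
    if user:
        result["user_id"] = user["user_id"]
    result["sig"] = sign(result)           # result is redirected back through the browser
    return result

def sp_access_control(result: dict, expected_req: str) -> bool:
    # Access control step: trust the result only if its signature verifies and it
    # answers the request this SP actually issued.
    sig = result.pop("sig", "")
    if not hmac.compare_digest(sig, sign(result)):
        return False
    return result.get("req") == expected_req and result.get("result") == "ok"

def run_flow(client_addr: str, tamper: bool = False) -> bool:
    # One site access attempt; tamper=True edits the result in the browser without re-signing.
    req_id = secrets.token_hex(8)
    result = nw_handle_auth_request(sp_build_auth_request("sp.example", req_id), client_addr)
    if tamper:
        result["result"] = "ok"
    return sp_access_control(result, req_id)
```

Because both messages pass through the user device, the SP can only rely on the result if it is integrity-protected and bound to the request it issued; a device on an unregistered line, or one that edits the redirected result, is denied.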
JP2006188493A 2006-07-07 2006-07-07 Service system and service system control method Active JP4551369B2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
JP2006188493A JP4551369B2 (en) 2006-07-07 2006-07-07 Service system and service system control method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
JP2006188493A JP4551369B2 (en) 2006-07-07 2006-07-07 Service system and service system control method

Publications (2)

Publication Number Publication Date
JP2008015936A JP2008015936A (en) 2008-01-24
JP4551369B2 true JP4551369B2 (en) 2010-09-29

Family

ID=39072859

Family Applications (1)

Application Number Title Priority Date Filing Date
JP2006188493A Active JP4551369B2 (en) 2006-07-07 2006-07-07 Service system and service system control method

Country Status (1)

Country Link
JP (1) JP4551369B2 (en)

Families Citing this family (35)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8713623B2 (en) 2001-09-20 2014-04-29 Time Warner Cable Enterprises, LLC Technique for effectively providing program material in a cable television system
US8312267B2 (en) 2004-07-20 2012-11-13 Time Warner Cable Inc. Technique for securely communicating programming content
US8266429B2 (en) 2004-07-20 2012-09-11 Time Warner Cable, Inc. Technique for securely communicating and storing programming material in a trusted domain
US8520850B2 (en) 2006-10-20 2013-08-27 Time Warner Cable Enterprises Llc Downloadable security and protection methods and apparatus
US8732854B2 (en) 2006-11-01 2014-05-20 Time Warner Cable Enterprises Llc Methods and apparatus for premises content distribution
US8621540B2 (en) 2007-01-24 2013-12-31 Time Warner Cable Enterprises Llc Apparatus and methods for provisioning in a download-enabled system
US9357247B2 (en) 2008-11-24 2016-05-31 Time Warner Cable Enterprises Llc Apparatus and methods for content delivery and message exchange across multiple content delivery networks
US9215423B2 (en) 2009-03-30 2015-12-15 Time Warner Cable Enterprises Llc Recommendation engine apparatus and methods
JP5192439B2 (en) * 2009-05-12 2013-05-08 日本電信電話株式会社 User authentication system, proxy device, user authentication method and program
US9602864B2 (en) 2009-06-08 2017-03-21 Time Warner Cable Enterprises Llc Media bridge apparatus and methods
US9237381B2 (en) 2009-08-06 2016-01-12 Time Warner Cable Enterprises Llc Methods and apparatus for local channel insertion in an all-digital content distribution network
US8396055B2 (en) 2009-10-20 2013-03-12 Time Warner Cable Inc. Methods and apparatus for enabling media functionality in a content-based network
US10264029B2 (en) 2009-10-30 2019-04-16 Time Warner Cable Enterprises Llc Methods and apparatus for packetized content delivery over a content delivery network
US9635421B2 (en) 2009-11-11 2017-04-25 Time Warner Cable Enterprises Llc Methods and apparatus for audience data collection and analysis in a content delivery network
US9519728B2 (en) 2009-12-04 2016-12-13 Time Warner Cable Enterprises Llc Apparatus and methods for monitoring and optimizing delivery of content in a network
US9342661B2 (en) 2010-03-02 2016-05-17 Time Warner Cable Enterprises Llc Apparatus and methods for rights-managed content and data delivery
JP5521736B2 (en) * 2010-04-23 2014-06-18 富士ゼロックス株式会社 Communication control device, communication control program, and communication control system
US9300445B2 (en) 2010-05-27 2016-03-29 Time Warner Cable Enterprise LLC Digital domain content processing and distribution apparatus and methods
US9906838B2 (en) * 2010-07-12 2018-02-27 Time Warner Cable Enterprises Llc Apparatus and methods for content delivery and message exchange across multiple content delivery networks
US8997136B2 (en) 2010-07-22 2015-03-31 Time Warner Cable Enterprises Llc Apparatus and methods for packetized content delivery over a bandwidth-efficient network
US9185341B2 (en) 2010-09-03 2015-11-10 Time Warner Cable Enterprises Llc Digital domain content processing and distribution apparatus and methods
US10148623B2 (en) 2010-11-12 2018-12-04 Time Warner Cable Enterprises Llc Apparatus and methods ensuring data privacy in a content distribution network
US9467723B2 (en) 2012-04-04 2016-10-11 Time Warner Cable Enterprises Llc Apparatus and methods for automated highlight reel creation in a content delivery network
US9565472B2 (en) 2012-12-10 2017-02-07 Time Warner Cable Enterprises Llc Apparatus and methods for content transfer protection
US9313568B2 (en) 2013-07-23 2016-04-12 Chicago Custom Acoustics, Inc. Custom earphone with dome in the canal
US9935833B2 (en) 2014-11-05 2018-04-03 Time Warner Cable Enterprises Llc Methods and apparatus for determining an optimized wireless interface installation configuration
US10116676B2 (en) 2015-02-13 2018-10-30 Time Warner Cable Enterprises Llc Apparatus and methods for data collection, analysis and service modification based on online activity
US9986578B2 (en) 2015-12-04 2018-05-29 Time Warner Cable Enterprises Llc Apparatus and methods for selective data network access
US9918345B2 (en) 2016-01-20 2018-03-13 Time Warner Cable Enterprises Llc Apparatus and method for wireless network services in moving vehicles
US10404758B2 (en) 2016-02-26 2019-09-03 Time Warner Cable Enterprises Llc Apparatus and methods for centralized message exchange in a user premises device
US10492034B2 (en) 2016-03-07 2019-11-26 Time Warner Cable Enterprises Llc Apparatus and methods for dynamic open-access networks
US10164858B2 (en) 2016-06-15 2018-12-25 Time Warner Cable Enterprises Llc Apparatus and methods for monitoring and diagnosing a wireless network
US10645547B2 (en) 2017-06-02 2020-05-05 Charter Communications Operating, Llc Apparatus and methods for providing wireless service in a venue
US10638361B2 (en) 2017-06-06 2020-04-28 Charter Communications Operating, Llc Methods and apparatus for dynamic control of connections to co-existing radio access networks
US10368255B2 (en) 2017-07-25 2019-07-30 Time Warner Cable Enterprises Llc Methods and apparatus for client-based dynamic control of connections to co-existing radio access networks

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2005339093A (en) * 2004-05-26 2005-12-08 Nippon Telegr & Teleph Corp <Ntt> Authentication method, authentication system, authentication proxy server, network access authenticating server, program, and storage medium

Also Published As

Publication number Publication date
JP2008015936A (en) 2008-01-24

Similar Documents

Publication Publication Date Title
US10389755B2 (en) Distributed secure content delivery
US20180060761A1 (en) Digital rights management (drm)-enabled policy management for an identity provider in a federated environment
JP6033990B2 (en) Multiple resource servers with a single flexible and pluggable OAuth server, OAuth protected REST OAuth permission management service, and OAuth service for mobile application single sign-on
US9800586B2 (en) Secure identity federation for non-federated systems
US10146948B2 (en) Secure network access
US20160119352A1 (en) Method and system for account management
US9985969B1 (en) Controlling use of computing-related resources by multiple independent parties
US8677451B1 (en) Enabling seamless access to a domain of an enterprise
US10673985B2 (en) Router-host logging
CN102597981B (en) Modular device authentication framework
JP5567011B2 (en) Method and service integration platform system for providing Internet services
US8386776B2 (en) Certificate generating/distributing system, certificate generating/distributing method and certificate generating/distributing program
JP4301997B2 (en) Authentication method for information appliances using mobile phones
JP5052523B2 (en) Authenticating principals in a federation
US8793759B2 (en) Authentication collaboration system and ID provider device
US7444519B2 (en) Access control for federated identities
US7849204B2 (en) Distributed network identity
US6789193B1 (en) Method and system for authenticating a network user
US8635679B2 (en) Networked identity framework
DE69633564T2 (en) Access control and monitoring system for internet servers
US7475146B2 (en) Method and system for accessing internet resources through a proxy using the form-based authentication
KR100464755B1 (en) User authentication method using user&#39;s e-mail address and hardware information
EP1530860B1 (en) Method and system for user-determined authentication and single-sign-on in a federated environment
US8122138B2 (en) Method and system for user-determined attribute storage in a federated environment
EP2106087B1 (en) Method and apparatus for handling security level of device on network

Legal Events

Date Code Title Description
A131 Notification of reasons for refusal; Free format text: JAPANESE INTERMEDIATE CODE: A131; Effective date: 20100427
A521 Written amendment; Free format text: JAPANESE INTERMEDIATE CODE: A523; Effective date: 20100621
TRDD Decision of grant or rejection written
A01 Written decision to grant a patent or to grant a registration (utility model); Free format text: JAPANESE INTERMEDIATE CODE: A01; Effective date: 20100706
A61 First payment of annual fees (during grant procedure); Free format text: JAPANESE INTERMEDIATE CODE: A61; Effective date: 20100709
R150 Certificate of patent or registration of utility model; Ref document number: 4551369; Country of ref document: JP; Free format text: JAPANESE INTERMEDIATE CODE: R150
FPAY Renewal fee payment (event date is renewal date of database); Free format text: PAYMENT UNTIL: 20130716; Year of fee payment: 3
S531 Written request for registration of change of domicile; Free format text: JAPANESE INTERMEDIATE CODE: R313531
R350 Written notification of registration of transfer; Free format text: JAPANESE INTERMEDIATE CODE: R350