JP4897503B2 - Account linking system, account linking method, linkage server device - Google Patents

Description

  The present invention relates to a technique for linking IDs when a plurality of different server devices pay out their IDs to the same user. More specifically, it relates to account linking.

While various services such as net banking are online, security damage such as phishing and ID theft is also increasing. In particular, when using a service that requires authentication via a fixed network, user authentication using a password is generally used. User authentication based on passwords can be introduced relatively easily because the introduction cost is low, but it is exposed to threats such as impersonation and eavesdropping.
On the other hand, in the mobile network, a highly secure authentication framework such as an authentication method using a tamper-resistant SIM card and PKI is being prepared.

Against this background, multi-channel authentication technology that can separate a channel that uses a service and an authentication channel necessary to use the service and perform authentication in a more reliable manner has attracted attention. . For example, Patent Document 1 discloses a technique for using an online service in a fixed network by authentication using a mobile terminal via a mobile network. In this technique, a communication terminal that does not have authentication information such as an electronic certificate performs authentication (authentication cooperation) using authentication information of another communication terminal.
JP 2006-174320 A

  In order to realize such authentication cooperation, different user accounts assigned to different communication terminals (hereinafter also referred to as IDs). ] (ID collaboration) is required. The life cycle of ID linkage is (1) account linking, (2) SSO (Single Sign-On), (3) linkage information change, (4) SLO (Single Log-Out), (5) account linking cancellation, and so on. Become. The aforementioned multi-channel authentication technology is a technology related to SSO, that is, a portion that makes it possible to use a desired service by using authentication using a mobile terminal such as a mobile phone for user authentication for receiving a desired service. There are currently no account linking (creating an environment where Single Sign-On can be performed by ID linkage) system that is required in advance.

  In short, multi-channel authentication technology separates the channel that uses the service (service channel) and the channel that performs the authentication necessary to use the service (authentication channel), so authentication is required to actually provide the service. However, the preconditions for performing multi-channel authentication, that is, a method for realizing account linking has not been studied.

Note that SAML v2.0 (see Reference 1) is a standard technology related to ID linkage, but this method transmits information between server devices via the same Web browser. Cooperation processing needs to be performed via the same Web browser. For this reason, when it is necessary to access the server device from the different communication terminals (client devices) via the respective communication networks, the standard SAML technology cannot be applied as it is to perform ID linkage.
(References)
OASIS (Organization for the Advancement of Structured Information Standards), "Security Assertion Markup Language (SAML) v2.0", [Searched on January 19, 2007], Internet <URL: http: //www.oasis-open. org / specs / index.php # samlv2.0>

  In the SAML account linking method, the user is authenticated by the service provider (SP) and the identity provider (IDP) with their respective IDs, and the account linking is requested from the SP to the IDP. At this time, since these series of processes are performed via the same Web browser, for example, the IDP requested by the cookie function of the Web browser can be identified to which (authenticated) ID. Accordingly, account linking can be performed without exchanging the real ID between the SP and the IDP. That is, the account linking method using SAML is established on the assumption that the SP and the IDP communicate via the same browser. On the other hand, multi-channel authentication also plans an authentication path between different networks, a fixed network and a mobile network, and the communication terminals for accessing each authentication server device during authentication processing are different. The series of processes cannot be performed via the same Web browser. That is, SAML, which is a standard technology for ID collaboration, cannot be applied as it is to a model for realizing multi-channel authentication.

  By the way, as a method for establishing ID linkage by pseudonyms, a method of distributing a pseudonym identifier between communication devices is conceivable. However, since the kana identifier is information managed in the database for a long time, it is not desirable that this kana identifier is leaked. Therefore, a method of transmitting / receiving information that is more temporary than the kana identifier between communication devices is desirable.

The present invention, by the discovery of the problem, and an object account linking system for implementing the ID federation, account linking process, to provide a link server equipment.

  In order to solve the above-described problem, in the present invention, the account linking system includes at least a first cooperation server device, a second cooperation server device, a first client device, and a second client device. Thus, at least one of the first cooperation server device and the second cooperation server device is common to the account of the first client device (first user information) and the account of the second client device (second user information). And a transmission means A1 capable of providing the cooperation information to the outside of its own cooperation server device, as well as the cooperation information generation means and the transmission means A1. The cooperation server device (receiving device) of the other party of the cooperation server device (supplying device) acquires the cooperation information. Comprises signal means R1. The first cooperation server device includes reference information generation means for generating reference information that is information corresponding to the cooperation information, and transmission means A2 capable of providing the reference information to the outside of the first cooperation server device. , A first user information management database, and a first DB management means capable of registering at least the linkage information in the first user information management database. The first client device includes a receiving unit R2 capable of acquiring the reference information and a providing unit A3 capable of providing the acquired reference information to at least the second client device. The second client device includes: The acquisition means R3 capable of acquiring the reference information and the transmission means A4 capable of providing the acquired reference information to at least the second cooperation server device. Further, the second cooperation server device includes a receiving means R4 capable of acquiring the reference information, a second user information management database, and a second DB management means capable of registering at least the cooperation information in the second user information management database. With. In this system, the receiving side device acquires the cooperation information corresponding to the reference information generated by the supply side device, and the first DB management means stores the cooperation information in the first user information management. The second DB management means registers the linkage information in the second user information management database in association with the second user information in association with the first user information.

  In the account linking method of the present invention, in the above-described account linking system, the cooperation information generation unit generates the cooperation information generation step, and the transmission unit A1 transmits the cooperation information to the supply side device. A reference to the transmission step A1 provided to the outside, the reception step R1 in which the reception means R1 acquires the cooperation information, and the reference information generation means of the first cooperation server device is information corresponding to the cooperation information A reference information generation step for generating information; a transmission step A2 for providing the reference information to the outside of the first cooperation server device; and a reception means for the first client device. R2 receives the reference information R2 and the first client device providing means A3 acquires the reference information. The providing step A3 for providing the reference information to at least the second client device, the obtaining step R3 for obtaining the reference information by the obtaining means R3 for the second client device, and the transmitting means A4 for the second client device A transmission step A4 for providing the acquired reference information to at least the second cooperation server device; a reception step R4 for the reception means R4 of the second cooperation server device to acquire the reference information; and the first cooperation server. A first registration step in which the first DB management means of the device registers the linkage information in the first user information management database of the first linkage server device in association with the first user information; and the second linkage server The second DB management means of the device transfers the linkage information to the second user information management database of the second linkage server device. Account linking method and a second registration step of registering in association with the serial second user information are (hereinafter referred to as the basic method.).

  In short, according to the present invention, the reference information is distributed among the devices constituting the account linking system via the first client device and the second client device as appropriate, and one linked server device uses the reference information as a clue. The generated linkage information is passed to the other linkage server device. Therefore, the first cooperation server device registers the cooperation information in association with the account of the first client device (first user information), and the second cooperation server device stores the cooperation information as the account of the second client device (second User information). That is, the first linkage server device and the second linkage server device are linked using linkage information as a trap. In addition, you may make it discriminate | determine which cooperation server apparatus is cooperated by cooperation destination server information (information which shows the cooperation server apparatus of a cooperation destination).

Regarding the above basic method, assuming that the supply side device is the first cooperation server device, the reception side device is the second cooperation server device, the transmission step A4 is performed by the second client device. The transmission means A4 provides the reference information to the second cooperation server device by transmitting request information that is information including the reference information, and the reception step R4 includes the second cooperation server device. The receiving means R4 receives the request information to acquire the reference information, and the transmission means A5 of the second cooperation server device sends the request information to the first cooperation server device. A transmitting step A5 for transmitting, and a receiving step R5 for receiving the request information from the second cooperative server device by the receiving means R5 of the first cooperative server device. In the transmission step A1, when the transmission unit A1 of the first cooperation server device receives the request information, the cooperation information corresponding to the reference information included in the request information is provided to the second cooperation server device. The receiving step R1 is an account linking method characterized in that the receiving means R1 of the second linkage server device acquires the linkage information from the first linkage server device. Good.
This is a method in which the second cooperation server device acquires the cooperation information from the first cooperation server device without passing through the first client device and the second client device. That is, exchange of linkage information is performed under a two-party communication structure of the first linkage server device and the second linkage server device, and a conventional communication protocol such as SAML can be used.

In addition, regarding the above-described basic method, assuming that the supply side device is the first cooperation server device, the reception side device is the second cooperation server device, and the transmission step A4 is performed by the second client. The transmission means A4 of the device provides the reference information to the second cooperation server device by transmitting first request information that is information including the reference information, and the reception step R4 includes the first request information. The receiving means R4 of the two cooperation server devices acquires the reference information by receiving the first request information, and the transmission means A6 of the second cooperation server device includes the reference information. The transmission step A6 for transmitting the second request information, which is information, to the second client device and the transfer means T1 of the second client device from the second cooperative server device The transfer step T1 for transferring the received second request information to the first cooperation server device, and the transfer means T2 of the second client device use the first cooperation server device for the cooperation information provided by the first cooperation server device. A transfer step T2 for transferring to the two cooperative server devices, and a receiving step R6 for receiving the second request information from the second client device by the receiving means R6 of the first cooperative server device, and the transmitting step When the transmission unit A1 of the first cooperation server device receives the second request information from the second client device, A1 sends the cooperation information corresponding to the reference information included in the second request information to the first information. The receiving step R1 is performed by the receiving means R1 of the second cooperation server device in the second client device. May account linking method, wherein a from and acquires the cooperation information.
This is a method in which the second cooperation server device acquires the cooperation information from the first cooperation server device via the second client device. That is, the exchange of cooperation information is performed under the three-party communication structure of the first cooperation server apparatus and the second cooperation server apparatus through the second client apparatus, and a conventional communication protocol such as SAML is used. it can.

Further, in the above basic method, the supply side device is the second cooperation server device, the reception side device is the first cooperation server device, and further the transmission means of the first client device A7 transmits the first request information which is information including the reference information to the first cooperation server device, and the reception means R7 of the first cooperation server device receives the first request from the first client device. Receiving step R7 for receiving 1 request information, transmitting step A8 for transmitting the second request information, which is information including the reference information, by the transmitting means A8 of the first cooperation server device, A transfer unit T3 of the first client device transfers the second request information transmitted from the first cooperation server device to the second cooperation server device. Transfer step T4 in which the transfer means T4 of the first client device transfers the cooperation information provided from the second cooperation server device to the first cooperation server device, and the second cooperation server device. The receiving means R7 has a receiving step R7 for receiving the second request information from the first client device, and the transmitting step A1 is performed by the transmitting means A1 of the second cooperative server device. When the second request information is received from the client device, the cooperation information corresponding to the reference information included in the second request information is provided to the first client device, and the reception step R1 includes the first request information. The account link characterized in that the receiving means R1 of the cooperation server device acquires the cooperation information from the first client device. Ring method (hereinafter, referred to as method 3.) It may be.
This is a method in which the first cooperation server device acquires the cooperation information from the second cooperation server device via the first client device. That is, exchange of linkage information is performed under a three-party communication structure of the first linkage server device and the second linkage server device via the first client device, and a conventional communication protocol such as SAML is used. it can.

In addition, regarding the basic method described above, assuming that the supply side device is the second linkage server device, the receiving side device is the first linkage server device, and the transmission step A2 is the first linkage server. The transmission unit A2 of the server device transmits first request information that is information including the reference information to the first client device, and the transfer unit T5 of the first client device further includes the first cooperation. Transfer step T5 for transferring the first request information transmitted from the server device to the second cooperation server device, and transfer means T6 of the first client device include the cooperation information provided from the second cooperation server device. Is transferred to the first cooperation server device, and the reception step R6 of the second cooperation server device receives the first request information. 8 and transmission step A9 in which the transmission means A9 of the second cooperation server device provides the first client device with the reference information included in the received first request information, and the reception step R2 The receiving means R2 of the first client device acquires the reference information from the second cooperation server device, and the transmission means A10 of the first client device is information including the reference information. A transmission step A10 for transmitting certain second request information to the second cooperation server device, and a reception step R9 for receiving the second request information by the receiving means R9 of the second cooperation server device, When the transmission means A1 of the second cooperation server device receives the second request information from the first client device, the transmission step A1 is performed when the second request information is received. The cooperation information corresponding to the reference information included in the first client device is provided to the first client device. In the reception step R1, the reception unit R1 of the first cooperation server device receives the first client device from the first client device. An account linking method (hereinafter referred to as “method 4”) characterized in that it obtains linkage information.
This is a method in which the first cooperation server device acquires the cooperation information from the second cooperation server device via the first client device. That is, exchange of linkage information is performed under a three-party communication structure of the first linkage server device and the second linkage server device via the first client device, and a conventional communication protocol such as SAML is used. it can. The method 4 differs from the method 3 depending on whether the account linking initiative is performed by the first client device or the first cooperation server device.

  In any of the above methods, in the first registration step, the first DB management unit of the first cooperation server device stores the cooperation information in the first user information management database of the first cooperation server device. It is a step of registering in association with cooperation destination server information, which is information indicating the cooperation server device of the first cooperation server device, and the second registration step is a second DB management means of the second cooperation server device However, the cooperation information is also registered in the second user information management database of the second cooperation server device in association with the cooperation destination server information that is information indicating the cooperation server device of the second cooperation server device. It is possible to provide an account linking method characterized by the step of

The account linking system of the present invention includes the following cooperative server device and client device.
First, as a linkage server device that can be a component of the account linking system of the present invention, an account (user information a) of a client device (client device a) and an account of a client device (client device b) different from the client device a ( Cooperation information generation means for generating cooperation information that is common information to user information b), transmission means A1 that can provide the cooperation information to the outside, and reference for generating reference information that is information corresponding to the cooperation information Information generating means, transmitting means A2 capable of providing the reference information to the outside, user information management database a in which at least the user information a is registered, the user information management database a, and the cooperation with the user information a A linkage server device provided with DB management means a capable of registering information in association with each other That.

  Alternatively, receiving means for acquiring cooperation information that is information common to an account (user information a) of a client device (client device a) and an account (user information b) of a client device (client device b) different from the client device a R1, reference information generating means for generating reference information that is information corresponding to the linkage information, transmission means A2 capable of providing the reference information to the outside, and a user information management database in which at least the user information a is registered There is a cooperation server device provided with a and DB management means a capable of registering the cooperation information in association with the user information a in the user information management database a.

  Alternatively, linkage information for generating linkage information that is information common to an account (user information a) of a client device (client device a) and an account (user information b) of a client device (client device b) different from the client device a A generating unit; a transmitting unit A1 that can provide the cooperation information to the outside; a receiving unit R4 that is able to acquire reference information that is generated by another cooperation server device and corresponds to the cooperation information; There is a cooperation server device provided with a user information management database b in which user information b is registered, a DB management means b capable of registering the user information b in association with the user information b in the user information management database b. .

  Alternatively, receiving means for acquiring cooperation information that is information common to an account (user information a) of a client device (client device a) and an account (user information b) of a client device (client device b) different from the client device a R1, a receiving means R4 that is generated by another cooperation server device and can acquire reference information that is information corresponding to the cooperation information, a user information management database b in which at least the user information b is registered, and the above In the user information management database b, there is a cooperation server device provided with DB management means b capable of registering the cooperation information in association with the user information b.

Next, as a client device that can be a component of the account linking system of the present invention, a receiving unit R2 that can acquire reference information that is information corresponding to cooperation information that is common information among the cooperation server devices, There is a client device provided with providing means A3 capable of providing the reference information to at least another client device.
Furthermore, acquisition means R3 that can acquire reference information that is information corresponding to cooperation information that is common information among the cooperation server apparatuses, and transmission means A4 that can provide the acquired reference information to at least the cooperation server apparatus. There is a client device provided.

  In each of the above-described devices, the transmitting unit and the receiving unit are separately represented according to information to be transmitted / received, but the present invention is not limited to realizing each of the different physical units. When these means are realized as hardware resources, each device can be realized by the same communication means.

  According to the present invention, it is possible to distribute reference information among the devices constituting the account linking system, and to pass the link information generated by one link server device to the other link server device using the reference information as a clue. The first cooperation server device registers the cooperation information in association with the account of the first client device (first user information), and the second cooperation server device stores the cooperation information as the account of the second client device ( Registered in association with the second user information). Therefore, it is understood that the user corresponding to the first user information and the user corresponding to the second user information are the same by setting the common information common to the first user information and the second user information as the first user information. ID linkage is realized between the linkage server device and the second linkage server device.

Embodiments of the present invention will be described with reference to the drawings.
In the present invention, “information” is data that can be handled by a computer.

  The account linking system (1) of the present invention includes at least a first cooperation server device (100), a second cooperation server device (200), a first client device (10), and a second client device (20). (See FIG. 1).

  Among these devices, at least between the first cooperation server device (100) and the first client device (10), between the second cooperation server device (200) and the second client device (20), the first It is assumed that the client device (10) and the second client device (20) can communicate with each other. A communication method between these devices may be based on a conventional method.

  For example, a first client device (10) that is communicably connected to the first access network (31) is connected to a first cooperative server device (100) that is communicably connected to a first access network (31) that is a fixed network. ). Then, the user information (which may include a password corresponding to the ID, for example) representing a user account (ID) is transmitted from the first client device (10) to the first cooperation server device (100), for example, for authentication processing. Is done.

  Similarly, the second client connected to the second access network (32) so as to be communicable with the second cooperation server device (200) connected to the second access network (32), which is a mobile network, for example. Accessible from the device (20). Then, for example, user information (which may include a password corresponding to the ID) representing the user account (ID) is transmitted from the second client device (20) to the second authentication server device (200), thereby performing an authentication process. Etc. are performed.

  Further, although not shown in FIG. 1, the first client device (10) and the second client device (20) can communicate with each other by, for example, wireless communication or infrared communication. The first client device (10) and the second client device (20) are owned or occupied by the same user X.

The first authentication server device (100) and the second authentication server device (200) issue user information to the user X independently of each other. Specifically, the user account (ID) of the first client device (10) that can access the first cooperation server device (100) is, for example, Joe, and the second account that can access the second cooperation server device (200). The user account (ID) of the client device (20) is, for example, Joseph.
The first authentication server device (100) holds the first user information management database (101), and the user information issued by the first authentication server device (100) is stored in the first user information management database (101). Registered. Similarly, the second authentication server device (200) holds a second user information management database (201), and user information issued by the second authentication server device (200) is stored in the second user information management database (201). Is registered with.
For this reason, the user X is in a state of holding an independent user account (ID) for each authentication domain. In the following description, user information registered in the first user information management database (101) is referred to as first user information. Similarly, user information registered in the second user information management database (201) is referred to as second user information.

  In order to construct an ID linkage in such a situation, it is necessary to associate user accounts (IDs) independent for each authentication domain. Specifically, the first user information and the second user information may be associated with each other as being related to the same user between the first cooperation server device (100) and the second cooperation server device (200). In the present invention, cooperation information that is information common to the first user information and the second user information is generated, and the cooperation information is assumed to be a trap. That is, in the first user information management database (101), cooperation information is registered in association with the first user information, and in the second user information management database (201), the same cooperation information is registered in association with the second user information. Then, this cooperation information becomes a trap, and the first user information and the second user information are related to the same user between the first cooperation server device (100) and the second cooperation server device (200). Associated.

  Therefore, how to share the cooperation information between the first cooperation server device (100) and the second cooperation server device (200) becomes a problem. In the present invention, reference information, which is information associated with cooperation information, is used as a first cooperation server device (100), a second cooperation server device (200), a first client device (10), and a second client device. The link information is shared between the first link server device (100) and the second link server device (200) using the reference information as a clue. This account linking method will be clarified in each embodiment described later together with details of the account linking system of the present invention.

  In each embodiment, there are two linked server devices. However, when there are three or more linked server devices that are linked candidates, linked information alone is not sufficient, and a linked server device is linked to which linked server device. An index is needed to identify what to do. Therefore, as such an index, it is only necessary to use cooperation destination server information that is information indicating a cooperation destination cooperation server device. In this case, it is assumed that cooperation information and cooperation destination server information are registered in association with the first user information in the first user information management database (101). Similarly, in the second user information management database (201), the second information The link information and link destination server information are registered in association with the user information.

Prior to the description of each embodiment, an example of a database configuration of each user information management database realized by executing the account linking method of the present invention will be shown.
FIG. 2A shows an example of the database configuration of the first user information management database (101) held by the first authentication server device (100) realized by executing the account linking method of the present invention. . FIG. 2B shows an example of the database configuration of the second user information management database (201) held by the second authentication server device (200), which is realized by executing the account linking method of the present invention. ing.

  In the first user information management database (101), user information, related information, and cooperation destination server information are registered in association with each other. In the example illustrated in FIG. 2A, the account information (ID), which is user information, is registered in association with Joe in association information abc123 and cooperation destination server information IDP2.

  On the other hand, in the second user information management database (201), user information, related information, and cooperation destination server information are registered in association with each other. In the example shown in FIG. 2B, the account (ID), which is user information, is registered in association with Joseph in association information abc123 and cooperation destination server information IDP1.

  Here, an example is shown in which each account is for the same user X, and the account is properly used for each client device connected to a different access network. Of course, this does not prevent you from having the same account. The account ID is not intended to be limited to alphabets, and symbols and characters such as numbers and hiragana can be used, or a combination thereof. Needless to say, the ID is recorded as information (data) recognizable by the computer.

  The account linking method of the present invention can be applied to any communication protocol. In each embodiment to be described later, description will be made assuming that the account linking method of the present invention is realized in accordance with SAML v2.0 which is a standard technology.

  Each embodiment is an execution sequence for constructing ID federation. When executed in accordance with any of the following embodiments, the first cooperation server device (100) or the second cooperation server device (200) issues the cooperation information to the first user information or the second user information. And the link destination server information are registered in association with each other, and the link information is transmitted to the other link server device. Upon receiving the cooperation information, the other cooperation server device registers the cooperation information and the cooperation destination server information in association with the user information in the other cooperation server device.

  According to such a mechanism, it is assumed that the first linkage server device and the second linkage server device each independently hold a user information management database, and that each linkage server device independently issues user information. Thus, it is possible to construct an ID linkage capable of SSO without exchanging the actual account (real ID) itself (while maintaining the privacy of each linkage server device).

  In the description of each embodiment, “authentication information” is SAML v2.0 Assertion. The “reference information” is SAML v2.0 Artifact in the first embodiment, and is a request ID such as SAML v2.0 RelayState and AuthenRequest in the second, third, and fourth embodiments. The reference information is not limited to the information exemplified here, and is not particularly limited as long as it is information (session information) indicating a session between parties. As shown in FIG. 2, “cooperation information” is a random character string / symbol string that is shared between cooperation server apparatuses that establish ID cooperation. The “message including reference information” is information that is transmitted and received between devices in order to establish an ID linkage, and a specific form thereof can be different depending on message transmission means. Generally, information (data) representing a character string / symbol string such as text may be used, but image information such as a two-dimensional code may also be used. In this case, a message is provided by displaying a two-dimensional code including reference information on a display device such as a display. Then, the displayed two-dimensional code is read by a two-dimensional code reading means such as a camera, for example, and a message included in the two-dimensional code is acquired.

<< First Embodiment >>
In the first embodiment, the first cooperation server device (100) and the second cooperation server device (200) are mutually connected via the first access network (31), the second access network (32), and the Internet (33). It is assumed that communication is possible.

  FIG. 3 shows an example of an execution sequence in the first embodiment of the present invention. FIG. 4 shows an example of a system configuration for executing this execution sequence and a functional configuration necessary for each apparatus. FIG. 5 shows information managed by the user information management database held by each of the first linkage server device (100) and the second linkage server device (200) and the database configuration when executing this execution sequence. Yes. The authentication information and the reference information are information that needs to be managed temporarily in the user information management database at least when executing this execution sequence, and other information indicates information stored in the user information management database for a long time. In the first embodiment, the first cooperation server device (100) issues cooperation information.

  First, the user X inputs a user account (ID) and a password by the input means (11) exemplified by the keyboard of the first client device (10). This user account is specific to the first client device (10). The communication unit (13) of the first client device (10) is controlled by the control unit (12) of the first client device (10), and the input user account (ID) and password are first linked. It transmits to the server apparatus (100) (step S101).

  Next, when the communication unit (102) of the first cooperation server device (100) receives the user account (ID) and password transmitted in the process of step S101, the control unit (100) of the first cooperation server device (100) ( 103), the authentication unit (104) of the first cooperation server device (100) performs authentication using the received user account (ID) and password (step S102). The authentication here is so-called identity authentication (qualification authentication).

  Subsequently, the user X accesses the desired ID linkage destination linkage server device, in this case, another second client device (20) of the user X, by the input means (11) of the first client device (10). The ID link destination is specified by inputting the IP address or domain name of the possible second link server device (200) (hereinafter referred to as link destination server information). The control unit (12) of the first client device (10) controls the communication unit (13) of the first client device (10) to request ID linkage with the designated ID linkage destination <SAML request protocol < Request> is executed (step S103). In this request protocol, the input cooperation destination server information is transmitted to the first cooperation server device (100).

  Next, when the communication unit (102) of the first cooperation server device (100) receives the cooperation destination server information transmitted in the process of step S103, the control unit (103) of the first cooperation server device (100) Under the control, the cooperation information generation unit (105) of the first cooperation server device (100) generates the cooperation information (step S104).

  Next, the authentication information generation unit (106) of the first cooperation server device (100) generates authentication information (Assertion of SAML v2.0) (step S105). Here, the authentication information includes the cooperation information generated in the process of step S104.

  Further, the reference information generation unit (107) of the first cooperation server device (100) generates reference information (Artifact of SAML v2.0) that is information corresponding to the cooperation information generated in the process of step S104 ( Step S106). Since the linkage information is included in the authentication information, the reference information can be said to be information corresponding to the authentication information. Note that the reference information is information that circulates frequently in the account linking system (1), so that the information is smaller in capacity than the linkage information.

  And the message production | generation part (108) of a 1st cooperation server apparatus (100) produces | generates the message containing the reference information produced | generated by the process of step S106 (step S107).

  After this stage, the DB management unit (109) of the first cooperation server device (100) is authenticated in the first user information management database (101) as shown in FIG. 5 (a). User information (ID), linkage information, linkage destination server information (IDP2), authentication information, and reference information are registered in association with each other (step S107a). The authentication information and reference information are registered as temporary information.

  The communication unit (102) of the first linkage server device (100) receives control of the control unit (103) of the first linkage server device (100), and sends the message generated in the process of step S107 to the first client device. (10) (step S108). This is a SAML response protocol <Response> to the SAML request protocol <Request>.

Then, when the communication unit (13) of the first client device (10) receives the message transmitted in the process of step S108, the first client device (10) receives the control by the control unit (12) of the first client device (10), and first The communication unit (13) of the client device (10) transmits the message received in step S108 to the second client device (20) (step S109). The communication unit (23) of the second client device (20) receives this message.
The first client device (10) can also provide a message as a two-dimensional code to the second client device (20). In this case, the two-dimensional code generation means (not shown) of the first client device (10) generates a two-dimensional code representing the message received from the first cooperation server device (100), and the two-dimensional code is 1 Displayed on output means (liquid crystal display or the like) of the client device (10). A message stored in the first client device (10) is transmitted to the second client device (20) by photographing the two-dimensional code by the input means (21) such as a camera of the second client device (20). Is done. From this point of view, the communication unit (13) and the communication unit (23) are understood to include the output unit and the input unit as described above. Further, the provision of the message from the first client device (10) to the second client device (20) is active from the first client device (10) to the second client device (20), for example, as a transmission process. However, the present invention is not limited to a case where the message is executed in a passive manner, and includes a case where the message is executed passively as can be seen from an example in which a message is provided via image information called a two-dimensional code. Note that the form using the two-dimensional code is merely an example, and is not limited to this, and may be implemented using another communication method such as infrared communication or wireless communication.

  Subsequently, when the communication unit (23) of the second client device (20) receives the message transmitted in step S109, the control unit (22) of the second client device (20) The communication unit (23) of (20) is controlled, and the ID linkage request source (in this case, the first linkage server device. The fact that the ID linkage request source is the first linkage server device indicates in the received message The reference information included is SAML v2.0 Artifact, which can be discriminated.The SAML v2.0 Artifact includes information indicating the creation source of the Artifact). The request protocol <Request> is executed for the second cooperation server device (200) accessible by the second client device (20) (step S110). In this request protocol, reference information extracted from the message received in step S109 is transmitted to the second cooperation server device (200). The Request is received by the communication unit (202) of the second cooperation server device (200).

  Next, the user X inputs a user account (ID) and a password by the input means (21) of the second client device (20). This user account is specific to the second client device (20). The communication unit (23) of the second client device (20) is controlled by the control unit (22) of the second client device (20), and the input user account (ID) and password are second linked. It transmits to the server apparatus (200) (step S111).

  Next, when the communication unit (202) of the second linkage server device (200) receives the user account (ID) and password transmitted in the process of step S111, the control unit (200) of the second linkage server device (200) ( 203), the authentication unit (204) of the second cooperation server device (200) performs authentication using the received user account (ID) and password (step S112). The authentication here is so-called identity authentication (qualification authentication).

  Next (when the authentication in step S112 is successful), the control unit (203) of the second cooperation server device (200) controls the communication unit (202) of the second cooperation server device (200), so that The SAML request protocol <Request> for requesting ID linkage with the ID linkage destination (in this case, the first linkage server device) that is the creation source of the reference information received in the process is executed (step S113). In this request protocol, the reference information received in the process of step S110 is included in Request (corresponding to request information that is information indicating a cooperation request) and transmitted to the first cooperation server device (100). That is, the reference information is transmitted directly (without going through the first client device or the second client device) to the first cooperation server device (100).

  And if the communication part (102) of a 1st cooperation server apparatus (100) receives SAML request protocol <Request> implemented by the process of step S113, it will be by the control part (103) of a 1st cooperation server apparatus (100). Under control, the communication unit (102) of the first cooperation server device (100) directly transmits the authentication information including the cooperation information (corresponding to the received reference information) to the second cooperation server device (200). (Step S114). This is a SAML response protocol <Response> to the SAML request protocol <Request>.

  Next, when the communication unit (202) of the second cooperation server device (200) receives the authentication information transmitted in the process of step S114, the control unit (203) of the second cooperation server device (200) performs control. In response, the DB management unit (205) of the second cooperation server device (200) stores the second user information (authenticated) in the second user information management database (201) as shown in FIG. ID), linkage information extracted from the authentication information, and linkage destination server information (IDP1) indicating the ID linkage destination determined by the reference information are registered in association with each other (step S115).

  And the control part (203) of a 2nd cooperation server apparatus (200) controls the communication part (202) of a 2nd cooperation server apparatus (200), ID cooperation is carried out with respect to a 2nd client apparatus (20). The SAML response protocol <Response> for notifying that the process has been completed is executed (step S116).

  In the first embodiment, the account linking method is described as including the authentication phase from the viewpoint of matching with the multi-channel authentication technology, but the authentication phase is not essential in the account linking itself. That is, the processes in steps S101, S102, S111, and S112 are arbitrary processes that can be performed in association with account linking. In addition to a form that does not require the processes of steps S101, S102, S111, and S112, for example, a form in which the processes of steps S101, S102, S111, and S112 are performed in advance as a preprocess for account linking is conceivable. .

  In the first embodiment, since the account linking method has been described in conformity with SAML, the cooperation server device of the cooperation destination can be determined from the reference information (Artifact of SAML v2.0). However, if the reference information does not indicate the creation source of the reference information, it is necessary to separately generate the linkage destination server information and attach it to the reference information, or generate the reference information as including the linkage destination server information. Good.

<< Second Embodiment >>
In the first embodiment, a communication environment is assumed in which the first linkage server device (100) and the second linkage server device (200) can communicate with each other. In the second embodiment, a communication environment is assumed in which the first cooperation server device (100) and the second cooperation server device (200) cannot communicate with each other. However, this does not mean that the second embodiment can be applied only when the two cannot communicate with each other. Even in an environment where both can communicate with each other, the second embodiment can be applied.
In the second embodiment, although it is not guaranteed that the first cooperation server device (100) and the second cooperation server device (200) can communicate with each other, the second client device (20) (32) It is possible to access the first linkage server device (100) via the Internet (33) and the first access network (31).

  FIG. 6 shows an example of an execution sequence in the second embodiment of the present invention. An example of the system configuration for executing this execution sequence and the functional configuration necessary for each apparatus are the same as the functional configuration example shown in FIG. FIG. 11A and FIG. 11B are managed by the user information management database held by each of the first cooperation server device (100) and the second cooperation server device (200) when executing this execution sequence. Information and its database configuration. The reference information is information that needs to be temporarily managed in the user information management database at least when executing this execution sequence, and other information indicates information stored in the user information management database for a long time. In the second embodiment, the first cooperation server device (100) issues cooperation information.

  First, each process of step S201, step S202, and step S203 is sequentially performed. However, step S201 is the same as step S101, step S202 is the same as step S102, and step S203 is the same as step S103, and thus the description thereof is omitted.

  Following the processing in step S203, when the communication unit (102) of the first cooperation server device (100) receives the cooperation destination server information (IDP2) transmitted in the processing in step S203, the first cooperation server device (100 ), The reference information generation unit (107) of the first linkage server device (100) generates reference information (such as RelayState of SAML v2.0) (step S204).

Subsequently, the message generator (108) of the first cooperation server device (100) generates a message including the reference information generated in the process of step S204 (step S205).
After this stage, the DB management unit (109) of the first linkage server device (100) is authenticated in the first user information management database (101) as shown in FIG. 11 (a). User information (ID), cooperation destination server information, and reference information are registered in association with each other. The reference information is registered as temporary information.

  Subsequent to the process of step S205, the processes of step S206 and step S207 are sequentially performed. Since step S206 is the same as step S108 and step S207 is the same as step S109, the description thereof is omitted.

  When the communication unit (23) of the second client device (20) receives the message transmitted in the process of step S207, the user X uses a user account (21) by the input means (21) of the second client device (20). ID) and password. This user account is specific to the second client device (20). Then, the communication unit (23) of the second client device (20) is controlled by the control unit (22) of the second client device (20) to input the user account (ID), password, and step S207. The reference information extracted from the message transmitted in the process is transmitted to the second cooperation server device (200) (step S208).

  Next, when the communication unit (202) of the second cooperative server device (200) receives the user account (ID), password, and reference information transmitted in the process of step S208, the second cooperative server device (200) Under the control of the control unit (203), the authentication unit (204) of the second cooperation server device (200) performs authentication using the received user account (ID) and password (step S209). The authentication here is so-called identity authentication (qualification authentication).

Subsequently, the control unit (22) of the second client device (20) controls the communication unit (23) of the second client device (20) so that the second client device (20) can access the second cooperation. A SAML request protocol <Request> for requesting ID linkage with the ID linkage request source (in this case, the first linkage server device) is executed for the server device (200) (step S210). In this request protocol, the reference information extracted from the message received in the process of step S207 is transmitted to the second cooperation server device (200).
After this stage, the DB management unit (205) of the second cooperation server device (200) is authenticated in the second user information management database (201) as shown in FIG. User information (ID), cooperation destination server information indicating an ID cooperation destination determined by reference information, and reference information are registered in association with each other. The reference information is registered as temporary information.

  When the communication unit (202) of the second cooperation server device (200) receives the Request executed in the process of step S210, the control unit (203) of the second cooperation server device (200) The communication unit (202) of (200) is controlled to execute the SAML request protocol <Request> for requesting ID cooperation with the ID cooperation request source (in this case, the second cooperation server device) (step) S211). This SAML request protocol <Request> is performed by redirecting the Web browser of the second client device (20) from the second cooperation server device (200) and requesting ID cooperation from the first cooperation server device (100). The redirection is performed via the Web browser of the second client device (20) using HTTP Redirect, GET, or POST method. At this time, the Request includes reference information.

  Next, when the communication unit (102) of the first cooperation server device (100) receives the Request transmitted in the process of step S211, the control unit (103) of the first cooperation server device (100) receives control. Then, the cooperation information generation unit (105) of the first cooperation server device (100) generates the cooperation information for the authenticated ID (first user information) corresponding to the reference information received in the process of step S211. (Step S212).

  Next, the authentication information generation unit (106) of the first cooperation server device (100) generates authentication information (step S213). Here, the authentication information is SAML v2.0 Assertion, and includes the cooperation information generated in the process of step S212.

  After this stage, the DB management unit (109) of the first linkage server device (100) is authenticated in the first user information management database (101) as shown in FIG. 11 (a). User information (ID), linkage information, linkage destination server information (IDP2), authentication information, and reference information are registered in association with each other (step S213a). The authentication information is registered as temporary information.

  Next, the control unit (103) of the first linkage server device (100) controls the communication unit (102) of the first linkage server device (100), and the authentication information generated in the process of step S213 is 2. The Web browser of the client device (20) is redirected and transmitted to the second cooperation server device (200) (step S214).

  Next, when the communication unit (202) of the second cooperation server device (200) receives the authentication information transmitted in the process of step S214, the control unit (203) of the second cooperation server device (200) performs control. In response, the DB management unit (205) of the second cooperation server device (200) stores the second user information (authenticated) in the second user information management database (201) as shown in FIG. ID), linkage information, and linkage destination server information are registered in association with each other. (Step S215).

  And the control part (203) of a 2nd cooperation server apparatus (200) controls the communication part (202) of a 2nd cooperation server apparatus (200), ID cooperation is carried out with respect to a 1st client apparatus (10). The SAML response protocol <Response> for notifying that the process has been completed is executed (step S216).

  In the process of step S111 of the first embodiment, the reference information is not sent although it is the same process as step S208 of the second embodiment, while the reference information is also sent together in the process of step S208. When it is noted that the reference information is shared between the first cooperation server device (100) and the second cooperation server device (200), the same reference information is the first user information and the second user. It needs to be associated with each piece of information. Since the first cooperation server device (100) receives the ID cooperation request from the first client device (10) and generates the reference information, there is no wrinkle in the association between the first user information and the reference information. However, since the reference information is information obtained from the outside for the second linkage server apparatus (200), it is necessary to prevent wrinkles in the association between the reference information and the second user information. Therefore, generally, reference information is provided to the second cooperative server device (200) during user authentication using the second client device (20) as in the process of step S208 of the second embodiment. Thus, no wrinkles occur in the association between the second user information and the reference information. Of course, any method can be used as long as the reference information and the second user information are not associated with each other. Therefore, when the user authentication using the second client device (20) is performed, the second cooperation server device (200) It is not limited to providing reference information. What has been described here is the same in the third and fourth embodiments described later.

In this regard, also in the first embodiment, it is conceivable to perform each processing in the order of step S111 accompanied by provision of reference information, then step S112, and then step S110. Of course, such a method may be used, but in the first embodiment, the process of step S110 for transmitting the reference information from the second client device (20) to the second cooperation server device (200) is preceded. In the process of step S111, provision of reference information is unnecessary.
Conversely, in the second embodiment as well, it is conceivable to perform each processing in the order of step S210 with provision of reference information, next step S208 without provision of reference information, and then step S209 (described later). The same applies to the third embodiment and the fourth embodiment.)

  In the second embodiment, as in the first embodiment, the account linking method is described as including the authentication phase from the viewpoint of matching with the multi-channel authentication technique, but the authentication phase is not essential in the account linking itself. That is, the processes in steps S201, S202, S208, and S209 are arbitrary processes that can be performed in association with account linking. In addition to a mode that does not require the processing of steps S201, S202, S208, and S209, for example, a mode in which the processing of steps S201, S202, S208, and S209 is performed in advance as a preprocess for account linking is conceivable. . However, in the second cooperation server device (200), when the reference information is provided from the second client device (20), the second user information management database (201) corresponds the reference information to the second user information. I'll add it. What has been described here is the same in the third and fourth embodiments described later.

  In the second embodiment, since the account linking method has been described in conformity with SAML, the cooperation server device of the cooperation destination can be determined from the reference information (such as RelayState of SAML v2.0). However, if the reference information does not indicate the creation source of the reference information, it is necessary to separately generate the linkage destination server information and attach it to the reference information, or generate the reference information as including the linkage destination server information. Good (the same applies to the third and fourth embodiments described later).

<< Third Embodiment >>
In the third embodiment, as in the second embodiment, a communication environment is assumed in which the first cooperation server device (100) and the second cooperation server device (200) are not communicable with each other. However, this third embodiment is not intended to be applied only when both cannot communicate with each other. Even in an environment where both can communicate with each other, the third embodiment can be applied.
In the third embodiment, although it is not guaranteed that the first cooperation server device (100) and the second cooperation server device (200) can communicate with each other, the first client device (10) (31) It is possible to access the second linkage server device (200) via the Internet (33) and the second access network (32).

  FIG. 7 shows an example of an execution sequence in the third embodiment of the present invention. FIG. 8 shows an example of a system configuration for executing this execution sequence and functions necessary for each device. FIG. 11 shows the information managed by the user information management database held by the first cooperation server device (100) and the second cooperation server device (200) and the database configuration when executing this execution sequence. Yes. The reference information is information that needs to be temporarily managed in the user information management database at least when executing this execution sequence, and other information indicates information stored in the user information management database for a long time. In the second embodiment, the second cooperation server device (200) issues cooperation information.

  First, each process of step S301 to step S309 is sequentially performed. Step S301 is step S201, step S302 is step S202, step S303 is step S203, step S304 is step S204, step S305 is step S205, and step S306 is step. Steps S206 and S307 are the same as step S207, step S308 is the same as step S208, and step S309 is the same as step S209.

  The control unit (12) of the first client device (10) controls the communication unit (13) of the first client device (10) so that the first client device (10) can access the first cooperation server device ( 100), the SAML request protocol <Request> for requesting ID cooperation with the ID cooperation request destination (in this case, the second cooperation server device) is executed (step S310). In this request protocol, reference information extracted from the message received in step S306 is transmitted to the first cooperation server device (100).

  After the process of step S310, the control unit (103) of the first linkage server device (100) controls the communication unit (102) of the first linkage server device (100) to obtain the ID linkage request source (in this case). The SAML request protocol <Request> for requesting ID cooperation with the first cooperation server apparatus is implemented (step S311). This SAML request protocol <Request> is performed by redirecting the Web browser of the first client device (10) from the first cooperation server device (100) and requesting ID cooperation from the second cooperation server device (200). Redirection is performed via the Web browser of the first client device (10) using HTTP Redirect, GET, and POST methods. At this time, the Request includes reference information.

  Next, when the communication unit (202) of the second cooperation server device (100) receives the Request transmitted in the process of step S311, the control unit (203) of the second cooperation server device (200) receives control. Then, the cooperation information generation unit (206) of the second cooperation server device (200) generates the cooperation information for the authenticated ID (second user information) corresponding to the reference information received in the process of step S311. (Step S312).

  After this stage, the DB management unit (205) of the second cooperation server device (200) is authenticated in the second user information management database (201) as shown in FIG. User information (ID), linkage information, and linkage destination server information and reference information as necessary are registered in association with each other (step S312a). Note that the reference information may be deleted.

  Next, the authentication information generation unit (207) of the second cooperation server device (200) generates authentication information (step S313). Here, the authentication information is SAML v2.0 Assertion and includes the cooperation information generated in the process of step S312.

  Next, the control unit (203) of the second cooperation server device (200) controls the communication unit (202) of the second cooperation server device (200), and the authentication information generated in the process of step S313 is the first. The Web browser of the client device (10) is redirected and transmitted to the first cooperation server device (100) (step S314).

  Next, when the communication unit (102) of the first cooperation server device (100) receives the authentication information transmitted in the process of step S314, the control unit (103) of the first cooperation server device (100) performs control. In response to this, the DB management unit (105) of the first cooperation server device (100) stores the first user information (FIG. 11A) in which the user is authenticated as shown in FIG. ID), linkage information, and linkage destination server information are registered in association with each other (step S315).

  And the control part (203) of a 1st cooperation server apparatus (200) controls the communication part (202) of a 2nd cooperation server apparatus (200), and is ID cooperation with respect to a 1st client apparatus (10). The SAML response protocol <Response> for notifying that the process has been completed is executed (step S316).

<< 4th Embodiment >>
In the fourth embodiment, a communication environment similar to that in the third embodiment is assumed. The fourth embodiment is a modified form of the third embodiment.

  FIG. 9 shows an example of an execution sequence in the fourth embodiment of the present invention. FIG. 10 shows an example of a system configuration for executing this execution sequence and functions necessary for each device. FIG. 11 shows the information managed by the user information management database held by the first cooperation server device (100) and the second cooperation server device (200) and the database configuration when executing this execution sequence. Yes. The reference information is information that needs to be temporarily managed in the user information management database at least when executing this execution sequence, and other information indicates information stored in the user information management database for a long time. In the second embodiment, the second cooperation server device (200) issues cooperation information.

  First, each process of step S401 to step S404 is sequentially performed. However, step S401 is the same as step S301, step S402 is the same as step S302, step S403 is the same as step S303, and step S404 is the same as step S304, and thus description thereof is omitted.

  Subsequent to the processing in step S404, the control unit (103) of the first linkage server device (100) controls the communication unit (102) of the first linkage server device (100) to obtain an ID linkage request source (in this case). Is the first cooperation server device), and executes the SAML request protocol <Request> for requesting the ID cooperation (step S405). This SAML request protocol <Request> is performed by redirecting the Web browser of the first client device (10) from the first cooperation server device (100) and requesting ID cooperation from the second cooperation server device (200). Redirection is performed via the Web browser of the first client device (10) using HTTP Redirect, GET, and POST methods. At this time, the Request includes reference information.

  Next, when the communication unit (202) of the second cooperation server device (200) receives the Request transmitted in the process of step S405, the control unit (203) of the second cooperation server device (200) receives control. Then, the message generation unit (208) of the second cooperation server device (200) generates a message including the reference information included in the received Request (Step S406).

  Next, the communication unit (202) of the second cooperation server device (200) receives the control generated by the process of step S406 in response to the control by the control unit (203) of the second cooperation server device (200). 1 is transmitted to the client device (10) (step S407).

  Steps S408 to S410 are sequentially performed. Step S408 is the same as step S307, step S409 is the same as step S308, and step S410 is the same as step S309.

  After the process of step S410, the control unit (12) of the first client device (10) controls the communication unit (13) of the first client device (10) to the second cooperation server device (200). Then, the SAML request protocol <Request> for requesting ID cooperation with the ID cooperation request source (in this case, the first cooperation server device) is executed (step S411). At this time, the Request includes the reference information generated in step S404.

  Subsequent to step S411, steps S412 to S416 are sequentially performed. Step S412 is step S311, step S413 is step S312, step S414 is step S313, step S415 is step S314, and step S416 is step. Since it is the same as S315, description is abbreviate | omitted.

  In the present invention, the access network is not limited to a fixed network or a mobile network, and may be a wireless network, for example.

  In each of the embodiments described above, the ID linkage is performed between the two linkage server devices. However, by repeating the ID linkage between two different linkage server devices, a plurality of linkage server devices can be obtained. ID linkage between the linked server devices is realized. In this case, in the user information management database held in each cooperation server device, the client device account (user information) corresponding to each cooperation server device includes cooperation information common to all cooperation server devices and its own cooperation server. The link destination server information indicating each link server device excluding the device may be managed in association with each other.

  As described in each of the embodiments, the present invention can realize the ID collaboration between the different first cooperation server device and the second cooperation server device, and can use the standard technology SAML. It is one of the features.

  Furthermore, in the present invention, ID linkage can be realized while maintaining anonymity between the linked server devices without exchanging the IDs paid out by each linked server device between the linked server devices, and the privacy of the user is maintained.

  In addition to the above embodiments, the account linking system / method according to the present invention is not limited to the above-described embodiments, and can be appropriately changed without departing from the spirit of the present invention. Further, the processing procedure of the account linking method described in each embodiment is not limited to the order as described. The processing procedure may be switched as appropriate in addition to the processing contents that cannot be switched before and after the processing, and parallel processing may be performed if possible.

  As the client device, a personal computer, an information home appliance terminal, a mobile phone, a mobile PC, a PDA, or the like can be used. As exemplified in these, the client device is basically a storage device (for example, volatile memory, nonvolatile memory, hard disk), an arithmetic processing device (for example, CPU), an input / output device (for example, a keyboard, a pointing device, a display), It can be realized by a computer (see FIG. 12 as an example) provided with a communication device (for example, a LAN card, a modem, a communication cable, an infrared communication device, a wireless communication device). Further, the first cooperation server device and the second cooperation server device can also be realized by the computer as described above.

In this case, the computer stores the program and data necessary for the processing of the program in a storage device, and the arithmetic processing unit reads the program and interprets and executes the program as necessary, so that each unit and each means (control) Function of the authentication unit, authentication unit, linkage information generation unit, authentication information generation unit, reference information generation unit, message generation unit, DB management unit). In other words, for example, when a computer is caused to function as the first client device (10), the arithmetic processing device interprets and executes a program necessary for realizing the function of the control unit (12), etc. Functions are realized. The same applies to the second client device (20). As described in the above embodiments, when the standard technology SAML v2.0 is used, a Web browser function is required. Therefore, the first client device (10) and the second client device (20) The arithmetic processing unit interprets and executes a program necessary for realizing the Web browser function, thereby realizing the Web browser function. Furthermore, at least a part of the functions of the units and units of the first client device (10) described in the above embodiments may be realized by a Web browser function. The same applies to the second client device (20).
Further, for example, when the computer is caused to function as the first cooperation server device (100), the arithmetic processing device interprets programs necessary for realizing the functions such as the authentication unit (104) and the reference information generation unit (107). By executing, the above-described functions are realized. The same applies to the second cooperation server device (200). Note that the user information management database is stored in the storage device of the cooperation server device.

When the processing function of each device constituting the account linking system is realized by a computer, the processing content of the function that each device should have is described by a program.
The program describing the processing contents can be recorded on a computer-readable recording medium. As the computer-readable recording medium, for example, any recording medium such as a magnetic recording device, an optical disk, a magneto-optical recording medium, and a semiconductor memory may be used. Specifically, for example, as a magnetic recording device, a hard disk device, a flexible disk, a magnetic tape or the like, and as an optical disk, a DVD (Digital Versatile Disc), a DVD-RAM (Random Access Memory), a CD-ROM (Compact Disc Read Only). Memory), CD-R (Recordable) / RW (ReWritable), etc., magneto-optical recording medium, MO (Magneto-Optical disc), etc., semiconductor memory, EEP-ROM (Electronically Erasable and Programmable-Read Only Memory), etc. Can be used.

  The program is distributed by selling, transferring, or lending a portable recording medium such as a DVD or CD-ROM in which the program is recorded. Furthermore, the program may be distributed by storing the program in a storage device of the server computer and transferring the program from the server computer to another computer via a network.

  A computer that executes such a program first stores, for example, a program recorded on a portable recording medium or a program transferred from a server computer in its own storage device. When executing the process, the computer reads a program stored in its own recording medium and executes a process according to the read program. As another execution form of the program, the computer may directly read the program from a portable recording medium and execute processing according to the program, and the program is transferred from the server computer to the computer. Each time, the processing according to the received program may be executed sequentially. Also, the program is not transferred from the server computer to the computer, and the above-described processing is executed by a so-called ASP (Application Service Provider) type service that realizes the processing function only by the execution instruction and result acquisition. It is good. Note that the program in this embodiment includes information that is used for processing by an electronic computer and that conforms to the program (data that is not a direct command to the computer but has a property that defines the processing of the computer).

  Each of the above devices may be configured by executing a predetermined program on a computer, but at least a part of the processing contents may be realized in hardware.

According to the present invention, since ID linkage which is a premise for performing SSO is realized, for example, service use by multi-channel authentication (for example, an authentication function of a mobile phone is used as an authentication means when using a service of a fixed network) .) Is useful.
For example, when the client device W1 for receiving a desired online service is different from the client device W2 for authentication, the client device W1 can access the server device Z1, and the client device W2 is a server. If the service is to be used by multi-channel authentication in an environment where access to the device Z2 is possible, the client device W1 is the first client device, the client device W2 is the second client device, and the server device Z1 is the first device. Account linking which is a precondition for multi-channel authentication is realized by the present invention by regarding the linked server device and the server device Z2 as the second linked server device.

The figure which shows the structural example of the account linking system concerning each embodiment of this invention. (A) The figure which shows the database structural example of the 1st user information management database (DB) implement | achieved by this invention. (B) The figure which shows the database structural example of the 2nd user information management database (DB) implement | achieved by this invention. The processing flow of 1st Embodiment of the account linking method which is this invention. The figure which shows the system configuration | structure and functional structure in 1st Embodiment. (A) The figure explaining the example of a database structure of the 1st user information management database (DB) in a 1st embodiment. (B) The figure explaining the database structural example of the 2nd user information management database (DB) in 1st Embodiment. The processing flow of 2nd Embodiment of the account linking method which is this invention. The processing flow of 3rd Embodiment of the account linking method which is this invention. The figure which shows the system configuration | structure and functional structure in 3rd Embodiment. The processing flow of 4th Embodiment of the account linking method which is this invention. The figure which shows the system configuration | structure and functional structure in 4th Embodiment. (A) The figure explaining the database structural example of the 1st user information management database (DB) in 2nd, 3rd, 4th embodiment. (B) The figure explaining the database structural example of the 2nd user information management database (DB) in 2nd, 3rd, 4th embodiment. The figure which shows the hardware structural example of a computer in the case of implement | achieving a 1st client apparatus, a 1st cooperation server apparatus, a 2nd client apparatus, and a 2nd cooperation server apparatus with a computer.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 1st access network 2 2nd access network 3 Internet 10 1st client apparatus 20 2nd client apparatus 100 1st cooperation server apparatus 200 2nd cooperation server apparatus 101 1st user information management database 201 2nd user information management database

Claims (16)

An account linking system,
The account linking system includes at least a first cooperation server device, a second cooperation server device, a first client device, and a second client device,
At least one of the first cooperation server device and the second cooperation server device is information common to the account of the first client device (first user information) and the account of the second client device (second user information). A link information generating unit that generates link information and a transmission unit A1 that can provide the link information to the outside of the link server device, and a link that includes the link information generation unit and the transmission unit A1. The partner server device (receiver device) of the other party of the server device (supply device) is provided with a receiving means R1 for acquiring the link information,
The first cooperation server device includes reference information generation means for generating reference information that is information corresponding to the cooperation information, transmission means A2 capable of providing the reference information to the outside of the first cooperation server device, 1 user information management database, and a first DB management means capable of registering at least the linkage information in the first user information management database,
The first client device comprises receiving means R2 capable of acquiring the reference information, and providing means A3 capable of providing the acquired reference information to at least the second client device,
The second client device includes an acquisition unit R3 that can acquire the reference information, and a transmission unit A4 that can provide the acquired reference information to at least the second cooperation server device.
The second cooperation server device includes a receiving means R4 capable of acquiring the reference information, a second user information management database, and a second DB management means capable of registering at least the cooperation information in the second user information management database. Prepared,
The receiving device acquires the cooperation information corresponding to the reference information generated by the supplying device,
The first DB management means registers the linkage information in the first user information management database in association with the first user information,
The account linking system, wherein the second DB management means registers the linkage information in the second user information management database in association with the second user information. The supply side device is the first cooperation server device,
Assuming that the receiving side device is the second cooperative server device,
The transmission means A4 of the second client device provides the reference information to the second cooperative server device by transmitting request information that is information including the reference information.
The receiving means R4 of the second cooperation server device acquires the reference information by receiving the request information,
The second cooperation server device further includes transmission means A5 for transmitting the request information to the first cooperation server device,
The first cooperation server device further includes receiving means R5 for receiving the request information from the second cooperation server device,
Upon receiving the request information, the transmission means A1 of the first linkage server device provides the linkage information corresponding to the reference information included in the request information to the second linkage server device.
2. The account linking system according to claim 1, wherein the receiving unit R <b> 1 of the second linkage server device acquires the linkage information from the first linkage server device. The supply side device is the first cooperation server device,
Assuming that the receiving side device is the second cooperative server device,
The transmission means A4 of the second client device provides the reference information to the second cooperation server device by transmitting first request information that is information including the reference information.
The receiving means R4 of the second cooperation server device acquires the reference information by receiving the first request information,
The second cooperation server device further includes transmission means A6 for transmitting second request information, which is information including the reference information, to the second client device,
The second client device further includes transfer means T1 for transferring the second request information transmitted from the second cooperative server device to the first cooperative server device, and the above-mentioned provided from the first cooperative server device. Transfer means T2 for transferring cooperation information to the second cooperation server device,
The first cooperation server device further includes receiving means R6 for receiving the second request information from the second client device,
When the transmission means A1 of the first cooperation server device receives the second request information from the second client device, the transmission means A1 sends the cooperation information corresponding to the reference information included in the second request information to the second client device. Is to provide
2. The account linking system according to claim 1, wherein the receiving unit R <b> 1 of the second linkage server device acquires the linkage information from the second client device. The supply side device is the second cooperation server device,
Assuming that the receiving device is the first cooperation server device,
The first client device further includes transmission means A7 for transmitting first request information that is information including the reference information to the first cooperation server device,
The first cooperation server device further transmits, to the first client device, receiving means R7 that receives the first request information from the first client device, and second request information that is information including the reference information. A transmission means A8,
The first client device further includes transfer means T3 for transferring the second request information transmitted from the first cooperation server device to the second cooperation server device, and the above-mentioned provided from the second cooperation server device. Transfer means T4 for transferring cooperation information to the first cooperation server device,
The second cooperation server device further includes receiving means R7 for receiving the second request information from the first client device,
When the transmission means A1 of the second cooperation server device receives the second request information from the first client device, the transmission means A1 sends the cooperation information corresponding to the reference information included in the second request information to the first client device. Is to provide
2. The account linking system according to claim 1, wherein the receiving unit R <b> 1 of the first linkage server device acquires the linkage information from the first client device. The supply side device is the second cooperation server device,
Assuming that the receiving device is the first cooperation server device,
The transmission means A2 of the first cooperation server device transmits first request information that is information including the reference information to the first client device,
The first client device further includes transfer means T5 for transferring the first request information transmitted from the first cooperation server device to the second cooperation server device, and the above-mentioned provided from the second cooperation server device. Transfer means T6 for transferring cooperation information to the first cooperation server device,
The second cooperation server device further includes a receiving unit R8 for receiving the first request information, a transmitting unit A9 for providing the reference information included in the received first request information to the first client device, With
The receiving means R2 of the first client device acquires the reference information from the second cooperation server device,
The first client device further includes transmission means A10 for transmitting second request information, which is information including the reference information, to the second cooperation server device,
The second cooperation server device further includes receiving means R9 for receiving the second request information,
When the transmission means A1 of the second cooperation server device receives the second request information from the first client device, the transmission means A1 sends the cooperation information corresponding to the reference information included in the second request information to the first client device. Is to provide
2. The account linking system according to claim 1, wherein the receiving unit R <b> 1 of the first linkage server device acquires the linkage information from the first client device. The first DB management means registers the cooperation information in the first user information management database in association with the cooperation destination server information that is information indicating the cooperation server device of the first cooperation server device. ,
The second DB management unit registers the cooperation information in the second user information management database in association with the cooperation destination server information that is information indicating the cooperation server device of the second cooperation server device. The account linking system according to any one of claims 1 to 5, characterized in that: An account linking method in an account linking system,
The account linking system includes at least a first cooperation server device, a second cooperation server device, a first client device, and a second client device,
At least one of the first cooperation server device and the second cooperation server device is information common to the account of the first client device (first user information) and the account of the second client device (second user information). A link information generating unit that generates link information and a transmission unit A1 that can provide the link information to the outside of the link server device, and a link that includes the link information generation unit and the transmission unit A1. The partner server device (receiver device) of the other party of the server device (supply device) is provided with a receiving means R1 for acquiring the link information,
A linkage information generating step in which the linkage information generating means generates the linkage information;
The transmission unit A1 provides the cooperation information to the outside of the supply side device, a transmission step A1;
A receiving step R1 in which the receiving means R1 acquires the cooperation information;
A reference information generating step in which the reference information generating means of the first link server device generates reference information that is information corresponding to the link information;
A transmission step A2 in which the transmission means A2 of the first cooperation server device provides the reference information to the outside of the first cooperation server device;
A receiving step R2 in which the receiving means R2 of the first client device acquires the reference information;
A providing step A3 in which the providing means A3 of the first client device provides the acquired reference information to at least the second client device;
An acquisition step R3 in which the acquisition means R3 of the second client device acquires the reference information;
A transmission step A4 in which the transmission means A4 of the second client device provides the acquired reference information to at least the second cooperation server device;
A receiving step R4 in which the receiving means R4 of the second cooperative server device acquires the reference information;
A first registration step in which the first DB management means of the first linkage server device registers the linkage information in the first user information management database of the first linkage server device in association with the first user information;
A second registration step in which the second DB management means of the second linkage server device registers the linkage information in the second user information management database of the second linkage server device in association with the second user information; Have account linking method. The supply side device is the first cooperation server device,
Assuming that the receiving side device is the second cooperative server device,
In the transmission step A4, the transmission means A4 of the second client device provides the reference information to the second cooperation server device by transmitting request information that is information including the reference information.
In the receiving step R4, the receiving means R4 of the second cooperation server device acquires the reference information by receiving the request information,
Further, a transmission step A5 in which the transmission means A5 of the second cooperation server device transmits the request information to the first cooperation server device;
The receiving means R5 of the first cooperation server device has a reception step R5 for receiving the request information from the second cooperation server device,
In the transmission step A1, when the transmission unit A1 of the first cooperation server device receives the request information, the transmission step A1 provides the cooperation information corresponding to the reference information included in the request information to the second cooperation server device. Is,
8. The account linking method according to claim 7, wherein in the reception step R1, the reception unit R1 of the second cooperation server device acquires the cooperation information from the first cooperation server device. The supply side device is the first cooperation server device,
Assuming that the receiving side device is the second cooperative server device,
In the transmission step A4, the transmission means A4 of the second client device provides the reference information to the second cooperation server device by transmitting first request information that is information including the reference information. Yes,
In the receiving step R4, the receiving means R4 of the second cooperation server device acquires the reference information by receiving the first request information.
Further, a transmission step A6 in which the transmission means A6 of the second cooperation server device transmits second request information, which is information including the reference information, to the second client device;
A transfer step T1 in which the transfer means T1 of the second client device transfers the second request information transmitted from the second cooperative server device to the first cooperative server device;
A transfer step T2 in which the transfer means T2 of the second client device transfers the link information provided from the first link server device to the second link server device;
The receiving means R6 of the first cooperation server device has a receiving step R6 for receiving the second request information from the second client device,
In the transmission step A1, when the transmission unit A1 of the first cooperation server device receives the second request information from the second client device, the cooperation information corresponding to the reference information included in the second request information Is provided to the second client device,
8. The account linking method according to claim 7, wherein in the reception step R1, the reception unit R1 of the second cooperation server device acquires the cooperation information from the second client device. The supply side device is the second cooperation server device,
Assuming that the receiving device is the first cooperation server device,
Further, a transmission step A7 in which the transmission means A7 of the first client device transmits first request information that is information including the reference information to the first cooperation server device;
A receiving step R7 in which the receiving means R7 of the first cooperation server device receives the first request information from the first client device;
A transmission step A8 in which the transmission means A8 of the first cooperation server device transmits second request information, which is information including the reference information, to the first client device;
A transfer step T3 in which the transfer means T3 of the first client device transfers the second request information transmitted from the first cooperation server device to the second cooperation server device;
A transfer step T4 in which the transfer means T4 of the first client device transfers the cooperation information provided from the second cooperation server device to the first cooperation server device;
The receiving means R7 of the second cooperation server device has a receiving step R7 for receiving the second request information from the first client device,
In the transmission step A1, when the transmission unit A1 of the second cooperation server device receives the second request information from the first client device, the cooperation information corresponding to the reference information included in the second request information To the first client device,
8. The account linking method according to claim 7, wherein in the reception step R1, the reception unit R1 of the first cooperation server device acquires the cooperation information from the first client device. The supply side device is the second cooperation server device,
Assuming that the receiving device is the first cooperation server device,
In the transmission step A2, the transmission means A2 of the first cooperation server device transmits first request information that is information including the reference information to the first client device,
Furthermore, the transfer means T5 of the first client device transfers the first request information transmitted from the first cooperation server device to the second cooperation server device;
A transfer step T6 in which the transfer means T6 of the first client device transfers the linkage information provided from the second linkage server device to the first linkage server device;
A receiving step R8 in which the receiving means R8 of the second cooperative server device receives the first request information;
The transmission means A9 of the second cooperation server device includes a transmission step A9 for providing the first client device with the reference information included in the received first request information,
In the receiving step R2, the receiving means R2 of the first client device acquires the reference information from the second cooperation server device,
Further, a transmission step A10 in which the transmission means A10 of the first client device transmits second request information that is information including the reference information to the second cooperation server device;
The receiving means R9 of the second cooperation server device has a receiving step R9 for receiving the second request information,
In the transmission step A1, when the transmission unit A1 of the second cooperation server device receives the second request information from the first client device, the cooperation information corresponding to the reference information included in the second request information To the first client device,
8. The account linking method according to claim 7, wherein in the reception step R1, the reception unit R1 of the first cooperation server device acquires the cooperation information from the first client device. In the first registration step, the first DB management unit of the first cooperation server device stores the cooperation information in the first user information management database of the first cooperation server device and the cooperation destination of the first cooperation server device. It is a step of registering in association with cooperation destination server information that is information indicating the cooperation server device,
In the second registration step, the second DB management means of the second cooperation server device stores the cooperation information in the second user information management database of the second cooperation server device and the cooperation destination of the second cooperation server device. The account linking method according to any one of claims 7 to 11, wherein the account linking method is a step of registering in association with cooperation destination server information which is information indicating the cooperation server device. Cooperation information generating means for generating cooperation information that is information common to an account (user information a) of a client apparatus (client apparatus a) and an account (user information b) of a client apparatus (client apparatus b) different from the client apparatus a When,
A transmission means A1 capable of providing the cooperation information to the outside;
Reference information generating means for generating reference information which is information corresponding to the linkage information;
A transmission means A2 capable of providing the reference information to the outside;
A user information management database a in which at least the user information a is registered;
A linkage server apparatus comprising DB management means a capable of registering the user information management database a in association with the linkage information in association with the user information a. Receiving means R1 for acquiring cooperative information which is information common to an account (user information a) of a client device (client device a) and an account (user information b) of a client device (client device b) different from the client device a; ,
Reference information generating means for generating reference information which is information corresponding to the linkage information;
A transmission means A2 capable of providing the reference information to the outside;
A user information management database a in which at least the user information a is registered;
A linkage server apparatus comprising DB management means a capable of registering the user information management database a in association with the linkage information in association with the user information a. Cooperation information generating means for generating cooperation information that is information common to an account (user information a) of a client apparatus (client apparatus a) and an account (user information b) of a client apparatus (client apparatus b) different from the client apparatus a When,
A transmission means A1 capable of providing the cooperation information to the outside;
Receiving means R4 that can acquire reference information that is information corresponding to the cooperation information generated by another cooperation server device;
A user information management database b in which at least the user information b is registered;
A cooperation server device comprising DB management means b capable of registering the user information management database b in association with the cooperation information in association with the user information b. Receiving means R1 for acquiring cooperative information which is information common to an account (user information a) of a client device (client device a) and an account (user information b) of a client device (client device b) different from the client device a; ,
Receiving means R4 that can acquire reference information that is information corresponding to the cooperation information generated by another cooperation server device;
A user information management database b in which at least the user information b is registered;
A cooperation server device comprising DB management means b capable of registering the user information management database b in association with the cooperation information in association with the user information b.

Images