JP5252721B2 - Information providing server - Google Patents

Description

  The present invention relates to an information providing server that provides a service in response to a service provision request from a user terminal.

  An information providing server that provides various web services via a network receives authentication information such as a user ID and a password registered in advance from a user terminal, authenticates the identity of the user, and services when authentication is successful. Is provided. Here, if different authentication information is created for each web service, the authentication information may be confused or forgotten, and management of the authentication information becomes complicated for the user. Also, when acquiring an account by registering authentication information for each web service, it takes time for the user to enter personal information, etc., so it may be cumbersome to create an account and hesitate to use the service. . Therefore, in recent years, distributed authentication systems that allow a plurality of web services to be used with a single account are becoming widespread in order to improve convenience for users and increase the number of new users acquired for web service providers.

  In such a distributed authentication system, an authentication server constructed separately from the information providing server performs user authentication. An information providing server that provides a service via a network inquires an authentication server in response to an authentication request from a user terminal. The information providing server provides a service according to the authentication result received from the authentication server. Thereby, the user can use the service without taking the trouble of creating an account for each information providing server. On the other hand, the provider of the service provided by the information providing server can expect to acquire new users by eliminating the need to spend time creating accounts, and the cost of managing user accounts and the risk of leaking account information Can be avoided. Such a distributed authentication system is spreading as an open standard technology whose specifications are publicized, and an authentication server is constructed by various business operators and the user ID is issued and authenticated.

By the way, in Patent Document 1 shown below, an attribute providing device that accepts account registration in accordance with information transmitted from a user, the information transmitted from the user at the time of registration is based on the presentation of a public certificate or the like. The reliability of the account is stored in accordance with whether the information is based on a declaration from the user, etc., and the information providing server provides a service corresponding to the reliability of the account stored in the attribute providing device. The technology to be provided is described.
Patent Document 2 or Patent Document 3 describes a technique for improving the reliability of authentication by performing authentication based on information that identifies a line through which a service request is transmitted or information that is physically unique such as a mobile phone terminal. Has been.

JP 2007-241554 A JP 2007-172053 A JP 2008-15936 A

  However, since the distributed authentication system as described above is an open standard technology, anyone can construct an authentication server. For this reason, it is conceivable that a malicious person constructs an authentication server and uses a web service corresponding to the distributed authentication system using a user ID issued by the authentication server. That is, for an information providing server that provides a web service corresponding to a distributed authentication system, even if user authentication by an authentication server constructed by a third party is successful, the authentication server may not be reliable. Conceivable. Therefore, for example, it can be considered that only authentication by a predetermined authentication server is handled as effective authentication. However, in this case, anyone can construct an effective authentication server, and the information providing server has no trust relationship. The advantage of the distributed authentication system that provides a service based on the result of the authentication performed by the user cannot be utilized.

  The technique described in Patent Literature 1 is premised on the existence of a trust relationship between the information providing server and the attribute providing apparatus that performs user authentication, and the attribute providing apparatus is malicious for the information providing server. It is not assumed that it is a third party. Since the technique described in Patent Document 2 or Patent Document 3 stores in advance physical unique information of the user terminal in the authentication side device, it is also between the authentication side device and the user terminal. It is assumed that the relationship has been established in advance.

  The present invention has been made in view of such circumstances, and provides an information providing server that provides a service in accordance with the reliability of an authentication server that generates an authentication result by a distributed authentication system.

In order to solve the above-described problem, the present invention is connected to a plurality of authentication servers that authenticate user terminals connected via a network, and provides information according to the authentication result of the user terminals by the authentication server. An evaluation value storage unit that is stored in advance in association with an evaluation value that indicates the degree of reliability of the authentication server for each authentication server, and a service for each of a plurality of services provided by the information providing server And a service provision threshold value storage unit in which a threshold value of an evaluation value indicating whether or not to provide information is stored, and authentication for receiving an authentication request from a user terminal to any one of a plurality of authentication servers According to the request receiving unit, the authentication request transferring unit that transfers the authentication request received by the authentication request receiving unit to the corresponding authentication server, and the authentication request transferred by the authentication request transferring unit, An authentication result receiving unit that receives an authentication result indicating whether or not the user terminal has been authenticated from the certificate server, and an evaluation value storage when the authentication result received by the authentication result receiving unit indicates that the user terminal has been authenticated An evaluation value calculation unit that reads an evaluation value associated with the authentication server that is the transmission source of the authentication result, an evaluation value calculated by the evaluation value calculation unit, and a threshold value stored in the service provision threshold value storage unit The service providing unit that provides the user terminal with a service associated with a threshold value that is equal to or less than the evaluation value, and an authentication server upper limit that stores the upper limit value of the number of authentication servers for which the authentication result by the authentication server is valid A number storage unit, wherein the evaluation value calculation unit calculates a total value of the authentication results received from a number of the authentication servers equal to or less than the upper limit value .

  In the present invention, the authentication request receiving unit receives authentication requests from the user terminal to the plurality of authentication servers, and the authentication result receiving unit authenticates the user terminal from the authentication server corresponding to the plurality of authentication requests. And the evaluation value calculation unit receives the authentication result indicating whether or not the user terminal is authenticated among the plurality of authentication results received by the authentication result receiving unit. The evaluation value associated with is read from the evaluation value storage unit, and the total value of the read evaluation values is calculated.

  In the present invention, the evaluation value storage unit is associated with an evaluation value for each URL corresponding to the authentication server, and the URL is a host domain represented by a character string from the upper domain to the lower domain. It is indicated by either a name or a domain name represented by a character string of only the upper domain.

  As described above, according to the present invention, the information providing server indicates the degree of reliability of the authentication server for each of the plurality of authentication servers that authenticate the user terminals connected via the network. An evaluation value is stored in advance in association with each other, a threshold value of an evaluation value indicating whether or not to provide a service is stored in association with each of a plurality of services to be provided, and any one of a plurality of authentication servers is authenticated from the user terminal When the authentication request to the server is received, the received authentication request is transferred to the authentication server, and the authentication result received from the authentication server in response to the transferred authentication request indicates that the user terminal has been authenticated, the authentication result Since the evaluation value associated with the authentication server that is the transmission source is compared with the threshold value, and the service associated with the threshold value that is less than or equal to the evaluation value is provided to the user terminal, Of testimony server, based on the authentication result by the authentication server selected by the user, it is possible to provide a service corresponding to the reliability of the authentication server.

It is a figure which shows the outline | summary of the information communication system by one Embodiment of this invention. It is a figure which shows the data example of the evaluation value information memorize | stored in the evaluation value memory | storage part by one Embodiment of this invention. It is a figure which shows the example of data of the session information memorize | stored in the session information storage part by one Embodiment of this invention. It is a figure which shows the data example of the service provision threshold value information memorize | stored in the service provision threshold value memory | storage part by one Embodiment of this invention. It is a sequence diagram which shows the operation example of the information communication system by one Embodiment of this invention. It is a figure which shows the outline | summary of the information communication system by one Embodiment of this invention. It is a figure which shows the example of data of the authentication server upper limit number information by one Embodiment of this invention.

Hereinafter, an embodiment of the present invention will be described with reference to the drawings.
FIG. 1 is a block diagram showing the configuration of the information communication system 1 according to the present embodiment. The information communication system 1 includes a user terminal 10, an information providing server 20, and a plurality of authentication servers 30-N (authentication server 30-1, authentication server 30-2, authentication server 30-3,...). Each computer device is connected via a network. Here, one user terminal 10 and one information providing server 20 are illustrated and described, but a plurality of each may be provided in the information communication system 1. The plurality of authentication servers 30-N are operated by different operators and the like, and issue and authenticate user IDs based on the distributed authentication system. However, since they have the same configuration, there is no need to distinguish between them. Will be described as an authentication server 30.

  A description will be given assuming that a system called OpenID is applied to the distributed authentication system in the present embodiment. Here, the user selects an authentication server 30 operated by an operator or the like that he trusts from among a plurality of authentication servers 30. The user terminal 10 transmits personal information and authentication information input from the user to the selected authentication server 30. The authentication server 30 creates a unique user ID based on the received personal information, and creates an authentication page describing user account information on a site managed by the authentication server 30. The URL (Uniform Resource Locator) of the created authentication page is widely disclosed on the Internet. In this distributed authentication system, this URL is used as a user ID. An information providing server that provides a web service that requires authentication authenticates the identity of a user by accessing a published user authentication page. By creating an account in such an authentication server, the user can use the web service without inputting authentication information each time when using the web service corresponding to the distributed authentication system.

  In response to the authentication request transmitted from the user terminal 10, the information providing server 20 that provides the service transfers the authentication request to the corresponding authentication server 30 and provides the service according to the authentication result transmitted from the authentication server 30. To do. The authentication URL of the authentication server 30-1 is “http://example1.com”, the authentication URL of the authentication server 30-2 is “http://example2.com”, and the authentication URL of the authentication server 30-3 Is “http://example3.com”.

The user terminal 10 is a computer terminal including an input unit that receives input from a user, a display unit that displays information, a calculation unit, and the like. For example, a PC (Personal Computer) can be applied to the user terminal 10. The user terminal 10 has a web browser function.
The information providing server 20 is a computer device that provides a service in response to a service provision request from the user terminal 10, and includes an authentication request receiving unit 21, an authentication request transfer unit 22, an authentication result receiving unit 23, and an evaluation value storage. Unit 24, session information storage unit 25, evaluation value calculation unit 26, service provision threshold storage unit 27, and service provision unit 28.

  The authentication request receiving unit 21 receives an authentication request transmitted from the user terminal 10. Here, the authentication request receiving unit 21 transmits to the user terminal 10 a web page that accepts an input of an authentication URL whose authentication target is one of the plurality of authentication servers 30. The authentication request receiving unit 21 receives the authentication URL of the authentication server 30 input to the user terminal 10 by a user operation as an authentication request. For example, an authentication URL “http://example1.com” is included in the authentication request for authenticating the authentication server 30-1. Further, the authentication request receiving unit 21 may receive an authentication request that targets a plurality of authentication servers 30 as authentication targets. In this case, for example, after the authentication processing for one authentication target is completed, the authentication request receiving unit 21 receives an authentication request for the other authentication server 30 as an authentication target.

The authentication request transfer unit 22 transfers the authentication request received by the authentication request reception unit 21 to the authentication server 30 to be authenticated with the authentication URL indicated in the authentication request as a destination.
The authentication result receiving unit 23 receives an authentication result indicating whether or not the user terminal has been authenticated from the authentication server 30 in response to the authentication request transferred to the authentication server 30 by the authentication request transfer unit 22.

  The evaluation value storage unit 24 stores evaluation value information in which an evaluation value of the authentication server 30 based on the domain name is associated with each host domain name or domain name corresponding to the authentication server 30. FIG. 2 is a diagram illustrating a data example of evaluation value information stored in the evaluation value storage unit 24. The evaluation value information includes an evaluation value in the URL (for example, “http://example1.com”, “http://example2.com”) represented by a character string from the upper domain to the lower domain (host domain). A domain in which an evaluation value is associated with a host domain list (FIG. 2 (a)) that is associated with and a part of the domain name (for example, only upper domains such as “.ac.jp” and “.jp”) A list (FIG. 2B) is stored. In this way, the administrator of the information providing server 20 stores the domain name of only the upper domain such as “.ac.jp”, “.jp”, “.com” in the evaluation value storage unit 24. Thus, an evaluation value corresponding to the authentication result by the authentication server 30 corresponding to the unknown authentication URL can be calculated.

  The session information storage unit 25 stores information related to a session with the user terminal 10 connected via a network. FIG. 3 is a diagram illustrating a data example of session information stored in the session information storage unit 24. The session information storage unit 24 stores a session ID, an authentication URL of the authentication server 30 that is an authentication target, an authentication result from the authentication server, and a total evaluation value. The session ID is information for identifying a session with the user terminal 10 connected via the network. For example, a WWW (World Wide Web) session ID can be applied to the session ID. The authentication URL and the authentication result are stored in association with the authentication URL included in the authentication request transmitted from the user terminal 10 and the authentication result received from the authentication server 30 corresponding to the authentication URL. For example, “OK” is stored in the authentication result when the authentication is successful, and “NG” is stored when the authentication fails. Here, when an authentication request is transferred to the plurality of authentication servers 30 by the authentication request transfer unit 22 and the authentication result receiving unit 23 receives a plurality of authentication results, a plurality of authentication URLs, authentication results, Is stored.

  The total evaluation value is information indicating a total value of a plurality of authentication results corresponding to the session ID. For example, the authentication result from the authentication server 30-1 (http://example1.com) and the authentication result from the authentication server 30-2 (http://example2.com) are both “OK”. If the authentication result from the authentication server 30 is NG or does not exist, the evaluation value of the authentication server 30-1 is “10” and the evaluation value of the authentication server 30-2 is “30” from the example of FIG. Therefore, the total evaluation value is “40”.

  The evaluation value calculation unit 26 evaluates the evaluation value corresponding to the authentication result corresponding to the user terminal 10 based on the evaluation value information stored in the evaluation value storage unit 24 and the session information stored in the session information storage unit 25. The total evaluation value is calculated and stored in the session information storage unit 25. First, the evaluation value calculation unit 26 reads the corresponding evaluation value from the session information storage unit 25 when the authentication result corresponding to the authentication server stored in the session information storage unit 25 is “OK”. Here, when the domain name corresponding to the authentication URL corresponds to both the host domain list and the domain list stored in the session information storage unit 25, the evaluation value calculation unit 26 associates the domain name with the host domain list. The selected evaluation value is selected and read.

  For example, when the authentication URL “http://example4.jp” is stored in the host domain list and the domain name “.jp” is stored in the domain list, the authentication URL “http://example4.jp” is stored. Corresponds to both the host domain list and the domain list, but the evaluation value calculation unit 26 selects and reads the evaluation value associated with the host domain list. In this way, the evaluation value calculation unit 26 can read, for example, an evaluation value corresponding to an unknown authentication server 30 in the “.jp” domain, and authentication with particularly high reliability in the “.jp” domain. By storing an evaluation value corresponding to the authentication URL corresponding to the server 30 or the authentication server 30 having low reliability in the evaluation value storage unit 24, an evaluation value that is an index for service provision determination is flexibly calculated. be able to.

  The service provision threshold storage unit 27 stores a threshold of a total evaluation value for service provision determination for each service provided by the information providing server 20. FIG. 4 is a diagram illustrating a data example of service provision threshold information stored in the service provision threshold storage unit 27. In the service provision threshold information, a provision service name and an evaluation value threshold are stored in association with each other. The provided service name is information for identifying a service provided by the information providing server 20. For example, the information providing server 20 provides services such as an online storage service, a blog service, and an SNS (Social Networking Service). The evaluation value is information indicating a lower limit threshold value of the total evaluation value necessary for providing the corresponding provided service. Here, for example, a high function and high load service can be set to a high threshold, and a low function and low load service can be set to a low threshold. In this way, a service with a relatively low function is provided to the user terminal 10 in which only the authentication from the authentication server 30 with a low evaluation value is successful, and the authentication from the authentication server 30 with a high evaluation value is performed. A relatively high-function service can be provided to the user terminal 10 that has succeeded. For example, when an online storage service is provided, the online storage service can be set to be provided at a download speed corresponding to the evaluation value. For example, the threshold value of the online storage service with a download speed of 20 Kbps can be set higher than the threshold value of the online storage service with a download speed of 10 Kbps and stored. Thereby, even if it is the same kind of service, it is possible to provide a higher-function service to the user terminal 10 that has been successfully authenticated from the authentication server 30 having a higher evaluation value.

  The service providing unit 28 provides a service to the user terminal 10 according to the total evaluation value corresponding to the user terminal 10. The service providing unit 28 is calculated by the evaluation value calculating unit 26 and stored in the service providing threshold storage unit 27 and the total evaluation value of the authentication result corresponding to the session of the user terminal 10 stored in the session information storage unit 25. The service provision determination process is performed by comparing the evaluation value threshold. The service providing unit 28 provides the user terminal 10 with a service in which the total evaluation value stored in the session information storage unit 25 is equal to or greater than the threshold stored in the service provision threshold storage unit 27 among a plurality of services provided by the service providing unit 28 To do. For example, the service providing unit 28 has an authentication result total evaluation value “40”, an online storage service service provision threshold value “30”, a blog service service provision threshold value “40”, and an SNS service provision threshold value. In the case of “50”, it is determined that the online storage service and the blog service are provided, and the SNS is not provided.

  The authentication server 30 performs authentication processing of the user terminal 10 in response to the authentication request transferred from the information providing server 20. Upon receiving an authentication request for a predetermined authentication URL, the authentication server 30 requests the user terminal 10 to input user ID and password authentication information. Upon receiving the authentication information input to the user terminal 10 by the user, the authentication server 30 performs a process of authenticating the identity between the received authentication information and the account information stored in advance. Here, if the authentication server 30 determines that the authentication information received from the user terminal 10 corresponds to the account information stored in advance, the authentication server 30 generates an authentication result indicating that the user authentication is successful, If it is determined that the user authentication is not to be performed, an authentication result indicating that the user authentication has failed is generated. The authentication server 30 transmits the generated authentication result to the information providing server 20. Here, an example in which the authentication server 30 performs authentication using a password has been described. However, the authentication server 30 may perform authentication processing using other authentication information such as an IC (integrated circuit) card.

Next, an operation example in which the information communication system 1 according to the present embodiment performs information communication will be described with reference to FIG.
First, the user terminal 10 accesses the information providing server 20 in response to an operation request input from the user, and transmits a service providing request (step S1). When the information providing server 20 transmits a web page requesting input of an authentication URL to the user terminal 10, the user terminal 10 transmits the authentication URL published by the authentication server 30 to the information providing server 20 as an authentication request ( Step S2). When the authentication request receiving unit 21 of the information providing server 20 receives the authentication request transmitted from the user terminal 10, the authentication request transfer unit 22 uses the authentication URL included in the authentication request as a destination and receives an authentication request from the user terminal 10. Is transferred (step S3). In response to the authentication request from the user terminal 10 transferred by the information providing server 20, the authentication server 30 transmits a web page including an input field for authentication information such as a user ID and a password to the user terminal 10. The user terminal 10 transmits authentication information input by the user to the authentication server 30 (step S4).

  The authentication server 30 performs an authentication process based on the authentication information transmitted from the user terminal 10 (step S5), and transmits an authentication result to the information providing server 20 (step S6). When receiving the authentication result transmitted from the authentication server 30, the authentication result receiving unit 23 of the information providing server 20 stores the received authentication result in the session information storage unit 25. Based on the authentication result associated with the session information stored in the session information storage unit 25, the evaluation value calculation unit 26 determines the evaluation value associated with the authentication server 30 that is the transmission source of the authentication result as the evaluation value storage unit. 24, the total value of the evaluation values associated with the session ID corresponding to the user terminal 10 is calculated and stored in the session information storage unit 25 (step S7).

  The service providing unit 28 compares the total value of the evaluation values corresponding to the user terminal 10 stored in the session information storage unit 25 with the service provision threshold stored in the service provision threshold storage unit 27 to obtain the user terminal The service provided to 10 is determined, and the service name of the service determined to be available is transmitted to the user terminal 10 (step S8). Thereafter, the information providing server 20 provides the requested service in response to the service providing request for the service transmitted as available to the user terminal 10 in step S8. In addition, when the user wants to use a service other than the service that can be provided transmitted to the user terminal 10 in step S8 or to upgrade the service provided, the user terminal 10 is input from the user. Authentication request is accepted (step S9: YES). In this case, the user terminal 10 transmits an authentication request for authentication of another authentication server 30 to the information providing server 20, and the information communication system 1 repeats the processing up to step S8. When an authentication request is not input from the user in step S9, the user terminal 10 uses a service among the available services transmitted in step S8 (step S9: NO).

  Here, the information providing server 20 determines the services that can be provided to the user terminal 10 according to the evaluation values based on the authentication results of the plurality of authentication servers 30, but the number of authentication servers 30 that can be authenticated is unlimited. For example, a case where the authentication result is obtained from a large number of authentication servers 30 having a low evaluation value, exceeds a certain total evaluation value, and the service provided by the information providing server 20 is provided. In order to prevent such a case, the information communication system 1 may set an upper limit on the number of authentication servers 30 that can be authenticated.

  FIG. 6 is a diagram showing a configuration of the information communication system 1 that performs authentication processing by determining the upper limit value of the information providing server 20 that can be authenticated in this way. Here, the information providing server 20 includes an authentication server upper limit number storage unit 29. The authentication server upper limit number storage unit 29 stores an upper limit value for the number of authentication servers 30 that are allowed to be simultaneously authenticated by the same session ID for each domain name. FIG. 7 is a diagram illustrating a data example of authentication server upper limit number information stored in the authentication server upper limit number storage unit 29. In the authentication server upper limit number information, the domain name and the authentication server upper limit number are stored in association with each other. The domain name is information indicating the domain of the authentication URL that limits the number of authentication servers 30. The domain name may be established only for the upper domain. The upper limit number of authentication servers is the upper limit number of authentication servers 30 that validate the authentication result by the authentication server 30 of the authentication URL including the corresponding domain name.

  As described above, when the authentication server upper limit number information is stored in the authentication server upper limit number storage unit 29, the authentication request transfer unit 22 includes the authentication URL included in the authentication request received by the authentication request receiving unit 21, and the authentication server. Whether to transfer the authentication request to the authentication server 30 is determined based on the authentication server upper limit number information stored in the upper limit number storage unit 29 and the session information stored in the session information storage unit 25. Here, the authentication request transfer unit 22 is associated with the domain name included in the authentication URL of the authentication request received by the authentication request receiving unit 21 and stored in the authentication server upper limit number storage unit 29. Is read. Further, the authentication request transfer unit 22 calculates the number of authentication results included in the session information corresponding to the user terminal 10 that is the transmission source of the authentication request received by the authentication request receiving unit 21. The authentication request transfer unit 22 compares the read authentication server upper limit number with the number of authentication results included in the session information, and when the number of authentication results included in the session information is less than the authentication server upper limit number, The authentication request is transferred to the authentication server 30. If the number of authentication results included in the session information is greater than or equal to the upper limit number of authentication servers, the authentication request is not transferred to the authentication server 30.

  Here, the authentication request transfer unit 22 performs the determination process of the authentication server upper limit number by determining whether or not to transfer the authentication request according to the authentication server upper limit number. The upper limit number of authentication servers may be controlled. For example, the authentication request transfer unit 22 transfers the authentication request to the authentication server 30 regardless of the authentication server upper limit number, and the authentication result receiving unit 23 that has received the authentication result performs the determination process of the authentication server upper limit number, and the authentication server Authentication results exceeding the upper limit number may be discarded and not stored in the session information storage unit 25. Alternatively, the evaluation value calculation unit 26 performs a determination process of the authentication server upper limit number, calculates the total value of the evaluation values based only on the authentication result equal to or less than the authentication server upper limit number, and stores the total value in the session information storage unit 25. May be.

  As described above, according to the present embodiment, in the information communication system 1 to which authentication by the distributed authentication system is applied, it is possible to provide a safe service while taking advantage of the distributed authentication system. That is, the distributed authentication system is spreading as one feature that anyone can construct the authentication server 30. Conventionally, in order to create an account for each of the information providing servers 20 that provide services, it has been necessary to transmit personal information such as name and address to the information providing server 20. However, the user wants to use the service provided by the information providing server 20, but sometimes hesitates to send personal information to the information providing server 20. Therefore, according to the distributed authentication system as described in the present embodiment, anyone can construct the authentication server 30, and the user uses the service of the information providing server 20 by being authenticated by the authentication server 30. be able to. As a result, the user selects the information providing server 20 that he believes can be trusted from among the plurality of authentication servers 30, transmits the personal information, and uses the service provided by the information providing server 20 using the created account. There is an advantage that you can.

  Here, as a response to using the authentication result generated by the authentication server 30 whose reliability is unknown to the information providing server 20, the information providing server 20 stores a so-called white list in advance, and the authentication server 30 that has been permitted in advance. If only the authentication result generated by the above is validated, the advantages of the distributed authentication system as described above are impaired. That is, the service can be used if the authentication server 30 used by the user is included in the white list, but not all services can be used if the authentication server 30 is not included in the white list. On the other hand, it is conceivable that the authentication by the authentication server that is not malicious for the service provider is blocked, and the opportunity for acquiring a new user is reduced.

  Therefore, according to the present embodiment, the information providing server 20 associates an evaluation value threshold for each service to be provided, and provides a service according to the evaluation value of the authentication server 30 that generated the authentication result of the user terminal 10. Therefore, even if the authentication result is generated by the third-party information providing server 20 having no trust relationship, the service can be provided according to the evaluation value. When the information providing server 20 receives an authentication result generated by any one of the plurality of authentication servers 30 constructed by a third party, the information providing server 20 calculates an evaluation value corresponding to the authentication server 30. Since the service corresponding to the calculated evaluation value is provided, for example, when authentication by only the authentication server 30 having a low evaluation value is successful, a relatively low-function service is provided, and the evaluation value When the authentication by the high authentication server 30 is successful, or when the authentication by the plurality of information providing servers 20 is successful, it is possible to perform control to provide a relatively high-function service.

  That is, it is possible to provide a service according to the evaluation value of the authentication server 30 that generated the authentication result, not depending on the alternative determination of whether or not the authentication by the authentication server 30 is successful. , The service to be provided can be flexibly controlled. For example, only the calendar function service is provided to the user terminal 10 using the authentication server 30 having a relatively low evaluation value, and the user terminal 10 using the authentication server 30 having a relatively high evaluation value is used. Can be controlled to provide a calendar function and a mail function.

  Moreover, since the evaluation value stored in the evaluation value storage unit 24 can be stored in association with only the higher domain name, the evaluation value corresponding to all the authentication servers 30 constructed on the network. Can be calculated in the evaluation value storage unit 24, the reliability evaluation value of the authentication server 30 belonging to the designated higher domain can be calculated.

  Note that each functional unit that performs authentication evaluation according to the present embodiment may be provided in the information providing server 20 that provides a service, as described in the present embodiment, but the functional unit that calculates an evaluation value of the authentication server 30. The evaluation value calculation server including only the server is constructed, and the plurality of information providing servers 20 determine the service to be provided based on the evaluation value of the authentication server 30 acquired by making an inquiry to the evaluation value calculation server. good.

  Note that a program for realizing the function of the processing unit in the present invention is recorded on a computer-readable recording medium, and the program recorded on the recording medium is read into a computer system and executed to perform authentication processing. May be. Here, the “computer system” includes an OS and hardware such as peripheral devices. The “computer system” includes a WWW system having a homepage providing environment (or display environment). The “computer-readable recording medium” refers to a storage device such as a flexible medium, a magneto-optical disk, a portable medium such as a ROM and a CD-ROM, and a hard disk incorporated in a computer system. Further, the “computer-readable recording medium” refers to a volatile memory (RAM) in a computer system that becomes a server or a client when a program is transmitted via a network such as the Internet or a communication line such as a telephone line. In addition, those holding programs for a certain period of time are also included.

  The program may be transmitted from a computer system storing the program in a storage device or the like to another computer system via a transmission medium or by a transmission wave in the transmission medium. Here, the “transmission medium” for transmitting the program refers to a medium having a function of transmitting information, such as a network (communication network) such as the Internet or a communication line (communication line) such as a telephone line. The program may be for realizing a part of the functions described above. Furthermore, what can implement | achieve the function mentioned above in combination with the program already recorded on the computer system, what is called a difference file (difference program) may be sufficient.

DESCRIPTION OF SYMBOLS 1 Information communication system 10 User terminal 20 Information provision server 21 Authentication request reception part 22 Authentication request transfer part 23 Authentication result reception part 24 Evaluation value memory | storage part 25 Session information memory | storage part 26 Evaluation value calculation part 27 Service provision threshold value memory | storage part 28 Service provision Part 29 Authentication server upper limit number storage part 30 Authentication server

Claims (3)

An information providing server that is connected to a plurality of authentication servers that authenticate user terminals connected via a network, and that provides services according to the authentication result of the user terminals by the authentication server,
For each authentication server, an evaluation value storage unit that is stored in advance in association with an evaluation value indicating the degree of reliability of the authentication server;
For each of a plurality of services provided by the information providing server, a service provision threshold value storage unit that stores a threshold value of the evaluation value indicating whether or not to provide the service;
An authentication request receiving unit that receives an authentication request to any one of the plurality of authentication servers from the user terminal;
An authentication request transfer unit that transfers the authentication request received by the authentication request reception unit to the corresponding authentication server;
An authentication result receiving unit that receives an authentication result indicating whether or not the user terminal has been authenticated from the authentication server in response to the authentication request transferred by the authentication request transfer unit;
When the authentication result received by the authentication result receiving unit indicates that the user terminal has been authenticated, the evaluation value associated with the authentication server that is the transmission source of the authentication result from the evaluation value storage unit An evaluation value calculation unit for reading
The evaluation value calculated by the evaluation value calculation unit is compared with the threshold value stored in the service provision threshold value storage unit, and the service associated with the threshold value equal to or less than the evaluation value is transmitted to the user terminal. A service provider to provide,
An authentication server upper limit number storage unit in which an upper limit value of the number of authentication servers for which an authentication result by the authentication server is valid is stored ;
The evaluation value calculating unit calculates a total value of the authentication results received from a number of the authentication servers equal to or less than the upper limit value . The authentication request receiving unit receives authentication requests from the user terminal to the plurality of authentication servers,
The authentication result receiving unit receives an authentication result indicating whether or not the user terminal has been authenticated from the authentication server corresponding to the plurality of authentication requests;
The evaluation value calculation unit includes the evaluation associated with the authentication server that is a transmission source of an authentication result indicating that the user terminal has been authenticated among a plurality of authentication results received by the authentication result receiving unit. The information providing server according to claim 1, wherein a value is read from the evaluation value storage unit, and a total value of the read evaluation values is calculated. In the evaluation value storage unit, an evaluation value is associated with each URL corresponding to the authentication server, and the URL includes a host domain name represented by a character string from an upper domain to a lower domain, and an upper domain The information providing server according to claim 1 , wherein the information providing server is indicated by any one of a domain name represented by only a character string.

Images