JP6266049B1 - Information processing system, information processing method, information processing apparatus, and program - Google Patents

Abstract

An automatic single sign-on process is suitably performed. An information processing system according to an aspect of the present invention includes a first apparatus that provides a communication service to a user terminal, and a second apparatus that provides a Web service authentication process to the user terminal. A third device for storing data, a fourth device for communicating with the first device, the second device and the third device, and a fifth device for communicating with the user terminal and the third device. An information processing system comprising: a reception unit configured to receive authentication permission information of the Web service related to the user terminal from the second device; and 3, and the fifth device has a control unit that performs control for acquiring the authentication permission information from the third device and transmitting the authentication permission information to the user terminal. It is characterized by that. [Selection] Figure 4

Description

  The present invention relates to an information processing system, an information processing method, an information processing apparatus, and a program related to authentication of a Web service.

  Web services (cloud services) provided via a network have become widespread. An example of a cloud service is SaaS (Software as a Service). By using a cloud service, a business system or the like can be transferred to the Web, and rich functions can be provided to communication terminals connected to the network.

  Cloud services are usually provided only to authorized users and require user authentication. For example, a communication terminal that has transmitted an appropriate user identifier and password can pass user authentication. If users using many cloud services input authentication information (authentication information) for each cloud service, it is not convenient.

  For this reason, a technique called Single Sign On (SSO) that enables a plurality of systems to be used with a single user authentication has been widely studied. As an SSO method, there are a method using a reverse proxy, a method based on SAML (Security Assertion Markup Language), a method based on OpenID (registered trademark) (OpenID Connect), and the like. The user can use a cloud service corresponding to SAML, for example, by logging in to the authentication server (SSO server) only once.

  However, even when SSO is used, since the user needs to sign on to the service portal system, for example, further improvement in convenience is desired. For example, a technique for realizing SSO to a cloud service by simply performing OS (Operating System) authentication of a user device has been proposed (Patent Document 1).

JP2013-8140A

  However, in the invention described in Patent Document 1, the user device needs to be connected to a specific network (for example, an in-house LAN (Local Area Network)) having a dedicated authentication cooperation device for cooperation with the SSO server. There is a problem that it is applied in a limited environment, and the degree of freedom of use is small.

  SUMMARY An advantage of some aspects of the invention is that it provides an information processing system, an information processing method, an information processing apparatus, and a program capable of suitably performing automatic SSO processing.

An information processing system according to an aspect of the present invention includes a first device that provides a communication service to a user terminal, a second device that provides a web service authentication process to the user terminal, and data. A third device to store; a fourth device in communication with the first device, a second device, and a third device; and a fifth device in communication with the user terminal and the third device. The fourth apparatus includes an authentication processing unit that performs authentication processing of the communication service related to the user terminal based on a notification from the first apparatus, and the Web related to the user terminal. A reception unit that receives service authentication permission information from the second device; and a transmission unit that transmits the authentication permission information to the third device. The fifth device includes the third device. Authentication authorization from device Acquires distribution, have a control unit for performing control to transmit to the user terminal, and the transmission unit, upon successful authentication of the communication service, to the second device, said Web Service The information necessary for the authentication process is transmitted, and the receiving unit receives the authentication permission information acquired using the information necessary for the authentication process of the Web service from the second device. To do.

  According to the present invention, automatic SSO processing can be suitably performed.

It is a figure which shows an example of the authentication system and protocol of wireless LAN service. It is a figure which shows an example of the authentication system and protocol of Web service. It is a figure which shows an example of schematic structure of the information processing system which concerns on one Embodiment of this invention. It is a figure which shows an example of the sequence of the single sign-on of wireless LAN and Web service concerning one Embodiment of this invention. It is a figure which shows an example of the more detailed sequence of step S1-S10 of FIG. It is a figure which shows an example of the more detailed sequence of step S10-S12 of FIG. It is a figure which shows an example of the sequence of the authentication session invalidation which concerns on one Embodiment of this invention. It is a figure which shows an example of the function structure of the server which concerns on one Embodiment of this invention. It is a figure which shows an example of the hardware constitutions of the server and device which concern on one Embodiment of this invention.

  As the number of wireless LANs and Web systems that can be connected to user terminals increases, it takes time to input identifiers (ID: Identifier) and passwords (PWD: Password) necessary for each login process, and increases the management load. There are challenges.

  The present inventors thought that the above-described problems could be solved if SSO between the wireless LAN service and the Web service could be realized. However, in general, SSO is targeted for Web services (Web applications) that have the same data communication method and authentication method. For this reason, in the technology for realizing the conventional SSO, the SSO between the wireless LAN service and the Web service cannot be realized because protocols such as a data communication method and an authentication method are different.

  The present inventors have noticed that it is necessary to connect to a network in order to use a Web service, and have found that it is preferable to automatically perform the SSO process as the network connection is established. For example, it is highly convenient if the Web service group that can be used by the SSO process can be switched depending on the connected network.

  Therefore, the present inventors first examined the difference between an authentication method for connecting to a network and an authentication method for a Web service.

  FIG. 1 is a diagram illustrating an example of an authentication method and protocol for a wireless LAN service. In the case of FIG. 1, between the wireless terminal and the wireless system (for example, a wireless access point (AP), a wireless LAN controller (WLC), etc.) , Communication is realized using IEEE 802.11a). Such a wireless LAN is also referred to as Wi-Fi (registered trademark).

  In addition, communication is realized between the wireless system and the authentication system using Ethernet (registered trademark), IP (Internet Protocol), UDP (User Datagram Protocol), or the like in a lower layer. In addition, although the example which connects between a radio | wireless system and an authentication system with a wire is shown, it is not restricted to this.

  The wireless terminal first accesses the wireless system and requests 802.1X authentication. The authentication protocol only needs to be supported by 802.1X authentication. For example, TLS (Transport Layer Security), PEAP (Protected Extensible Authentication Protocol), or the like can be used. The authentication protocol packet is wrapped by EAP (Extensible Authentication Protocol) and communicated as a data link layer packet by EAPoL (EAP over LAN).

  The wireless system transmits an authentication request to the authentication system. The wireless system and the authentication system are connected by a trusted network, and RADIUS (Remote Authentication Dial In User Service) is used instead of EAPoL. The authentication system (authentication server) is also called, for example, a RADIUS server.

  Upon receiving the authentication request, the authentication system returns an authentication response, and the wireless system transmits an authentication result based on the authentication response to the wireless terminal.

  FIG. 2 is a diagram illustrating an example of an authentication method and protocol for a Web service. In the case of FIG. 2, communication is realized between the wireless terminal and the wireless system using a wireless LAN of the IEEE 802.11 standard in the lower layer. In addition, communication is realized between the wireless system and the authentication system using the Ethernet of the IEEE 802.3 standard in the lower layer. In addition, although the example which connects between a radio | wireless system and an authentication system with a wire is shown, it is not restricted to this.

  For communication between the apparatuses, IP, TCP (Transmission Control Protocol), HTTP (Hypertext Transfer Protocol) / HTTPS (HTTP Secure), or the like is used. The authentication protocol may be, for example, form authentication or basic authentication. The wireless terminal transmits an authentication request to the Web server via the wireless system and receives an authentication response from the Web server.

  The wireless LAN service and Web service authentication method as described above were studied, and the present inventors conceived of realizing single sign-on of the wireless LAN service and one or more Web services. Specifically, when the user terminal succeeds in the authentication of the wireless LAN connection, the present inventors obtain an authentication session from the Web service authentication server based on the authentication information, and then bridge the authentication session. I found out.

  As a result, a user using a wireless LAN can use a Web service or a cloud service without inputting an ID and a password only by performing authentication once when the wireless LAN is connected.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings. In the following embodiments, a case where a network used by a user device (user terminal) is a wireless LAN will be described as an example, but the present invention is not limited to this. For example, the present invention can be applied even when a wired LAN is used for the network, a telephone line is used, or another network configuration is used.

(Information processing system)
First, an information processing system to which the present invention is applied will be described. FIG. 3 is a diagram illustrating an example of a schematic configuration of an information processing system according to an embodiment of the present invention. The information processing system 1 shown in FIG. 3 includes a user terminal 10, a wireless system 20, an authentication server (RADIUS server) 30, an SSO server (IdP (Identity Provider) server) 40, and a database (DB) 50. , An authentication cooperation server (portal server) 60, and a cloud service provider (SP) server / SSO protection target server 70 (hereinafter, they are simply referred to as “SP server 70” without being distinguished from each other). .

  The user terminal 10 is an information processing apparatus that executes an application such as a browser by user operation and communicates with various servers. The user terminal 10 has a wireless communication function and performs wireless communication with the wireless system 20. The user terminal 10 may be a mobile terminal (mobile communication terminal) such as a mobile phone, a smartphone, or a tablet terminal, or may be a fixed communication terminal such as a personal computer (PC).

  The wireless system 20 includes an AP that realizes wireless communication with the user terminal 10, a WLC that performs control (for example, control of the AP) regarding wireless communication of the user terminal 10, and the like. The AP may be a router, for example, and the WLC may be called a wireless LAN switch. Further, the AP and the WLC may be connected by wire or wirelessly. The AP and WLC may be realized with a single device. Hereinafter, the wireless system 20 is also simply referred to as WLC 20 in this specification.

  The WLC 20 (first device) is an information processing device (for example, a wireless controller) that supports a predetermined authentication method (for example, 802.1X authentication, RADIUS authentication, etc., as shown in FIG. 1). The WLC 20 provides a predetermined communication service (for example, wireless communication) to the user terminal 10 that has been successfully authenticated. The WLC 20 may provide a wired communication service when connected to the user terminal 10 by wire.

  The RADIUS server 30 (a fourth device that communicates with the first device, the second device, and the third device) is an information processing device that provides RADIUS authentication to the user terminal 10. The RADIUS server 30 can request the SSO server 40 to perform SSO authentication for the user terminal 10 and acquire session information.

  The SSO server 40 (second device) is an information processing device that provides Web service authentication processing to the user terminal 10. For example, the SSO server 40 provides SSO processing related to the SP server 70. SSO to Web applications and cloud services can be realized using, for example, OpenAM (registered trademark).

  The DB 50 (third device) is an information processing device that stores various data. For example, the DB 50 stores session information indicating that SSO authentication has been completed. The DB 50 may be called a file, a directory, a user store, or the like.

  The portal server 60 (a fifth device that communicates with the user terminal 10 and the third device) is an information processing device that acquires SSO session information corresponding to the user terminal 10 from the DB 50 and transmits the session information to the user terminal 10. Further, the portal server 60 can notify the user terminal 10 of information for performing web authentication.

  The SP server 70 is an information processing apparatus that provides a service to the SSO-authenticated user terminal 10. When there is one SP server 70 that requires sign-on, or when the SP server 70 is the same as the SSO server 40, the SSO server 40 is a Web server that performs sign-on instead of SSO. May be.

  An example of the functional configuration and hardware configuration of each device such as the RADIUS server 30 will be described later.

  Note that the system configuration is an example, and the present invention is not limited to this. For example, each device is configured to include one device in FIG. 1, but the number of devices is not limited to this, and a plurality of devices may exist. Further, the information processing system 1 may be configured such that a function of a predetermined device is realized by a plurality of devices. For example, the SP server 70 may be composed of a plurality of servers.

  A plurality of devices may be realized by one device. For example, at least two of the RADIUS server 30, the DB 50, and the portal server 60 may be realized by a single device (for example, a server).

(Information processing method)
An information processing method (SSO authentication cooperation method) according to an embodiment of the present invention will be described below. Each information processing method may be applied to the information processing system described above.

  Hereinafter, a specific processing flow will be described with reference to FIG. FIG. 4 is a diagram illustrating an example of a single sign-on sequence for a wireless LAN and a Web service according to an embodiment of the present invention.

  The user terminal 10 requests connection to the WLC 20 (step S1). In the case of a wireless LAN, 802.1X authentication is started. The user inputs authentication information (for example, ID, password (PWD), etc.) to the user terminal 10, and the user terminal 10 transmits the authentication information to the WLC 20.

  Next, the WLC 20 transmits an authentication request (RADIUS / Access-Request) to the RADIUS server 30 (step S2). The RADIUS server 30 performs authentication of the user terminal 10 and executes step S3 and subsequent steps when the authentication is successful. If authentication by RADIUS fails, an authentication rejection (RADIUS / Access-Reject) indicating that authentication is rejected is transmitted to the WLC 20.

  The RADIUS server 30 that has succeeded in the authentication by RADIUS (authentication of the wireless LAN connection of the user terminal 10) transmits a web service authentication session issuance request to the SSO server 40 (step S3). Step S3 may be performed via an interface called REST (Representational State Transfer) API (Application Programming Interface), RESTful API, or the like. Specifically, in the REST API, a process request / response can be notified using HTTP GET and / or POST.

  If the user authentication is successful, the SSO server 40 generates information indicating authentication permission and transmits it to the RADIUS server 30 (step S4). This information may be called session information, authentication permission information, authentication success information, token, SSO token, Web service token, or the like. Step S4 may be referred to as a web service authentication session issuance process.

  Note that steps S2 to S4 may be implemented in another manner. For example, after step S2, the RADIUS server 30 may not perform RADIUS authentication itself. In this case, the RADIUS server 30 transmits information necessary for the RADIUS authentication process (for example, the ID and PWD of the user terminal 10) to the SSO server 40. The information may be transmitted simultaneously with the web service authentication session issuance request (step S3 '). The SSO server 40 can perform RADIUS authentication and Web service authentication, and can transmit information related to the RADIUS authentication result (for example, that authentication was successful) and a token (step S4 '). Note that the SSO server 40 may determine that both have failed if any of the authentications fails.

  The RADIUS server 30 that has received the SSO token registers the SSO token in the DB 50 (step S5). Step S5 may be referred to as a Web service authentication session registration process. Step S5 may be performed before or after step S6, or may be performed simultaneously with step S6.

  The RADIUS server 30 transmits an authentication response (RADIUS / Access-Accept) indicating that the authentication is successful to the WLC 20 (step S6). Here, the RADIUS server 30 transmits the authentication response in step S6 when both the Web service authentication and the RADIUS authentication are successful, but after step S2, the authentication response is transmitted when the RADIUS authentication is successful. May be. In this case, steps S3-S5 may be performed after transmitting the authentication response.

  The WLC 20 notifies the user terminal 10 of a response indicating that the authentication result is successful (step S7). The user terminal 10 can perform wireless communication via the WLC 20 when step S7 is completed.

  When the user terminal 10 that has completed the 802.1X authentication starts Web access (for example, Web access by HTTPS) (step S8), the WLC 20 redirects (transfers) the Web access to the portal server 60 (step S9).

  The user terminal 10 accesses the WLC 20 according to information (for example, a script) instructed from the portal server 60, performs web authentication processing with the RADIUS server 30, and then redirects to the portal server 60 again (step). S10). The web authentication process is preferably performed in the background as will be described later.

  The portal server 60 acquires a Web service authentication session (token) corresponding to the user terminal 10 that has accessed (step S11).

  The portal server 60 transmits the acquired token to the user terminal 10 as cookie information (may be called a cookie token or the like) (step S12). Cookie information may be transmitted by being embedded in a browser. For example, the portal server 60 can transmit the cookie information including the token ID. Through steps S11 and S12, whether or not the user terminal 10 is a session-authenticated terminal and delivery of a Web service authentication session to the user terminal 10 are performed.

  When the user terminal 10 receiving the token accesses the SP server 70 (step S13), the SP server 70 performs redirection to the SSO server 40 and makes an authentication inquiry (step S14). At that time, the token of the SSO server 40 is transmitted as cookie information. For example, when using SAML cooperation, the SP server 70 gives a SAML request and redirects it to the SSO server 40.

  When the SSO server 40 confirms that the user terminal 10 has been authenticated based on the token, the SSO server 40 notifies the SP server 70 that it has been authenticated (step S15). For example, when using SAML cooperation, the SSO server 40 grants a SAML assertion and redirects to the SP server 70. After step S15, since the SSO is completed, the user terminal 10 can use each cloud service.

  Further, when the SP server 70 is not a server that provides a cloud service but is an SSO protection target server 70 that individually provides a Web service, the user terminal 10 directly connects to the SSO protection target server 70 and each Web service Can be used. When the token is a token related to a predetermined Web service, the user terminal 10 can directly use the Web service by directly communicating with the Web server that provides the Web service.

  FIG. 5 is a diagram showing an example of a more detailed sequence of steps S1 to S10 in FIG. In step S1, for example, the user terminal 10 transmits a user ID (ID) and a password (PWD).

  In step S <b> 2, the WLC 20 transmits identification information for identifying the user terminal 10 to the RADIUS server 30 in addition to the ID and PWD transmitted from the user terminal 10. Here, the specific information may be at least one of, for example, a MAC (Media Access Control) address of the user terminal 10, a serial number of the user terminal 10, and a user name using the user terminal 10. Hereinafter, a case where a MAC address (indicated by “ClientMAC” in FIG. 5) is used as specific information will be described as an example, but the present invention is not limited to this. The WLC 20 can easily acquire the MAC address of the user terminal 10 that is communicating via the AP.

  In step S <b> 3, the RADIUS server 30 transmits information necessary for SSO (or Web service) authentication processing (for example, account information such as ID and PWD necessary for login) to the SSO server 40. If the wireless LAN account (RADIUS authentication account) and the SSO account (and / or Web service account) are the same, the RADIUS server 30 transmits the ID transmitted from the user terminal 10. And PWD can be transmitted.

  If the wireless LAN account and the SSO account are different, the RADIUS server 30 acquires and acquires the ID and PWD of the SSO account based on the ID and PWD pair or specific information. The ID and PWD may be transmitted to the SSO server 40.

  For example, the RADIUS server 30 may hold information (for example, a reference table) regarding a correspondence relationship between a wireless LAN account and an SSO account. In this case, the RADIUS server 30 includes the reference table, the user, Based on the information (for example, ID, PWD, etc.) regarding the wireless LAN account received from the terminal 10, the information (for example, ID, PWD, etc.) regarding the SSO account may be specified.

  After the token is issued in step S4, in step S5, the RADIUS server 30 registers the received token together with (associated with) at least one of account information (ID and PWD) and specific information for wireless LAN (in association). Register). In the example of FIG. 3, the RADIUS server 30 notifies the DB 50 of the ID, MAC address, and token (Token) for registration.

  In step S6, the RADIUS server 30 can transmit information (for example, address, URL (Uniform Resource Locator)) necessary for access to the redirect destination portal server 60 to the WLC 20 together with the authentication response. The address of the redirect destination portal server 60 may be set in the WLC 20 in advance, but it is preferable that the address can be updated by a notification from the RADIUS server 30. Further, the RADIUS server 30 may transmit user identification information (for example, ID, specific information, etc.) to the WLC 20.

  After the wireless connection is established in step S7, for example, the user of the user terminal 10 starts a browser and performs Web access (here, “www.test.com” is accessed as a Web page. Subject is not limited to this). Since the user terminal 10 has not been authenticated by the Web authentication yet, it is forcibly redirected to the URL (portal server 60) specified in Step S6 by the Web authentication redirect function of the WLC 20 (Steps S8 to S9).

  At this time, the HTTP GET request transmitted from the user terminal 10 to the portal server 60 includes, for example, specific information (client_mac), the MAC address (ap_mac) of the AP to which the user terminal 10 is connected, and the controller's qualification information. URL (switch_url (switch URL)), URL to which the user is redirected after successful authentication (redirect (redirect URL)), WLAN SSID (Service Set Identifier) (wlan) used by the user terminal 10 are included. Also good. Such information can be transmitted as a URL query character string (URL parameter).

  The portal server 60 returns information (for example, a script, a parameter, etc.) for causing the user terminal 10 to perform web authentication processing in the background. For example, a URL for Web authentication may be specified as the switch URL, and a portal server URL (URL for delivering a session) redirected after Web authentication may be included in the redirect URL.

  The user terminal 10 transmits user identification information (for example, ID, specific information, etc.) and a password to the WLC 20 for Web authentication (step S10). Here, a user name (uname) and a password (pwd) are transmitted as user identification information. A redirect URL may be transmitted.

  The WLC 20 that has started Web authentication transmits an accounting request (RADIUS / Accounting-Request) to the RADIUS server 30. The accounting request may be transmitted including the accounting status (“START” indicating “start”), the accounting target session ID (Session-ID), and specific information (for example, the MAC address of the user terminal 10).

  When the RADIUS server 30 determines that the user terminal 10 has already succeeded in the RADIUS authentication (success in the Web authentication process), information indicating the status of the accounting start to the user terminal 10 (for example, a start flag (Acct-Start- flag)) is registered (also referred to as storage or setting) in the DB 50. The RADIUS server 30 may determine the user terminal 10 that is a target for registering the start flag based on the received specific information.

  The RADIUS server 30 may transmit (register) a start flag in association with the session ID and / or the specific information to the DB 50. After successful registration, the RADIUS server 30 transmits an accounting response (RADIUS / Accounting-Response) to the WLC 20. Here, the web authentication process is completed (the status of the WLC 20 is “Run”).

  FIG. 6 is a diagram illustrating an example of a more detailed sequence of steps S10 to S12 in FIG. Since the Web authentication process is completed, the WLC 20 redirects again to the portal server 60 (step S10). The portal server 60 accesses the DB 50, selects information corresponding to the specific information, and confirms whether the start flag is set and / or the SSO status. When the start flag is set, the SSO status may be updated and registered in the DB 50 as “start”. Further, an SSO token corresponding to the specific information is acquired (step S11).

  The portal server 60 transmits the acquired token to the user terminal 10 as cookie information (step S12). The user terminal 10 that has received the token lists, for the portal server 60, a predetermined cloud service Web page, a Web service Web page, or a cloud service and / or Web service that the user terminal 10 can access. A GET request for a Web page (which may be called a portal page or userhome) may be transmitted.

  According to the embodiment of the information processing method described above, a user using a wireless LAN can use a Web service or a cloud service without inputting an ID and a password, only by performing authentication once when the wireless LAN is connected. It becomes possible.

  In particular, according to the above-described embodiment, the token acquisition process from the portal server 60 can be automatically performed using the Web authentication redirect function of the WLC 20. Since the RADIUS server 30 can set the address (URL or the like) of the redirect destination portal server 60 in the WLC 20, for example, even when the user using the user terminal 10 does not know the address of the portal server 60 in advance. Communication with an appropriate portal server 60 can be performed according to the wireless LAN service (WLC 20) to be connected.

  Also, if the user terminal is once connected to a wireless LAN capable of SSO cooperation and stores the account information of the wireless LAN, the user ID / PWD input process can be omitted. The burden can be greatly reduced.

  Note that the steps S10 to S11 in FIG. 5-6 ensure that the user terminal 10 can acquire a token at the first Web access by the browser. However, steps S10-S11 may be omitted. In this case, after step S9, the portal server 60 may acquire a token from the DB 50 using the specific information of the user terminal 10 (step S11 '). By omitting the Web authentication process, it is possible to shorten the time required for token acquisition.

  When the wireless connection of the user terminal 10 is disconnected, the SSO token may remain valid (maintain the authentication session), but it is preferable to invalidate the SSO token (discard the authentication session).

  FIG. 7 is a diagram showing an example of an authentication session invalidation sequence according to an embodiment of the present invention. The WLC 20 whose status is “Run” confirms whether the wireless communication with the user terminal 10 is maintained periodically and / or at an arbitrary timing. When the wireless LAN (Wi-Fi) is disconnected, the WLC 20 detects this.

  The WLC 20 transmits an accounting stop (RADIUS / Accounting-Request (Stop)) to the RADIUS server 30. To stop accounting, an HTTP session ID (Session-ID) may be included.

  The RADIUS server 30 instructs the SSO server 40 to log out the token corresponding to the user terminal 10 via the REST API. The SSO server 40 notifies the RADIUS server 30 that the logout has been successful.

  The RADIUS server 30 instructs the DB 50 to delete the session ID. The DB 50 notifies the RADIUS server 30 that the session ID has been successfully deleted.

  The RADIUS server 30 transmits an accounting response (RADIUS / Accounting-Response) to the WLC 20. Here, the authentication session invalidation processing is completed. Although FIG. 5 illustrates an example in which the WLC 20 proceeds with the authentication session invalidation process when the wireless LAN of the user terminal 10 is disconnected, the present invention is not limited thereto. For example, when the user terminal 10 transmits a predetermined signal to the WLC 20, the WLC 20 may perform the authentication session invalidation process of the user terminal 10.

  In the above embodiment, the user terminal 10 uses the wireless LAN. However, the present invention is not limited to this. For example, when a user terminal logs in to at least one account of a wired LAN, a telephone line, another network, and another access network, an SSO (or Web service) login process is performed based on the account. Also good. As other networks, for example, LTE (Long Term Evolution), LTE-A (LTE-Advanced), GSM (registered trademark) (Global System for Mobile communications), WCDMA (registered trademark), CDMA2000, IEEE 802.16 ( WiMAX (registered trademark)), IEEE 802.20, Bluetooth (registered trademark), other wireless communication methods and / or the next generation communication method extended based on these methods may be applied to the SSO authentication cooperation method described above. Good.

(Device configuration)
FIG. 8 is a diagram illustrating an example of a functional configuration of the RADIUS server 30 according to an embodiment of the present invention. The RADIUS server 30 includes a control unit 31, a storage unit 32, a communication unit 33, an input unit 34, and an output unit 35. In this example, the functional block of the characteristic part in this embodiment is mainly shown, and the RADIUS server 30 may also have other functional blocks necessary for other processing. Moreover, it is good also as a structure which does not include one part functional block.

  The control unit 31 controls the RADIUS server 30. The control part 31 can be comprised by the controller, control circuit, or control apparatus demonstrated based on the common recognition in the technical field which concerns on this invention.

  The control unit 31 can constitute an authentication processing unit according to an embodiment of the present invention. For example, the control unit 31 may perform control that functions as an authentication processing unit that performs authentication processing of a communication service (for example, wireless communication) related to the user terminal 10 based on a notification from the WLC 20. Moreover, the said authentication process part may perform the web authentication process of the said user terminal 10 based on the notification from the user terminal 10 (WLC20). The notification may be based on information transmitted from the portal server 60 to the user terminal 10 for performing web authentication processing.

  The storage unit 32 stores (holds) information used by the RADIUS server 30. For example, the storage unit 32 may store specific information of the user terminal 10, a token, and the like. The storage unit 32 can be constituted by, for example, a memory, a storage, a storage device, and the like described based on common recognition in the technical field according to the present invention.

  The communication unit 33 communicates various information with other devices. The communication part 33 can be comprised by the transmitter / receiver, the transmission / reception circuit, or transmission / reception apparatus demonstrated based on the common recognition in the technical field which concerns on this invention. Note that the communication unit 33 may include a transmission unit and a reception unit.

  For example, when the communication unit 33 succeeds in the authentication process of the communication service related to the user terminal 10, the communication unit 33 transmits information necessary for the authentication process of the Web service (SSO) related to the user terminal 10 to the SSO server 40. Web service (SSO) authentication permission information acquired using such information may be received.

  The communication unit 33 may transmit Web service (SSO) authentication permission information (token) to the DB 50. In addition, the communication unit 33 may transmit predetermined information (such as a URL) used to acquire a token stored in the DB 50 to the WLC 20.

  Further, the communication unit 33 receives specific information (for example, a MAC address) for specifying the user terminal 10 from the WLC 20, and transmits the token received from the SSO server 40 to the DB 50 in association with the specific information. Also good.

  Further, when the web authentication process is successful, the communication unit 33 may transmit (register) information indicating the status of accounting start to the user terminal 10 to the DB 50 in association with the specific information of the user terminal 10.

  The input unit 34 receives an input by an operation from the user. The input unit 34 may be connected to a predetermined device or storage medium and accept data input. The input unit 34 may output the input result to the control unit 31, for example.

  The input unit 34 can be configured by an input device such as a keyboard, a mouse, and a button, an input terminal, an input circuit, and the like described based on common recognition in the technical field according to the present invention. Further, the input unit 34 may have a configuration (for example, a touch panel) integrated with the display unit.

  The output unit 35 outputs various information so that the user can recognize it. For example, the output unit 35 may include a display unit that displays an image, an audio output unit that outputs audio, and the like. The display unit can be configured by, for example, a display device such as a display or a monitor described based on common recognition in the technical field according to the present invention. The audio output unit can be configured by an output device such as a speaker described based on common recognition in the technical field according to the present invention.

  The output unit 35 includes, for example, an arithmetic unit, an arithmetic circuit, an arithmetic device, a player, an image / video / audio processing circuit, an image / video / audio processing device, which are described based on common recognition in the technical field according to the present invention, An amplifier or the like can be included.

  The user terminal 10, the WLC 20, the SSO server 40, the DB 50, the portal server 60, the SP server 70, and the like may have the same configuration as that in FIG. For example, the control unit of the WLC 20 may perform control so as to perform redirection to the portal server 60 for Web access from the user terminal 10 that has succeeded in authentication processing of the communication service. Here, at the time of the redirection, the specific information of the user terminal 10 may be transmitted together. Further, the control unit of the portal server 60 may control to acquire a token from the DB 50 and transmit it to the user terminal 10 based on the redirect.

(Hardware configuration)
In addition, the block diagram used for description of the said embodiment has shown the block of the functional unit. These functional blocks (components) are realized by any combination of hardware and / or software. Further, the means for realizing each functional block is not particularly limited. That is, each functional block may be realized by one physically coupled device, or may be realized by two or more physically separated devices connected by wire or wirelessly and by a plurality of these devices. Good.

  For example, the RADIUS server 30 in one embodiment of the present invention may function as a computer that performs processing of the information communication method of the present invention. FIG. 9 is a diagram illustrating an example of a hardware configuration of the RADIUS server 30 according to an embodiment of the present invention. The RADIUS server 30 and the SSO server 40 described above may be physically configured as a computer device including a processor 1001, a memory 1002, a storage 1003, a communication device 1004, an input device 1005, an output device 1006, a bus 1007, and the like. Good.

  In the following description, the term “apparatus” can be read as a circuit, a device, a unit, or the like. The hardware configuration of the RADIUS server 30 and the SSO server 40 may be configured to include one or a plurality of the devices illustrated in the figure, or may be configured not to include some devices.

  For example, although only one processor 1001 is shown, there may be a plurality of processors. Further, the processing may be executed by one processor, or the processing may be executed by one or more processors simultaneously, sequentially, or in another manner.

  Each function in the RADIUS server 30, the SSO server 40, and the like reads predetermined software (program) on hardware such as the processor 1001 and the memory 1002, so that the processor 1001 performs computation, and communication by the communication device 1004, This is realized by controlling reading and / or writing of data in the memory 1002 and the storage 1003.

  For example, the processor 1001 controls the entire computer by operating an operating system. The processor 1001 may be configured by a central processing unit (CPU) including an interface with peripheral devices, a control device, an arithmetic device, a register, and the like. Each unit such as the control unit 11 described above may be realized by the processor 1001. The processor 1001 may be implemented by one or more chips.

  Further, the processor 1001 reads a program (program code), software module, and data from the storage 1003 and / or the communication device 1004 to the memory 1002, and executes various processes according to these. As the program, a program that causes a computer to execute at least a part of the operations described in the above embodiments is used. For example, the control unit 11 may be realized by a control program stored in the memory 1002 and operated by the processor 1001, and may be realized similarly for other functional blocks.

  The memory 1002 is a computer-readable recording medium. For example, the memory 1002 includes at least a ROM (Read Only Memory), an EPROM (Erasable Programmable ROM), an EEPROM (Electrically EPROM), a RAM (Random Access Memory), and other suitable storage media. It may be configured by one. The memory 1002 may be called a register, a cache, a main memory (main storage device), or the like. The memory 1002 can store a program (program code), a software module, and the like that can be executed to perform the information processing method according to an embodiment of the present invention.

  The storage 1003 is a computer-readable recording medium such as a flexible disk, a floppy (registered trademark) disk, a magneto-optical disk (for example, a compact disk (CD-ROM (Compact Disc ROM), etc.)), a digital versatile disk, Blu-ray (registered trademark) disk, removable disk, hard disk drive, smart card, flash memory device (eg, card, stick, key drive), magnetic stripe, database, server, or other suitable storage medium It may be constituted by. The storage 1003 may be referred to as an auxiliary storage device. Note that the above-described storage unit 12 may be realized by the memory 1002 and / or the storage 1003.

  The communication device 1004 is hardware (transmission / reception device) for performing communication between computers via a wired and / or wireless network, and is also referred to as a network device, a network controller, a network card, a communication module, or the like. Note that the communication unit 13 described above may be realized by the communication device 1004.

  The input device 1005 is an input device (for example, a keyboard, a mouse, etc.) that accepts external input. The output device 1006 is an output device (for example, a display, a speaker, etc.) that performs output to the outside. The input device 1005 and the output device 1006 may have an integrated configuration (for example, a touch panel). The input unit 14 and the output unit 15 described above may be realized by the input device 1005 and the output device 1006, respectively.

  Each device such as the processor 1001 and the memory 1002 is connected by a bus 1007 for communicating information. The bus 1007 may be configured with a single bus or may be configured with different buses between apparatuses.

  The RADIUS server 30 and the SSO server 40 include a microprocessor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a programmable logic device (PLD), a field programmable gate array (FPGA), and the like. It may be configured including hardware, and a part or all of each functional block may be realized by the hardware. For example, the processor 1001 may be implemented by at least one of these hardware.

(Modification)
Note that the terms described in this specification and / or terms necessary for understanding this specification may be replaced with terms having the same or similar meaning.

  Information, parameters, and the like described in the present specification may be represented by absolute values, may be represented by relative values from predetermined values, or may be represented by other corresponding information. In addition, names used for parameters and the like in this specification are not limited in any respect.

  Information, signals, etc. described herein may be represented using any of a variety of different technologies. For example, data, commands, commands, information, signals, bits, symbols, chips, etc. that may be referred to throughout the above description are voltages, currents, electromagnetic waves, magnetic fields or magnetic particles, light fields or photons, or any of these May be represented by a combination of

  Information, signals, and the like may be input / output via a plurality of network nodes. Input / output information, signals, and the like may be stored in a specific location (for example, a memory) or may be managed in a table. Input / output information, signals, and the like can be overwritten, updated, or added. The output information, signals, etc. may be deleted. Input information, signals, and the like may be transmitted to other devices.

  In addition, notification of predetermined information (for example, notification of “being X”) is not limited to explicitly performed, but implicitly (for example, by not performing notification of the predetermined information or another (By notification of information).

  Software, whether it is called software, firmware, middleware, microcode, hardware description language, or other names, instructions, instruction sets, codes, code segments, program codes, programs, subprograms, software modules , Applications, software applications, software packages, routines, subroutines, objects, executable files, execution threads, procedures, functions, etc. should be interpreted broadly.

  Further, software, instructions, information, and the like may be transmitted / received via a transmission medium. For example, software may use websites, servers using wired technology (coaxial cable, fiber optic cable, twisted pair, digital subscriber line (DSL), etc.) and / or wireless technology (infrared, microwave, etc.) , Or other remote sources, these wired and / or wireless technologies are included within the definition of transmission media.

  As used herein, the terms “system” and “network” are used interchangeably.

  Each aspect / embodiment described in this specification may be used independently, may be used in combination, or may be switched according to execution. In addition, the order of the processing procedures, sequences, flowcharts, and the like of each aspect / embodiment described in this specification may be changed as long as there is no contradiction. For example, the methods described herein present the elements of the various steps in an exemplary order and are not limited to the specific order presented.

  As used herein, the phrase “based on” does not mean “based only on,” unless expressly specified otherwise. In other words, the phrase “based on” means both “based only on” and “based at least on.”

  Although the present invention has been described in detail above, it will be apparent to those skilled in the art that the present invention is not limited to the embodiments described herein. The present invention can be implemented as modified and changed modes without departing from the spirit and scope of the present invention defined by the description of the scope of claims. Therefore, the description of the present specification is for illustrative purposes and does not have any limiting meaning to the present invention.

1 Information processing system 10 User terminal 20 Wireless system (AP / wireless LAN controller)
30 Authentication server (RADIUS server)
40 SSO server 50 Database 60 Authentication collaboration server (portal server)
70 Cloud Service Provider Server / SSO Protection Target Server

Claims (14)

A first device that provides a communication service to a user terminal; a second device that provides a web service authentication process to the user terminal; a third device that stores data; and a first device. An information processing system comprising: a fourth device that communicates with a second device and a third device; and a fifth device that communicates with the user terminal and the third device,
The fourth device includes an authentication processing unit that performs authentication processing of the communication service related to the user terminal based on a notification from the first device;
A receiving unit that receives authentication permission information of the Web service related to the user terminal from the second device;
A transmission unit that transmits the authentication permission information to the third device,
The fifth device acquires the authentication permission information from the third device, have a control unit for performing control to transmit to the user terminal,
The transmission unit transmits information necessary for the authentication process of the Web service to the second device when the authentication process of the communication service is successful.
The information processing system , wherein the receiving unit receives, from the second device, the authentication permission information acquired using information necessary for authentication processing of the Web service . A first device that provides a communication service to a user terminal; a second device that provides a web service authentication process to the user terminal; a third device that stores data; and a first device. An information processing system comprising: a fourth device that communicates with a second device and a third device; and a fifth device that communicates with the user terminal and the third device,
The fourth device includes a receiving unit that receives authentication permission information of the Web service related to the user terminal from the second device;
A transmission unit that transmits the authentication permission information to the third device,
The fifth device includes a control unit that performs control for acquiring the authentication permission information from the third device and transmitting the acquired information to the user terminal,
The second apparatus includes an authentication processing unit that performs authentication processing of the communication service related to the user terminal,
And the transmission unit, to the second device, and information necessary for authentication processing before Symbol Web service, and information necessary for authentication processing of the communication services included in the notification from the first device, Send
The authentication processing unit performs authentication processing of the communication service related to the user terminal based on information necessary for authentication processing of the communication service,
When the authentication process of the communication service is successful in the second device, the reception unit receives the authentication permission information of the Web service acquired using information necessary for the authentication process of the Web service. The information processing system according to claim 1, wherein the information processing system is received from the second device. The first device controls to perform redirection to the fifth device for Web access from the user terminal that has succeeded in authentication processing of the communication service,
The fifth device, based on the redirection, the third acquiring the authentication permission information from the apparatus, the information processing according to claim 1 or claim 2, characterized in that transmitting to the user terminal system. And the transmission unit, information according to claim 3, characterized in that transmitting the predetermined information used to obtain the said authentication permission information stored in the third device, the first device Processing system. The predetermined information is a URL (Uniform Resource Locator) of the fifth device,
The first device of claim 4 in which the Web access from the user terminal which has succeeded in the authentication process of the communication service, and controls to redirect to a URL of said fifth device Information processing system. The receiving unit receives identification information for identifying the user terminal from the first device;
The transmitting unit transmits the authentication permission information to the third device in association with the specific information,
The first device controls to transmit the specific information to the fifth device when redirecting to the fifth device,
The fifth device, using the specific information, the information processing system according to claim 4 or claim 5, characterized in that obtaining the authentication permission information from the third device. The fifth device transmits information for causing the user terminal to perform web authentication processing,
The information processing system according to claim 6 , wherein the fourth apparatus performs the Web authentication process based on a notification transmitted according to the information. And the transmission unit, when succeeding in the Web authentication process, according to claim 7, characterized in that transmits information indicating the accounting start status to the user terminal, in association with the specific information to the third device the information processing system according to. The specific information processing system according to claim 8 claims 6, characterized in that the MAC (Media Access Control) address of the user terminal. The communication service is a wireless communication service,
The information processing system according to any one of claims 1 to 9, characterized in that the RADIUS (Remote Authentication Dial In User Service ) authentication is used as the authentication processing of the wireless communication services. The information processing system according to any one of: (Single Sign On SSO) claims 1 to 10, characterized in that the session information of the authentication permission information, single sign-on for multiple Web service. A first device that provides a communication service to a user terminal; a second device that provides a web service authentication process to the user terminal; a third device that stores data; and a first device. An information processing method using a fourth device that communicates with a second device and a third device, and a fifth device that communicates with the user terminal and the third device,
The fourth device performs an authentication process of the communication service related to the user terminal based on a notification from the first device;
A reception step of receiving authentication permission information of the Web service related to the user terminal from the second device;
A transmission step of transmitting the authentication permission information to the third device;
Have
The fifth device acquires the authentication permission information from the third device, have a step of performing control for transmitting to the user terminal,
The transmission step transmits information necessary for the authentication process of the Web service to the second device when the authentication process of the communication service is successful.
The information receiving method characterized in that the receiving step receives the authentication permission information acquired using information necessary for the authentication process of the Web service from the second apparatus . An information processing apparatus that communicates with a first apparatus that provides a communication service to a user terminal, a second apparatus that provides a web service authentication process to the user terminal, and a third apparatus that stores data Because
An authentication processing unit that performs authentication processing of the communication service related to the user terminal based on the notification from the first device;
A receiving unit that receives, from the second device, authentication permission information of the Web service related to the user terminal when the authentication process of the communication service is successful;
Have a, a transmission unit for transmitting the authentication permission information to the third device,
The transmission unit transmits information necessary for the authentication process of the Web service to the second device when the authentication process of the communication service is successful.
The information processing apparatus, wherein the receiving unit receives the authentication permission information acquired using information necessary for authentication processing of the Web service from the second apparatus. An information processing apparatus that communicates with a first apparatus that provides a communication service to a user terminal, a second apparatus that provides a web service authentication process to the user terminal, and a third apparatus that stores data On the computer
A procedure for performing authentication processing of the communication service related to the user terminal based on a notification from the first device;
A procedure for transmitting information necessary for the authentication process of the Web service to the second device when the authentication process of the communication service is successful;
A procedure for receiving, from the second device, authentication permission information of the Web service related to the user terminal obtained using information necessary for the authentication process of the Web service when the authentication process of the communication service is successful; ,
And a procedure for transmitting the authentication permission information to the third device.

Images