JP6342441B2 - Authentication processing apparatus and authentication system - Google Patents

Authentication processing apparatus and authentication system

Publication number: JP6342441B2
Authority: JP (Japan)
Application number: JP2016045105A
Other languages: Japanese (ja)
Other versions: JP2017162129A (en)
Inventors: パキン オソトクラパヌン, 竜朗 池田
Original assignee: 株式会社東芝, 東芝デジタルソリューションズ株式会社
Prior art keywords: authentication, user, account, unit, attribute
Legal status: Active (granted)
Priority to JP2016045105A; published as JP2017162129A; granted and published as JP6342441B2.

Description

Embodiments of the present invention relate to an authentication processing device that authenticates a user, and to an authentication system that implements account linkage between the authentication processing device and another device.

  Normally, when a user uses a service in an information system, the service side needs to have the user's identity. This is because the identity of the user is an indispensable element for the service, such as who the user is, how much authority the user has, and what profile the user has.

  However, as the number of services used by users increases, it becomes a burden on users to register their identities in each service, which is not preferable in terms of security.

  In order to cope with this, an identity management device is used that centrally manages the user's identity and provides the identity as needed when requested by the service.

  This type of identity management device has an authentication function, because it must confirm that the user is who they claim to be, but the level of assurance required of that authentication may vary with the usage scene. For example, when the user merely browses account information, password authentication is sufficient, but when the user makes a payment, biometric authentication with higher assurance is required. Supporting many authentication methods within the identity management device itself is burdensome, but authentication can be handled flexibly by entrusting the authentication function to an external authentication processing device.

  When the identity management device entrusts authentication to the authentication processing device, the user needs to register an account separately in the identity management device and the authentication processing device. At that time, the user needs to register an identity with each device. Even if the user has already registered the identity with the identity management device, it is necessary for the user to register the identity with the authentication processing device, which is troublesome for the user.

  On the authentication processing device side as well, when an identity is registered it is necessary to check the authenticity of the registered identity and to verify whether it is valid, which is costly.

Prior art documents (Patent Documents 1 to 3):
JP 2010-108116 A
JP 2010-160709 A
JP 2003-208407 A

  The conventional identity management device and authentication processing device therefore have the following problems.

  In order to register a new account in one of the two devices (the identity management device or the authentication processing device) based on an account already registered in the other, both devices need to have a trust relationship.

  With regard to this, there is a technique, as in Patent Document 1, in which the device where the new account is registered acquires the user's login information from the original device and uses it to confirm the user's identity. However, such a technique is undesirable in terms of security because the user's login information itself is passed to another system.

  Further, when a user creates a new account for the authentication processing apparatus, it is necessary to confirm whether the user who is performing the registration process is the person himself / herself.

  With regard to this, there is a technique, as in Patent Document 2, of distributing in advance an ID card storing an ID associated with the user and performing identity verification with this ID card during registration. However, when the ID card is distributed, it is still necessary to confirm that it is handed to the correct user.

  As in Patent Document 3, there is a technique in which a photograph is taken before and after the user registers an authentication factor, and the registered authentication factor is confirmed by comparing the photographs. This has the drawback that a photograph must be taken at every registration.

  On the other hand, the authentication processing device holds the user's identity information in order to verify the user's identity at registration time. Since this identity information is often privacy-related, managing it is costly.

  Therefore, there is a need for an authentication system that solves these problems by performing account linkage between the identity management device and the authentication processing device.

The problem to be solved by the present invention is to provide an authentication processing device that authenticates a user, and an authentication system that realizes account linkage between an identity management device (first device) and the authentication processing device (second device).

  The authentication processing device of the embodiment authenticates a user and registers the user's account in response to an account registration request from another device, and comprises a communication unit, an account generation unit, an information storage unit, a credential generation unit, a user authentication unit, and an account registration response generation unit.

  The communication unit receives an account registration request that includes assurance information, which guarantees that the user has been authenticated by the other device, and a linkage attribute, which is the part of the user's account information used for linkage with the other device.

  The account generation unit generates a user account using the linkage attribute included in the account registration request.

  The information storage unit stores the linkage attribute in association with the generated account.

  The credential generation unit generates a credential to be used when authenticating the user, and stores the credential in association with the account in the information storage unit.

  The user authentication unit authenticates the user using the credential and generates an authentication context indicating the authentication processing content.

  The account registration response generation unit generates an account registration response including the linkage attribute and the authentication context.

The authentication system according to the embodiment includes an identity management device that manages identity information for a user who registers an account in the authentication processing device described above, and the authentication processing device described above.

FIG. 1 is a block diagram showing a configuration example of the authentication system of the first embodiment.
FIG. 2 is a sequence diagram for explaining an operation example of the authentication system of the first embodiment (1/2).
FIG. 3 is a sequence diagram for explaining an operation example of the authentication system of the first embodiment (2/2).
FIG. 4 is a schematic diagram for explaining an operation example in the identity management device for (ST1-1) to (ST1-7) in FIG. 2.
FIG. 5 is a schematic diagram for explaining an operation example in the authentication processing device for (ST1-8) to (ST1-15) in FIG. 3.
FIG. 6 is a schematic diagram for explaining an operation example in the identity management device for (ST1-16) to (ST1-17) in FIG. 3.
FIG. 7 is a schematic diagram for explaining an example of the user account information stored in the user account information storage unit of the identity management device in the first embodiment.
FIG. 8 is a schematic diagram for explaining an example of the information contained in the account registration request generated in the first embodiment.
FIG. 9 is a schematic diagram for explaining an example of the information stored in the user account information storage unit of the authentication processing device in the first embodiment.
FIG. 10 is a schematic diagram for explaining an example of the information contained in the account registration response in the first embodiment.
FIG. 11 is a block diagram showing a configuration example of the authentication system of the second embodiment.
FIG. 12 is a sequence diagram for explaining an operation example of the authentication system of the second embodiment.
FIG. 13 is a schematic diagram for explaining an operation example in the authentication processing device up to (ST2-13).
FIG. 14 is a schematic diagram showing an example of the information contained in the account registration response in the second embodiment.
FIG. 15 is a schematic diagram for explaining an operation example in the identity management device for (ST2-14) to (ST2-15).
FIG. 16 is a schematic diagram for explaining an operation example in the authentication processing device for (ST2-16) to (ST2-17).
FIG. 17 is a schematic diagram for explaining an operation example in the identity management device for (ST2-18) to (ST2-19).

  The authentication system according to each embodiment of the present invention will be described below with reference to the drawings.

(First embodiment)
An authentication system according to the first embodiment will be described with reference to FIGS.

  FIG. 1 is a block diagram illustrating a configuration example of an authentication system 10 according to the present embodiment.

  The authentication system 10 of this embodiment includes an identity management device 200 and an authentication processing device 300 that are connected to each other via a network 20.

  The network 20 may be a LAN such as Ethernet (registered trademark), a public line such as the Internet, or a WAN in which a plurality of LANs are connected through a dedicated communication line. A LAN can be composed of multiple subnets joined by routers as necessary. A WAN can be provided with a firewall or the like for connecting to the public line as appropriate, but illustration and detailed description thereof are omitted here.

  Further, a client device 100 is connected to the network 20. The client device 100 has a function of receiving input from the user, a function of transmitting that input to the identity management device 200 and the authentication processing device 300, a function of receiving output from the identity management device 200 and the authentication processing device 300, and a function of displaying that output.

  The identity management device 200 includes a communication unit 210, a user account information storage unit 220, a user authentication unit 230, an authentication service management unit 240, a linkage attribute generation unit 250, an authentication assertion generation unit 260, an account registration request generation unit 270, an assertion verification unit 280, and a linkage attribute flag management unit 290.

  The communication unit 210 has an internal communication function of the identity management device 200 and a function of communicating with the client device 100 and the authentication processing device 300 via the network 20.

  The user account information storage unit 220 has a function of storing the user's identity information, including account information and the linkage information used for linkage with other services, and a function of delivering the stored information to any part of the identity management device 200 that requests it.

  The user authentication unit 230 has a function of receiving user authentication information sent from the client device 100, a function of receiving the information necessary for user authentication from the user account information storage unit 220, and a function of performing user authentication using the received information. The information necessary for user authentication is the user identification UID1 and the credential CR1 described later, which are stored in advance in the user account information storage unit 220.

  The authentication service management unit 240 has a function of receiving user identification information and authentication service identification information sent from the client device 100, a function of acquiring the user's authentication service identification information from the user account information storage unit 220, and a function of determining, using these pieces of information, whether the authentication service has already been registered for that user.

  The linkage attribute generation unit 250 has a function of generating, for the user account information, a linkage attribute necessary for linkage between the identity management device 200 and the authentication processing device 300, and a function of registering the linkage attribute in the user account information storage unit 220. The linkage attribute is, for example, an ID or a random number.

  The authentication assertion generation unit 260 has a function of acquiring from the user account information storage unit 220 the information related to user authentication and to linkage between the identity management device 200 and the authentication processing device 300, and a function of generating from these pieces of information assertion information that lets the authentication processing device 300 confirm that the information was sent by the identity management device. This assertion information is preferably a SAML (Security Assertion Markup Language) authentication assertion. A SAML authentication assertion uses the PKI digital signature mechanism: because the assertion carries the issuer's digital signature, the recipient can verify the issuer by verifying the signature and can also confirm that the information has not been tampered with.

  The account registration request generation unit 270 has a function of receiving an authentication assertion from the authentication assertion generation unit 260 and a function of generating an account registration request for the authentication processing device 300 using this assertion.

  The assertion verification unit 280 has a function of receiving an account registration response from the authentication processing device 300 and a function of verifying that this account registration response is indeed issued by the authentication processing device 300.

  The linkage attribute flag management unit 290 has a function of setting the user's linkage status to "valid" or "invalid" and writing it to the user account information storage unit 220.

  The authentication processing device 300 includes a communication unit 310, a user account information storage unit 320, an assertion verification unit 330, an identity assurance information verification unit 340, a user account generation unit 350, a credential generation unit 360, a user authentication unit 370, an authentication assertion generation unit 380, and an account registration response generation unit 390.

  The communication unit 310 has an internal communication function of the authentication processing device 300 and a function of communicating with the client device 100 and the identity management device 200 via the network 20.

  The user account information storage unit 320 has a function of storing the user's linkage attribute shared between the identity management device 200 and the authentication processing device 300 together with the credential information necessary for authentication processing, and a function of delivering that information to any part of the authentication processing device 300 that requests it. The user account information storage unit 320 preferably holds no information other than what is necessary for linkage and authentication processing between the identity management device 200 and the authentication processing device 300, but it may hold other account information.

  The assertion verification unit 330 has a function of confirming the validity of the assertion information acquired from the identity management device 200. When a SAML assertion is used for this assertion, the validity of the assertion can be confirmed by verifying the attached electronic signature.

  The identity assurance information verification unit 340 has a function of confirming whether identity assurance information is included in the assertion information. It may also have a function of confirming whether the identity assurance information is sufficient for account registration, for example by confirming whether the organization that vouches for the identity is a trusted one.

  The user account generation unit 350 has a function of generating an account using the linkage attribute included in the acquired assertion information and a function of registering this account in the user account information storage unit 320.

  The credential generation unit 360 has a function of generating a credential necessary for user authentication in the account generated by the user account generation unit 350 and a function of registering the credential in the user account information storage unit 320. The credentials are, for example, passwords and tokens, and may be generated internally or acquired externally.

  The user authentication unit 370 has a function of receiving from the user the information necessary for authentication, such as credentials, a function of acquiring the information necessary for authentication from the user account information storage unit 320, a function of performing user authentication using this information, and a function of outputting an authentication context that records, for example, which authentication method and which identity verification were performed.

  The authentication assertion generation unit 380 has a function of generating an assertion from the user's linkage attribute and the authentication context output by the user authentication unit 370. This assertion is preferably a SAML authentication assertion.

  The account registration response generation unit 390 has a function of generating an account registration response from the assertion generated by the authentication assertion generation unit 380, and a function of passing the account registration response to the communication unit 310 for transmission to the identity management device 200.

  Next, an operation example of the authentication system 10 of the present embodiment configured as described above will be described.

  FIGS. 2 and 3 are sequence diagrams for explaining an operation example of the authentication system 10 of the present embodiment.

  FIG. 4 is a schematic diagram for explaining an operation example in the identity management apparatus 200 of (ST1-1) to (ST1-7) in FIG.

  FIG. 5 is a schematic diagram for explaining an operation example in the authentication processing device 300 for (ST1-8) to (ST1-15) in FIGS. 2 and 3.

  FIG. 6 is a schematic diagram for explaining an operation example in the identity management apparatus 200 of (ST1-16) to (ST1-17) in FIG.

  According to the authentication system 10 of the present embodiment, user account information is automatically linked from the user identity held by the identity management device 200 to the authentication processing device 300. This automatic linkage process is described below step by step following FIGS. 2 and 3; refer to FIGS. 4 to 6 for the operation within each step.

(ST1-1)
As shown in FIGS. 2 and 4, the user sends the user identification UID1 and the credential CR1 from the client device 100 to the identity management device 200 for authentication. The user also enters into the client device 100 an authentication service identification ASID1 identifying the service for which automatic account linkage is desired. The client device 100 transmits the entered authentication service identification ASID1 to the identity management device 200.

  The user identification UID1, the credential CR1, and the authentication service identification ASID1 transmitted from the client apparatus 100 are received by the communication unit 210 of the identity management apparatus 200. The communication unit 210 sends the user identification UID1 and the credential CR1 to the user authentication unit 230, and sends the user identification UID1 and the authentication service identification ASID1 to the authentication service management unit 240. Thereafter, the process proceeds to (ST1-2).

(ST1-2)
The user authentication unit 230 authenticates the user by confirming that the user identification UID1 and credential CR1 sent from the communication unit 210 match the user identification UID1 and credential CR1 stored in advance in the user account information storage unit 220. If authentication succeeds, the process proceeds to (ST1-3). If authentication fails, automatic account linkage is not possible.

(ST1-3)
The authentication service management unit 240 checks whether the authentication service identification ASID1 sent from the communication unit 210 in (ST1-1) is already registered in the user account information storage unit 220. If it is confirmed to be registered, identity assurance information IDP1 is generated and stored in the user account information storage unit 220, and the process proceeds to (ST1-4). If it cannot be confirmed, automatic account linkage is not possible.

(ST1-4)
The linkage attribute generation unit 250 generates a linkage attribute FA1, for example an ID or a random number, for the new linkage with the authentication service identified by ASID1, and stores it in the user account information storage unit 220. It also sets the linkage attribute flag FAF1, which indicates the validity status of the linkage attribute FA1, to "invalid" and stores it in the user account information storage unit 220. A linkage attribute flag FAF1 of "invalid" means that the account linkage between the identity management device 200 and the authentication processing device 300 is not yet complete. Thereafter, the process proceeds to (ST1-5).

  FIG. 7 is a schematic diagram for explaining an example of user account information stored in the user account information storage unit 220.

  As shown in FIG. 7, the user account information storage unit 220 stores the identity assurance information IDP1 generated in (ST1-3) and the linkage attribute FA1 and linkage attribute flag FAF1 generated in (ST1-4). In particular, the linkage attribute FA1 and the linkage attribute flag FAF1 are stored within the user account information as linkage information for the authentication service. The remaining user account information, namely the user identification UID1 and credential CR1, and the authentication service identification ASID1 within the linkage information for the authentication service, are stored in advance.

(ST1-5)
To guarantee to the authentication processing device 300 that the user has been authenticated by the identity management device 200, the authentication assertion generation unit 260 generates an authentication assertion AA1 from the linkage attribute FA1 and the identity assurance information IDP1 stored in the user account information storage unit 220, and sends it to the account registration request generation unit 270. That is, the authentication assertion AA1 contains the linkage attribute FA1, which identifies the user between the identity management device 200 and the authentication processing device 300, and the identity assurance information IDP1, which vouches for the user's identity. SAML is preferably used to represent the authentication assertion AA1. When SAML is used, the PKI digital signature mechanism ensures that the information carried in the authentication assertion AA1 is indeed the information stored in the user account information storage unit 220.

(ST1-6)
The account registration request generation unit 270 receives the authentication assertion AA1 generated in (ST1-5) from the authentication assertion generation unit 260. To request the authentication processing device 300 to register a new user account, it then generates an account registration request RQ1 from the authentication assertion AA1 and sends it to the communication unit 210.

  FIG. 8 is a schematic diagram for explaining an example of information included in the account registration request RQ1.

  The account registration request RQ1 includes the authentication assertion AA1. The authentication assertion AA1 includes the linkage attribute FA1 and the identity assurance information IDP1. As described above, SAML is preferably used to represent the authentication assertion AA1. When SAML is used, the identity assurance information IDP1 is generated as one element of an identity statement IDS1. Therefore, as an example of the SAML case, FIG. 8 shows the identity statement IDS1 containing the identity assurance information IDP1.

(ST1-7)
The communication unit 210 transmits the account registration request RQ1 sent from the account registration request generation unit 270 in (ST1-6) to the authentication processing device 300 via the network 20.

(ST1-8)
As illustrated in FIG. 5, authentication processing apparatus 300 receives account registration request RQ1 transmitted in (ST1-7) at communication unit 310. Then, the assertion verification unit 330 verifies the authentication assertion AA1. When SAML is used, the assertion verification unit 330 can verify the authentication assertion AA1 by verifying the signature attached to the authentication assertion AA1. If the verification of the authentication assertion AA1 is successful, the process proceeds to (ST1-9). If verification fails, the process ends and automatic account linkage is not possible.

(ST1-9)
To confirm that the user's identity is vouched for, the identity assurance information verification unit 340 checks the identity assurance information IDP1 included in the authentication assertion AA1. If the check succeeds, the process proceeds to (ST1-10). If it fails, the process ends and automatic account linkage is not possible.

(ST1-10)
The user account generation unit 350 generates a user account in the authentication processing device 300 using the linkage attribute FA1 included in the authentication assertion AA1, and stores the linkage attribute FA1 in the user account information storage unit 320 in association with the generated account. Thereafter, the process proceeds to (ST1-11).

(ST1-11)
The credential generation unit 360 generates a credential CR2 to be used when authenticating the user in the authentication processing device 300, and stores it in the user account information storage unit 320 in association with the corresponding account. Since the credential CR2 depends on the authentication method of the authentication processing device 300, the credential generation unit 360 may generate a credential matching that method. For example, when the authentication processing device 300 employs password authentication, the credential CR2 is preferably a password.

  FIG. 9 is a schematic diagram for explaining an example of information stored in the user account information storage unit 320.

  That is, the user account information storage unit 320 stores the linkage attribute FA1 and the credential CR2 generated in (ST1-10) and (ST1-11) as user account information.

  When the credential CR2 has been stored in the user account information storage unit 320, the process proceeds to (ST1-12).

(ST1-12)
The user authentication unit 370 performs user authentication using the credential CR2 stored in (ST1-11), and generates an authentication context AC2. The authentication context AC2 is information indicating how the authentication processing has been performed. The authentication context AC2 preferably uses a SAML authentication context. Thereafter, the process proceeds to (ST1-13).

(ST1-13)
The authentication assertion generation unit 380 generates an authentication assertion AA2 from the cooperation attribute FA1 and the authentication context AC2. Note that SAML is suitable for expressing the authentication assertion AA2. Thereafter, the process proceeds to (ST1-14).

(ST1-14)
Account registration response generation section 390 generates account registration response RP1 using authentication assertion AA2 generated in (ST1-13). Thereafter, the process proceeds to (ST1-15).

  FIG. 10 is a schematic diagram for explaining an example of information included in the account registration response RP1.

  The account registration response RP1 includes the authentication assertion AA2. The authentication assertion AA2 includes the linkage attribute FA1 and the authentication context AC2. As described above, SAML is preferably used to represent the authentication assertion AA2. When SAML is used, the authentication context AC2 is generated as one element of an authentication statement AS2. Therefore, as an example of the SAML case, FIG. 10 shows the authentication statement AS2 containing the authentication context AC2.

(ST1-15)
The communication unit 310 transmits the account registration response RP1 generated in (ST1-14) to the identity management apparatus 200 via the network 20. Then, the process proceeds to (ST1-16).

(ST1-16)
As illustrated in FIG. 6, the identity management apparatus 200 receives the account registration response RP1 transmitted in (ST1-15) in the communication unit 210. The communication unit 210 sends the received account registration response RP1 to the assertion verification unit 280. Then, the assertion verification unit 280 verifies the authentication assertion AA2 included in the account registration response RP1. When SAML is used, the assertion verification unit 280 can verify the authentication assertion AA2 by verifying the signature attached to the authentication assertion AA2. If the verification of the authentication assertion AA2 is successful, the process proceeds to (ST1-17). If verification fails, the process ends.

(ST1-17)
The linkage attribute flag management unit 290 searches the user account information stored in the user account information storage unit 220 using the linkage attribute FA1 included in the authentication assertion AA2. It then sets the linkage attribute flag FAF1 of the matching user account information to "valid" and stores it in the user account information storage unit 220. This completes the account linkage processing between the identity management device 200 and the authentication processing device 300.
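The following is an added Go model of the first-embodiment exchange (ST1-1 to ST1-17) and of the units described above; it is not code from the patent. It assumes Ed25519 signatures over a JSON encoding in place of the SAML assertion and PKI signature the patent prefers, and the field names, issuer labels and account values are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
)

// Assertion models AA1 (FA1 + IDP1) and AA2 (FA1 + AC2); the field layout is this example's own.
type Assertion struct {
	Issuer string `json:"issuer"`
	FA     string `json:"fa"`            // linkage attribute FA1 (random ID)
	IDP    string `json:"idp,omitempty"` // identity assurance information IDP1 (AA1 only)
	AC     string `json:"ac,omitempty"`  // authentication context AC2 (AA2 only)
	Sig    []byte `json:"sig,omitempty"` // issuer's signature over the other fields
}

// signedBytes is the canonical form the signature covers (Sig excluded).
func (a Assertion) signedBytes() []byte { a.Sig = nil; b, _ := json.Marshal(a); return b }
func sign(a Assertion, priv ed25519.PrivateKey) Assertion { a.Sig = ed25519.Sign(priv, a.signedBytes()); return a }

// verify stands in for verification units 280/330: known issuer, signature covers the assertion unchanged.
func verify(a Assertion, trusted map[string]ed25519.PublicKey) error {
	pub, ok := trusted[a.Issuer]
	if !ok || !ed25519.Verify(pub, a.signedBytes(), a.Sig) {
		return errors.New("assertion rejected: unknown issuer or bad signature")
	}
	return nil
}
func randomID() string { b := make([]byte, 16); rand.Read(b); return hex.EncodeToString(b) }

// IdMAccount is one row of user account information storage unit 220.
type IdMAccount struct {
	Cred, ASID string // CR1 and the registered authentication service ASID1
	FA         string // FA1, minted during linkage
	FAF        bool   // FAF1: false ("invalid") until RP1 has been verified
}

type IdM struct {
	priv     ed25519.PrivateKey
	Accounts map[string]*IdMAccount // keyed by UID1
	Trusted  map[string]ed25519.PublicKey
}

type AuthProc struct {
	priv     ed25519.PrivateKey
	Accounts map[string]string // storage unit 320: FA1 -> CR2, no identity data
	Trusted  map[string]ed25519.PublicKey
}

// BuildRegistrationRequest covers ST1-1 to ST1-6: check UID1/CR1 and ASID1, mint FA1 with FAF1 "invalid", sign AA1.
func (m *IdM) BuildRegistrationRequest(uid, cr, asid string) (Assertion, error) {
	acct, ok := m.Accounts[uid]
	if !ok || acct.Cred != cr {
		return Assertion{}, errors.New("user authentication failed")
	}
	if acct.ASID != asid {
		return Assertion{}, errors.New("authentication service not registered")
	}
	acct.FA, acct.FAF = randomID(), false
	return sign(Assertion{Issuer: "idm", FA: acct.FA, IDP: "idm-verified"}, m.priv), nil // constructed IDP1
}

// HandleRegistrationRequest covers ST1-8 to ST1-14: verify AA1, require IDP1, create the FA1-keyed account with CR2, sign AA2 with AC2.
func (p *AuthProc) HandleRegistrationRequest(aa1 Assertion) (Assertion, error) {
	if err := verify(aa1, p.Trusted); err != nil {
		return Assertion{}, err
	}
	if aa1.IDP == "" {
		return Assertion{}, errors.New("no identity assurance information")
	}
	p.Accounts[aa1.FA] = randomID() // CR2; a password for a password-based device
	return sign(Assertion{Issuer: "ap", FA: aa1.FA, AC: "password"}, p.priv), nil
}

// HandleRegistrationResponse covers ST1-16 and ST1-17: verify AA2, then set FAF1 "valid".
func (m *IdM) HandleRegistrationResponse(aa2 Assertion) error {
	if err := verify(aa2, m.Trusted); err != nil {
		return err
	}
	for _, acct := range m.Accounts {
		if acct.FA == aa2.FA {
			acct.FAF = true
			return nil
		}
	}
	return errors.New("linkage attribute not found")
}

// NewPair builds one device of each kind, each trusting only the other's public key.
func NewPair() (*IdM, *AuthProc) {
	idmPub, idmPriv, _ := ed25519.GenerateKey(rand.Reader)
	apPub, apPriv, _ := ed25519.GenerateKey(rand.Reader)
	idm := &IdM{priv: idmPriv, Accounts: map[string]*IdMAccount{}, Trusted: map[string]ed25519.PublicKey{"ap": apPub}}
	ap := &AuthProc{priv: apPriv, Accounts: map[string]string{}, Trusted: map[string]ed25519.PublicKey{"idm": idmPub}}
	return idm, ap
}
```

Note that device 300 never sees UID1 or CR1: only FA1 crosses the boundary, and an assertion whose FA1 was altered in transit or that was signed by a key outside the trusted set is rejected before any account is created.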

  As described above, according to the authentication system 10 of the present embodiment, mutual authentication is performed between the identity management apparatus 200 and the authentication processing apparatus 300, so that account linkage between the two apparatuses becomes possible.

  As a result, the information used for new account registration in the authentication system 10 is the linkage attribute FA1, which corresponds to an identity already confirmed by the identity management apparatus 200. Therefore, even when the authentication processing apparatus 300 belongs to a security domain different from that of the identity management apparatus 200, the account information used for new account registration can be linked between the identity management device 200 and the authentication processing device 300 without degrading security.

  In addition, since the authentication system 10 can register a new account using the cooperation attribute FA1 corresponding to the identity already confirmed by the identity management device 200, re-confirming the identity at the time of registration can be omitted.

  Furthermore, the authentication system 10 manages only the cooperation attribute FA1 associated with the identity handled by the identity management device 200, without managing the user identity itself. Since the cooperation attribute FA1 is not directly tied to the user and is therefore not privacy information, the management cost can be reduced without lowering security.

(Second Embodiment)
The authentication system of the second embodiment will be further described with reference to FIGS.

  FIG. 11 is a block diagram illustrating a configuration example of the authentication system 10 ′ according to the present embodiment.

  That is, the authentication system 10′ of the present embodiment includes an identity management device 200′ and an authentication processing device 300′. The identity management device 200′ is obtained by adding an authentication request generation unit 299 to the identity management device 200 of the first embodiment, and the authentication processing device 300′ is obtained by adding an authentication response generation unit 399 to the authentication processing device 300 of the first embodiment. Since the other constituent elements are the same as those in the first embodiment, the same parts as those in FIG. are given the same reference numerals in the drawings used in the following description.

  FIG. 12 is a sequence diagram for explaining an operation example by the authentication system 10 ′ of the present embodiment.

  FIG. 13 is a schematic diagram for explaining an operation example in the authentication processing apparatus 300 up to (ST2-13) in FIG.

  The operation of the authentication system 10 'of this embodiment is the same as (ST1-1) to (ST1-11) of the first embodiment before (ST2-12) shown in FIG. Therefore, the description of (ST1-1) to (ST1-11) is omitted in FIG. Further, (ST1-7) to (ST1-11) shown in FIG. 13 are the same as those in the first embodiment.

  Therefore, (ST2-12) to (ST2-19) will be described below.

(ST2-12)
The account registration response generation unit 390 stores the user account information including the linkage attribute FA1 and the credential CR2 shown in FIG. 9 in the user account information storage unit 320 in (ST1-11), and then generates an account registration response RP1 using the cooperation attribute FA1 stored in the user account information storage unit 320.

  FIG. 14 is a schematic diagram illustrating an example of the information included in the account registration response RP1 in the present embodiment. That is, in the present embodiment the account registration response RP1 includes the cooperation attribute FA1 but, unlike the first embodiment, no authentication assertion AA2.

  When the account registration response generation unit 390 generates such an account registration response RP1, the account registration response generation unit 390 transmits the account registration response RP1 to the communication unit 310.

  FIG. 15 is a schematic diagram for explaining an operation example in the identity management apparatus 200′ in (ST2-14) to (ST2-15) in FIG.

(ST2-13)
The communication unit 310 receives the account registration response RP1 sent from the account registration response generation unit 390. Then, as shown in FIG. 15, it is transmitted to the identity management apparatus 200 ′ via the network 20.

(ST2-14)
The identity management device 200′ receives, in the communication unit 210, the account registration response RP1 transmitted from the communication unit 310 in (ST2-13). The communication unit 210 sends this account registration response RP1 to the authentication request generation unit 299. The authentication request generation unit 299 confirms that the cooperation attribute FA1 included in the account registration response RP1 is the same as the one stored in the user account information storage unit 220, and then generates an authentication request ARQ1 and sends it to the communication unit 210. If the cooperation attribute FA1 does not match the stored one, the authentication request ARQ1 is not generated and the process ends.

(ST2-15)
The communication unit 210 transmits the authentication request ARQ1 sent from the authentication request generation unit 299 in (ST2-14) to the authentication processing device 300 ′ via the network 20. The communication unit 310 of the authentication processing device 300 ′ receives the authentication request ARQ1 transmitted from the communication unit 210.

(ST2-16)
FIG. 16 is a schematic diagram for explaining an operation example in the authentication processing apparatus 300 ′ of (ST2-16) to (ST2-17).

  As illustrated in FIG. 16, upon receiving the authentication request ARQ1, the communication unit 310 sends it to the user authentication unit 370. The user authentication unit 370 acquires the cooperation attribute FA1 stored in the user account information storage unit 320, performs the authentication processing for the authentication request ARQ1 according to the specified authentication method, generates an authentication context AC2, and sends it to the authentication assertion generation unit 380.

  In response to this, the authentication assertion generation unit 380 generates an authentication assertion AA2 from the cooperation attribute FA1 and the authentication context AC2. Therefore, the authentication assertion AA2 includes the cooperation attribute FA1 and the authentication context AC2. The authentication assertion generation unit 380 sends such an authentication assertion AA2 to the authentication response generation unit 399.

  In response to this, the authentication response generation unit 399 generates an authentication response ARP1 using the authentication assertion AA2. Therefore, the authentication response ARP1 includes an authentication assertion AA2. The authentication response generation unit 399 sends such an authentication response ARP1 to the communication unit 310.

(ST2-17)
The communication unit 310 receives the authentication response ARP1 sent from the authentication response generation unit 399 and transmits it to the identity management device 200 ′ via the network 20.

  FIG. 17 is a schematic diagram for explaining an operation example in the identity management apparatus 200 'of (ST2-18) to (ST2-19).

(ST2-18)
As illustrated in FIG. 17, the communication unit 210 receives the authentication response ARP1 transmitted from the communication unit 310 and sends it to the assertion verification unit 280. The assertion verification unit 280 verifies the authentication assertion AA2, including the cooperation attribute FA1 and the authentication context AC2 it contains, for example by verifying its electronic signature. As noted above, SAML is suitable for expressing the authentication assertion AA2. If the verification is successful, the process proceeds to (ST2-19).

(ST2-19)
The cooperation attribute flag management unit 290 searches for user account information stored in the user account information storage unit 220 using the cooperation attribute FA1 included in the authentication assertion AA2. Then, the cooperation attribute flag FAF1 of the corresponding user account information is set to “valid” and stored. This completes the account linkage between the identity management device 200 ′ and the authentication processing device 300 ′.

  As described above, according to the authentication system 10′ of the present embodiment, unlike the authentication system 10 of the first embodiment, when the authentication processing device 300′ generates the user's linked account, the account registration response is returned to the identity management device 200′ without generating an authentication assertion AA2, that is, without user authentication. The identity management device 200′ then requests user authentication from the authentication processing device 300′, the user authentication processing is performed, and when a successful authentication response is obtained from the authentication processing device 300′, the account linkage is set to "valid".

  Even with such a configuration, the identity management device 200′ can specify the authentication processing to be performed by the authentication processing device 300′, so the same effects as those of the authentication system 10 of the first embodiment can be obtained.
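  The two linkage flows above, (ST1-14) to (ST1-17) in the first embodiment and (ST2-12) to (ST2-19) in the second, are easier to compare when both sides' messages are written out. The following Python model is an added example written for this page; it is not code from the patent or from the applicant. It replaces the SAML XML signature with an HMAC over a canonical JSON encoding of the assertion (an assumption, chosen so the example runs offline with the standard library), collapses the identity-assurance check of (ST1-7) to (ST1-11) into a single accepted registration, and uses the names `run_linkage`, `sign_assertion`, `verify_assertion`, `IdentityManagementDevice` and `AuthenticationProcessingDevice`, none of which appear in the patent. The cooperation attribute FA1 is a random token with no relation to the identity, and the flag FAF1 only becomes "valid" after a verified assertion whose FA1 matches a record in storage unit 220:

```python
import hashlib
import hmac
import json
import secrets

# Assumption: one shared HMAC key stands in for the authentication processing
# device's SAML signing key and the identity management device's matching
# trust anchor. A real deployment verifies an XML signature against a certificate.
SIGNING_KEY = b"example-key-for-this-added-example-only"


def _mac(body):
    """HMAC over a canonical JSON encoding (assumption standing in for XML-DSig)."""
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SIGNING_KEY, data, hashlib.sha256).hexdigest()


def sign_assertion(fa1, context):
    """Unit 380: AA2 carries FA1 and the authentication context AC2, signed by device 300."""
    body = {"cooperation_attribute": fa1, "authentication_context": context}
    return {**body, "signature": _mac(body)}


def verify_assertion(aa2):
    """Unit 280: recompute the signature over everything except the signature field."""
    body = {k: v for k, v in aa2.items() if k != "signature"}
    return hmac.compare_digest(_mac(body), str(aa2.get("signature", "")))


class AuthenticationProcessingDevice:
    """Device 300 (AA2 inside RP1) or 300' (AA2 only after a separate ARQ1)."""

    def __init__(self, assert_at_registration):
        self.assert_at_registration = assert_at_registration
        self.accounts = {}  # user account information storage unit 320, keyed by FA1

    def register_account(self, rq1):
        # ST1-7 to ST1-11 collapsed: the assurance information is taken as verified.
        fa1 = rq1["cooperation_attribute"]
        self.accounts[fa1] = {"credential": secrets.token_hex(16)}  # credential CR2
        rp1 = {"cooperation_attribute": fa1}
        if self.assert_at_registration:  # first embodiment, ST1-13 / ST1-14
            rp1["assertion"] = sign_assertion(fa1, {"method": "password"})
        return rp1

    def authenticate(self, arq1):
        """Second embodiment, ST2-16: look up FA1, authenticate, build ARP1."""
        fa1 = arq1["cooperation_attribute"]
        if fa1 not in self.accounts:
            return None
        return {"assertion": sign_assertion(fa1, {"method": arq1["method"]})}


class IdentityManagementDevice:
    """Device 200/200': holds the identity, the issued FA1 and the flag FAF1."""

    def __init__(self):
        self.users = {}  # user account information storage unit 220

    def start_linkage(self, user_id):
        # FA1 is random and unrelated to the identity; FAF1 starts as "invalid".
        fa1 = secrets.token_urlsafe(16)
        self.users[user_id] = {"cooperation_attribute": fa1, "flag": "invalid"}
        return {"cooperation_attribute": fa1, "assurance": "authenticated by 200"}

    def _find_user(self, fa1):
        return next((u for u in self.users.values()
                     if u["cooperation_attribute"] == fa1), None)

    def _activate(self, aa2):
        # ST1-16/ST1-17 and ST2-18/ST2-19: signature first, then the FA1 lookup.
        if not verify_assertion(aa2):
            return False
        user = self._find_user(aa2["cooperation_attribute"])
        if user is None:
            return False
        user["flag"] = "valid"
        return True

    def handle_registration_response(self, rp1):
        """Returns ARQ1 when a separate authentication round is needed, else None."""
        fa1 = rp1["cooperation_attribute"]
        if self._find_user(fa1) is None:  # ST2-14: FA1 must be one we issued
            return None
        if "assertion" in rp1:  # first embodiment: AA2 arrives inside RP1
            self._activate(rp1["assertion"])
            return None
        return {"cooperation_attribute": fa1, "method": "password"}  # ARQ1

    def handle_authentication_response(self, arp1):
        return bool(arp1 and "assertion" in arp1 and self._activate(arp1["assertion"]))


def run_linkage(second_embodiment):
    """Full exchange for one user; returns the final value of FAF1."""
    idm = IdentityManagementDevice()
    apd = AuthenticationProcessingDevice(assert_at_registration=not second_embodiment)
    rq1 = idm.start_linkage("alice")  # ST1-1 to ST1-6, sent over network 20
    rp1 = apd.register_account(rq1)  # ST1-7 to ST1-15, or ST2-12 / ST2-13
    arq1 = idm.handle_registration_response(rp1)
    if arq1 is not None:  # second embodiment: ST2-15 to ST2-18
        idm.handle_authentication_response(apd.authenticate(arq1))
    return idm.users["alice"]["flag"]


if __name__ == "__main__":
    print("first embodiment FAF1:", run_linkage(False))
    print("second embodiment FAF1:", run_linkage(True))
```

  Running the module prints "valid" for both embodiments. The checks in `_activate` show the two conditions the verification unit has to enforce together: the signature must verify against the authentication processing device's key, and the FA1 in the assertion must be one the identity management device itself issued. A correctly signed assertion for a different FA1, a modified assertion, or a registration response whose FA1 was never issued leaves the flag at "invalid".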

The first information storage unit, the authentication unit, the linkage attribute generation unit, the registration request unit, the verification unit, the linkage attribute flag management unit, and the authentication request generation unit of the first device in the authentication system according to the claims correspond, in the embodiments, to the user account information storage unit 220, the user authentication unit 230, the linkage attribute generation unit 250, the account registration request generation unit 270, the assertion verification unit 280, the linkage attribute flag management unit 290, and the authentication request generation unit 299, respectively.

  In addition, the communication unit, the account generation unit, the information storage unit, the credential generation unit, the user authentication unit, the account registration response generation unit, the authentication assertion generation unit, and the authentication response generation unit of the authentication processing device in the claims correspond, in the embodiments, to the communication unit 310, the user account generation unit 350, the user account information storage unit 320, the credential generation unit 360, the user authentication unit 370, the account registration response generation unit 390, the authentication assertion generation unit 380, and the authentication response generation unit 399, respectively.

  Although several embodiments of the present invention have been described, these embodiments are presented by way of example and are not intended to limit the scope of the invention. These embodiments can be implemented in various other forms, and various omissions, replacements, and changes can be made without departing from the spirit of the invention. These embodiments and their modifications are included in the scope and gist of the invention, and are also included in the invention described in the claims and the equivalents thereof.

  For example, in the embodiments the authentication processing apparatus 300 (300′) has been described as an example of an apparatus that performs account linkage with the identity management apparatus 200 (200′). However, the apparatus that performs account linkage with the identity management apparatus 200 (200′) is not limited to the authentication processing apparatus 300 (300′). In the embodiments, because the authentication processing device 300 (300′) is used as the example of a device that cooperates with the identity management device 200 (200′), the identity management device 200 (200′) accordingly handles the authentication service identification ASID1 as an identifier of the authentication service performed by the authentication processing device 300 (300′), and is provided with an authentication service management unit 240 that manages the authentication service identification ASID1.

  Therefore, a person skilled in the art will understand that, for a device other than the authentication processing device 300 (300′), the identity management device 200 (200′) can perform account linkage with that device by using service identification information and a service management unit corresponding to that device in place of the authentication service identification ASID1 and the authentication service management unit 240.

10, 10′ authentication system of the embodiments, 20 network, 100 client device, 200, 200′ identity management device, 210 communication unit, 220 user account information storage unit, 230 user authentication unit, 240 authentication service management unit, 250 cooperation attribute generation unit, 260 authentication assertion generation unit, 270 account registration request generation unit, 280 assertion verification unit, 290 linkage attribute flag management unit, 299 authentication request generation unit, 300, 300′ authentication processing device, 310 communication unit, 320 user account information storage unit, 330 assertion verification unit, 340 identity assurance information verification unit, 350 user account generation unit, 360 credential generation unit, 370 user authentication unit, 380 authentication assertion generation unit, 390 account registration response generation unit, 399 authentication response generation unit.

Claims (4)

  1. An authentication processing device that registers a user account in response to an account registration request from another device and authenticates the user, the authentication processing device comprising:
    a communication unit that receives the account registration request, which includes guarantee information for guaranteeing that the user has been authenticated by the other device and a cooperation attribute for linking the user's account information with the other device;
    an account generation unit that generates an account of the user using the cooperation attribute included in the account registration request;
    an information storage unit that stores the cooperation attribute in association with the generated account;
    a credential generation unit that generates a credential to be used when authenticating the user and stores it in the information storage unit in association with the account;
    a user authentication unit that authenticates the user using the credential and generates an authentication context indicating the content of the authentication processing; and
    an account registration response generation unit that generates an account registration response including the cooperation attribute and the authentication context.
  2. The authentication processing device according to claim 1, wherein
    the communication unit transmits the account registration response to the other device and receives an authentication request, generated by the other device in response to the account registration response, for requesting authentication of the user;
    the user authentication unit acquires the cooperation attribute corresponding to the authentication request from the information storage unit, further performs authentication processing for the authentication request, and generates an authentication context; and
    the authentication processing device further comprises an authentication assertion generation unit that generates an authentication assertion from the acquired cooperation attribute and the generated authentication context, and
    an authentication response generation unit that generates an authentication response using the authentication assertion.
  3. An authentication system comprising a first device that manages identity information of a user who registers an account with a second device, and the second device, which registers the user's account in response to an account registration request from the first device, wherein
    the first device includes:
    a first information storage unit that stores account information included in the identity information of the user and service identification information for identifying a service provided by the second device;
    an authentication unit that authenticates the user using the stored account information;
    a cooperation attribute generation unit that, when service identification information input by the authenticated user matches the stored service identification information, generates a cooperation attribute for linking the account information with the second device and a cooperation attribute flag indicating the status of the cooperation attribute, the cooperation attribute flag being set to invalid;
    a registration request unit that requests the second device to register the user's account using guarantee information for guaranteeing that the user has been authenticated and the cooperation attribute;
    a verification unit that verifies an account registration response, including the cooperation attribute, generated by the second device in response to the request; and
    a cooperation attribute flag management unit that, when the account registration response is verified correctly, searches the first information storage unit for the account information corresponding to the cooperation attribute included in the account registration response and sets the cooperation attribute flag indicating the status of that cooperation attribute to valid, thereby enabling linkage of the account information with the second device; and
    the second device includes:
    a communication unit that receives the account registration request, which includes guarantee information for guaranteeing that the user has been authenticated by the first device and a cooperation attribute for linking the user's account information with the first device;
    an account generation unit that generates an account of the user using the cooperation attribute included in the account registration request;
    a second information storage unit that stores the cooperation attribute in association with the generated account;
    a credential generation unit that generates a credential to be used when authenticating the user and stores it in the second information storage unit in association with the account;
    a user authentication unit that authenticates the user using the credential and generates an authentication context indicating the content of the authentication processing; and
    an account registration response generation unit that generates an account registration response including the cooperation attribute and the authentication context.
  4. The authentication system according to claim 3, wherein
    the first device further includes an authentication request generation unit that, in response to the account registration response, generates an authentication request for requesting the second device to authenticate the user;
    in the second device, the communication unit transmits the account registration response to the first device and receives the authentication request, generated by the first device in response to the account registration response, for requesting authentication of the user;
    the user authentication unit of the second device acquires the cooperation attribute corresponding to the authentication request from the second information storage unit, further performs authentication processing for the authentication request, and generates an authentication context; and
    the second device further includes:
    an authentication assertion generation unit that generates an authentication assertion from the acquired cooperation attribute and the generated authentication context; and
    an authentication response generation unit that generates an authentication response using the authentication assertion.

Priority Applications (1)

Application Number Priority Date Filing Date Title
JP2016045105A JP6342441B2 (en) 2016-03-09 2016-03-09 Authentication processing apparatus and authentication system

Publications (2)

Publication Number Publication Date
JP2017162129A JP2017162129A (en) 2017-09-14
JP6342441B2 true JP6342441B2 (en) 2018-06-13

Family

ID=59853033

Legal Events

Date        Code  Title                                                                       Description
2017-09-07  A711  Notification of change in applicant                                         Free format text: JAPANESE INTERMEDIATE CODE: A712
2017-09-08  A711  Notification of change in applicant                                         Free format text: JAPANESE INTERMEDIATE CODE: A711
2017-12-06  A977  Report on retrieval                                                         Free format text: JAPANESE INTERMEDIATE CODE: A971007
2018-02-06  A131  Notification of reasons for refusal                                         Free format text: JAPANESE INTERMEDIATE CODE: A131
2018-04-09  A521  Written amendment                                                           Free format text: JAPANESE INTERMEDIATE CODE: A523
            TRDD  Decision of grant or rejection written
2018-04-17  A01   Written decision to grant a patent or to grant a registration (utility model)  Free format text: JAPANESE INTERMEDIATE CODE: A01
2018-05-16  A61   First payment of annual fees (during grant procedure)                       Free format text: JAPANESE INTERMEDIATE CODE: A61
            R150  Certificate of patent or registration of utility model                      Ref document number: 6342441; Country of ref document: JP; Free format text: JAPANESE INTERMEDIATE CODE: R150