JP7162405B1 - Program, information processing device, method and system - Google Patents

Abstract

An object of the present invention is to reduce the amount of identification information that a user has to enter for authentication when using a service. A program for operating an authentication server (20) comprising a processor (29) and a memory (25) causes the processor (29) to receive user identification information unique to a user, and based on the received user identification information, the terminal identified by the terminal identification information has its own management function. a step of transmitting a response request for the management function to the terminal used by the user; a step of authenticating the user possessing the terminal according to the response from the terminal based on the response request; and the step of presenting to the user. [Selection drawing] Fig. 2

Description

The present disclosure relates to programs, information processing apparatuses, methods, and systems.

The authentication server searches for the device group corresponding to the device group specified by the device identification information sent to itself, searches for the workflow, then determines whether or not there is a workflow in operation, and determines whether or not the workflow exists. In this case, there is a technique of directly issuing a device processing instruction without issuing a password input instruction (Patent Document 1).

Also, identification information for identifying this portable medium is read from the portable medium and transmitted to the authentication server device, and the authentication server device issues authentication status information based on the received identification information, and sends the issued authentication status information. There is a technology related to an authentication system that writes to a portable medium, reads authentication status information from the portable medium, and executes authentication processing based on the stored authentication status information (Patent Document 2).

JP-A-2009-53762 JP 2008-9644 A

In the techniques disclosed in Patent Documents 1 and 2, the user needs to enter identification information (for example, ID and password) into the terminal used by the user each time and be authenticated by an authentication device or the like. It took a lot of time to input the identification information.

Therefore, the present disclosure has been made to solve the above problems, and its purpose is to reduce the identification information that a user has to input for authentication when using a service.

A program for operating a computer having a processor and a memory. The program comprises, in a processor, a step of accepting user identification information unique to a user, the user identification information and terminal identification information unique to a terminal being pre-associated with each other, and based on the accepted user identification information, this user identification information the terminal identified by the terminal identification information has its own management function, sending a response request for the management function to the terminal used by the user; A step of authenticating a user possessing a terminal and a step of presenting an authentication result obtained by the authenticating step to the user are executed in response to a response from the terminal based on the request.

Advantageous Effects of Invention According to the present disclosure, it is possible to reduce identification information to be input for authentication when a user uses a service.

FIG. 4 is a diagram for explaining an overview of system operation; It is a figure which shows the structure of the whole system. It is a figure which shows the functional structure of a terminal device. FIG. 3 is a diagram showing a functional configuration of an authentication server; FIG. It is a figure which shows the functional structure of a management server. It is a figure which shows the data structure of a database. It is a figure which shows the data structure of a database. It is a figure which shows the data structure of a database. It is a figure which shows the data structure of a database. 4 is a sequence diagram showing an example of a processing flow in the system; FIG. 4 is a sequence diagram showing an example of a processing flow in the system; FIG. It is a schematic diagram showing an example of the screen displayed on a terminal device. FIG. 4 is a schematic diagram showing another example of a screen displayed on the terminal device;

Hereinafter, embodiments of the present disclosure will be described with reference to the drawings. In all the drawings for explaining the embodiments, common constituent elements are given the same reference numerals, and repeated explanations are omitted. It should be noted that the following embodiments do not unduly limit the content of the present disclosure described in the claims. Also, not all the components shown in the embodiments are essential components of the present disclosure. Each figure is a schematic diagram and is not necessarily strictly illustrated.

Also, in the following description, a "processor" is one or more processors. The at least one processor is typically a microprocessor such as a CPU (Central Processing Unit), but may be another type of processor such as a GPU (Graphics Processing Unit). At least one processor may be single-core or multi-core.

Also, at least one processor may be a broadly defined processor such as a hardware circuit (for example, FPGA (Field-Programmable Gate Array) or ASIC (Application Specific Integrated Circuit)) that performs part or all of the processing.

In the following explanation, the expression "xxx table" may be used to describe information that produces an output for an input. It may be a learning model such as a generated neural network. Therefore, the "xxx table" can be called "xxx information".

Also, in the following description, the configuration of each table is an example, and one table may be divided into two or more tables, or all or part of two or more tables may be one table. good.

Further, in the following description, the processing may be described using the term “program” as the subject. As it occurs while in use, the subject of processing may be a processor (or a device, such as a controller, having that processor).

The program may be installed in a device such as a computer, or may be, for example, in a program distribution server or a computer-readable (eg, non-temporary) recording medium. Also, in the following description, two or more programs may be implemented as one program, and one program may be implemented as two or more programs.

In the following description, identification numbers are used as identification information for various objects, but identification information of types other than identification numbers (for example, identifiers including alphabetic characters and symbols) may be employed.

In addition, in the following description, when describing the same type of elements without distinguishing between them, reference symbols (or common symbols among the reference symbols) are used, and when describing the same types of elements with different An identification number (or reference sign) may be used.

Further, in the following description, control lines and information lines indicate those considered necessary for the description, and not all control lines and information lines are necessarily indicated on the product. All configurations may be interconnected.

<0 System Overview>
FIG. 1 is a diagram outlining the operation of a system according to the present disclosure. In the system 1 of the present disclosure, an authentication server 3 that provides a single sign-on (SSO) function is accessed from a terminal device 2 that has its own management function and is registered in the management server in advance. , when using the SSO service after authentication by the authentication server 3, based on the registration information (terminal identification information and user identification information) in the management server 4, only the user ID (user identification information) is sent via the terminal device 2 This system enables authentication by an authentication server without using other identification information such as a password.

Here, the user identification information is identification information unique to the user who uses the terminal device 2, such as the user's e-mail address, but is not particularly limited as long as it is information that can uniquely identify the user. Further, the terminal identification information is identification information unique to the terminal device 2 registered in the management server 4, and there is no particular limitation on its format or the like. Also, in the management server 4, a plurality of pieces of terminal identification information may be associated with one piece of user identification information. That is, a user identified by user identification information may possess a plurality of terminal devices 2, and terminal identification information about these terminal devices 2 may be registered in the management server.

In the following description, for convenience of explanation, the authentication server 3 and the management server 4 are described as separate entities (different servers). It may be realized by one server (information processing device). Further, in the following explanation, it is assumed that the information describing the association between the user identification information and the terminal identification information is stored in the management server 4, but this information is stored in at least one of the authentication server 3 and the management server 4. should be stored in In addition, there is no particular limitation on the form in which this information is held, and it is generally held in a table or database that describes the association between user identification information and terminal identification information. Any form is acceptable as long as the association with the information can be comprehended.

The SSO function provided by the authentication server 3 is a known function provided as a single sign-on service, and one example will be described below.
・When accessing services inside and outside the system 1 from the terminal device 2 via the authentication server 3, the input of ID, PW, etc. for each service is omitted, and the service can be accessed only by authentication by the authentication server 3. Logs of services accessed by the terminal device 2 via the authentication server 3 can be acquired and managed, and can be referred to by the administrator of the authentication server 3. User identification information about the user of the terminal device 2 and user account information of the service. In addition, the company that uses the authentication server 3 (usually, the user of the terminal device 2 is an employee of this company) can cooperate with the company to centrally manage this information. When the authority to use the SSO function is lost due to reasons such as

The terminal management function provided by the management server 4 is known as a PC management function and a mobile device management (MDM) function, and one example will be described below.
A module for pre-registering information on the terminal device 2 used by the user in the management server 4 and realizing a management function by the management server 4 (illustrated as a terminal management module 6 in FIG. 1) is installed in the terminal device 2 in advance, and the management server 4 and the terminal management module 6 work together to realize the following management functions. When the terminal device 2 is no longer placed, operations such as prohibiting (locking) input operations to the terminal device 2 and erasing information stored in the terminal device 2 are performed remotely according to instructions from the management server 4 ・Authentication server 3, to prohibit or restrict the SSO function for terminals that are not registered in the management server 4 (even if the user identification information is registered in the management server 4). Including access on a service-by-service basis. In addition, even if the terminal device 2 is registered in the management server 4, the service that can be accessed is made different for each terminal device 2. ・Application installation on the terminal device 2 can be performed remotely. Detect the environment in which the terminal device 2 is currently being used (including the wireless LAN environment, place, and time), and provide the terminal device 2 with settings suitable for this environment.

An overview of the operation of the system 1 according to the present disclosure will be described with reference to FIG.

A user who owns the terminal device 2 logs in to the authentication server 3 via the browser 5 (1). When logging in, the user enters his/her own user identification information (generally, the user's email address) into the browser 5 . The terminal device 2 logs into the authentication server 3 using the user identification information input by the user.

The authentication server 3 that has received the input of the user identification information provides this user identification information to the management server 4, and if there is terminal identification information associated with the user identification information, the management server 4 authenticates this terminal identification information. Reply to server 3 (2). At this time, if there is a plurality of terminal identification information associated with the user identification information, the management server 4 returns all (that is, a plurality of) terminal identification information to the authentication server 3 .

The fact that the terminal identification information is returned from the management server 4 means that the user identified by the user identification information owns at least the terminal device 2 registered in the management server 4 . However, at this point, it is unknown whether or not the user has logged in using the terminal device 2 registered in the management server 4 . In other words, the user may have logged into the authentication server 3 using a privately owned terminal device. If it is a privately owned terminal device, this terminal device is not registered in the management server 4, and therefore the terminal management module 6 is not installed in the privately owned terminal device.

Therefore, the authentication server 3 transmits all the terminal identification information acquired from the management server 4 to the terminal device 2 in order to confirm whether or not the terminal device 2 registered in the management server 4 has logged in. A response request for the information is made (3). At this time, the authentication server 3 also transmits response request identification information unique to each response request to the terminal device 2 . In the system 1 according to the present disclosure, the authentication server 3, when accessing the management server 4 from the terminal device 2, which will be described later, is a short token called a token that proves that this access is based on the response request described above. A lexical (character string) is used as response request identification information.

The terminal device 2 that has received the terminal identification information and the response request identification information selects the terminal currently used by the user from among the terminals specified by the terminal identification information sent from the authentication server 3 (4). Since the terminal identification information is associated with the mode of management of the terminal device 2 by the management server 4, the user needs to select an appropriate terminal.

After selecting the terminal, the browser of the terminal device 2 activates the terminal management module 6 using the response request identification information sent from the authentication server 3 (5), and the terminal management module 6 uses this response request identification information to Access to the management server 4 (6). Although there is no particular limitation on the specific contents of the series of operations, as an example, when the OS of the terminal device 2 is Windows (registered trademark), the URL for activating the terminal management module 6 using the URL Scheme is set. The terminal management module 6 is presented with a token added to the end, and access is made to the management server 4 using this token.

As described above, since the terminal management module 6 is not installed in the user's private terminal device 2, the terminal management module 6 cannot respond to the activation instruction from the browser 5. Therefore, authentication is performed here. Operation fails and a series of processes ends.

The management server 4 that has accepted the token notifies the authentication server 3 of the access from the terminal device 2 together with this token. The authentication server 3 determines that the authentication of the terminal device 2 is completed by confirming that the token notified from the management server 4 is the response request identification information issued by itself (7), and sends an authentication completion notification. It transmits to the terminal device 2 (8).

After the authentication by the authentication server 3 is completed, the user can use the SSO function provided by the authentication server 3, such as accessing external services using the authenticated terminal device 2 (9).

In the system 1 according to the present disclosure, the activation instruction of the terminal management module 6 using the URL scheme and the use of the token as the response request identification information are merely examples, and the present invention is not limited to such specific examples. As an example, instead of tokens, information that is uniquely determined for each response request, such as hash tags and barcodes, may be used. Alternatively, instead of activating the terminal management module 6 by the URL scheme, a local http server may be set up temporarily in the terminal management module 6, and the URL of the management server 4 + response request identification information may be accessed by this local http server. good.

<1 Configuration diagram of the entire system>
FIG. 2 is a block diagram showing an example of the overall configuration of system 1. As shown in FIG. The system 1 shown in FIG. 2 includes, for example, a terminal device 10, an authentication server 20, and a management server 30. FIG. The terminal device 10, the authentication server 20, and the management server 30 are connected for communication via a network 80, for example.

Although FIG. 2 shows an example in which the system 1 includes one terminal device 10, the number of terminal devices 10 included in the system 1 is not limited to one. The terminal device 10 is owned by a user who uses the SSO function provided by the authentication server 20 and who uses the terminal management service provided by the management server 30 .

In this embodiment, a collection of multiple devices may serve as one authentication server 20 and management server 30 . How to distribute a plurality of functions required to realize the authentication server 20 and the management server 30 according to this embodiment for one or more pieces of hardware depends on the processing capacity of each piece of hardware and/or the authentication server 20. It can be determined as appropriate in view of required specifications and the like.

The terminal device 10 shown in FIG. 1 may be, for example, a mobile terminal such as a smart phone or tablet, a stationary PC (Personal Computer), or a laptop PC. It may also be a wearable terminal such as an HMD (Head Mount Display) or a wristwatch type terminal.

The terminal device 10 includes a communication IF (Interface) 12 , an input device 13 , an output device 14 , a memory 15 , a storage 16 and a processor 19 .

The communication IF 12 is an interface for inputting and outputting signals so that the terminal device 10 communicates with devices in the system 1 such as the authentication server 20, for example.

The input device 13 is a device (for example, a touch panel, a touch pad, a pointing device such as a mouse, a keyboard, etc.) for receiving an input operation from a user.

The output device 14 is a device (display, speaker, etc.) for presenting information to the user.

The memory 15 is for temporarily storing programs, data processed by the programs, etc., and is a volatile memory such as a DRAM (Dynamic Random Access Memory).

The storage 16 is for storing data, and is, for example, a flash memory or a HDD (Hard Disc Drive).

The processor 19 is hardware for executing an instruction set described in a program, and is composed of arithmetic units, registers, peripheral circuits, and the like.

When the authentication server 20 logs in using the user identification information (usually the user's e-mail address) registered in advance by the terminal device 10, the authentication server 20 uses this user identification information, terminal identification information and response request identification information to be described later for authentication. is performed, and if the authentication succeeds, the SSO function is provided to the terminal device 10 concerned. The authentication server 20 also functions as a so-called web server.

The authentication server 20 is realized by, for example, a computer (information processing device) connected to the network 80 . As shown in FIG. 2 , authentication server 20 includes communication IF 22 , input/output IF 23 , memory 25 , storage 26 and processor 29 .

The communication IF 22 is an interface for inputting and outputting signals for the authentication server 20 to communicate with devices in the system 1 such as the terminal device 10 .

The input/output IF 23 functions as an interface with an input device for receiving input operations from the user and an output device for presenting information to the user.

The memory 25 temporarily stores programs and data processed by the programs, and is a volatile memory such as a DRAM.

The storage 26 is for storing data, and is, for example, flash memory or HDD.

The processor 29 is hardware for executing an instruction set described in a program, and is composed of arithmetic units, registers, peripheral circuits, and the like.

The management server 30 is realized by, for example, a computer (information processing device) connected to the network 80 . Since the hardware configuration of the management server 30 is the same as that of the authentication server 20, illustration and description are omitted. The management server 30 also functions as a so-called web server.

The management server 30 cooperates with the terminal management control unit 195 (see FIG. 3), which is the terminal management module 6 pre-installed in the terminal device 10, to provide the terminal device 10 with terminal management services.

<1.1 Functional Configuration of Terminal Device>
FIG. 3 is a block diagram showing an example of the functional configuration of the terminal device 10 shown in FIG. 2. As shown in FIG. The terminal device 10 shown in FIG. 3 is realized by, for example, a PC, a mobile terminal, or a wearable terminal. As shown in FIG. 3 , the terminal device 10 includes a communication section 120 , an input device 130 , an output device 140 , a storage section 180 and a control section 190 . Each block included in the terminal device 10 is electrically connected by, for example, a bus.

The communication unit 120 performs processing such as modulation/demodulation processing for the terminal device 10 to communicate with other devices. The communication unit 120 performs transmission processing on the signal generated by the control unit 190 and transmits the signal to the outside (for example, the authentication server 20). Communication unit 120 performs reception processing on a signal received from the outside and outputs the signal to control unit 190 .

The input device 130 is a device for a user operating the terminal device 10 to input instructions or information. The input device 13 has, for example, a keyboard 131, a mouse 132, and the like. note that,
When the terminal device 10 is a mobile terminal or the like, the input device 130 is implemented by a touch sensitive device or the like that inputs instructions by touching the operation surface. Input device 130 converts an instruction input by a user into an electric signal and outputs the electric signal to control unit 190 . Note that the input device 130 may include, for example, a receiving port that receives an electrical signal input from an external input device.

The output device 140 is a device for presenting information to the user who operates the terminal device 10 . The output device 14 is implemented by, for example, the display 141 or the like. The display 141 displays data under the control of the controller 190 . The display 141 is implemented by, for example, an LCD (Liquid Crystal Display) or an organic EL (Electro-Luminescence) display.

The storage unit 180 is realized by, for example, the memory 15 and the storage 16, and stores data and programs used by the terminal device 10. FIG. The storage unit 180 stores an application program 181, a browser program 182, and a management program 183, for example.

The browser program 182 is a program for providing the terminal device 10 with a browser function. When executed, the browser program 182 functions as a browser control unit 194, which will be described later, and provides the terminal device 10 with the browser function. In the terminal device 10 of the present embodiment, the type of browser is not particularly limited, and a known browser program 182 can be preferably used.

The management program 183 is a program provided by the management server 30, and when executed, provides a function of the terminal management control section 195, which is the terminal management module 6 described later.

The control unit 190 is implemented by the processor 19 reading the application program 181, the browser program 182, and the management program 183 stored in the storage unit 180, and executing commands included in the application program 181 and the like. The control unit 190 controls operations of the terminal device 10 . The control unit 190 functions as an operation reception unit 191 , a transmission/reception unit 192 , a presentation control unit 193 , a browser control unit 194 , and a terminal management control unit 195 by operating according to programs.

The operation reception unit 191 performs processing for receiving instructions or information input from the input device 13 . Specifically, for example, the operation reception unit 191 receives information based on instructions input from the keyboard 131, the mouse 132, or the like.

The transmitting/receiving unit 192 performs processing for transmitting/receiving data between the terminal device 10 and an external device such as the authentication server 20 according to a communication protocol. Specifically, for example, the transmission/reception unit 192 transmits the content input by the user to the external device. The transmitting/receiving unit 192 also receives information about the user from the external device.

The presentation control unit 193 controls the output device 14 in order to present information generated by each functional unit of the terminal device 10 to the user. Specifically, for example, the presentation control unit 193 causes the display 141 to display information generated by each functional unit of the terminal device 10 .

The browser control unit 194 provides the terminal device 10 with a browser function. Specifically, for example, the browser control unit 194 accesses the web server specified by the URL entered by the user, etc., and makes the information transmitted from the web server visible through the display 141 (that is, screen), and when the user inputs an operation via the input device 130 to the links, buttons, etc. displayed in the screen, the operation reception unit 191 cooperates with the link described in the link, etc. A predetermined operation is performed based on the received command, etc., and operation input information is sent to the Web server. The browser is normally displayed as a specific window within the display 141, but the display mode is not particularly limited.

In particular, the browser control unit 194 in the terminal device 10 of this embodiment converts the token, which is the response request identification information sent from the user authentication module 2036 of the authentication server 20 described later, to the end of the URL for accessing the management server 30 . By sending a command to access the management server 30 to the terminal management control unit 195 using the information added to the terminal management control unit 195, the terminal management control unit 195 is activated. Any method can be used to cause the terminal management control unit 195 to access the management server 30, but one example is a method of activating the terminal management control unit 195 using a URL scheme. The URL Scheme itself is a standard function included in the OS included in the application program 181 of the terminal device 10 . Alternatively, a method is also possible in which a local http server is set up temporarily in the terminal management control unit 195, and this http server accesses the management server 30 using information added to the end of the URL for accessing the management server 30. is.

The terminal management control unit 195 cooperates with the management server 30 to provide the terminal device 10 with the terminal management function provided by the management server 30 . Since the details of the terminal management function have already been explained, the explanation is omitted here.

In particular, the terminal management control unit 195 in the terminal device 10 of this embodiment, based on the instruction from the browser control unit 194, the information sent from the browser control unit 194, that is, the URL for accessing the management server 30 The management server 30 is accessed using the information added to the end of .

<1.2 Functional Configuration of Authentication Server>
FIG. 4 is a diagram showing an example of the functional configuration of the authentication server 20. As shown in FIG. As shown in FIG. 4 , the authentication server 20 functions as a communication section 201 , a storage section 202 and a control section 203 .

The communication unit 201 performs processing for the authentication server 20 to communicate with an external device.

The storage unit 202 has, for example, an application program 2021, a user information database (DB) 2022, a token DB 2023, an SSO management information DB 2024, and the like.

The user information DB 2022 is a database for holding user identification information unique to users. Details will be described later.

The token DB 2023 is a database for holding tokens, which are response request identification information specific to response requests that request the terminal management control unit 195 of the terminal device 10 to respond to the management server 30 . Details will be described later.

The SSO management information DB 2024 is a database for holding information on sites accessible by users using the authentication server 20 . Details will be described later.

Control unit 203 is implemented by processor 29 reading application program 2021 stored in storage unit 202 and executing instructions included in application program 2021 . By operating according to the application program 2021, the control unit 203 operates a reception control module 2031, a transmission control module 2032, a login management module 2033, a terminal identification information acquisition module 2034, a token issuing module 2035, a user authentication module 2036, and an SSO management module. The function shown as 2037 is exhibited.

The reception control module 2031 controls processing for the authentication server 20 to receive a signal from an external device according to a communication protocol.

The transmission control module 2032 controls the process of transmitting signals from the authentication server 20 to external devices according to the communication protocol.

The login management module 2033 receives the user identification information sent from the terminal device 10 via the reception control module 2031 and checks it against the user identification information stored in the user information DB 2022. is registered in the authentication server 20 (accordingly, registered in the authentication server 20 itself). When the login management module 2033 determines that user identification information matching the user identification information sent from the terminal device 10 is registered in the user information DB 2022, this user identification information is sent to the terminal identification information acquisition module 2034. .

The terminal identification information acquisition module 2034 receives the user identification information sent from the login management module 2033 (this user identification information is confirmed by the login management module 2033 to be the user identification information of a user already registered in the authentication server 20). ) is sent to the management server 30, and the terminal identification information corresponding to this user identification information is received from the management server 30. FIG. At this time, if a plurality of pieces of terminal identification information associated with user identification information are registered in the management server 30, the terminal identification information acquisition module 2034 receives all of the registered terminal identification information. Receiving the terminal identification information from the management server 30 means that the user identified by the user identification information is the terminal device 10 (this terminal device 10 is the terminal device 10 currently used by the user to access the authentication server 20). is unknown at this point) is registered in the management server 30 , that is, the terminal device 10 is registered in the management server 30 .

Triggered by the terminal identification information acquisition module 2034 receiving the terminal identification information from the management server 30, the token issuing module 2035 requests the user to respond from the terminal device 10 currently in use. A token, which is response request identification information for identifying a response request, is issued. The token issuance method is arbitrary, and the number of digits, the types of characters/numbers included, and the like may be appropriately determined according to the security guarantee in the system 1 of the present embodiment, the scale of the system 1, and the like. and the token issuing module 2035; The issued token is sent to the user authentication module 2036 and stored in the token DB 2023 .

When the terminal identification information acquisition module 2034 receives the terminal identification information and the token issuance module 2035 issues a token, the user authentication module 2036 transmits the terminal identification information and the token to the logged-in terminal device 10 via the login management module 2033. to request a response from the terminal management control unit 195 of the terminal device 10 based on the terminal identification information and the token. Next, the terminal device 10 that has sent the terminal identification information or the like responds to the management server 30 by means of the terminal management control unit 195, and receives from this management server 30 the token received by the management server 30 in response to this response. Then, the user authentication module 2036 compares the token transmitted by the user authentication module 2036 itself and the token received by the management server 30, which is acquired by referring to the token DB 2023. If the tokens match, the terminal device 10 is authenticated. end the authentication operation as successful.

The SSO management module 2037 provides the SSO function to the terminal device 10 for which authentication by the user authentication module 2036 has succeeded. Since the specific content of the SSO function has already been explained, the explanation here is omitted. As an example, the SSO management module 2037 refers to the SSO management information DB 2024 and permits access to a site that is accessible by the user associated with the authenticated terminal device 10 . In the system 1 of the present embodiment, the SSO management module 2037 provides the SSO function for each user, and the terminal management module 3035 of the management server 30 provides the function for access control for each terminal device 10. ing. Of course, the SSO management module 2037 may perform access control for each terminal device 10 .

<1.3 Functional Configuration of Management Server>
FIG. 5 is a diagram showing an example of the functional configuration of the management server 30. As shown in FIG. As shown in FIG. 5 , the management server 30 functions as a communication section 301 , a storage section 302 and a control section 303 .

The communication unit 301 performs processing for the management server 30 to communicate with an external device.

The storage unit 302 has, for example, an application program 3021, a user terminal information database (DB) 3022, and the like.

The user terminal information DB 3022 is a database for holding terminal identification information unique to the terminal device 10 . Details will be described later.

The control unit 303 is implemented by the processor reading an application program 3021 stored in the storage unit 302 and executing instructions included in the application program 3021 . By operating according to the application program 3021 , the control unit 303 exhibits functions as a reception control module 3031 , a transmission control module 3032 , a user terminal information search module 3033 , a token transmission/reception module 3034 and a terminal management module 3035 .

The reception control module 3031 controls processing for the management server 30 to receive a signal from an external device according to a communication protocol.

The transmission control module 3032 controls the processing by which the management server 30 transmits signals to external devices according to the communication protocol.

Based on a request from the authentication server 20, the user terminal information search module 3033 searches the user terminal information DB 3022 for terminal identification information associated with the user ID, which is user identification information sent from the authentication server 20. If there is terminal identification information associated with the extracted user ID, all terminal identification information associated with the user ID stored in the user terminal information DB 3022 is sent to the authentication server 20 .

Token transmission/reception module 3034 extracts a token, which is response request identification information included in information transmitted from terminal device 10 , and sends the extracted token to user authentication module 2036 of authentication server 20 .

The terminal management module 3035 cooperates with the terminal management control unit 195 of the terminal device 10 to provide a terminal management function to the terminal device 10 that has been successfully authenticated by the user authentication module 2036 of the authentication server 20 . Since the details of the terminal management function provided by the terminal management module 3035 have already been explained, the explanation is omitted here.

<2 Data structure>
6 to 8 show the data structure of the database stored in the authentication server 20, and FIG. 9 shows the data structure of the database stored in the management server 30. FIG. It should be noted that FIGS. 6 to 9 are examples and do not exclude data that are not shown.

The databases shown in FIGS. 6 to 9 refer to relational databases, and are used to manage data sets called tabular tables structurally defined by rows and columns in association with each other. In a database, a table is called a table, columns of a table are called columns, and rows of a table are called records. Relational databases allow you to establish and associate relationships between tables.

Each table usually has a primary key column to uniquely identify a record, but setting a primary key to a column is not essential. The control units 203 and 303 of the authentication server 20 and management server 30 can cause the processor 29 to add, delete, and update records in specific tables stored in the storage units 202 and 302 according to various programs.

FIG. 6 is a diagram showing the data structure of the user information DB 2022. As shown in FIG. As shown in FIG. 6, each record of the user information DB 2022 includes, for example, the item "user ID" and the item "mail address". Information stored in the user information DB 2022 is input and updated by the login management module 2033 . Information stored in the user information DB 2022 can be changed or updated as appropriate.

The item “user ID” is an ID for specifying a user registered in the authentication server 20 . The item “e-mail address” is the e-mail address entered by the user identified by the user ID when registering with the authentication server 20 . A mail address is an example of user identification information unique to a user.

FIG. 7 is a diagram showing the data structure of the token DB 2023. As shown in FIG. As shown in FIG. 7, each record of the token DB 2023 includes, for example, the item "token ID", the item "user ID", the item "token", and the item "issue date and time". Information stored in the token DB 2023 is entered and modified by the token issuing module 2035 . Information stored in the token DB 2023 can be changed or updated as appropriate.

The item "token ID" is an ID for specifying a token. The item "user ID" is an ID for specifying a user registered in the authentication server 20, and is common to the item "user ID" of the user information DB 2022. FIG. The item “token” is a token specified by the token ID and issued by the token issuing module 2035 . A token is an example of response request identification information unique to a response request issued by the authentication server 20 to the terminal device 10 . The item “date and time of issue” is information related to the date and time when the token issuance module 2035 issues the token specified by the token ID.

FIG. 8 is a diagram showing the data structure of the SSO management information DB 2024. As shown in FIG. As shown in FIG. 8, each record of the SSO management information DB 2024 includes, for example, the item "user ID" and the item "accessible site URL". Information stored in the SSO management information DB 2024 is input and corrected by the SSO management module 2037 . Information stored in the SSO management information DB 2024 can be changed or updated as appropriate.

The item "user ID" is an ID for specifying a user registered in the authentication server 20, and is common to the item "user ID" of the user information DB 2022. FIG. The item “accessible site URL” is information on the URL of the site to which the user identified by the user ID is permitted to access by the SSO function provided by the authentication server 20 (especially the SSO management module 2037). Since sites include not only so-called web servers but also sites that provide web services, it can be said that the SSO function defines web services that can be used by users.

FIG. 9 is a diagram showing the data structure of the user terminal information DB 3022. As shown in FIG. As shown in FIG. 9, each record of the user terminal information DB 3022 includes, for example, the item "user ID", the item "terminal ID", the item "terminal type", and the item "terminal name". Information stored in the user terminal information DB 3022 is input and corrected by the terminal management module 3035 . Information stored in the user terminal information DB 3022 can be changed or updated as appropriate.

The item "user ID" is an ID for specifying a user registered in the authentication server 20, and is common to the item "user ID" of the user information DB 2022. FIG. The item “terminal ID” is an ID for specifying the terminal device 10 registered in the management server 30 as being used by the user specified by the user ID. The terminal ID is terminal identification information unique to the terminal device 10 . The item “terminal type” is information indicating the type of the terminal device 10 specified by the terminal ID, and is mainly information regarding the OS type of the terminal device 10 . The terminal device 10 indicated as "PC" in FIG. 9 indicates that the OS is Windows (registered trademark). The item "terminal name" is information about the name of the terminal device 10 specified by the terminal ID. The terminal name may be determined by the user of the terminal device 10 or may be determined by the terminal management module 3035 .

<3 Operation example>
An example of the operation of the system 1 will be described below.

10 and 11 are sequence diagrams showing an example of the operation of the system 1. FIG.

In step S<b>1050 , the control unit 190 of the terminal device 10 accesses the authentication server 20 based on the login instruction input to the authentication server 20 from the user of the terminal device 10 . The manner of inputting the login instruction is arbitrary, and one example is the manner of selecting the icon for logging in to the authentication server 20 displayed on the display 141 of the terminal device 10 with the mouse 132 or the like.

In step S1000, control unit 203 of authentication server 20 sends email address input screen data requesting input of an email address for login to terminal device 10 based on access from terminal device 10 in step S1050. do. Specifically, for example, the control unit 203 accesses e-mail address input screen data prepared in advance by the login management module 2033 or e-mail address input screen data generated by the login management module 2033 at that time. Send to the terminal device 10 .

FIG. 12 is a diagram showing an example of the e-mail address input screen sent from the authentication server 20 and displayed on the display 141 of the terminal device 10 in step S1000. A browser window 1201 displayed by the browser control unit 194 is displayed on a screen 1200 of the terminal device 10. In this browser window 1201, an input field 1202 for inputting the user's e-mail address and an e-mail input in the input field 1202 are displayed. A button 1203 for instructing login to the authentication server 20 using an address is displayed.

In step S1051, the user of the terminal device 10 uses the keyboard 131, the mouse 132, etc. to input his/her own mail address in the input field 1202, and similarly uses the keyboard 131, the mouse 132, etc. to perform input operations to the buttons 1203. By doing so, the terminal device 10 is instructed to log in to the authentication server 20 with this mail address. The control unit 190 of the terminal device 10 accepts the input operation signal from the user and transmits the e-mail address input by the user to the authentication server 20 .

In step S1001, the control unit 203 of the authentication server 20 accepts the e-mail address transmitted from the terminal device 10, and identifies the user ID corresponding to this e-mail address. Specifically, for example, the control unit 203 causes the login management module 2033 to search the user information DB 2022 using the accepted e-mail address, and specifies the user ID corresponding to this e-mail address.

Next, in step S1002, the control unit 203 of the authentication server 20 inquires whether or not there is terminal identification information corresponding to the user ID specified in step S1001. An instruction to send the information to the authentication server 20 is sent to the management server 30 . Specifically, for example, the control unit 203 uses the terminal identification information acquisition module 2034 to send the user ID specified in step S1001 to the management server 30, and the presence or absence of terminal identification information associated with this user ID, and If there is terminal identification information, it requests the management server 30 to transmit all of the terminal identification information.

In step S1080, control unit 303 of management server 30 searches for the presence of terminal identification information associated with the user ID sent from authentication server 20 in step S1002. 30 , all registered terminal identification information is transmitted to the authentication server 20 . Specifically, for example, the control unit 303 causes the user terminal information search module 3033 to search the user terminal information DB 3022 using the user ID sent from the authentication server 20, and retrieves the terminal identification information associated with the user ID. Extract. Then, when the terminal identification information associated with the user ID can be retrieved, the user terminal information retrieval module 3033 transmits all terminal identification information associated with the user ID to the authentication server 20 .

Moving to FIG. 11, in step S1100, the control unit 203 of the authentication server 20 issues a token that is response request identification information unique to the response request to the terminal device 10. All the terminal identification information transmitted from 30 and the URL information for accessing the management server 30 are transmitted to the terminal device 10 that made the login request, and a response from the terminal management control unit 195 of the terminal device 10 is requested. . The fact that the user terminal information search module 3033 of the management server 30 has transmitted the terminal identification information in step S1080 means that the terminal identification information associated with the user ID (that is, the terminal device 10 owned by the user) is registered in the management server 30. means that Therefore, the authentication server 20 advances the authentication work by causing the terminal management control unit 195 already installed in the terminal device 10 to respond. In addition, when the terminal management control unit 195 of the terminal device 10 has already obtained the URL information of the management server 30, the URL information of the management server 30 does not have to be sent.

Specifically, for example, the control unit 203 causes the token issuing module 2035 to issue a token, which is individual response request identification information, to the response request to the terminal device 10 . The token issue module 2035 then stores information on the issued token in the token DB 2023 . Next, for example, the control unit 203 causes the user authentication module 2036 to transmit all the terminal identification information acquired in step S1080, the token issued by the token issuing module 2035, and the URL information for accessing the management server 30, In step S1051, it is transmitted to the terminal device 10 that requested the login, and requests a response from the terminal management control unit 195 installed in this terminal device 10. FIG.

Thereafter, in step S1101, the control unit 203 of the authentication server 20 periodically polls the management server 30 using the user authentication module 2036 to check whether the management server 30 has received the token.

FIG. 13 is a diagram showing an example of a screen displaying the terminal identification information sent from the authentication server 20 in step S1100 on the display 141 of the terminal device 10. As shown in FIG. A browser window 1301 displayed by the browser control unit 194 is displayed on a screen 1300 of the terminal device 10. In this browser window 1301, a plurality of terminal devices 10 associated with the user's email address, which is user identification information, are displayed. An area 1302 in which a text notifying the existence of the terminal is written, and buttons 1303 and 1304 in which the terminal identification information sent from the authentication server 20 in step S1100 is written are displayed.

In step S1150, the user of the terminal device 10 selects the terminal identification information related to the terminal device 10 currently used by the user by performing a selection input operation on the buttons 1303 and 1304 using the keyboard 131, mouse 132, etc. do. Although it is not necessary to send the terminal identification information selected in step S1150 to the authentication server 20 and the management server 30, the terminal identification information selected in step S1150 does not affect the terminal management operation of the terminal device 10 by the terminal management control unit 195. (The terminal management operation to be performed differs for each OS.) Therefore, the terminal identification information selected in step S1150 is sent to the terminal management control section 195. FIG.

Next, in step S1151, control unit 190 of terminal device 10 activates terminal management control unit 195 using the information sent from authentication server 20 in step S1100. Specifically, for example, the control unit 190 causes the browser control unit 194 to activate the terminal management control unit 195 with information obtained by adding a token to the end of the URL for activating the terminal management control unit 195 using the URL scheme. The terminal management control unit 195 is caused to make a response request for accessing the management server 30 by the terminal management control unit 195 .

Next, in step S1152, the control unit 190 of the terminal device 10 responds to the response request from the terminal management control unit 195 by accessing the management server 30 using the token sent from the authentication server 20 in step S1100. Specifically, for example, the control unit 190 causes the terminal management control unit 195 to respond to the response request sent from the browser control unit 194 in step S1151, and causes the management server 30 to be accessed with the token-added information.

In step S1180, the control unit 303 of the management server 30 uses the token transmission/reception module 3034 to accept the access request (this access request includes the token) transmitted from the terminal device 10 in step S1152, and Extract the tokens contained in . The control unit 303 of the management server 30 then uses the token transmission/reception module 3034 to transmit a notification of receipt of the token and the transmitted token to the authentication server 20 .

In step S1102, the control unit 203 of the authentication server 20 receives the token transmitted in step S1180, and authenticates the terminal device 10 using this token. Specifically, for example, the control unit 203 causes the user authentication module 2036 to search the token DB 2023 using the token received in step S1102, and the received token is the same as the token sent to the terminal device 10 in step S1100. It is determined whether or not If these tokens are the same, the user authentication module 2036 concludes that authentication of the terminal device 10 using the token has succeeded, and terminates the authentication operation. Note that the user authentication module 2036 compares the token issue date and time by the token issue module 2035 with the token reception date and time in step S1102, and if the time interval between them is within a certain period of time, the terminal device 10 Authentication may be performed.

In step S1103, the control unit 203 of the authentication server 20 notifies the terminal device 10 that requested the login that the authentication was successful. Thereafter, the control unit 203 of the authentication server 20 uses the SSO management module 2037 to provide the SSO function to the terminal device 10 for which authentication has succeeded, and the control unit 303 of the management server 30 uses the terminal management module 3035 to perform authentication. A terminal management function is provided to the terminal device 10 for which the above has succeeded.

<4 Effect of Embodiment>
As described in detail above, according to the system 1 of the present embodiment, user-specific user identification information transmitted from the terminal device 10 and user identification information pre-registered in the management server 30 are associated with each other. The authentication operation of the terminal device 10 is performed using the terminal identification information. Thus, according to the system 1 of this embodiment, the user can be authenticated by the authentication server 20 without separately inputting information such as a password. Therefore, according to the system 1 of the present embodiment, it is possible to reduce the identification information that the user has to input for authentication when using the service.

<5 Notes>
It should be noted that the above-described embodiments describe the configurations in detail in order to explain the present disclosure in an easy-to-understand manner, and are not necessarily limited to those having all the described configurations. Also, part of the configuration of each embodiment can be added, deleted, or replaced with another configuration.

Further, each of the configurations, functions, processing units, processing means, etc. described above may be realized by hardware, for example, by designing a part or all of them using an integrated circuit. The present invention can also be implemented by software program code that implements the functions of the embodiments. In this case, a computer is provided with a storage medium recording the program code, and the processor of the computer reads the program code stored in the storage medium. In this case, the program code itself read out from the storage medium implements the functions of the above-described embodiments, and the program code itself and the storage medium storing it constitute the present invention. Storage media for supplying such program code include, for example, flexible disks, CD-ROMs, DVD-ROMs, hard disks, SSDs, optical disks, magneto-optical disks, CD-Rs, magnetic tapes, and non-volatile memory cards. , ROM and the like are used.

Also, the program code that implements the functions described in this embodiment can be implemented in a wide range of programs or script languages, such as assembler, C/C++, perl, Shell, PHP, and Java (registered trademark).

Furthermore, by distributing the program code of the software that realizes the functions of the embodiment via a network, it can be stored in storage means such as a hard disk or memory of a computer, or in a storage medium such as a CD-RW or CD-R. Alternatively, a processor provided in the computer may read and execute the program code stored in the storage means or the storage medium.

The items described in the above embodiments will be added below.

(Appendix 1)
A program (2021) for operating a computer (20) comprising a processor (29) and a memory (25), the program (2021) accepting user identification information unique to a user in the processor (29) A step (S1001) and a step ( S1080), the terminal (10) identified by the terminal identification information has its own management function, and a step of transmitting a response request for the management function to the terminal (10) used by the user (S1100); In response to a response from the terminal (10) based on the request, a step of authenticating the user possessing the terminal (10) (S1102) and a step of presenting the authentication result of the authenticating step to the user (S1103) are executed. , program (2021).
(Appendix 2)
In the step of acquiring terminal identification information (S1080), a plurality of pieces of terminal identification information are acquired based on the accepted user identification information, and in the step of transmitting a response request to the terminal (10) (S1100), the acquired 2. The program (2021) of clause 1, wherein in the step of presenting a plurality of terminal identities and authenticating the user, accepting a selection of terminal identities specific to the terminal (10) being used by the user.
(Appendix 3)
In the step of transmitting a response request to the terminal (10) (S1100), response request identification information unique to the response request is transmitted to the terminal (10), and in the step of authenticating the user (S1102), the response request identification information 3. The program (2021) according to appendix 1 or 2 for authenticating a user possessing a terminal (10) based on.
(Appendix 4)
The memory (25) stores a table (3022) in which user identification information and terminal identification information are associated with each other. 4. The program (2021) according to any one of Appendices 1 to 3, for obtaining, based on user identification information, terminal (10) identification information associated with this user identification information.
(Appendix 5)
The program (2021) further causes the processor (29) to execute a step of managing the terminal (10) in cooperation with the management function of the terminal (10) when the user is authenticated. (2021).
(Appendix 6)
6. The program (2021) according to any one of appendices 1 to 5, wherein the program (2021) further causes the processor (29), once the user is authenticated, to make available to the user a service in the other computer (30) based on this authentication. program (2021).
(Appendix 7)
An information processing device (20) comprising a processor (29) and a memory (25), wherein the processor (29) receives a step of accepting user identification information unique to a user (S1001); 10) is pre-associated with unique terminal identification information, and based on the received user identification information, a step of acquiring terminal identification information associated with this user identification information (S1080); The terminal (10) to be received has its own management function, and a step of transmitting a response request for the management function to the terminal (10) used by the user (S1100); An information processing apparatus (20) that performs a step (S1102) of authenticating a user possessing a terminal (10) and a step (S1103) of presenting an authentication result of the authenticating step to the user in response to the response.
(Appendix 8)
A method performed by a computer (20) comprising a processor (29) and a memory (25), wherein the processor (29) receives (S1001) user identification information unique to a user; and terminal identification information unique to the terminal (10) are associated in advance, and based on the received user identification information, acquiring terminal identification information associated with this user identification information (S1080); The terminal (10) identified by the information has its own management function, a step of transmitting a response request for the management function to the terminal (10) used by the user (S1100); ), authenticating the user possessing the terminal (10) (S1102) and presenting the authentication result of the authenticating step to the user (S1103).
(Appendix 9)
means (2033) for accepting user identification information unique to a user; and user identification information and terminal identification information unique to the terminal (10) are pre-associated; A means (2034) for obtaining terminal identification information associated with the terminal (10) identified by the terminal identification information has its own management function, and a response request to the management function is sent to the terminal ( 10), a means (2036) for authenticating the user possessing the terminal (10) in response to a response from the terminal (10) based on the response request, and an authentication result by the authenticating means (2036) means (2036) for presenting to a user.

1, system 2, 10, terminal device 3, 20, authentication server 4, 30, management server 5, browser 6, terminal management module 80, network 180, storage unit 190, control unit 194, browser control unit 195, terminal management control Units 202, 302, Storage Units 203, 303, Control Unit User information DB 2023, Token DB 2024, SSO management information DB 2031 to 2033, Login management module 2034, Terminal identification information acquisition module 2035, Token issuing module 2036, User authentication module 2037 , SSO management module user terminal information DB 3031, reception control module 3032, transmission control module 3033, user terminal information search module 3034, token transmission/reception module 3035, terminal management module

Claims (8)

A program for operating a computer comprising a processor and a memory,
The program causes the processor to:
accepting user identification information unique to the user;
The user identification information and terminal identification information unique to a terminal are associated in advance, and based on the received user identification information, the terminal identification information associated with the user identification information is obtained, thereby enabling the user to identifying the terminal owned by the user identified by identification information ;
the terminal identified by the terminal identification information has a management function of the terminal itself, and transmitting a response request for the management function to the identified terminal;
authenticating the user possessing the terminal in response to a response from the terminal based on the response request;
and presenting to the user an authentication result obtained by the authenticating step ;
in the step of transmitting the response request to the terminal, transmitting response request identification information associated with the user identification information and unique to the response request to the terminal;
A program for authenticating the user possessing the terminal based on the response request identification information in the step of authenticating the user . In a system having a computer and a terminal,
The computer is
means for accepting user identification information unique to a user;
The user identification information and the terminal identification information unique to the terminal are associated in advance, and based on the accepted user identification information, the terminal identification information associated with the user identification information is obtained, means for identifying the terminal owned by the user identified by user identification information;
the terminal identified by the terminal identification information has a management function of the terminal itself, means for transmitting a response request for the management function to the identified terminal;
means for authenticating the user possessing the terminal in response to a response from the terminal based on the response request;
means for presenting to the user an authentication result obtained by the authenticating step;
and
the means for acquiring the terminal identification information acquires a plurality of the terminal identification information based on the accepted user identification information;
the means for transmitting the response request to the terminal presents the acquired plurality of terminal identification information to the terminal;
The terminal accepts selection of the terminal identification information unique to the terminal used by the user from among the presented plurality of terminal identification information.
system . the memory stores a table in which the user identification information and the terminal identification information are associated;
2. The program according to claim 1, wherein in the step of acquiring the terminal identification information, the table is referred to, and based on the received user identification information, the terminal identification information associated with the user identification information is obtained. The program further instructs the processor to:
When the user is authenticated, cooperating with the management function of the terminal to perform a step of managing the terminal;
A program according to claim 1. The program further instructs the processor to:
Once the user has been authenticated, making other services available to the user based on this authentication;
A program according to claim 1. An information processing device comprising a processor and a memory,
The processor
accepting user identification information unique to the user;
The user identification information and terminal identification information unique to a terminal are associated in advance, and based on the received user identification information, the terminal identification information associated with the user identification information is obtained, thereby enabling the user to identifying the terminal owned by the user identified by identification information ;
the terminal identified by the terminal identification information has a management function of the terminal itself, and transmitting a response request for the management function to the identified terminal;
authenticating the user possessing the terminal in response to a response from the terminal based on the response request;
and presenting to the user an authentication result obtained by the authenticating step ;
in the step of transmitting the response request to the terminal, transmitting response request identification information associated with the user identification information and unique to the response request to the terminal;
The information processing apparatus , wherein in the step of authenticating the user, the user possessing the terminal is authenticated based on the response request identification information . A computer implemented method comprising a processor and memory, comprising:
The processor
accepting user identification information unique to the user;
The user identification information and terminal identification information unique to a terminal are associated in advance, and based on the received user identification information, the terminal identification information associated with the user identification information is obtained, thereby enabling the user to identifying the terminal owned by the user identified by identification information ;
the terminal identified by the terminal identification information has a management function of the terminal itself, and transmitting a response request for the management function to the identified terminal;
authenticating the user possessing the terminal in response to a response from the terminal based on the response request;
and presenting to the user an authentication result obtained by the authenticating step ;
in the step of transmitting the response request to the terminal, transmitting response request identification information associated with the user identification information and unique to the response request to the terminal;
The method of authenticating the user, authenticating the user possessing the terminal based on the response request identification information . means for accepting user identification information unique to a user;
The user identification information and terminal identification information unique to a terminal are associated in advance, and based on the received user identification information, the terminal identification information associated with the user identification information is obtained, thereby enabling the user to means for identifying the terminal owned by the user identified by identification information ;
the terminal identified by the terminal identification information has a management function of the terminal itself, means for transmitting a response request for the management function to the identified terminal;
means for authenticating the user possessing the terminal in response to a response from the terminal based on the response request;
means for presenting to the user an authentication result obtained by the authenticating means ;
sending, in the means for transmitting the response request to the terminal, response request identification information associated with the user identification information and unique to the response request to the terminal;
A system , wherein the means for authenticating the user authenticates the user possessing the terminal based on the response request identification information .

Images