WO2009107219A1 - Authentication device, authentication method, and authentication program implementing the method - Google Patents
- Publication number
- WO2009107219A1 (PCT/JP2008/053548)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- application
- authentication
- cooperation
- unit
- applications
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0884—Network architectures or network communication protocols for network security for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/41—User authentication where a single sign-on provides access to a plurality of computers
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0815—Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
Definitions
- the present invention relates to a single sign-on technique in an authentication device.
- a general HTML (HyperText Markup Language) browser can perform session management when connecting to the same site (realized, for example, using a technology such as Cookie specified in RFC (Request for Comments) 2965). Further, when an HTML browser connects to a plurality of sites, some processing must be executed on the plurality of servers that provide those sites. For example, connection to a plurality of sites can be realized by performing session management on the server side (for example, see Patent Document 1).
- BML: Broadcast Markup Language
- HTML: HyperText Markup Language
- apparatuses equipped with a plurality of browsers such as an HTML browser and a browser for a personal computer (a so-called full browser).
- the present invention has been made based on the above-described problems, and provides an authentication device that performs single sign-on between applications in a client device, an authentication method, and an authentication program that implements the method.
- the present invention provides an authentication apparatus in which a plurality of applications for performing single sign-on to a server apparatus are installed and which has a client function in a network, the authentication apparatus including a cooperation ID sharing means for sharing, among the plurality of applications, a cooperation ID indicating the connection between the authentication apparatus having the client function and the server apparatus.
- single sign-on can be performed between a plurality of applications in an authentication apparatus in which a plurality of applications are installed.
- the cooperation ID sharing means may have: an SV information management unit that stores the cooperation ID in an SV information storage unit; an AP information management unit that stores, in an AP information storage unit, connection information between applications that includes, for at least one application among the plurality of applications, the application name of an application different from that application; and an AP determination unit that determines whether the application name included in a received cooperation ID request is stored in the AP information storage unit and, when it is stored, acquires the cooperation ID from the SV information storage unit and returns the cooperation ID to the transmission source of the cooperation ID request.
- the cooperation ID can be returned only to the application stored in the AP information management unit, and the applications sharing the cooperation ID can be limited.
- the SV information management unit, the AP information management unit, and the AP determination unit may be shared among the plurality of applications. Thereby, cooperation ID can be managed in a common part between several applications.
- the server device may include a single sign-on function providing unit that issues the cooperation ID, and the authentication device may include means for transmitting an authentication request to the single sign-on function providing unit and means for receiving the cooperation ID from the single sign-on function providing unit when the single sign-on function providing unit successfully authenticates the authentication request.
- the present invention may also be configured as an authentication method in which a plurality of applications are installed in a device having a client function in a network and the installed applications perform single sign-on to a server device, the method having a cooperation ID sharing step of sharing, among the plurality of applications, a cooperation ID indicating the connection between the authentication device having the client function and the server device.
- the cooperation ID sharing step may have: an SV information management step of storing the cooperation ID in an SV information storage unit; an AP information management step of storing, in the AP information storage unit, connection information between applications that includes, for at least one application of the plurality of applications, the application name of an application different from that application; and an AP determination step of determining whether the application name included in the received cooperation ID request is stored in the AP information storage unit and, when the application name is stored in the AP information storage unit, acquiring the cooperation ID from the SV information storage unit and returning the cooperation ID to the transmission source of the cooperation ID request.
- the SV information management step, the AP information management step, and the AP determination step may be used in common among the plurality of applications.
- the present invention can also be configured as a program that causes a computer to function as each functional unit of the authentication device.
- single sign-on can be performed between a plurality of applications in an authentication apparatus in which a plurality of applications are installed.
- since single sign-on need not be performed separately for each application, user convenience can be improved.
- the present invention can also contribute to the network service technology field.
- the block diagram of the authentication apparatus in this embodiment.
- the figure which shows an example of the initial registration process of the AP information management unit in this embodiment.
- the figure which shows an example of a process until account cooperation is performed in the structure shown in FIG.
- the block diagram when the application side authentication function part in this embodiment is placed outside the application and shared among a plurality of applications.
- the authentication system of the present embodiment basically includes a client device (that is, an authentication device in the present embodiment; for example, a personal computer) 1, a server device (for example, a server computer) 2, and a communication line (for example, a network such as the Internet) connecting the client device 1 and the server device 2.
- applications A and B are installed in the client device 1 in FIG.
- the applications A and B are browser applications that interpret and execute different structured languages.
- the application A is a BML browser and the application B is an HTML browser.
- each of applications A and B is provided with an SV (Server) information management unit, an AP (Application) information management unit, an AP activation unit, an AP determination unit, and an AP information registration unit as a common application-side authentication function unit.
- the authentication function unit provided for application A includes an SV information management unit Aa, an AP information management unit Ab, an AP activation unit Ac, an AP determination unit Ad, and an AP information registration unit Ae.
- the authentication function unit provided for application B includes an SV information management unit Ba, an AP information management unit Bb, an AP activation unit Bc, an AP determination unit Bd, and an AP information registration unit Be.
- the application-side authentication function unit may be provided inside the application.
- the application-side authentication function unit may be provided in the client device separately from the application as shown in FIG. 1, or the application itself may have both its original function as an application (such as a browser) and the application-side authentication function, and that application may be provided in the client device.
- Each of the SV information management units Aa and Ba is a functional unit that manages a cooperation ID (information indicating a connection between the client device 1 and the server device 2) issued from the server device 2.
- Each of the SV information management units Aa and Ba manages the linkage ID using, for example, a predetermined storage unit in a storage device (for example, a memory or a hard disk device) provided in advance in the client device 1. That is, each of the SV information management units Aa and Ba has a storage unit that stores the cooperation ID.
- the SV information management unit managing the cooperation ID includes storing the cooperation ID received from the outside in the storage unit or reading the cooperation ID from the storage unit based on an external request.
- AP information management units Ab and Bb are functional units that manage connection information between applications (for example, between applications A and B).
- the connection information to be set is application information, and includes, for example, an application name, application position information, access right information, application type, and the like.
- Each of the AP information management units Ab and Bb manages connection information using a predetermined storage unit in a storage device provided in advance in the client device 1. That is, each of the AP information management units Ab and Bb has a storage unit that stores connection information.
- the AP information management unit managing the connection information between applications includes storing the connection information received from the outside in the storage unit, or reading the connection information from the storage unit based on the request.
- connection information may be different for each application.
- the client device 1 may perform authentication or the like in consideration of security or the like when setting the connection information.
- the AP information management unit may be provided for each application, or the client device may include one AP information management unit, and the AP information management unit may manage a plurality of applications collectively.
- Each of the AP activation units Ac and Bc is a functional unit that activates an application other than the running application that receives the request in response to a request transmitted from the server device 2. That is, in the client device 1, the AP activation unit Ac activates the application B, and the AP activation unit Bc activates the application A.
- Each of the AP determination units Ad and Bd is a functional unit that determines whether an application other than the corresponding application has already been registered for the corresponding application. That is, the AP determination unit Ad determines whether the application B has been registered with the application A, and the AP determination unit Bd determines whether the application A has been registered with the application B.
- AP information registration units Ae and Be are interface function units for registering application information.
- an operation executed by an application is an operation based on a function realized by executing an application program on a client device that is a computer.
- the server device 2 includes an authentication information management unit 2a, a linkage ID management unit 2b, an authentication unit 2c, an ID search unit 2d, a reception unit 2e, and a content unit 2f.
- the authentication information management unit 2a is a functional unit used when the authentication information is held in the own server.
- the cooperation ID management unit 2b has a function of issuing a cooperation ID (information indicating a connection between the client device 1 and the server device 2), and is a functional unit that manages the cooperation ID.
- the authentication unit 2c is a functional unit that determines whether or not the requesting client device 1 has been authenticated, using an authentication mechanism in its own server (for example, the authentication unit 2c) or, when the server device 2 uses an external authentication mechanism, by querying the external authentication mechanism, and returns the result.
- the ID search unit 2d is a functional unit that inquires the cooperation ID management unit 2b about the cooperation ID based on the cooperation ID request and returns the result.
- the reception unit 2e is a functional unit that distributes a request message to the authentication unit 2c or the content unit 2f in response to a request.
- the content unit 2f is a functional unit that provides content in response to a request.
- a screen for requesting registration from the user is displayed by the AP information registration unit (S101), and the user inputs the items to be set into the client device 1, thereby setting, for each application, the list of applications that can be used (S102).
- a list of applications that can be linked is created by the processing of steps S101 and S102.
- the registered contents include, for example, an application name, application position information (for example, an application storage position (file path) in the client apparatus 1), access right information, and application type.
- the application B is registered as an application that can cooperate with the application A.
- the name of the application B, the position information of the application B, the access right information of the application B, the application type of the application B, and the like are registered.
- the application A is registered as an application that can cooperate with the application B.
- the name of application A, location information of application A, access right information of application A, application type of application A, and the like are registered. It is not necessary to register application information for all applications, and application information related to at least one application may be registered as necessary.
- the registration is performed so that the application B and the application C (not shown) can be used.
- when the application A receives access (such as when a cooperation ID request is received), the partner application to which it may reply is registered as the application B.
- when application A is registered for application B, it means that application B may reply to application A when accessed from application A. Further, the fact that application A is registered for application B also means that application B can access application A in order to obtain a cooperation ID.
- the application type is an identifier for identifying the processing content of the application. For example, by registering the application type of the application A for still image processing using the "<image>" tag, the application A can be started by specifying the "<image>" tag. Alternatively, if the application type is not specified in the tag, the AP activation unit is activated by designating the application type as an application activation parameter.
- the setting file (registration information stored in the AP information management unit) can be rewritten.
- You may have a configuration file for each registered application.
- There may be a countermeasure such as authenticating at the time of registration so that it cannot be rewritten from the outside without permission.
- There may be a mechanism for automatically setting the other application when registration is performed by one application.
- the cooperation ID is shared among a plurality of applications by using the SV information management unit, the AP information management unit, and the AP determination unit.
- a screen request message is issued from the requesting client device 1 to the server device 2.
- the server device 2 receives the screen (content) request message (S201). If the client device 1 and the server device 2 are linked at this point, the request message includes a linkage ID.
- the server device 2 searches for the cooperation ID corresponding to the client device 1 from the cooperation ID management unit 2b using the ID search unit 2d, and the search result is used to determine the presence or absence of a linkage ID (S202).
- if the cooperation ID management unit 2b has the cooperation ID, the process proceeds to step S203. If there is no linkage ID, the process proceeds to step S205.
- in step S203, the authentication unit 2c confirms the authentication state of the client device 1 with the authentication information management unit 2a. If the client device 1 has been authenticated, the process proceeds to step S204. If the client device 1 is not authenticated, the process proceeds to step S205.
- in step S204, the server apparatus 2 acquires the requested screen from the content unit 2f and returns it to the client apparatus 1.
- in step S205, the authentication unit 2c of the server device 2 returns an authentication request to the client device 1, and proceeds to step S206.
- in step S206, the authentication unit 2c of the server device 2 receives authentication information (for example, a login message) from the client device 1.
- the authentication unit 2c of the server device 2 performs an authentication process using the received authentication information (S207). If the authentication is successful, the process proceeds to step S204. If the authentication fails, the process returns to step S205.
- FIG. 4 shows a system configuration on the server side in this example.
- a single sign-on function providing server 10 for realizing single sign-on and a service providing server 20 for providing services such as a content service are provided as a server-side device.
- a system including the single sign-on function providing server 10 and the service providing server 20 may be referred to as a server device.
- the single sign-on function providing server 10 may also provide services such as content service provision.
- processing for the single sign-on function providing server 10 to provide services such as content service provision is not shown.
- the account information of the user of the client device 1 for the single sign-on function providing server is registered in the single sign-on function providing server 10, and the user account information for the service providing server is registered in the service providing server 20.
- the client device 1 logs in to the single sign-on function providing server 10 by accessing the single sign-on function providing server 10 and transmitting account information to the single sign-on function providing server 10 based on a user operation.
- when the authentication is successful, the single sign-on function providing server 10 stores information indicating that authentication by the single sign-on function providing server 10 has succeeded, and identification information for identifying the single sign-on function providing server 10, together with the user account information, and transmits the information to the client device 1 (step S502).
- the information is stored in the storage unit in the SV information management unit.
- This information is information stored so that only the application currently executed in the client device 1 can be used when the function according to the present invention is not used.
- This information is information indicating the connection between the client device 1 and the single sign-on function providing server 10, and is information corresponding to the cooperation ID described so far. Hereinafter, this information is referred to as a linkage ID.
- the client device 1 accesses the service providing server 20 and logs in to the service providing server 20 by transmitting account information (step S503).
- the service providing server 20 performs authentication (initial authentication in the service providing server 20) and succeeds in authentication.
- the login information includes a linkage ID, and the service providing server 20 identifies the single sign-on function providing server 10 by referring to the linkage ID and transmits to the client apparatus 1 a screen asking the user whether to link accounts with the single sign-on function providing server 10 (step S504).
- when the user of the client device 1 permits account linkage, information to that effect is transmitted from the client device 1 to the service providing server 20 (step S505). Thereafter, account cooperation processing is performed between the service providing server 20 and the single sign-on function providing server 10 (step S506).
- the single sign-on function providing server 10 holds the user's account information in the single sign-on function providing server 10 and the user identifier in association with each other, and the service providing server 20 likewise stores a user identifier in association.
- the client device 1 may proceed to a process for using the service of the service providing server 20 or may access another site.
- FIG. 6 shows an example of processing until the client device 1 receives a service from the service providing server 20 when the user authentication is completed by the service providing server 20 as described above and account linkage is completed.
- the processing here is processing related to so-called single sign-on. By simply logging into the single sign-on function providing server 10, the user can receive the service at the service providing server 20 without performing login authentication with the service providing server 20.
- in step S601 of FIG. 6, the client apparatus 1 logs in to the single sign-on function providing server 10 in the same manner as the process of step S501 of FIG. Then, similarly to step S502 in FIG. 5, the cooperation ID is returned from the single sign-on function providing server 10 to the client device 1 (step S602).
- a link to the service providing server 20 is described on a screen displayed on the client device 1 by the single sign-on function providing server 10, and by selecting the link, the client device 1 accesses the service providing server 20 (step S603).
- the information transmitted from the client device 1 to the service providing server 20 includes a cooperation ID, and the service providing server 20 transmits to the client device 1 a redirect request instructing it to transmit an authentication request to the single sign-on function providing server 10 identified by the cooperation ID (step S604).
- the client device 1 that has received the redirect request transmits an authentication request including the cooperation ID to the single sign-on function providing server 10 (step S605).
- the single sign-on function providing server 10 identifies the user account by the linkage ID, acquires the user identifier (a pseudonym), and sends authentication assertion information indicating that the authentication has been confirmed, including the user identifier, to the service providing server 20 via the client device 1 (steps S606 and S607). The service providing server 20 confirms that the user is authenticated by the authentication assertion information, and starts providing the service (step S608).
- the client device 1 transmits the authentication request to the single sign-on function providing server 10 and receives the cooperation ID when the single sign-on function providing server 10 successfully authenticates the authentication request.
- the client apparatus 1 logs in the single sign-on function providing server 10 using the application A and acquires the cooperation ID.
- the linkage ID is managed by the SV information management unit corresponding to the application A.
- the application B that can use the service is activated, and the application B acquires the cooperation ID from the application A side.
- the application B accesses the service providing server 20 so that the application B can receive the service without performing login authentication to the service providing server 20.
- the application B may be activated by the application A in some cases.
- the single sign-on method applicable to the present invention is not limited to the method described so far.
- the single sign-on method applicable to the present invention may be any method that performs single sign-on using information indicating the connection between the client apparatus 1 and the server side.
- when the application B is started by the application A as described above, it is assumed that the application B can determine the starting application A. Then, when the application B needs the cooperation ID, the application B shall notify a cooperation ID request to the application that has been authenticated with the server apparatus 2 (that is, the application A that has already obtained the cooperation ID from the server apparatus 2).
- the AP determination unit Ad corresponding to the application A installed in the client device 1 receives the cooperation ID request from the application B side (S301).
- the application B itself may have a function of sending a cooperation ID request, or may have a function of sending a cooperation ID request in the application-side authentication function unit of the application B.
- the AP determination unit Ad determines whether or not the application B has been registered based on the received cooperation ID request (S302). For example, if the application name (that is, the application name of application B) included in the cooperation ID request is registered in the AP information management unit Ab, the AP determination unit Ad considers that the application B has been registered.
- otherwise, the application B is regarded as unregistered. If it is registered (that is, the request is a request from a registered application (for example, application B)), the AP determination unit Ad notifies the SV information management unit Aa of the search request, and the process proceeds to step S303. If it is unregistered (that is, the cooperation ID request is a request from an unregistered application), the processing is terminated or an error is returned. In the case of error return, for example, the AP determination unit Ad notifies the application B of the error, and the application B displays a message indicating the error.
- in step S303, the AP determination unit Ad returns the result of the search request (for example, the cooperation ID) to the requesting application (for example, application B).
- the application B that has received the cooperation ID stores it in the storage unit in the SV information management unit Ba and transmits the cooperation ID to the server device 2; when an authenticated result is returned from the server device 2, the sign-on is completed.
- the application-side authentication function unit (that is, the SV information management unit, the AP information management unit, the AP determination unit, the AP activation unit, and the AP information registration unit) may not be provided for each application.
- all the function units of the application side authentication function unit are placed outside the application. However, only a part of the application side authentication function may be placed outside the application, with the rest placed inside the application.
- the SV information management unit, the AP information management unit, the AP determination unit, and the cooperation ID are shared among a plurality of applications.
- the storage unit in the SV information management unit stores a cooperation ID for each application
- the storage unit of the AP information management unit stores application information for each application.
- when the AP determination unit receives the cooperation ID request from the application B, the application information is acquired by searching an area corresponding to the application A in the storage unit of the AP information management unit.
- the subsequent processing is the same as the processing described above.
- the SV information management unit, the AP information management unit, and the AP determination unit may be provided in another application (for example, only in the application A of the application A and the application B), and the other applications may carry out the procedures and communication concerning the cooperation ID with that application.
- applications A and B are installed in the client device 1 in FIG.
- the client apparatus 1 can be a set top box.
- the applications A and B are browser applications that interpret and execute different structured languages.
- the application A is an HTML browser
- the application B is a BML browser.
- an external memory such as an IC (Integrated Circuit) card, an SD (Secure Digital) memory card, or an internal memory area of a JAVA (registered trademark) application, etc.
- a part or all of the functions of each unit in the authentication system and the authentication device in the above embodiment can be configured by a computer program, and the present invention can be realized by executing the program using a computer.
- the procedure of the process regarding the authentication system and authentication apparatus in the said embodiment can be comprised by the program of a computer, and the computer can be made to run the program.
- single sign-on can be realized even in the communication between the BML browser and the HTML browser, which are existing broadcast service applications, and thus the convenience of the user is improved.
- each of the SV information management unit and the AP information management unit can be realized by a general-purpose database.
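The cooperation ID request handling of steps S301 to S303, together with the registration of S101/S102, as an added Python sketch; it is not code from the patent. The class and field names, the request dictionary layout, the sample cooperation ID and file paths, and the error raised when no cooperation ID is held yet are assumptions made for illustration.

```python
"""Added sketch of the S301-S303 cooperation ID hand-off between two applications."""
from dataclasses import dataclass, field
from typing import Dict, Optional


class CooperationIdError(Exception):
    """Error returned to the requesting application instead of a cooperation ID."""


@dataclass(frozen=True)
class APInfo:
    """One registration entry (S101/S102) with the fields the description lists."""
    name: str          # application name
    location: str      # application position information (file path)
    access_right: str  # access right information (stored only; not interpreted here)
    app_type: str      # application type


@dataclass
class AppSideAuth:
    """Application-side authentication function unit of one application (hypothetical name)."""
    owner: str
    _cooperation_id: Optional[str] = None                         # SV information storage unit
    _registered: Dict[str, APInfo] = field(default_factory=dict)  # AP information storage unit

    def register(self, info: APInfo) -> None:
        """AP information registration unit: add an application that may cooperate."""
        self._registered[info.name] = info

    def store_cooperation_id(self, cooperation_id: str) -> None:
        """SV information management unit: keep the ID issued by the server."""
        self._cooperation_id = cooperation_id

    @property
    def cooperation_id(self) -> Optional[str]:
        return self._cooperation_id

    def handle_request(self, request: Dict[str, str]) -> str:
        """AP determination unit: S301 receive, S302 check registration, S303 reply."""
        requester = request.get("application_name", "")            # S301
        # S302: the decision uses the application name carried in the request,
        # which is the check the description specifies.
        if requester not in self._registered:
            raise CooperationIdError(f"{requester!r} is not registered with {self.owner!r}")
        # Assumption: an empty SV information storage unit is also answered with an error.
        if self._cooperation_id is None:
            raise CooperationIdError(f"{self.owner!r} holds no cooperation ID")
        return self._cooperation_id                                 # S303

    def obtain_from(self, peer: "AppSideAuth") -> str:
        """Requesting side: ask the peer, then store the reply in the own SV storage."""
        cooperation_id = peer.handle_request({"application_name": self.owner})
        self.store_cooperation_id(cooperation_id)
        return cooperation_id


def demo() -> Dict[str, str]:
    """Run the flow with constructed sample values and report each outcome."""
    app_a, app_b, app_c = AppSideAuth("A"), AppSideAuth("B"), AppSideAuth("C")
    # S101/S102: application B is registered as able to cooperate with application A.
    app_a.register(APInfo("B", "/opt/apps/html_browser", "read", "html"))
    outcome = {}

    # Before application A has logged in there is nothing to hand over.
    try:
        app_b.obtain_from(app_a)
    except CooperationIdError:
        outcome["before_login"] = "error"

    # Application A logs in and stores the cooperation ID (constructed value).
    app_a.store_cooperation_id("coop-id-constructed-0001")
    outcome["registered_B"] = app_b.obtain_from(app_a)

    # Application C was never registered with A, so its request is refused.
    try:
        app_c.obtain_from(app_a)
    except CooperationIdError:
        outcome["unregistered_C"] = "error"
    return outcome


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```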
Landscapes
- Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- Computing Systems (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Information Transfer Between Computers (AREA)
Abstract
Description
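2…Server device
2a…Authentication information management unit
2b…Cooperation ID management unit
2c…Authentication unit
2d…ID search unit
2e…Reception unit
2f…Content unit
10…Single sign-on function providing server
20…Service providing server
A, B…Applications
Aa, Ba, a…SV information management unit
Ab, Bb, b…AP information management unit
Ac, Bc, c…AP activation unit
Ad, Bd, d…AP determination unit
Ae, Be, e…AP information registration unit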
Claims (11)
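- An authentication device having a client function in a network, on which a plurality of applications that perform single sign-on to a server device are installed, the authentication device comprising:
cooperation ID sharing means for sharing, among the plurality of applications, a cooperation ID indicating a link between the authentication device having the client function and the server device.
- The authentication device according to claim 1, wherein the cooperation ID sharing means comprises:
an SV information management unit that stores the cooperation ID in an SV information storage unit;
an AP information management unit that stores, in an AP information storage unit, for at least one of the plurality of applications, inter-application link information including the application name of an application different from that application; and
an AP determination unit that determines whether the application name included in a received cooperation ID request is stored in the AP information storage unit and, if the application name is stored in the AP information storage unit, obtains the cooperation ID from the SV information storage unit and returns the cooperation ID to the sender of the cooperation ID request.
- The authentication device according to claim 2, wherein the SV information management unit, the AP information management unit, and the AP determination unit are shared among the plurality of applications.
- The authentication device according to any one of claims 1 to 3, wherein the server device includes a single sign-on function providing unit that issues the cooperation ID, and the authentication device comprises:
means for transmitting an authentication request to the single sign-on function providing unit; and
means for receiving the cooperation ID from the single sign-on function providing unit when authentication of the authentication request succeeds in the single sign-on function providing unit.
- An authentication method in which a plurality of applications are installed on a device having a client function in a network and the installed plurality of applications perform single sign-on to a server device, the authentication method comprising:
a cooperation ID sharing step of sharing, among the plurality of applications, a cooperation ID indicating a link between the authentication device having the client function and the server device.
- The authentication method according to claim 5, wherein the cooperation ID sharing step comprises:
an SV information management step of storing the cooperation ID in an SV information storage unit;
an AP information management step of storing, in an AP information storage unit, for at least one of the plurality of applications, inter-application link information including the application name of an application different from that application; and
an AP determination step of determining whether the application name included in a received cooperation ID request is stored in the AP information storage unit and, if the application name is stored in the AP information storage unit, obtaining the cooperation ID from the SV information storage unit and returning the cooperation ID to the sender of the cooperation ID request.
- The authentication method according to claim 6, comprising a step of using the SV information management step, the AP information management step, and the AP determination step in common among the plurality of applications.
- The authentication method according to any one of claims 5 to 7, wherein the server device includes a single sign-on function providing unit that issues the cooperation ID, and the authentication method comprises:
a step of transmitting an authentication request to the single sign-on function providing unit; and
a step of receiving the cooperation ID from the single sign-on function providing unit when authentication of the authentication request succeeds in the single sign-on function providing unit.
- A program for causing a computer having a client function in a network, on which a plurality of applications that perform single sign-on to a server device are installed, to function as:
cooperation ID sharing means for sharing, among the plurality of applications, a cooperation ID indicating a link between the computer having the client function and the server device.
- The program according to claim 9, wherein the computer has an SV information storage unit that stores the cooperation ID, and an AP information storage unit that stores, for at least one of the plurality of applications, inter-application link information including the application name of an application different from that application, and
the cooperation ID sharing means
has an AP determination unit that determines whether the application name included in a received cooperation ID request is stored in the AP information storage unit and, if the application name is stored in the AP information storage unit, obtains the cooperation ID from the SV information storage unit and returns the cooperation ID to the sender of the cooperation ID request.
- The program according to claim 9 or 10, wherein the server device includes a single sign-on function providing unit that issues the cooperation ID, and the program further causes the computer to function as:
means for transmitting an authentication request to the single sign-on function providing unit; and
means for receiving the cooperation ID from the single sign-on function providing unit when authentication of the authentication request succeeds in the single sign-on function providing unit.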
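The AP determination described in claims 2, 6 and 10, sketched as an added Python example (it is not code from the patent or its applicant). The class and method names, the request fields `app_name` and `server`, and all sample values are assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class CooperationIdSharer:
    """Constructed model of one application's SV/AP stores and AP determination unit."""
    app_name: str
    sv_info: dict = field(default_factory=dict)  # SV information storage: server -> cooperation ID
    ap_info: set = field(default_factory=set)    # AP information storage: linked application names

    def register_link(self, peer_name: str) -> None:
        # The claims store the name of an application *different from* this one.
        if peer_name == self.app_name:
            raise ValueError("link information must name a different application")
        self.ap_info.add(peer_name)

    def store_cooperation_id(self, server: str, cooperation_id: str) -> None:
        # Called after the single sign-on function provider has authenticated this client.
        self.sv_info[server] = cooperation_id

    def handle_request(self, request: dict) -> dict:
        """AP determination: release the cooperation ID only to a registered application name."""
        name = request.get("app_name")
        server = request.get("server")
        # Assumption: the platform has already bound `name` to the real caller;
        # the claims themselves only specify a lookup of the name.
        if not isinstance(name, str) or name not in self.ap_info:
            return {"status": "denied", "reason": "application not registered"}
        cooperation_id = self.sv_info.get(server) if isinstance(server, str) else None
        if cooperation_id is None:
            return {"status": "denied", "reason": "no cooperation ID for server"}
        return {"status": "ok", "cooperation_id": cooperation_id}


def demo() -> list:
    # Constructed scenario: application A (HTML browser) holds the stores,
    # application B (BML browser) is linked, application C is not.
    a = CooperationIdSharer("application-A")
    a.register_link("application-B")
    before = a.handle_request({"app_name": "application-B", "server": "sso.example"})
    a.store_cooperation_id("sso.example", "COOP-ID-CONSTRUCTED-0001")
    linked = a.handle_request({"app_name": "application-B", "server": "sso.example"})
    unlinked = a.handle_request({"app_name": "application-C", "server": "sso.example"})
    return [before, linked, unlinked]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The first request is refused because no cooperation ID has been stored yet, which corresponds to the state before the authentication request of claims 4, 8 and 11 has succeeded.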
Priority Applications (5)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
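JP2010500494A JP4729651B2 (ja) | 2008-02-28 | 2008-02-28 | Authentication device, authentication method, and authentication program implementing the method |
PCT/JP2008/053548 WO2009107219A1 (ja) | 2008-02-28 | 2008-02-28 | Authentication device, authentication method, and authentication program implementing the method |
CN2008801276083A CN101960462B (zh) | 2008-02-28 | 2008-02-28 | Authentication device and authentication method |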
EP08712119.0A EP2249277B1 (en) | 2008-02-28 | 2008-02-28 | Authentication device, authentication method, and authentication program with the method mounted thereon |
US12/919,971 US8726356B2 (en) | 2008-02-28 | 2008-02-28 | Authentication apparatus, authentication method, and authentication program implementing the method |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/JP2008/053548 WO2009107219A1 (ja) | 2008-02-28 | 2008-02-28 | Authentication device, authentication method, and authentication program implementing the method |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2009107219A1 (ja) | 2009-09-03 |
Family
ID=41015633
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2008/053548 WO2009107219A1 (ja) | Authentication device, authentication method, and authentication program implementing the method | 2008-02-28 | 2008-02-28 |
Country Status (5)
Country | Link |
---|---|
US (1) | US8726356B2 (ja) |
EP (1) | EP2249277B1 (ja) |
JP (1) | JP4729651B2 (ja) |
CN (1) | CN101960462B (ja) |
WO (1) | WO2009107219A1 (ja) |
Families Citing this family (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102625297B (zh) * | 2011-01-27 | 2016-01-13 | 腾讯科技(深圳)有限公司 | Identity management method and apparatus for mobile terminals |
US9413750B2 (en) * | 2011-02-11 | 2016-08-09 | Oracle International Corporation | Facilitating single sign-on (SSO) across multiple browser instance |
CN103188221B (zh) * | 2011-12-28 | 2018-01-30 | 腾讯科技(深圳)有限公司 | Application login method, apparatus, and mobile terminal |
JP6127610B2 (ja) * | 2013-03-14 | 2017-05-17 | 株式会社リコー | Terminal device, application, and information transmission method |
CN103634316A (zh) * | 2013-11-26 | 2014-03-12 | 乐视网信息技术(北京)股份有限公司 | Account login method and electronic device |
KR102250867B1 (ko) * | 2014-03-19 | 2021-05-12 | (주)원더피플 | Method for performing login to an application and server therefor |
CN104601590B (zh) * | 2015-01-30 | 2018-02-27 | 网易(杭州)网络有限公司 | Login method, server, and mobile terminal |
JP7020384B2 (ja) * | 2018-11-29 | 2022-02-16 | 日本電信電話株式会社 | Application operation control device, application operation control method, and application operation control program |
CN112769826B (zh) * | 2021-01-08 | 2023-05-12 | 深信服科技股份有限公司 | Information processing method, apparatus, device, and storage medium |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
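JP2006031064A (ja) * | 2004-07-12 | 2006-02-02 | Hitachi Ltd | Session management system and management method |
JP2006178887A (ja) * | 2004-12-24 | 2006-07-06 | Nomura Research Institute Ltd | User terminal device and method for inheriting data between Web applications |
JP2007058391A (ja) * | 2005-08-23 | 2007-03-08 | Nippon Telegr & Teleph Corp <Ntt> | Authentication method in a broadcast-communication cooperation service, authentication cooperation device, program therefor, and recording medium for the program |
JP2008059038A (ja) * | 2006-08-29 | 2008-03-13 | Nippon Telegr & Teleph Corp <Ntt> | Authentication device, authentication method, and authentication program implementing the method |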
Family Cites Families (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5689638A (en) * | 1994-12-13 | 1997-11-18 | Microsoft Corporation | Method for providing access to independent network resources by establishing connection using an application programming interface function call without prompting the user for authentication data |
US5892900A (en) * | 1996-08-30 | 1999-04-06 | Intertrust Technologies Corp. | Systems and methods for secure transaction management and electronic rights protection |
EP1018689A3 (en) * | 1999-01-08 | 2001-01-24 | Lucent Technologies Inc. | Methods and apparatus for enabling shared web-based interaction in stateful servers |
US7089563B2 (en) * | 2000-12-01 | 2006-08-08 | Cisco Technology, Inc. | Methods and apparatus for exchanging information between browser pages |
GB2390456A (en) * | 2001-04-16 | 2004-01-07 | Porto Ranelli S A | Method for integrating electronic mail and worldwide web communications with a user |
JP2002335239A (ja) | 2001-05-09 | 2002-11-22 | Nippon Telegr & Teleph Corp <Ntt> | Single sign-on authentication method and system apparatus |
US7610390B2 (en) * | 2001-12-04 | 2009-10-27 | Sun Microsystems, Inc. | Distributed network identity |
US7221935B2 (en) * | 2002-02-28 | 2007-05-22 | Telefonaktiebolaget Lm Ericsson (Publ) | System, method and apparatus for federated single sign-on services |
US20060218629A1 (en) * | 2005-03-22 | 2006-09-28 | Sbc Knowledge Ventures, Lp | System and method of tracking single sign-on sessions |
US8214394B2 (en) * | 2006-03-01 | 2012-07-03 | Oracle International Corporation | Propagating user identities in a secure federated search system |
EP1997293A2 (en) * | 2006-03-22 | 2008-12-03 | Axalto SA | A method of securely login to remote servers |
US7991830B2 (en) * | 2007-02-28 | 2011-08-02 | Red Hat, Inc. | Multiple sessions between a server and multiple browser instances of a browser |
US20080281921A1 (en) * | 2007-05-08 | 2008-11-13 | Yahoo! Inc. | Systems and methods for inter-domain messaging |
US20090077638A1 (en) * | 2007-09-17 | 2009-03-19 | Novell, Inc. | Setting and synching preferred credentials in a disparate credential store environment |
US8849914B2 (en) * | 2007-12-20 | 2014-09-30 | The Vanguard Group, Inc. | System and method for synchronized co-browsing by users in different web sessions |
-
2008
- 2008-02-28 WO PCT/JP2008/053548 patent/WO2009107219A1/ja active Application Filing
- 2008-02-28 CN CN2008801276083A patent/CN101960462B/zh active Active
- 2008-02-28 US US12/919,971 patent/US8726356B2/en active Active
- 2008-02-28 JP JP2010500494A patent/JP4729651B2/ja active Active
- 2008-02-28 EP EP08712119.0A patent/EP2249277B1/en active Active
Non-Patent Citations (4)
Title |
---|
"Ninsho Renkei · Ichigenka ni Kansuru Kiban Gijutsu Doko Oyobi System Jirei Chosa", PKI-J JOURNAL, 2007 (LAST ISSUE), [ONLINE], JAPAN PKI FORUM, March 2007 (2007-03-01), pages 4, 71 - 77, Retrieved from the Internet <URL:http://www.japanpkiforum.jp/journal/journal_07/journal2007.pdf> [retrieved on 20081114] * |
FUJII A.: "Digital Hoso Jushinki ni Okeru Ninsho Renkei", NENDO DAI 3 KAI SEMINAR SHIRYO, [ONLINE], JAPAN PKI FORUM, 2007, Retrieved from the Internet <URL:http://www.japanpkiforum.jp/seminar/listseminar.htm> [retrieved on 20081114] * |
MAJIMA K.: "Keitai Tanmatsu Muke Service no Kenkyu Doko", NHK SCIENCE AND TECHNICAL RESEARCH LABORATORIES R&D REPORT, NO.101, 15 January 2007 (2007-01-15), pages 16 - 27, XP001526201 * |
NAGANO I.: "Identity Kanri no Genzai to Mirai", OPEN ENTERPRISE MAGAZINE, vol. 5, no. 10, 1 October 2007 (2007-10-01), pages 56 - 59 * |
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2012084081A (ja) * | 2010-10-14 | 2012-04-26 | Canon Inc | Information processing apparatus, control method therefor, and program |
CN102622270A (zh) * | 2011-01-26 | 2012-08-01 | 腾讯科技(深圳)有限公司 | Application switching management method and terminal |
JP2013125410A (ja) * | 2011-12-14 | 2013-06-24 | Fujitsu Ltd | Authentication processing program, authentication processing method, and authentication processing apparatus |
JP2014010532A (ja) * | 2012-06-28 | 2014-01-20 | Konica Minolta Inc | Authentication control device, authentication system, and program |
JP5485484B1 (ja) * | 2013-08-22 | 2014-05-07 | 楽天株式会社 | Information processing apparatus, information processing method, program, and storage medium |
JP5485485B1 (ja) * | 2013-08-22 | 2014-05-07 | 楽天株式会社 | Information processing apparatus, information processing method, program, and storage medium |
KR20180131586A (ko) * | 2016-07-12 | 2018-12-10 | 휴렛-팩커드 디벨롭먼트 컴퍼니, 엘.피. | Credential for a service |
KR102140921B1 (ko) * | 2016-07-12 | 2020-08-05 | 휴렛-팩커드 디벨롭먼트 컴퍼니, 엘.피. | Credential for a service |
US11176238B2 (en) | 2016-07-12 | 2021-11-16 | Hewlett-Packard Development Company, L.P. | Credential for a service |
JP2018049416A (ja) * | 2016-09-21 | 2018-03-29 | 京セラドキュメントソリューションズ株式会社 | Authentication system and authentication method |
JP7096939B1 (ja) * | 2021-09-08 | 2022-07-06 | プロパティエージェント株式会社 | System, face authentication platform, and information processing method |
Also Published As
Publication number | Publication date |
---|---|
CN101960462A (zh) | 2011-01-26 |
EP2249277A1 (en) | 2010-11-10 |
CN101960462B (zh) | 2013-05-08 |
JPWO2009107219A1 (ja) | 2011-06-30 |
US8726356B2 (en) | 2014-05-13 |
EP2249277A4 (en) | 2011-12-21 |
EP2249277B1 (en) | 2018-07-18 |
US20110061098A1 (en) | 2011-03-10 |
JP4729651B2 (ja) | 2011-07-20 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
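JP4729651B2 (ja) | Authentication device, authentication method, and authentication program implementing the method | |
US8732815B2 (en) | System, method of authenticating information management, and computer-readable medium storing program | |
WO2017067227A1 (zh) | Third-party account authorization method, device, server, and system thereof | |
KR101729633B1 (ko) | Apparatus and method for sharing social network service content in a communication system | |
US10555147B2 (en) | Systems and methods for facilitating service provision between applications | |
CN102171984A (zh) | Service provider access | |
KR20120002836A (ko) | Apparatus and method for controlling access to a plurality of services | |
EP2310977B1 (en) | An apparatus for managing user authentication | |
JP2002334056A (ja) | Login proxy system and login proxy method | |
JP4667326B2 (ja) | Authentication device, authentication method, and authentication program implementing the method | |
JP6898680B2 (ja) | Information processing apparatus and program | |
JP2016148919A (ja) | User attribute information management system and user attribute information management method | |
CN114338130A (zh) | Information processing method, apparatus, server, and storage medium | |
JP5732732B2 (ja) | Authentication server device, program, and method | |
US20050256808A1 (en) | System and method for implementing authentication web services for remote portlets | |
JP2008077614A (ja) | Session management program and session management method | |
US20110289552A1 (en) | Information management system | |
US20080057907A1 (en) | Service Usage Control System, Service Usage Controller, Method For The Same, Computer Readable Medium For The Same, And Computer Data Signal of The Same | |
WO2013168492A1 (ja) | Communication terminal device, site device, and information distribution system | |
JP2005346571A (ja) | Authentication system and authentication method | |
JP2005293161A (ja) | Authentication system, authentication method, and computer program | |
JP2005293088A (ja) | Authentication system and authentication method | |
JP6741310B1 (ja) | Information processing apparatus and program | |
KR20100073884A (ko) | Method for brokering and synchronizing customer information based on ID federation | |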
US20100175118A1 (en) | Access to service |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
WWE | Wipo information: entry into national phase |
Ref document number: 200880127608.3 Country of ref document: CN |
|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 08712119 Country of ref document: EP Kind code of ref document: A1 |
|
WWE | Wipo information: entry into national phase |
Ref document number: 2010500494 Country of ref document: JP |
|
WWE | Wipo information: entry into national phase |
Ref document number: 2008712119 Country of ref document: EP |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
WWE | Wipo information: entry into national phase |
Ref document number: 12919971 Country of ref document: US |