JP2008234606A - Authentication cooperation system, repeating installation, authentication cooperation method and authentication cooperation program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an authentication cooperation system, a repeating installation, an authentication cooperation method and an authentication cooperation program, capable of eliminating authentication processing, without remodeling an existing system. <P>SOLUTION: This repeating installation 3 determines whether or not to store an authentication session identifier corresponding to a terminal identifier included in a service request message, when receiving an authentication request message from a service providing device 2. When the authentication session identifier is stored, the repeating installation 3 transfers a message to an authentication device 1 by imparting the authentication session identifier to a converted authentication request message. The authentication device 1 transmits an authentication response message including an authentication certificate to the service providing device 2, without requiring credential information, when determining that the received authentication request message includes an effective authentication session identifier. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention relates to an authentication collaboration system, an authentication collaboration method, and an authentication collaboration program, and in particular, an authentication collaboration system and a relay device in which a communication protocol that is followed by an apparatus that provides a service is different from a communication protocol that is followed by an authentication apparatus that authenticates a user The present invention relates to an authentication linkage method and an authentication linkage program.

  In recent years, as the network infrastructure has been improved, applications that have been used only on user terminals have been increasingly provided as services via the network. Furthermore, with the evolution of information terminals, services that use various contents such as moving images as well as text and voice have appeared. In addition, services have been provided using various communication protocols that match the characteristics of the provided services.

  When using various services, if the users who can access each service are restricted, individual authentication processing is required. Prompts for credentials information. Therefore, there is a problem that processing for using the service becomes very complicated.

  As a conventional technique for solving the above-described problem, a method for linking authentication information between vendors on the Internet, such as SAML (Security Assertion Markup Language), has been technically specified. An example of an authentication system using SAML is described in Non-Patent Document 1. FIG. 32 is an explanatory diagram showing an example of a conventional authentication system described in Non-Patent Document 1.

  The authentication system described in Non-Patent Document 1 includes an IdP (identity provider) 100, an SP (service provider) 101, and a user agent (user terminal software) 102. The IdP 100, SP 101, and user agent 102 are connected via a network such as the Internet.

  As a typical operation of the authentication system described in Non-Patent Document 1 having such a configuration, a message exchange procedure at the time of single sign-on using the Web SSO protocol artifact profile will be described below. In the example shown in FIG. 32, as a premise, the user has an account in each of the user information 103 of the IdP 100 and the user information 104 of the SP 101. Both accounts are linked in advance. That is, both accounts are stored in association with each other. For example, when the IdP 100 authenticates the user, the IdP 100 transmits authentication result information to the SP 101. The SP 101 determines that the user is authenticated based on the received authentication result information, and provides a service (single sign-on).

  As shown in FIG. 32, the user uses the user agent 102 to receive IdP 100 authentication and log in (step S1). Thereafter, the user (user agent 102) accesses the SP 101 in order to use the service with the use restriction provided by the SP 101 (step S2).

  The SP 101 sends an authentication request message to the user agent 102 for user authentication (step S3-a). The user agent 102 redirects (transfers) the authentication request message from the SP 101 to the IdP 100 (step S3-b). The IdP 100 first confirms that the user has been authenticated in step S1, and creates an XML description document (authentication assertion) that proves that the user has been authenticated (step S4).

  Further, the IdP 100 creates an artifact that plays the role of a ticket corresponding to the authentication assertion, and sends it back to the user agent 102 (step S5-a). The user agent 102 redirects the artifact to the SP 101 (step S5-b). The SP 101 receives the artifact, sends it to the IdP 100, and requests a corresponding authentication assertion (step S6). The IdP 100 confirms the artifact received from the SP 101, and returns a corresponding authentication assertion to the SP 101 (step S7). The SP 101 confirms the validity of the authentication assertion received from the IdP 100, and verifies whether or not to grant permission for the access request to the user's service using the security policy of the SP 101. When granting permission, the SP 101 starts providing a service to the user agent 102 (step S8).

  As described above, the SP 101 does not authenticate the user itself, but entrusts the authentication function to the IdP 100 so that the service of the SP 101 can be used based on the user authentication information obtained from the IdP 100. . That is, single sign-on can be realized only by an authentication procedure from the user to the IdP 100. As a result, for the user, the number of authentication processes can be reduced when using a plurality of services, thereby improving convenience.

  Further, Patent Document 1 describes a computer system that realizes a single sign-on environment without modifying a back-end server. FIG. 33 is an explanatory diagram showing an example of a conventional computer system for realizing a single sign-on environment.

  As illustrated in FIG. 33, the system described in Patent Document 1 includes a client 201, a back-end server 202, a window server 203, and a relay server 204, which are connected via a network 200. The window server 203 has a user management table 205 and a mapping table 206. The relay server 204 has an authentication information table 207.

  A case where the client 201 makes an access request to one of the back-end servers 202 will be described. The client 201 first accesses the window server 203 and presents credential information for accessing the window server 203. The window server 203 performs authentication by comparing the presented credential information with the user credential information managed by the user management table 205. The client 201 receives authentication from the window server 203 and establishes a session with the window server 203.

  Thereafter, when the client 201 makes an access request to the back-end server 202, the window server 203 extracts credential information for accessing the back-end server 202 corresponding to the user from the mapping table 206. The window server 203 creates authentication information necessary for authentication in the backend server 202 based on the extracted credential information for access to the backend server 202. The window server 203 associates the session identifier established between the window server 203 and the client 201 with the created authentication information and sets it in the authentication information table 207 of the relay server 204.

  Next, the window server 203 transmits an HTTP redirect request to the client 201. The client 201 transmits a service access request to the back-end server 202 to the relay server 204 set as a proxy. The relay server 204 that has received the service access request refers to the authentication information table 207 and extracts authentication information for accessing the back-end server 202. The relay server 204 adds the extracted authentication information to the HTTP header of the access request message, and transfers the access request to the back-end server 202.

  As described above, the relay server 204 manages the credential information of the user to the back-end server 202 and the session information of the window server 203 in association with each other, so that the user can manage the back-end server 202 on behalf of the user. Automatically send credential information. Therefore, the user can sign on to the back-end server 202 with only one authentication procedure to the window server 203, and convenience is improved.

JP 2005-321970 A OASIS, “Assertations and Protocol for the OASIS Security Assessment Markup Language” (SAML) V 2.0 ], March 15, 2005, [March 9, 2007 search], Internet <URL: http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0- os.pdf>

  The first problem is that when a different service provided by a different communication protocol is used, the user is required to perform an authentication process for each service use, which makes the process complicated and impairs convenience. is there. This is because the conventional method does not consider the case where the user accesses a service provided by a different communication protocol. For example, in the authentication system described in Non-Patent Document 1, it is assumed that IdP and SP communicate using the same communication protocol. The computer system described in Patent Document 1 is also the same, and does not consider that each back-end server communicates with a different protocol. That is, in the conventional method, single sign-on cannot be performed if the communication protocol of each service is different.

  The second problem is that, in the conventional system, in order to reduce the user authentication opportunities between different services provided by different communication protocols, it is necessary to modify the device that provides the service. As described in the first problem, the authentication system described in Non-Patent Document 1 does not consider the case where the communication protocols of IdP and SP are different, and IdP when the communication protocols of IdP and SP are different. In order to communicate between SP and SP, either IdP or SP needs to support the other communication protocol. In the computer system described in Patent Document 1, it is not necessary to modify the back-end server because the relay server is installed. However, when a plurality of back-end servers use different communication protocols, it is necessary to modify the relay server so that it can adapt to the communication protocol for each back-end server.

  Therefore, an object of the present invention is to provide an authentication collaboration system, a relay device, an authentication collaboration method, and an authentication collaboration program that can reduce the opportunity of authentication processing without modifying an existing system.

  An authentication collaboration system according to the present invention is an authentication collaboration system including a terminal device used by a user, an authentication device that authenticates the user, and a relay device that relays communication between the service providing device that provides a service to the user. The relay device stores an authentication session identifier generated for each user authenticated by the authentication device in association with information indicating the user and stores an authentication request for the user who requested the service. When the service providing device transmits to the authentication device, the authentication request is received and converted based on the conversion rule stored in advance, and the authentication session identifier corresponding to the information indicating the user is linked information storage device Authentication request extracted from the authentication request, including the extracted authentication session identifier in the authentication request converted by the conversion means, and transmitting the authentication request to the authentication device The authentication device determines whether the received authentication request includes an authentication session identifier, and if it is determined that the authentication device includes an authentication session identifier, provides an authentication response indicating that the user has been authenticated. It is characterized by including an authentication determining means for performing a user authentication process when it is determined that the information is not included in the transmission to the providing apparatus.

  The linkage information storage means stores the service session identifier generated by the service providing apparatus every time the service is provided to the terminal apparatus in association with information indicating the user, and the conversion means transmits the terminal apparatus to the service providing apparatus. The service request is received, and the received service request is converted based on a conversion rule stored in advance, and the relay device extracts a service session identifier corresponding to information indicating the user who requested the service from the cooperation information storage unit. The service request relay unit includes the extracted service session identifier in the service request converted by the conversion unit and transmits the service request to the service providing device. The service providing device includes the service session identifier in the received service request. If it is determined that the service session identifier is included Send a service response that provides service to the user on the terminal device, when it is determined to be free, it is desirable to include a service determination unit that transmits the authentication request for the user to the authentication device. According to such a configuration, the service providing apparatus can omit the authentication request.

  The authentication determination unit preferably transmits an authentication response when the authentication session identifier satisfies a predetermined condition. According to such a configuration, it is possible to determine whether or not to transmit an authentication response based on a predetermined condition.

  The service determination means preferably transmits a service response when the service session identifier satisfies a predetermined condition. According to such a configuration, it is possible to determine whether or not to transmit a service response based on a predetermined condition.

  An authentication collaboration system according to the present invention is an authentication collaboration system including a terminal device used by a user, an authentication device that authenticates the user, and a relay device that relays communication between the service providing device that provides a service to the user. The relay device stores an authentication session identifier generated for each user authenticated by the authentication device in association with information indicating the user and stores an authentication request for the user who requested the service. When the service providing apparatus transmits to the authentication apparatus, the authentication request is received, the authentication session identifier corresponding to the information indicating the user is extracted from the cooperation information storage unit, and the authentication request including the extracted authentication session identifier is Authentication request relay means for transmitting to the authentication device. The authentication device determines whether or not the received authentication request includes an authentication session identifier. When it is determined that the session identifier is included, an authentication response indicating that the user has been authenticated is transmitted to the service providing apparatus, and when it is determined that the session identifier is not included, an authentication determination unit that performs user authentication processing is included. Features.

  The linkage information storage means stores the service session identifier generated by the service providing device every time the service is provided to the terminal device in association with information indicating the user, and the relay device is information indicating the user who requested the service. And a service request relay unit that extracts a service request including the extracted service session identifier to the service providing apparatus, and the service providing apparatus receives the service request as a service session. When it is determined whether or not the identifier includes the service session identifier, a service response for providing the service to the user is transmitted to the terminal device. When it is determined that the identifier does not include the identifier, the user authentication is performed. It is desirable to include service determination means for transmitting the request to the authentication device. According to such a configuration, the service providing apparatus can omit the authentication request.

  A relay device according to the present invention is a relay device that relays communication between a terminal device used by a user, an authentication device that authenticates the user, and a service providing device that provides a service to the user. When the service providing apparatus transmits an authentication request for the user who has requested the service to the authentication apparatus, the cooperation information storage means for storing the authentication session identifier generated for each user in association with the information indicating the user A conversion unit that receives the authentication request and converts the authentication request based on a conversion rule stored in advance, and extracts an authentication session identifier corresponding to information indicating the user from the cooperation information storage unit, and converts the extracted authentication session identifier And an authentication request relaying means for transmitting the authentication request to the authentication apparatus in addition to the authentication request converted by the means.

  The linkage information storage means stores the service session identifier generated by the service providing apparatus every time the service is provided to the terminal apparatus in association with information indicating the user, and the conversion means transmits the terminal apparatus to the service providing apparatus. The service request is received and converted based on the conversion rule stored in advance, the received service request is converted, the service session identifier corresponding to the information indicating the user who requested the service is extracted from the cooperation information storage means, and the extracted service It is desirable to include service request relay means for including the session identifier in the service request converted by the conversion means and transmitting the service request to the service providing apparatus. According to such a configuration, the service providing apparatus can omit the authentication request.

  An authentication collaboration method according to the present invention is an authentication collaboration method in which a relay device relays communication between a terminal device used by a user, an authentication device that authenticates the user, and a service providing device that provides a service to the user, The relay device stores the authentication session identifier generated for each user authenticated by the authentication device in association with the information indicating the user in the cooperation information storage means, and the relay device authenticates the user who requested the service. When the service providing device transmits the request to the authentication device, the authentication request is received and converted based on a conversion rule stored in advance, and the relay device links the authentication session identifier corresponding to the information indicating the user. Extracted from the information storage means, including the extracted authentication session identifier in the converted authentication request, transmitting the authentication request to the authentication device, and receiving the authentication device When it is determined whether the authentication request includes an authentication session identifier, and when it is determined that the authentication request includes the authentication session identifier, an authentication response indicating that the user has been authenticated is transmitted to the service providing apparatus, and it is determined that the authentication request is not included In addition, a user authentication process is performed.

  The relay device stores the service session identifier generated by the service providing device every time the service is provided to the terminal device in association with the information indicating the user in the cooperation information storage unit. The service request identifier to be transmitted is received, the received service request is converted on the basis of the conversion rule stored in advance, and the relay device converts the service session identifier corresponding to the information indicating the user who requested the service into the cooperative information storage means The service request identifier is included in the converted service request, and the service request is transmitted to the service providing apparatus. The service providing apparatus determines whether the received service request includes the service session identifier. Provide service to users when it is determined that the service session identifier is included. Send a service response to the terminal device, when it is determined to be free, it is desirable to transmit an authentication request for the user to the authentication device. According to such a configuration, the service providing apparatus can omit the authentication request.

  An authentication linkage program according to the present invention is an authentication linkage program for relaying communication between a terminal device used by a user, an authentication device that authenticates the user, and a service providing device that provides a service to the user, In addition, an authentication session identifier generated for each user authenticated by the authentication device is stored in the cooperative information storage means in association with information indicating the user, and an authentication request for the user who requested the service is provided. When the device transmits to the authentication device, the authentication request is received and converted based on the conversion rule stored in advance, and the authentication session identifier corresponding to the information indicating the user is extracted from the cooperative information storage means , Including the extracted authentication session identifier in the converted authentication request and transmitting the authentication request to the authentication device. It is characterized in.

  A process in which a service session identifier generated by the service providing device every time the service is provided to the terminal device is stored in association information storage means in association with information indicating the user, and the terminal device transmits the service session identifier to the service providing device. Process for receiving service request and converting received service request based on conversion rule stored in advance, and extracting service session identifier corresponding to information indicating user who requested service from cooperation information storage means It is desirable to include the service session identifier thus converted in the converted service request and execute processing for transmitting the service request to the service providing apparatus. According to such a configuration, the service providing apparatus can omit the authentication request.

  A preferred aspect of the authentication cooperation system according to the present invention is characterized in that, for example, an authentication device, a service providing device, a relay device, and a terminal device are connected to a network.

  The authentication apparatus of the first authentication cooperation system according to the present invention includes a predetermined communication means, a user authentication means for authenticating the user, and the user authentication is completed when the user authentication means authenticates the user. An authentication information issuance means for issuing an authentication certificate for proving that it has been created, a user information management means for managing personal information of the user, and a new session is created when the user authentication means authenticates the user, A session information management means for managing a session identifier corresponding to the session, a user information storage section for storing user personal attribute information, user credential information for authentication by the user authentication means, etc., and a session A session information storage unit that stores a session identifier issued by the information management unit and session information corresponding to the session identifier.

  The service providing apparatus of the first authentication collaboration system according to the present invention provides service providing means for providing a predetermined service, and provides the service by a predetermined communication protocol different from the communication protocol of the authentication apparatus. Based on the authentication information of the user provided by the communication means for communicating with the authentication information issuing means of the authentication device, the session information storage unit stores a session valid during a predetermined period and a session identifier corresponding to the session. Based on the security information of the service providing apparatus stored in the security policy storage unit and the user authentication information provided by the authentication information issuing means of the authentication apparatus, the session information management means to be managed, and the user of the service Access control means for giving an authorization decision as to whether or not to permit the access request.

  The relay device of the first authentication collaboration system according to the present invention includes a communication unit capable of communicating by both communication protocols used by the communication unit of the authentication device and the service providing device, and between the authentication device, the service providing device, and the terminal device. The data conversion means for converting the content of the communication message to a predetermined communication protocol for performing communication with the communication means, analyzing the content of the communication message received from another device received by the communication means, the conversion result by the data conversion means, Stored in the communication message analysis creation means for reconfiguring and creating an appropriate communication message according to the communication content and its destination based on the cooperation session information, and the received message of the communication means acquired by the communication message analysis creation means Session information management means for managing the session information in the cooperation session information storage unit and the communication means Associate a set of messages related to the communication message, and acquires the identifier information about the underlying terminal device of the communication message, and a terminal identifier management means for managing.

  In addition, the terminal device of the first authentication collaboration system of the present invention provides a communication unit that can communicate with a predetermined communication protocol used by a service provided by the service providing unit of the service providing device, and a predetermined amount with respect to the service providing device. Service request means for creating a service request message, authentication processing means for sending credential information when the authentication apparatus is requested to provide user credential information, and the terminal apparatus. Terminal identifier management means for managing in the terminal identifier storage unit an identifier that can be specified by the terminal device or a user of the terminal device.

  Adopting such a configuration, even when the communication protocol of the communication means used by the authentication device is different from the communication protocol of the communication means of the service providing device, the relay device converts the protocol, and the authentication device and the service providing device. By associating and managing the session identifier and the terminal identifier issued from each of the above, it is possible to authenticate the user without modifying the existing authentication device, service providing device, and communication protocol or basic function of the terminal device. By enabling the reduction, the first and second objects of the present invention can be achieved.

  The first effect is that convenience for the user when using the service is improved. The reason is that when a user uses a plurality of services disclosed by various communication protocols, the authentication procedure can be kept to a minimum, and the use of the service is not interrupted.

  The second effect is that the introduction cost for realizing single sign-on can be reduced. The reason is that the authentication linkage system can be introduced without modifying the communication protocol and basic functions of the existing system.

Embodiment 1 FIG.
Hereinafter, embodiments of the present invention will be described with reference to the drawings. FIG. 1 is a block diagram showing a configuration example of an authentication collaboration system according to the present invention. The authentication cooperation system illustrated in FIG. 1 includes an authentication device 1, a service providing device 2, a relay device 3, and a terminal device 4. The authentication device 1, the service providing device 2, the relay device 3, and the terminal device 4 are connected via a network 500 and communicate with each other.

  In the present invention, the terminal device 4 transmits a service request message to the service providing device 2 via the relay device 3. The service request message is information including information that can identify the user who requested the service. Hereinafter, a case where the information that can identify the user who requested the service is information that can identify the terminal device 4 (hereinafter referred to as a terminal identifier) will be described as an example. When the service request message is received, the service providing apparatus 2 transmits an authentication request message about the user who has made the service request to the authentication apparatus 1 via the relay apparatus 3. When the authentication of the user is required, the authentication device 1 transmits a credential information request message to the terminal device 4 via the relay device 3 to receive the credential information, and receives the credential information via the relay device 3. Send an authentication response message to. If the user has already been authenticated and authentication is not required, the authentication device 1 sends an authentication response message to the service providing device 2 via the relay device 3 without requesting the credential information from the terminal device 4. To do. When the service providing device 2 receives the authentication response message, the service providing device 2 transmits the service response message to the terminal device 4 via the relay device 3.

  Further, when the terminal device 4 transmits a service request message to the same service providing device 2 again via the relay device 3, the service providing device 2 sends an authentication request message to the authentication device 1 within a predetermined period, for example. A service response message is transmitted to the terminal device 4 without transmitting.

  Further, in a series of processing, the relay device 3 converts the received information based on a predetermined conversion rule, and transmits it to the transfer destination device. For example, the relay device 3 converts the protocol of information to be transferred from the protocol corresponding to the transfer source device to the protocol corresponding to the transfer destination device, and transmits the converted protocol.

  The authentication device 1 authenticates the user by a predetermined authentication method. Specifically, the authentication device 1 is realized by an information processing device such as a workstation or a personal computer. The authentication device 1 is realized by, for example, a server device that manages a user of the terminal device 4 and is operated by a business operator that authenticates the user.

  FIG. 2 is a block diagram illustrating an example of the configuration of the authentication device 1. As shown in FIG. 2, the authentication apparatus 1 includes a communication unit 10, an authentication information issuing unit 11, a user authentication unit 12, a user information management unit 13, a session information management unit 14, and a user information storage. Unit 15 and session information storage unit 16.

  When the communication unit 10 of the authentication device 1 receives the authentication request message transmitted by the service providing device 2, the session information management unit 14 determines whether or not user authentication is necessary. When the session information management unit 14 determines that authentication is necessary, the user authentication unit 12 requests credential information from the terminal device 4.

  When the communication unit 10 receives the credential information, the user authentication unit 12 authenticates the user based on the user information stored in advance in the user information storage unit 15 and the received credential information. For example, when the user information including the received credential information is stored in the user information storage unit 15, the user authentication unit 12 authenticates the sender of the credential information with the user himself / herself. When the user authentication unit 12 authenticates the user, the authentication information issuing unit 11 issues an authentication certificate. Further, the session information management unit 14 issues a session identifier and stores it in the session information storage unit 16 as session information in association with the authentication certificate. Hereinafter, the session identifier issued by the session information management unit 14 may be referred to as an authentication session identifier, and the session information stored in the session information storage unit 16 may be referred to as authentication session information.

  The user authentication unit 12 transmits an authentication response message including an authentication certificate and an authentication session identifier to the service providing apparatus 2. On the other hand, when the session information management unit 14 determines that authentication is not required when receiving the authentication request message, the user authentication unit 12 sends an authentication response message including an authentication certificate to the service providing apparatus 2 without requesting credential information. Send to.

  The “credential information” is information for certifying the user of the terminal device 4 such as a user identifier and a password. “User information” includes user attribute information such as a user's name and age, information that characterizes or associates the user, and includes credential information. The “authentication session identifier” is information indicating that the authentication device 1 authenticates the user and a session between the authentication device 1 and the terminal device 4 is established for authentication.

  The communication unit 10 performs communication according to a communication destination device according to a predetermined communication protocol. Specifically, the communication unit 10 is realized by a CPU and a network interface unit of an information processing terminal that operates according to a program.

  The user authentication means 12 is means for authenticating a user who uses the terminal device 4 in response to an authentication request message transmitted by the service providing apparatus 2. When the user authentication is required, the user authentication means 12 requests the user to provide credential information, and the contents of the user credential information sent from the terminal device 4 used by the user. And authenticate the identity of the user.

  The authentication information issuing unit 11 issues an authentication certificate for certifying that the user authentication unit 12 has completed user authentication. Specifically, the authentication certificate may include information such as a user authentication method, an authentication time, a user identifier, and a certificate expiration date. The authentication information issuing unit 11 issues an authentication certificate in which appropriate information is described according to the destination to be issued. For example, depending on the destination to be issued, the identifier of the user may be a common identifier between the authentication device 1 and the destination, or may be an anonymous identifier to protect privacy.

  The user information management means 13 stores user information in the user information storage unit 15 and manages new registration, update, and deletion of user information. The user information management means 13 stores user information in the user information storage unit 15 in advance.

  The user information storage unit 15 appropriately stores user information in response to registration, update, and deletion requests from the user information management means 13. Specifically, the user information storage unit 15 is realized by a storage device such as a magnetic disk device or an optical disk device.

  When the user authentication unit 12 authenticates the user, the session information management unit 14 issues an authentication session identifier that is valid during a predetermined period and stores it in the session information storage unit 16. For example, the session information management unit 14 receives the authentication session identifier from the session information storage unit 16 when a predetermined period has elapsed after the issuance of the authentication session identifier or when an explicit session termination request is received from the user. Process such as deleting.

  Further, the session information management means 14 determines whether or not user authentication is necessary when receiving the authentication request message. The presence of a valid authentication session means that authentication has already been completed. When the user accesses the authentication device 1 (that is, when the service providing device 2 transmits an authentication request message to the authentication device 1 in response to a service request message from the terminal device 4), the session information management unit 14 And determining whether the received authentication request message includes an authentication session identifier.

  If it is determined that the authentication session identifier is included, the session information management unit 14 determines whether or not the authentication session indicated by the received authentication session identifier is valid based on the authentication session information stored in the session information storage unit 16. To do. The authentication session information is information including the validity period of the authentication session identifier, the authentication strength, and the like, for example. When the session information management unit 14 determines that the authentication session is valid and re-authentication is not necessary, the user authentication unit 12 omits the process of requesting credential information from the user. In addition, the communication unit 10 transmits an authentication response message to the service providing apparatus 2.

  For example, even if the authentication session information exists, the session information management unit 14 determines that re-authentication is necessary when the valid period has passed. In addition, for example, when the authentication strength of the authentication method at the time of initial authentication is weak (ID, password, etc.) and then use a service with severe usage restrictions (for example, debiting from a bank account) Since the previous authentication result is insufficient, an authentication with a strong authentication strength is additionally requested. The authentication session information is information including a policy indicating whether or not re-authentication is necessary, in addition to the validity period of the authentication session identifier, the authentication strength, and the like.

  The session information storage unit 16 stores authentication session information including a user authentication session identifier and an authentication certificate. The session information storage unit 16 is specifically realized by a storage device such as a magnetic disk device or an optical disk device.

  FIG. 3 is a block diagram illustrating an example of the configuration of the service providing apparatus 2. As shown in FIG. 3, the service providing apparatus 2 includes a communication unit 20, a session information management unit 21, a service providing unit 22, an access control unit 23, a session information storage unit 24, and a security policy storage unit 25. including.

  When the communication means 20 of the service providing apparatus 2 receives the service request message transmitted from the terminal apparatus 4, the session information management means 21 determines whether it is necessary to authenticate the user who requested the service. When it is determined that authentication is necessary, the session information management unit 21 transmits an authentication request message to the authentication device 1.

  When the communication unit 20 receives the authentication response message from the authentication device 1, the access control unit 23 determines that the user who has requested the service uses the service based on the security policy stored in the security policy storage unit 25. It is determined whether or not it has. When the user has authority and the authentication certificate included in the authentication response message is valid, the session information management unit 21 issues a session identifier and stores it in the session information storage unit 24. Hereinafter, the session identifier issued by the session information management unit 21 may be referred to as a service session identifier, and the session information stored in the session information storage unit 24 may be referred to as service session information.

  The session information management unit 21 transmits a service response message including the service session identifier to the terminal device 4. On the other hand, when the session information management unit 21 determines that the authentication is unnecessary when receiving the service request message, the session information management unit 21 transmits the service response message to the terminal device 4 without transmitting the authentication request message.

  The communication unit 20 performs communication according to a communication destination device according to a predetermined communication protocol. Specifically, the communication unit 20 is realized by a CPU and a network interface unit of an information processing terminal that operates according to a program.

  Specifically, the session information management means 21 is realized by a CPU of an information processing apparatus that operates according to a program. The session information management unit 21 has a function of managing session information when a user receives a service provided by the service providing unit 22.

  That is, the session information management means 21 determines whether or not it is necessary to authenticate the user who requested the service when receiving the service request message. When the session information management unit 21 determines that the received service request message includes the service session identifier, the session information management unit 21 determines whether the received service session identifier is valid based on the service session information stored in the session information storage unit 24. Judgment. The service session information is information including the expiration date of the service session identifier, authentication strength, and the like, for example.

  In addition, when the authentication response received from the authentication device 1 is valid and the user has an access authority, the session information management unit 21 issues a session identifier and stores it in the session information storage unit 24 as session information. Hereinafter, the session identifier issued by the session information management unit 21 may be referred to as a service session identifier, and the session information stored in the session information storage unit 24 may be referred to as service session information.

  Specifically, the service providing means 22 is realized by a CPU of an information processing apparatus that operates according to a program. The service providing unit 22 publishes a predetermined service using a predetermined communication protocol different from that of the authentication device 1. The service providing unit 22 has a function of providing various services to the terminal device 4 via the communication unit 20 and the network 500.

  The access control unit 23 analyzes the authentication response message regarding the user received from the authentication device 1, and the service providing unit 22 determines that the service providing unit 22 is based on the analysis result of the authentication response message and the security policy managed by the security policy storage unit 25. An authorization decision is made as to whether or not to permit access to the service.

  The security policy storage unit 25 manages policy information for the access control unit 23 of the service providing apparatus 2 to determine whether or not to give a user permission to provide a predetermined service. Specifically, the policy information is a policy relating to access control such as permitting a user to access a service disclosed with a predetermined URL when the received authentication certificate is valid. The policy information is described in a predetermined description language.

  FIG. 4 is a block diagram illustrating an example of the configuration of the relay device 3. As shown in FIG. 4, the relay device 3 includes a communication unit 30, a data conversion unit 31, a communication message analysis creation unit 32, a terminal identifier management unit 33, a cooperative session information management unit 34, and a cooperative session information storage. Unit 35, terminal identifier information storage unit 36, and conversion rule information storage unit 37.

  When the communication unit 30 of the relay device 3 receives the information to be transferred, the data conversion unit 31 converts the received information based on the conversion rule stored in the conversion rule information storage unit 37 and transmits it to the transfer destination device. To do. For example, the data conversion unit 31 converts the protocol of information to be transferred from the protocol corresponding to the transfer source device to the protocol corresponding to the transfer destination device.

  When the communication unit 30 receives a service request message from the terminal device 4, the cooperation session information management unit 34 stores a service session identifier corresponding to the terminal identifier included in the received service request message in the cooperation session information storage unit 35. Judge whether or not. When the service session identifier corresponding to the terminal identifier is not stored, the communication message analysis creating unit 32 transfers the service request message to the service providing apparatus 2. On the other hand, when the service session identifier corresponding to the terminal identifier is stored, the communication message analysis creating unit 32 assigns the service session identifier to the service request message and forwards it to the service providing apparatus 2.

  When the communication means 30 receives the authentication request message from the service providing apparatus 2, the cooperation session information management means 34, in the cooperation session information storage unit 35, the authentication session identifier corresponding to the terminal identifier included in the service request message is the cooperation session. It is determined whether or not the information is stored in the information storage unit 35. When the authentication session information corresponding to the terminal identifier is not stored, the communication message analysis creation unit 32 transfers the authentication request message converted by the data conversion unit 31 to the authentication device 1. On the other hand, when the authentication session identifier corresponding to the terminal identifier is stored, the communication message analysis creation unit 32 assigns the authentication session identifier to the authentication request message converted by the data conversion unit 31 and forwards it to the authentication device 1. .

  When the communication unit 30 receives the authentication response message from the authentication device 1, the communication message analysis / creation unit 32 extracts the authentication session identifier included in the received authentication response message. The cooperation session information management unit 34 stores the authentication session identifier in the cooperation session information storage unit 35 as cooperation session information in association with the terminal identifier of the terminal that has transmitted the service request message corresponding to the authentication response message. The communication message analysis creation unit 32 transfers the authentication response message converted by the data conversion unit 31 to the service providing apparatus 2.

  When the communication unit 30 receives a service response message from the service providing apparatus 2, the communication message analysis / creation unit 32 extracts a service session identifier included in the received service response message. The cooperation session information management unit 34 stores the service session identifier in the cooperation session information storage unit 35 as cooperation session information in association with the terminal identifier of the terminal that has transmitted the service request message corresponding to the service response message. The communication message analysis creation means 32 transfers the service response message to the terminal device 4.

  The communication unit 30 uses both communication protocols used by the communication unit 10 of the authentication device 1 and the communication unit 20 of the service providing unit 2 to communicate according to a device serving as a communication destination. That is, the communication unit 30 corresponds to both the protocol that the communication unit 10 of the authentication device 1 follows and the protocol that the communication unit 20 of the service providing unit 2 follows. Specifically, the communication unit 30 is realized by a CPU and a network interface unit of an information processing terminal that operates according to a program.

  The data conversion means 31 has a function of converting message data received with a certain protocol into transmission message data with a different protocol. For example, when the data conversion unit 31 uses a different communication protocol among the authentication device 1, the service providing device 2, and the terminal device 4, the data conversion unit 31 determines whether the protocol is based on the result analyzed by the communication message analysis creation unit 32. Process to absorb the difference. The relay device 3 manages each data stored in each communication message in a common format, and converts the data into a format depending on each communication protocol.

  Further, the data conversion means 31 has a name resolution function for each data, and performs conversion from a predetermined device name to an appropriate URL, for example. Further, the data conversion means 31 has a meta information search function, and for example, acquires a communication protocol corresponding to a destination of a predetermined device name.

  The conversion rule information storage unit 37 stores conversion rule information used when the data conversion unit 31 converts data. The conversion rule information is, for example, information for each communication protocol, and is information including a session information format, a storage parameter, a storage location, a data conversion method, a data resolution rule, meta information about each device, and the like.

  The communication message analysis creation unit 32 analyzes the content of a predetermined message received by the communication unit 30. The communication message analysis creation means 32 analyzes the source and destination of the received message and the intended contents of the received message, and determines whether or not conversion of the communication protocol is necessary based on the analyzed contents. When conversion is necessary, the communication message analysis creation means 32 requests the data conversion means 31 for data conversion. Based on the analysis result of the received message, the communication message analysis creating unit 32 determines to which destination the received message is sent, and creates a message that defines the appropriate destination.

  Further, when receiving an authentication response message from the authentication device 1, the communication message analysis creating unit 32 extracts an authentication session identifier. When receiving a service response message from the service providing apparatus 2, the communication message analysis creating unit 32 extracts a service session identifier.

  The terminal identifier management means 33 is means for extracting identifier information (terminal identifier) related to the terminal device 4 that has sent the communication message received by the communication means 30. Here, the identifier information related to the terminal device 4 is an IP address of the terminal device 4, an identifier unique to the terminal device 4, a user identifier of a user of the terminal device 4, and the like. The terminal identifier management means 33 associates and manages a series of messages related to a certain user based on the identifiers of communication messages relayed between the terminal device 4, the authentication device 1, and the service providing device 2, and manages each message. The terminal identifier information is acquired from the identifier.

  That is, the terminal identifier management unit 33 extracts the terminal identifier included in the service request message when relaying the service request message transmitted from the terminal device 4 to the service providing apparatus 2, and can identify the service request message. And stored in the terminal identifier information storage unit 36. When receiving an authentication request message or a service response message from the service providing apparatus 2 or receiving an authentication response message from the authentication apparatus 1, the terminal identifier management unit 33 specifies a service request message corresponding to these messages, Extract the corresponding terminal identifier.

  The cooperation session information management unit 34 stores the authentication session information and the service session information extracted by the communication message analysis creation unit 32 in the cooperation session information storage unit 35. For example, the cooperation session information management unit 34 performs processing such as new registration, update, and deletion of cooperation session information.

  The cooperation session information storage unit 35 stores the authentication session information and the service session information extracted by the communication message analysis creation unit 32. Specifically, the cooperation session information storage unit 35 is realized by a storage device such as a magnetic disk device or an optical disk device.

  The terminal identifier information storage unit 36 stores the terminal identifier information extracted by the terminal identifier management unit 33. Specifically, the terminal identifier information storage unit 36 is realized by a storage device such as a magnetic disk device or an optical disk device.

  FIG. 5 is a block diagram illustrating an example of the configuration of the terminal device 4. As shown in FIG. 5, the terminal device 4 includes a communication unit 40, an authentication processing unit 41, a service request unit 42, a terminal identifier management unit 43, and a terminal identifier storage unit 44.

  The communication unit 40 performs communication according to a predetermined communication protocol for using the service provided by the service providing unit 22 of the service providing apparatus 2. The communication unit 40 can communicate with the authentication device 1 and the service providing unit 2 via the relay device 3 using a communication protocol. Specifically, the communication unit 40 is realized by a CPU and a network interface unit of an information processing terminal that operates according to a program.

  The service request unit 42 transmits a service request message in order to receive the service provided by the service providing apparatus 2, and receives information (service response message) returned as a result via the communication unit 40. Further, the service request unit 42 displays an information (service response message) transmitted from the service providing device 2 to the user of the terminal device 4 and provides an appropriate interface function that allows information input from the user. Prepare.

  When receiving the credential request from the authentication device 1, the authentication processing unit 41 performs processing such as prompting the user to input the credential information and transmits the credential information to the authentication device 1.

  The terminal identifier management unit 43 stores the terminal identifier, which is an identifier given to the terminal device 4 and can identify the terminal device 4 or the user of the terminal device 4, in the terminal identifier storage unit 44. Specifically, the terminal identifier is given by the operator operating the authentication device 1, or is automatically assigned and acquired at the time of network access, the identifier unique to the terminal device 4, and the use of the terminal device 4 User identifier of the user.

  The terminal identifier storage unit 44 stores a terminal identifier assigned to the terminal device 4 and managed by the terminal identifier management unit 43. The terminal identifier storage unit 44 is specifically realized by a storage device such as a magnetic disk device or an optical disk device.

  When the communication means in the authentication device 1, the service providing device 2, the relay device 3, and the terminal device 4 communicate with each other, SSL (Secure Sockets Layer), TLS (Transport Layer Security), or the like, It has a mechanism to prevent interception of messages sent to and received from the three parties. In addition, each communication means is provided with an encryption function for notifying only the predetermined communication partner of the contents of messages transmitted and received to each other and preventing exposure to the intended communication partner, and decrypting the received encrypted information. It has a composite function to do this. Further, each communication means has a signature function for verifying that the contents of messages transmitted and received with each other have been created by an appropriate device and have not been tampered with, and a function for verifying the signature contents.

  Next, the operation of the first embodiment will be described with reference to FIGS.

  First, the operation of the authentication device 1 will be described. FIG. 6 is a flowchart illustrating an example of processing executed by the authentication device 1. In the present embodiment, it is assumed that the user authentication unit 12 of the authentication device 1 discloses a service for authenticating the user and can receive an authentication request from another device. Hereinafter, as the most characteristic process executed by the authentication apparatus 1, a process when an authentication request from the service providing apparatus 2 is received via the relay apparatus 3 will be described.

  The communication means 10 of the authentication device 1 receives the user authentication request message from the relay device 3 (step S101).

  The session information management unit 14 determines whether an authentication session identifier is included in the authentication request message (step S102). If the authentication session identifier is not included (No), the process proceeds to step S103 to perform user authentication processing. That is, the user authentication unit 12 transmits a message requesting the user credential information to the terminal device 4 via the relay device 3 (step S103), and the communication unit 10 transmits the message from the terminal device 4 via the relay device 3. The credential information is received (step S104).

  The user authentication unit 12 verifies the received credential information by comparing it with the user information stored in the user information storage unit 15 managed by the user information management unit 13, and authenticates the user (step). S105). The session information management unit 14 issues a new authentication session identifier after the user authentication is completed (step S106), and manages it in association with the authenticated user (terminal identifier).

  On the other hand, if the authentication session identifier is included in step S102 (Yes), the session information management unit 14 confirms the details of the session managed as the authentication session identifier and checks the validity of the session (step S109). . If it is determined that the session is invalid because the valid period of the investigated session has passed (No), the user authentication means 12 requires additional authentication of the user. Then, the process proceeds to step S103 to perform user authentication processing. On the other hand, if it is confirmed that the session is valid (Yes), the user authentication process is omitted, and the process proceeds to step S107.

  When a valid session is established, the authentication information issuing unit 11 issues user authentication certificate information (step S107) and creates an authentication response message for the authentication request. The user authentication unit 12 transmits an authentication response message to the service providing device 2 via the communication unit 10 and the relay device 3 (step S108). The authentication device 1 moves to step S101, and returns to the waiting state for the authentication request from the relay device 3.

  Next, the operation of the service providing apparatus 2 will be described. FIG. 7 is a flowchart illustrating an example of processing executed by the service providing apparatus 2. In the present embodiment, the service providing unit 22 of the service providing apparatus 2 discloses a predetermined service to the user who uses the terminal apparatus 4 and requests for accessing the service from the terminal apparatus 4. Is in a state where it can be received. Hereinafter, as the most characteristic process executed by the service providing apparatus 2, a process when an authentication request from the terminal apparatus 4 is received via the relay apparatus 3 will be described.

  The communication means 20 of the service providing apparatus 2 receives an access request (service request) message to the user service from the relay apparatus 3 (step S201). The session information management means 21 confirms whether or not the service session identifier is included in the received service request message (step S202). If the service session identifier is included (Yes), the session information management means 21 corresponds to the service session identifier. Service session information is extracted from the session information storage unit 24 and its validity is confirmed (step S203). If the service session identifier is valid (Yes), the service providing unit 22 proceeds to step S211, continues to provide the service, and transmits a service response message. If it is determined in step S203 that the service session identifier is not valid (No), the process proceeds to step S204.

  On the other hand, if the service session identifier is not included in the process of step S202 (No), the process proceeds to step S204. In step S204, the session information management unit 21 creates an authentication request message indicating a request for user authentication in order to authenticate the user. Here, the service providing unit 22 may include information indicating a predetermined authentication device 1 that should perform user authentication in the authentication request message. The communication unit 20 transmits an authentication request message to the relay device 3 and waits for a response from the relay device 3.

  The communication unit 20 receives an authentication response message for the authentication request message from the relay device 3 (step S205). The access control means 23 analyzes the authentication response message, extracts an authentication certificate corresponding to the user from the authentication response message, and analyzes the appropriateness of the user authentication result by the authentication device 1 (step S206).

  Based on the authentication response message and the analysis result of the authentication certificate, the access control unit 23 refers to the security policy stored in the security policy storage unit 25 and issues a service request to the service provided by the service providing unit 22. It is determined whether or not the user who has done so has the authority to use the service (step S207).

  If the authentication information of the user authentication certificate is invalid or the user does not have access authority to the service (No), the service providing means 22 indicates an error indicating that the user does not have access authority to the service. A message is created and transmitted to the relay device 3 through the communication means 20 (step S208).

  On the other hand, if the authentication information of the user authentication certificate is valid and the user has access authority to the service (Yes), the session information management means 21 creates a new session corresponding to the user. Then, a service session identifier corresponding to the session is issued (step S209) and stored in the session information storage unit 24 (step S210). The service providing unit 22 creates a service response message including the newly issued service session identifier, and the communication unit 20 transmits the service response message to the relay device 3 (step S211).

  Next, the operation of the relay device 3 will be described. FIG. 8 is a flowchart illustrating an example of processing executed by the relay device 3. In the present embodiment, relay device 3 is connected to each device so as to be able to transmit and receive communication messages in order to relay communication among authentication device 1, service providing device 2, and terminal device 4.

  The communication means 30 receives a communication message from a waiting state for communication messages from other devices. The message analysis creation means 32 extracts and analyzes information included in the communication message, such as the communication content, the transmission source of the communication message, and the destination of the intended communication partner (step S301), and performs processing according to the analysis content. Do.

  When the received communication message is a service request from the terminal device 4 to the service providing device 2 (step S310), the service request / other reception processing in step S311 is performed. FIG. 9 is a flowchart illustrating an example of the process of step S311 when a service request message is received.

  In the service request / other reception process, the communication message analysis creating means 32 checks whether or not the credential requested from the authentication device 1 is included in the received service request message (step S312). If it is included (Yes), the received message is regarded as a service request including a credential response to the credential request from the authentication device 1, and the process proceeds to step S316.

  In step S316, the data conversion unit 31 stores the conversion rule information corresponding to each communication protocol based on the communication protocol of the service request message and the communication protocol of the response message to be transmitted to the authentication device 1. Extracted from the unit 37. Based on the extracted conversion rule information, the data conversion unit 31 appropriately stores information such as the authentication method, authentication algorithm, domain (Realm), Nonce, and IP address of the authentication device 1 specified in the credential response message. Convert the data so that

  The communication message analysis creation unit 32 creates a credential response message for the newly reconfigured authentication device 1 (step S317). Next, referring to FIG. 8, the communication unit 30 transmits a credential response message to the authentication device 1 (step S <b> 302), and shifts to a waiting state for communication from another device.

  On the other hand, in step S312, if the received message does not include the credential (No), the communication message analysis creating unit 32 performs the relay process for transferring the service request to the service providing apparatus 2 as follows.

  That is, the communication message analysis / creation unit 32 determines whether or not a service session identifier is included in the service request message (step S313). When the service session identifier is included (Yes), the process proceeds to step S316.

  In step S316, the data conversion unit 31 is required according to the service providing apparatus 2 that is the transmission destination based on the communication protocol of the service request message and the communication protocol of the response message to be transmitted to the authentication apparatus 1. Convert the data.

  The communication message analysis creating means 32 creates a new service request message for the service providing apparatus 2 by adding protocol-dependent information such as a service session identifier and information indicating that the service request message has passed through the relay apparatus 3. (Step S317). Next, referring to FIG. 8, the communication unit 30 transmits a service request message to the service providing apparatus 2 (step S302), and shifts to a standby state for communication from another apparatus.

  On the other hand, when the service request identifier is not included in the service request message in step S313 (No), the cooperative session information management unit 34 refers to the cooperative session information storage unit 35 and transmits the service request 4 It is determined whether or not the cooperative session information regarding is already registered (step S314).

  In step S314, when there is no cooperation session information (No), no process is performed on the session information, and the process proceeds to step S316. On the other hand, when there is cooperation session information (Yes), the cooperation session information management means 34 acquires cooperation session information and acquires a service session identifier related to the terminal device 4 (step S315).

  The data conversion unit 31 then converts the data required according to the service providing apparatus 2 that is the transmission destination based on the communication protocol of the service request message and the communication protocol of the response message to be transmitted to the authentication apparatus 1. Conversion is performed (step S316).

  The communication message analysis creating means 32 adds a service request identifier to the service providing apparatus 2 by adding protocol-dependent information such as a service session identifier and information indicating that the relay apparatus 3 has been passed to the service request message. A message is created (step S317). Next, referring to FIG. 8, the communication unit 30 transmits a service request message to the service providing apparatus 2 (step S302), and shifts to a standby state for communication from another apparatus.

  When the communication message is an authentication request message from the service providing apparatus 2 to the authentication apparatus 1 (step S320), the authentication request reception process in step S321 is performed. FIG. 10 is a flowchart illustrating an example of the process of step S321.

  In the authentication request reception process, the terminal identifier management means 33 uses the identifier of the service request message of the terminal device 4 that triggered the sending of the authentication request message included in the authentication request message as a key. Are extracted from the terminal identifier information storage unit 36 (step S322).

  The communication message analysis / creation unit 32 checks whether or not the authentication request message includes information indicating the authentication device 1 that is a destination to which the authentication request message is sent. If there is information indicating the authentication device 1, the information indicating the authentication device 1 is extracted as a new destination authentication device. On the other hand, if there is no information indicating the authentication device 1, information on the predetermined authentication device is set as a new destination authentication device (step S323).

  The cooperation session information management unit 34 acquires the cooperation session information from the cooperation session information storage unit 35 using the terminal identifier extracted in step S322 as a key, and authenticates the user's destination authentication apparatus 1 included in the cooperation session information. A session identifier is acquired (step S324).

  The data conversion means 31 converts the message data of the authentication request message according to the communication protocol with which the destination authentication apparatus 1 communicates (step S325). The communication message analysis / creation unit 32 reconstructs a new authentication request message using the result of data conversion and the authentication session identifier (step S326). As shown in FIG. 8, the communication message analysis creating means 32 transfers the generated authentication request message to the destination authentication apparatus 1 (step S302), and shifts to a standby state for communication from other apparatuses.

  When the received communication message is a credential request message from the authentication device 1 to the terminal device 4 via the relay device 3 (step S330), a credential request reception process in step S331 is performed. FIG. 11 is a flowchart illustrating an example of the process in step S331.

  In the credential request reception process, the communication message analysis creation unit 32 acquires information used for user authentication such as an authentication method and an algorithm included in the credential request message (step S332). Then, the data conversion unit 31 uses the information for user authentication based on the information for user authentication, the communication protocol of the credential request message, and the communication protocol to the terminal device 4 that is the destination of the credential request. Is converted (step S333). Further, the communication message analysis creating unit 32 creates a new credential request message to the terminal device 4 (step S334). Next, referring to FIG. 8, the communication unit 30 transfers the credential request message to the terminal device 4 (step S <b> 302), and shifts to a standby state for communication from another device.

  When the received communication message is an authentication response message from the authentication device 1 to the service providing device 2 in response to an authentication request message from the service providing device 2 to the authentication device 1 (step S340), a response to the authentication request in step S341 Perform reception processing. FIG. 12 is a flowchart illustrating an example of the process of step S341.

  In the process for receiving a response to the authentication request, the communication message analysis creation management unit 32 extracts the authentication session identifier information included in the communication message (step S342). The terminal identifier management means 33 uses the identifier of the authentication request message from the service providing apparatus 2 that triggered the sending of the message included in the message as the terminal identifier of the terminal apparatus 4 that made the original service request. Obtain (step S343). Based on the terminal identifier, the cooperation session information management unit 34 associates the authentication session identifier with the terminal device 4 and stores it as cooperation session information in the cooperation session information storage unit 35 (step S344).

  The data converter 31 converts the received message according to the communication protocol with which the service providing device 2 communicates (step S345). The cooperation session information management unit 34 extracts a service session identifier for the terminal device 4 assigned from the service providing apparatus 2 from the cooperation session information. The communication message analysis creating means 32 reconstructs an authentication response message for the authentication request by using the data converted result (step S346), forwards it to the service providing apparatus 2 (step S302), and other It shifts to the standby state for communication from the device.

  When the received communication message is a service response message from the service providing apparatus 2 to the terminal apparatus 4 in response to a service request from the terminal apparatus 4 to the service providing apparatus 2 (step S350), the service response reception process in step S351 is performed. Do. FIG. 13 is a flowchart illustrating an example of the process of step S351.

  In the service response reception process, the communication message analysis creation means 32 confirms whether the service session identifier is included in the service response message. If it is included, the communication message analysis creation means 32 extracts the service session identifier (step S352). The terminal identifier management unit 33 acquires terminal identifier information (step S353). The cooperative session information management unit 34 associates the service session identifier with the terminal identifier and stores them in the cooperative session information storage unit 35 (step S354). Here, the cooperative session information management unit 34 compares the extracted service session identifier with the service session identifier stored in advance in the cooperative session information storage unit 35, and if it is the same, performs no processing. If they are different, overwrite and update. Next, the communication unit 30 transfers the service response message to the terminal device 4 (step S302), and shifts to a standby state for waiting for communication from another device.

  Next, the operation of the terminal device 4 will be described with reference to FIG. FIG. 14 is a flowchart illustrating an example of processing executed by the terminal device 4.

  When the user of the terminal device 4 makes an input indicating a service request for the service provided by the service providing device 2 (step S401), the terminal identifier management unit 43 stores the terminal identifier stored in the terminal identifier storage unit 44. Information is extracted (step S402). The service request means 42 creates a service request message for accessing the service (step S403). The communication means 40 transmits a service request message to the relay device 3 (step S404) and waits for a response from the relay device 3.

  The communication means 40 receives the message from the relay device 3 (step S405) and confirms the content of the received message (step S406). If the received message means a request for credential information from the authentication device 1 (credential request), the authentication processing means 41 prompts the user to input the credential information or the terminal device 4 stores it in advance. Create a response message that stores the credential information, for example, by automatically entering the credential information of the user. The communication unit 30 transmits a response message to the relay device 3 (step S407).

  If the received message is a service response to the service request in step S404 (response to the service request), the user can use the service without the terminal device 4 transmitting credential information (step S408). .

  Next, the effect of this embodiment will be described. In the present embodiment, even when the communication protocol followed by the communication unit 10 of the authentication device 1 and the communication protocol followed by the communication unit 20 of the service providing device 2 are different, the relay device 3 converts messages between the respective protocols. I do. Further, an authentication session identifier indicating a session between the authentication device 1 and the relay device 3 relating to the user, a service session identifier indicating a session between the service providing device 2 and the relay device 3, and a user terminal device It manages in association with the terminal identifier. Therefore, the user can use a plurality of services disclosed by different protocols only with one authentication to the authentication device 1. For this reason, the user is less required to re-authenticate, and can use various services without interruption by the authentication process, thereby improving convenience.

  In the present embodiment, by installing a relay device, single sign-on can be realized without modifying the communication protocols and basic functions of existing authentication devices, service providing devices, and terminal devices. For this reason, the mounting cost for making a service provision apparatus, an authentication apparatus, and a terminal device respond | correspond to a different protocol, and the cost accompanying the test and maintenance for that become unnecessary.

  In the method described in Patent Document 1, the user's credential information for each service is deposited in a relay device. On the other hand, in the embodiment of the present invention, it is not necessary to deposit the credential information in the relay device. For this reason, not only is it unnecessary for the user to deposit the credential information, but there is no risk of information leakage due to the deposit, so a safe system can be constructed.

  In the present embodiment, the terminal device does not need to manage a session identifier issued from the service providing device or the authentication device. For this reason, this authentication cooperation system can be used even in a terminal device that does not manage a session identifier such as a mobile phone or a PDA.

Embodiment 2. FIG.
Next, a second embodiment of the present invention will be described with reference to the drawings. FIG. 15 is a block diagram showing a second embodiment of the authentication collaboration system according to the present invention.

  The authentication cooperation system shown in FIG. 15 includes an authentication device 601, a service providing device 602, a relay device 603, and a terminal device 604, as in the first embodiment. The authentication device 601, the service providing device 602, the relay device 603, and the terminal device 604 are connected via the network 600 and communicate with each other.

  The authentication device program 611 is read into the authentication device 601. When the authentication device 601 is realized by a computer, the CPU mounted on the authentication device 601 executes the authentication device program 611 to control the operation of the authentication device 601 and to provide the service providing device 602 and the relay device. Communication between 603 and the terminal device 604 is realized. The authentication device 601 executes the same processing as the processing by the authentication device 1 in the first embodiment by executing the authentication device program 611.

  The service providing apparatus program 612 is read into the service providing apparatus 602. When the service providing apparatus 602 is realized by a computer, the CPU installed in the service providing apparatus 602 executes the service providing apparatus program 612 to control the operation of the service providing apparatus 602 and the authentication apparatus 601. Communication between the relay device 603 and the terminal device 604 is realized. The service providing apparatus 602 executes the same process as the process by the service providing apparatus 2 in the first embodiment by executing the service providing apparatus program 612.

  The relay device program 613 is read into the relay device 603. When the relay device 603 is realized by a computer, the CPU installed in the relay device 603 executes the relay device program 613, thereby controlling the operation of the relay device 603, the authentication device 601 and the service providing device. Communication between 602 and the terminal device 604 is realized. The relay device 603 executes the same processing as the processing by the relay device 3 in the first embodiment by executing the relay device program 613.

  The terminal device program 614 is read into the terminal device 604. When the terminal device 604 is realized by a computer, the CPU installed in the terminal device 604 executes the terminal device program 614 to control the operation of the terminal device 604, and the authentication device 601 and the service providing device. Communication between 602 and the relay device 603 is realized. The terminal device 604 executes the same processing as the processing by the terminal device 4 in the first embodiment by executing the terminal device program 614.

  Next, a first embodiment of the present invention will be described with reference to the drawings. This example corresponds to the first embodiment of the present invention.

  FIG. 16 is an explanatory diagram for explaining an embodiment of the authentication system according to the present invention. The authentication system illustrated in FIG. 16 includes an authentication device 1, a service providing device 2, a relay device 3, and a terminal device 4. The authentication device 1, the service providing device 2, the relay device 3, and the terminal device 4 each include the functions in the first embodiment.

  In the present embodiment, for example, the authentication device 1 includes a communication unit 20 that uses HTTP (Hyper Text Transfer Protocol) as a communication protocol (see FIG. 2).

  The service providing apparatus 2 includes, for example, a communication unit 20 capable of SIP (Session Initiation Protocol) communication (see FIG. 3). The service providing means 22 starts a session by SIP and provides a VoIP (Voice over IP) service.

  The terminal device 4 is, for example, a mobile phone that includes communication means 40 corresponding to the SIP protocol (see FIG. 4) and can receive a VoIP service. The terminal device 4 includes terminal identifier management means 43 capable of managing IP Address as a terminal identifier of the terminal device 4.

  The relay device 3 includes a communication unit 30 that can perform both HTTP and SIP communication, and a data conversion unit 31 that converts HTTP and SIP.

  For example, a telecommunications carrier that operates the authentication device 1 also has a relay device 3 in the domain. A provider that provides a VoIP service using the service providing device 2 can provide a VoIP service to a user who has access authority if, for example, the provider has a partnership with a communication carrier and is authenticated by the authentication device 1. It has become a mechanism.

  The user subscribes to the communication carrier that operates the authentication device 1 in advance and has an account. The user also subscribes to a VoIP service provider and still has an account. Both accounts of the user's telecommunications carrier and the VoIP service provider are managed in association with each other in the telecommunications carrier and the VoIP service provider. Initially, the user is not authenticated by either the authentication device 1 or the service providing device 2, and a session related to the user is not established in both devices.

  The user tries service access to the VoIP service of the service providing apparatus 2. That is, the user terminal device 4 makes a service access request (service request) to the relay device 3 using SIP (step S510). The terminal device 4 stores and sends the IP address of the terminal device 4 as a terminal identifier in the service access request.

  FIG. 17 is an explanatory diagram illustrating an example of a service request message transmitted from the terminal device 4 to the relay device 3 in step S510. FIG. 17 shows a service request when the terminal device 4 implements access to the Bob as an SIP INVITE request when the user Alice tries to make a call from the terminal device 4 to another user Bob. Illustrate the message.

  FIG. 18 is an explanatory diagram showing an example of cooperative session information stored in the cooperative session information storage unit 35. FIG. 18 shows an example of cooperative session information extracted by the cooperative session information management unit 34 when a service request is received. At the time of step S510, the relay device 3 has not established valid authentication session information regarding the user. Therefore, although the cooperation session information management unit 34 extracts the cooperation session information (see FIG. 18) stored in the cooperation session information storage unit 35 based on the IP address, it cannot obtain a valid session identifier. Therefore, the relay device 3 transfers the received service access request as it is to the service providing device 2 using SIP (step S511).

  FIG. 19 is an explanatory diagram illustrating an example of a service request message that the relay device 3 transmits to the service providing device 2 in step S511. The service request message illustrated in FIG. 19 includes header information indicating that the service request message illustrated in FIG. 17 has been transferred via the relay device 3.

  When the service providing apparatus 2 that has received the service access request determines that the service access request does not include a valid service session identifier, the service providing apparatus 2 sends a message requesting the user to the authentication apparatus 1 to the relay apparatus 3. (Step S512).

  FIG. 20 is an explanatory diagram illustrating an example of an authentication request message transmitted from the service providing apparatus 2 to the relay apparatus 3 in step S512. FIG. 20 illustrates a case in which the relay apparatus 3 is instructed as an authentication apparatus to be requested for authentication by storing information indicating the authentication apparatus 1 in the Contact information of the SIP redirect message. Note that the relay device 3 may store in advance information indicating the authentication device to be requested for authentication, without entering the Contact information.

  The relay device 3 converts the received SIP authentication request into HTTP. Further, the authentication session identifier corresponding to the authentication device 1 is searched based on the terminal identifier (IP address of the terminal device 4), and it is confirmed that it does not exist (step S513). Then, the relay device 3 transmits an authentication request message based on the converted HTTP to the authentication device 1 (step S514).

  FIG. 21 is an explanatory diagram illustrating an example of an authentication request message that the relay device 3 transmits to the authentication device 1 in step S514. The authentication request message illustrated in FIG. 21 is in accordance with an ID-FF (Identity Federation Framework) authentication request defined by the Liberty Alliance Project. The relay device 3 configures an HTTP authentication request storing a predetermined message with the contact information of the SIP redirect message in step S512 as a destination.

  The authentication device 1 examines the received HTTP authentication request, and determines that the authentication session identifier is not included, creates a message requesting the user's credential information and transmits the message to the relay device 3 (step S515). ).

  FIG. 22 is an explanatory diagram illustrating an example of a credential request message transmitted from the authentication device 1 to the relay device 3 in step S515. FIG. 22 shows an example of requesting credential information from the user Alice. The message shown in FIG. 22 is a message including nonce information according to the HTTP digest authentication method.

  The relay device 3 converts the received credential request message into SIP (step S516) and transmits it to the terminal device 4 (step S517).

  FIG. 23 is an explanatory diagram illustrating an example of a credential request message that the relay device 3 transmits to the terminal device 4 in step S517. FIG. 23 shows an example of requesting credential information from the user Alice. The message shown in FIG. 23 is a message conforming to the SIP Digest authentication method. The relay device 3 converts the HTTP Digest authentication message received from the authentication device 1 in step S515 into SIP, and assigns a Call-ID that is an identifier of a message that associates a series of messages related to the user.

  The terminal device 4 receives the credential request message, and transmits a credential response message including the user credential information to the relay device 3 by SIP (step S518).

  FIG. 24 is an explanatory diagram illustrating an example of a response message transmitted from the terminal device 4 to the relay device 3 in step S518. FIG. 24 shows an example in which the response message includes the credential information of the user Alice. The message shown in FIG. 24 is a response to the credential request message transmitted in step S517, and includes encrypted credential information in the proxy-authorization response.

  The relay device 3 converts the response message including the credential information transmitted by the terminal device 4 from SIP to HTTP (step S519), and transmits the response message to the authentication device 1 (step S520).

  FIG. 25 is an explanatory diagram illustrating an example of a response message that the relay device 3 transmits to the authentication device 1 in step S520. FIG. 25 shows an example when the response message includes the credential information of the user Alice. The message shown in FIG. 25 is a message in which the relay apparatus 3 converts the SIP INVITE message received in step S518 into an HTTP GET.

  The authentication device 1 confirms the credential information and authenticates the user. When the authentication is completed, the authentication device 1 creates an authentication certificate based on the authentication result, and further issues a new authentication session corresponding to the user (step S521).

  The authentication device 1 creates an authentication response message including an authentication certificate and an authentication session identifier corresponding to the authentication session, and transmits the authentication response message to the relay device 3 using HTTP (step S522).

  FIG. 26 is an explanatory diagram illustrating an example of an authentication response message transmitted from the authentication device 1 to the relay device 3 in step S522. FIG. 26 shows an example where the authentication response message includes the authentication certificate of user Alice. The message shown in FIG. 26 includes the encoded Alice authentication certificate in the input value of the form, and the authentication session identifier in the Set-Cookie.

  The relay device 3 extracts the authentication session identifier included in the received authentication response message, and newly registers it as user cooperation session information (step S523). FIG. 27 is an explanatory diagram showing an example of cooperative session information stored in the cooperative session information storage unit 35. FIG. 27 shows an example of cooperative session information registered by the cooperative session information management unit 34 when an authentication response message is received. In the example illustrated in FIG. 27, the authentication session identifier (1234abcd) transmitted from the authentication device 1 is registered in association with the IP address of the terminal device 4. Further, the relay device 3 converts the received HTTP authentication response message into SIP and forwards it to the service providing device 2 (step S524).

  FIG. 28 is an explanatory diagram illustrating an example of an authentication response message transmitted from the relay device 3 to the service providing device 2 in step S524. FIG. 28 shows an example in which the authentication response message includes the authentication certificate of user Alice. FIG. 28 illustrates a case where the SIP message includes the authentication certificate (Assert) transmitted in step S522 in the MIME format.

  The service providing apparatus 2 extracts the authentication certificate information included in the received authentication response message, and specifies the user described in the extracted authentication certificate. Then, it is checked whether or not the specified user has an access right to the service. If authorized, a new service session for service provision is created, and a service response message including the corresponding service session identifier is created and transmitted to the relay device 3 (step S525).

  The relay device 3 acquires the service session identifier information included in the service response message for the service request, and newly registers it as cooperation session information related to the user (step S526). FIG. 29 is an explanatory diagram showing an example of cooperative session information stored in the cooperative session information storage unit 35. FIG. 29 shows an example of cooperative session information registered by the cooperative session information management unit 34 at the time of step S526. In the example illustrated in FIG. 29, the service session identifier (aaabb) transmitted from the service providing apparatus 2 is registered in association with the IP address of the terminal apparatus 4. Further, the relay device 3 transfers the received service response message to the terminal device 4 (step S527).

  Next, when the same user uses the terminal device 4 to access a content service provided by the same service providing apparatus 2 although it is different from the VoIP service published by the VoIP service provider. Will be described with reference to FIG.

  FIG. 30 is an explanatory diagram for explaining an embodiment of the authentication system according to the present invention. The authentication system illustrated in FIG. 30 includes an authentication device 1, a service providing device 2, a relay device 3, and a terminal device 4. The authentication device 1, the service providing device 2, the relay device 3, and the terminal device 4 each include the functions in the first embodiment. Hereinafter, it is assumed that the settings of the user and each device are exactly the same as the above settings (see FIG. 16). The state of the authentication system shown in FIG. 30 is inherited from the state of the authentication system shown in FIG. The relay device 3 holds the cooperative session information illustrated in FIG.

  From this state, the user makes an access request (service request) to the content service from the terminal device 4 (step S530).

  The relay device 3 receives the access request, extracts the terminal identifier of the terminal device 4, and extracts cooperative session information corresponding to the terminal identifier (step S531). As shown in FIG. 29, the service session identifier corresponding to the service providing apparatus 2 is stored in the cooperative session information. The relay device 3 performs protocol conversion on the received service request message, creates a new message, assigns a service session identifier, and transmits the message to the service providing device 2 (step S532).

  The service providing apparatus 2 refers to the service session identifier included in the received service request message, and confirms that the user's session is effectively established (step S533).

  Further, the service providing apparatus 2 confirms the user's authority to access the content service, and then transmits a response for providing the service (service response message) to the relay apparatus 3 (step S534).

  The relay device 3 registers again if the service session identifier included in the received service response message has been updated (step S535), and transfers it to the terminal device 4 (step S536).

  As described above, in the processing from step S530 to step S536, an additional user authentication procedure does not occur.

  Next, referring to FIG. 31, a case where the user subsequently accesses the content service provided by SIP by a content provider different from the above VoIP service provider by using the terminal device 4. explain.

  FIG. 31 is an explanatory diagram for explaining an embodiment of the authentication system according to the present invention. The authentication system illustrated in FIG. 31 includes an authentication device 1, a service providing device 302, a relay device 3, and a terminal device 4. The authentication device 1, the service providing device 302, the relay device 3, and the terminal device 4 each include the functions in the first embodiment.

  The service providing apparatus 302 is a service providing apparatus different from the service providing apparatus 2 shown in FIGS. For example, the service providing apparatus 2 and the service providing apparatus 302 are managed by different operators. In the authentication system shown in FIG. 31, the user, the terminal device 4, the relay device 3, and the authentication device 1 are the same as those illustrated in FIG. 30, and inherit the state of FIG. The relay device 3 has the cooperative session information shown in FIG.

  The user uses the terminal device 4 to make a service access request to the relay device 3 (step S540).

  When the relay device 3 receives the service access request, extracts the cooperative session information corresponding to the terminal device 4, and determines that there is no service session identifier corresponding to the service providing device 302 (step S541), the service providing device 302 The service access request is transferred to the server (step S542).

  When determining that the service message identifier is not included in the received message, the service providing apparatus 302 transmits an authentication request message for the authentication apparatus 1 to the relay apparatus 3 (step S543).

  When the relay device 3 extracts the cooperative session information based on the terminal identifier of the terminal device 4 and determines that the authentication session related to the user is established, the relay device 3 converts the data from SIP to HTTP and stores the authentication session identifier. An authentication request message is created (step S544) and transmitted to the authentication device 1 (step S545).

  The authentication device 1 extracts the authentication session identifier included in the authentication request message and confirms that it is a valid session (step S546), creates an authentication certificate, and sends a response message to the authentication request to the relay device 3. Is transmitted (step S547).

  The relay device 3 confirms that the authentication session identifier included in the received authentication response message has not been updated (step S548), converts the protocol from HTTP to SIP, and then sends an authentication response message to the service providing device 302. Is transmitted (step S549).

  After providing authorization for user access, the service providing apparatus 302 newly creates a service session, issues a service session identifier, and transmits a service response message to the relay apparatus 3 (step S550).

  The relay device 3 receives the service response message, newly registers the service session identifier from the service providing device 302 in the cooperative session information (step S551), and transfers the service response message to the terminal device 4 (step S552).

  As described above, in steps S540 to S552, although the service providing apparatus 302 accessed by the user is different from the service providing apparatus 2 shown in FIG. 16, the user has already authenticated by the authentication apparatus 1 and has established an authentication session Yes. Therefore, no credential request is issued from the authentication device 1 to the user, and the user can access the service providing device 302 without an authentication procedure.

  In this embodiment, the authentication apparatus is compatible with HTTP and the service providing apparatus is compatible with SIP, but the flow of processing is the same even with this combination or another protocol.

  The present invention can be applied to uses such as an authentication system in a distributed system constructed on a network such as the Internet, a mobile phone network, a fixed telephone network, a wireless LAN, and a WAN, and a program for realizing the authentication system on a computer. .

It is a block diagram which shows the structural example of the authentication cooperation system by this invention. It is a block diagram which shows an example of a structure of an authentication apparatus. It is a block diagram which shows an example of a structure of a service provision apparatus. It is a block diagram which shows an example of a structure of a relay apparatus. It is a block diagram which shows an example of a structure of a terminal device. It is a flowchart which shows an example of the process which an authentication apparatus performs. It is a flowchart which shows an example of the process which a service provision apparatus performs. It is a flowchart which shows an example of the process which a relay apparatus performs. It is a flowchart which shows the example of a process at the time of a service request / other reception. It is a flowchart which shows the example of a process at the time of authentication request reception. It is a flowchart which shows the example of a process at the time of credential request | requirement reception. It is a flowchart which shows the example of the process at the time of the response reception to an authentication request. It is a flowchart which shows the example of the process at the time of service response reception. It is a flowchart which shows an example of the process which a terminal device performs. It is a block diagram which shows 2nd Embodiment of the authentication cooperation system by this invention. It is explanatory drawing for demonstrating the Example of the authentication system by this invention. It is explanatory drawing which shows an example of the service request message which a terminal device transmits to a relay apparatus. It is explanatory drawing which shows an example of cooperation session information. It is explanatory drawing which shows an example of the service request message which a relay apparatus transmits to a service provision apparatus. It is explanatory drawing which shows an example of the authentication request message which a service provision apparatus transmits to a relay apparatus. It is explanatory drawing which shows an example of the authentication request message which a relay apparatus transmits to an authentication apparatus. It is explanatory drawing which shows an example of the credential request message which an authentication apparatus transmits to a relay apparatus. It is explanatory drawing which shows an example of the credential request message which a relay apparatus transmits to a terminal device. It is explanatory drawing which shows an example of the response message which a terminal device transmits to a relay apparatus. It is explanatory drawing which shows an example of the response message which a relay apparatus transmits to an authentication apparatus. It is explanatory drawing which shows an example of the authentication response message which an authentication apparatus transmits to a relay apparatus. It is explanatory drawing which shows an example of cooperation session information. It is explanatory drawing which shows an example of the authentication response message which a relay apparatus transmits to a service provision apparatus. It is explanatory drawing which shows an example of cooperation session information. It is explanatory drawing for demonstrating the Example of the authentication system by this invention. It is explanatory drawing for demonstrating the Example of the authentication system by this invention. It is explanatory drawing which shows the example of the conventional authentication system described in the nonpatent literature 1. It is explanatory drawing which shows the example of the conventional computer system which implement | achieves a single sign-on environment.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 Authentication apparatus 2 Service provision apparatus 3 Relay apparatus 4 Terminal apparatus 500 Network

Claims (12)

An authentication linkage system comprising a terminal device used by a user, an authentication device that authenticates the user, and a relay device that relays communication between a service providing device that provides a service to the user,
The relay device is
Cooperation information storage means for storing an authentication session identifier generated for each user authenticated by the authentication device in association with information indicating the user;
A conversion unit that receives an authentication request when the service providing apparatus transmits an authentication request for a user who has requested a service to the authentication apparatus, and converts the authentication request based on a conversion rule stored in advance;
An authentication session identifier corresponding to the information indicating the user is extracted from the cooperation information storage unit, the extracted authentication session identifier is included in the authentication request converted by the conversion unit, and the authentication request is transmitted to the authentication device. Authentication request relay means,
The authentication device
It is determined whether or not the received authentication request includes an authentication session identifier. If it is determined that the authentication request includes an authentication session identifier, an authentication response indicating that the user has been authenticated is transmitted to the service providing apparatus, and is not included. An authentication linkage system comprising authentication determination means for performing authentication processing of the user when it is determined. The linkage information storage means stores the service session identifier generated by the service providing device every time the service is provided to the terminal device in association with information indicating the user,
The conversion means receives a service request transmitted from the terminal device to the service providing device, converts the received service request based on a conversion rule stored in advance,
The relay device
A service session identifier corresponding to information indicating a user who requested a service is extracted from the cooperation information storage unit, the extracted service session identifier is included in the service request converted by the conversion unit, and the service request is provided to the service Including a service request relay means for transmitting to the device,
The service providing apparatus includes:
It is determined whether or not the received service request includes a service session identifier. When it is determined that the service request includes a service session identifier, a service response for providing a service to the user is transmitted to the terminal device and is determined not to include The authentication cooperation system according to claim 1, further comprising: a service determination unit that transmits an authentication request for the user to an authentication device. The authentication cooperation system according to claim 1, wherein the authentication determination unit transmits an authentication response when the authentication session identifier satisfies a predetermined condition. The authentication cooperation system according to claim 2 or 3, wherein the service determination unit transmits a service response when the service session identifier satisfies a predetermined condition. An authentication linkage system comprising a terminal device used by a user, an authentication device that authenticates the user, and a relay device that relays communication between a service providing device that provides a service to the user,
The relay device is
Cooperation information storage means for storing an authentication session identifier generated for each user authenticated by the authentication device in association with information indicating the user;
When the service providing apparatus transmits an authentication request for a user who has requested a service to the authentication apparatus, the authentication information is received, and an authentication session identifier corresponding to information indicating the user is received in the cooperation information storage unit And an authentication request relay means for transmitting an authentication request including the extracted authentication session identifier to the authentication device,
The authentication device
It is determined whether or not the received authentication request includes an authentication session identifier. If it is determined that the authentication request includes an authentication session identifier, an authentication response indicating that the user has been authenticated is transmitted to the service providing apparatus, and is not included. An authentication linkage system comprising authentication determination means for performing authentication processing of the user when it is determined. The linkage information storage means stores the service session identifier generated by the service providing device every time the service is provided to the terminal device in association with information indicating the user,
The relay device
A service request relay unit that extracts a service session identifier corresponding to information indicating a user who requested a service from the cooperation information storage unit, and transmits a service request including the extracted service session identifier to the service providing device;
The service providing apparatus includes:
It is determined whether or not the received service request includes a service session identifier. When it is determined that the service request includes a service session identifier, a service response for providing a service to the user is transmitted to the terminal device and is determined not to include The authentication cooperation system according to claim 5, further comprising a service determination unit that transmits an authentication request for the user to an authentication device. A relay device that relays communication between a terminal device used by a user, an authentication device that authenticates the user, and a service providing device that provides a service to the user,
Cooperation information storage means for storing an authentication session identifier generated for each user authenticated by the authentication device in association with information indicating the user;
A conversion unit that receives an authentication request when the service providing apparatus transmits an authentication request for a user who has requested a service to the authentication apparatus, and converts the authentication request based on a conversion rule stored in advance;
An authentication session identifier corresponding to the information indicating the user is extracted from the cooperation information storage unit, the extracted authentication session identifier is included in the authentication request converted by the conversion unit, and the authentication request is transmitted to the authentication device. A relay device comprising an authentication request relay means. The linkage information storage means stores the service session identifier generated by the service providing device every time the service is provided to the terminal device in association with information indicating the user,
The conversion means receives a service request transmitted from the terminal device to the service providing device, converts the received service request based on a conversion rule stored in advance,
A service session identifier corresponding to information indicating a user who requested a service is extracted from the cooperation information storage unit, the extracted service session identifier is included in the service request converted by the conversion unit, and the service request is provided to the service The relay apparatus according to claim 7, further comprising service request relay means for transmitting to the apparatus. An authentication linkage method in which a relay device relays communication between a terminal device used by a user, an authentication device that authenticates the user, and a service providing device that provides a service to the user,
The relay apparatus stores an authentication session identifier generated for each user authenticated by the authentication apparatus in association information storage means in association with information indicating the user,
When the relay device transmits an authentication request for a user who has requested a service to the authentication device, the service providing device receives the authentication request and converts it based on a conversion rule stored in advance.
The relay device extracts an authentication session identifier corresponding to information indicating the user from the cooperation information storage unit, includes the extracted authentication session identifier in the converted authentication request, and transmits the authentication request to the authentication device. And
When the authentication device determines whether or not the received authentication request includes an authentication session identifier, and determines that the authentication device includes an authentication session identifier, an authentication response indicating that the user has been authenticated is sent to the service providing device. An authentication linkage method, wherein the user authentication process is performed when it is determined that the user is not included. The relay device stores the service session identifier generated by the service providing device every time the service is provided to the terminal device in association with the information indicating the user in the cooperation information storage unit,
The relay device receives a service request transmitted from the terminal device to the service providing device, converts the received service request based on a conversion rule stored in advance,
The relay device extracts a service session identifier corresponding to information indicating a user who has requested a service from the cooperation information storage unit, includes the extracted service session identifier in the converted service request, and includes the service request in the service To the providing device,
When the service providing apparatus determines whether the received service request includes a service session identifier, and determines that the service request includes a service session identifier, a service response for providing a service to the user is transmitted to the terminal apparatus. The authentication cooperation method according to claim 9, wherein if it is determined that the user is not included, an authentication request for the user is transmitted to an authentication device. An authentication linkage program for relaying communication between a terminal device used by a user, an authentication device that authenticates the user, and a service providing device that provides a service to the user,
On the computer,
Processing for storing an authentication session identifier generated for each user authenticated by the authentication device in association information storage means in association with information indicating the user;
When the service providing apparatus transmits an authentication request for a user who requested a service to the authentication apparatus, the authentication request is received and converted based on a conversion rule stored in advance;
A process of extracting an authentication session identifier corresponding to information indicating the user from the cooperation information storage unit, including the extracted authentication session identifier in the converted authentication request, and transmitting the authentication request to the authentication device. Authentication cooperation program to let you. On the computer,
A process in which the service providing apparatus stores the service session identifier generated every time the service is provided to the terminal device in association with the information indicating the user in the cooperation information storage unit;
Processing for receiving the service request transmitted from the terminal device to the service providing device and converting the received service request based on a conversion rule stored in advance;
A service session identifier corresponding to information indicating a user who has requested a service is extracted from the cooperation information storage unit, the extracted service session identifier is included in the converted service request, and the service request is transmitted to the service providing apparatus. The authentication cooperation program according to claim 11 for performing processing.

Images