Recently, a variety of apparatuses, such as personal computers (PCs), portable telephones, PDAs and network-capable household appliances, have emerged that combine a higher-performance processing function with a communication function. These apparatuses can receive a variety of services via wired and wireless networks while using a variety of communication systems. With this emergence, it has become important, from the security standpoint, for a service provider that provides services via the network to authenticate the user of a terminal that accesses it via the network.
When the user of a terminal is authenticated, each service provider usually authenticates the user with its own, different authentication system. Therefore, if the user wishes to receive a variety of services as described above, the user is required to be authenticated each time a service is received, which takes a long time and makes the authentication processing inconvenient for the user.
Conventional techniques for solving the problem that authentication is needed for every service include one that allows service providers to exchange authentication information between themselves on the Internet by using a markup language such as SAML (Security Assertion Markup Language), which is prescribed in a technical specification. For example, SAML, described in “Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0”, [online], Mar. 15, 2005, OASIS [searched on Sep. 20, 1995], Internet <URL: http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf> (Non-Patent Document), may be used to achieve a distributed authentication system.
FIG. 26 shows the flow of messages for achieving single sign-on in the conventional distributed authentication system using the SAML described in the Non-Patent Document. In this system, an IdP (identity provider) 900, an SP (service provider) 901, and a user agent (software on the user terminal) 902 are connected together via the Internet. Specifically, IdP 900 and SP 901 are realized by a server and a database that are managed by each provider. Although expressions such as “the user agent 902 performs login” are used hereinafter, it is actually the user terminal that performs the processing, under control of the user agent 902 that is implemented in software.
A procedure for exchanging messages during single sign-on will be described for the case of using the artifact profile of the WebSSO protocol, as a typical operation of the distributed authentication system that uses the SAML described in the Non-Patent Document and has the configuration shown in FIG. 26. The example shown in FIG. 26 presumes that the account of the user of the user agent 902 has been entered beforehand into user information 903 of the database managed by IdP 900, and into user information 904 of the database managed by SP 901. IdP 900 and SP 901 cooperate beforehand to manage both accounts registered in the user information 903 and the user information 904.
As shown in FIG. 26, the user agent 902 is authenticated by IdP 900 according to an operation by the user, and logs in to IdP 900 (step (1)). The user agent 902 also accesses SP 901 according to an operation by the user in order to use a service whose use is restricted by SP 901 (step (2)).
SP 901 transmits an authentication request message to IdP 900 via the user agent 902 in order to authenticate the user (step (3-a)). The user agent 902 redirects (transfers) the authentication request message from SP 901 to IdP 900 (step (3-b)). Thereafter, IdP 900 acknowledges that the user was already authenticated in step (1), and creates an XML document (authentication assertion) attesting that the user has already been authenticated (step (4)).
IdP 900 also creates an artifact that acts as a ticket corresponding to the authentication assertion, and returns it to the user agent 902 (step (5-a)). The user agent 902 redirects (transfers) the artifact to SP 901 (step (5-b)). Upon receiving the artifact, SP 901 transmits it to IdP 900 and requests the corresponding authentication assertion (step (6)).
IdP 900 checks the artifact received from SP 901 and returns the corresponding authentication assertion to SP 901 (step (7)). SP 901 checks the validity of the authentication assertion received from IdP 900, and verifies, using its own security policy, whether or not the access request from the user agent 902 to the service is to be permitted. If the access is permitted, SP 901 starts providing the service to the user agent 902 (step (8)).
As described heretofore, in the distributed authentication system using the SAML described in the Non-Patent Document, SP 901 entrusts the authentication function to IdP 900 rather than authenticating the user by itself, and judges whether to permit or deny provision of the service based on the authentication information of the user received from IdP 900. Therefore, if the user performs only the authentication procedure with IdP 900, single sign-on that allows use of the service of SP 901 is attained. This procedure reduces the number of authentication operations the user must perform when using a plurality of services, thereby increasing convenience for the user.
In the SAML described in the Non-Patent Document, a search technique by which the SP identifies the IdP to be used for authentication is provided in addition to the single-sign-on technique described above. The technique for searching for the IdP by using the SAML will be described hereinafter with reference to FIG. 27.
FIG. 27 is an explanatory diagram showing the flow of searching for the IdP by using the SAML described in the Non-Patent Document. As shown in FIG. 27, IdP 911 and SP 915 manage respective common-domain servers (common-domain server IdP 913 and common-domain server SP 914 in this example) belonging to a common domain 912. When the user agent 910, which is configured as a Web browser, is authenticated by IdP 911 according to an operation by the user (step (1) of FIG. 27), the user agent 910 is redirected (by automatic transfer to a URL) to the common-domain server IdP 913 (steps (2-a), (2-b)). The user agent 910 acquires (receives) from the common-domain server IdP 913 a cookie applicable to the common domain, which describes in a specific format the list of IdPs that have authenticated the user (step (3)).
Thereafter, when the user agent 910 requests access to the service of SP 915 (step (4)), SP 915 redirects the user agent 910 (by automatic transfer to a URL) to the common-domain server SP 914 (steps (5-a), (5-b)). The common-domain server SP 914 acquires (extracts) the list of IdPs that have authenticated the user from the cookie data, creates a message storing the list information of the extracted IdPs, and redirects the user agent 910 (by automatic transfer to a URL) to SP 915 (steps (6-a), (6-b)).
Upon receiving the message from the common-domain server SP 914, SP 915 finds (identifies) IdP 911 in the list of IdPs that have authenticated the user, and acknowledges that the user has been authenticated by IdP 911. If the user has also been authenticated, through the user agent 910, by a second IdP other than IdP 911, information on the second IdP is described in the common-domain cookie as well. Therefore, SP 915 can acquire the list of IdPs that have authenticated the user.
As described heretofore, in the technique for searching for the IdP by using the SAML, the SP cooperates with a plurality of IdPs and uses the HTTP-based common-domain cookie, provided that the user can access each IdP in the same way. This procedure allows the SP to acquire the list of IdPs that have authenticated the user, and the list thus acquired can be used to determine the IdP to which an authentication request is to be transmitted in order to perform single sign-on.
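The common-domain cookie handling of steps (3) and (6) above, as an added example (not code from the Non-Patent Document or from any product). It follows the cookie format of the SAML 2.0 IdP Discovery Profile (cookie named "_saml_idp", a URL-encoded, space-separated list of base64-encoded IdP entity IDs with the most recent last); the entity IDs are constructed, and choose_idp adds the check that the SP acts only on IdPs it is already configured to trust, since the cookie arrives from the client.

```python
import base64
from urllib.parse import quote, unquote

COOKIE_NAME = "_saml_idp"   # cookie name fixed by the SAML IdP Discovery Profile

def parse_idp_cookie(cookie_value):
    """Step (6): the common-domain SP server extracts the IdP list from the cookie.
    The value is URL-encoded, space-separated, base64 entity IDs, newest last;
    malformed entries are dropped rather than trusted."""
    ids = []
    for token in unquote(cookie_value or "").split():
        try:
            ids.append(base64.b64decode(token, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue
    return ids

def add_idp_to_cookie(cookie_value, idp_entity_id):
    """Step (3): the common-domain IdP server records the IdP that just
    authenticated the user, moving it to the end if it is already listed."""
    ids = [i for i in parse_idp_cookie(cookie_value) if i != idp_entity_id]
    ids.append(idp_entity_id)
    return quote(" ".join(base64.b64encode(i.encode()).decode() for i in ids))

def choose_idp(cookie_value, trusted_idps):
    """SP side: prefer the most recently used IdP, but only one the SP is
    configured to trust. The cookie is client-controlled, so an unknown entity
    ID must never become the redirect target for the authentication request."""
    for entity_id in reversed(parse_idp_cookie(cookie_value)):
        if entity_id in trusted_idps:
            return entity_id
    return None
```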
Patent Publication JP-2004-362189A describes a user-information distribution system in which terminals of service providers, each providing a service to users, are connected to a network and exchange information on users between themselves. In the system described in JP-2004-362189A, the terminal of a first service provider that has authenticated a user enters the user information, including authentication information, into the user-information distribution system. When the user accesses the terminal of a second service provider, the user-information distribution system provides the registered user information based on environment information, in addition to a public control policy and an information request policy of the user.
As shown above, in the system described in JP-2004-362189A, a plurality of service providers share the authentication information of the user via the user-information distribution system, whereby the number of times the service providers must authenticate the user can be reduced.
The specification of Patent Publication JP-3569122B describes a session management system that manages communication exchanged among a plurality of servers as the same session. In that system, a session identifier is attached to the URL transmitted from a user who has undergone user authentication, and a display-data-creation-program controller that receives this data notifies a session-management-identifier management unit. The session-management-identifier management unit, upon recognizing that a session management identifier is included in the received URL, refers to a session-management-identifier management table and investigates whether the session has already been authenticated. If it has, the display-data-creation-program controller provides the service.
In the conventional distributed authentication system using the SAML described in the Non-Patent Document and the system described in the specification of JP-3569122B, no consideration is given to a single terminal accessing a single service by using a plurality of communication systems. Thus, if the communication system of the terminal is switched while the user is using the service, authentication is requested again. This results either in an interruption of the service or in the state of service use before the change of communication system not being carried over after the change, so that the service cannot be used continuously. Accordingly, there is a first problem in that if the communication system of the terminal accessing the service is changed in the course of using the service, the session state established during use of the service cannot be carried over.
In the distributed authentication system using the SAML described in the Non-Patent Document, if a plurality of authentication agents manage a user, there is no means to share the user's authentication information among those authentication agents. On the other hand, the system described in conventional technique 1 employs a lookup scheme that finds the authentication agent by using the common-domain cookie in a situation where there are a plurality of authentication agents.
However, use of the common-domain cookie presumes that HTTP is used as the communication system, so the user terminal must use a Web browser, and the authentication agents and service providers must likewise use HTTP. Therefore, if the system described in conventional technique 1 is used, authentication information cannot be exchanged when a communication protocol other than HTTP is used.
In addition, if the service provider cooperates with a plurality of authentication agents using the above search technique (the technique for searching for authentication agents using the common-domain cookie), the service provider can acquire, from the common-domain cookie, the list of authentication agents that have authenticated the user and select a target authentication agent from it. However, if the service provider needs to use or select a specific authentication agent fixedly, the technique for searching for the authentication agent serves no purpose, and the authentication information is not exchanged between the authentication agents.
In the distributed authentication system described in JP-2004-362189A, a plurality of service providers share information that identifies individual persons in order to realize single sign-on, which may lead to exposure of privacy.
More specifically, the system described in JP-2004-362189A explicitly states that the personal information includes information such as a name or address that can identify the individual person. It is to be noted that if information fixedly associated with a user is shared among a plurality of service providers, that information can be correlated with the user each time an access from the user occurs, even if the information does not in fact identify an individual person.
Therefore, where there are a plurality of authentication agents, there is a second problem in that the authentication of a user for a plurality of service providers cannot be performed collectively at once, independently of the communication system or communication protocol, while preventing disclosure of the user's private information.
Neither the conventional distributed authentication system using the SAML described in the Non-Patent Document nor the system described in JP-2004-362189A takes into consideration that a terminal used by the user may employ a plurality of communication systems and that the user may select one of them for communication. Thus, there is a third problem in that the user cannot select the optimum communication system when the user is allowed to use a plurality of communication systems.
In the session management system described in the specification of Patent Publication JP-3569122B, the first servers share the session information issued by the second server, so that once a first server obtains the session information of a user, this information can also be used by another first server. Accordingly, if this session management system is applied to a heterogeneous environment (that is, an environment where a plurality of first servers are managed by different providers), takeover of the session (session hijacking) may occur among the different providers.