1. Field of the Invention
The present invention relates to an information processing system complying with single sign-on, a method for controlling the information processing system, and a storage medium.
2. Description of the Related Art
Conventionally, as techniques for coordinating authentication among a plurality of services, single sign-on (hereinafter referred to as SSO) systems using Security Assertion Markup Language (SAML) have been provided. In SSO systems using SAML, a user has two identifications (IDs): one at the authentication service provider (identity provider, hereinafter referred to as IdP), and the other at the provider of a service that relies on the authentication result of the authentication service (service provider, hereinafter referred to as SP).
When the user is authenticated by the IdP, the SP relies on the authentication result and treats the ID authenticated by the IdP as the ID for managing access by the user in the SP. This flow is referred to as IdP-initiated SSO. When an unauthenticated user, i.e., a user who has not yet been authenticated by the IdP, accesses the SP, the SP guides the unauthenticated user to an appropriate IdP, where the user is then authenticated. This flow is referred to as SP-initiated SSO.
At the time the unauthenticated user accesses the SP, it is not possible to determine to which IdP the user should be guided for authentication. To solve this issue, conventional SP-initiated SSO provides a method for displaying a list of IdPs so that the user can select one. Japanese Patent Application Laid-Open No. 2010-128719 discusses a method for determining an IdP that satisfies a request from an SP, according to the authentication level expected to be requested by the SP that the user accesses and a user attribute, and redirecting the user to that IdP.
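The following Python model is an added illustration of the SP-initiated flow and the IdP determination described above; it is not part of the patent text and not real SAML. Assertions are JSON dictionaries with an HMAC tag standing in for an XML signature, and the entity identifiers, keys, user names, passwords and the email-domain attribute are all constructed. It shows the two IDs the user holds (one at the IdP, one at the SP), the SP choosing an IdP by authentication level and user attribute instead of showing a list, and the checks an SP performs before trusting an authentication result (known issuer, valid signature, correct audience, matching outstanding request, sufficient level, not expired).

```python
"""Simplified SP-initiated SSO with IdP discovery (added example, not SAML)."""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field


@dataclass
class IdP:
    entity_id: str
    key: bytes                      # shared secret standing in for the IdP signing key
    auth_level: int                 # authentication level this IdP provides
    domains: set = field(default_factory=set)   # user attribute (email domain) it serves
    users: dict = field(default_factory=dict)   # IdP-side ID -> password (constructed)

    def authenticate(self, request, idp_user_id, password):
        """Authenticate the user and return a signed assertion, or None on failure."""
        if self.users.get(idp_user_id) != password:
            return None
        body = {
            "issuer": self.entity_id,
            "audience": request["sp"],            # the SP this assertion is for
            "in_response_to": request["id"],      # binds the assertion to one request
            "subject": idp_user_id,               # the IdP-side ID
            "auth_level": self.auth_level,
            "not_on_or_after": request["now"] + 300,
        }
        raw = json.dumps(body, sort_keys=True).encode()
        tag = hmac.new(self.key, raw, hashlib.sha256).hexdigest()
        return {"body": body, "tag": tag}


class SP:
    def __init__(self, entity_id, required_level):
        self.entity_id = entity_id
        self.required_level = required_level
        self.trusted = {}     # IdP entity_id -> IdP (the SP's list of IdPs)
        self.id_map = {}      # (issuer, IdP-side ID) -> SP-side ID
        self.pending = {}     # outstanding request IDs

    def register_idp(self, idp):
        self.trusted[idp.entity_id] = idp

    def discover_idp(self, user_attribute):
        """Pick an IdP serving the user's domain that meets the SP's level.

        Returns None when no IdP qualifies, i.e. the SP would fall back to
        displaying the IdP list for the user to choose from.
        """
        domain = user_attribute.rsplit("@", 1)[-1]
        for idp in self.trusted.values():
            if domain in idp.domains and idp.auth_level >= self.required_level:
                return idp
        return None

    def build_request(self, idp, now):
        """Create the request the SP redirects the user to the IdP with."""
        req = {"id": secrets.token_hex(8), "sp": self.entity_id,
               "idp": idp.entity_id, "now": now}
        self.pending[req["id"]] = req
        return req

    def consume_assertion(self, assertion, now):
        """Validate an assertion and return the SP-side ID, or None if rejected."""
        body, tag = assertion["body"], assertion["tag"]
        idp = self.trusted.get(body["issuer"])
        if idp is None:
            return None                                   # unknown issuer
        raw = json.dumps(body, sort_keys=True).encode()
        expected = hmac.new(idp.key, raw, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return None                                   # tampered or forged
        if body["audience"] != self.entity_id:
            return None                                   # meant for another SP
        if self.pending.pop(body["in_response_to"], None) is None:
            return None                                   # replayed or unsolicited
        if body["auth_level"] < self.required_level:
            return None                                   # IdP level too low
        if now >= body["not_on_or_after"]:
            return None                                   # expired
        key = (body["issuer"], body["subject"])
        if key not in self.id_map:                        # first visit: allocate SP-side ID
            self.id_map[key] = f"sp-user-{len(self.id_map) + 1}"
        return self.id_map[key]


def sp_initiated_sso(sp, email, idp_user_id, password, now):
    """Run the whole flow for an unauthenticated user; return SP-side ID or None."""
    idp = sp.discover_idp(email)
    if idp is None:
        return None
    request = sp.build_request(idp, now)
    assertion = idp.authenticate(request, idp_user_id, password)
    if assertion is None:
        return None
    return sp.consume_assertion(assertion, now)


def build_demo():
    """Constructed deployment: two IdPs with different levels, one SP needing level 2."""
    idp_a = IdP("https://idp.example.com", b"constructed-key-a", 2,
                {"example.com"}, {"alice": "constructed-pw"})
    idp_b = IdP("https://idp.partner.test", b"constructed-key-b", 1,
                {"partner.test"}, {"bob": "constructed-pw"})
    sp = SP("https://sp.example.net", required_level=2)
    sp.register_idp(idp_a)
    sp.register_idp(idp_b)
    return sp, idp_a, idp_b


if __name__ == "__main__":
    sp, _, _ = build_demo()
    print(sp_initiated_sso(sp, "alice@example.com", "alice", "constructed-pw", 1_700_000_000))
```

The SP-side ID is allocated on first login and reused afterwards, so the mapping from the IdP-side ID to the SP-side ID stays stable across sessions; the `in_response_to` check is what ties an assertion to a request the SP actually issued, which is why a second presentation of the same assertion is rejected.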