Currently, authentication technology for a composite machine (multifunctional peripheral, hereafter “MFP”) using an IC card and authentication technology for an MFP using a keyboard are in widespread use. Such an authentication system for an MFP uses an authentication server to collate information read from an IC card and information input from a keyboard.
Approaches to providing the authentication server include, for example, a method of producing a dedicated authentication database inside the MFP so that the MFP itself serves as the authentication server, a method of establishing a dedicated authentication server in the same network where the MFP is present, and a method of utilizing a directory server already in operation in an existing authentication system.
For example, Japanese Patent Application Laid-Open No. 2006-099714 discloses a mechanism that utilizes both a dedicated authentication server and a directory server. Specifically, in Japanese Patent Application Laid-Open No. 2006-099714, in the case of authentication with an IC card (IC card authentication), the information of the IC card held over the reader is read and an inquiry on that IC card information is made to the dedicated authentication server. If the IC card information is registered in a table on the dedicated authentication server, authentication is regarded as successful. If there is no registration, authentication is regarded as a failure. In Japanese Patent Application Laid-Open No. 2006-099714, in the case of authentication with a keyboard (keyboard authentication), a user inputs a user name, a password and a login destination domain. A directory server then authenticates the user through a login service PC based on that input.
An authentication system for realizing the IC card authentication and the keyboard authentication in the above described prior art will be described below.
FIG. 20 is a schematic diagram exemplifying a skeleton framework of an authentication system for realizing the IC card authentication and the keyboard authentication in the background art.
An authentication system illustrated in FIG. 20 includes an MFP 2010, an IC card authentication server 2020, a login service server 2030, a directory server 2040 and a network 105 communicably connecting those apparatuses.
The MFP 2010 includes an authentication application 20, which includes a card reading operation part 21, an authentication processing functioning part 22 and a login service connecting operation part 23; an operation part 330 including a keyboard; and a card reader 340 for reading information of the IC card. The IC card authentication server 2020 includes an IC card authentication service part 2021 and an IC card authentication table memory 2022. The login service server 2030 includes a login service part 2031. The directory server 2040 includes an LDAP (Lightweight Directory Access Protocol) service part 2041 and a management data memory 2042.
For IC card authentication in the authentication system illustrated in FIG. 20, a user first holds an IC card over the card reader 340 of the MFP 2010. The card reading operation part 21 of the MFP 2010 then controls the card reader 340 to obtain card information from the card. The card reading operation part 21 delivers the obtained card information to the authentication processing functioning part 22. The authentication processing functioning part 22 establishes a connection to the IC card authentication service part 2021 of the IC card authentication server 2020 and then issues an authentication request for the card information to the IC card authentication service part 2021.
The IC card authentication service part 2021 receives the authentication request from the authentication processing functioning part 22 and searches for the relevant user 200 in an IC card authentication table stored in the IC card authentication table memory 2022. The IC card authentication service part 2021 replies to the authentication processing functioning part 22 with the search result. The authentication processing functioning part 22 delivers the search result to a control part of the MFP 2010, which carries out a login process to the MFP 2010 corresponding to the search result.
For keyboard authentication in the authentication system illustrated in FIG. 20, the user 200 inputs a user name, a password and a login destination on a keyboard login screen in the operation part 330 of the MFP 2010 and presses the login button.
In that case, the authentication processing functioning part 22 of the MFP 2010 delivers the user input information (a user name, a password and a login destination) input from the operation part 330 to the login service connecting operation part 23 of the MFP 2010 to request authentication. The login service connecting operation part 23 takes the domain indicated by the login destination in the user input information and searches for the login service server 2030 for the relevant domain. Subsequently, the login service connecting operation part 23 establishes a connection to the login service part 2031 of the login service server 2030 that was found and delivers the user name and the password in the user input information to the relevant login service part 2031 to request authentication.
The login service part 2031 establishes a connection to the LDAP service part 2041 running on the directory server 2040. Subsequently, the login service part 2031 logs in to the LDAP service part 2041 with a user name and a password that have been set in advance. The login service part 2031 then delivers the user name and the password of the user input information to the LDAP service part 2041.
The LDAP service part 2041 determines whether or not the user 200 is a valid user according to the user information that is managed and stored by the management data memory 2042 and the user name and the password of the user input information. The LDAP service part 2041 replies to the login service part 2031 with the result of the determination on the validity of the user.
When the login service part 2031 receives the result of the determination from the LDAP service part 2041 and replies to the login service connecting operation part 23 with it, the login service connecting operation part 23 replies to the authentication processing functioning part 22 with the relevant determination result. When the authentication processing functioning part 22 receives the determination result from the login service connecting operation part 23 and delivers it to a control part of the MFP 2010, the MFP 2010 performs login processing corresponding to the relevant determination result.
Thus, the authentication system for realizing IC card authentication and keyboard authentication described in the conventional example has to manage both a dedicated authentication server (IC card authentication server 2020) and the directory server 2040, and needs to manage both the IC card authentication table memory 2022 and the management data memory 2042 as user information. Consequently, the operation management costs for the authentication system increase, giving rise to a problem.
To solve this problem, one could, for example, have the directory server 2040 manage the IC card user information (IC card authentication table). However, searching for user information on the directory server 2040 first requires logging in to that directory server, so a user name and a password are required. IC card authentication would therefore need to store the password and the like in the IC card, which gives rise to a security problem. More specifically, passwords are changed regularly for security, but with a medium such as an IC card, whose internal information is not changed regularly, the password stored in the card would be fixed, giving rise to a serious security problem.
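The conflict described above between a static credential on the card and regular password changes can be shown with a small model. This is an added illustration, not part of the cited publication; the `Directory`, `ICCard` and `simulate` names, the user name and the passwords are all constructed for the example.

```python
import hashlib, hmac, os

class Directory:
    """Constructed stand-in for the directory server's bind check."""
    def __init__(self):
        self._users = {}                       # user name -> (salt, derived key)

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

    def set_password(self, user, password):
        salt = os.urandom(16)
        self._users[user] = (salt, self._derive(password, salt))

    def bind(self, user, password):
        if user not in self._users:
            return False
        salt, stored = self._users[user]
        return hmac.compare_digest(stored, self._derive(password, salt))

class ICCard:
    """Card contents are written at issuance and not updated afterwards."""
    def __init__(self, user, password):
        self.user, self.password = user, password

def card_login(directory, card):
    # The MFP can only replay the credentials the card carries.
    return directory.bind(card.user, card.password)

def keyboard_login(directory, user, password):
    # The user types whatever the current password is.
    return directory.bind(user, password)

def simulate(rotate):
    """Return (card login at issuance, card login later, keyboard login later)."""
    directory = Directory()
    current = "Spring-pass-1"                  # constructed sample value
    directory.set_password("alice", current)
    card = ICCard("alice", current)
    at_issue = card_login(directory, card)
    if rotate:                                 # regular password change
        current = "Summer-pass-2"
        directory.set_password("alice", current)
    return at_issue, card_login(directory, card), keyboard_login(directory, "alice", current)

if __name__ == "__main__":
    print("rotation enforced:", simulate(rotate=True))
    print("password kept fixed:", simulate(rotate=False))
```

With rotation the card stops working while keyboard login continues; without rotation the card keeps working only because the password readable from it is never changed.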
Moreover, the authentication system for realizing IC card authentication and keyboard authentication described in the conventional example requires a login service PC (login service server 2030) for authentication against the directory server 2040. The operation management costs for the authentication system increase from this viewpoint as well, giving rise to a problem. To solve this problem, one could have the MFP 2010 carry out the login service function. However, in this case, when the MFP 2010, which is inferior to a PC in processing speed, communicates directly with the directory server 2040 to carry out authentication processing, authentication will take time because of that complicated process, giving rise to a problem.