1. Field
Aspects of the present invention generally relate to an information processing system for realizing Single Sign-On (SSO) between different domains, a control method thereof, and a storage medium thereof.
2. Description of the Related Art
Conventionally, SSO using Security Assertion Markup Language (SAML) is known as a technique for causing authentication to be federated between a plurality of servers existing under different domains.
The SAML-based SSO is realized by an information processing system (i.e., an identity (ID) provider) including a server that requests a user to input authentication information and performs authentication based on the input authentication information and an information processing system (i.e., a service provider) including a server that trusts an authentication result of the ID provider and thus provides services without performing authentication based on the authentication information. If the user is to receive a service from the service provider, the user is required to access the ID provider and be authenticated. For example, the user is authenticated by the ID provider based on user authentication information such as a user ID and a password managed by the ID provider.
The ID provider then issues to the service provider an assertion which is a certificate of authentication. The service provider authenticates the user by verifying whether the assertion has been issued by a reliable ID provider. The user can thus be authenticated by the service provider based on the verification result without inputting the authentication information managed by the service provider, and receive the service from the service provider.
As described above, the SAML-based SSO depends on a trust relationship between the ID provider and the service provider. Therefore, it is necessary for a trust relationship to be previously established between the ID provider and the service provider before realizing SSO. Such a trust relationship is established by exchanging metadata describing the function for performing the SSO among a plurality of functions in the SAML, and an electronic certificate certifying that the assertion has been issued from the ID provider. The specific content of the metadata and the technique for establishing the trust relationship are defined in SAML V2.0, i.e., a standard technology. The metadata and the information necessary for verifying the assertion, such as the electronic certificate, will be referred to as prior information. The service provider uses the prior information to verify whether the assertion satisfies the requirements. The prior information is data generally issued by the ID provider.
In SAML, whether such an ID provider is a reliable ID provider as viewed from the service provider is verified in addition to verifying whether the user has been authenticated by the ID provider, so that secure SSO can be realized. Reliability of the ID provider is actually determined by the service provider verifying the signature in the assertion issued by the ID provider, using an electronic certificate that has been preset in the service provider.
The SSO is advantageous in reducing the number of user authentications to be performed. However, there are issues in realizing SSO, as follows. For example, if there is an error in associating a user of the ID provider with a user of the service provider when setting up the SAML federation, the user authenticated by the ID provider is authenticated by the service provider as a different user instead of the actual user. The user is thus authenticated as a different user of the service provider and receives the functional service of the service provider as that user. Since the authenticated user does not receive the service as the actual user managed by the service provider, this is disadvantageous for both the service provider and the user. In other words, it is necessary to correctly and securely establish the trust relationship to safely use the SAML mechanism.
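The following is an added illustration, not part of the patent text, of the service-provider-side checks the preceding paragraphs describe: the issuer must appear in the preset metadata (the prior information), the assertion signature must verify with the certificate from that metadata, the assertion must be addressed to this service provider, and the authenticated subject must map to a service-provider user. The entity IDs, user mapping and the toy RSA key pair standing in for an X.509 certificate and XML-DSig are all constructed for the example.

```python
import hashlib
import json

# Toy RSA key pair standing in for the ID provider's X.509 signing certificate.
# Constructed for this example from two Mersenne primes; far too small for real use.
P, Q = (1 << 31) - 1, (1 << 61) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # ID provider's private exponent (never leaves the IdP)

# "Prior information" held by the service provider: trusted ID provider metadata
# (entityID) together with the public key taken from its certificate. Constructed values.
TRUSTED_IDP_METADATA = {"https://idp.example.test": {"n": N, "e": E}}
SP_ENTITY_ID = "https://sp.example.test"
# Association of ID-provider NameIDs with the service provider's own users. Constructed.
USER_MAPPING = {"alice@idp.example.test": "sp-user-0001"}


def _canonical(assertion):
    """Canonical byte form of the signed fields (stand-in for XML canonicalization)."""
    fields = {k: assertion[k] for k in ("issuer", "name_id", "audience")}
    return json.dumps(fields, sort_keys=True).encode()


def _digest(payload, n):
    """SHA-256 digest of the payload reduced into the RSA modulus range."""
    return int.from_bytes(hashlib.sha256(payload).digest(), "big") % n


def idp_issue_assertion(name_id, audience, issuer="https://idp.example.test"):
    """ID provider side: build the assertion and sign it with the private key."""
    assertion = {"issuer": issuer, "name_id": name_id, "audience": audience}
    assertion["signature"] = pow(_digest(_canonical(assertion), N), D, N)
    return assertion


def sp_verify_assertion(assertion):
    """Service provider side: verify against prior information, then map the user."""
    key = TRUSTED_IDP_METADATA.get(assertion["issuer"])
    if key is None:
        raise ValueError("issuer is not a trusted ID provider (no metadata exchanged)")
    if assertion["audience"] != SP_ENTITY_ID:
        raise ValueError("assertion was not issued for this service provider")
    expected = _digest(_canonical(assertion), key["n"])
    if pow(assertion["signature"], key["e"], key["n"]) != expected:
        raise ValueError("signature does not verify with the ID provider's certificate")
    local_user = USER_MAPPING.get(assertion["name_id"])
    if local_user is None:
        raise ValueError("authenticated subject has no association with a local user")
    return local_user
```

A NameID that is authenticated but missing from USER_MAPPING is refused rather than silently mapped, which is the failure mode the paragraph above describes.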
Conventionally, Japanese Patent Application Laid-Open No. 2009-118110 discusses a method for setting a trust relationship between an ID provider and a service provider. More specifically, Japanese Patent Application Laid-Open No. 2009-118110 discusses a technique related to SSO for securely establishing the trust relationship between a dynamically-arranged device and a service providing server. When establishing the trust relationship, the service providing server causes a certificate authority to verify the signature in the metadata, so that secure SSO is realized while dynamically registering the metadata.
The trust relationship for realizing the SSO can be dynamically established using the technique discussed in Japanese Patent Application Laid-Open No. 2009-118110. However, the technique discussed in Japanese Patent Application Laid-Open No. 2009-118110 is only for establishing the trust relationship with respect to the service providing server, i.e., the ID provider, and does not consider establishing the trust relationship with respect to the service provider. In particular, since it is assumed that a plurality of ID providers, each of which manages the prior information differently, and the service provider are to realize the SSO federation in the future, it is desirable to appropriately establish the trust relationship with respect to the service provider as well.