1. Field of the Invention
The present invention relates to a cooperation system for causing a plurality of information processing systems to cooperate with one another by single sign-on, a cooperation method thereof, an information processing system therein, and a storage medium.
2. Description of the Related Art
Configurations for managing operation data and performing various types of processing operations on a cloud platform have been gaining popularity. A user accesses a web page provided by the cloud platform from a browser of a client personal computer (PC) via the Internet, and displays the operation data to be viewed on the web page. For example, when the user gives a document generation instruction via a screen of the PC, the client PC accesses a document generation server. Subsequently, the document generation server acquires the operation data on the cloud platform, generates the document, and then transmits the generated document to the client PC. A typical example of the cloud platform is Salesforce CRM (registered trademark) of Salesforce.com.
The cloud platform and the document generation server are operated in a multi-tenant manner. A tenant refers to the unit of company or organization that is under contract to use the cloud platform and the document generation server, and to the group to which the user belongs. In a service operated in a multi-tenant manner, one information processing system manages the data of a plurality of tenants and manages the data of each tenant separately so that the data of one tenant cannot be referred to from another tenant. To make each tenant refer to only its own data, the cloud platform and the document generation server authenticate the user and check the tenant. The user is authenticated using a user identification (ID) for identifying the user and a password, which is confidential information, and the tenant is checked by confirming that the tenant input by the user exists.
When the cloud platform and the document generation server cooperate with each other, the user does not need to be authenticated by each server separately; instead, the authentication can be made to cooperate among the information processing systems. Conventional techniques for making authentication cooperate among a plurality of information processing systems include a single sign-on (SSO) mechanism based on the Security Assertion Markup Language (SAML). In SSO by SAML, the user holds a user ID in both the information processing system that provides an authentication service (an identity provider (IdP)) and the information processing system that provides a service while relying on the authentication result of the IdP (a service provider (SP)). When the user has been authenticated by the IdP, the SP relies on the authentication result and authenticates the user's access as the user ID managed in the SP (IdP preceding). Further, when a user who has not yet been authenticated by the IdP accesses the SP, the SP guides the unauthenticated user to an appropriate IdP and has the user authenticated by the IdP (SP preceding). With either method, the user can receive the service provided by the SP only by inputting the user authentication information in the IdP, which reduces the user authentication processing in the SP and improves convenience.
When SSO is performed by SAML, the user ID retained by the IdP and the user ID retained by the SP are associated with each other and managed (hereinafter referred to as “user mapping”). In particular, when a service that always requires identifying the user is associated with the document generation server, the IDs need to be managed by the user mapping. A printing service that manages and prints documents for each user always requires identifying the user.
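The user mapping described above can be pictured as a lookup table held on the SP side. The following is an added illustration, not part of the original text: the class names, IdP entity ID, user IDs and tenant names are constructed, and it assumes the SAML assertion has already been validated before the lookup.

```python
# Added illustration; all names and sample data are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class SpAccount:
    tenant_id: str
    sp_user_id: str


class MappingError(Exception):
    """Raised when an asserted identity cannot be mapped to an SP account."""


class UserMapping:
    """SP-side table associating (IdP, IdP user ID) with one SP account."""

    def __init__(self):
        self._by_idp_identity = {}

    def register(self, idp_entity, idp_user_id, tenant_id, sp_user_id):
        # Key on the IdP as well as the user ID, so the same user ID string
        # asserted by a different IdP never resolves to this account.
        key = (idp_entity, idp_user_id)
        if key in self._by_idp_identity:
            raise MappingError(f"{key} is already mapped")
        self._by_idp_identity[key] = SpAccount(tenant_id, sp_user_id)

    def resolve(self, idp_entity, idp_user_id, requested_tenant):
        # Fail closed: an authenticated but unmapped IdP user gets no account.
        account = self._by_idp_identity.get((idp_entity, idp_user_id))
        if account is None:
            raise MappingError("no user mapping for asserted identity")
        # Multi-tenant check: the mapped account must belong to the tenant
        # whose data is being requested.
        if account.tenant_id != requested_tenant:
            raise MappingError("mapped account belongs to another tenant")
        return account


def build_sample_mapping():
    """Two constructed mappings, one per tenant."""
    idp = "https://idp.example/saml"
    mapping = UserMapping()
    mapping.register(idp, "alice@tenant-a.example", "tenant-a", "doc-0001")
    mapping.register(idp, "bob@tenant-b.example", "tenant-b", "doc-0002")
    return mapping
```

Every user who is to use SSO needs one such entry, which is the per-user registration work the mapping imposes.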
Further, a method for associating the IDs retained by each of a plurality of information processing systems with one another has been conventionally known. Japanese Patent Application Laid-Open No. 2011-221729 discusses a method in which the service providing server guides the user to access the authentication server, and registers the authentication information between the authentication server and the user in order to perform the authentication processing.
However, the conventional method has problems as described below. In order for a plurality of information processing systems to perform the SSO, the user mapping is essential for associating a plurality of user IDs in the information processing system of a cooperation source and a plurality of user IDs in the information processing system of a cooperation destination.
The user mapping requires much work from the user. As the number of user IDs increases, the user's work increases accordingly.