JP6424864B2 - system - Google Patents

Description

The present invention also relates to the system.

  For example, an image forming apparatus management system having an image forming apparatus and a management server that controls processing of the image forming apparatus is conventionally known (see, for example, Patent Document 1).

  In the conventional image forming apparatus management system, the image forming apparatus acquires IC card identification information using, for example, an IC card reader. The management server acquires the user ID corresponding to the IC card identification information acquired by the image forming apparatus and the use restriction information related to the use of the image forming apparatus, and causes the process in the image forming apparatus to be executed based on the use restriction information. .

  BACKGROUND In recent years, a usage form using a server on a public network represented by a cloud service has become widespread without using a server on a private network such as a corporate network. In such a usage form, it is assumed that an unspecified number of users and companies use a server on a public network.

  Therefore, when an unspecified number of users and companies use a server on a public network, user authentication is generally performed from the viewpoint of information security. User authentication is performed, for example, on a private network such as a corporate network, and on a public network represented by a cloud service.

  For example, using common authentication information for user authentication performed on a private network and on a public network is not preferable in terms of information security. On the other hand, using separate authentication information for user authentication performed on a private network and on a public network, and inputting authentication information for each function or service to be used, impairs the convenience of the user.

The present invention has been made in view of the above, and an object thereof is to provide a system that can be linked user authentication is performed on a different network, while maintaining information security.

In order to achieve the above object, claim 1 of the present application is a system in which an apparatus using a service and an information processing apparatus providing the service to the apparatus exist on different networks and are connected via the network. The device is a first authentication information used for authentication on a first network in which the device is present, and the acquiring unit acquires the first authentication information for which the user authentication has succeeded . Authentication request means for transmitting, to the information processing apparatus, an authentication request including user specifying information for specifying a user among the authentication information, and the information processing apparatus receives the authentication request Means for associating the user identification information contained in the received authentication request with the information used for authentication on the second network in which the information processing apparatus exists And having an authentication processing means for performing authentication on the second network using the information.

  According to the present invention, user authentication performed on different networks can be coordinated while maintaining information security.

It is a block diagram of an example of the system concerning this embodiment. It is a hardware block diagram of an example of the computer system concerning this embodiment. It is a processing block diagram of an example of office equipment concerning this embodiment. It is a processing block diagram of an example of the authentication device concerning this embodiment. It is a block diagram of an example of attestation information which an attestation information storage part memorizes. It is a processing block diagram of an example of the service providing system concerning this embodiment. It is a block diagram of an example of enterprise management information. It is a block diagram of an example of user management information. It is a block diagram of an example of apparatus management information. It is an image figure of an example of the login setting screen to a service provision system. It is a screen transition figure of an example when login setting "do not cooperate with in-house authentication" is selected. FIG. 13 is a screen transition diagram of an example when a “cooperation with in-house authentication” login setting is selected. It is a flowchart of an example showing processing of a service providing system which received a login demand from a terminal unit. 5 is a flowchart of an example showing processing of a service providing system that has received a login request from an image forming apparatus. It is a flowchart of an example showing the login process of the system concerning this embodiment. It is a screen transition diagram of an example in case a terminal unit uses a service. FIG. 6 is a sequence diagram of an example showing processing of inputting data such as a print job from a terminal device. It is a block diagram of an example of the data management information which a data management information storage part memorizes. FIG. 6 is a block diagram of an example of output data management information managed by the print service application. It is a sequence diagram of an example of processing which acquires a data list from a service offer system, or deletes data. It is a flowchart of an example of a status determination process. FIG. 6 is an example screen transition diagram when the image forming apparatus acquires a data list. It is a sequence diagram of an example of processing which acquires a data list from a service offer system. FIG. 6 is a sequence diagram of an example of a process of outputting data from the image forming apparatus or deleting data from the service providing system. It is a processing block diagram of an example of the authentication device concerning this embodiment. It is a processing block diagram of an example of the service providing system concerning this embodiment. It is a block diagram of an example of attestation information which an attestation information storage part memorizes. It is a block diagram of an example of the user management information which a user management information storage part memorizes. It is a flowchart of an example showing the login process of the system concerning this embodiment. It is a block diagram of an example of the system concerning this embodiment. It is a processing block diagram of an example of office equipment concerning this embodiment.

Next, embodiments of the present invention will be described in detail.
First Embodiment
<System configuration>
FIG. 1 is a block diagram of an example of a system according to the present embodiment. The system 1 of FIG. 1 has a private network N1 such as an in-office network, a public network N2 represented by a cloud service, and a network N3 such as the Internet.

  The network N1 and the network N3 are connected by the firewall FW on the network N1 side. The firewall FW is installed at the contact between the network N1 and the network N3 and relays the access from the network N1 to the network N3.

  The network N2 and the network N3 are connected by the access control device 21 on the network N2 side. Security of the network N2 is protected by the access control device 21.

  The network N1 is a private network inside the firewall FW. Connected to the network N1 are a client terminal 11, a portable terminal 12, a print control device 13 such as a print server, an image forming device 14 such as a multifunction machine, a projector 15, other devices 16, and an authentication device 17 such as an authentication server. .

  The client terminal 11 is an example of a terminal device. The client terminal 11 can be realized by an information processing apparatus (computer system) equipped with a general OS or the like. The client terminal 11 has a wireless communication means or a wired communication means. The client terminal 11 is a terminal that can be operated by the user, such as a tablet PC or a notebook PC.

  The portable terminal 12 is an example of a terminal device. The portable terminal 12 has a means of wireless communication or a means of wired communication. The mobile terminal 12 is a terminal that can be carried by the user, such as a smartphone, a mobile phone, a tablet PC, or a notebook PC.

  The print control apparatus 13 can be realized by an information processing apparatus (computer system) equipped with a general server OS or the like. The print control device 13 has a means of wireless communication or a means of wired communication. The print control device 13 stores and provides, for example, print data.

  The image forming apparatus 14 is an apparatus having an image forming function such as a multifunction peripheral. The image forming apparatus 14 has means for wireless communication or means for wired communication. The image forming apparatus 14 is an apparatus such as a multifunction peripheral, a copier, a scanner, a printer, a laser printer, etc., which performs processing related to image formation. The projector 15 is an apparatus for projecting an image. The projector 15 has a means of wireless communication or a means of wired communication.

  The client terminal 11, the mobile terminal 12, the print control device 13, the image forming device 14, the projector 15, and the other devices 16 are an example of devices that perform authentication by the authentication device 17 at the time of use.

  The authentication device 17 can be realized by an information processing device (computer system) equipped with a general server OS or the like. The authentication device 17 has means for wireless communication or means for wired communication. The authentication device 17 provides a user authentication function such as an authentication server.

  Although one client terminal 11, one portable terminal 12, one print control device 13, one image forming device 14, one projector 16, another device 16, and one authentication device 17 are shown in FIG. It may be

  The network N2 is connected by the access control device 21 to a network N3 such as the Internet. An access control device 21, a print service providing device 22, a scan service providing device 23, and another service providing device 24 are connected to the network N2. In the system 1 of FIG. 1, the access control device 21, the print service providing device 22, the scan service providing device 23, and the other service providing device 24 realize a service providing system.

  The access control device 21 controls login to each service, such as a print service provided by the print service providing device 22 and a scan service provided by the scan service providing device 23. The access control device 21, the print service providing device 22, the scan service providing device 23, and the other service providing device 24 are realized by one or more information processing devices (computer systems).

  The print service providing apparatus 22, the scan service providing apparatus 23, and the other service providing apparatus 24 of the system 1 of FIG. 1 may be realized by being integrated into one computer, or may be realized by being dispersed into a plurality of computers. May be

<Hardware configuration>
The client terminal 11, the mobile terminal 12, the print control device 13, the authentication device 17, the access control device 21, the print service providing device 22, the scan service providing device 23, and the other service providing device 24 shown in FIG. It is realized by a computer system of hardware configuration. FIG. 2 is a hardware configuration diagram of an example of a computer system according to the present embodiment.

  The computer system 100 illustrated in FIG. 2 includes an input device 101, a display device 102, an external I / F 103, a random access memory (RAM) 104, a read only memory (ROM) 105, a central processing unit (CPU) 106, and a communication I / O. An F 107, an HDD (Hard Disk Drive) 108 and the like are provided, and they are mutually connected by a bus B.

  The input device 101 includes a keyboard, a mouse, a touch panel, and the like, and is used by the user to input each operation signal. The display device 102 includes a display and the like, and displays the processing result by the computer system 100.

  The communication I / F 107 is an interface for connecting the computer system 100 to the network N1 or N2. Thus, the computer system 100 can perform data communication via the communication I / F 107.

  The HDD 108 is a non-volatile storage device storing programs and data. The stored programs and data include, for example, an OS (Operating System), which is basic software for controlling the entire computer system 100, and application software for providing various functions on the OS. The HDD 108 manages stored programs and data by a predetermined file system and / or a DB (database).

  The external I / F 103 is an interface with an external device. The external device is, for example, a recording medium 103a. Thus, the computer system 100 can read and / or write the recording medium 103 a via the external I / F 103. The recording medium 103a may be a flexible disk, a CD (Compact Disk), a DVD (Digital Versatile Disk), an SD memory card (SD Memory card), a USB memory (Universal Serial Bus memory), or the like.

  The ROM 105 is a non-volatile semiconductor memory (storage device) capable of holding programs and data even after the power is turned off. The ROM 105 stores programs and data such as a BIOS (Basic Input / Output System), an OS setting, and a network setting which are executed when the computer system 100 is started. The RAM 104 is a volatile semiconductor memory (storage device) that temporarily holds programs and data.

  The CPU 106 is an arithmetic device that implements control and functions of the entire computer system 100 by reading programs and data from a storage device such as the ROM 105 or the HDD 108 onto the RAM 104 and executing processing.

  The client terminal 11, the portable terminal 12, the print control apparatus 13, the authentication apparatus 17, the access control apparatus 21, the print service providing apparatus 22, the scan service providing apparatus 23, and the other service providing apparatus 24 in FIG. The hardware configuration of 100 can realize various processes as described later.

<Software configuration>
Office equipment
The office device 30 such as the client terminal 11 according to the present embodiment is realized by, for example, a processing block illustrated in FIG. FIG. 3 is a processing block diagram of an example of the office device according to the present embodiment.

  The office device 30 executes the program to realize the input reception unit 31, the authentication request unit 32, the function processing unit 33, the service login request unit 34, the registration request unit 35, the login setting unit 36, and the service use request unit 37. ing.

  The input receiving unit 31 receives an input by a user operation such as a touch panel touch operation or a keyboard input operation. The authentication request unit 32 transmits authentication information to the authentication device 17 and requests authentication. The function processing unit 33 executes processing using hardware and application programs (applications) included in the office device 30, and provides functions included in the office device 30.

  The service login request unit 34, the registration request unit 35, the login setting unit 36, and the service usage request unit 37 are realized by, for example, a service usage application. The service login request unit 34 transmits authentication information to the service providing system, and requests login. The registration request unit 35 requests the service providing system to register a part (for example, a user name or the like) or all of the authentication information authenticated by the authentication device 17.

  The login setting unit 36 sets authentication information used to log in to the service providing system. The service use request unit 37 requests the use of the service provided by the service providing system.

«Authentication device»
The authentication device 17 according to the present embodiment is realized by, for example, a processing block shown in FIG. FIG. 4 is a process block diagram of an example of the authentication device according to the present embodiment. The authentication device 17 implements an authentication processing unit 41 and an authentication information storage unit 42 by executing a program.

  The authentication processing unit 41 executes authentication based on the authentication request from the office device 30. The authentication information storage unit 42 stores authentication information used when determining the result of authentication of the received authentication information (authentication success, authentication failure). The authentication information storage unit 42 stores, for example, authentication information as shown in FIG.

  FIG. 5 is a block diagram of an example of the authentication information stored in the authentication information storage unit. FIG. 5A shows authentication information constituted by user identification information such as a user name and a password. FIG. 5B is authentication information configured by user identification information, a password, and card identification information (card ID etc.) such as an IC card. The authentication information is not limited to the example shown in FIG. 5. For example, even if device identification information (such as a machine number) of the office device 30 is used, biometric information (fingerprint, vein, retina, etc.) of the user is used. It is also good.

<< service offer system >>
The service providing system according to the present embodiment is realized by, for example, a processing block shown in FIG. FIG. 6 is a process block diagram of an example of the service providing system according to the present embodiment. The service providing system 50 of FIG. 6 implements a service application 51, a platform 52, a management data storage unit 53, and a platform API (Application Programming Interface) 54 by executing a program.

  The service application 51 of FIG. 6 has a print service application 61, a scan service application 62, and one or more other service applications 63 as an example. The print service application 61 is an application for providing a print service. The scan service application 62 is an application that provides a scan service. Also, the service application 63 is an application that provides some service.

  The platform API 54 is an interface for the service application 51 such as the print service application 61, the scan service application 62, and other service applications 63 to use the platform 52. The platform API 54 is a predefined interface provided for the platform 52 to receive a request from the service application 51, and is configured by, for example, a function or a class. When the service providing system 50 is configured to be distributed to a plurality of information processing apparatuses, the platform API 54 can use, for example, a Web API that can be used via a network.

  The platform 52 in FIG. 6 includes an authentication processing unit 71, a device communication unit 72, a user information registration unit 73, a session management unit 54, and a data processing unit 75 as an example. The authentication processing unit 71 executes authentication based on a login request from the office device 30.

  The device communication unit 72 executes communication with the office device 30. The user information registration unit 73 receives a registration request for a part or all of the authentication information authenticated by the authentication device 17 from a terminal device such as the client terminal 11, and registers the authentication information in user management information described later. The session management unit 74 manages a session with the office device 30. The data processing unit 75 executes data processing based on the request from the service application 51.

  The management data storage unit 53 includes, as an example, a company management information storage unit 81, a user management information storage unit 82, a device management information storage unit 83, a data management information storage unit 84, and a data storage 85. The company management information storage unit 81 stores company management information described later. The user management information storage unit 82 stores user management information described later. The device management information storage unit 83 stores device management information described later. The data management information storage unit 84 stores data management information described later. The data storage 85 stores other data and the like.

  FIG. 7 is a block diagram of an example of enterprise management information. The enterprise management information of FIG. 7 has an enterprise code, an enterprise name, a country, a language, and the like as data items. The company code is information identifying a group such as a company or an organization.

  The company code is information identifying one or more users and a set of one or more office devices 30. Note that the present embodiment is not limited to the word “company”, and may be, for example, identification information identifying a contract for a user or a set of office devices 30. The company code is unique.

  FIG. 8 is a block diagram of an example of user management information. The user management information of FIG. 8 has data items such as a company code, user name, password, role, address information, output setting, office authentication information, and the like. User management information manages information in company code units. The username and password are information for identifying the user on the service providing system 50 side. The username may be, for example, a user ID. Password is not required.

  Furthermore, as the user name, an electronic medium (for example, an IC card) possessed by the user or information (a card ID, a serial ID of the office device 30, a telephone number, etc.) for identifying the office device 30 may be used instead. You may use. Also, although the user name and password associated with the company code are unique, different company codes may be duplicated.

  The office authentication information is user identification information included in authentication information on the private network N1 side. The user identification information on the network N1 side registered as the office authentication information is user identification information authenticated on the private network N1 side. The office authentication information is registered by the user information registration unit 73. The user management information associates the user identification information (user name) on the private network N1 side with the user name on the public network N2 side.

  Based on the user management information, the system 1 of this embodiment can cooperate the authentication on the private network N1 side with the authentication on the public network N2 side while maintaining information security.

  FIG. 8A shows user management information in which office authentication information of the user name "Kobayashi" is not registered. The user management information in FIG. 8A represents an example in which the authentication on the private network N1 side and the authentication on the public network N2 side are not linked.

  FIG. 8B shows user management information in which office authentication information "Koba" of user name "Kobayashi" is registered. The user management information in FIG. 8B represents an example in which the authentication on the private network N1 side and the authentication on the public network N2 side are linked.

  FIG. 9 is a block diagram of an example of device management information. The device management information in FIG. 9 includes, as data items, a company code, device authentication information, business office information, capabilities, and the like. Device management information manages information in company code units. The device authentication information is information for device authentication for determining that the office device 30 has a specific condition. The device authentication information may be an ID indicating that a specific application is installed, or a device number indicating that the device is a specific device.

<Details of processing>
Hereinafter, details of processing of the system 1 according to the present embodiment will be described.

Login setting
FIG. 10 is an image diagram of an example of a login setting screen for the service providing system. The login setting screen 1000 of FIG. 10 is displayed on the office device 30 by the service utilization application of the office device 30. The login setting screen 1000 indicates that the authentication on the private network N1 side and the authentication on the public network N2 are linked. The “link with in-house authentication” login setting and the non-linkage “do not link with the in-house authentication” It is a screen which makes a user select login setting.

Login process
The screen transition when the “do not cooperate with in-house authentication” login setting is selected is as shown in FIG. 11, for example. FIG. 11 is a screen transition diagram of an example when “do not cooperate with in-house authentication” login setting is selected.

  For example, the office device 30 displays an application selection screen 1010 and allows the user to select an application. When the service utilization application selection button 1011 is pressed by the user, the service utilization application of the office device 30 displays a login screen 1020. The user inputs a company code, a user name and a password on the login screen 1020. The company code, the user name and the password are examples of authentication information on the public network N2 side.

  After inputting the authentication information on the login screen 1020, the user presses the login button 1021. When the login button 1021 is pressed, the service login request unit 34 of the office device 30 transmits authentication information to the service providing system 50, and requests login.

  When the login is successful, the service utilization application of the office device 30 displays a service list selection screen 1030. The service list selection screen 1030 is a screen that allows the user to select a service provided by the service providing system. The user selects a service to be used from the service list selection screen 1030. For example, when the user presses the “print service” button, the service use request unit 37 of the office device 30 requests the service providing system 50 to use the “print service”.

  The screen transition when the “cooperation with in-house authentication” login setting is selected is as shown in FIG. 12, for example. FIG. 12 is a screen transition diagram of an example when the “cooperation with in-house authentication” login setting is selected.

  For example, the office device 30 displays one of the login screens 1040, 1050, and 1060 for authentication on the private network N1 side. The login screen 1040 is a screen that allows the user to enter a user name and a password, which are examples of authentication information. The login screen 1040 is a screen that allows the user to hold the IC card and input card identification information (card ID) of the IC card as an example of authentication information. The login screen 1060 is a screen for letting the user hold the finger and input biometric information (fingerprint) of the user as an example of authentication information.

  When the authentication information is input, the authentication request unit 32 of the office device 30 transmits the authentication information to the authentication device 17 and requests authentication. If the authentication is successful, the office device 30 displays an application selection screen 1010 to allow the user to select an application.

  When the service use application selection button 1011 is pressed by the user, the service use application of the office device 30 transmits a company code and a user name authenticated on the private network N1 side as authentication information to the service providing system as described later. , Request a login. When device authentication information is set in the office device 30, the device authentication information is included in the authentication information.

  If the user identification information (user name) authenticated on the private network N1 side and the user name on the public network N2 side are associated with the user management information, the login succeeds. When the login is successful, the service utilization application of the office device 30 displays a service list selection screen 1030.

  If the username authenticated on the private network N1 side and the username on the public network N2 side are not associated with the user management information, login fails. If login fails, the service use application of the office device 30 displays a login screen 1020, and allows the user to input authentication information on the public network N2 side. Then, the service login request unit 34 of the office device 30 transmits the authentication information on the public network N2 side input by the user to the service providing system 50, and requests a login.

  The user enters authentication information on the public network N2 side in the login screen 1020 when the user name authenticated on the private network N1 side and the user name on the public network N2 side are associated with the user management information. It is possible to select the service to be used from the service list selection screen 1030 without using the service list system, and to use the service provided by the service providing system 50.

  FIG. 13 is a flowchart of an example showing the process of the service providing system that has received the login request from the terminal device. Note that FIG. 13 is an example when “do not cooperate with in-house authentication” login setting is selected.

  In step S1, the authentication processing unit 71 of the service providing system 50 receives, from a terminal device such as the client terminal 11, a login request in which the company code and the user name and password on the public network N2 side are authentication information.

  In step S2, the authentication processing unit 71 makes a company authentication judgment to determine whether the company code included in the authentication information is present in the company management information shown in FIG. If the company code included in the authentication information exists in the company management information shown in FIG. 7, the authentication processing unit 71 determines that the company authentication is successful (authentication OK), and performs the process of step S3.

  In step S3, in the user management information shown in FIG. 8, the authentication processing unit 71 determines whether the user name and the password included in the authentication information exist in the user management information associated with the authenticated company code. To determine the user authentication judgment.

  If the user name and the password included in the authentication information exist, the authentication processing unit 71 determines that the user authentication is successful (authentication OK), and performs the process of step S5. In step S5, the authentication processing unit 71 determines that the authentication result for the login request from the terminal device is successful (authentication OK).

  If the company code included in the authentication information does not exist in the company management information illustrated in FIG. 7 in step S2, the authentication processing unit 71 fails in the authentication result for the login request from the terminal device in step S4 (authentication NG Judge as).

  Similarly, if the user name and password included in the authentication information do not exist in the user management information associated with the authenticated company code in step S3, the authentication processing unit 71 determines the terminal device in step S4. The authentication result for the login request from is judged as failure (authentication NG).

  FIG. 14 is a flowchart of an example showing the process of the service providing system that has received the login request from the image forming apparatus. FIG. 14 is an example in the case where “do not cooperate with in-house authentication” login setting is selected. In the flowchart of FIG. 14, the device authentication determination of step S <b> 13 is added to the flowchart of FIG. 13.

  In step S11, the authentication processing unit 71 of the service providing system 50 receives, from the image forming apparatus 14, a login request in which the company code, the device authentication information, the user name and password of the public network N2 side are authentication information.

  In step S12, the authentication processing unit 71 makes a company authentication judgment to determine whether the company code included in the authentication information is present in the company management information shown in FIG. If the company code included in the authentication information is present in the company management information, the authentication processing unit 71 determines that the company authentication is successful (authentication is OK), and performs the process of step S13.

  In step S13, the authentication processing unit 71 determines whether the device authentication information included in the authentication information is present in the device management information associated with the authenticated company code among the device management information illustrated in FIG. Perform device authentication judgment to judge. If the device authentication information included in the authentication information exists, the authentication processing unit 71 determines that the device authentication is successful (authentication is OK) and performs the process of step S14.

  In step S14, in the user management information shown in FIG. 8, the authentication processing unit 71 determines whether the user name and password included in the authentication information exist in the user management information associated with the authenticated company code. To determine the user authentication judgment.

  If the user name and password included in the authentication information exist, the authentication processing unit 71 determines that the user authentication is successful (authentication is OK), and performs the process of step S16. In step S16, the authentication processing unit 71 determines that the authentication result in response to the login request from the image forming apparatus 14 is success (authentication OK).

  If the company code included in the authentication information does not exist in the company management information illustrated in FIG. 7 in step S12, the authentication processing unit 71 fails in the authentication result for the login request from the image forming apparatus 14 in step S15 ( Judge as authentication NG).

  Similarly, in step S13, if there is no device authentication information included in the authentication information among the device management information associated with the authenticated company code, the authentication processing unit 71 performs the image forming apparatus in step S15. The authentication result for the login request from 14 is judged as failure (authentication NG).

  Similarly, if there is no user name and password included in the authentication information in the user management information associated with the authenticated company code in step S14, the authentication processing unit 71 forms an image in step S15. The authentication result in response to the login request from the device 14 is determined as failure (authentication NG).

  FIG. 15 is a flowchart of an example showing a login process of the system according to the present embodiment. In step S21, the image forming apparatus 14 displays, for example, a login screen 1050 of FIG. The image forming apparatus 14 receives an authentication request by inputting a card ID of an IC card, which is an example of authentication information, from the user.

  In step S22, the authentication request unit 32 of the image forming apparatus 14 transmits authentication information to the authentication device 17, and requests authentication. The authentication information transmitted in step S22 may be a card ID or a user name and password associated with the card ID.

  In step S23, the authentication processing unit 41 of the authentication apparatus 17 performs user authentication to determine whether the user name and password included in the authentication information from the image forming apparatus 14 exist in the authentication information shown in FIG. If the user name and password included in the authentication information exist in the authentication information shown in FIG. 5, the authentication processing unit 41 determines that the user authentication is successful (authentication is OK), and performs the process of step S25. In step S 25, the authentication processing unit 41 notifies the authentication request unit 32 of the image forming apparatus 14 of the user authentication success.

  If the user name and password included in the authentication information do not exist in the authentication information shown in FIG. 5, the authentication processing unit 41 determines that the user authentication is unsuccessful (authentication NG), and performs the process of step S24. In step S24, the authentication processing unit 41 notifies the authentication request unit 32 of the image forming apparatus 14 of the user authentication failure, and ends the process of the flowchart of FIG.

  In step S26, the image forming apparatus 14 notified of the success of the user authentication displays the application selection screen 1010 as shown in FIG. 12, and allows the user to select an application. For example, when the service use application selection button 1011 of the application selection screen 1010 is pressed by the user, the image forming apparatus 14 receives a log-in request from the user to the service providing system.

  In step S27, the service login request unit 34 of the image forming apparatus 14 determines whether the “do not cooperate with in-house authentication” login setting is selected. If the login setting “do not cooperate with in-house authentication” is selected, the service login request unit 34 displays, for example, the login screen 1020 shown in FIG. 11 in step S28, and displays the company code, the user name and password of the public network N2 side. Let the user enter After the process of step S28, the image forming apparatus 14 is logged in to the service providing system 50 by the process of the flowchart shown in FIG.

  In step S27, the service login request unit 34 performs the process of step S29 if the “cooperation with in-house authentication” login setting is selected. In step S29, the service login request unit 34 transmits the company code, the device authentication information, and the user name (Koba) as authentication information to the service providing system, and requests login.

  The user name (Koba) is an example of the private network N1 side user name, as shown in FIG. In step S30, the authentication processing unit 71 of the service providing system 50 performs the same enterprise authentication determination as in step S12. If the authentication processing unit 71 determines that the company authentication is successful (authentication is OK), the processing in step S31 is performed.

  In step S31, the authentication processing unit 71 performs the same device authentication determination as in step S13. If the authentication processing unit 71 determines that the device authentication is successful (authentication is OK), the processing in step S33 is performed.

  If the authentication processing unit 71 determines that the company authentication is unsuccessful (authentication NG) in step S30, the authentication result in response to the login request from the image forming apparatus 14 is determined as failure (authentication NG) in step S32. If the authentication processing unit 71 determines that the device authentication is unsuccessful (authentication NG) in step S31, the authentication processing unit 71 determines that the authentication result in response to the login request from the image forming apparatus 14 is unsuccessful (authentication NG).

  In step S33, the authentication processing unit 71 transmits the private network N1 side included in the authentication information among the user management information associated with the authenticated company code among the user management information shown in FIG. A user authentication determination is performed to determine whether the user name (Koba) exists.

  If the private network N1 side user name (Koba) included in the authentication information exists, the authentication processing unit 71 determines that the user authentication is successful (authentication is OK) and performs the process of step S34. In step S34, the authentication processing unit 71 acquires the public network N2 side user name (Kobayashi) corresponding to the private network N1 side user name (Koba) from the user management information of FIG. In step S35, the authentication processing unit 71 determines that the authentication result in response to the login request from the image forming apparatus 14 is successful (authentication OK).

  If the private network N1 side user name (Koba) included in the authentication information does not exist in step S33, the authentication processing unit 71 determines that the user authentication is unsuccessful (authentication NG) and the process of step S36. I do.

  In step S36, since the service utilization application of the image forming apparatus 14 has failed in login to the service providing system 50, the login screen 1020 as shown in FIG. 12 is displayed.

  In step S37, the service use application of the image forming apparatus 14 causes the user to input a company code, a user name (Kobayashi) and a password as an example of authentication information on the public network N2 side from the login screen 1020.

  In step S38, the registration request unit 35 of the image forming apparatus 14 requests the service providing system 50 to register the authenticated user name (Koba) on the private network N1 side. The registration request in step S38 includes the company code, the device authentication information, the username (Kobayashi) on the public network N2 side, and the password.

  In step S39, the authentication processing unit 71 of the service providing system 50 performs the same enterprise authentication determination as in step S12. If the authentication processing unit 71 determines that the company authentication is successful (authentication is OK), the processing in step S40 is performed.

  In step S40, the authentication processing unit 71 performs the same device authentication determination as in step S13. If the authentication processing unit 71 determines that the device authentication is successful (authentication is OK), the processing in step S41 is performed.

  In step S41, the authentication processing unit 71 performs the same user authentication determination as in step S14. If the authentication processing unit 71 determines that the user authentication is successful (authentication is OK), the processing in step S43 is performed.

  In step S43, the user information registration unit 73 associates the authenticated user name (Koba) on the network N1 side with the public network N2 side user name (Kobayashi) and registers it as office authentication information of the user management information.

  When the authentication processing unit 71 determines that the company authentication is unsuccessful (authentication NG) in step S39, and when it is determined that the device authentication is unsuccessful (authentication NG) in step S40, the authentication processing unit 71 determines that the user authentication fails (authentication NG) in step S41. At the time, in step S42, the authentication result in response to the registration request from the image forming apparatus 14 is determined as failure (authentication NG).

  As shown in the flowchart of FIG. 15, in the case where the authenticated user name (Koba) on the private network N1 side and the public network N2 side user name (Kobayashi) are associated with the user management information, as shown in the flowchart of FIG. By presetting authentication information on the public network N2 side in the login setting unit 36, login to the service providing system 50 can be performed without inputting authentication information on the public network N2 side on the login screen 1020.

  In addition, even if the user is not associated with the user management information, the authenticated user name (Koba) on the private network N1 side and the user name (Kobayashi) on the public network N2 side are not associated with each other. It is possible to easily register user management information in which the authenticated user name (Koba) on the N1 side is associated with the public network N2 side user name (Kobayashi).

<< service use processing >>
The screen transition when the terminal device such as the client terminal 11 uses the service is as shown in FIG. 16, for example. FIG. 16 is a screen transition diagram of an example when the terminal device uses a service.

  For example, the terminal device displays a service list selection screen 1030, and allows the user to select a service to be used from the services provided by the service providing system 50. For example, when the “print service” button 1031 of the service list selection screen 1030 is pressed, the service utilization application of the terminal device displays the print service screen 1100 or 1110.

  The print service screen 1100 is an example of a screen for transmitting data such as a print job from the terminal device. The user can transmit data such as a print job to the service providing system 50 by setting data such as a print job on the print service screen 1100 and pressing the send button 1101.

  The print service screen 1110 is an example of a screen for displaying a data list such as a print job transmitted to the service providing system 50. By pressing the update button 1111 or the delete button 1112 on the print service screen 1110, the user can update the data list on the print service screen 1110 or delete data such as a print job from the data list. Since the print service screen 1110 in FIG. 16 shows the case where the user is the administrator as an example, data lists of a plurality of users are displayed.

  FIG. 17 is a sequence diagram of an example showing processing of inputting data such as a print job from the terminal device. In step S51, the input reception unit 31 of the terminal device receives, for example, a login request from the user by pressing the service use application selection button 1011 of the application selection screen 1010. The input accepting unit 31 requests the service login request unit 34 to log in.

  In step S52, the service login request unit 34 requests the authentication processing unit 71 of the service providing system 50 to log in as described above. In step S53, the authentication processing unit 71 of the service providing system 50 performs authentication as described above. In step S54, the authentication processing unit 71 transmits an authentication result as a login response to the service login request unit 34 of the terminal device. If the authentication result is successful (authentication OK), the authentication processing unit 71 also transmits a token (cookie) to the service login request unit 34 of the terminal device. The service providing system 50 stores the token in association with the user name of the authenticated user and the company code.

  The process after step S55 represents an example in which the authentication result is success (authentication OK) and data is input to the service providing system 50. In step S55, the input receiving unit 31 of the terminal device receives, for example, data setting of data to be input to the service providing system 50 from the print service screen 1100 of FIG.

  In step S56, the input reception unit 31 sends a data input request of the data for which the data setting has been received from the user to the service use request unit 37. Based on the data input request from the input reception unit 31, in step S57, the service use request unit 37 transmits a data input request by transmitting the aforementioned token and data for which data setting has been received from the user to the service providing system 50. . At this time, the terminal device inputs, for example, print data in PDL (page description language) format or application data created by an application such as word processing software or spreadsheet software to the service providing system 50. Also, execution condition information can be included in the data input request. Also, the data to be input may be URL data specifying web data.

  In step S58, the session management unit 74 of the service providing system 50 confirms whether or not the token received as the data insertion request exists in the stored tokens. If there is a token received as a data input request among the stored tokens, the session management unit 74 prints the user name and company code stored in association with the token in step S59. Send to 61

  In step S60, the print service application 61 requests the authentication processing unit 71 to acquire the user management information associated with the user name and the company code received from the session management unit 74. In step S 61, the authentication processing unit 71 acquires user management information associated with the user name and the company code from the user management information storage unit 82, and transmits the user management information to the print service application 61.

  In step S62, the print service application 61 uses the data format (extension) of the data received as the data input request and the user management information associated with the user name and the company code to convert data (before conversion). Determine the data format, the data format after conversion, and the output conditions at the time of conversion).

  In step S63, the print service application 61 requests the data processing unit 75 to execute data processing by specifying the job ID of the data received as the data input request and the conversion processing content of the determined data. Also, in step S 64, the print service application 61 assigns an output data ID to the data received as a data input request, and records the data in the data storage 85. Also, the print service application 61 records output data management information described later, to which the output data ID is assigned, in the data storage 85.

  In step S 65, the data processing unit 75 acquires data corresponding to the job ID from the data storage 85 in accordance with the data processing requested by the print service application 61. In step S66, the data processing unit 75 performs conversion processing on the acquired data. In step S67, the data processing unit 75 records the data after conversion processing in the data storage 85.

  FIG. 18 is a block diagram of an example of data management information stored in the data management information storage unit. The data management information of FIG. 18 includes, as data items, a job ID, input data URL, one or more conversion data URLs, conversion status, and the like. The job ID is information for specifying data such as an input print job. The input data URL is information indicating a place where the input data is recorded. The conversion data URL is information representing a place where data which has been converted one or more times from input data is recorded. The conversion status is information representing the status of the conversion process, and represents, for example, a status such as “during processing” or “completed”.

  FIG. 19 is a block diagram of an example of output data management information managed by the print service application. The output data management information of FIG. 19 includes, as data items, an output data ID, a company code, user identification information, bibliographic information, a job ID, a conversion status, and the like. The output data management information is information for specifying data such as an input print job. The print service application 61 can determine the state of conversion processing for data such as input print job based on the output data management information.

  FIG. 20 is a sequence diagram of an example of a process of acquiring a data list or deleting data from a service providing system. The processes of steps S71 to S74 are the same as the processes of steps S51 to S54 of FIG.

  The process of steps S75 to S84 represents an example in which the authentication result is successful and the data list is acquired from the service providing system 50. In step S75, the input reception unit 31 of the terminal device receives, for example, a data list acquisition request from the print service screen 1110 of FIG.

  In step S76, the input accepting unit 31 sends a request for acquiring a data list to the service use requesting unit 37. Based on the data list acquisition request from the input reception unit 31, the service use request unit 37 transmits the above-described token and data list acquisition request to the service providing system 50 in step S77, thereby acquiring the data list acquisition request. Do.

  The session management unit 74 of the service providing system 50 performs the same session confirmation as in step S58 of FIG. 17, and confirms whether or not the token received as the data list acquisition request exists in the stored tokens. . If the token received as a data list acquisition request exists in the stored token, the session management unit 74 prints the user name and the company code stored in association with the token in step S78. Send to the service application 61.

  In step S79, the print service application 61 refers to the output data management information shown in FIG. 19 and confirms the conversion status of the output data management information corresponding to the received user name and company code. If there is a conversion status “in process” in the conversion status of the output data management information corresponding to the received user name and company code, the conversion status may have changed. Determine to perform an update.

  Here, the description will be continued on the assumption that the conversion status is determined to be updated. If it is determined that the conversion status is to be updated, the print service application 61 transmits the job ID of the output data management information corresponding to the received user name and company code to the data processing unit 75 in step S80, and corresponds to the job ID. Request for acquisition of conversion status of data management information. In step S81, the data processing unit 75 refers to the data management information shown in FIG. 18 and acquires the conversion status of the data management information corresponding to the received job ID.

  In step S 82, the data processing unit 75 transmits the conversion status of data management information corresponding to the received job ID to the print service application 61. In step S 83, the print service application 61 updates the output data management information based on the conversion status of the data management information corresponding to the job ID received from the data processing unit 75.

  Then, in step S84, the print service application 61 transmits a data list based on the updated output data management information to the service use request unit 37 of the terminal device. For example, the print service application 61 includes the job whose conversion status is “completed” in the data list.

  If it is determined in step S79 that the conversion status is not to be updated, the output data management information is not updated, and in step S84, the service use request unit 37 of the terminal apparatus is provided with a data list based on the output data management information. Send.

  Therefore, based on the conversion status changed by the processing of the data processing unit 75, the terminal apparatus can display the data list for which the conversion processing has been completed, as shown in FIG.

  Further, the process of steps S91 to S96 represents an example in which the authentication result is successful and data is deleted from the service providing system 50. In step S91, the input receiving unit 31 of the terminal device receives, for example, a data deletion request from the print service screen 1110 of FIG.

  In step S 92, the input reception unit 31 sends a data deletion request to the service usage request unit 37. Based on the data deletion request from the input reception unit 31, the service use request unit 37 sends a data deletion request by transmitting the above-described token and data deletion request to the service providing system 50 in step S93.

  The session management unit 74 of the service providing system 50 performs the same session confirmation as in step S58 in FIG. 17, and confirms whether the token received as a data deletion request exists in the stored tokens.

  If there is a token received as a request to delete data in the stored token, the session management unit 74 prints the user name and company code stored in association with the token in step S94. Send to app 61. In step S95, the print service application 61 transmits the received user name and company code to the data processing unit 75, and makes a data deletion request. In step S96, the data processing unit 75 executes data deletion processing based on the data deletion request.

  The process of step S79 of FIG. 20 can be performed, for example, according to the procedure shown in the flowchart of FIG. In step S101, the print service application 61 refers to the user management information shown in FIG. 8 and manages the role of the login user who made the data list acquisition request from the received user name and user management information corresponding to the company code. To determine whether or not

  If the role of the login user is the administrator, the print service application 61 refers to the output data management information shown in FIG. 19 in step S102, and confirms the conversion status of the output data management information corresponding to the received company code. . On the other hand, if the role of the login user is the user, the print service application 61 refers to the output data management information shown in FIG. 19 in step S103, and corresponds to the received company code and user name (user identification information). Check the conversion status of output data management information.

  In step S104, the print service application 61 determines whether the conversion status of the output data management information confirmed in step S102 or S103 is only "completed". If the conversion status confirmed in step S102 or S103 is only “completed”, the print service application 61 ends the processing of the flowchart in FIG. 21 because there is no possibility that the conversion status has changed.

  On the other hand, if the conversion status confirmed in step S102 or S103 is not only “completed”, the print service application 61 performs the process of step S105 because the conversion status may have changed. In step S105, the print service application 61 requests acquisition of the conversion status of data management information corresponding to the job ID whose conversion status is not "completed".

<< Data list acquisition process >>
The screen transition when the image forming apparatus 14 such as a multifunction peripheral (MFP) acquires the data list is as shown in FIG. 22, for example. FIG. 22 is an exemplary screen transition diagram when the image forming apparatus acquires a data list.

  For example, the image forming apparatus 14 displays a service list selection screen 1030, and allows the user to select a service to be used from the services provided by the service providing system 50. For example, when the “print service” button 1031 of the service list selection screen 1030 is pressed, the service utilization application of the image forming apparatus 14 displays the print service screen 1200.

  The print service screen 1200 is an example of a screen for displaying a data list such as a print job transmitted to the service providing system 50. The user can output or delete data such as a print job from the data list of the print service screen 1200 by pressing the output button 1201 or the delete button 1202 of the print service screen 1200.

  FIG. 23 is a sequence diagram of an example of processing for acquiring a data list from the service providing system. The processes of steps S111 to S114 are the same as the processes of steps S51 to S54 of FIG.

  The process after step S115 represents an example in which the authentication result is success. In step S115, the service login request unit 34 sends the above-described token and data list acquisition request to the service providing system 50 to make a data list acquisition request.

  The session management unit 74 of the service providing system 50 performs the same session confirmation as in step S58 of FIG. 17, and confirms whether or not the token received as the data list acquisition request exists in the stored tokens. . If the token received as a data list acquisition request exists in the stored token, the session management unit 74 prints the user name and the company code stored in association with the token in step S116. Send to the service application 61.

  In step S117, the print service application 61 performs status determination similar to that of step S79 in FIG. If there is a conversion status “in process” in the conversion status of the output data management information corresponding to the received user name and company code, the print service application 61 outputs the output data corresponding to the received user name and company code in step S118. The job ID of the management information is transmitted to the data processing unit 75, and the acquisition request of the conversion status of the data management information corresponding to the job ID is made. In step S119, the data processing unit 75 refers to the data management information shown in FIG. 18 and acquires the conversion status of the data management information corresponding to the received job ID.

  In step S120, the data processing unit 75 transmits the conversion status of the data management information corresponding to the received job ID to the print service application 61. In step S121, the print service application 61 updates the output data management information based on the conversion status of the data management information corresponding to the job ID received from the data processing unit 75.

  Then, in steps S122 and S123, the print service application 61 transmits a data list based on the updated output data management information to the service use request unit 37 of the image forming apparatus 14 via the session management unit 74. If it is determined in step S117 that the conversion status is not updated, the output data management information is not updated, and in steps S122 and S123, the data list based on the output data management information is used by the service of the image forming apparatus 14. It is transmitted to the request unit 37.

  Therefore, based on the conversion status changed by the processing of the data processing unit 75, the image forming apparatus 14 can display the data list for which the conversion processing has ended, as shown in FIG.

<< Data output processing / data deletion processing >>
FIG. 24 is a sequence diagram of an example of a process of outputting data from the image forming apparatus or deleting data from the service providing system. The processing of the sequence diagram of FIG. 24 is performed, for example, after the processing of the sequence diagram of FIG.

  The processing in steps S131 to S141 represents an example in which the authentication result is successful and data is output from the image forming apparatus 14. In step S131, the input reception unit 31 of the image forming apparatus 14 receives, for example, a data output request from the print service screen 1200 of FIG.

  In step S132, the input / output unit 31 sends an acquisition request for data (output target data) for which the output request has been received to the service use request unit 37. In step S133, the service utilization request unit 37 transmits the above-described token and data list acquisition request to the service providing system 50 to make a data acquisition request.

  The session management unit 74 of the service providing system 50 performs the same session confirmation as in step S58 of FIG. 17, and confirms whether or not the token received as the data acquisition request exists in the stored tokens. If the token received as the data acquisition request exists in the stored token, the session management unit 74 prints the user name and the company code stored in association with the token in step S134. Send to app 61.

  In step S135, the print service application 61 transmits the received job name of the output data management information corresponding to the received user name and company code to the data processing unit 75, and makes a request for acquiring data corresponding to the job ID. In step S136, the data processing unit 75 refers to the data management information shown in FIG. 18 and acquires data corresponding to the received job ID. In step S137, the data processing unit 75 transmits data corresponding to the received job ID to the print service application 61.

  Before transmitting the data to the image forming apparatus 14, the print service application 61 rewrites the public network N2 side username (Kobayashi) to a private network N1 side username (Koba).

  In steps S138 and S139, the print service application 61 transmits the acquired data to the service use request unit 37 of the image forming apparatus 14 via the session management unit 24. In step S140, the service usage request unit 37 transmits the received data to the function processing unit 33 such as an output unit. In step S141, the function processing unit 33 outputs the received data. In step S141, the image forming apparatus 14 can output the data as the private user name (Koba) on the network N1 side.

  In addition, the process of steps S142 to S147 represents a case where the authentication is successful and data is deleted from the service providing system 50. In step S142, the input receiving unit 31 of the image forming apparatus 14 receives, for example, a data deletion request from the print service screen 1200 of FIG.

  In step S143, the input reception unit 31 sends a data deletion request to the service usage request unit 37. Based on the data deletion request from the input reception unit 31, the service use request unit 37 sends a data deletion request by transmitting the token and the data deletion request to the service providing system 50 in step S144.

  The session management unit 74 of the service providing system 50 performs the same session confirmation as in step S58 in FIG. 17, and confirms whether the token received as a data deletion request exists in the stored tokens.

  If there is a token received as a request for deletion of data among the stored tokens, the session management unit 74 prints the user name and the company code stored in association with the token in step S145. Send to app 61. In step S146, the print service application 61 transmits the received user name and company code to the data processing unit 75, and makes a data deletion request. In step S147, the data processing unit 75 executes data deletion processing based on the data deletion request.

<Summary>
In the system 1 according to the first embodiment, a private network is provided by providing a mechanism for associating user identification information (user name) authenticated on the private network N1 side with a user name on the public network N2 side. Authentication on the N1 side and authentication on the public network N2 side can be seamlessly coordinated while maintaining information security.
Second Embodiment
In the first embodiment, the service providing system 50 records the correspondence between the authenticated user name on the private network N1 side and the public network N2 side user name. In the second embodiment, an association between a username authenticated on the private network N1 and a username on the public network N2 is recorded in the private network N1 authentication device 17. Description of the same parts as those of the first embodiment will be omitted. The system configuration and the hardware configuration are the same as in the first embodiment.

<Software configuration>
The software configuration of the authentication device 17 and the service providing system 50 is different from that of the first embodiment. The authentication device 17 according to the second embodiment is realized by, for example, a processing block shown in FIG. FIG. 25 is a process block diagram of an example of the authentication apparatus according to the present embodiment.

  The authentication device 17 of FIG. 25 implements an authentication processing unit 41, an authentication information storage unit 42, and a user information registration unit 43 by executing a program. The authentication device 17 of FIG. 25 is obtained by adding the user information registration unit 43 to the authentication device 17 of FIG. The user information registration unit 43 corresponds to the user information registration unit 73 included in the service providing system 50 in the first embodiment. The user information registration unit 43 receives a registration request for a part or all of the authenticated authentication information from a terminal device such as the client terminal 11, and registers the authentication information in authentication information described later.

  Therefore, the registration request unit 35 of the office device 30 in the second embodiment replaces the registration of a part (for example, a user name or the like) or all of the authentication information authenticated by the authentication device 17 with the service providing system 50. To request.

  Further, the service providing system 50 according to the second embodiment is realized by, for example, a processing block shown in FIG. FIG. 26 is a processing block diagram of an example of the service providing system according to the present embodiment. The service providing system 50 of FIG. 26 is obtained by deleting the user information registration unit 73 of the service providing system 50 of FIG.

  The authentication information storage unit 42 of the authentication device 17 stores, for example, authentication information as shown in FIG. FIG. 27 is a block diagram of an example of authentication information stored in the authentication information storage unit. The authentication information in FIG. 27 is obtained by adding the service user name and the service password as data items to the authentication information in FIG. The service user name and the service password correspond to authentication information on the public network N2 side.

  According to the authentication information of FIG. 27, the system 1 of the second embodiment can cooperate the authentication on the private network N1 side and the authentication on the public network N2 side while maintaining information security.

  The user management information of the second embodiment is as shown in FIG. FIG. 28 is a block diagram of an example of user management information stored in the user management information storage unit. The user management information of FIG. 28 is obtained by deleting the office authentication information from the user management information of the first embodiment shown in FIG.

<Details of processing>
Regarding the process, the login process of the system 1 according to the present embodiment is different from that of the first embodiment.

  FIG. 29 is a flowchart of an example showing a login process of the system according to the present embodiment. Note that the flowchart in FIG. 29 is the same as the flowchart in FIG.

  In step S151, the image forming apparatus 14 receives an authentication request by inputting a card ID of an IC card, which is an example of authentication information, from the user. In step S152, the authentication request unit 32 of the image forming apparatus 14 transmits authentication information to the authentication device 17, and requests authentication.

  In step S153, the authentication processing unit 41 of the authentication apparatus 17 performs user authentication to determine whether the user name and password included in the authentication information from the image forming apparatus 14 exist in the authentication information shown in FIG. If the user name and password included in the authentication information exist in the authentication information shown in FIG. 27, the authentication processing unit 41 determines that the user authentication is successful (authentication is OK), and performs the process of step S155.

  In step S 155, the authentication processing unit 41 reads the authentication information (user information) including the user name and password from the image forming apparatus 14 from the authentication information storage unit 42, and transmits the information to the authentication request unit 32 of the image forming apparatus 14. Notify user authentication success.

  If the user name and password included in the authentication information do not exist in the authentication information shown in FIG. 27, the authentication processing unit 41 determines that the user authentication is unsuccessful (authentication NG), and performs the process of step S154. In step S154, the authentication processing unit 41 notifies the authentication request unit 32 of the image forming apparatus 14 of the user authentication failure, and ends the processing of the flowchart in FIG.

  In step S156, the image forming apparatus 14 notified of the user authentication success receives a login request from the user to the service providing system. In step S157, the service login request unit 34 of the image forming apparatus 14 determines whether the “cooperation with in-house authentication” login setting is selected.

  If the login setting “to cooperate with in-house authentication” is not selected, the service login request unit 34 displays, for example, the login screen 1020 shown in FIG. 11 in step S158, and displays the company code, the user name and password on the public network N2 side. Let the user enter After the process of step S158, the image forming apparatus 14 logs in to the service providing system 50 by the process of the flowchart shown in FIG.

  In step S157, the service login request unit 34 performs the process of step S159 if the “cooperation with in-house authentication” login setting is selected. In step S159, the service login request unit 34 determines whether a service user name and a service password exist in the user information received in step S155.

  If the service user name and the service password exist, the service login request unit 34 transmits the company code, the device authentication information, the service user name, and the service password as authentication information to the service providing system in step S160, and requests login. After the process of step S160, the image forming apparatus 14 logs in to the service providing system 50 by the process of the flowchart shown in FIG.

  If the service user name and the service password do not exist, the service login request unit 34 starts the company code, the user name (Kobayashi) and the password as an example of authentication information on the public network N2 side from the login screen 1020 in step S161. Make it input.

  In step S162, the service login request unit 34 of the image forming apparatus 14 transmits the company code, the device authentication information, the user name (Kobayashi) and the password as authentication information to the service providing system, and requests login.

  In step S163, the authentication processing unit 71 of the service providing system 50 performs the same enterprise authentication determination as in step S12. If the authentication processing unit 71 determines that the company authentication is successful (authentication is OK), the process of step S164 is performed.

  In step S164, the authentication processing unit 71 performs the same device authentication determination as in step S13. If the authentication processing unit 71 determines that the device authentication is successful (authentication is OK), the processing in step S165 is performed.

  In step S165, the authentication processing unit 71 performs the same user authentication determination as in step S14. If the authentication processing unit 71 determines that the user authentication is successful (authentication is OK), the processing in step S167 is performed.

  In step S167, the authentication processing unit 71 determines that the authentication result for the login request from the image forming apparatus 14 is successful (authentication OK). In step S168, the registration request unit 35 of the image forming apparatus 14 requests the authentication apparatus 17 to register the authenticated service user name (Kobayashi) and service password on the public network N2 side. The registration request in step S38 includes the user name on the private network N1 side, the service user name, and the service password.

  In step S169, the user information registration unit 43 of the authentication device 17 associates the service user name and the service password with the private network N1 side user name (user identification information) and registers it in the authentication information.

  When the authentication processing unit 71 determines that the company authentication is unsuccessful (authentication NG) in step S163, and when it is determined that the device authentication is unsuccessful (authentication NG) in step S164, the authentication processing unit 71 determines that the user authentication fails (authentication NG) in step S165. At the time, in step S166, the authentication result in response to the registration request from the image forming apparatus 14 is determined as failure (authentication NG).

  As shown in the flowchart of FIG. 29, the user is associated with authentication information (Koba) authenticated on the private network N1 side and service user name (Kobayashi) authenticated on the public network N2 side. In the case where there is, it is possible to log in to the service providing system 50 without inputting the authentication information on the public network N2 side in the login screen 1020.

  Also, even if the user is not associated with the authentication information, the username (Koba) authenticated on the private network N1 side and the service username (Kobayashi) authenticated on the public network N2 side. It is possible to easily register authentication information that associates an authenticated user name (Koba) on the private network N1 side with a service user name (Kobayashi) authenticated on the public network N2 side.

<Summary>
In the system 1 according to the second embodiment, the private network N1 is associated with the user identification information (user name) authenticated on the private network N1 side and the authenticated user name on the public network N2 side. It can be recorded by the side.
Third Embodiment
In the third embodiment, there is no authentication device 17 on the private network N1 side, and authentication is performed by the office device 30. Description of the same parts as those of the first embodiment will be omitted.

  FIG. 30 is a block diagram of an example of a system according to the present embodiment. The system 2 of FIG. 30 is obtained by deleting the authentication device 17 from the system 1 of FIG. In the case of the system 2, the software configuration of the office device 30 is as shown in FIG.

  FIG. 31 is a processing block diagram of an example of the office device according to the present embodiment. The office device 30 illustrated in FIG. 31 has a processing block when the authentication device 17 is deleted from the system 1 of the first embodiment and a processing block when the authentication device 17 is deleted from the system 1 of the second embodiment. And show.

  FIG. 31A is a processing block diagram of the office device 30 when the authentication device 17 is deleted from the system 1 of the first embodiment. The office device 30 of FIG. 31A has a configuration in which the authentication processing unit 38 and the authentication information storage unit 39 are added to the office device 30 of FIG. 3 and the authentication request unit 32 is deleted. The authentication processing unit 38 and the authentication information storage unit 39 are the same as the authentication processing unit 41 and the authentication information storage unit 42 of the authentication device 17.

  FIG. 31B is a processing block diagram of the office device 30 when the authentication device 17 is deleted from the system 1 of the second embodiment. The office device 30 shown in FIG. 31B has a configuration in which the authentication processing unit 38, the authentication information storage unit 39 and the user information registration unit 40 are added to the office device 30 shown in FIG. . The user information registration unit 40 is similar to the user information registration unit 43 of the authentication device 17 of FIG.

<Summary>
In the printing system 2 according to the third embodiment, even if there is no authentication device 17, the user identification information (user name) authenticated on the private network N1 side and the user name on the public network N2 side Can provide a mechanism to

  The present invention is not limited to the above specifically disclosed embodiments, and various modifications and changes are possible without departing from the scope of the claims.

1, 2 system 11 client terminal 12 portable terminal 13 print control device 14 image forming device 15 projector 16 other device 17 authentication device 21 access control device 22 print service providing device 23 scan service providing device 24 other service providing device 31 input accepting unit 32 authentication request unit 33 function processing unit 34 service login request unit 35 registration request unit 36 login setting unit 37 service use request unit 38, 41, 71 authentication processing unit 39, 42 authentication information storage unit 50 service providing system 51 service application 52 platform 53 management data storage unit 53
54 Platform API (Application Programming Interface)
61 Print Service Application 62 Scan Service Application 63 Other Service Applications 72 Device Communication Unit 40, 43, 73 User Information Registration Unit 74 Session Management Unit 75 Data Processing Unit 81 Corporate Management Information Storage Unit 82 User Management Information Storage Unit 83 Device Management Information Storage unit 84 Data management information storage unit 85 Data storage 100 Computer system 101 Input device 102 Display device 103 External I / F
103a, 203a recording medium 104 RAM
105 ROM
106 CPU
107 Communication I / F
108 HDD
FW Firewall N1 to N3 Network

JP, 2008-244518, A

Claims (5)

A system in which an apparatus using a service and an information processing apparatus providing the service to the apparatus exist on different networks and are connected via the network,
The device is
An acquisition unit configured to acquire the first authentication information , which is first authentication information used for authentication on a first network in which the device is present , and in which user authentication has succeeded ;
Authentication request means for transmitting, to the information processing apparatus, an authentication request including user specifying information for specifying a user among the first authentication information,
The information processing apparatus is
Receiving means for receiving the authentication request;
Authentication processing for performing authentication on the second network using management information that associates the user identification information included in the received authentication request with information used for authentication on the second network where the information processing apparatus exists Means,
With a system. A system in which an apparatus using a service and an information processing apparatus providing the service to the apparatus exist on different networks and are connected via the network,
The device is
A first acquisition unit that acquires the first authentication information that is the first authentication information that is used for authentication on the first network in which the device is present , and in which user authentication has succeeded ;
A second acquisition unit that acquires second authentication information used for authentication on a second network in which the information processing apparatus exists;
An authentication request for transmitting, to the information processing apparatus, a first authentication request including user identification information for specifying a user among the first authentication information or a second authentication request including the second authentication information. Means, and
The authentication request means transmits the first authentication request when the authentication on the first network and the authentication on the second network cooperate with each other, and the authentication on the first network and the second Sending the second authentication request if the authentication on the network does not cooperate,
The information processing apparatus is
Receiving means for receiving the first authentication request or the second authentication request;
When authentication on the first network cooperates with authentication on the second network, the user identification information included in the received first authentication request and information used for authentication on the second network Authentication on the second network using the management information that associates the two, and if the authentication on the first network and the authentication on the second network do not cooperate, the information is included in the received second authentication request Authentication processing means for performing authentication on the second network using the second authentication information to be transmitted;
With a system. The first authentication request includes device management information on the device,
When the authentication on the first network and the authentication on the second network cooperate with each other, the authentication processing means includes user identification information and the device management information included in the received first authentication request. The system according to claim 2, wherein authentication on the second network is performed using the management information that associates information used for authentication on the second network. The system according to claim 3, wherein the second authentication information includes the device management information.   The system according to claim 3, wherein the device management information includes information identifying a group.

Images