
AUTHENTICATION FEDERATION SYSTEM AND ID PROVIDER DEVICE

  • US 20130247142A1
  • Filed: 05/09/2013
  • Published: 09/19/2013
  • Est. Priority Date: 11/09/2010
  • Status: Active Grant
First Claim

1. An authentication federation system comprising:

  • an ID provider device which is configured to perform log-in processing for a user terminal operable by a user and which has a first memory; and

  • a plurality of service provider devices which are configured to transmit service data to the user terminal when the log-in processing is successful and which have second memories,

  the ID provider device comprising

    • a user attribute information storage unit which stores pieces of user attribute information in which item names of user attributes to identify the user are associated with item values of the user attributes, the item names including at least a user ID to identify the user,
    • a service usage storage unit which stores the user ID, a service provider ID, and service usage in association with one another, the service provider ID serving to identify each of the service provider devices, the service usage indicating a service in use showing that the transmission of the service data is permitted, or a service unused showing that the transmission of the service data is not permitted,
    • a policy storage unit which stores pieces of policy information for each service provider ID, the policy information indicating a user to whom the service provider device identified by the service provider ID is permitted to transmit the service data,
    • an item name storage unit which stores some of the item names of the user attributes in the user attribute information in association with the service provider ID,
    • a key storage unit which stores a signature generating key for the ID provider device,
    • a unit which outputs a user authentication request including the address information for the user terminal in an authentication federation request in response to the authentication federation request which is transmitted from one of the service provider devices and which includes the service provider ID for the service provider device and the address information for the user terminal,
    • a unit which performs log-in processing to transmit a log-in request to the user terminal in accordance with the address information for the user terminal in the output user authentication request, and authenticates a user ID and user authentication information received from the user terminal in accordance with the user ID and the reference information in the user attribute information storage unit,
    • a unit which outputs a policy evaluation request including the user ID used in the log-in processing and the service provider ID in the authentication federation request when the log-in processing is successful,
    • a unit which reads the user attribute information from the user attribute information storage unit in accordance with the user ID in the output policy evaluation request,
    • a unit which reads the policy information from the policy storage unit in accordance with the service provider ID in the output policy evaluation request,
    • a transmission permission judging unit which judges whether to permit the transmission of the service data in accordance with the read user attribute information, the kind of service to be used by the user, the operation to be performed for a service by the user, and environmental conditions of the user for the execution of a service conform to the read policy information,
    • a unit which outputs a policy evaluation reply including the judgment result to a transmission source of the policy evaluation request,
    • a unit which outputs an account federation request including the user ID and the service provider ID in the policy evaluation request when the judgment result in the policy evaluation reply indicates permission,
    • a unit which reads some of the item names of the user attributes from the item name storage unit in accordance with the service provider ID in the output account federation request,
    • a unit which acquires user attribute partial information comprising item names corresponding to some of the item names and item values associated with the item names in the user attribute information including the user ID corresponding to the user ID in the user attribute information storage unit in accordance with some of the item names that have been read and the user ID in the account federation request,
    • a unit which adds an account registration instruction to the acquired user attribute partial information to create an account federation request message,
    • a unit which transmits the account federation request message to the service provider device which is a transmission source of the account federation request,
    • a unit which outputs an account federation reply indicating registration completion when the service provider device which is a transmission destination of the account federation request message reports the registration completion including the service provider ID of the service provider device and the user ID in the user attribute partial information,
    • a unit which updates the service usage in the service usage storage unit from the service unused to the service in use in accordance with the service provider ID and the user ID included in the registration completion in the output account federation reply,
    • a unit which outputs an authentication federation execution request including the service provider ID and the user ID included in the registration completion in the output account federation reply,
    • a unit which issues an authentication federation ID shared between the service provider device identified by the service provider ID in an authentication federation execution request and the ID provider device in response to the authentication federation execution request, and writes the authentication federation ID and the user ID in the authentication federation execution request into the first memory in association with each other,
    • a unit which generates a digital signature based on the signature generating key for an assertion body including the issued authentication federation ID and the name of an authentication method for the log-in processing, and creates an authentication assertion including the assertion body and the digital signature, and
    • a unit which transmits an authentication federation reply including the created authentication assertion to the service provider device which is a transmission source of the authentication federation request,

  the service provider device comprising

    • a user attribute partial information storage unit which stores the user attribute partial information and an SP-side user ID in association with each other, some of the item names and item values of the user attributes in the user attribute information in the user attribute information storage unit being associated with one another in the user attribute partial information, the SP-side user ID serving to identify the user in the service provider device,
    • a verification policy storage unit which stores an authentication assertion verification policy including the name of an authentication method for the log-in processing to permit the transmission of the service data when the log-in processing is successful, and a signature verification key corresponding to the signature generating key,
    • a service data storage unit which stores the service data,
    • a unit which judges whether a service request includes the authentication token in response to the service request from the user terminal, and transmits the authentication token and the service data in the service data storage unit to the user terminal when the service request includes the authentication token, or transmits an authentication federation request including the service provider ID of the service provider device and the address information for the user terminal to the ID provider device when the service request does not include the authentication token,
    • a unit which issues a new SP-side user ID when receiving the account federation request message, and registers the issued SP-side user ID and the user attribute partial information in the account federation request message in the user attribute partial information storage unit in association with each other,
    • a unit which reports, after the registration, registration completion including the user ID in the registered user attribute partial information and the service provider ID in the service provider device to the ID provider device which is a transmission source of the account federation request message,
    • a unit which extracts an authentication federation ID from the authentication assertion in the authentication federation reply in response to the authentication federation reply from the ID provider device, and writes the extracted authentication federation ID and the user ID in the registered user attribute partial information into the second memory in association with each other,
    • a verification unit which verifies the authentication method name and the digital signature in the authentication assertion in accordance with the authentication method name and the signature verification key in the authentication assertion verification policy,
    • a unit which issues an authentication token and writes the authentication token into the second memory in association with the authentication federation ID when all the verification results are proper,
    • a unit which outputs a service execution request including the written authentication token and the user ID which is associated with the authentication token in the second memory via the authentication federation ID, and
    • a unit which transmits the authentication token in the service execution request and the service data in the service data storage unit in accordance with the output service execution request.
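As an added illustration (not code from the patent or from any assignee's product), the following Python models the ID-provider and service-provider roles of claim 1 after a successful log-in: policy evaluation against stored user attributes, release of only the item names stored for that service provider ID, issuance of an authentication federation ID recorded in the first memory, a signed assertion carrying that ID and the authentication method name, and the service provider's verification policy check (method name plus signature) before it binds an authentication token to the federation ID in the second memory. The claim's signature generating / signature verification key pair is modelled with a single HMAC key so the example runs on the standard library alone; all users, policies and keys are constructed sample values.

```python
import hmac, hashlib, json, secrets

USER_ATTRS = {  # user attribute information storage unit (constructed sample users, item name -> item value)
    "u001": {"user_id": "u001", "name": "Alice", "dept": "sales", "email": "alice@example.test"},
    "u002": {"user_id": "u002", "name": "Bob", "dept": "hr", "email": "bob@example.test"},
}
POLICY = {"sp-A": {"dept": {"sales"}}}               # policy storage unit, keyed by service provider ID
ITEM_NAMES = {"sp-A": ["user_id", "name", "email"]}  # item name storage unit: attributes sp-A may receive
SERVICE_USAGE = {}                                   # service usage storage unit: (user_id, sp_id) -> usage
IDP_MEMORY = {}                                      # first memory: authentication federation ID -> user ID
SIGNING_KEY = b"constructed-idp-key"  # assumption: one HMAC key stands in for the signing/verification pair
def evaluate_policy(user_id, sp_id):
    """Transmission permission judging unit: the user's attributes must conform to the SP's stored policy."""
    return sp_id in POLICY and all(USER_ATTRS[user_id].get(n) in ok for n, ok in POLICY[sp_id].items())

def partial_attributes(user_id, sp_id):
    """Release only the item names stored for this service provider ID (user attribute partial information)."""
    return {name: USER_ATTRS[user_id][name] for name in ITEM_NAMES[sp_id]}

def create_assertion(fed_id, auth_method):
    """Assertion body = federation ID + authentication method name; the signature covers the canonical body."""
    body = json.dumps({"fed_id": fed_id, "auth_method": auth_method}, sort_keys=True)
    return {"body": body, "sig": hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()}

VERIFY_POLICY = {"auth_method": "password", "key": SIGNING_KEY}  # verification policy storage unit (SP side)
SP_ACCOUNTS = {}  # user attribute partial information storage unit: SP-side user ID -> released attributes
SP_MEMORY = {}    # second memory: federation ID -> IdP user ID, and authentication token -> federation ID
def sp_verify(assertion, idp_user_id):
    """Verification unit: check signature and method name; on success bind a new token to the federation ID."""
    expected = hmac.new(VERIFY_POLICY["key"], assertion["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return None  # signature does not verify under the verification policy key
    body = json.loads(assertion["body"])
    if body["auth_method"] != VERIFY_POLICY["auth_method"]:
        return None  # log-in method does not match the verification policy
    SP_MEMORY[body["fed_id"]] = idp_user_id  # extracted federation ID <-> registered user ID
    token = secrets.token_hex(16)
    SP_MEMORY[token] = body["fed_id"]        # authentication token <-> federation ID
    return token

def federate(user_id, sp_id, auth_method):
    """After a successful log-in: policy -> account federation -> federation ID -> assertion -> token."""
    if not evaluate_policy(user_id, sp_id):
        return None  # policy evaluation reply: transmission not permitted
    sp_uid = "spuid-" + secrets.token_hex(4)  # new SP-side user ID issued on account registration
    SP_ACCOUNTS[sp_uid] = partial_attributes(user_id, sp_id)
    SERVICE_USAGE[(user_id, sp_id)] = "in use"  # updated from "unused" on registration completion
    fed_id = secrets.token_hex(8)  # authentication federation ID shared by both devices
    IDP_MEMORY[fed_id] = user_id
    return sp_verify(create_assertion(fed_id, auth_method), SP_ACCOUNTS[sp_uid]["user_id"])
```

A later service request carrying the token is resolved through `SP_MEMORY[token]` to the federation ID and from there to the user, which is the lookup the claim's service execution request performs.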
