
Authentication collaboration system and ID provider device

  • US 8,793,759 B2
  • Filed: 03/05/2013
  • Issued: 07/29/2014
  • Est. Priority Date: 12/27/2011
  • Status: Active Grant
First Claim

1. An authentication collaboration system, comprising:

  • an ID provider device that performs a log-in process of a user terminal operated by a user; and
  • a service provider device that transmits service data to the user terminal when the log-in process is completed,

wherein the user terminal transmits a service use request to the service provider device,

the ID provider device includes

  • an IDP user attribute information storage unit that stores IDP user attribute information in which an item name of a user attribute including a user identifier identifying the user and specifying the user is associated with an item value of the user attribute,
  • an IDP authentication session storage unit that stores an ID of the user in association with an authentication token representing that the log-in status of the user is a log-in completion status,
  • a policy information storage unit that stores policy information representing a user of a target to whom transmission of the service data is permitted,
  • a key storage unit that stores a signature generation key of the ID provider device,
  • an IDP authentication collaborating unit that transmits a log-in request to the user terminal when a log-in process of the user terminal is in a non-completion status, receives an SP authentication collaboration request issued from the service provider device that has received the service use request when the log-in process of the user terminal is in a completion status, generates a digital signature on an assertion context including an authentication scheme name of the log-in process based on the signature generation key, generates an authentication assertion including the assertion context and the digital signature, and transmits an authentication collaboration response including the authentication assertion to the service provider device, and
  • an authentication collaboration control unit includes
      • a log-in status determining unit that performs a log-in status checking process of checking whether or not an authentication token issued to the user remains stored in the authentication session storage unit when the SP authentication collaboration request is received from the user terminal,
      • an authentication collaboration request transfer unit that transfers the SP authentication collaboration request to the IDP authentication collaborating unit when a result of the log-in status checking process is a log-in non-completion status,
      • an authentication identifying unit that receives authentication information of the user transmitted based on the log-in request from the IDP authentication collaborating unit from the user terminal and performs the log-in process based on the received authentication information,
      • a policy evaluating unit that evaluates whether or not a user operating the user terminal based on the IDP user attribute information acquired from the IDP user attribute information storage unit and the policy information is a user of a target to whom transmission of service data is permitted based on a user ID stored in the authentication session storage unit in association with the authentication token issued to the user when a result of the log-in status checking process is the log-in completion status, and evaluates whether or not a user operating the user terminal based on the IDP user attribute information acquired from the IDP user attribute information storage unit and the policy information is a user to whom transmission of service data is permitted based on a user ID included in the authentication information when a result of the log-in status checking process is the log-in non-completion,
      • an account collaborating unit that performs an account collaboration process with the service provider device with reference to the acquired IDP user attribute information when an evaluation result by the policy evaluating unit is permission, and generates an SP side user ID which is an identifier of the user in the service provider device, and
      • an authentication collaboration request transfer unit that transmits the SP authentication collaboration request to the IDP authentication collaborating unit after the account collaboration process, and

the service provider device includes

  • a verification policy storage unit that stores verification policy including an authentication scheme name of the log-in process of permitting transmission of the service data when the authentication collaboration response is received and a signature verification key corresponding to the signature generation key,
  • an SP user attribute information storage unit that stores account registration in which the SP side user ID issued in the account collaboration process is associated with user attribute partial information which is at least one item name and one item value among item names and item values of a user attribute included in the user attribute information,
  • an SP authentication collaborating unit that determines whether or not the service use request includes the authentication token when the service use request is received, transmits the authentication token and the service data to the user terminal when it is determined that the service use request includes the authentication token, issues an SP authentication collaboration request including address information of the user terminal to the ID provider device when it is determined that the service use request does not include the authentication token, verifies the authentication scheme name and the digital signature based on the authentication scheme name and the signature verification key in the verification policy when the authentication collaboration response is received, and issues the authentication token and transmits the authentication token and the service data to the user terminal when the verification result is valid, and
  • an SP authentication session storage unit that stores the SP side user ID and the authentication token in association with each other.
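The claim above describes a federated log-in flow: the service provider (SP) checks a service use request for its own authentication token, otherwise asks the ID provider (IdP) for an authentication collaboration; the IdP checks its session store, runs the log-in process if needed, evaluates policy against the user's attributes, performs account collaboration to mint an SP side user ID, signs an assertion context carrying the authentication scheme name, and the SP verifies both the scheme name and the signature against its verification policy before issuing a token. The following is an added simulation of that flow written for this page, not code from the patent or its assignee. Every user, attribute, policy entry and key is constructed; the patent's asymmetric signature generation / verification key pair is stood in by a single HMAC-SHA256 key so the example runs with the standard library alone, and the IdP's own session token is modelled separately from the SP's token, as the claim keeps them distinct.

```python
"""Added example: simulation of the claimed SP/IdP authentication collaboration.
All identities, attributes and keys below are constructed for the example.
HMAC-SHA256 stands in for the patent's asymmetric signature key pair."""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field

AUTH_SCHEME = "password"  # authentication scheme name placed in the assertion context


@dataclass
class IdProvider:
    signature_key: bytes                              # key storage unit (constructed key)
    users: dict                                       # IDP user attribute information storage unit
    policy: dict                                      # policy information: item name -> allowed values
    sessions: dict = field(default_factory=dict)      # IDP authentication session storage: token -> user ID
    sp_ids: dict = field(default_factory=dict)        # user ID -> SP side user ID from account collaboration

    def login_status(self, idp_token):
        """Log-in status checking process: is a token for the user still stored?"""
        return self.sessions.get(idp_token)

    def authenticate(self, user_id, password):
        """Authentication identifying unit: the log-in process on submitted credentials."""
        user = self.users.get(user_id)
        if user is None or not hmac.compare_digest(user["password"], password):
            return None
        idp_token = secrets.token_hex(16)
        self.sessions[idp_token] = user_id
        return idp_token

    def evaluate_policy(self, user_id):
        """Policy evaluating unit: every policy item must match the user's attribute value."""
        attrs = self.users[user_id]
        return all(attrs.get(name) in allowed for name, allowed in self.policy.items())

    def account_collaboration(self, user_id, sp):
        """Account collaborating unit: issue an SP side user ID and register partial attributes at the SP."""
        sp_uid = self.sp_ids.setdefault(user_id, "sp-" + secrets.token_hex(4))
        sp.accounts[sp_uid] = {"department": self.users[user_id]["department"]}  # attribute partial info
        return sp_uid

    def issue_assertion(self, sp_uid):
        """IDP authentication collaborating unit: sign the assertion context (HMAC stand-in)."""
        context = {"sp_user_id": sp_uid, "auth_scheme": AUTH_SCHEME}
        payload = json.dumps(context, sort_keys=True).encode()
        signature = hmac.new(self.signature_key, payload, hashlib.sha256).hexdigest()
        return {"context": context, "signature": signature}

    def handle_collaboration_request(self, sp, user_id=None, password=None, idp_token=None):
        """Authentication collaboration control unit: status check, log-in, policy, account, assertion."""
        uid = self.login_status(idp_token)
        if uid is None:                                # log-in non-completion: run the log-in process
            if self.authenticate(user_id, password) is None:
                return None
            uid = user_id
        if not self.evaluate_policy(uid):              # policy says this user may not receive service data
            return None
        return self.issue_assertion(self.account_collaboration(uid, sp))


@dataclass
class ServiceProvider:
    verification_policy: dict                         # verification policy: scheme name + verification key
    accounts: dict = field(default_factory=dict)      # SP user attribute information storage unit
    sessions: dict = field(default_factory=dict)      # SP authentication session storage: token -> SP side user ID

    def verify_assertion(self, assertion):
        """Verify the authentication scheme name, then the signature over the assertion context."""
        context = assertion["context"]
        if context.get("auth_scheme") != self.verification_policy["auth_scheme"]:
            return False
        payload = json.dumps(context, sort_keys=True).encode()
        expected = hmac.new(self.verification_policy["verification_key"], payload, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, assertion["signature"])

    def service_use_request(self, idp, token=None, user_id=None, password=None):
        """SP authentication collaborating unit: returns (token, service data) or None."""
        if token in self.sessions:                     # request already carries a valid SP token
            return token, "service-data"
        assertion = idp.handle_collaboration_request(self, user_id, password)
        if assertion is None or not self.verify_assertion(assertion):
            return None
        token = secrets.token_hex(16)                  # issue the SP authentication token
        self.sessions[token] = assertion["context"]["sp_user_id"]
        return token, "service-data"


def demo():
    """Constructed scenario: alice passes policy, bob does not; a second request reuses alice's token."""
    key = b"constructed-shared-key"
    idp = IdProvider(signature_key=key,
                     users={"alice": {"password": "pw-alice", "department": "engineering"},
                            "bob": {"password": "pw-bob", "department": "sales"}},
                     policy={"department": {"engineering"}})
    sp = ServiceProvider(verification_policy={"auth_scheme": AUTH_SCHEME, "verification_key": key})
    first = sp.service_use_request(idp, user_id="alice", password="pw-alice")
    denied = sp.service_use_request(idp, user_id="bob", password="pw-bob")
    second = sp.service_use_request(idp, token=first[0])
    return first, denied, second, sp


if __name__ == "__main__":
    print(demo()[:3])
```

The two points worth noticing are that policy is evaluated at the IdP before any SP side user ID exists, so a denied user never gets an account registered at the SP, and that the SP rejects an assertion whose context was altered after signing, since the signature covers the scheme name and the SP side user ID together.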

  • 5 Assignments