System for delegation of authority, access management service system, medium, and method for controlling the system for delegation of authority

US 9,065,828 B2
Filed: 01/10/2013
Issued: 06/23/2015
Est. Priority Date: 01/16/2012
Status: Active Grant

First Claim

Patent Images

1. A system for delegation of authority, comprising:

a first service system configured to provide a first online service;

a second service system configured to provide a second online service and configured to communicate with the first service system;

an access management service system configured to manage authentication information and approval tokens that are required to use a plurality of service systems including the second service system; and

wherein the system for delegation of authority is configured to receive information from a client configured to be operated by a user who has registered authentication information required to use online services that are provided by the first service system and the second service system,wherein the first service system includes a first redirect instruction unit configured to transmit scope information to the client to identify the second online service, if it is necessary to use the second online service provided by the second service system in a process of responding to a processing request from the client operated by the user, and configured to transmit a message causing the client to access the access management service system,wherein the access management service system includes an approval screen transmission unit configured to confirm whether the user has an authority to use the second online service and, if it is confirmed that the user has the authority, configured to transmit an approval screen to the client to enable the user to confirm whether to approve that the first service system uses the second online service;

the access management service system further includes a management unit configured to issue a code required to issue an approval token if it is confirmed that the user has approved via the approval screen, and manage the issued code in such a way as to be linked with the scope information acquired when accessed by the client;

the access management service system further includes a second redirect instruction unit configured to transmit the code to the client causing the client to access the first service system;

the first service system further includes a transmission unit configured to transmit authentication information that is unique to the first service system and the code acquired when accessed by the client to the access management service system;

the access management service system further includes a confirmation unit configured to identify an online service that the first service system wants to use based on the scope information linked with the received code, and confirm whether the identified online service is included in online services that can be used by the first service system based on the received authentication information that is unique to the first service system; and

the access management service system further includes an issuance unit configured to issue an approval token if it is confirmed that the identified online service is included in the online services that can be used by the first service system,wherein the first service system can use the second online service with the issued approval token,wherein the first service system is configured to transmit another scope information to identify whether the user has an authority to approve that the first service system uses the second online service in addition to the scope information required to identify the second online service that the first service system wants to use, which has been transmitted to the client from the first service system, andwhen the access management service system confirms whether the user operating the currently accessing client has the authority to use the second online service, the access management service system is configured to confirm an authority to use an online service linked with the received another scope information and confirm the authority to use the online service allocated to the user, which can be identified based on the authentication information having been input by the user, andif it is confirmed that the authority to use the online service linked with the received another scope information is allocated to the user, the access management service system is configured to determine that the user operating the currently accessing client has the authority to use the second online service.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In sequential processing including issuance of an approval token from a user to a cooperation source service via an access management service, a system for delegation of authority confirms whether each of the user and the cooperation source service has a sufficient authority to execute a service of a cooperation destination before issuing the approval token.

6 Citations

View as Search Results

9 Claims

1. A system for delegation of authority, comprising:
- a first service system configured to provide a first online service;
  
  a second service system configured to provide a second online service and configured to communicate with the first service system;
  
  an access management service system configured to manage authentication information and approval tokens that are required to use a plurality of service systems including the second service system; and
  
  wherein the system for delegation of authority is configured to receive information from a client configured to be operated by a user who has registered authentication information required to use online services that are provided by the first service system and the second service system,wherein the first service system includes a first redirect instruction unit configured to transmit scope information to the client to identify the second online service, if it is necessary to use the second online service provided by the second service system in a process of responding to a processing request from the client operated by the user, and configured to transmit a message causing the client to access the access management service system,wherein the access management service system includes an approval screen transmission unit configured to confirm whether the user has an authority to use the second online service and, if it is confirmed that the user has the authority, configured to transmit an approval screen to the client to enable the user to confirm whether to approve that the first service system uses the second online service;
  
  the access management service system further includes a management unit configured to issue a code required to issue an approval token if it is confirmed that the user has approved via the approval screen, and manage the issued code in such a way as to be linked with the scope information acquired when accessed by the client;
  
  the access management service system further includes a second redirect instruction unit configured to transmit the code to the client causing the client to access the first service system;
  
  the first service system further includes a transmission unit configured to transmit authentication information that is unique to the first service system and the code acquired when accessed by the client to the access management service system;
  
  the access management service system further includes a confirmation unit configured to identify an online service that the first service system wants to use based on the scope information linked with the received code, and confirm whether the identified online service is included in online services that can be used by the first service system based on the received authentication information that is unique to the first service system; and
  
  the access management service system further includes an issuance unit configured to issue an approval token if it is confirmed that the identified online service is included in the online services that can be used by the first service system,wherein the first service system can use the second online service with the issued approval token,wherein the first service system is configured to transmit another scope information to identify whether the user has an authority to approve that the first service system uses the second online service in addition to the scope information required to identify the second online service that the first service system wants to use, which has been transmitted to the client from the first service system, andwhen the access management service system confirms whether the user operating the currently accessing client has the authority to use the second online service, the access management service system is configured to confirm an authority to use an online service linked with the received another scope information and confirm the authority to use the online service allocated to the user, which can be identified based on the authentication information having been input by the user, andif it is confirmed that the authority to use the online service linked with the received another scope information is allocated to the user, the access management service system is configured to determine that the user operating the currently accessing client has the authority to use the second online service.
- View Dependent Claims (2, 3)
- - 2. The system for delegation of authority according to claim 1, wherein the access management service system is configured to control the issuance unit to issue no approval token if it is confirmed that a user who operates a currently accessing client has no authority to use the second online service, or if it is confirmed that the identified online service is not included in the online services that can be used by the first service system although it is confirmed that the user operating the currently accessing client has an authority to use the second online service.
  - 3. The system for delegation of authority according to claim 1, wherein if it is confirmed that a user who operates a currently accessing client has no authority to use the second online service, the access management service system is configured to transmit an authentication error screen to the client to enable the user to recognize that the user has no authority to use the second online service, andif it is confirmed that the identified online service is not included in the online services that can be used by the first service system although it is confirmed that the user operating the currently accessing client has an authority to use the second online service, the first service system is configured to transmit a scope error screen to enable the user to recognize that the user has no authority to use the second online service.

4. An access management service system for a system for delegation of authority, wherein the system for delegation of authority comprises:
- a first service system configured to provide a first online service;
  
  a second service system configured to provide a second online service and configured to communicate with the first service system;
  
  an access management service system configured to manage authentication information that is required to use the second service system; and
  
  wherein the system for delegation of authority is configured to receive information from a client configured to be operated by a user who has registered authentication information required to use an online service that can be provided by the second service system,the access management service system comprising;
  
  a confirmation unit configured to receive the authentication information of the user and confirm whether the user can use the second online service based on the received authentication information of the user, and further configured to receive authentication information that is unique to the first service system and confirm whether the first service system can use the second online service based on the received authentication information that is unique to the first service system; and
  
  an issuance unit configured to issue an approval token if it is confirmed that the user can use the second online service and if it is confirmed that the first service system can use the second online service,wherein the first service system uses the issued approval token to use the second online service if it is necessary to use the second online service provided by the second service system in a process of responding to a processing request from the client operated by the user,wherein the first service system is configured to transmit another scope information to identify whether the user has an authority to approve that the first service system uses the second online service in addition to a scope information required to identify the second online service that the first service system wants to use, which has been transmitted to the client from the first service system, andwhen the access management service system confirms whether the user operating the currently accessing client has the authority to use the second online service, the access management service system is configured to confirm an authority to use an online service linked with the received another scope information and confirm the authority to use the online service allocated to the user, which can be identified based on the authentication information having been input by the user, andif it is confirmed that the authority to use the online service linked with the received another scope information is allocated to the user, the access management service system is configured to determine that the user operating the currently accessing client has the authority to use the second online service.

5. A control method for a system for delegation of authority, the system comprising:
- a first service system configured to provide a first online service;
  
  a second service system configured to provide a second online service and configured to communicate with the first service system;
  
  an access management service system configured to manage authentication information and approval token that are required to use a plurality of service systems including the second service system; and
  
  wherein the system for delegation of authority is configured to receive information from a client configured to be operated by a user who has registered authentication information required to use online services that can be provided by the first service system and the second service system,wherein a first redirect instruction unit of the first service system transmits scope information to the client to identify the second online service, if it is necessary to use the second online service provided by the second service system in a process of responding to a processing request from the client operated by the user, and transmitting a message causing the client to access the access management service system;
  
  an approval screen transmission unit of the access management service system confirms whether the user has an authority to use the second online service and, if it is confirmed that the user has the authority, transmits an approval screen to the client to enable the user to confirm whether to approve that the first service system uses the second online service;
  
  a management unit of the access management service system issues a code required to issue an approval token if it is confirmed that the user has approved via the approval screen, and manages the issued code in such a way as to be linked with the scope information acquired when accessed by the client;
  
  a second redirect instruction unit of the access management service system transmits the code to the client causing the client to access the first service system;
  
  a transmission unit of the first service system transmits authentication information that is unique to the first service system and the code acquired when accessed by the client to the access management service system;
  
  a confirmation unit of the access management service system identifies an online service that the first service system wants to use based on the scope information linked with the received code, and confirms whether the identified online service is included in online services that can be used by the first service system based on the received authentication information that is unique to the first service system; and
  
  an issuance unit of the access management service system issues an approval token if it is confirmed that the identified online service is included in the online services that can be used by the first service system,wherein the approval token issued by the first service system is usable to use the second online service and to realize a mashup service that causes the first online service and the second online service to cooperate with each other,wherein the first service system is configured to transmit another scope information to identify whether the user has an authority to approve that the first service system uses the second online service in addition to the scope information required to identify the second online service that the first service system wants to use, which has been transmitted to the client from the first service system, andwhen the access management service system confirms whether the user operating the currently accessing client has the authority to use the second online service, the access management service system is configured to confirm an authority to use an online service linked with the received another scope information and confirm the authority to use the online service allocated to the user, which can be identified based on the authentication information having been input by the user, andif it is confirmed that the authority to use the online service linked with the received another scope information is allocated to the user, the access management service system is configured to determine that the user operating the currently accessing client has the authority to use the second online service.

6. A non-transitory computer readable medium encoded with instructions for an access management service comprising instructions for:
- the access management service transmitting a first approval token to a first online service, the first approval token is associated with a particular user and a plurality of particular privileges accorded the particular user with a second online service;
  
  the access management service receiving a verification request of the first approval token from the second online service;
  
  the access management service verifying that the first approval token is associated with the plurality of particular privileges accorded the particular user with the second online service; and
  
  the access management service transmitting a message to the second online service if the access management service positively affirms that the first approval token is associated with the plurality of particular privileges accorded the particular user with the second online service,wherein a first service system is configured to transmit another scope information to identify whether the particular user has an authority to approve that the first service system uses the second online service in addition to a scope information required to identify the second online service that the first service system wants to use, which has been transmitted to the client from the first service system, andwhen the access management service system confirms whether the user operating the currently accessing client has the authority to use the second online service, the access management service system is configured to confirm an authority to use an online service linked with the received another scope information and confirm the authority to use the online service allocated to the user, which can be identified based on the authentication information having been input by the user, andif it is confirmed that the authority to use the online service linked with the received another scope information is allocated to the user, the access management service system is configured to determine that the user operating the currently accessing client has the authority to use the second online service.
- View Dependent Claims (7, 8)
- - 7. The non-transitory computer readable medium of claim 6 further comprising instructions for:
    - the access management service transmitting a message to the first online service if the access management service determines that the first approval token is not associated with the plurality of particular privileges accorded the particular user with the second online service.
  - 8. The non-transitory computer readable medium of claim 6 further comprising instructions for:
    - the access management service transmitting a message to a client of the particular user if the access management service determines that the first approval token is not associated with the plurality of particular privileges accorded the particular user with the second online service.

9. A non-transitory computer readable medium encoded with instructions for an access management service comprising instructions for:
- the access management service transmitting a first approval token to a first online service, the first approval token is associated with a particular user and a plurality of particular privileges accorded the particular user with a second online service;
  
  the access management service receiving a verification request of the first approval token from the second online service;
  
  the access management service verifying that the first approval token is associated with the plurality of particular privileges accorded the particular user with the second online service; and
  
  the access management service transmitting a message to the second online service if the access management service positively affirms that the first approval token is associated with the plurality of particular privileges accorded the particular user with the second online service,wherein the access management service transmits the first approval token after;
  
  the access management service receiving an authentication request from the first service;
  
  the access management service transmitting the authentication request to a client of the particular user;
  
  the access management service receiving authentication information from the client;
  
  the access management service verifying the authentication information against information stored by the access management service about the particular user;
  
  the access management service transmitting a request to the client of the particular user for approval of the first service to have access to the plurality of particular privileges accorded the particular user with the second online service;
  
  the access management service receiving approval information from the client;
  
  wherein the access management service transmits the first approval token to first online service after receiving approval information from the client.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Canon Ayutthaya Limited (Canon Inc.)
Original Assignee
Canon Ayutthaya Limited (Canon Inc.)
Inventors
Yabe, Kenta
Primary Examiner(s)
Patel, Nirav B
Assistant Examiner(s)
Waliullah, Mohammed

Application Number

US13/738,477
Publication Number

US 20130185809A1
Time in Patent Office

894 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/10 for controlling access to d...

System for delegation of authority, access management service system, medium, and method for controlling the system for delegation of authority

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

6 Citations

9 Claims

Specification

Use Cases

Quick Links

Others

System for delegation of authority, access management service system, medium, and method for controlling the system for delegation of authority

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

6 Citations

9 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others