Authority delegation system, method, authentication server system, and storage medium therefor

US 9,967,253 B2
Filed: 05/27/2015
Issued: 05/08/2018
Est. Priority Date: 05/30/2014
Status: Active Grant

First Claim

Patent Images

1. An authentication server system capable of communicating with a server system providing a service accessible from a first client and a second client, the authentication server system comprising:

one or more processors; and

at least one memory device storing a program which, when executed by the one or more processors, causes the authentication server system to function as;

an authentication unit configured to determine whether a user is a legitimate user based on authentication information input by the user via an authentication screen displayed on the first client;

an issuance unit configured to issue authority information indicating that authority of the user has been delegated to the first client in a case where the user, determined to be the legitimate user by the authentication unit, provides an instruction for authorizing, under the authority of the user on the service, the first client via an authorization confirmation screen displayed on the first client;

an authorization unit configured to authorize the first client to access the service by the authority of the user based on the authority information transmitted when the first client requests an access to the service;

a management unit configured to manage an identifier of the user determined to be the legitimate user by the authentication unit and an identifier of a client in association with each other;

wherein the legitimate user is a user who has accessed the authentication server system using the second client and has been authenticated based on authentication information input by the user via an authentication screen displayed on the second client, and, after authentication, thelegitimate user issues an instruction to associate the legitimate user with the identifier of the second client via a client association confirmation screen,a first determination unit configured to determine whether the authority information has been issued for any of client identifiers associated with the identifier of the user determined to be the legitimate user by the authentication unit; and

a second determination unit configured to determine whether the identifier of the user determined to be the legitimate user by the authentication unit is associated with the identifier of the second client used by the user wherein, in a case where the first determination unit determines that the authority information has been issued for the any of client identifiers and the management second determination unit determines that the identifier of the user determined to be the legitimate user by the authentication unit is associated with the identifier of the second client, the issuance unit issues authority information indicating that the authority of the user has been delegated to the second client without receiving an instruction for authorizing the second client on the service,wherein in a case where the management unit confirms that the second client operated by the user is not associated with the identifier of the user after the user has been determined to be the legitimate user by the authentication unit, the management unit provides an association confirmation screen for inquiring whether to associate the identifier of the user with the identifier of the second client in order to omit an operation for providing the instruction for authorizing the authority of the user on the service to be delegated to the second client, and manages the identifier of the user and the identifier of the second client in association with each other in response to an instruction for associating the identifier of the user with the identifier of thesecond client instructed via the association confirmation screen, andwherein the management unit manages the identifier of the user, the identifier of the first client, and a type of the first client in association with one another, and in a case where a type of the second client is same as the type of the first client when the identifier of the user is to be associated with the identifier of the second client, the management unit manages the identifier of the user and the identifier of the second client in association with each other without receiving the instruction for associating the identifier of the user with the identifier of the second client via the association confirmation screen.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

There is provided an authority delegation system capable of issuing, in a case where an identifier of a user is associated with an identifier of a client, authority information indicating that an authority of the user has been delegated to the client without receiving an instruction for authorizing the authority of the user on the service to be delegated to the client.

Citations

11 Claims

1. An authentication server system capable of communicating with a server system providing a service accessible from a first client and a second client, the authentication server system comprising:
- one or more processors; and
  
  at least one memory device storing a program which, when executed by the one or more processors, causes the authentication server system to function as;
  
  an authentication unit configured to determine whether a user is a legitimate user based on authentication information input by the user via an authentication screen displayed on the first client;
  
  an issuance unit configured to issue authority information indicating that authority of the user has been delegated to the first client in a case where the user, determined to be the legitimate user by the authentication unit, provides an instruction for authorizing, under the authority of the user on the service, the first client via an authorization confirmation screen displayed on the first client;
  
  an authorization unit configured to authorize the first client to access the service by the authority of the user based on the authority information transmitted when the first client requests an access to the service;
  
  a management unit configured to manage an identifier of the user determined to be the legitimate user by the authentication unit and an identifier of a client in association with each other;
  
  wherein the legitimate user is a user who has accessed the authentication server system using the second client and has been authenticated based on authentication information input by the user via an authentication screen displayed on the second client, and, after authentication, thelegitimate user issues an instruction to associate the legitimate user with the identifier of the second client via a client association confirmation screen,a first determination unit configured to determine whether the authority information has been issued for any of client identifiers associated with the identifier of the user determined to be the legitimate user by the authentication unit; and
  
  a second determination unit configured to determine whether the identifier of the user determined to be the legitimate user by the authentication unit is associated with the identifier of the second client used by the user wherein, in a case where the first determination unit determines that the authority information has been issued for the any of client identifiers and the management second determination unit determines that the identifier of the user determined to be the legitimate user by the authentication unit is associated with the identifier of the second client, the issuance unit issues authority information indicating that the authority of the user has been delegated to the second client without receiving an instruction for authorizing the second client on the service,wherein in a case where the management unit confirms that the second client operated by the user is not associated with the identifier of the user after the user has been determined to be the legitimate user by the authentication unit, the management unit provides an association confirmation screen for inquiring whether to associate the identifier of the user with the identifier of the second client in order to omit an operation for providing the instruction for authorizing the authority of the user on the service to be delegated to the second client, and manages the identifier of the user and the identifier of the second client in association with each other in response to an instruction for associating the identifier of the user with the identifier of thesecond client instructed via the association confirmation screen, andwherein the management unit manages the identifier of the user, the identifier of the first client, and a type of the first client in association with one another, and in a case where a type of the second client is same as the type of the first client when the identifier of the user is to be associated with the identifier of the second client, the management unit manages the identifier of the user and the identifier of the second client in association with each other without receiving the instruction for associating the identifier of the user with the identifier of the second client via the association confirmation screen.
- View Dependent Claims (2, 3, 4, 9)
- - 2. The authentication server system according to claim 1,wherein, in a case where it is previously set to omit the association confirmation screen when an instruction for associating the identifier of the user with an identifier of an optional client is issued by the user, the management unit manages the identifier of the user and the identifier of the first client in association with each other without receiving an instruction for associating the identifier of the user with the identifier of the first client via the association confirmation screen when the identifier of the user is to be associated with the identifier of the first client.
  - 3. The authentication server system according to claim 1,wherein, in a case where the authority information is not issued by the issuance unit, the authorization unit does not authorize the first client and/or the second client to access the service by the authority of the user.
  - 4. The authentication server system according to claim 1,wherein, in a case where the identifier of the user is associated with an identifier of an optional client, the issuance unit performs control to not display the authorization confirmation screen on the optional client.
  - 9. An authority delegation system including a server system providing a service accessible from a first client and a second client, and an authentication server system according to claim 1.

5. A method executed by an authority delegation system including a server system providing a service accessible from a first client and a second client, and an authentication server system, the method comprising:
- determining, by an authentication unit, whether a user is a legitimate user based on authentication information input by the user via an authentication screen displayed on the first client;
  
  issuing, by an issuance unit, authority information indicating that authority of the user has been delegated to the first client in a case where the user, determined to be the legitimate user by the authentication unit, provides an instruction for authorizing, under the authority of the user on the service, the first client via an authorization confirmation screen displayed on the first client;
  
  authorizing, by an authorization unit, the first client to access the service by the authority of the user based on the authority information transmitted when the first client requests an access to the service;
  
  managing, by a management unit, an identifier of the user, determined to be the legitimate user by the authentication unit, and an identifier of a client in association with each other;
  
  wherein the legitimate user is a user who has accessed the authentication server system using the second client and has been authenticated based on authentication information input by the user via an authentication screen displayed on the second client, and, after authentication, the legitimate user issues an instruction to associate the legitimate user with the identifier of the second client via a client association confirmation screen,determining, by a first determination unit, whether the authority information has been issued for any of client identifiers associated with the identifier of the user determined to be the legitimate user by the authentication unit; and
  
  determining, by a second determining unit, whether the identifier of the user determined to be the legitimate user by the authentication unit is associated with the identifier of the second client used by the userwherein, the issuance unit further issues authority information indicating that the authority of the user has been delegated to the second client without receiving an instruction for authorizing the second client on the service, in a case where the first determination unit determines that the authority information has been issued for the any of client identifiers and the second determination unit determines that the identifier of the user determined to be the legitimate user by the authentication unit is associated with the identifier of the second client,wherein in a case where the management unit confirms that the second client operated by the user is not associated with the identifier of the user after the user has been determined to be the legitimate user by the authentication unit, the management unit provides an association confirmation screen for inquiring whether to associate the identifier of the user with the identifier of the second client in order to omit an operation for providing the instruction for authorizing the authority of the user on the service to be delegated to the second client, and manages the identifier of the user and the identifier of the second client in association with each other in response to an instruction for associating the identifier of the user with the identifier of the second client instructed via the association confirmation screen, andwherein the management unit manages the identifier of the user, the identifier of the first client, and a type of the first client in association with one another, and in a case where a type of the second client is same as the type of the first client when the identifier of the user is to be associated with the identifier of the second client, the management unit manages the identifier of the user and the identifier of the second client in association with each other without receiving the instruction for associating the identifier of the user with the identifier of the second client via the association confirmation screen.
- View Dependent Claims (6, 7, 8)
- - 6. The method according to claim 5,wherein, in a case where it is previously set to omit the association confirmation screen when an instruction for associating the identifier of the user with an identifier of an optional client is issued by the user, the management unit manages the identifier of the user and the identifier of the first client in association with each other without receiving an instruction for associating the identifier of the user with the identifier of the first client via the association confirmation screen when the identifier of the user is to be associated with the identifier of the first client.
  - 7. The method according to claim 5,wherein, in a case where the authority information is not issued by the issuance unit, the authorization unit does not authorize the first client and/or the second client to access the service by the authority of the user.
  - 8. The method according to claim 5,wherein, in a case where the identifier of the user is associated with an identifier of an optional client, the issuance unit performs control to not display the authorization confirmation screen on the optional client.

10. A non-transitory computer-readable storage medium storing a program for causing a computer to execute a method in an authentication server system capable of communicating with a server system providing a service accessible from a first client and a second client, the method comprising:
- determining, by a authentication unit, whether a user is a legitimate user based on authentication information input by the user via an authentication screen displayed on the first client;
  
  issuing, by an issuance unit, authority information indicating that authority of the user has been delegated to the first client in a case where the user, determined to be the legitimate user, provides an instruction for authorizing, under the authority of the user on the service, the first client via an authorization confirmation screen displayed on the first client;
  
  authorizing, by an authorization unit, the first client to access the service by the authority of the user based on the authority information transmitted when the first client requests an access to the service;
  
  managing, by a management unit, an identifier of the user determined to be the legitimate user and an identifier of a client in association with each other;
  
  wherein the legitimate user is a user who has accessed the authentication server system using the second client and has been authenticated based on authentication information input by the user via an authentication screen displayed on the second client, and, after authentication, the legitimate user issues an instruction to associate the legitimate user with the identifier of the second client via a client association confirmation screen,determining, by a first determination unit, whether the authority information has been issued for any of client identifiers associated with the identifier of the user determined to be the legitimate user by a authentication unit; and
  
  wherein authority information indicating that the authority of the user has been delegated to the second client is issued without receiving an instruction for authorizing the second client on the service, in a case where the first determination unit determines that the authority information has been issued for the any of client identifiers and a second determination unit determines that the identifier of the user determined to be the legitimate user by the authentication unit is associated with the identifier of the second client,wherein in a case where the management unit confirms that the second client operated by the user is not associated with the identifier of the user after the user has been determined to be the legitimate user by the authentication unit, the management unit provides an association confirmation screen for inquiring whether to associate the identifier of the user with the identifier of the second client in order to omit an operation for providing the instruction for authorizing the authority of the user on the service to be delegated to the second client, and manages the identifier of the user and the identifier of the second client in association with each other in response to an instruction for associating the identifier of the user with the identifier of the second client instructed via the association confirmation screen, andwherein the management unit manages the identifier of the user, the identifier of the first client, and a type of the first client in association with one another, and in a case where a type of the second client is same as the type of the first client when the identifier of the user is to be associated with the identifier of the second client, the management unit manages the identifier of the user and the identifier of the second client in association with each other without receiving the instruction for associating the identifier of the user with the identifier of the second client via the association confirmation screen.

11. A system including a first client, a second client and an authentication server system capable of communicating with a server system providing a service accessible from the first client and the second client, the system comprising:
- one or more processors; and
  
  at least one memory device storing a program which, when executed by the one or more processors, causes the authentication server system to act as;
  
  an authentication unit configured to determine whether a user is a legitimate user based on authentication information input by the user via an authentication screen displayed on the first client;
  
  an issuance unit configured to issue authority information indicating that authority of the user has been delegated to the first client in a case where the user, determined to be the legitimate user by the authentication unit, provides an instruction for authorizing, under the authority of the user on the service, the first client via an authorization confirmation screen displayed on the first client;
  
  an authorization unit configured to authorize the first client to access the service by the authority of the user based on the authority information transmitted when the first client requests an access to the service;
  
  a management unit configured to manage an identifier of the user determined to be the legitimate user by the authentication unit and an identifier of a client in association with each other;
  
  wherein the legitimate user is a user who has accessed the authentication server system using the second client and has been authenticated based on authentication information input by the user via an authentication screen displayed on the second client, and, after authentication, the legitimate user issues an instruction to associate the legitimate user with the identifier of the second client via a client association confirmation screen,a first determination unit configured to determine whether the authority information has been issued for any of client identifiers associated with the identifier of the user determined to be the legitimate user by the authentication unit; and
  
  a second determination unit configured to determine whether the identifier of the user determined to be the legitimate user by the authentication unit is associated with the identifier of the second client used by the userwherein, in a case where the first determination unit determines that the authority information has been issued for the any of client identifiers and the management second determination unit determines that the identifier of the user determined to be the legitimate user by the authentication unit is associated with the identifier of the second client, the issuance unit issues authority information indicating that the authority of the user has been delegated to the second client without receiving an instruction for authorizing the second client on the service,wherein in a case where the management unit confirms that the second client operated by the user is not associated with the identifier of the user after the user has been determined to be the legitimate user by the authentication unit, the management unit provides an association confirmation screen for inquiring whether to associate the identifier of the user with the identifier of the second client in order to omit an operation for providing the instruction for authorizing the authority of the user on the service to be delegated to the second client, and manages the identifier of the user and the identifier of the second client in association with each other in response to an instruction for associating the identifier of the user with the identifier of the second client instructed via the association confirmation screen, andwherein the management unit manages the identifier of the user, the identifier of the first client, and a type of the first client in association with one another, and in a case where a type of the second client is same as the type of the first client when the identifier of the user is to be associated with the identifier of the second client, the management unit manages the identifier of the user and the identifier of the second client in association with each other without receiving the instruction for associating the identifier of the user with the identifier of the second client via the association confirmation screen.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Canon Kabushiki Kaisha (Canon Inc.)
Original Assignee
Canon Kabushiki Kaisha (Canon Inc.)
Inventors
Tamura, Yu
Primary Examiner(s)
Patel, Ashok
Assistant Examiner(s)
Farooqui, Quazi

Application Number

US14/723,301
Publication Number

US 20150350209A1
Time in Patent Office

1,077 Days
Field of Search

713150-154, 726 1- 33
US Class Current
CPC Class Codes

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0853   using an additional device,...

H04L 63/0884   by delegation of authentica...

H04L 63/10   for controlling access to d...

Authority delegation system, method, authentication server system, and storage medium therefor

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

11 Claims

Specification

Solutions

Use Cases

Quick Links

Authority delegation system, method, authentication server system, and storage medium therefor

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

11 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links