JP7601264B2 - System, server device, and method and program for controlling server device - Google Patents

Description

The present invention relates to a system, a server device, a control method for a server device, and a storage medium.

There are information distribution systems that provide personal information held by hospitals and other institutions to information recipient devices such as businesses with the consent of the individual. Such systems include, for example, information trading devices managed by information banks and the like, information source devices managed by information source companies, and information recipient devices managed by information recipients. The information trading devices store personal information acquired from the information source devices. The information trading devices transmit personal information desired by the utilization business, etc. from the stored personal information to the information recipient device.

For example, Patent Document 1 describes the provision of an information management system, information management method, and information management program for conducting transactions using a user's personal information. The information management server in Patent Document 1 includes a registrant information storage unit that stores personal information of registrants, a provision history storage unit that stores the provision history of personal information, and a control unit connected to a purchaser terminal. The control unit acquires information acquisition conditions from the purchaser terminal and extracts personal information from the registrant information storage unit based on the information acquisition conditions. The control unit provides the extracted personal information to the purchaser terminal and records the provision history of the personal information in the provision history storage unit. The control unit collects the provision fee based on the provision history recorded in the provision history storage unit, and returns compensation to the registrant who provided the personal information based on the provision fee.

In addition, various technologies related to user authentication are being developed.

For example, Patent Document 2 describes that it provides an authentication technology using IC tags with higher security. The authentication system of Patent Document 2 includes at least one information terminal and at least one server. The authentication system includes a reading unit, an acquisition unit, a decryption unit, a verification unit, a first authentication unit, and a confirmation unit. The reading unit uses one or more PINs to read personal information and an electronic signature from an IC card that includes personal information including a facial image of a legitimate owner of the IC card and an electronic signature generated based on the personal information and a private key. The acquisition unit acquires imaging data showing the subject's face. The decryption unit decrypts the electronic signature using a public key corresponding to the private key. The verification unit verifies the validity of the personal information based on the decrypted electronic signature and the personal information. The first authentication unit performs face authentication using the imaging data and a facial image included in the personal information. The verification unit performs identity verification of the subject based on the verification result of the validity of the personal information and the result of face authentication.

Patent document 3 describes that an authentication system, authentication server, business server, and user terminal capable of appropriately determining a combination of authentication methods according to a service are provided. The user terminal of patent document 3 includes an authentication request unit that requests a service, and an authentication information transmission unit that transmits authentication information for each authentication method. The business server includes a service point management unit that manages service points that indicate the security of authentication required by the service. The authentication server includes an authentication point management unit, an authentication method determination unit, and an authentication processing unit. The authentication point management unit manages authentication points that indicate the security obtained by the combination of authentication methods. The authentication method determination unit prioritizes combinations of authentication methods in which the authentication points are equal to or greater than the service points, and determines combinations in which the difference between the authentication points and the service points is small. The authentication processing unit receives authentication information for each determined combination of authentication methods, and performs authentication processing.

Patent Document 4 describes a network system capable of identifying the same user between user management systems of different systems. The network system of Patent Document 4 includes first and second user management systems and a gateway server. The first user management system manages ID information in a first ID federation information table. The second user management system manages the first and second intermediation ID information in a second ID federation information table. The gateway server associates the ID information with the second intermediation ID information and manages them in a third ID federation information table. When there is a login request to one user management system via the other user management system, the gateway server detects the second intermediation ID information or ID information corresponding to the notified ID information or second intermediation ID information from the third ID federation information table. The gateway server outputs the detected information to the other user management system.

JP 2019-128648 A JP 2019-050014 A JP 2017-072979 A JP 2013-114622 A

In an information distribution system, advanced services can be provided by collecting personal data held by each service provider (service operator, data holder). In doing so, the data provided by the service provider must have a certain level of reliability. This is because using unreliable data (data provided by a service provider with a low level of security and low identity verification) will result in a decline in the overall quality of the services provided by the information distribution system.

However, this problem cannot be solved by applying the technologies disclosed in the above-mentioned Patent Documents 1 to 4. In particular, Patent Documents 3 and 4 only disclose technologies related to user authentication and identification.

The primary objective of the present invention is to provide a system, a server device, a control method for a server device, and a storage medium that contribute to maintaining and improving the quality of services provided from an information distribution system.

According to a first aspect of the present invention, there is provided a system including a first server device that stores a first ID required to provide a first service to a user logged in to a first account and accumulates data related to the first service provided to the user, and a second server device that controls data distribution of the accumulated data for the user logged in to a second account, wherein after the first ID managed in the first account and the second ID managed in the second account are associated with each other, when the user logs in to the first account, the second server device requests the user to follow the same procedure as the procedure for logging in to the second account.

According to a second aspect of the present invention, there is provided a server device comprising: a communication control unit that communicates with a server, stores a first ID required to provide a first service to a user logged in to a first account and accumulates data related to the first service to be provided to the user; a data distribution control unit that controls data distribution of the accumulated data for the user logged in to a second account; an ID linkage management unit that associates the first ID managed in the first account with the second ID managed in the second account; and a login management unit that, after the first ID and the second ID are associated, requests the user to follow the same procedure as the procedure for logging in to the second account when logging in to the first account.

According to a third aspect of the present invention, there is provided a method for controlling a server device, which stores a first ID required to provide a first service to a user logged in to a first account, accumulates data related to the first service to be provided to the user, communicates with a server, controls data distribution of the accumulated data for the user logged in to a second account, associates the first ID managed in the first account with the second ID managed in the second account, and after the first ID and the second ID are associated, when the user logs in to the first account, requests the user to follow the same procedure as the procedure for logging in to the second account.

According to a fourth aspect of the present invention, there is provided a computer-readable storage medium that stores a program for causing a computer mounted on a server device that stores a first ID required to provide a first service to a user logged in to a first account and accumulates data related to the first service provided to the user and communicates with a server to execute the following processes: controlling the distribution of the accumulated data for the user logged in to a second account; associating the first ID managed in the first account with the second ID managed in the second account; and, after the first ID and the second ID are associated, requesting the user to perform the same procedure as the procedure for logging in to the second account when logging in to the first account.

According to each aspect of the present invention, a system, a server device, a control method for a server device, and a storage medium are provided that contribute to maintaining and improving the quality of services provided by an information distribution system. Note that the effects of the present invention are not limited to those described above. The present invention may achieve other effects instead of or in addition to the effects.

FIG. 1 is a diagram for explaining an overview of an embodiment. FIG. 2 is a flowchart illustrating an example of the operation of one embodiment. FIG. 3 is a diagram showing an example of a schematic configuration of an information distribution system according to the first embodiment. FIG. 4 is a diagram for explaining the operation of the information distribution system according to the first embodiment. FIG. 5 is a diagram for explaining the operation of the information distribution system according to the first embodiment. FIG. 6 is a diagram for explaining the operation of the information distribution system according to the first embodiment. FIG. 7 is a diagram for explaining the operation of the information distribution system according to the first embodiment. FIG. 8 is a diagram for explaining the operation of the information distribution system according to the first embodiment. FIG. 9 is a diagram illustrating an example of a processing configuration of the portal server according to the first embodiment. FIG. 10 is a diagram illustrating an example of a display on the terminal according to the first embodiment. FIG. 11 is a diagram illustrating an example of a display on the terminal according to the first embodiment. FIG. 12 is a diagram illustrating an example of a display of the terminal according to the first embodiment. FIG. 13 is a diagram illustrating an example of a processing configuration of the distribution control server according to the first embodiment. FIG. 14 is a diagram illustrating an example of a user information database according to the first embodiment. FIG. 15 is a diagram illustrating an example of a part of the user information database according to the first embodiment. FIG. 16 is a flowchart illustrating an example of the operation of the ID federation management unit according to the first embodiment. FIG. 17 is a flowchart illustrating an example of the operation of the ID federation management unit according to the first embodiment. FIG. 18 is a diagram illustrating an example of a location information database according to the first embodiment. FIG. 19 is a diagram illustrating an example of a processing configuration of the service server according to the first embodiment. FIG. 20 is a diagram illustrating an example of a display on the terminal according to the first embodiment. FIG. 21 is a diagram illustrating an example of a customer information database according to the first embodiment. FIG. 22 is a sequence diagram showing an example of the operation of the information distribution system according to the first embodiment. FIG. 23 is a diagram for explaining ID federation according to the first embodiment. FIG. 24 is a diagram showing an example of a schematic configuration of an information distribution system according to the second embodiment. FIG. 25 is a diagram illustrating an example of a processing configuration of a hospital terminal according to the second embodiment. FIG. 26 is a diagram illustrating an example of a processing configuration of a service server according to the second embodiment. FIG. 27 is a diagram for explaining the operation of the information distribution system according to the second embodiment. FIG. 28 is a diagram for explaining the operation of the information distribution system according to the second embodiment. 29A and 29B are diagrams illustrating an example of a display of a hospital terminal according to the second embodiment. FIG. 30 is a diagram illustrating an example of a hardware configuration of the distribution control server according to the present disclosure. FIG. 31 is a diagram showing an example of a schematic configuration of an information distribution system according to a modification of the present disclosure.

First, an overview of one embodiment will be described. The reference numbers in the drawings are added to each element for convenience as an example to aid in understanding, and the description of this overview is not intended to be limiting. Furthermore, unless otherwise specified, the blocks shown in each drawing represent functional units rather than hardware units. The connection lines between blocks in each drawing include both bidirectional and unidirectional. The unidirectional arrows are used to show the main signal (data) flow diagrammatically, and do not exclude bidirectionality. In this specification and drawings, elements that can be described in the same way may be given the same reference numbers to avoid duplicated explanations.

The system according to one embodiment includes a first server device 101 and a second server device 102 (see FIG. 1). The first server device 101 stores a first ID required to provide a first service to a user who has logged in to a first account, and accumulates data related to the first service provided to the user. The second server device 102 controls the distribution of accumulated data for a user who has logged in to a second account. The second server device 102 associates the first ID managed in the first account with the second ID managed in the second account (associating IDs; step S1 in FIG. 2). Thereafter, when the user logs in to the first account, the second server device 102 requests the user to perform the same procedure as the procedure for logging in to the second account (request for login procedure; step S2).

The procedure or method for logging in to the first account of the first server device 101 may have a low security level (authentication strength) or a low identity verification level. Even in such a case, after the first ID of the first account is registered in the system (associated with the second ID), the second server device 102 requests the user to perform the same procedure as the procedure for logging in to the second account. That is, if multi-factor authentication combining ID authentication, biometric authentication, etc. is required when logging in to the second account, the second server device 102 also performs multi-factor authentication when logging in to the first account. That is, even if the system includes a service provider that adopts a method with a low security level when authenticating a user, the system (second server device 102) authenticates the user using a method with a high security level, etc., instead of the service provider. As a result, the identity, etc. of the user to whom the service provider with a low security level provides a service is more reliably guaranteed, and the reliability of the data accumulated by the service provider is also improved. The information distribution system uses data with guaranteed reliability, which allows for the improvement or maintenance of the services provided.

Specific embodiments are described in further detail below with reference to the drawings.

[First embodiment]
The first embodiment will be described in more detail with reference to the drawings.

[System configuration]
Fig. 3 is a diagram showing an example of a schematic configuration of an information distribution system according to the first embodiment. As shown in Fig. 3, participating members (actors) of the information distribution system include information distribution businesses and service businesses.

The information distribution operator is an entity that provides services related to data distribution (information distribution services). The information distribution operator includes a portal server 10 and a distribution control server 20.

The portal server 10 is a server device that provides a portal site that serves as an interface for users who use the information distribution service. When using the information distribution service, users access the portal server 10.

The distribution control server 20 is a server device that controls (realizes) data distribution between service providers. The distribution control server 20 is a device that realizes data distribution of data stored in the service providers.

A service provider is an entity that provides services to individuals. A service provider may be a private business or a public institution. Examples of service providers include medical institutions (hospitals, pharmacies, etc.) that provide medical services to users, retailers, and healthcare providers that provide health services to customers.

Each service provider has a service server 30 for providing services to customers. The service server 30 is managed and operated by the service provider. The service server 30 accumulates data generated by the service provider's provision of services to users and data necessary for providing services to users (accumulates user data). In other words, the service server 30 accumulates data related to the services provided to users.

A user who uses the information distribution system uses terminal 40.

The devices shown in FIG. 3 are connected to each other via a network. For example, the distribution control server 20 and the service server 30 are connected by wired or wireless communication means and configured to be able to communicate with each other.

The configuration shown in FIG. 3 is an example and is not intended to limit the configuration of the information distribution system disclosed in the present application. For example, an information distribution business operator may include two or more distribution control servers 20.

[System Operation Overview]
Next, an outline of the operation of the information distribution system according to the first embodiment will be described.

In the first embodiment, a healthcare provider that provides health advice to users and an EC (Electronic Commerce) provider that sells products and the like over the Internet are used as examples of service providers.

As shown in Figure 3, the healthcare provider has a service server 30-1, and the EC provider has a service server 30-2. In the following explanation, unless there are special circumstances to distinguish between the service servers 30-1 and 30-2, they will simply be referred to as "service server 30."

To receive services from a healthcare provider, the user must log in to an account (first account) managed by the service server 30-1. Specifically, the user logs in to the account by providing an ID and password to the service server 30-1. Furthermore, when the healthcare provider creates an account, no identity verification is performed.

The service server 30-1 (first server device) stores an ID (first ID; membership number, etc.) required to provide a first service (health advice) to a user who has logged in to the account. The service server 30-1 also accumulates data (e.g., exercise time, etc.) related to the service provided to the user.

Note that we will not go into detail about the specific services offered by healthcare providers and EC operators. Healthcare providers collect (accumulate) data on users' diet and exercise, and provide advice, etc. based on the accumulated data. EC operators provide commercial transaction services (online shopping) over a network.

There are two means of data distribution in the information distribution system: "sharing" and "provision." The distribution control server 20 (second server device) controls the data distribution of the accumulated data of a user who has logged in to an account (second account).

"Sharing" is a means by which a service provider obtains data accumulated by other service providers. For example, data distribution through "sharing" is used when an e-commerce business obtains data generated by a healthcare business providing services to users.

"Sharing" is used to improve the convenience of the service user himself, so in principle no compensation is generated for data distribution. In other words, "sharing" is used to utilize data accumulated by other service providers so that users can receive better services from the service providers.

"Provision" is a means by which data utilization businesses obtain data accumulated by other service businesses. For example, data distribution through "provision" is used when a pharmaceutical company obtains the results of health checkups or medical examinations from medical institutions.

"Provision" is a method used by data utilization businesses that do not provide services directly to users, so in principle, a fee is charged for data distribution. In other words, "provision" is used so that users can receive compensation from data utilization businesses.

In the first embodiment, the data distribution means for the stored data will be explained using "sharing" as an example. However, it goes without saying that stored data can also be the subject of data distribution through "provision."

<Creating a system account>
A user of the information distribution system is required to register in advance (user registration, system registration). More specifically, the user accesses the portal server 10 and performs the procedure for creating an account. In the following explanation, an account created in the information distribution system is referred to as a "system account."

To generate a system account, the user operates the terminal 40 owned by the user to access the portal server 10. In response to the access from the terminal 40, the portal server 10 displays a WEB page for generating a system account.

The user performs an operation for generating a system account (e.g., pressing a specific button) and requests the portal server 10 to generate a system account (see FIG. 4). The portal server 10 acquires the information necessary to generate the user's system account. Specifically, the portal server 10 acquires the user's login information (login ID, password), personal information (name, date of birth, etc.), biometric information (e.g., facial image), and identification documents (driver's license, etc.).

The portal server 10 sends an "account creation request" including the acquired login information, personal information, biometric information, identification documents, etc. to the distribution control server 20 (step S01).

The distribution control server 20 performs identity verification using the biometric information included in the account creation request and the biometric information recorded on the identity document. If identity verification is successful, the distribution control server 20 creates a system account for the user. At that time, the distribution control server 20 creates a user ID (identifier) to uniquely identify the user in the information distribution system.

The distribution control server 20 stores the generated user's user ID, login information, personal information (name, date of birth, contact information, etc.), and biometric information in association with each other. The distribution control server 20 stores this information in a "user information database." Details of the user information database will be described later.

The distribution control server 20 transmits the generated user ID to the portal server 10 (step S02). The portal server 10 issues the user ID acquired from the distribution control server 20 to the user (terminal 40) (step S03). The terminal 40 stores the issued user ID.

<Creating a service account>
In order to receive services from a service provider, a user needs to create an account with the service provider. More specifically, the user accesses the service server 30 managed by the service provider and performs user registration to create an account. In the following explanation, the account created by the service provider is referred to as a "service account."

To create a service account, a user operates the terminal 40 that the user owns to access the desired service server 30. For example, a user who wishes to receive services from a healthcare provider accesses the service server 30-1. In response to the access from the terminal 40, the service server 30 displays a WEB page for creating a service account.

When a user performs an operation to create a service account (e.g., pressing a specific button), the service server 30 acquires the information necessary to create the user's service account. Specifically, the service server 30 acquires the user's login information (login ID, password) and personal information (name, date of birth, etc.).

The service server 30 generates a service account for the user. The service server 30 generates identification information (ID, code) for identifying the user within its own company (service provider). In the following explanation, the identification information generated by the service provider will be referred to as a "personal identification ID." For example, a membership number, a patient registration card number, etc., correspond to the personal identification ID (personal identification code).

The service server 30 stores the user's login information, personal information, and personal identification ID in association with each other. The service server 30 stores this information in a "customer information database." Details of the customer information database will be described later.

The service server 30 issues the generated personal identification ID to the user (terminal 40). The terminal 40 stores the issued personal identification ID.

<Log in to system account>
To use the information distribution service, a user needs to log in to a system account. For example, the user requests the portal server 10 to log in to the system account by pressing a "login" button displayed on the portal site (see FIG. 5).

When a user requests to log in, the portal server 10 redirects the user's login request to the distribution control server 20 (authentication redirection). Specifically, the portal server 10 sends an "authentication request" to the distribution control server 20 (step S11).

Here, the information distribution system employs multi-factor authentication to authenticate users. Specifically, the distribution control server 20 and the terminal 40 perform multi-factor authentication by transmitting and receiving different types of authentication information (step S12).

For example, the terminal 40 transmits login information (ID, password) as authentication information to the distribution control server 20. If the distribution control server 20 is successful in ID authentication (password authentication), it requests the terminal 40 to provide authentication information related to biometric information. The terminal 40 acquires the user's biometric information and transmits the biometric information to the distribution control server 20 as second-stage authentication information. The distribution control server 20 performs biometric authentication using the biometric information.

The distribution control server 20 transmits the authentication result (the authentication result by the multi-factor authentication) to the portal server 10 (step S13). At that time, if the authentication is successful, the distribution control server 20 notifies the portal server 10 of the user ID of the user.

The portal server 10 determines that the user corresponding to the notified user ID is the target of the service provision. If the user successfully logs in to the system account, the user can change settings when using the information distribution system on the portal site.

<Log in to your service account>
A detailed description of how to log in to a service account will be omitted. The user's terminal 40 and the service server 30 may authenticate the user using a predetermined ID and password.

<ID linking>
In order to distribute data (user data) stored in the service server 30, the user needs to link the system account ID (user ID) with the service account ID (personal identification ID). For example, in order to distribute data stored in a healthcare provider, the user needs to link (link) the user ID of the information distribution system with the personal identification ID issued by the healthcare provider.

In the following explanation, linking (associating) the user ID of a system account with the personal identification ID of a service account will be referred to as "ID linking."

To achieve ID federation, the user logs in to the system account. If the login is successful, the user performs the procedure for ID federation on the portal site (see FIG. 6). Specifically, the user operates the terminal 40 and presses a specific button to request the portal server 10 to issue a "feedback code."

The linking code is information (data) for realizing ID linking. More specifically, the linking code is a token with an expiration date that is linked to the system account (personal information such as name and identity verification information such as biometric information) of the user who wishes to link their ID.

When an operation to issue an integration code is received, the portal server 10 sends an "integration code issuance request" to the distribution control server 20 (step S21).

In response to receiving the linkage code issuance request, the distribution control server 20 generates a linkage code. The distribution control server 20 stores the generated linkage code in the user information database.

The distribution control server 20 transmits the generated linkage code to the portal server 10 (step S22). The portal server 10 transmits the received linkage code to the terminal 40 (step S23). The terminal 40 stores the received linkage code and manages it in a state where the user can view the linkage code.

Once the user has obtained the linking code, the user logs into the service account of the service provider with which they wish to link their IDs. The user then carries out the procedure for ID linking on a website provided by the service provider. For example, the user operates terminal 40 and presses a specific button to request ID linking from service server 30 (see Figure 7).

When the user presses a specified button, the service server 30 obtains a link code from the user (step S31).

Upon acquiring the linking code, the service server 30 requests the distribution control server 20 to execute ID linking. Specifically, the service server 30 transmits an "ID linking request" including the acquired linking code, the personal identification ID of the user currently logged in to the service account, and the business code to the distribution control server 20 (step S32).

The business code is identification information (ID) for identifying service businesses participating in the information distribution system. For example, different codes are assigned to a healthcare business (service server 30-1) and an EC business (service server 30-2).

The business code is shared between system participants (information distribution businesses, service businesses) by any means. For example, when a service business participates in the information distribution system, the information distribution business generates a business code to be assigned to the service business. The information distribution business notifies the service business provider of the generated business code.

Upon receiving an ID linking request, the distribution control server 20 searches the user information database using the linking code included in the ID linking request as a key to identify the corresponding user.

Thereafter, the distribution control server 20 requests the provision of biometric information from the terminal 40 held by the identified user. Specifically, the distribution control server 20 transmits a "biometric information provision request" to the terminal 40 (step S33).

In response to receiving the biometric information request, the terminal 40 displays a GUI or the like for acquiring the user's biometric information (e.g., a facial image). The terminal 40 transmits the acquired biometric information (facial image) to the distribution control server 20 (step S34).

The distribution control server 20 performs biometric authentication (one-to-one authentication) using the biometric information (facial image) of the user identified using the linkage code and the biometric information provided by the terminal 40. That is, the distribution control server 20 confirms the identity of the user requesting ID linkage through biometric authentication.

If the biometric authentication is successful, the distribution control server 20 executes ID federation. Specifically, the distribution control server 20 identifies the service provider from the provider code included in the ID federation request, and stores the personal identification ID of the identified service provider in the user information database. That is, the distribution control server 20 associates the user ID of the system account with the personal identification ID and registers them in the user information database.

For example, consider a user who is assigned a user ID of "#10" in their system account and a personal identification ID of "#100" in their service account. When this user performs ID federation, the two IDs (#10, #100) are registered in the system as the IDs of the same person.

The distribution control server 20 notifies the service server 30 of the result of the ID federation process. The distribution control server 20 sends a response (positive response, negative response) to the ID federation request to the service server 30 (step S35).

The service server 30 notifies the user of the results of the ID linking process.

<Log in to your service account after ID integration>
When receiving a service from a service provider with which ID federation has been completed, the user logs in to the service server 30 via the distribution control server 20. That is, the user logs in to the service server 30 by so-called Single Sign On (SSO).

Specifically, the user operates the terminal 40 to access the service server 30. When the user performs a login procedure on a web page provided by the service server 30, the service server 30 sends an authentication redirect to the distribution control server 20. Specifically, the service server 30 sends an authentication request to the distribution control server 20. At that time, the service server 30 sends the business code of the service business that operates the service server 30 and the address of the terminal 40 to the distribution control server 20.

When the distribution control server 20 receives an authentication request (authentication redirect), it requests the user to perform a procedure similar to the procedure when the user logs in to a system account. Specifically, the distribution control server 20 performs multi-factor authentication using different types of authentication information.

If the multi-factor authentication is successful, the distribution control server 20 reads from the user information database the personal identification ID of the user identified by the authentication process that corresponds to the business code included in the authentication request.

The distribution control server 20 notifies the service server 30, which is the sender of the authentication request, of the read personal identification ID. Upon acquiring the personal identification ID, the service server 30 determines that the user of the personal identification ID has logged in.

In this way, the distribution control server 20 associates the personal identification ID managed by the service account with the user ID managed by the system account (performs ID linking). After the IDs are linked, when the user logs in to the service account, the distribution control server 20 requests the user to follow the same procedure as the procedure for logging in to the system account.

In addition, the portal server 10 (third server device) accepts a login request to a system account by a user and requests authentication of the user from the distribution control server 20. The distribution control server 20 performs multi-factor authentication on the user and notifies the portal server 10 of the result of the multi-factor authentication.

<Data storage and location information transmission>
The service provider accumulates user data of the users. The service provider (service server 30) stores the personal identification code of each user and the data obtained as a result of the provision of the service in association with each other.

Each time a service provider accumulates user data (data resulting from the provision of the service, data necessary for the provision of the service), it transmits "location information" to the distribution control server 20. The location information is information about the storage location of the data accumulated at the service provider (the entity accumulating the data; the service provider), etc. The location information includes a personal identification code, a business code, the type of accumulated data, etc.

The distribution control server 20 stores the acquired location information in a "location information database." Details of the location information database will be described later. The location information database stores personal identification codes, business codes, and data types in association with each other.

<Data distribution through sharing>
A service provider that wishes to obtain data accumulated by another service provider can obtain that data through "sharing."

Here, referring to Figure 8, we will explain the case where an EC operator obtains data of user U1 stored in a healthcare operator through "sharing."

The service server 30-2 of the EC business requesting data sharing sends a "sharing request" to the distribution control server 20 (step S41).

Based on the sharing request, the distribution control server 20 identifies the target of data distribution (user U1) and the data accumulator (healthcare provider) of the data to be distributed. The distribution control server 20 sends an inquiry about data sharing to the terminal 40 held by the identified target (user U1) (step S42).

Terminal 40, which receives the data sharing inquiry, acquires the user's intention regarding data sharing. For example, terminal 40 acquires the intention of user U1 using a GUI (Graphical User Interface). In the above example, terminal 40 displays a GUI with the content such as "By sharing the healthcare provider's data with the EC business, you can receive better service. Do you want to share?" and acquires the user's intention (agree or disagree to data sharing).

The terminal 40 sends a response to the data sharing inquiry (agreeing to data sharing or rejecting data sharing) to the distribution control server 20 (step S43).

If the user's consent is obtained, the distribution control server 20 sends a sharing instruction to the data accumulator (healthcare provider's service server 30-1) (step S44).

Upon receiving the sharing instruction, the healthcare provider's service server 30-1 refers to the customer information database and transmits the data of user U1 (e.g., exercise time, etc.) to the specified data sharing destination service server 30-2 (step S45).

Next, we will explain in detail each device included in the information distribution system related to the first embodiment.

[Portal Server]
Fig. 9 is a diagram showing an example of a processing configuration (processing module) of the portal server 10 according to the first embodiment. Referring to Fig. 9, the portal server 10 includes a communication control unit 201, an account creation control unit 202, a login control unit 203, an ID linkage control unit 204, and a storage unit 205.

The communication control unit 201 is a means for controlling communication with other devices. For example, the communication control unit 201 receives data (packets) from the distribution control server 20. The communication control unit 201 also transmits data to the distribution control server 20. The communication control unit 201 passes the data received from other devices to other processing modules. The communication control unit 201 transmits data acquired from other processing modules to other devices. In this way, the other processing modules transmit and receive data to and from other devices via the communication control unit 201. The communication control unit 201 has a function as a receiving unit that receives data from other devices and a function as a transmitting unit that transmits data to other devices.

The account generation control unit 202 is a means for controlling the generation of a system account. When a user performs a specified operation on the portal site, the account generation control unit 202 performs processing related to the generation of a system account for that user. For example, when the "Create account" button is pressed on the portal site shown in Figure 10, the account generation control unit 202 displays a GUI for obtaining the user's login information, etc.

For example, the account generation control unit 202 displays a GUI as shown in Fig. 11 on the terminal 40. The account generation control unit 202 acquires login information, personal information, biometric information, a copy of an identification document, etc., using a GUI as shown in Fig. 11. Alternatively, the account generation control unit 202 may instruct the user to take a photograph of the face or an identification document in relation to the biometric information or the identification document.

When the account generation control unit 202 acquires the user's login information, etc. from the terminal 40, it transmits the acquired information (login information, personal information, biometric information, identity verification documents) to the distribution control server 20. The account generation control unit 202 transmits an "account generation request" including the login information, etc. to the distribution control server 20.

The account creation control unit 202 receives a response (positive response, negative response) to the account creation request from the distribution control server 20.

When the distribution control server 20 successfully generates a system account (receives a positive response), the account generation control unit 202 sends the user ID included in the positive response to the terminal 40.

If the distribution control server 20 fails to generate a system account (receives a negative response), the account generation control unit 202 notifies the user of this.

The login control unit 203 is a means for controlling login to a system account. For example, when the "Login" button in FIG. 10 is pressed, the login control unit 203 performs an authentication redirect to the distribution control server 20.

Specifically, the login control unit 203 sends an "authentication request" including the address of the terminal 40 to the distribution control server 20. The login control unit 203 receives a response (positive response, negative response) to the authentication request from the distribution control server 20.

If the login fails (if a negative response is received), the login control unit 203 notifies the user accordingly. If the login is successful (if a positive response is received), the login control unit 203 notifies the user accordingly and stores the user ID included in the positive response as the ID of the system user (stores it as the user currently logged in).

The ID linking control unit 204 is a means for controlling the linking of the ID of a system account and the ID of a service account.

When a user who is logged in to a system account performs a predetermined operation (e.g., pressing an ID linking button), the ID linking control unit 204 displays a GUI such as that shown in Fig. 12 on the terminal 40. The ID linking control unit 204 obtains information on the service providers that are the targets of ID linking using the GUI such as that shown in Fig. 12.

Upon obtaining information about the service provider (e.g., the business code of the service provider that is the target of ID federation), the ID federation control unit 204 sends a request to the distribution control server 20 to issue a federation code, including the user ID and business code of the logged-in user.

The ID linking control unit 204 receives a response (positive response, negative response) to the linking code issuance request.

If the linking code is not issued (if a negative response is received), the ID linking control unit 204 notifies the user that ID linking is not possible.

When a linking code is issued (when a positive response is received), the ID linking control unit 204 sends the linking code to the terminal 40 together with the business code of the ID linking destination.

The memory unit 205 stores information necessary for the operation of the portal server 10. For example, the memory unit 205 stores table information that associates the names of service providers with their service provider codes.

[Distribution control server]
Fig. 13 is a diagram showing an example of a processing configuration (processing module) of the distribution control server 20 according to the first embodiment. Referring to Fig. 13, the distribution control server 20 includes a communication control unit 301, an account management unit 302, a login management unit 303, an ID linkage management unit 304, a location information management unit 305, a data distribution control unit 306, and a storage unit 307.

The communication control unit 301 is a means for controlling communication with other devices. For example, the communication control unit 301 receives data (packets) from the service server 30. The communication control unit 301 also transmits data to the service server 30. The communication control unit 301 passes the data received from the other devices to the other processing modules. The communication control unit 301 transmits data acquired from the other processing modules to the other devices. In this way, the other processing modules transmit and receive data to and from the other devices via the communication control unit 301. The communication control unit 301 has a function as a receiving unit that receives data from other devices and a function as a transmitting unit that transmits data to the other devices.

The account management unit 302 is a means for controlling and managing the user's system account.

The account management unit 302 receives an account creation request from the portal server 10. The account management unit 302 performs identity verification using the biometric information (facial image) acquired from the portal server 10 and the biometric information recorded on the identity document.

Specifically, the account management unit 302 generates features from each of the two pieces of biometric information (face images). Existing technology can be used for the feature generation process, so a detailed description thereof will be omitted. For example, the account management unit 302 extracts the eyes, nose, mouth, etc. as feature points from the face image. The account management unit 302 then calculates the position of each feature point and the distance between each feature point as feature amounts, and generates a feature vector (vector information characterizing the face image) consisting of multiple feature amounts.

The account management unit 302 performs authentication processing (one-to-one authentication) using the two features generated above. Specifically, the account management unit 302 calculates the similarity between the two features. The similarity can be calculated using chi-square distance, Euclidean distance, or the like. Note that the greater the distance, the lower the similarity, and the closer the distance, the higher the similarity.

If the similarity is equal to or greater than a predetermined value, the account management unit 302 determines that identity verification has been successful. If the similarity is less than the predetermined value, the account management unit 302 determines that identity verification has failed.

If identity verification fails, the account management unit 302 notifies the portal server 10 that the account creation has failed. Specifically, the account management unit 302 sends a negative response to the account creation request to the portal server 10.

If identity verification is successful, the account management unit 302 generates a system account for the user. Specifically, the account management unit 302 generates a user ID for uniquely identifying the user in the information distribution system. The user ID may be any information that can uniquely identify the user. For example, the account management unit 302 may assign a unique value each time an account creation request is processed, and use this value as the user ID.

The account management unit 302 stores the generated user's user ID, login information, personal information (name, date of birth, contact details, etc.), and biometric information, etc. in association with each other. The distribution control server 20 stores this information in the "user information database" (see Figure 14).

As shown in Figure 14, the user information database (DB; Data Base) has, in addition to fields for storing login information, etc., a field for storing information related to ID federation (ID federation information), a field for storing a personal identification ID for each service provider, etc. Note that "HL" written in the personal identification ID field indicates the business code of the healthcare provider, and "EC" indicates the business code of the EC provider.

Although the ID federation information is shown collectively in Figure 14, the actual ID federation information is associated with a user ID as a set of a federation code, a business code, and a validity period, as shown in Figure 15.

Note that the user information database shown in Figures 14 and 15 is an example and is not intended to limit the items to be stored. For example, identity verification documents obtained from the portal server 10 may be registered in the user information database.

When the system account for the user is generated, the account management unit 302 notifies the portal server 10 that the account has been successfully generated. Specifically, the account management unit 302 transmits an affirmative response to the account generation request to the portal server 10. At that time, the account management unit 302 transmits an affirmative response including the user ID of the generated user to the portal server 10.

The login management unit 303 is a means for controlling and managing logins to system accounts by users. When the login management unit 303 receives an authentication request (authentication redirect) from the portal server 10, it controls multi-factor authentication for the terminal 40 whose address is included in the authentication request.

First, the login management unit 303 requests the terminal 40 to provide login information (a combination of ID and password). The login management unit 303 searches the user information database using the login information acquired from the terminal 40 as a key, and attempts to identify the corresponding user.

If the corresponding user is identified, the login management unit 303 determines that the first authentication using the initial authentication information (login information) was successful. If the corresponding user is not identified, the login management unit 303 determines that the first authentication using the initial authentication information was unsuccessful.

If the first authentication is successful, the login management unit 303 requests the terminal 40 to provide biometric information (facial image). The login management unit 303 attempts authentication using the biometric information acquired from the terminal 40 and the biometric information of the user identified in the first authentication. In other words, the login management unit 303 performs a second authentication using the second authentication information (biometric information).

If the second authentication (biometric authentication) is also successful, the login management unit 303 determines that the multi-factor authentication for the user who possesses the terminal 40 has been successful. If the first or second authentication (biometric authentication) fails, the login management unit 303 determines that the multi-factor authentication for the user who possesses the terminal 40 has failed.

The login management unit 303 notifies the portal server 10 of the authentication result (result of multi-factor authentication). If the multi-factor authentication fails, the login management unit 303 sends a negative response to the portal server 10. If the multi-factor authentication is successful, the login management unit 303 sends a positive response to the portal server 10. When notifying the portal server 10 of successful authentication, the login management unit 303 sends a positive response including the user ID of the user (person who successfully logged in).

The login management unit 303 processes the authentication request received from the service server 30 in the same manner as the authentication request received from the portal server 10. When the multi-factor authentication is successful, the login management unit 303 notifies the service server 30 of the personal identification ID corresponding to the business code included in the authentication request obtained from the service server 30.

The ID federation management unit 304 is a means for controlling and managing ID federation. The operation of the ID federation management unit 304 will be explained using Figures 16 and 17.

The ID federation management unit 304 processes the "federalization code issuance request" received from the portal server 10. Figure 16 is a flowchart showing an example of the operation of the ID federation management unit 304 when processing a federation code issuance request.

The ID federation management unit 304 searches the user information database using the user ID included in the federation code issuance request as a key and attempts to identify the corresponding user (step S101).

If the identification of the user fails (step S102, No branch), the ID federation management unit 304 notifies the portal server 10 that the federation code cannot be issued. Specifically, the ID federation management unit 304 transmits a negative response to the federation code issuance request to the portal server 10 (step S103).

If the user is successfully identified (step S102, Yes branch), the ID federation management unit 304 generates a federation code (step S104). As described above, the federation code is a token with an expiration date that is linked to the system account of the user who wishes to federate ID. For example, the ID federation management unit 304 calculates a concatenation value of the user's user ID, the current time, the business code of the service business that is the target of ID federation, etc., and generates the federation code by calculating a hash value of the calculated concatenation value.

The ID federation management unit 304 registers the generated federation code in the user information database (step S105). The ID federation management unit 304 associates the business code included in the federation code issuance request with the generated federation code and stores them in the user information database. At that time, the ID federation management unit 304 also registers the validity period of the federation code in the user information database. In the example of FIG. 15, the date and time when the validity period of the federation code ends is registered in the user information database.

In addition, the ID federation management unit 304 may set a predetermined period as the validity period, or may determine the validity period based on a predetermined rule, etc. For example, the ID federation management unit 304 may set a different validity period for each service provider.

When the generation and registration of the linkage code is completed, the ID linkage management unit 304 notifies the portal server 10 of the generated linkage code. Specifically, the ID linkage management unit 304 sends an affirmative response (response to the linkage code issuance request) including the generated linkage code to the portal server 10 (step S106).

The ID federation management unit 304 also processes an "ID federation request" received from the service server 30. Figure 17 is a flowchart showing an example of the operation of the ID federation management unit 304 when processing an ID federation request.

When an ID federation request is received, the ID federation management unit 304 searches the user information database using the federation code included in the ID federation request as a key. If the search is successful, the ID federation management unit 304 verifies the validity period of the identified federation code (step S201).

If the validity period of the linking code has expired (step S202, No branch), the ID linking management unit 304 sets the result of the ID linking process to "ID linking failed" (step S203).

If the validity period of the linking code has not expired (step S202, Yes branch), the ID linking management unit 304 sends a "biometric information provision request" to the user's contact information (the address of terminal 40) identified based on the linking code (step S204).

If biometric information is not provided (if a negative response to the biometric information provision request is received; step S205, No branch), the ID federation management unit 304 sets the result of the ID federation process to "ID federation failed" (step S203).

When the biometric information is provided (when a positive response to the biometric information provision request is received; step S205, Yes branch), the ID federation management unit 304 executes biometric authentication (step S206). Specifically, the ID federation management unit 304 executes biometric authentication (one-to-one authentication) using the biometric information (face image) of the user identified using the federation code and the biometric information provided by the terminal 40.

If biometric authentication fails (step S207, No branch), the ID federation management unit 304 sets the result of the ID federation process to "ID federation failed" (step S203).

If the biometric authentication is successful (step S207, Yes branch), the ID federation management unit 304 executes ID federation (step S208). Specifically, the ID federation management unit 304 identifies a service provider that is the target of ID federation from the provider code included in the ID federation request, and stores the personal identification ID generated by the identified service provider (the personal identification ID included in the ID federation request) in the user information database.

For example, in the example of Figure 15, a user with user ID "uID01" has requested ID federation from a healthcare provider (see line 1). When ID federation is performed for that user, the user's personal identification ID (personal identification ID generated by the healthcare provider) is set to the healthcare provider in the personal identification ID field shown in line 1 of Figure 14. As a result, the user ID "uID01" of the user named U1 and the healthcare provider's personal identification ID are registered in the system as the IDs of the same person.

Once ID federation is completed, the ID federation management unit 304 sets the result of the ID federation process to "ID federation successful" (step S209).

The ID federation management unit 304 notifies the service server 30 of the result of the ID federation process (step S210). If the ID federation is successful, the ID federation management unit 304 sends a positive response to the service server 30. If the ID federation is unsuccessful, the ID federation management unit 304 sends a negative response to the service server 30.

The location information management unit 305 is a means for managing location information acquired from service providers. The location information management unit 305 stores the location information acquired from each service server 30 in a location information database (see FIG. 18). As shown in FIG. 18, the location information database stores a personal identification code, a business code, and a data type in association with each other. Note that the location information database shown in FIG. 18 is an example, and is not intended to limit the items to be stored. For example, the date and time when the location information was registered may be registered in the location information database.

The data distribution control unit 306 is a means for controlling the distribution of data stored by users (user data held by the service provider). For example, the data distribution control unit 306 controls data distribution related to "sharing."

The data distribution control unit 306 receives a sharing request from the service server 30. The sharing request includes the personal identification code of the user who is the subject of data acquisition, the business code, the type of data that the data sharing destination wishes to acquire, information on the data sharing destination (data transmission destination), etc.

The data distribution control unit 306 identifies the target of data distribution based on the personal identification code and business code included in the sharing request. Specifically, the data distribution control unit 306 refers to the user information database shown in FIG. 14 to identify the target.

The data distribution control unit 306 identifies a service provider that stores the required data using the personal identification code of the identified user and the data type included in the sharing request. Specifically, the data distribution control unit 306 refers to the location information database shown in FIG. 18 and identifies a service provider that stores data corresponding to the data type included in the sharing request.

Once the target of data distribution and the accumulator of the data to be distributed are identified, the data distribution control unit 306 makes an inquiry about data sharing to the target of data distribution. The inquiry about data sharing includes information such as the requester of the data sharing, the data accumulator, and the type of data to be shared.

The data distribution control unit 306 receives a response to the data sharing inquiry from the terminal 40.

If the user refuses data sharing, the data distribution control unit 306 notifies the data sharing requester that data sharing is not possible. If the user agrees to data sharing, the data distribution control unit 306 sends a sharing instruction to the data accumulator.

The sharing instructions include a personal identification code generated by the data accumulator, information about the data sharing destination, and the type of data to be shared.

The memory unit 307 stores information necessary for the operation of the distribution control server 20. The memory unit 307 stores at least biometric information for authenticating a user who logs in to a system account. A user information database is constructed in the memory unit 307. Furthermore, the memory unit 307 constructs a database that stores the names of service providers in association with their business codes.

[Service Server]
Fig. 19 is a diagram showing an example of a processing configuration (processing module) of the service server 30 according to the first embodiment. Referring to Fig. 19, the service server 30 includes a communication control unit 401, a customer management unit 402, a sharing request unit 403, a data accumulation unit 404, a data distribution unit 405, and a storage unit 406.

The communication control unit 401 is a means for controlling communication with other devices. For example, the communication control unit 401 receives data (packets) from the distribution control server 20. The communication control unit 401 also transmits data to the distribution control server 20. The communication control unit 401 passes the data received from other devices to other processing modules. The communication control unit 401 transmits data acquired from other processing modules to other devices. In this way, the other processing modules transmit and receive data with other devices via the communication control unit 401. The communication control unit 401 has a function as a receiving unit that receives data from other devices and a function as a transmitting unit that transmits data to other devices.

The customer management unit 402 is a means for controlling and managing the customers of the service provider. Specifically, the customer management unit 402 generates service accounts for users and controls logins by users. Furthermore, the customer management unit 402 controls and manages ID federation.

When a user performs a predetermined operation on the web page, the customer management unit 402 displays a GUI or the like for obtaining a link code on the terminal 40. For example, the customer management unit 402 displays a screen such as that shown in FIG. 20.

Upon obtaining the linking code, the customer management unit 402 sends an "ID linking request" to the distribution control server 20, which includes the obtained linking code, the user's personal identification ID, and the business code.

The customer management unit 402 receives a response (positive response, negative response) to the ID federation request from the distribution control server 20. The customer management unit 402 notifies the user of the result of ID federation (ID federation successful, ID federation failed).

In addition, the customer management unit 402 stores the address of the terminal 40 used by the user who has successfully completed ID federation as an ID-federated address. Specifically, the customer management unit 402 adds the address of the terminal 40 to the ID federation completed list.

The customer management unit 402 processes logins to a user's service account. When processing operations related to a user's login, the customer management unit 402 refers to the ID federation completed list and determines whether the login request is from a terminal 40 for which ID federation has been completed.

If the login request is from a terminal 40 for which ID federation has not been completed, the customer management unit 402 requests the user's terminal 40 to provide login information. In other words, the customer management unit 402 authenticates the user using a method unique to the service provider.

If the login request is from a terminal 40 for which ID federation has been completed, the customer management unit 402 sends an authentication request to the distribution control server 20. The customer management unit 402 receives a response (positive response, negative response) from the distribution control server 20. The customer management unit 402 performs an operation according to the response from the distribution control server 20. In this way, for login processing related to a user for whom ID federation has been completed, the customer management unit 402 performs an authentication redirect to the information distribution system, requesting the user to carry out a procedure equivalent to logging in to a system account.

Note that detailed explanation of the operation of the customer management unit 402 regarding the generation of a service account will be omitted because the operation is obvious to those skilled in the art.

When providing a service to a new customer, the customer management unit 402 may generate a personal identification ID for the customer. Alternatively, the customer management unit 402 may obtain a personal identification ID generated by an employee of the service provider, etc.

The sharing request unit 403 is a means for requesting the information distribution business operator to "share" the user's data. The sharing request unit 403 transmits a sharing request to the distribution control server 20 in response to an operation by an employee of the service business operator, etc. Specifically, the sharing request unit 403 transmits a sharing request to the distribution control server 20, which includes the personal identification code of the user who is the subject of data acquisition, the business code of the user's own device, the type of data desired to be acquired, information on the data sharing destination, etc.

The data storage unit 404 is a means for storing the user's user data (data resulting from providing a service to the user or data necessary for providing a service to the user). The data storage unit 404 associates the user's personal identification code with the user data and stores them in the storage database (see Figure 21).

As shown in Figure 21, the data storage unit 404 stores information on the generated data in a field corresponding to the type of data generated. Note that Figure 21 shows an example of an accumulation database constructed in the service server 30-1 of a healthcare provider.

The data accumulation unit 404 transmits location information to the distribution control server 20 each time data is stored in the accumulation database. For example, when acquiring user data of a user with personal identification code "HL21", location information including the personal identification code "HL21", business code "healthcare business operator", and data type "exercise time" is transmitted to the distribution control server 20.

The data distribution unit 405 is a means for realizing data distribution through "sharing". The data distribution unit 405 processes the "sharing instruction" received from the distribution control server 20.

When a sharing instruction is received, the data distribution unit 405 refers to the accumulation database and identifies an entry corresponding to the personal identification code and data type included in the sharing instruction. For example, when a sharing instruction including the personal identification code "HL21" and the data type "sleep time" is received, the data distribution unit 405 identifies the entry shown in the top row of FIG. 21.

The data distribution unit 405 transmits the accumulated data described in the corresponding data type field of the identified entry to the data sharing destination specified in the sharing instruction.

The memory unit 406 stores information necessary for the operation of the service server 30.

[Device]
Examples of the terminal 40 include a mobile terminal device such as a smartphone, a mobile phone, a game machine, a tablet, etc., a computer (personal computer, notebook computer), etc. The terminal 40 can be any equipment or device that can accept user operations and communicate with the portal server 10, etc.

For example, when the terminal 40 receives a request for biometric information from the distribution control server 20, it displays a GUI that prompts the user to take a facial image (so-called a GUI that prompts a selfie) and acquires the user's biometric information. The terminal 40 transmits the acquired biometric information to the distribution control server 20 as a response to the request for biometric information.

Furthermore, since the configuration of terminal 40 is clear to those skilled in the art, detailed explanation will be omitted.

[System Operation]
Next, the operation of the information distribution system according to the first embodiment will be described.

Figure 22 is a sequence diagram showing an example of the operation of the information distribution system relating to the first embodiment. With reference to Figure 22, the system operation when realizing ID federation will be described.

The service server 30 obtains a linking code from a person who wishes to link their ID (step S301).

Upon obtaining the linking code, the service server 30 sends an ID linking request to the distribution control server 20 (step S302).

Upon receiving the ID linking request, the distribution control server 20 sends a biometric information provision request to the terminal 40 of the person wishing to link the ID (step S303).

In response to receiving the request for biometric information, the terminal 40 acquires the user's biometric information and transmits the acquired biometric information (facial image) to the distribution control server 20 (step S304).

The distribution control server 20 performs biometric authentication using the biometric information of the user identified using the link code and the biometric information provided by the terminal 40 (step S305).

If biometric authentication is successful, the distribution control server 20 performs ID linking (step S306).

The distribution control server 20 notifies the service server 30 of the result of the ID integration (step S307).

The service server 30 notifies the user of the results of the ID integration (step S308).

In this way, when the portal server 10 accepts an ID linking procedure for a personal identification ID from a user, it requests the distribution control server 20 to issue a linking code. The distribution control server 20 generates a linking code linked to the user's system account and transmits the generated linking code to the portal server 10. The portal server 10 notifies the user of the transmitted linking code.

The service server 30 acquires an association code from a user who wishes to federate IDs, and sends an ID federation request including a personal identification ID and the acquired association code to the distribution control server 20. The distribution control server 20 identifies the user who wishes to federate IDs from the association code included in the ID federation request, and requests the identified user to provide biometric information. The distribution control server 20 performs biometric authentication using the biometric information acquired in response to the request and the biometric information stored in the system account, and if the biometric authentication is successful, associates the personal identification ID with the user ID.

As described above, in the information distribution system according to the first embodiment, a linking code is used to link the personal identification ID of a service account with the user ID of a system account. Such ID linking allows data stored by a service provider to be subject to data distribution. Furthermore, in the first embodiment, when receiving a service from a service provider with which ID linking has been completed, the user is required to follow a procedure similar to that used when logging in to a system account. As a result, high reliability can be given to data stored by a service provider with low authentication strength or identity verification strength.

Specifically, as shown in FIG. 23, when a system account for an information distribution system is generated, identity verification is performed using an identification document, and the identity verification strength for the user of the account is high. In addition, when a user logs in to a system account, multi-factor authentication such as a combination of ID authentication and biometric authentication is used, so the authentication strength when authenticating the authenticatee is also high. For example, a match using an ID and a password is performed as a primary match, and a match (authentication) using biometric information is performed as a secondary match, so authentication with high strength is performed. In contrast, when an account for a service provider (e.g., a health care provider) is generated, identity verification is not performed, and the identity verification strength is low. In addition, when logging in to a service account of the service provider, only ID authentication using an ID and a password is performed, and the authentication strength for the authenticatee is also low. In the first embodiment, when a service is provided by a service provider with which ID integration has been completed (when logging in to a service account), the distribution control server 20 authenticates the authenticatee using single sign-on. As a result, the authentication strength and identity verification strength of the user who uses the service provider are ensured, and the reliability of the data accumulated by the service provider is improved.

As described above, in order to utilize user data accumulated by a service provider that does not require high identity verification or authentication strength when providing a service, it is necessary to increase the reliability of authentication by the service provider (service provider organization) that accumulates the data. Specifically, it is necessary to raise the authentication security level and identity verification level when accessing the service server 30 provided by the service provider to the same level as that of a system account. In order to raise the level, in the first embodiment, when receiving a service from a service provider (for example, when using a health app provided by a healthcare provider), an authentication request for the health app is redirected to an information distribution system. The information distribution system processes the authentication request for the health app (performs multi-factor authentication). As a result, the authentication security level when using the health app is raised to the level when using a personal portal. In addition, biometric authentication is performed when ID linking is performed using a link code, so that the identity of the person using the health app and the person using the personal portal is confirmed. As a result, the identity verification level when using the health app is raised to the level when using a personal portal.

Thus, for example, applications provided by healthcare providers (health applications) may perform authentication using an ID and password, but do not perform biometric authentication, and therefore the authentication strength is low. In contrast, in the information distribution system according to the first embodiment, when a user uses a health application, the service account and system account are linked, and biometric authentication is required of the user. This makes it possible to increase the authentication strength when using applications such as health applications, and makes it possible to utilize user data accumulated by service providers such as healthcare providers.

Second Embodiment
Next, the second embodiment will be described in detail with reference to the drawings.

In the first embodiment, we have described ID linking in the case where a user is required to log in to a service account managed by a service provider when receiving a service. In the second embodiment, we will describe a case where a personal identification ID of a service provider that does not require login, etc., is linked when receiving a service such as a hospital service.

Below, we will mainly explain the differences between the first and second embodiments.

Figure 24 is a diagram showing an example of a schematic configuration of an information distribution system according to the second embodiment. As shown in Figure 24, the information distribution system according to the second embodiment includes a hospital terminal 50 installed inside the hospital and a service server 30-3 installed outside the hospital.

The hospital terminal 50 is used by staff of the service provider (hospital) that provides the second service, and is a terminal that stores the third ID in association with the user's personal identification information. Specifically, the hospital terminal 50 stores the patient's personal information (name, date of birth, etc.), personal identification ID (e.g., patient card number, health insurance card number), etc. The hospital terminal 50 is installed at a reception desk, etc. Hospital staff (hospital staff in the medical department, etc.) use the hospital terminal 50 to perform their duties. The hospital terminal 50 is equipped with a camera device and is configured to be connectable to a network.

25 is a diagram showing an example of a processing configuration (processing module) of a hospital terminal 50 according to the second embodiment. Referring to FIG. 25, the hospital terminal 50 includes a communication control unit 501, an ID linking instruction processing unit 502, and a memory unit 503.

The hospital terminal 50 performs processing related to the system account user ID and the hospital's personal identification ID in response to operations by hospital staff.

The communication control unit 501 is a means for controlling communication with other devices. For example, the communication control unit 501 receives data (packets) from the service server 30-3. The communication control unit 501 also transmits data to the service server 30-3. The communication control unit 501 passes the data received from the other devices to the other processing modules. The communication control unit 501 transmits data acquired from the other processing modules to the other devices. In this way, the other processing modules transmit and receive data to and from the other devices via the communication control unit 501. The communication control unit 501 has a function as a receiving unit that receives data from other devices and a function as a transmitting unit that transmits data to the other devices.

The ID linking instruction processing unit 502 is a means for processing instructions regarding ID linking from hospital staff. Details of the ID linking instruction processing unit 502 will be described later.

The memory unit 503 stores information necessary for the operation of the hospital terminal 50. A patient information database that stores patient information is constructed in the memory unit 503. The patient information database stores the patient's identity verification information (personal information; name, date of birth, etc.) and personal identification ID (patient card number, etc.).

The service server 30-3 (fourth server device) accumulates a personal identification ID (such as a patient registration card number) necessary to provide a second service (medical service) to the user and data related to the second service to be provided to the user. The service server 30-3 is a server device (operation server) that stores data necessary to operate a data distribution service for patient user data (for example, medical examination results such as disease name).

The service server 30-3 provides an operation portal necessary for the operation of the hospital. The service server 30-3 stores the personal identification ID of the patient (user) and the user data (disease name, etc.) to be subject to data distribution in association with each other.

The service server 30-3 also has a function related to ID linking. That is, the service server 30-3 has a function to register the patient's personal identification ID (e.g., patient card number) in the system in order to make the patient's accumulated data the subject of data distribution. Note that, unlike the first embodiment, users cannot directly access the service server 30-3.

Figure 26 is a diagram showing an example of the processing configuration (processing module) of the service server 30-3 according to the second embodiment. Referring to Figure 26, a matching unit 407 has been added to the configuration of the service server 30 according to the first embodiment.

In addition, the operation of the ID federation function (customer management unit 402) of the service server 30-3 is different from that of the service server 30 of the first embodiment. In addition, the service server 30-3 is provided with an ID federation target database that stores information on persons who wish to federate their IDs.

When a personal identification ID issued by a hospital is to be the subject of ID linking, the user operates terminal 40 to log in to the system account. When carrying out the ID linking procedure, the user selects the hospital with which the user wishes to link the ID.

The ID linkage control unit 204 of the portal server 10 changes the request to the distribution control server 20 according to the information of the service provider entered by the user. Specifically, as described in the first embodiment, for a service provider that requires the user to log in to a service account when receiving a service, the ID linkage control unit 204 requests the distribution control server 20 to issue a linkage code.

In contrast, as in the second embodiment, for a service provider (such as a hospital) that does not require a user to log in to a service account when receiving a service, the ID linkage control unit 204 requests (requests) the distribution control server 20 to transmit the user's identity verification information. Specifically, the ID linkage control unit 204 transmits a "request to transmit identity verification information" including the user's user ID and the service provider's (hospital's) business code to the distribution control server 20 (step S51 in FIG. 27).

In addition, the ID linkage control unit 204 switches requests to the distribution control server 20 by referring to table information that associates the business code with the service provision form of the service business (whether or not logging in to the service account is required).

Upon receiving the request to send personal identification information, the ID linkage management unit 304 of the distribution control server 20 searches the user information database based on the user ID and identifies the corresponding user. The ID linkage management unit 304 transmits the user ID, personal identification information (e.g., name or a combination of name and date of birth), and biometric information (e.g., a facial image) of the identified user to the hospital's service server 30-3 (step S52).

The service server 30-3 stores the received user ID, identity verification information and biometric information in the ID association target database.

After completing the procedure for ID federation on the system account (portal server 10), the user visits the hospital. The user conveys their desire for ID federation to hospital staff at the hospital reception desk or accounting desk (see Figure 28).

The hospital staff instructs the hospital terminal 50 to perform processing for ID federation. In response to the instruction, the ID federation instruction processing unit 502 acquires the biometric information of the user in front of them (the user who wishes to federate ID). The ID federation instruction processing unit 502 sends a "matching request" including the acquired biometric information (facial image) to the hospital's service server 30-3 (step S61).

The matching unit 407 of the service server 30-3 executes a matching process (one-to-N matching; N is a positive integer, same below) using the biometric information included in the matching request and the biometric information stored in the ID linking target database to identify the person who wishes to link ID and has visited the hospital. The matching unit 407 transmits the identity verification information (for example, name or a combination of name and date of birth) and user ID of the identified user to the hospital terminal 50 (step S62).

The ID federation instruction processing unit 502 of the hospital terminal 50 extracts candidates (candidates) who wish to federate IDs by searching the patient information database using the personal identification information acquired from the service server 30-3 as a key. The ID federation instruction processing unit 502 presents information about the extracted candidates who wish to federate IDs to hospital staff.

For example, when there is one candidate, the ID federation instruction processing unit 502 displays a GUI as shown in FIG. 29A. When there are multiple candidates, the ID federation instruction processing unit 502 displays a GUI as shown in FIG. 29B.

29A and 29B, the ID linkage instruction processing unit 502 displays a face image obtained by photographing the user in front of the user and the personal identification ID of the candidate extracted using the personal identification information. At that time, if multiple candidates are identified due to the fact that patients with the same name are registered, the ID linkage instruction processing unit 502 displays the personal identification IDs of the multiple candidates and also displays a GUI that allows the hospital staff to select a candidate who wishes to be ID linked from the multiple candidates.

If there is only one candidate wishing to link IDs, the ID linking instruction processing unit 502 sends an ID linking request including the personal identification ID, user ID, and business code obtained by searching the patient information database to the distribution control server 20 (step S63 in FIG. 28).

If there are multiple people wishing to link their IDs, hospital staff will check the patient registration cards or other documents submitted by the people wishing to link their IDs at reception or when paying, and select the patient registration card number (personal identification ID) written on the card or other documents on the GUI shown in Figure 29B.

The ID linking instruction processing unit 502 sends an ID linking request including the personal identification ID selected by the hospital staff to the distribution control server 20 (step S63 of Figure 28).

The ID federation management unit 304 of the distribution control server 20 identifies the person who wishes to federate ID based on the user ID included in the ID federation request. The ID federation management unit 304 sets a personal identification ID of the acquired business code for the identified user.

When the ID federation process is completed, the distribution control server 20 notifies the portal server 10 of the processing result (step S53 in FIG. 27). The portal server 10 notifies the user of the result of the ID federation (ID federation successful, ID federation failed). At that time, the portal server 10 may notify the user of the personal identification ID for which ID federation has been completed.

The user checks the results notified by the portal server 10. At that time, the user checks the personal identification ID (such as a medical card number) for which ID federation has been completed, and if it differs from the user's own personal identification ID, the user may request the portal server 10 to correct the personal identification ID. For example, the user may input the correct personal identification ID to the portal server 10. In this case, the portal server 10 may send an ID federation request including the personal identification ID to the distribution control server 20.

In this way, when the portal server 10 accepts an ID federation procedure for a personal identification ID (third ID) of a hospital or the like from a user, it requests the distribution control server 20 to send the identity verification information of the user who wishes to federate ID. In response to the request, the distribution control server 20 transmits the identity verification information and biometric information of the user who wishes to federate ID to the service server 30-3 (fourth server device). The hospital terminal 50 transmits a matching request including the biometric information of the user who wishes to federate ID to the service server 30-3. The service server 30-3 identifies the user who wishes to federate ID using the biometric information acquired from the hospital terminal 50 and the biometric information acquired from the distribution control server 20, and transmits the identity verification information of the identified user to the hospital terminal 50. The hospital terminal 50 transmits an ID federation request including the personal identification ID corresponding to the identity verification information acquired from the service server 30-3 to the distribution control server 20.

The hospital terminal 50 presents to the hospital staff the personal identification ID corresponding to the identity verification information acquired from the service server 30-3 and the biometric information (facial image) of the user who wishes to link the ID. At that time, if there are multiple candidates corresponding to the identity verification information acquired from the service server 30-3, the hospital terminal 50 presents the personal identification IDs of the multiple candidates to the hospital staff. The hospital terminal 50 sends to the distribution control server 20 an ID linking request including an individual identification ID selected by the hospital staff from among the multiple personal identification IDs.

As described above, in the second embodiment, in order to utilize data (medical data) accumulated by a hospital or the like, a personal identification ID (such as a patient card number) managed by the hospital is registered in the system. When a user requests ID federation, the portal server 10 requests the distribution control server 20 to send the identity verification information of the person requesting ID federation to the hospital's service server 30-3. The biometric information of the person requesting ID federation is acquired by the hospital terminal 50, and the hospital terminal 50 requests the service server 30-3 to perform matching using the biometric information. The service server 30-3 identifies the person requesting ID federation through a matching process using the biometric information, and transmits the identity verification information to the hospital terminal 50. The hospital terminal 50 identifies the person requesting ID federation using the identity verification information notified by the service server 30-3 and the identity verification information in the patient information database (the details on the face of the health insurance card stored by the hospital). In other words, the hospital terminal 50 performs primary matching using the identity verification information. When multiple ID federation applicants are extracted due to duplication of names, etc., the hospital terminal 50 presents a candidate list consisting of multiple ID federation applicants to the hospital staff. The hospital staff performs secondary matching using the presented candidate list and the patient card, etc., presented by the ID federation applicant to identify the final ID federation target patient. In this way, in the second embodiment, matching (authentication) using biometric information is performed as the primary matching, and visual matching by the hospital staff is performed as the secondary matching. In addition, since the candidate list includes a personal identification ID (such as a patient card number), the hospital staff can identify the ID federation applicant without inputting the number. Therefore, there is almost no load on the hospital staff. The hospital terminal 50 notifies the distribution control server 20 of an ID federation request including the personal identification ID of the ID federation applicant. The distribution control server 20 performs ID federation regarding the notified personal identification ID.

As explained above, when using data managed by a hospital or the like that does not require logging in to a service account, logging in to a system account is required (multi-factor authentication is performed). Therefore, the authentication security level when using data stored in a hospital (medical data) is raised to the level when using an information distribution system. In addition, in hospitals, face-to-face identity verification (checking the patient's face) is performed when creating a patient card, so the level of identity verification is inherently high. In this respect, there is no problem. However, when linking the system's user ID and personal identification ID, if hospital staff are asked to enter the patient card number into the system, the burden on the staff increases. Regarding this problem, in the second embodiment, the hospital terminal 50 automatically identifies the patient card number, eliminating the need to match IDs and reducing the burden on hospital staff.

Next, we will explain the hardware of each device that makes up the information distribution system. Figure 30 is a diagram showing an example of the hardware configuration of the distribution control server 20.

The distribution control server 20 can be configured by an information processing device (so-called a computer) and has the configuration shown in Fig. 30. For example, the distribution control server 20 has a processor 311, a memory 312, an input/output interface 313, a communication interface 314, etc. The components such as the processor 311 are connected by an internal bus or the like and are configured to be able to communicate with each other.

However, the configuration shown in FIG. 30 is not intended to limit the hardware configuration of the distribution control server 20. The distribution control server 20 may include hardware not shown, and may not have an input/output interface 313 as necessary. Furthermore, the number of processors 311, etc. included in the distribution control server 20 is not intended to be limited to the example shown in FIG. 30, and for example, multiple processors 311 may be included in the distribution control server 20.

The processor 311 is, for example, a programmable device such as a CPU (Central Processing Unit), an MPU (Micro Processing Unit), or a DSP (Digital Signal Processor). Alternatively, the processor 311 may be a device such as an FPGA (Field Programmable Gate Array) or an ASIC (Application Specific Integrated Circuit). The processor 311 executes various programs including an operating system (OS).

Memory 312 is a RAM (Random Access Memory), a ROM (Read Only Memory), a HDD (Hard Disk Drive), a SSD (Solid State Drive), etc. Memory 312 stores an OS program, application programs, and various data.

The input/output interface 313 is an interface for a display device and an input device (not shown). The display device is, for example, a liquid crystal display. The input device is, for example, a device that accepts user operations such as a keyboard or a mouse.

The communication interface 314 is a circuit, module, etc. that communicates with other devices. For example, the communication interface 314 includes a NIC (Network Interface Card), etc.

The functions of the distribution control server 20 are realized by various processing modules. The processing modules are realized, for example, by the processor 311 executing a program stored in the memory 312. The program can be recorded on a computer-readable storage medium. The storage medium can be a non-transitory medium such as a semiconductor memory, a hard disk, a magnetic recording medium, or an optical recording medium. That is, the present invention can also be embodied as a computer program product. The program can be downloaded via a network or updated using a storage medium storing the program. The processing modules may also be realized by a semiconductor chip.

In addition, the portal server 10, service server 30, etc. can also be configured using information processing devices in the same way as the distribution control server 20, and since their basic hardware configuration is no different from that of the distribution control server 20, explanations will be omitted.

The distribution control server 20, which is an information processing device, is equipped with a computer, and the functions of the distribution control server 20 can be realized by causing the computer to execute a program. In addition, the distribution control server 20 executes the control method of the distribution control server 20 by the program.

[Modification]
The configuration, operation, and the like of the information distribution system described in the above embodiment are merely examples, and are not intended to limit the system configuration, and the like.

In the above embodiment, a case has been described in which the portal server 10 serves as an interface for system accounts. However, all or part of the functions of the portal server 10 may be performed by the distribution control server 20. The information distribution system may not include the portal server 10. In other words, the terminal 40 and the distribution control server 20 may directly send and receive a "linkage code issuance request" or an "ID linkage request."

In the above embodiment, the case where the distribution control server 20 has a function for managing users (account generation, login management) and a function for controlling data distribution has been described. However, these functions may be realized by different server devices. Specifically, a management server 21 for managing users and a control server 22 for controlling data distribution may be included in the system (see FIG. 31). In this case, the management server 21 operates as a so-called eKYC (electronic Know Your Customer) server. The configurations, operations, etc. of the management server 21 and control server 22 are clear from the operations in the first and second embodiments described above, so explanations are omitted.

In the above embodiment, the multi-factor authentication adopted by the information distribution system is described by taking as examples authentication using an ID and a password and authentication using biometric information. However, it is obvious that multi-factor authentication is not limited to ID authentication and biometric authentication. For example, the information processing system may adopt email address authentication (terminal authentication) in which an email containing a verification URL (Uniform Resource Locator) is sent to the email address.

In the above embodiment, a facial image is used as biometric information. However, the biometric information may be a feature generated from a facial image. For example, a feature may be registered instead of a facial image when a system account is created.

Furthermore, the information distribution system may utilize biometric information other than facial images and features. That is, examples of biometric information include data (features) calculated from physical features unique to an individual, such as the face, fingerprints, voiceprints, veins, retina, and iris patterns. Alternatively, the biometric information may be image data such as a facial image or fingerprint image. The biometric information may include information on the user's physical features.

In the above embodiment, it has been described that the distribution control server 20 generates a character string consisting of a combination of numbers and letters as an association code and issues it to the user. In this case, the distribution control server 20 may issue to the user a two-dimensional code into which the character string has been converted as the association code. In other words, the association code issued to the user is not limited to the character string as shown in FIG. 20.

In the above embodiment, a case has been described in which a user information database is configured within the distribution control server 20, but the database may also be constructed in an external database server or the like. That is, some of the functions of the distribution control server 20 may be implemented in another server. More specifically, the above-described "ID federation management unit (ID federation management means)", "data distribution control unit (data distribution control means)", etc. may be implemented in any of the devices included in the system.

The form of data transmission and reception between each device (portal server 10, distribution control server 20, etc.) is not particularly limited, but data transmitted and received between these devices may be encrypted. Personal information of users and the like is transmitted and received between these devices, and in order to appropriately protect this information, it is desirable to transmit and receive encrypted data.

In the flow diagrams (flowcharts, sequence diagrams) used in the above explanation, multiple steps (processes) are described in order, but the order of execution of the steps performed in the embodiments is not limited to the order described. In the embodiments, the order of the steps shown in the diagrams can be changed to the extent that does not interfere with the content, such as by executing each process in parallel.

The above embodiments have been described in detail to facilitate understanding of the present disclosure, and it is not intended that all of the configurations described above are required. Furthermore, when multiple embodiments are described, each embodiment may be used alone or in combination. For example, it is possible to replace part of the configuration of an embodiment with the configuration of another embodiment, or to add the configuration of another embodiment to the configuration of an embodiment. Furthermore, it is possible to add, delete, or replace part of the configuration of an embodiment with other configurations.

The above explanation makes clear the industrial applicability of the present invention, and the present invention is particularly applicable to information distribution systems that distribute accumulated data related to services provided to users.

A part or all of the above-described embodiments can be described as, but is not limited to, the following supplementary notes.
[Appendix 1]
a first server device that stores a first ID required for providing a first service to a user who has logged in to a first account and accumulates data related to the first service provided to the user;
a second server device that controls data distribution of the stored data for the user who has logged in to a second account;
Including,
The system further comprises: after a first ID managed in the first account and a second ID managed in the second account are associated with each other, when the user logs in to the first account, the second server device requests the user to follow the same procedure as that for logging in to the second account.
[Appendix 2]
a third server device that accepts a login request to the second account by the user and requests the second server device to authenticate the user;
2. The system of claim 1, wherein the second server device performs multi-factor authentication on the user and notifies the third server device of the result of the multi-factor authentication.
[Appendix 3]
The system described in Appendix 2, wherein the second server device stores at least biometric information for authenticating the user logging in to the second account.
[Appendix 4]
When the third server device accepts a procedure for ID federation regarding the first ID from the user, the third server device requests the second server device to issue a federation code;
The second server device generates the link code associated with the second account of the user, and transmits the generated link code to the third server device;
The system described in Appendix 3, wherein the third server device notifies the user of the transmitted link code.
[Appendix 5]
The first server device acquires the federation code from a user who desires the ID federation, and transmits an ID federation request including the first ID and the acquired federation code to the second server device;
The second server device is
Identifying a user who desires to federate IDs from a federation code included in the ID federation request, and requesting the identified user to provide biometric information;
The system described in Appendix 4, which performs biometric authentication using biometric information acquired in response to the request and biometric information stored in the second account, and if the biometric authentication is successful, associates the first ID with the second ID.
[Appendix 6]
a fourth server device that stores a third ID necessary for providing a second service to the user and data related to the second service to be provided to the user;
a terminal used by a staff member of a service provider providing the second service, the terminal storing the third ID and the user's personal identification information in association with each other;
Further comprising:
The system described in Appendix 2, wherein the terminal executes processing related to linking the second ID and the third ID in response to the operation of the staff member.
[Appendix 7]
When the third server device accepts a procedure for ID federation regarding the third ID from the user, the third server device requests the second server device to transmit identity verification information of the user who desires the ID federation;
The second server device transmits, in response to the request, personal identification information and biometric information of the user who wishes to federate the ID to the fourth server device;
The terminal transmits a matching request including biometric information of the user who desires the ID federation to the fourth server device;
The fourth server device identifies a user who wishes to perform the ID federation using the biometric information acquired from the terminal and the biometric information acquired from the second server device, and transmits personal identification information of the identified user to the terminal;
The system according to claim 6, wherein the terminal transmits to the second server device an ID federation request including the third ID corresponding to the personal identification information acquired from the fourth server device.
[Appendix 8]
The terminal includes:
The system described in Appendix 7, wherein the third ID corresponding to the personal identification information obtained from the fourth server device and the biometric information of the user who wishes to link the IDs are presented to the staff.
[Appendix 9]
the terminal presents to the staff a plurality of the third IDs corresponding to the identity verification information acquired from the fourth server device;
The system described in Appendix 7 or 8, wherein the ID federation request including a third ID selected by the staff from among the plurality of third IDs is sent to the second server device.
[Appendix 10]
The system according to any one of claims 1 to 9, wherein the multi-factor authentication includes authentication using an ID and a password, and authentication using biometric information.
[Appendix 11]
11. The system of claim 10, wherein the biometric information is a facial image or a feature generated from the facial image.
[Appendix 12]
a communication control unit that stores a first ID required for providing a first service to a user who has logged in to a first account, accumulates data related to the first service provided to the user, and communicates with a server;
a data distribution control unit that controls data distribution of the stored data for the user who has logged in to a second account;
an ID federation management unit that associates a first ID managed by the first account with a second ID managed by the second account;
a login management unit that requests the user to follow the same procedure as that for logging in to the second account when logging in to the first account after the first ID and the second ID are associated with each other;
A server device comprising:
[Appendix 13]
A server device that stores a first ID required for providing a first service to a user who has logged in to a first account, accumulates data related to the first service provided to the user, and communicates with a server,
Controlling data distribution of the stored data for the user who has logged in to the second account;
Correlating a first ID managed by the first account with a second ID managed by the second account;
A control method for a server device, wherein after the first ID and the second ID are associated with each other, when the user logs in to the first account, the user is requested to follow the same procedure as that for logging in to the second account.
[Appendix 14]
A computer installed in a server device stores a first ID required for providing a first service to a user who has logged in to a first account, accumulates data related to the first service provided to the user, and communicates with the server.
A process of controlling data distribution of the stored data for the user who has logged in to a second account;
A process of associating a first ID managed by the first account with a second ID managed by the second account;
a process of requesting the user to follow the same procedure as that for logging in to the second account when the user logs in to the first account after the first ID and the second ID are associated with each other;
A computer-readable storage medium that stores a program for executing the above.

The disclosures of the above cited prior art documents are incorporated herein by reference. Although the embodiments of the present invention have been described above, the present invention is not limited to these embodiments. Those skilled in the art will understand that these embodiments are merely illustrative and that various modifications are possible without departing from the scope and spirit of the present invention. In other words, the present invention naturally includes various modifications and amendments that a person skilled in the art can make in accordance with the entire disclosure, including the scope of the claims, and the technical ideas.

10 Portal server 20 Distribution control server 21 Management server 22 Control server 30 Service server 30-1 Service server 30-2 Service server 30-3 Service server 40 Terminal 50 Hospital terminal 101 First server device 102 Second server device 201 Communication control unit 202 Account generation control unit 203 Login control unit 204 ID linkage control unit 205 Storage unit 301 Communication control unit 302 Account management unit 303 Login management unit 304 ID linkage management unit 305 Location information management unit 306 Data distribution control unit 307 Storage unit 311 Processor 312 Memory 313 Input/output interface 314 Communication interface 401 Communication control unit 402 Customer management unit 403 Sharing request unit 404 Data accumulation unit 405 Data distribution unit 406 Storage unit 407 Collation unit 501 Communication control unit 502 ID linkage instruction processing unit 503 Storage unit

Claims (10)

a first server device that stores a first ID required for providing a first service to a user who has logged in to a first account and accumulates data related to the first service provided to the user;
a second server device that controls data distribution of the stored data for the user who has logged in to a second account;
Including,
The system further comprises: after a first ID managed in the first account and a second ID managed in the second account are associated with each other, when the user logs in to the first account, the second server device requests the user to follow the same procedure as that for logging in to the second account. a third server device that accepts a login request to the second account by the user and requests the second server device to authenticate the user;
The system according to claim 1 , wherein the second server device performs multi-factor authentication on the user and notifies the third server device of a result of the multi-factor authentication. The system according to claim 2, wherein the second server device stores at least biometric information for authenticating the user who logs into the second account. When the third server device accepts a procedure for ID federation regarding the first ID from the user, the third server device requests the second server device to issue a federation code;
The second server device generates the link code associated with the second account of the user, and transmits the generated link code to the third server device;
The system according to claim 3 , wherein the third server device notifies the user of the transmitted link code. The first server device acquires the federation code from a user who desires the ID federation, and transmits an ID federation request including the first ID and the acquired federation code to the second server device;
The second server device is
Identifying a user who desires to federate IDs from a federation code included in the ID federation request, and requesting the identified user to provide biometric information;
The system according to claim 4, further comprising: performing biometric authentication using the biometric information acquired in response to the request and the biometric information stored in the second account; and, if the biometric authentication is successful, associating the first ID with the second ID. a fourth server device that stores a third ID necessary for providing a second service to the user and data related to the second service to be provided to the user;
a terminal used by a staff member of a service provider providing the second service, the terminal storing the third ID and the user's personal identification information in association with each other;
Further comprising:
The system according to claim 2 , wherein the terminal executes a process related to linking the second ID and the third ID in response to an operation by the staff member. When the third server device accepts a procedure for ID federation regarding the third ID from the user, the third server device requests the second server device to transmit identity verification information of the user who desires the ID federation;
The second server device transmits, in response to the request, personal identification information and biometric information of the user who wishes to federate the ID to the fourth server device;
The terminal transmits a matching request including biometric information of the user who desires the ID federation to the fourth server device;
The fourth server device identifies a user who wishes to perform the ID federation using the biometric information acquired from the terminal and the biometric information acquired from the second server device, and transmits personal identification information of the identified user to the terminal;
The system according to claim 6 , wherein the terminal transmits, to the second server device, an ID federation request including the third ID corresponding to the personal identification information acquired from the fourth server device. a communication control unit that stores a first ID required for providing a first service to a user who has logged in to a first account, accumulates data related to the first service provided to the user, and communicates with a server;
a data distribution control unit that controls data distribution of the stored data for the user who has logged in to a second account;
an ID federation management unit that associates a first ID managed by the first account with a second ID managed by the second account;
a login management unit that requests the user to follow the same procedure as that for logging in to the second account when logging in to the first account after the first ID and the second ID are associated with each other;
A server device comprising: A server device that stores a first ID required for providing a first service to a user who has logged in to a first account, accumulates data related to the first service provided to the user, and communicates with a server,
Controlling data distribution of the stored data for the user who has logged in to the second account;
Correlating a first ID managed by the first account with a second ID managed by the second account;
A control method for a server device, wherein after the first ID and the second ID are associated with each other, when the user logs in to the first account, the user is requested to follow the same procedure as that for logging in to the second account. A computer installed in a server device stores a first ID required for providing a first service to a user who has logged in to a first account, accumulates data related to the first service provided to the user, and communicates with the server.
A process of controlling data distribution of the stored data for the user who has logged in to a second account;
A process of associating a first ID managed by the first account with a second ID managed by the second account;
a process of requesting the user to follow the same procedure as that for logging in to the second account when the user logs in to the first account after the first ID and the second ID are associated with each other;
A program for executing .

Images