In use case 3, a service is provided by the Service Provider to the Human Service Consumer. Identity info is held at the Identity Provider.
Roles
Auth info PIP \ Delegation info PIP | No delegation | Service Provider | Entitled Party | Authorization Registry
Service Provider | 3. | 3a | 3b | 3c
Entitled Party | 3.1 | 3a.1 | 3b.1 | 3c.1
 | 3.2 | 3a.2 | 3b.2 | 3c.2
Identity Provider | *3.3 | 3a.3 | 3b.3 | 3c.3
*The Identity Provider cannot hold explicit authorization info, but it can hold info about a Human Service Consumer's identity that implies authorization - i.e. 'working for truck company X'
As no delegation takes place, the legal entity fulfilling the Entitled Party-role also fulfils the Service Consumer-role.
Note that an Identity Broker can be introduced to broker the relation between the Service Provider and the Identity Provider(s) and/or between the Service Provider and the Authorization Registry(s). This is optional and useful in situations with several Identity Providers and/or Authorization Registries.
Depiction without Identity Broker
(Figures not reproduced: Legal view; Prerequisite registration; Use case interaction)
Description without Identity Broker
It is a prerequisite of this use case that:
- The Service Provider has and manages its own entitlement information indicating what Entitled Parties are entitled to what (parts of) services*;
- The Service Consumer has and manages its own authorization information indicating which Human Service Consumers are authorized to act on its behalf**;
- The delegation/authorization responsible at the Service Consumer registers the authorization information at the Identity Provider;
- The Human Service Consumer is able to authenticate the Service Provider;
- The Service Provider is able to authenticate the Human Service Consumer;
- The Identity Provider is able to authenticate the Service Provider;
- The Service Provider is able to authenticate the Identity Provider;
- The Identity Broker is able to authenticate the Service Provider;
- The Service Provider is able to authenticate the Identity Broker;
- The Human Service Consumer has been issued identity credentials by the Identity Provider.
In this use case the Entitled Party is also the Service Consumer.
*The Service Provider can outsource this function to a third party
**The Service Consumer can outsource this function to a third party
The use case consists of the following steps:
- The Human Service Consumer requests a service from the Service Provider;
- The Service Provider requests a login from the Identity Provider;
- The Identity Provider authenticates the Human Service Consumer;
- The Identity Provider issues an identity assertion and authorization assertion to the Service Provider;
- The Service Provider validates the identity assertion and authorization assertion through the following steps:
  - The Service Provider authenticates the Identity Provider and validates its iSHARE certification;
  - The Service Provider authenticates the Human Service Consumer based on the validity of the identity assertion, and validates the iSHARE adherence of the Service Consumer;
  - The Service Provider authorizes the Human Service Consumer of the Service Consumer based on the authorization assertion and the entitlement information registered with the Service Provider;
- The Service Provider executes the requested service;
- The Service Provider provides the service result to the Human Service Consumer.
Sequence diagram without Identity Broker
This use case would look as follows without an Identity Broker:
(Sequence diagram not reproduced)
Depiction with Identity Broker
(Figures not reproduced: Legal relations; Prerequisite registration; Use case interaction)
Description with Identity Broker
It is a prerequisite of this use case that:
- The Service Provider has and manages its own entitlement information indicating what Entitled Parties are entitled to what (parts of) services*;
- The Service Consumer has and manages its own authorization information indicating which Human Service Consumers are authorized to act on its behalf**;
- The delegation/authorization responsible at the Service Consumer registers the authorization information at the Identity Provider;
- The Human Service Consumer is able to authenticate the Service Provider;
- The Service Provider is able to authenticate the Human Service Consumer;
- The Identity Provider is able to authenticate the Service Provider;
- The Service Provider is able to authenticate the Identity Provider;
- The Identity Broker is able to authenticate the Service Provider;
- The Service Provider is able to authenticate the Identity Broker;
- The Human Service Consumer has been issued identity credentials by the Identity Provider.
In this use case the Entitled Party is also the Service Consumer.
*The Service Provider can outsource this function to a third party
**The Service Consumer can outsource this function to a third party
The use case consists of the following steps:
- The Human Service Consumer requests a service from the Service Provider;
- The Service Provider requests a login from the Identity Broker;
- The Identity Broker asks the Human Service Consumer to select his Identity Provider;
- The Identity Broker requests a login from the Identity Provider;
- The Identity Provider authenticates the Human Service Consumer;
- The Identity Provider issues an identity assertion and authorization assertion for the Service Provider to the Identity Broker;
- The Identity Broker forwards the identity assertion and authorization assertion to the Service Provider;
- The Service Provider validates the identity assertion and authorization assertion through the following steps:
  - The Service Provider authenticates the Identity Broker and validates its iSHARE certification;
  - The Service Provider authenticates the Identity Provider and validates its iSHARE certification;
  - The Service Provider authenticates the Human Service Consumer based on the validity of the identity assertion, and validates the iSHARE adherence of the Service Consumer;
  - The Service Provider authorizes the Human Service Consumer of the Service Consumer based on the authorization assertion and the entitlement information registered with the Service Provider;
- The Service Provider executes the requested service;
- The Service Provider provides the service result to the Human Service Consumer.
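The Service Provider's validation chain in the step lists above (both the variant without and the variant with an Identity Broker) is the security-critical part of this use case: every hop is authenticated and checked for certification before the assertions it carries are trusted, and authorization needs both the Identity Provider's authorization assertion and the Service Provider's own entitlement information. The following Python model is an added illustration, not iSHARE's or any project's code: the party ids, the HMAC-signed JSON objects standing in for certificate-signed assertions, the `CERTIFIED_PARTIES`, `ADHERING_SERVICE_CONSUMERS` and `ENTITLEMENTS` tables, and all sample values are constructed assumptions for the example.

```python
import hashlib
import hmac
import json

SP_ID = "service-provider-1"  # constructed id of the Service Provider doing the checks

# Constructed trust anchors: parties whose iSHARE certification this Service
# Provider accepts. A shared secret stands in for each party's certificate
# (assumption for the example, not how the scheme actually signs assertions).
CERTIFIED_PARTIES = {
    "broker-1": {"role": "IdentityBroker", "key": b"broker-secret"},
    "idp-1": {"role": "IdentityProvider", "key": b"idp-secret"},
}
# Service Consumers (legal entities) whose iSHARE adherence the SP recognises (constructed).
ADHERING_SERVICE_CONSUMERS = {"truck-company-x"}
# Entitlement information held by the Service Provider: which Entitled Party
# (here also the Service Consumer) is entitled to which services (constructed).
ENTITLEMENTS = {"truck-company-x": {"slot-booking", "eta-lookup"}}


def _sign(payload, key):
    """Sign a JSON payload with the issuer's key (stand-in for a certificate signature)."""
    body = json.dumps(payload, sort_keys=True).encode()
    return {"payload": payload, "sig": hmac.new(key, body, hashlib.sha256).hexdigest()}


def _verify(signed, expected_issuer, expected_role):
    """Authenticate the issuer of a signed object and check it is certified for the role."""
    party = CERTIFIED_PARTIES.get(expected_issuer)
    if party is None or party["role"] != expected_role:
        return None  # issuer unknown, or not certified for this role
    if not isinstance(signed, dict) or not isinstance(signed.get("payload"), dict):
        return None
    payload = signed["payload"]
    if payload.get("iss") != expected_issuer:
        return None
    expected_sig = _sign(payload, party["key"])["sig"]
    if not hmac.compare_digest(expected_sig, str(signed.get("sig", ""))):
        return None  # signature does not verify: altered in transit or forged
    return payload


def issue_assertion(idp_id, human_id, service_consumer, authorized_services, exp):
    """Identity Provider step: identity assertion plus authorization assertion for the SP."""
    payload = {
        "iss": idp_id, "aud": SP_ID, "sub": human_id, "exp": exp,
        # authorization assertion: identity info that implies authorization
        "service_consumer": service_consumer,
        "authorized_services": sorted(authorized_services),
    }
    return _sign(payload, CERTIFIED_PARTIES[idp_id]["key"])


def broker_forward(broker_id, assertion):
    """Identity Broker step: forward the IdP assertion inside a broker-signed envelope."""
    envelope = {"iss": broker_id, "aud": SP_ID, "assertion": assertion}
    return _sign(envelope, CERTIFIED_PARTIES[broker_id]["key"])


def validate_request(envelope, broker_id, idp_id, requested_service, now):
    """Service Provider steps: authenticate the broker and the IdP, validate the
    assertions, then authorize the Human Service Consumer for the requested service.
    Returns (allowed, reason)."""
    env = _verify(envelope, broker_id, "IdentityBroker")
    if env is None or env.get("aud") != SP_ID:
        return False, "Identity Broker not authenticated or not certified"
    assertion = _verify(env.get("assertion"), idp_id, "IdentityProvider")
    if assertion is None:
        return False, "Identity Provider not authenticated or not certified"
    if assertion.get("aud") != SP_ID or assertion.get("exp", 0) <= now:
        return False, "identity assertion not valid for this Service Provider"
    consumer = assertion.get("service_consumer")
    if consumer not in ADHERING_SERVICE_CONSUMERS:
        return False, "Service Consumer is not iSHARE adhering"
    # Authorization needs both the IdP's authorization assertion and the SP's
    # own entitlement information to cover the requested service.
    if requested_service not in assertion.get("authorized_services", []):
        return False, "Human Service Consumer not authorized by the Service Consumer"
    if requested_service not in ENTITLEMENTS.get(consumer, set()):
        return False, "Service Consumer not entitled to this service"
    return True, f"{assertion['sub']} may use {requested_service} on behalf of {consumer}"


if __name__ == "__main__":
    a = issue_assertion("idp-1", "driver-42", "truck-company-x", {"slot-booking"}, exp=2000)
    print(validate_request(broker_forward("broker-1", a), "broker-1", "idp-1", "slot-booking", now=1000))
```

The order of checks mirrors the step list: a failure to authenticate the Identity Broker stops processing before the inner assertion is even parsed, and the entitlement check runs last so that a valid authorization assertion from the Service Consumer can never grant more than the Service Provider's own entitlement information allows.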
Sequence diagram
(Sequence diagram not reproduced)