In use case 3, a service is provided by the Service Provider to the Human Service Consumer. Identity info is held at the Identity Provider.

Roles

The variant of use case 3 is determined by where the authorization information and the delegation information are held (the Policy Information Point, PIP, for each):

Auth info PIP       | Delegation info PIP
                    | No delegation | Service Provider | Entitled Party | Authorization Reg
--------------------+---------------+------------------+----------------+------------------
Service Provider    | 3             | 3a               | 3b             | 3c
Entitled Party      | 3.1           | 3a.1             | 3b.1           | 3c.1
Authorization Reg   | 3.2           | 3a.2             | 3b.2           | 3c.2
Identity Provider*  | 3.3           | 3a.3             | 3b.3           | 3c.3

*The Identity Provider cannot hold explicit authorization info, but it can hold info about a Human Service Consumer's identity that implies authorization - i.e. 'working for truck company X'

As no delegation takes place, the legal entity fulfilling the Entitled Party role also fulfils the Service Consumer role.

Note that an Identity Broker can be introduced to broker the relation between the Service Provider and the Identity Provider(s) and/or between the Service Provider and the Authorization Registry(s). The Identity Broker is optional; it is useful in situations with several Identity Providers and/or Authorization Registries.

Depiction without Identity Broker

Legal relations
[figure]

Prerequisite registration
[figure]

Use case interaction
[figure]

Description without Identity Broker

It is a prerequisite of this use case that:

  • The Service Provider has and manages its own entitlement information indicating what Entitled Parties are entitled to what (parts of) services*;
  • The Service Consumer has and manages its own authorization information indicating which Human Service Consumers are authorized to act on its behalf**;
  • The delegation/authorization responsible at the Service Consumer registers the authorization information at the Identity Provider;
  • The Human Service Consumer is able to authenticate the Service Provider;
  • The Service Provider is able to authenticate the Human Service Consumer;
  • The Identity Provider is able to authenticate the Service Provider;
  • The Service Provider is able to authenticate the Identity Provider;
  • The Human Service Consumer has been issued identity credentials by the Identity Provider;
  • In this use case the Entitled Party is also the Service Consumer.

*The Service Provider can outsource this function to a third party.

**The Service Consumer can outsource this function to a third party.


The use case consists of the following steps:

  1. The Human Service Consumer requests a service from the Service Provider;
  2. The Service Provider requests a login from the Identity Provider;
  3. The Identity Provider authenticates the Human Service Consumer;
  4. The Identity Provider issues an identity assertion and an authorization assertion for the Service Provider;
  5. The Service Provider validates the identity assertion and the authorization assertion through the following step:
    1. The Service Provider authenticates the Identity Provider and validates its iSHARE certification.
  6. The Service Provider authenticates the Human Service Consumer based on the validity of the identity assertion, and validates the iSHARE adherence of the Service Consumer;
  7. The Service Provider authorizes the Human Service Consumer of the Service Consumer based on the authorization assertion and the entitlement information registered with the Service Provider;
  8. The Service Provider executes the requested service;
  9. The Service Provider provides the service result to the Human Service Consumer.

Sequence diagram without Identity Broker

[figure]


This use case would look as follows with an Identity Broker:

Depiction with Identity Broker

Legal relations
[figure]

Prerequisite registration
[figure]

Use case interaction
[figure]

Description with Identity Broker

It is a prerequisite of this use case that:

  • The Service Provider has and manages its own entitlement information indicating what Entitled Parties are entitled to what (parts of) services*;
  • The Service Consumer has and manages its own authorization information indicating which Human Service Consumers are authorized to act on its behalf**;
  • The delegation/authorization responsible at the Service Consumer registers the authorization information at the Identity Provider;
  • The Human Service Consumer is able to authenticate the Service Provider;
  • The Service Provider is able to authenticate the Human Service Consumer;
  • The Identity Provider is able to authenticate the Service Provider;
  • The Service Provider is able to authenticate the Identity Provider;
  • The Identity Broker is able to authenticate the Service Provider;
  • The Service Provider is able to authenticate the Identity Broker;
  • The Human Service Consumer has been issued identity credentials by the Identity Provider;
  • In this use case the Entitled Party is also the Service Consumer.

*The Service Provider can outsource this function to a third party.

**The Service Consumer can outsource this function to a third party.


The use case consists of the following steps:

  1. The Human Service Consumer requests a service from the Service Provider;
  2. The Service Provider requests a login from the Identity Broker;
  3. The Identity Broker asks the Human Service Consumer to select his Identity Provider;
  4. The Identity Broker requests a login from the Identity Provider;
  5. The Identity Provider authenticates the Human Service Consumer;
  6. The Identity Provider issues an identity assertion and authorization assertion for the Service Provider to the Identity Broker;
  7. The Identity Broker forwards the identity assertion to the Service Provider;
  8. The Service Provider validates the identity assertion and the authorization assertion through the following steps:
    1. The Service Provider authenticates the Identity Broker and validates its iSHARE certification;
    2. The Service Provider authenticates the Identity Provider and validates its iSHARE certification.
  9. The Service Provider authenticates the Human Service Consumer based on the validity of the identity assertion, and validates the iSHARE adherence of the Service Consumer;
  10. The Service Provider authorizes the Human Service Consumer of the Service Consumer based on the authorization assertion and the entitlement information registered with the Service Provider;
  11. The Service Provider executes the requested service;
  12. The Service Provider provides the service result to the Human Service Consumer.
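The Service Provider's side of both flows (with and without an Identity Broker) comes down to the same checks: authenticate the Identity Broker and the Identity Provider and validate their iSHARE certification, accept the Human Service Consumer only on a valid identity assertion addressed to this Service Provider, check the Service Consumer's iSHARE adherence, and then combine the authorization assertion with the entitlement information the Service Provider holds itself. The following Python is an added example written for this page, not iSHARE's own software or specification. It assumes a small constructed participant registry (PARTICIPANTS) standing in for the iSHARE certification and adherence checks, HMAC-signed assertions in place of the certificate-based signatures real parties use (an assumption so it runs offline with the standard library), and constructed party and service names (IDP-EXAMPLE, IDP-ROGUE, BROKER-EXAMPLE, TRUCKCO, SP-EXAMPLE, container-status).

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in for the iSHARE participant registry: which party holds
# which role, whether it is certified/adherent, and (an assumption for this
# offline example) the HMAC key it signs with. The registry lookup is what the
# "validates its iSHARE certification" step needs.
PARTICIPANTS = {
    "IDP-EXAMPLE":    {"role": "IdentityProvider", "certified": True,  "key": b"idp-secret"},
    "IDP-ROGUE":      {"role": "IdentityProvider", "certified": False, "key": b"rogue-secret"},
    "BROKER-EXAMPLE": {"role": "IdentityBroker",   "certified": True,  "key": b"broker-secret"},
    "TRUCKCO":        {"role": "ServiceConsumer",  "adherent": True},
}
SERVICE_PROVIDER = "SP-EXAMPLE"

# Entitlement information the Service Provider manages itself (prerequisite *):
# which Entitled Party may use which (part of a) service. In this use case the
# Entitled Party is also the Service Consumer. Constructed sample data.
ENTITLEMENTS = {"TRUCKCO": {"container-status"}}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _decode(body: str) -> dict:
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))


def sign(claims: dict, key: bytes) -> str:
    """Mint a compact signed assertion: base64url(JSON) '.' hex(HMAC-SHA256)."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return body + "." + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def authenticate_party(token: str, expected_role: str) -> dict:
    """Authenticate the signer and validate its iSHARE certification. The issuer
    is read from the unverified body only to select the key to verify with."""
    body, sig = token.rsplit(".", 1)
    claims = _decode(body)
    party = PARTICIPANTS.get(claims.get("iss"))
    if party is None or party.get("role") != expected_role or not party.get("certified"):
        raise PermissionError(f"{claims.get('iss')} is not a certified {expected_role}")
    expected = hmac.new(party["key"], body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise PermissionError(f"signature of {claims['iss']} does not verify")
    return claims


def idp_issue(idp: str, human: str, service_consumer: str, now: int) -> dict:
    """The Identity Provider issues an identity assertion and an authorization
    assertion for the Service Provider. The authorization assertion carries
    identity info that implies authorization: the human may act for the consumer."""
    key = PARTICIPANTS[idp]["key"]
    common = {"iss": idp, "sub": human, "aud": SERVICE_PROVIDER, "exp": now + 300}
    return {"identity": sign(common, key),
            "authorization": sign({**common, "acting_for": service_consumer}, key)}


def broker_forward(broker: str, assertions: dict) -> str:
    """The Identity Broker forwards both assertions inside its own signed envelope."""
    return sign({"iss": broker, "assertions": assertions}, PARTICIPANTS[broker]["key"])


def service_provider_decide(message, requested_service: str, now: int) -> dict:
    """Validation and authorization at the Service Provider. `message` is the
    broker envelope (str) in the flow with an Identity Broker, or the assertion
    dict straight from the Identity Provider in the flow without one."""
    denied = {"authenticated": False, "authorized": False}
    try:
        assertions = (authenticate_party(message, "IdentityBroker")["assertions"]
                      if isinstance(message, str) else message)
        identity = authenticate_party(assertions["identity"], "IdentityProvider")
        authz = authenticate_party(assertions["authorization"], "IdentityProvider")
    except (PermissionError, KeyError, ValueError) as exc:
        return {**denied, "reason": f"validation failed: {exc}"}
    # Accept the human only on a valid, unexpired assertion meant for this
    # Service Provider, then check that the Service Consumer adheres to iSHARE.
    if identity["aud"] != SERVICE_PROVIDER or identity["exp"] <= now:
        return {**denied, "reason": "identity assertion not valid for this Service Provider"}
    if (identity["iss"], identity["sub"]) != (authz["iss"], authz["sub"]):
        return {**denied, "reason": "identity and authorization assertions do not match"}
    consumer = authz.get("acting_for")
    if not PARTICIPANTS.get(consumer, {}).get("adherent"):
        return {**denied, "authenticated": True, "reason": f"{consumer} does not adhere to iSHARE"}
    # Combine the authorization assertion (human may act for the consumer) with
    # the entitlement information registered at the Service Provider.
    if requested_service not in ENTITLEMENTS.get(consumer, set()):
        return {**denied, "authenticated": True,
                "reason": f"{consumer} is not entitled to {requested_service}"}
    return {"authenticated": True, "authorized": True,
            "reason": f"{identity['sub']} may use {requested_service} on behalf of {consumer}"}


if __name__ == "__main__":
    now = int(time.time())
    assertions = idp_issue("IDP-EXAMPLE", "alice", "TRUCKCO", now)
    print(service_provider_decide(broker_forward("BROKER-EXAMPLE", assertions), "container-status", now))
    print(service_provider_decide(assertions, "container-status", now))
    print(service_provider_decide(idp_issue("IDP-ROGUE", "mallory", "TRUCKCO", now), "container-status", now))
```

The order of checks matters: the broker envelope and the assertions are authenticated against the registry before any claim inside them is trusted, an uncertified Identity Provider is rejected even if its signature verifies, and an authenticated human is still refused when the Service Consumer is not adherent or the Entitled Party holds no entitlement for the requested service. The same decision function serves both flows because the Identity Broker only adds an outer authentication step; it does not change what the Identity Provider asserts.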

Sequence diagram with Identity Broker

[figure]