...
As there is no delegation, the Entitled Party acts as Human Service Consumer.
Depiction
Description
It is a prerequisite of this use case that:
- The Service Provider has and manages its own entitlement information indicating what Entitled Parties are entitled to what (parts of) services*;
- The Entitled Party has and manages its own authorisation information indicating which Human Service Consumers are authorised to act on its behalf**;
- The Entitled Party registers the authorisation information at the Service Provider;
- The Human Service Consumer is able to authenticate the Service Provider;
- The Service Provider is able to authenticate the Human Service Consumer;
- The Identity Provider is able to authenticate the Service Provider;
- The Service Provider is able to authenticate the Identity Provider;
- The Human Service Consumer has been issued identity credentials by the Identity Provider.
- In this use case the Entitled Party acts as Human Service Consumer.
*The Service Provider can outsource this function to a third party
**The Entitled Party can outsource this function to a third party
...
- The Human Service Consumer requests a service from the Service Provider;
- The Service Provider requests a login from the Identity Provider;
- The Identity Provider authenticates the Human Service Consumer;
- The Identity Provider issues an identity assertion to the Service Provider;
- The Service Provider validates the identity assertion through the following steps:
  - The Service Provider authenticates the Identity Provider and validates it as an iSHARE certified party;
- The Service Provider authenticates the Human Service Consumer based on the validity of the identity assertion;
- The Service Provider authorises the Human Service Consumer based on the entitlement information registered with the Service Provider;
- The Service Provider executes the requested service;
- The Service Provider provides the service result to the Service Consumer.
Sequence diagram
Note that an Identity Broker can be introduced to broker the relation between the Service Provider and the Identity Provider(s) and/or the Service Provider and the Authorisation Registry(s). This is optional and useful in situations with several Identity Providers and/or Authorisation Registries. This use case would look as follows with an Identity Broker:
...
- The Service Provider has and manages its own authorisation information indicating what Entitled Parties are entitled to what (parts of) services*;
- The Entitled Party has and manages its own authorisation information indicating which Human Service Consumers are authorised to act on its behalf**;
- The Entitled Party registers the authorisation information at the Service Provider;
- The Human Service Consumer is able to authenticate the Service Provider;
- The Service Provider is able to authenticate the Human Service Consumer;
- The Identity Provider is able to authenticate the Service Provider;
- The Service Provider is able to authenticate the Identity Provider;
- The Identity Broker is able to authenticate the Service Provider;
- The Service Provider is able to authenticate the Identity Broker;
- The Human Service Consumer has been issued identity credentials by the Identity Provider.
- In this use case the Entitled Party acts as Human Service Consumer.
*The Service Provider can outsource this function to a third party
...
- The Human Service Consumer requests a service from the Service Provider;
- The Service Provider requests a login from the Identity Broker;
- The Identity Broker asks the Human Service Consumer to select his Identity Provider;
- The Identity Broker requests a login from the Identity Provider;
- The Identity Provider authenticates the Human Service Consumer;
- The Identity Provider issues an identity assertion for the Service Provider to the Identity Broker;
- The Identity Broker forwards the identity assertion to the Service Provider;
- The Service Provider validates the identity assertion through the following steps:
  - The Service Provider authenticates the Identity Broker and validates it as an iSHARE certified party;
  - The Service Provider authenticates the Identity Provider and validates it as an iSHARE certified party;
- The Service Provider authenticates the Human Service Consumer based on the validity of the identity assertion;
- The Service Provider authorises the Human Service Consumer based on the authorisation information registered with the Service Provider;
- The Service Provider executes the requested service;
- The Service Provider provides the service result to the Service Consumer.
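The Service Provider's side of both flows above (the direct variant and the variant with an Identity Broker), as an added Python example that is not part of the iSHARE documentation. It assumes an HMAC key per party as a stand-in for the party's real signing credential, a constructed certified-party registry, constructed entitlement information and the party identifiers `idp.example`, `broker.example` and `sp.example`. The validation order follows the steps listed above: authenticate the Identity Broker (if any) and the Identity Provider as certified parties, verify the assertion itself, then authorise against the registered entitlement information.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in for the iSHARE certified-party registry: party id -> signing key.
# Real parties hold certificates; one HMAC key per party is an assumption of this example.
CERTIFIED_PARTIES = {
    "idp.example": b"idp-secret-key",
    "broker.example": b"broker-secret-key",
}

# Constructed entitlement information managed by the Service Provider:
# Entitled Party -> the (parts of) services it is entitled to.
ENTITLEMENTS = {
    "entitled-party-A": {"shipment-status"},
}

SERVICE_PROVIDER_ID = "sp.example"  # assumed identifier of this Service Provider


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_identity_assertion(issuer, subject, audience, key, now, ttl=300):
    """Identity Provider step: sign an assertion addressed to the Service Provider (audience)."""
    claims = {"iss": issuer, "sub": subject, "aud": audience, "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def validate_identity_assertion(token, now, broker=None):
    """Service Provider step 'validates the identity assertion'.

    Authenticates the Identity Broker (when one forwarded the assertion) and the issuing
    Identity Provider as certified parties, verifies the signature, then checks that the
    assertion was issued for this Service Provider and has not expired.
    Returns the authenticated Human Service Consumer id, or raises ValueError.
    """
    if broker is not None and broker not in CERTIFIED_PARTIES:
        raise ValueError(f"Identity Broker {broker!r} is not a certified party")
    try:
        body, sig = token.split(".")
        claims = json.loads(_unb64(body))
    except ValueError:  # covers bad split, bad base64 and bad JSON
        raise ValueError("malformed identity assertion")
    if not isinstance(claims, dict):
        raise ValueError("malformed identity assertion")
    issuer = claims.get("iss")
    key = CERTIFIED_PARTIES.get(issuer)
    if key is None:
        raise ValueError(f"Identity Provider {issuer!r} is not a certified party")
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("identity assertion signature is invalid")
    if claims.get("aud") != SERVICE_PROVIDER_ID:
        raise ValueError("identity assertion was not issued for this Service Provider")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("identity assertion has expired")
    return claims["sub"]


def authorise(consumer, service):
    """Service Provider step: check the entitlement information registered with it.
    The Entitled Party acts as Human Service Consumer here, so the consumer id is the
    Entitled Party id."""
    return service in ENTITLEMENTS.get(consumer, set())


def handle_service_request(token, service, now, broker=None):
    """Service Provider handling of a request, for the direct and the brokered variant.
    'broker' is the party that forwarded the assertion, or None in the direct flow."""
    try:
        consumer = validate_identity_assertion(token, now, broker=broker)
    except ValueError as err:
        return {"status": "authentication_failed", "reason": str(err)}
    if not authorise(consumer, service):
        return {"status": "forbidden", "consumer": consumer}
    return {"status": "ok", "consumer": consumer, "result": f"{service} for {consumer}"}


if __name__ == "__main__":
    now = int(time.time())
    token = issue_identity_assertion("idp.example", "entitled-party-A", SERVICE_PROVIDER_ID,
                                     CERTIFIED_PARTIES["idp.example"], now)
    print(handle_service_request(token, "shipment-status", now))                    # direct flow
    print(handle_service_request(token, "shipment-status", now, broker="broker.example"))
    print(handle_service_request(token, "shipment-status", now, broker="rogue.example"))
```

The audience check is what keeps the brokered variant honest: the Identity Provider issues the assertion "for the Service Provider", so the Service Provider must verify that the forwarded assertion names it, not the broker, as the intended recipient.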
Practical examples with Identity Broker
...
Sequence diagram with Identity Broker
...