In use case 3, a service is provided by the Service Provider to the Human Service Consumer. Identity info is held at the Identity Provider.
...
*The Identity Provider cannot hold explicit authorisation info, but it can hold info about a Human Service Consumer's identity that implies authorisation - i.e. 'working for truck company X'
As no delegation takes place, the legal entity fulfilling the Entitled Party-role also fulfils the Service Consumer-role.
Note that an Identity Broker is introduced to broker the relation between the Service Provider and the Identity Provider(s) and/or the Service Provider and the Authorisation Registry(s). This is optional and useful in situations with several Identity Providers and/or Authorisation Registries.
...
- The Service Provider has and manages its own authorisation information indicating what Entitled Parties are entitled to what (parts of) services*;
- The Service Consumer has and manages its own authorisation information indicating which Human Service Consumers are authorised to act on its behalf**;
- The delegation/authorisation responsible at the the Service Consumer registers the authorisation information at the Service Provider;
- The Human Service Consumer is able to authenticate the Service Provider;
- The Service Provider is able to authenticate the Human Service Consumer;
- The Identity Provider is able to authenticate the Service Provider;
- The Service Provider is able to authenticate the Identity Provider;
- The Identity Broker is able to authenticate the Service Provider;
- The Service Provider is able to authenticate the Identity Broker;
- The Human Service Consumer has been issued identity credentials by the Identity Provider.
In this use case the Entitled Party is also the Service Consumer.
...