...
Note that an Identity Broker can be introduced to broker the relation between the Service Provider and both the Authorisation Registry and the Identity Provider; this is optional and useful in situations with several Authorisation Registries and (especially) several Identity Providers. This use case would look as follows with an Identity Broker:
Depiction with Identity Broker
Description with Identity Broker
It is a prerequisite of this use case that:
...
- The Human Service Consumer requests a service from the Service Provider
- The Service Provider requests a login from the Identity Broker
- The Identity Broker asks the Human Service Consumer to select his Identity Provider
- The Identity Broker requests a login from the Identity Provider
- The Identity Provider authenticates the Human Service Consumer
- The Identity Provider issues an identity assertion for the Service Provider to the Identity Broker
- The Identity Broker forwards the identity assertion to the Service Provider
- The Service Provider validates the identity assertion through the following steps:
  - The Service Provider authenticates the Identity Broker and validates it as an iSHARE certified party
  - The Service Provider authenticates the Identity Provider and validates it as an iSHARE certified party
  - The Service Provider authenticates the Human Service Consumer based on the validity of the identity assertion
- The Service Provider authorises the Human Service Consumer based on the authorisation information registered with the Service Provider
- The Service Provider executes the requested service
- The Service Provider provides the service result to the Service Consumer
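The validation chain above, modelled as an added example (not iSHARE's own code): the Identity Provider issues an assertion addressed to the Service Provider, the Identity Broker merely forwards it, and the Service Provider checks broker, Identity Provider, assertion and its own authorisation table in the order listed. The party names, keys, certified-party registry and authorisation table are constructed; authentication of the broker is simplified to a registry lookup, and the assertion is an HMAC-signed JSON token rather than a real iSHARE JWT.

```python
import base64, hashlib, hmac, json, time

# Constructed registry of iSHARE-certified parties and their keys (stand-in
# for the certificate checks a real Service Provider would perform).
CERTIFIED_PARTIES = {
    "idp.example":    b"idp-secret",
    "broker.example": b"broker-secret",
    "sp.example":     b"sp-secret",
}
# Constructed authorisation information registered with the Service Provider.
SP_AUTHORISATIONS = {"alice": {"read_shipment"}}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def issue_assertion(idp: str, subject: str, audience: str, ttl: int = 300) -> str:
    """Identity Provider step: sign an assertion addressed to one Service Provider."""
    claims = {"iss": idp, "sub": subject, "aud": audience, "exp": int(time.time()) + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(CERTIFIED_PARTIES[idp], body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(sig)

def validate_login(sp: str, broker: str, assertion: str, service: str, now=None):
    """Service Provider steps: certified broker, certified IdP, valid assertion
    for this SP, then authorisation from the SP's own table. Returns (ok, detail)."""
    now = int(time.time()) if now is None else now
    if broker not in CERTIFIED_PARTIES:
        return False, "broker not certified"
    body, _, sig = assertion.partition(".")
    try:
        raw = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
        claims = json.loads(raw)
    except (ValueError, TypeError):
        claims = None
    if not isinstance(claims, dict):
        return False, "malformed assertion"
    idp = claims.get("iss")
    if idp not in CERTIFIED_PARTIES:
        return False, "identity provider not certified"
    expected = hmac.new(CERTIFIED_PARTIES[idp], body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64(expected), sig):
        return False, "bad signature"  # not issued by the claimed Identity Provider
    if claims.get("aud") != sp:
        return False, "assertion not addressed to this service provider"
    if claims.get("exp", 0) <= now:
        return False, "assertion expired"
    if service not in SP_AUTHORISATIONS.get(claims.get("sub"), set()):
        return False, "consumer not authorised for service"
    return True, claims["sub"]
```

Note that the broker's forwarding adds nothing to the trust decision: the signature binds the assertion to the Identity Provider and the audience binds it to this Service Provider, so a certified but compromised broker cannot mint or redirect logins.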
Practical examples with Identity Broker
All Functional working group members are invited to add practical examples of this use case in the comment section.
Sequence diagram with Identity Broker