Versions Compared

Old Version 43

changes.mady.by.user Pieter Nijs

Saved on

compared with

New Version 44

changes.mady.by.user Denise Hoppenbrouwer (Unlicensed)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

In use case 3, a service is provided by the Service Provider to the Human Service Consumer. Identity info is held at the Identity Provider.

...



Delegation info PIP
No delegationService ProviderEntitled PartyAuthorisation Authorization Reg

Auth info PIP

Service Provider3. H2M service provision with identity info at the IP3a3b3c

Entitled Party

3.13a.13b.13c.1
Authorisation Reg3.23a.23b.23c.2
Identity Provider*3.33a.33b.33c.3

*The Identity Provider cannot hold explicit authorisation authorization info, but it can hold info about a Human Service Consumer's identity that implies authorisation authorization - i.e. 'working for truck company X'

...

Note that an Identity Broker is introduced to broker the relation between the Service Provider and the Identity Provider(s) and/or the Service Provider and the Authorisation Authorization Registry(s). This is optional and useful in situations with several Identity Providers and/or Authorisation Authorization Registries. 

Depiction 

 Legal relations

...

  • The Service Provider has and manages its own authorisation authorization information indicating what Entitled Parties are entitled to what (parts of) services*;
  • The Service Consumer has and manages its own authorisation authorization information indicating which Human Service Consumers are authorised authorized to act on its behalf**;
  • The delegation/authorisation authorization responsible at the the Service Consumer registers the authorisation authorization information at the Service Provider;
  • The Human Service Consumer is able to authenticate the Service Provider;
  • The Service Provider is able to authenticate the Human Service Consumer;
  • The Identity Provider is able to authenticate the Service Provider;
  • The Service Provider is able to authenticate the Identity Provider;
  • The Identity Broker is able to authenticate the Service Provider;
  • The Service Provider is able to authenticate the Identity Broker;
  • The Human Service Consumer has been issued identity credentials by the Identity Provider.
     

  • In this use case the Entitled Party is also the Service Consumer.

...

  1. The Human Service Consumer requests a service from the Service Provider;
  2. The Service Provider requests a login from the Identity Broker;
  3. The Identity Broker asks the Human Service Consumer to select his Identity Provider;
  4. The Identity Broker requests a login from the Identity Provider;
  5. The Identity Provider authenticates the Human Service Consumer;
  6. The Identity Provider issues an identity assertion for the Service Provider to the Identity Broker;
  7. The Identity Broker forwards the identity assertion to the Service Provider;
  8. The Service Provider validates the identity assertion through the following steps:
    1. The Service Provider authenticates the Identity Broker and validates its iSHARE certification;
    2. The Service Provider authenticates the Identity Provider and validates its iSHARE certification.
  9. The Service Provider authenticates the Human Service Consumer based on the validity of the identity assertion, and validates the iSHARE adherence of the Service Consumer;
  10. The Service Provider authorises authorizes the Human Service Consumer of the Service Consumer based on the authorisation authorization information registered with the Service Provider;
  11. The Service Provider executes the requested service;
  12. The Service Provider provides the service result to the Human Service Consumer.

...

  • The Service Provider has and manages its own entitlement information indicating what Entitled Parties are entitled to what (parts of) services*;
  • The Service Consumer has and manages its own authorisation authorization information indicating which Human Service Consumers are authorised authorized to act on its behalf**;
  • The Service Consumer registers the authorisation authorization information at the Service Provider;
  • The Human Service Consumer is able to authenticate the Service Provider;
  • The Service Provider is able to authenticate the Human Service Consumer;
  • The Identity Provider is able to authenticate the Service Provider;
  • The Service Provider is able to authenticate the Identity Provider;
  • The Human Service Consumer has been issued identity credentials by the Identity Provider.
     

  • In this use case the Entitled Party is also the Service Consumer.

...

  1. The Human Service Consumer requests a service from the Service Provider;
  2. The Service Provider requests a login from the Identity Provider;
  3. The Identity Provider authenticates the Human Service Consumer;
  4. The Identity Provider issues an identity assertion to the Service Provider;
  5. The Service Provider validates the identity assertion through the following steps:
    1. The Service Provider authenticates the Identity Provider and validates its iSHARE certification.
  6. The Service Provider authenticates the Human Service Consumer based on the validity of the identity assertion, and validates the iSHARE adherence of the Service Consumer;
  7. The Service Provider authorises authorizes the Human Service Consumer of the Service Consumer based on the entitlement information registered with the Service Provider;
  8. The Service Provider executes the requested service;
  9. The Service Provider provides the service result to the Human Service Consumer.

...