In use case 3, a service is provided by the Service Provider to the Human Service Consumer. Identity info is held at the Identity Provider.
Roles
...
Auth info PIP
...
Entitled Party
...
*The Identity Provider cannot hold explicit authorization info, but it can hold info about a Human Service Consumer's identity that implies authorization - i.e. 'working for truck company X'
As no delegation takes place, the legal entity fulfilling the Entitled Party-role also fulfils the Service Consumer-role.
Note that an Identity Broker is introduced to broker the relation between the Service Provider and the Identity Provider(s) and/or the Service Provider and the Authorization Registry(s). This is optional and useful in situations with several Identity Providers and/or Authorization Registries.
Depiction
Legal relations
Prerequisite registration
Use case interaction
Description
It is prerequisite of this use case that:
- The Service Provider has and manages its own authorization information indicating what Entitled Parties are entitled to what (parts of) services*;
- The Service Consumer has and manages its own authorization information indicating which Human Service Consumers are authorized to act on its behalf**;
- The delegation/authorization responsible at the the Service Consumer registers the authorization information at the Service Provider;
- The Human Service Consumer is able to authenticate the Service Provider;
- The Service Provider is able to authenticate the Human Service Consumer;
- The Identity Provider is able to authenticate the Service Provider;
- The Service Provider is able to authenticate the Identity Provider;
- The Identity Broker is able to authenticate the Service Provider;
- The Service Provider is able to authenticate the Identity Broker;
- The Human Service Consumer has been issued identity credentials by the Identity Provider.
In this use case the Entitled Party is also the Service Consumer.
*The Service Provider can outsource this function to a third party
**The Entitled Party can outsource this function to a third party
The use case consists of the following steps:
- The Human Service Consumer requests a service from the Service Provider;
- The Service Provider requests a login from the Identity Broker;
- The Identity Broker asks the Human Service Consumer to select his Identity Provider;
- The Identity Broker requests a login from the Identity Provider;
- The Identity Provider authenticates the Human Service Consumer;
- The Identity Provider issues an identity assertion for the Service Provider to the Identity Broker;
- The Identity Broker forwards the identity assertion to the Service Provider;
- The Service Provider validates the identity assertion through the following steps:
- The Service Provider authenticates the Identity Broker and validates its iSHARE certification;
- The Service Provider authenticates the Identity Provider and validates its iSHARE certification.
- The Service Provider authenticates the Human Service Consumer based on the validity of the identity assertion, and validates the iSHARE adherence of the Service Consumer;
- The Service Provider authorizes the Human Service Consumer of the Service Consumer based on the authorization information registered with the Service Provider;
- The Service Provider executes the requested service;
- The Service Provider provides the service result to the Human Service Consumer.
Sequence diagram
This use case would look as follows without an Identity Broker:
Depiction without Identity Broker
Legal view
Prerequisite registration
Interaction
Description without Identity Broker
It is prerequisite of this use case that:
- The Service Provider has and manages its own entitlement information indicating what Entitled Parties are entitled to what (parts of) services*;
- The Service Consumer has and manages its own authorization information indicating which Human Service Consumers are authorized to act on its behalf**;
- The Service Consumer registers the authorization information at the Service Provider;
- The Human Service Consumer is able to authenticate the Service Provider;
- The Service Provider is able to authenticate the Human Service Consumer;
- The Identity Provider is able to authenticate the Service Provider;
- The Service Provider is able to authenticate the Identity Provider;
- The Human Service Consumer has been issued identity credentials by the Identity Provider.
In this use case the Entitled Party is also the Service Consumer.
*The Service Provider can outsource this function to a third party
**The Service Consumer can outsource this function to a third party
The use case consists of the following steps:
- The Human Service Consumer requests a service from the Service Provider;
- The Service Provider requests a login from the Identity Provider;
- The Identity Provider authenticates the Human Service Consumer;
- The Identity Provider issues an identity assertion to the Service Provider;
- The Service Provider validates the identity assertion through the following steps:
- The Service Provider authenticates the Identity Provider and validates its iSHARE certification.
- The Service Provider authenticates the Human Service Consumer based on the validity of the identity assertion, and validates the iSHARE adherence of the Service Consumer;
- The Service Provider authorizes the Human Service Consumer of the Service Consumer based on the entitlement information registered with the Service Provider;
- The Service Provider executes the requested service;
- The Service Provider provides the service result to the Human Service Consumer.
Sequence diagram without Identity Broker
...
| Note | ||
|---|---|---|
| ||
This content has been moved. Please find the content here. |