Versions Compared

...

  • iSHARE adherence is REQUIRED.

      Certified roles

      In line with guiding principle 3, iSHARE utilises the Afsprakenstelsel elektronische toegangsdiensten as a building block for certifying Identity Providers, Identity Brokers, and Authorization Registries. Therefore, to become an iSHARE certified party, a legal entity MUST first be admitted to the Afsprakenstelsel elektronische toegangsdiensten in the relevant role. The relevant roles include:

        • Note: as it is the responsibility of the Service Provider to determine the Entitled Party, the Service Provider can choose to provide services where the Entitled Party is not admitted to iSHARE. In this event, the responsibilities of the Entitled Party are shifted to the Service Provider in question. This is particularly useful for Service Providers who have existing (smaller) customers who do not have their own systems, or who are only an Entitled Party for services at a single Service Provider.


      ...

      Certified roles

      Please refer to the detailed Operation descriptions for what (other) criteria need to be met to be admitted to the iSHARE network.

      ...

      • Provides identifiers for humans;
      • Issues and manages credentials (e.g. a password or electronic keycard) to humans;
      • Receives authentication requests from Service Providers;
      • Provides an online interface to authenticate humans based on their credentials;
      • Can hold information on authorisations of humans representing a Service Consumer;
        i.e. information indicating which humans are authorised to act on a Service Consumer's behalf;
      • Can, after successful identification and authentication, on the basis of this information, identify and authenticate humans for Service Providers and determine whether the human representing a legal entity is authorised to take delivery of a service;
      • Can confirm whether this is the case, and provide the identity, authentication and authorisation information, to the Service Provider.

      ...

      The functional requirements applicable to Identity Providers are as follows:

      ...

      • The Identity Provider MUST have a clear agreement with the authorising entity concerning the process of allowing the registering, updating or removing of an authorisation;
      • The Identity Provider MUST prevent that a revoked authorisation is processed as a valid authorisation;
      • The Identity Provider MUST ensure that the identification and authentication process conforms to the Level of Assurance requested by the Service Provider;
      • The Identity Provider MUST conform to the service levels for Certified Parties as described here;
      • The Identity Provider MUST NOT claim accordance with a Level of Assurance for which it has not been certified by the Scheme Owner;
      • The processes of the Identity Provider MUST be in accordance with the Level of Assurance for which the Identity Provider has been certified;
      • iSHARE certification is REQUIRED;
      • All user interfaces available in an iSHARE context MUST comply with iSHARE's user interface requirements.

      ...

      The functional requirements applicable to Identity Brokers are as follows:

      • All responsibilities and functional requirements applicable to the Afsprakenstelsel elektronische toegangsdiensten role Herkenningsmakelaar;
      • The Identity Broker MUST provide users an interface to select their Identity Provider;
      • The Identity Broker MUST conform to the service levels for Certified Parties as described here;
      • The Identity Broker MUST NOT claim accordance with a Level of Assurance for which it has not been certified by the Scheme Owner;
      • The processes of the Identity Broker MUST be in accordance with the Level of Assurance for which the Identity Broker has been certified;
      • iSHARE certification is REQUIRED;
      • All user interfaces available in an iSHARE context MUST comply with iSHARE's user interface requirements.

      ...

      The Authorization Registry role is fulfilled by a legal entity who provides solutions for Adhering Parties for the storage of delegation and authorisation information. An Authorization Registry:

      • Can hold information on delegations to Service Consumers;
        i.e. information indicating what parts of the rights of an Entitled Party are delegated to a Service Consumer;
      • Has a process in place allowing for the registration, update and revocation of delegations;
      • Can check, on the basis of this information, whether a machine representing a legal entity is authorised to take delivery of a service;
      • Can confirm whether this is the case to the Service Provider.

      As a result, Adhering Parties can outsource tasks concerning the management of authorisation and delegation information to an Authorization Registry instead of implementing their own tooling.

      The functional requirements applicable to Authorization Registries are as follows:

      ...

      • The Authorization Registry MUST have a clear agreement with the delegating entity concerning the process of allowing the registering, updating or removing of a delegation;
      • The Authorization Registry MUST prevent that a revoked delegation is processed as a valid delegation;
      • The Authorization Registry MUST conform to the service levels for Certified Parties as described here;
      • The Authorization Registry MUST NOT claim accordance with a Level of Assurance for which it has not been certified by the Scheme Owner;
      • The processes of the Authorization Registry MUST be in accordance with the Level of Assurance for which the Authorization Registry has been certified;
      • iSHARE certification is REQUIRED.
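      The functional requirements above for Identity Providers (a revoked authorisation must never be processed as valid; the process must meet the Level of Assurance requested by the Service Provider, and no Level of Assurance may be claimed beyond what the Scheme Owner certified) and for Authorization Registries (registration, update and revocation of delegations; a revoked delegation must never be processed as valid) describe one and the same checking discipline. The following is an added illustration of that discipline as a minimal in-memory delegation registry; it is example code written for this page, not iSHARE framework code, and all identifiers (`EP-EXAMPLE`, `SC-EXAMPLE`, `SP-EXAMPLE`, `DLG-1`), the numeric Level of Assurance scale and the `check` outcome labels are constructed for the example.

```python
"""Added example (not iSHARE code): a minimal Authorization Registry that
registers, updates and revokes delegations and answers authorisation checks,
refusing revoked or expired delegations and any Level of Assurance above the
one the registry was certified for. All identifiers are constructed."""
from __future__ import annotations

from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Delegation:
    """An Entitled Party delegates part of its rights at one Service Provider
    to one Service Consumer, for a bounded time. Records are immutable; every
    change produces a new record so the history stays auditable."""
    delegation_id: str
    entitled_party: str
    service_consumer: str
    service_provider: str
    actions: frozenset[str]
    not_after: datetime
    revoked: bool = False


class AuthorizationRegistry:
    """Holds delegation information and answers 'is this machine authorised?'."""

    def __init__(self, certified_loa: int) -> None:
        self.certified_loa = certified_loa          # LoA the Scheme Owner certified (assumed integer scale)
        self._delegations: dict[str, Delegation] = {}
        self.audit: list[tuple[str, str]] = []      # (event, delegation_id) for every state change

    def register(self, delegation: Delegation) -> None:
        if delegation.delegation_id in self._delegations:
            raise ValueError(f"duplicate delegation id {delegation.delegation_id}")
        self._delegations[delegation.delegation_id] = delegation
        self.audit.append(("register", delegation.delegation_id))

    def update(self, delegation_id: str, *, actions: frozenset[str] | None = None,
               not_after: datetime | None = None) -> None:
        current = self._delegations[delegation_id]
        # Revocation is final: an update must not bring a revoked delegation back to life.
        if current.revoked:
            raise ValueError(f"delegation {delegation_id} is revoked and cannot be updated")
        changes: dict = {}
        if actions is not None:
            changes["actions"] = actions
        if not_after is not None:
            changes["not_after"] = not_after
        self._delegations[delegation_id] = replace(current, **changes)
        self.audit.append(("update", delegation_id))

    def revoke(self, delegation_id: str) -> None:
        self._delegations[delegation_id] = replace(self._delegations[delegation_id], revoked=True)
        self.audit.append(("revoke", delegation_id))

    def check(self, *, service_consumer: str, entitled_party: str, service_provider: str,
              action: str, requested_loa: int, now: datetime | None = None) -> tuple[bool, str]:
        """Return (authorised?, reason). Reasons are constructed labels for this example."""
        # Never answer at a Level of Assurance the registry is not certified for.
        if requested_loa > self.certified_loa:
            return False, "loa_not_certified"
        now = now or datetime.now(timezone.utc)
        matches = [d for d in self._delegations.values()
                   if d.entitled_party == entitled_party
                   and d.service_consumer == service_consumer
                   and d.service_provider == service_provider]
        if not matches:
            return False, "no_delegation"
        live = [d for d in matches if not d.revoked]          # revoked records are never valid
        if not live:
            return False, "revoked"
        unexpired = [d for d in live if now <= d.not_after]   # nor are expired ones
        if not unexpired:
            return False, "expired"
        if any(action in d.actions for d in unexpired):
            return True, "allowed"
        return False, "action_not_delegated"


def demo() -> list[tuple[bool, str]]:
    """Constructed scenario: register, check several cases, revoke, check again."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    reg = AuthorizationRegistry(certified_loa=2)
    reg.register(Delegation("DLG-1", "EP-EXAMPLE", "SC-EXAMPLE", "SP-EXAMPLE",
                            frozenset({"read"}), not_after=t0 + timedelta(days=30)))
    who = dict(service_consumer="SC-EXAMPLE", entitled_party="EP-EXAMPLE",
               service_provider="SP-EXAMPLE")
    results = [
        reg.check(action="read", requested_loa=2, now=t0, **who),                      # allowed
        reg.check(action="write", requested_loa=2, now=t0, **who),                     # not delegated
        reg.check(action="read", requested_loa=2, now=t0 + timedelta(days=31), **who), # expired
        reg.check(action="read", requested_loa=3, now=t0, **who),                      # LoA too high
    ]
    reg.revoke("DLG-1")
    results.append(reg.check(action="read", requested_loa=2, now=t0, **who))          # revoked
    try:
        reg.update("DLG-1", not_after=t0 + timedelta(days=365))                        # must be refused
    except ValueError:
        pass
    results.append(reg.check(action="read", requested_loa=2, now=t0, **who))          # still revoked
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

      The order of the tests in `check` is deliberate: the Level of Assurance gate runs before any lookup, so the registry never discloses delegation state at an assurance level it cannot honour, and revocation is tested before expiry so that a revoked record can never be reported as merely expired. The same shape applies to an Identity Provider holding human authorisations instead of machine delegations.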