With Identity Broker

Legal relations

Prerequisite registration

Use case interaction

Description with Identity Broker

It is a prerequisite of this use case that:

• The Service Provider has and manages its own authorisation information indicating what Entitled Parties are entitled to what (parts of) services*;

• The Service Consumer has and manages its own authorisation information indicating which Human Service Consumers are authorised to act on its behalf**;

• The delegation/authorisation responsible for the Service Consumer registers the authorisation information at the Authorisation Registry.

• The Service Provider can authenticate the Human Service Consumer.

• The Identity Provider can authenticate the Service Provider.

• The Service Provider can authenticate the Identity Provider.

• The Identity Broker can authenticate the Service Provider.

• The Service Provider can authenticate the Identity Broker.

• The Identity Broker is able to authenticate the Service Provider;

• The Service Provider is able to authenticate the Identity Broker;

• The Human Service Consumer has been issued identity credentials by the Identity Provider.

• In this use case, the Entitled Party is also the Service Consumer.

*The Service Provider can outsource this function to a third party

**The Entitled Party can outsource this function to a third party

Authorisation Registry discovery logic:

The Service Provider discovers the Authorisation Registry for the specific capability in the following order. The first condition that applies, determines the location of the Authorisation Registry.

1. The Entitled Party has registered an Authorisation Registry for the specific capability in its /capabilities endpoint;

2. The Entitled Party has registered the Authorisation Registry for the specific capability in the Participant Registry;

3. The Entitled Party has registered an Authorisation Registry for a specific data space in the Participant Registry;

4. The Entitled Party's has set a default Authorisation Registry in the Participant Registry.

The use case consists of the following steps:

(Numbers are intended to explain the use case flow, it might vary from the diagram due to multiple authorisation methods)

1. The Human Service Consumer requests a service from the Service Provider.

2. The Service Provider requests a login from the Identity Broker.

3. The Identity Broker asks the Human Service Consumer to select their Identity Provider.

4. The Human Service Consumer provides Identity Provider information to the Identity Broker.

5. The Identity Broker requests a login from the Identity Provider.

6. The Identity Provider requests credentials from the Human Service Consumer.

7. The Human Service Consumer provides credentials to the Identity Provider.

8. The Identity Provider authenticates the Human Service Consumer and provides an identity token to the Identity Broker, who forwards it to the Service Provider

9. The Service Provider validates the Identity Broker and Identity Provider’s iSHARE certification.

10. If the selected method of authorisation uses and Authorisation Registry, the Service Provider discovers the applicable registry as described in Discovering Authorisation rules.

11. The Service Provider validates the Human Service Consumer based on the authorisation token (Refer to methods of authorisation on how an authorisation token is obtained)

12. The Service Provider validates authorisation and iSHARE adherence of the Service Consumer.

13. The Service Provider executes the requested service and provides the service to the Human Service Consumer.

Methods of authorisation

Diagram 1: Authorisation via Identity Provider: Providing an Authorisation Link to the Service Provider

Diagram 2: Authorisation via Participant Registry Verifying Service Consumer Before Authorisation Check

Diagram 3: Authorisation via Identity Provider Checking Authorisation Registry (AR)

Diagram 4: Authorisation via Identity Broker Checking Authorisation Registry (AR)

Sequence diagram with Identity Broker