# With Identity Broker

#### Legal relations <a href="#id-3.h2mserviceprovisionwithidentityinfoattheip-legalrelations" id="id-3.h2mserviceprovisionwithidentityinfoattheip-legalrelations"></a>

<figure><img src="https://882767234-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FRcS8SgN2qDaia8Qpn7m9%2Fuploads%2Fgit-blob-17db63b81a1e93d7ec3a5eb7152c91096476d786%2Fimage%20(7).png?alt=media" alt=""><figcaption></figcaption></figure>

#### Prerequisite registration <a href="#id-3.h2mserviceprovisionwithidentityinfoattheip-prerequisiteregistration.1" id="id-3.h2mserviceprovisionwithidentityinfoattheip-prerequisiteregistration.1"></a>

<figure><img src="https://882767234-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FRcS8SgN2qDaia8Qpn7m9%2Fuploads%2Fgit-blob-2fd00bf2d350710b1d828338f5d19fce4ae7ba0d%2Fimage%20(8).png?alt=media" alt=""><figcaption></figcaption></figure>

#### Use case interaction <a href="#id-3.h2mserviceprovisionwithidentityinfoattheip-usecaseinteraction" id="id-3.h2mserviceprovisionwithidentityinfoattheip-usecaseinteraction"></a>

<figure><img src="https://882767234-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FRcS8SgN2qDaia8Qpn7m9%2Fuploads%2Fgit-blob-6330dfece37ee3457b780e06db6b9eca5dfa337e%2Fimage%20(9).png?alt=media" alt=""><figcaption></figcaption></figure>

### Description with Identity Broker <a href="#id-3.h2mserviceprovisionwithidentityinfoattheip-descriptionwithidentitybroker" id="id-3.h2mserviceprovisionwithidentityinfoattheip-descriptionwithidentitybroker"></a>

**It is a prerequisite of this use case that:**

* The Service Provider has and manages its own authorization information indicating which Entitled Parties are entitled to which (parts of) services\*;
* The Service Consumer has and manages its own authorization information indicating which Human Service Consumers are authorized to act on its behalf\*\*;
* The delegation/authorization responsible at the Service Consumer registers the authorization information at the Authorization Registry;
* The Service Provider is able to authenticate the Human Service Consumer;
* The Identity Provider is able to authenticate the Service Provider;
* The Service Provider is able to authenticate the Identity Provider;
* The Identity Broker is able to authenticate the Service Provider;
* The Service Provider is able to authenticate the Identity Broker;
* The Human Service Consumer has been issued identity credentials by the Identity Provider;
* In this use case, the Entitled Party is also the Service Consumer.

\*The Service Provider can outsource this function to a third party.

\*\*The Entitled Party can outsource this function to a third party.

**The use case consists of the following steps:**

(The step numbers are intended to explain the use case flow; they might vary from the diagram because there are multiple authorization methods.)

1. The Human Service Consumer requests a service from the Service Provider.
2. The Service Provider requests a login from the Identity Broker.
3. The Identity Broker asks the Human Service Consumer to select their Identity Provider.
4. The Human Service Consumer provides Identity Provider information to the Identity Broker.
5. The Identity Broker requests a login from the Identity Provider.
6. The Identity Provider requests credentials from the Human Service Consumer.
7. The Human Service Consumer provides credentials to the Identity Provider.
8. The Identity Provider authenticates the Human Service Consumer and provides an identity token to the Identity Broker, which forwards it to the Service Provider.
9. The Service Provider validates the Identity Broker and Identity Provider’s iSHARE certification.
10. The Service Provider validates the Human Service Consumer based on the authorization token (refer to [methods of authorization](#methods-of-authorization) for how an authorization token is obtained).
11. The Service Provider validates authorization and iSHARE adherence of the Service Consumer.
12. The Service Provider executes the requested service and provides the service to the Human Service Consumer.
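
The Service Provider's checks in steps 9 to 12 can be modelled as a fail-closed decision, shown here as an added example that is not part of the iSHARE specification or its API. The party ids, token fields, role names and the `PARTICIPANTS` and `ENTITLEMENTS` tables are constructed assumptions, and both tokens are assumed to have had their signatures verified already.

```python
from dataclasses import dataclass

# Constructed stand-ins (invented ids): participant lookup results and the
# Service Provider's own entitlement information. Not iSHARE data formats.
PARTICIPANTS = {
    "broker-1": {"role": "identity_broker", "adherent": True},
    "idp-1": {"role": "identity_provider", "adherent": True},
    "idp-2": {"role": "identity_provider", "adherent": False},
    "consumer-1": {"role": "service_consumer", "adherent": True},
}
ENTITLEMENTS = {("consumer-1", "orders:read")}  # (Entitled Party, service)

@dataclass(frozen=True)
class IdentityToken:       # step 8: issued by the IdP, forwarded by the broker
    subject: str           # Human Service Consumer
    issuer: str            # Identity Provider
    forwarded_by: str      # Identity Broker

@dataclass(frozen=True)
class AuthorizationToken:  # step 10: human may act for a Service Consumer
    subject: str
    on_behalf_of: str
    service: str

def is_adherent(party_id, role):
    """True only for a known party that holds the expected role and is adherent."""
    party = PARTICIPANTS.get(party_id)
    return bool(party) and party["role"] == role and party["adherent"]

def decide(identity, authz, requested_service):
    """Return (granted, reason); any failed check denies (fail closed)."""
    # Step 9: both the broker and the IdP must be certified parties.
    if not is_adherent(identity.forwarded_by, "identity_broker"):
        return False, "identity broker not certified"
    if not is_adherent(identity.issuer, "identity_provider"):
        return False, "identity provider not certified"
    # Step 10 (assumed binding): the authorization token must name the
    # authenticated human and the service that was actually requested.
    if authz.subject != identity.subject:
        return False, "authorization token subject mismatch"
    if authz.service != requested_service:
        return False, "authorization token is for another service"
    # Step 11: the Service Consumer must be adherent and entitled.
    if not is_adherent(authz.on_behalf_of, "service_consumer"):
        return False, "service consumer not adherent"
    if (authz.on_behalf_of, requested_service) not in ENTITLEMENTS:
        return False, "service consumer not entitled"
    return True, "service provided"  # step 12
```

An unknown broker or Identity Provider is treated the same as a non-adherent one, so a token forwarded by an unregistered party never reaches the authorization checks.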

#### Methods of authorization

Diagram 1: Authorization via Identity Provider Providing an Authorization Link to the Service Provider

Diagram 2: Authorization via Participant Registry Verifying Service Consumer Before Authorization Check

Diagram 3: Authorization via Identity Provider Checking Authorization Registry (AR)

### Sequence diagram with Identity Broker <a href="#id-3.h2mserviceprovisionwithidentityinfoattheip-sequencediagramwithidentitybroker" id="id-3.h2mserviceprovisionwithidentityinfoattheip-sequencediagramwithidentitybroker"></a>

<figure><img src="https://882767234-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FRcS8SgN2qDaia8Qpn7m9%2Fuploads%2Fgit-blob-9d7acf05c8bda022812073e4802a7275cb7f1cd3%2FH2M%20Service%20Consumption%20and%20Broker%20(1).png?alt=media" alt=""><figcaption><p>Authorization via Identity Provider Providing an Authorization Link to the Service Provider</p></figcaption></figure>

<figure><img src="https://882767234-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FRcS8SgN2qDaia8Qpn7m9%2Fuploads%2Fgit-blob-1642d7e80b4a433eb8fdbc58d2838c23a43aa1db%2FH2M%20Service%20Consumption%20and%20Broker%20(2).png?alt=media" alt=""><figcaption><p>Authorization via Authorization Registry Verifying Service Consumer getting details from Participant Registry before Authorization Check</p></figcaption></figure>

<figure><img src="https://882767234-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FRcS8SgN2qDaia8Qpn7m9%2Fuploads%2Fgit-blob-3554adf65d8780d574882862f5fc5bd822838b1f%2FH2M%20Service%20Consumption%20and%20Broker.png?alt=media" alt=""><figcaption><p>Authorization via Identity Provider Checking Authorization Registry (AR)</p></figcaption></figure>

