Use case: Proxy to Proxy


A user from Member State B (Proxy scheme based country) accesses an online Service in Member State A (Proxy scheme based country).

Components

The diagram below illustrates the main actors and components of the eIDAS solution. It shows:

  • Two Member States, both of which are 'Proxy countries'. Member State A is the Receiving country and Member State B is the Sending country.
  • A user from Member State B requests access to an online service in Member State A.
  • An eIDAS-Connector in the eIDAS-Node of the Requesting Member State A.
  • An eIDAS-Proxy-Service in the eIDAS-Node of the Sending Member State B.
  • A Service Provider (public administration or private online Service Provider) in Member State A.
  • A National Identity Provider in the Sending Member State B and, depending on the individual solution, a National Identity Provider in the Receiving Member State A.



Use case description

  1. The user of Member State B requests access to the Service Provider in Member State A.
  2. The Service Provider in Member State A sends a request to authenticate the user, generally via the National Identity Provider that forwards it to the eIDAS-Connector of Member State A. The Member State specific implementation translates the country ID protocol to the eIDAS protocol. (Depending on the individual solution implementation, the Service Provider may send this request directly to the eIDAS-Connector.)
  3. On receipt of the request, and if the Member State was not already pre-selected by the requesting relying party, the eIDAS-Connector asks the user for the country of nationality to be used in this identification process.
  4. When the country of origin is selected, an eIDAS Request is created by the Connector and then sent to the eIDAS-Proxy-Service in Member State B.
  5. The eIDAS-Proxy-Service uses the Member State specific implementation to translate the eIDAS Request into a request for the Identity Provider in Member State B. The user authenticates using their national electronic identity. Once the user is authenticated, their identity is returned to the eIDAS-Proxy-Service in Member State B. Depending on the implementation, there may be two additional steps within step 5 for the user:
    1. To select the attributes to be provided (therefore giving consent);
    2. To agree the values of the attributes to be provided.
  6. The eIDAS-Proxy-Service in Member State B creates the eIDAS Response, containing the Identity Assertion, and sends it to the requesting eIDAS-Connector in Member State A.
  7. The Member State specific part in the eIDAS-Connector in Member State A uses the eIDAS Response to create the reply to the Service Provider, again potentially via a local Identity Provider, depending on the local solution.
  8. The Service Provider grants access to the user if the authentication is successful.

The interaction with the user only happens in steps 1, 3, 5 and 8. The remainder of the process is automated and invisible to the user.
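
Because steps 4, 6 and 7 run without the user seeing them, the eIDAS-Connector is the component that has to decide whether an incoming eIDAS Response belongs to a Request it actually sent. The sketch below is an added example, not code from the eIDAS-Node or from this documentation. It models that correlation check with simplified stand-in message classes. All field names, identifiers and URLs are assumptions, and signature verification of the messages is not modelled.

```python
import secrets
from dataclasses import dataclass

# Hypothetical trust configuration: country code -> Proxy-Service identifier.
# Constructed values; a real Connector takes these from its trusted metadata.
PROXY_SERVICES = {"BB": "https://proxy.example-b.test/metadata"}
CONNECTOR_ID = "https://connector.example-a.test/metadata"

@dataclass(frozen=True)
class EidasRequest:          # simplified stand-in, not the real message format
    request_id: str
    issuer: str              # the Connector in Member State A
    destination: str         # the Proxy-Service in Member State B

@dataclass(frozen=True)
class EidasResponse:         # simplified stand-in, not the real message format
    in_response_to: str
    issuer: str
    destination: str
    attributes: dict

class Connector:
    def __init__(self):
        self._pending = {}   # request_id -> expected Proxy-Service issuer

    def create_request(self, country: str) -> EidasRequest:
        """Step 4: build the request once the user's country is known."""
        proxy = PROXY_SERVICES.get(country)
        if proxy is None:
            raise ValueError(f"no trusted Proxy-Service for {country!r}")
        req = EidasRequest(secrets.token_hex(16), CONNECTOR_ID, proxy)
        self._pending[req.request_id] = proxy
        return req

    def accept_response(self, resp: EidasResponse) -> dict:
        """Steps 6-7: accept a response only for a request we issued."""
        # Single use: the entry is removed even if a later check fails.
        expected = self._pending.pop(resp.in_response_to, None)
        if expected is None:
            raise ValueError("unsolicited or replayed response")
        if resp.issuer != expected:
            raise ValueError("response not from the selected country's Proxy-Service")
        if resp.destination != CONNECTOR_ID:
            raise ValueError("response addressed to a different Connector")
        return resp.attributes   # handed to the Member State specific part
```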