European Commission Digital

eID Documentation

Proxy to Middleware


A user from Member State B (Proxy scheme based country) accesses an online Service in Member State C (Middleware scheme based country).

Components

The diagram below illustrates the main actors and components of the eIDAS solution. It shows:

  • Two Member States, Member State C (a Middleware scheme based country) and Member State B (a Proxy scheme based country)
  • A user from Member State B requesting access to an online service in Member State C.
  • In Member State C (Middleware / Receiving Member State):
    • Service Provider (public administration or private online Service Provider).
    • An eIDAS-Node, consisting of:
      • An eIDAS-Connector
      • eIDAS-Node Member State C Specific Middleware.
  • In Member State B (Proxy / Sending Member State):
    • An eIDAS-Node, consisting of:
      • An eIDAS-Proxy-Service
      • Member State C Middleware-Service.
    • A National Identity Provider in the Sending Member State B and, depending on implementation, a National Identity Provider in the Receiving Member State C.



Use case description

  1. The user of Member State B (a Proxy scheme based country) requests access to the Service Provider in Member State C (a Middleware scheme based country).
  2. The Service Provider in Member State C sends a request to authenticate the user. Depending on implementation, the request goes via the National Identity Provider, which forwards it to the eIDAS-Connector. The Member State specific implementation translates the country ID protocol to the eIDAS protocol. (In some cases, depending on implementation, the Service Provider can send this request directly to the eIDAS-Connector.)
  3. On receipt of the request, and if the home Member State of the user was not already pre-selected by the requesting relying party, the eIDAS-Connector asks the user for their country of origin.
  4. When the country of origin is selected, the eIDAS Request is created by the Connector in Member State C and then sent to the Member State C Specific Middleware, which conveys it to the eIDAS-Node Member State C Middleware-Service.
  5. The eIDAS Request is then passed to the eIDAS-Proxy-Service in Member State B.
  6. The eIDAS-Proxy-Service uses the Member State specific implementation to translate the eIDAS Request into a request for the Identity Provider in Member State B. The user authenticates using their national electronic identity. Once the user is authenticated, their identity is returned to the eIDAS-Node Proxy-Service. Depending on the implementation, there may be two additional steps within step 5 for the user:
    1. To select the attributes to be provided (therefore giving consent);
    2. To agree the values of the attributes to be provided.
  7. The eIDAS-Proxy-Service creates the eIDAS Response, containing the Identity Assertion, and sends it to the Member State C Specific Middleware.
  8. The eID information is passed back to the Service Provider via the Member State C Specific Middleware, the eIDAS-Connector and via the National Identity Provider.
  9. The Service Provider grants access to the user if the authentication is successful.

Interaction with the user only happens in stages 1, 3, 6 and 9. The remainder of the process is automated and invisible to the citizen.