User Delegation - kmd-identity/documentation GitHub Wiki
What is User Delegation?
Applications that want to support scenarios where users act on behalf of other users must adhere to a set of functional and legal requirements that depend on the business domain. This wiki page is intended to help you understand the different terms, what is required from your application, and how to get started with User Delegation using one or more services provided by KMD Identity.
Note: User Delegation is not a "plug and play" service provided by KMD Identity. User Delegation requires analysis, design and implementation in your application. KMD Identity merely provides services to support your application in the process of adhering to the functional and legal requirements.
Applications can have different types of users and therefore also different requirements. Here are a number of examples where User Delegation might make sense:
- Case workers acting on behalf of citizens
- Teachers acting on behalf of students
- Citizens acting on behalf of citizens (family members)
Terms
Defining and using proper terms is important to understand, discuss and implement User Delegation. These are the terms we use internally when discussing the example "Case workers acting on behalf of citizens":
- Actor and Subject - An Actor acts on behalf of a Subject
  - Case worker is the Actor
  - Citizen is the Subject
- Act - The process of an Actor performing an operation on behalf of a Subject
  - Case worker performs an operation on behalf of the Citizen
- Delegate Access - The process of a Subject delegating access to an Actor
  - Citizen delegates access to Case Worker
- Revoke Access - The process of a Subject (and potentially an Actor) revoking the delegated access
  - Citizen revokes delegated access given to Case Worker
  - Case Worker revokes delegated access given by Citizen
- Scope - Defining the scope of the delegated access: Who (all or specific Actors), What (all or specific operations), When (always or a specific date and time).
  - Citizen delegates access to a specific Case Worker for a specific operation for a specific number of hours
Feel free to use these terms when discussing User Delegation internally or with KMD Identity members.
Processes in more detail
Now that we have most of the terms covered, we can look at some of the processes in more detail. The following sequence diagram shows how Actors, Subjects, applications, KMD Identity and Identity Providers take part in the process of supporting User Delegation.
Note: Custom Claims and FlowId are mentioned multiple times in the sequence diagram. Familiarize yourself with the capabilities of Custom Claims and FlowId before viewing the sequence diagram.
If the sequence diagram is too small or blurry: right-click the image, open the image in a new tab and then zoom in. (This does not work in certain scenarios.)
Implementation of User Delegation is done entirely in your application, including auditing all processes and actions taken by Actors and Subjects.
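The terms above (Actor, Subject, Scope, Delegate Access, Revoke Access, Act) and the application-side auditing just mentioned, as an added example that is not code from this wiki or from the KMD Identity test application: a small Python model in which a Scope holds the Who/What/When of a delegation, the application stores delegations, authorizes each Act against them at the time of the operation, and writes an audit entry for every process, including denied attempts. The class and identifier names (DelegationService, cw-1, citizen-42) and the rule that an Actor may revoke only when explicitly named in the Scope are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Optional
import itertools

@dataclass(frozen=True)
class Scope:
    """Who / What / When of a delegation; None means all Actors, all operations or no time bound."""
    actors: Optional[FrozenSet[str]] = None       # Who
    operations: Optional[FrozenSet[str]] = None   # What
    valid_from: Optional[datetime] = None         # When (inclusive start)
    valid_until: Optional[datetime] = None        # When (exclusive end)

    def permits(self, actor: str, operation: str, at: datetime) -> bool:
        if self.actors is not None and actor not in self.actors:
            return False
        if self.operations is not None and operation not in self.operations:
            return False
        if self.valid_from is not None and at < self.valid_from:
            return False
        return self.valid_until is None or at < self.valid_until

@dataclass
class Delegation:
    delegation_id: int
    subject: str
    scope: Scope
    revoked_by: Optional[str] = None   # set by Revoke Access

    @property
    def active(self) -> bool:
        return self.revoked_by is None

@dataclass(frozen=True)
class AuditEntry:
    at: datetime
    event: str                 # "delegate", "revoke" or "act"
    actor: Optional[str]
    subject: str
    operation: Optional[str]
    outcome: str               # "ok", "allowed" or "denied"

class DelegationService:
    """Application-side delegation store (assumed name); every process, including denied attempts, is audited."""

    def __init__(self) -> None:
        self._delegations: List[Delegation] = []
        self._ids = itertools.count(1)
        self.audit: List[AuditEntry] = []

    def delegate_access(self, subject: str, scope: Scope, at: datetime) -> int:
        """Delegate Access: the Subject grants access under a Scope."""
        d = Delegation(next(self._ids), subject, scope)
        self._delegations.append(d)
        self.audit.append(AuditEntry(at, "delegate", None, subject, None, "ok"))
        return d.delegation_id

    def revoke_access(self, delegation_id: int, revoked_by: str, at: datetime) -> bool:
        """Revoke Access: permitted for the Subject or an Actor named in the Scope
        (design choice: an 'all Actors' scope is revocable only by the Subject)."""
        for d in self._delegations:
            if d.delegation_id != delegation_id or not d.active:
                continue
            may_revoke = revoked_by == d.subject or (
                d.scope.actors is not None and revoked_by in d.scope.actors)
            if may_revoke:
                d.revoked_by = revoked_by
            self.audit.append(AuditEntry(at, "revoke", revoked_by, d.subject, None,
                                         "ok" if may_revoke else "denied"))
            return may_revoke
        return False  # unknown or already revoked delegation

    def act(self, actor: str, subject: str, operation: str, at: datetime) -> bool:
        """Act: authorize one operation by an Actor on behalf of a Subject, evaluated at the time of the operation."""
        allowed = any(d.active and d.subject == subject and d.scope.permits(actor, operation, at)
                      for d in self._delegations)
        self.audit.append(AuditEntry(at, "act", actor, subject, operation,
                                     "allowed" if allowed else "denied"))
        return allowed

def example_scenario() -> Dict[str, object]:
    """Constructed walk-through: a citizen delegates one operation to one case worker for two hours."""
    svc = DelegationService()
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    scope = Scope(actors=frozenset({"cw-1"}), operations=frozenset({"view-case"}),
                  valid_from=t0, valid_until=t0 + timedelta(hours=2))
    did = svc.delegate_access("citizen-42", scope, t0)
    return {
        "in_scope": svc.act("cw-1", "citizen-42", "view-case", t0 + timedelta(minutes=30)),
        "wrong_actor": svc.act("cw-2", "citizen-42", "view-case", t0 + timedelta(minutes=30)),
        "wrong_operation": svc.act("cw-1", "citizen-42", "edit-case", t0 + timedelta(minutes=30)),
        "expired": svc.act("cw-1", "citizen-42", "view-case", t0 + timedelta(hours=3)),
        "revoke_by_outsider": svc.revoke_access(did, "cw-2", t0 + timedelta(minutes=40)),
        "revoke_by_actor": svc.revoke_access(did, "cw-1", t0 + timedelta(minutes=45)),
        "after_revoke": svc.act("cw-1", "citizen-42", "view-case", t0 + timedelta(minutes=50)),
        "audit_events": len(svc.audit),
    }
```

Because `act` evaluates the stored delegations at the time of each operation, expiry and revocation take effect on the next request rather than at the Actor's next login, and the `audit` list is the application-owned record of every Delegate, Revoke and Act process that the page says your application must keep.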
Can I see this in action and test it?
Yes, glad you asked (or we did).
Our OpenID (Web) test application, located at https://test-openid-web.identity.kmd.dk/, is able to showcase the different processes in the sequence diagram above. Navigate to the site, click Log in, select an Identity Provider (e.g. KMD - AD if you are a KMD employee) and then click the Delegation tab once you have authenticated. The information on the Delegation tab will instruct you on how to test it.
The test application utilizes Custom Claims and FlowId.
Source code can be found at https://github.com/kmd-identity/testapplications.
Disclaimer: Do not copy code directly from the test application. It is only for testing purposes; however, it should give you a pretty good idea of how to implement some of the functionality required to support User Delegation.
Get started
- New applications must follow our Get started guide to set up a working integration with KMD Identity
- Ensure your application utilizes Custom Claims and FlowId
- Analyze, design and implement the required functionality to support User Delegation in your application based on the functional and legal requirements