Authorization Servicesrequire that Serversbe registered with them because the Access Tokenscan only be used with a single Server. This can introduce a lot of complexity for administrators. One way to reduce this complexity is to leverage the Serverinformation that is already managed by a Global Discovery Service (GDS) described in OPC 10000-12. In this model the user identities are still managed by a central Authorization Service. The interactions are shown in Figure 25.


Figure 25– Direct handshake with an Identity Provider

The UserTokenPolicyreturned from the Serverprovides the URL of the Authorization Serviceand the identity provider. If the Application Authorization Serviceis linked with the GDS, it knows of all Serverswhich have been issued Certificates. The ApplicationUriis used as the identifier for the Serverpassed to the AS. The identity provider is responsible for managing users known to the system. It validates the credentials provided by the Clientand returns an Identity Access Tokenwhich identifies the user. The Identity Access Tokenis passed to the Application Authorization Servicewhich validates the Clientand Serverapplications and creates a new Access Tokenthat can be used to access the Server.