@startuml
actor User
participant Authn
participant "IdHub Control" as Control
participant "Key Manager" as KeyManager
participant Authz
' database "PKCS #11" as PKCS11
' database KDC
database LDAP
' database DNS

autonumber

activate User
activate Control
User -> Control: Alias Add user+ali@domain

== Access Control ==
activate Authn
Control -> Authn: SecureLayer @domain
Authn -> Control: RemoteID user@domain
deactivate Authn
activate Authz
Control -> Authz: WANT alias-create ON user@domain AS user@domain
Authz -> Control: OK FOR user1@domain
deactivate Authz

== Sanity Check ==
activate LDAP
Control -> LDAP: Compare user+ali@domain AS user1@domain
LDAP -[#blue]-> Control: UserID Found
note left: Alternative flow, fatal error
Control -[#blue]-> User: Already Exists
LDAP -> Control: UserID Not Found
deactivate LDAP
Control -> User: Queued
deactivate User

== Key Management ==
activate KeyManager
Control -> KeyManager: Have User user+ali@domain
KeyManager -> Control: Queued
deactivate Control
' Do not deactivate KeyManager
' No key material will be handled
activate LDAP
KeyManager -> LDAP: Retrieve user@domain
note left: When copying the LDAP entry
LDAP -> KeyManager: Creds MIIEVzCCAz...
LDAP -> KeyManager: pkcs11:xxx;y;zz
' deactivate LDAP
' activate LDAP
KeyManager -> LDAP: Have user+ali@domain XS public AS user1@domain
KeyManager -> LDAP: Have user+ali@domain Alias user@domain AS user1@domain
KeyManager -> LDAP: Have Creds for user+ali@domain AS user1@domain
KeyManager -> LDAP: Have pkcs11:xxx;y;zz XS user@domain AS user1@domain
note left: Or share the LDAP entry
LDAP -> KeyManager: Ready
deactivate LDAP
' Now we deactivate KeyManager
deactivate KeyManager
@enduml