--- Structure based on Flow: SURFnet 4.8-9 Registration Desk (Self-service token registration) and Flow: SURFnet 4.4 Mobile Application with Optical Scan + NFC +Selfie, to be combined with Jule's detailed structure below...
U_REGISTER/INITIATE I Initiate (U - is User the word? Candidate?? Or I=INITIATE R=REQUEST/REGISTER)
...
Applicant) optional
?_?? (optional)
V_AUTHENTICATE
U_ELIGIBILITY_CHECK
sending the token
U_INTRODUCE_FACTOR/U_PREREGISTER_TOKEN (optional) if the user possesses (or is expected to possess) a token at the time of registration; could alternatively be done during vetting (token preregistration)
U_CREATE_VETTING_CODE (typically for later token activation, but could also be used to identify the user registration at the start of vetting)
U_COMMUNICATE/ARRANGE_VETTING_SPECIFICS (optional, only if e-mail is used for scheduling, appointment, activation code communication or other relevant interaction, so that this could be piggybacked onto it)
U_GET_EMAIL_ADDRESS (if e-mail is used, from IdP account data or user)
U_SCHEDULE_VETTING (optional, only if the load at the service desk requires this)
U_SEND/COMMUNICATE_VETTING_INTRO_MESSAGE (INFO with token activation or QR code, e-mail validation link, instructions, application link, service desk contacts or address and appointment details, or whatever is needed)
U_VALIDATE/BIND_EMAIL (optional, if a valid e-mail address is not already assured/guaranteed and accessible from the IdP data upon password login)
V_VET Do the vetting
V_NEGOTIATE/INITIATE (optional, related to U_SCHEDULE_VETTING)
...
V_CHECK_ELIGIBILITY optional, if U_ELIGIBILITY_CHECK was not performed, or if it was not sufficient; may include V_AUTHENTICATE, check/examination of a directory, federated identity, or written institutional certificate
V_PRESENT_PROOF applicant presents a proof of identity, typically a picture ID document with demographic and biometric data
(V_CREATE_DIGITAL_IDENTITY optional, only if the user does not already possess IdP identity (weak or 1st factor identity), done before V_VET_USER_IDENTITY in order to allow parallelism at the service desk; should be undo-able if V_VET_USER_IDENTITY fails. Includes creation of the username and the password and check of their alignment with the enforced policies)
V_SELECT_FACTOR
V_HAND_OVER_
...
FACTOR optional, (if the token is provided by the service desk)
V_VET_USER_IDENTITY detailed check of ID validity and match with the person
...