
Content for TR 22.904, Word version 16.1.0



1  Scope

The present document aims to study the introduction of an optional, user-centric authentication layer on top of the existing subscription authentication, supporting various authentication mechanisms and interactions with external authentication systems as well as a degree of confidence (i.e. a value that allows differentiated service policies depending on the reliability of the User Identifier).
The new authentication layer shall not replace existing subscription credentials. The security and privacy of subscriber or end user data shall not be compromised.
Use cases are developed and potential requirements derived for how to use the new User Identifier within the 3GPP system, e.g. to provide customized services and enhanced charging, and for how to provide this identifier to external entities to enable authentication for systems and services outside 3GPP.
Use cases for use within 3GPP include
  • providing different users using the same UE with customized services
  • identifying users of devices behind a gateway with a 3GPP subscription, but without the devices having a dedicated 3GPP subscription
  • using a User Identifier being linked to a subscription to access 3GPP services via non-3GPP access
  • using a User Identifier for slice authorization.

2  References

The following documents contain provisions which, through reference in this text, constitute provisions of the present document.
  • References are either specific (identified by date of publication, edition number, version number, etc.) or non specific.
  • For a specific reference, subsequent revisions do not apply.
  • For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same Release as the present document.
TR 21.905: "Vocabulary for 3GPP Specifications".

3  Definitions, symbols and abbreviations

3.1  Definitions

For the purposes of the present document, the terms and definitions given in TR 21.905 and the following apply. A term defined in the present document takes precedence over the definition of the same term, if any, in TR 21.905.
Gateway UE:
a UE, which acts as a gateway providing access to and from the 3GPP network for one or more non-3GPP devices that are connected to the gateway UE.
User:
As defined in TR 21.905: An entity, not part of the 3GPP System, which uses 3GPP System services. Example: a person using a 3GPP System mobile station as a portable telephone.
Additional examples for a user in the context of this TR: a non-3GPP device connected to the 3GPP system via a gateway, or an application running on a UE.
User Identity:
information representing a user in a specific context. A user can have several user identities, e.g. a User Identity in the context of his profession, or a private User Identity for some aspects of private life.
User Identifier:
a piece of information used to identify one specific User Identity in one or more systems.
User Identity Profile:
A collection of information associated with the User Identities of a user.

4  Overview

4.1  Background and motivation

Current mobile networks are subscription-centric, which allows mobile operators to protect the access to the network and respect legal obligations. From a use case perspective this was sufficient in times when a user typically only had one phone with one subscription, using only a few services provided by the operator such as telephony and SMS.
However, times have changed: Today a person may have different kinds of devices (phones, tablets, laptops), some of which might belong to the user, others might be shared with someone else or belong to some other party to access various operator and non-operator services. Things are increasingly connected (sensors, gateways, actuators etc.) and there are many different flavours in the relation between the owner of the thing, the holder of the subscription and the actual user of the thing.
Presently it is common for each service to perform its own authentication, often based on username and password. For users it becomes more and more cumbersome to manage the different credentials of the growing number of services.
So-called identity providers address the above problem by providing identity information to entities and authentication to services for those entities. Such mechanisms could be used over the top of any data connections, but integration or interworking with operator networks provides additional advantages.
Identifying the user in the operator network (by means of an identity provided by some external party or by the operator) makes it possible to provide an enhanced user experience and optimized performance, as well as to offer services to devices that are not part of the 3GPP network. The user to be identified could be an individual human user, using a UE with a certain subscription, or an application running on or connecting via a UE, or a device ("thing") behind a gateway UE.
Network settings can be adapted and services offered to users according to their needs, independent of the subscription that is used to establish the connection. By acting as an identity provider the operator can take additional information from the network into account to provide a higher level of security for the authentication of a user.

4.2  Basic concept and relations of identity management

In the context of identity management, something outside a system that needs to be identified in the system is referred to as an "entity". In 3GPP such an entity is called a user. A user is not necessarily a person; it could also be an application or a device ("thing").
The entity is uniquely represented by an identity in the system. The identity can depend on the role of the entity in the system (e.g. which kind of service is used for which purpose). As such, a user can have several user identities, e.g. one user identity representing the professional role of the (human) user and another one representing some aspects of her private life. There is a 1:n relation between user and user identity.
Figure 1: relation between user, identities, identifiers and attributes
A user identity is associated with some pieces of information, which are generally called attributes. One special form of attributes are identifiers. The relation between identity and identifier is 1:n.
Each user identity is identified in the system by one or more user identifiers. An identifier could take the form of an NAI, email address or some number, could be permanent (comparable to the IMSI), or temporary (comparable to the TMSI).
For example, in the Internet world a user might choose to use her company email address when registering for and using services (access to web portals) that she needs for her work. For access to other sites, e.g. online shopping or login to information servers concerning some hobby, she might use other email addresses. In this example the email addresses are the user identifiers that identify the different identities of the user for certain web services.
Other attributes could contain information about the date of birth of a user, the private address, the company name and address, job title etc. Attributes that are not identifiers may be associated with more than one identity, e.g. date of birth might be relevant in the professional as well as in the private context. One identity is typically associated with several attributes.
With multiple user accounts, the above information is distributed over multiple servers. An identity provider creates, manages and stores this information in one place, authenticates a selected user identity (i.e. verifies a claimed user identity) for a service and provides the result and the necessary attributes to the service.
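The relations described in this clause (user 1:n identity, identity 1:n identifier, attributes either identity-specific or shared across identities, identifiers stored in one place) as an added illustration in Python; this is not code from the TR, and the profile data, class names and the uniqueness check on identifiers are assumptions of the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class Identifier:
    value: str          # an NAI, an e-mail address or some number
    permanent: bool     # permanent (comparable to IMSI) or temporary (comparable to TMSI)

@dataclass
class UserIdentity:
    context: str                                   # role of the entity, e.g. "professional"
    identifiers: List[Identifier]                  # identity -> identifier is 1:n
    attributes: Dict[str, str] = field(default_factory=dict)  # tied to this identity only

@dataclass
class User:
    user_id: str
    identities: List[UserIdentity]                 # user -> user identity is 1:n
    shared_attributes: Dict[str, str] = field(default_factory=dict)  # relevant to several identities

class IdentityProvider:
    """Stores User Identity Profiles in one place and resolves identifiers (assumed simplified model)."""

    def __init__(self) -> None:
        self._by_identifier: Dict[str, Tuple[User, UserIdentity]] = {}

    def register(self, user: User) -> None:
        # Assumption: within this system an identifier points at exactly one user identity.
        for identity in user.identities:
            for ident in identity.identifiers:
                if ident.value in self._by_identifier:
                    raise ValueError(f"identifier {ident.value!r} is already bound to an identity")
                self._by_identifier[ident.value] = (user, identity)

    def resolve(self, identifier: str) -> Optional[Tuple[str, str, Dict[str, str]]]:
        """Map an identifier to (user_id, identity context, attributes), or None if unknown.
        Attributes returned are the user's shared ones merged with the identity-specific ones."""
        hit = self._by_identifier.get(identifier)
        if hit is None:
            return None
        user, identity = hit
        return user.user_id, identity.context, {**user.shared_attributes, **identity.attributes}

# Constructed sample profile following the e-mail address example above (not real data).
alice = User("user-0001", identities=[
    UserIdentity("professional", [Identifier("alice@corp.example", permanent=True)],
                 {"company": "Corp Example", "job_title": "Engineer"}),
    UserIdentity("private", [Identifier("alice.hobby@mail.example", permanent=True),
                             Identifier("tmp-7f3a", permanent=False)]),
], shared_attributes={"date_of_birth": "1990-01-01"})
IDP = IdentityProvider()
IDP.register(alice)
```

Resolving a temporary identifier yields the private identity with only the shared attribute, while the company address yields the professional identity with its own attributes added; a second profile reusing an existing identifier is rejected.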

4.3  Impact on the 3GPP system

The goal of this activity is not to define an identity provisioning service. The assumption is that operators can use existing systems to act as identity providers if they wish to do so. The actual process of identity creation, provisioning, managing, authentication etc. does not need to be defined within 3GPP.
The focus of this work is the interaction of such a service with the 3GPP system:
  • how to take a user identity into account for adapting network and operator-deployed service settings (e.g. policies, IMS, Gi-LAN service chain) and for network slice selection
  • support of providing the user identity to external services via the 3GPP network
  • extending 3GPP services to non-3GPP devices that are identified by user identifiers, e.g. to enable network and service access by these devices and to make them addressable and reachable from the network
  • additionally, if the operator acts as identity provider, how to improve the level of security or confidence in the identity by taking into account information from the network
