Tech-invite3GPPspaceIETF RFCsSIP
index21222324252627282931323334353637384‑5x

Content for  TS 23.434  Word version:  18.3.0

Top   Top   Up   Prev   Next
0…   4…   6…   6.4…   6.5…   7…   8…   8.2.2…   9…   9.3…   9.3.6…   9.3.11…   9.4…   10…   10.3…   10.3.2.22…   10.3.3…   10.3.7…   10.3.10…   10.4…   11…   11.3…   12…   13…   14…   14.3…   14.3.3…   14.3.3.3…   14.3.4…   14.3.4.6   14.3.4.7…   14.3.4A…   14.3.4A.4…   14.3.4A.6…   14.3.4A.8…   14.3.4A.9…   14.3.4A.10…   14.3.5…   14.4…   15…   16…   17…   19…   A…

 

12  Identity managementp. 120

12.1  Generalp. 120

The identity management is a SEAL service that offers the identity management related capabilities to one or more vertical applications.

12.2  Functional model for identity managementp. 120

12.2.1  Generalp. 120

The functional model for the identity management is based on the generic functional model specified in clause 6. It is organized into functional entities to describe a functional architecture which addresses the support for identity management aspects for vertical applications. The on-network and off-network functional model is specified in this clause.

12.2.2  On-network functional model descriptionp. 121

Figure 12.2.2-1 illustrates the generic on-network functional model for identity management.
Reproduction of 3GPP TS 23.434, Fig. 12.2.2-1: On-network functional model for identity management
Up
The identity management client communicates with the identity management server over the IM-UU reference point. The identity management client provides the support for identity management functions to the VAL client(s) over IM-C reference point. The VAL server(s) communicate with the identity management server over the IM-S reference point.

12.2.3  Off-network functional model descriptionp. 121

Figure 12.2.3-1 illustrates the off-network functional model for identity management.
Reproduction of 3GPP TS 23.434, Fig. 12.2.3-1: Off-network functional model for identity management
Up
The identity management client of the UE1 communicates with the identity management client of the UE2 over the IM-PC5 reference point.

12.2.4  Functional entities descriptionp. 121

12.2.4.1  Generalp. 121

The functional entities for identity management SEAL service are described in the following subclauses.

12.2.4.2  Identity management clientp. 122

The identity management client functional entity acts as the application client for vertical applications layer user identity related transactions. The identity management client interacts with the identity management server. The identity management client also supports interactions with the corresponding identity management client between the two UEs.

12.2.4.3  Identity management serverp. 122

The identity management server is a functional entity that authenticates the vertical application layer user identity. The authentication is performed by verifying the credentials provided by the vertical applications' user. The identity management server acts as CAPIF's API exposing function as specified in TS 23.222. The identity management server also supports interactions with the corresponding identity management server in distributed SEAL deployments.
Up

12.2.5  Reference points descriptionp. 122

12.2.5.1  Generalp. 122

The reference points for the functional model for identity management are described in the following subclauses.

12.2.5.2  IM-UUp. 122

The interactions related to identity management functions between the identity management client and the identity management server are supported by IM-UU reference point. This reference point utilizes Uu reference point as described in TS 23.401 and TS 23.501.

12.2.5.3  IM-PC5p. 122

The interactions related to identity management functions between the identity management clients located in different VAL UEs are supported by IM-PC5 reference point. This reference point utilizes PC5 reference point as described in TS 23.303.

12.2.5.4  IM-Cp. 122

The interactions related to identity management functions between the VAL client(s) and the identity management client within a VAL UE are supported by IM-C reference point.

12.2.5.5  IM-Sp. 122

The interactions related to identity management functions between the VAL server(s) and the identity management server are supported by IM-S reference point. This reference point is an instance of CAPIF-2 reference point as specified in TS 23.222.

12.2.5.6  IM-Ep. 122

The interactions related to identity management functions between the identity management servers in a distributed deployment are supported by IM-E reference point.

12.3  Procedures and information flows for identity managementp. 122

12.3.1  Generalp. 122

The procedures related to the identity management are described in the following subclauses.

12.3.2  Information flowsp. 123

12.3.3  General user authentication and authorization for VAL servicesp. 123

12.3.3.1  Generalp. 123

The high level user authentication and authorization procedure is described in the following subclause.

12.3.3.2  Primary VAL systemp. 123

Figure 12.3.3.2-1 is a high level user authentication and authorization flow.
The user authentication process shown in Figure 12.3.3.2-1 may take place in some scenarios as a separate step independently from a SIP registration phase, for example if the SIP core is outside the domain of the VAL server.
A procedure for user authentication is illustrated in Figure 12.3.3.2-1. Other alternatives may be possible, such as authenticating the user within the SIP registration phase.
Reproduction of 3GPP TS 23.434, Fig. 12.3.3.2-1: VAL user authentication and registration with Primary VAL system, single domain
Up
Step 1.
In this step the identity management client begins the user authorization procedure. The VAL user supplies the user credentials (e.g. biometrics, secureID, username/password) for verification with the identity management server. This step may occur before or after step 3. In a VAL system with multiple VAL services, a single user authentication as in step 1 can be used for multiple VAL service authorizations for the user.
Step 2.
The signalling user agent establishes a secure connection to the SIP core for the purpose of SIP level authentication and registration.
Step 3.
The signalling user agent completes the SIP level registration with the SIP core (and an optional third-party registration with the VAL service server(s)).
Up

12.3.3.3  Interconnection partner VAL systemp. 124

Where communications with a partner VAL system using interconnection are required, user authorization takes place in the serving VAL system of the VAL service user, using the VAL user service authorization procedure specified in subclauses 5.2.5 and 5.2.6 of TS 33.434.

12.3.4  VAL server provisioning for identity management service |R18|p. 124

12.3.4.1  Generalp. 124

The high level procedure for VAL server to provision required information to SEAL identity management server in order to support VAL user authentication is described in the following subclause.

12.3.4.2  Procedurep. 124

The procedure for VAL server to provision required information to SEAL identity management server in order to support VAL user authentication is illustrated in Figure 12.3.4.2-1.
Reproduction of 3GPP TS 23.434, Fig. 12.3.4.2-1: VAL Server provisioning to SEAL Identity Management Server
Up
Step 1.
The VAL server sends a request message to identity management server to provision required information. The request message includes identity of the VAL server, endpoint information of the VAL server, security credentials of the VAL server, and service provider specific information like list of VAL user IDs per VAL service.
Step 2.
Upon receiving the request, the identity management server authorizes the request based on the security credentials provided in the request and considering the service level agreement between VAL service provider and SEAL service provider. If VAL server is authorized to use the SEAL service, then the identity management server stores the details about the VAL server including the list of VAL user IDs per VAL service.
The identity management server sends the response message to the VAL server..
Up

12.4  SEAL APIs for identity managementp. 124

12.4.1  Generalp. 124

There are no APIs defined for SEAL Identity Management.

12.4.2Void


Up   Top   ToC