Table 12.3.2.2-1 describes the information flow from the identity management server to the VAL server as a response for providing provisioning configuration.
Figure 12.3.3.2-1 is a high level user authentication and authorization flow.
The user authentication process shown in Figure 12.3.3.2-1 may take place in some scenarios as a separate step independently from a SIP registration phase, for example if the SIP core is outside the domain of the VAL server.
A procedure for user authentication is illustrated in Figure 12.3.3.2-1. Other alternatives may be possible, such as authenticating the user within the SIP registration phase.
In this step the identity management client begins the user authorization procedure. The VAL user supplies the user credentials (e.g. biometrics, secureID, username/password) for verification with the identity management server. This step may occur before or after step 3. In a VAL system with multiple VAL services, a single user authentication as in step 1 can be used for multiple VAL service authorizations for the user.
The signalling user agent completes the SIP level registration with the SIP core (and an optional third-party registration with the VAL service server(s)).
Where communications with a partner VAL system using interconnection are required, user authorization takes place in the serving VAL system of the VAL service user, using the VAL user service authorization procedure specified in subclauses 5.2.5 and 5.2.6 of TS 33.434.
The high level procedure for VAL server to provision required information to SEAL identity management server in order to support VAL user authentication is described in the following subclause.
The procedure for VAL server to provision required information to SEAL identity management server in order to support VAL user authentication is illustrated in Figure 12.3.4.2-1.
The VAL server sends a request message to identity management server to provision required information. The request message includes identity of the VAL server, security credentials of the VAL server, and service provider specific information like identity list per VAL service.
Upon receiving the request, the identity management server authorizes the request based on the security credentials provided in the request and considering the service level agreement between VAL service provider and SEAL service provider. If VAL server is authorized to use the SEAL service, then the identity management server stores the details about the VAL server including the list of VAL user IDs per VAL service. The identity management server sends the response message to the VAL server.