Content for TS 23.434 Word version: 18.5.0

0… 4… 5 6… 6.4… 6.5… 6.5.3… 7… 8… 8.2.2… 9… 9.3… 9.3.2.21… 9.3.3… 9.3.6… 9.3.11… 9.3.13… 9.3.14… 9.4… 9.4.6… 9.5… 10… 10.3… 10.3.2.22… 10.3.3… 10.3.7… 10.3.10… 10.4… 11… 11.3… 11.3.3… 11.4… 12… 12.3… 13… 14… 14.2.2.2… 14.3… 14.3.2.20… 14.3.2.40… 14.3.3… 14.3.3.3… 14.3.4… 14.3.4.6 14.3.4.7… 14.3.4A… 14.3.4A.3… 14.3.4A.4… 14.3.4A.6… 14.3.4A.8… 14.3.4A.9… 14.3.4A.10… 14.3.5… 14.3.6… 14.3.9… 14.3.12… 14.4… 15… 16… 17… 18… A B…

12.3 Procedures and information flows for identity management 12.3.1 General 12.3.2 Information flows 12.3.2.1 VAL server provisioning request 12.3.2.2 VAL server provisioning response 12.3.3 General user authentication and authorization for VAL services 12.3.3.1 General 12.3.3.2 Primary VAL system 12.3.3.3 Interconnection partner VAL system 12.3.4 VAL server provisioning for identity management service 12.3.4.1 General 12.3.4.2 Procedure 12.4 SEAL APIs for identity management 12.4.1 General 12.4.3 SS_IdmParameterProvisioning API 12.4.3.1 General 12.4.3.2 Provide_Configuration operation
...

12.3 Procedures and information flows for identity management p. 140

12.3.1 General p. 140

The procedures related to the identity management are described in the following subclauses.

12.3.2 Information flows p. 140

12.3.2.1 VAL server provisioning request |R18| p. 140

Table 12.3.2.1-1 describes the information flow from the VAL server to the identity management server for providing provisioning configuration.

Table 12.3.2.1-1: VAL server provisioning request

Information element	Status	Description
Requester Identity	M	The identity of the VAL server performing the request.
List of VAL service specific information	M	Provides the list of VAL service specific information
> VAL service ID	M	Identify of the VAL service for which the configuration information is provided.
> identity list	M	Identify list of VAL users for the specific VAL service (i.e. VAL User IDs or VAL UE IDs)

12.3.2.2 VAL server provisioning response |R18| p. 140

Table 12.3.2.2-1 describes the information flow from the identity management server to the VAL server as a response for providing provisioning configuration.

Table 12.3.2.2-1: VAL server provisioning response

Information element	Status	Description
Result	M	Indicates success or failure of the request

12.3.3 General user authentication and authorization for VAL services p. 141

12.3.3.1 General p. 141

The high level user authentication and authorization procedure is described in the following subclause.

12.3.3.2 Primary VAL system p. 141

Figure 12.3.3.2-1 is a high level user authentication and authorization flow.

The user authentication process shown in Figure 12.3.3.2-1 may take place in some scenarios as a separate step independently from a SIP registration phase, for example if the SIP core is outside the domain of the VAL server.

A procedure for user authentication is illustrated in Figure 12.3.3.2-1. Other alternatives may be possible, such as authenticating the user within the SIP registration phase.

Reproduction of 3GPP TS 23.434, Fig. 12.3.3.2-1: VAL user authentication and registration with Primary VAL system, single domain

Figure 12.3.3.2-1: VAL user authentication and registration with Primary VAL system, single domain

Step 1.

In this step the identity management client begins the user authorization procedure. The VAL user supplies the user credentials (e.g. biometrics, secureID, username/password) for verification with the identity management server. This step may occur before or after step 3. In a VAL system with multiple VAL services, a single user authentication as in step 1 can be used for multiple VAL service authorizations for the user.

Step 2.

The signalling user agent establishes a secure connection to the SIP core for the purpose of SIP level authentication and registration.

Step 3.

The signalling user agent completes the SIP level registration with the SIP core (and an optional third-party registration with the VAL service server(s)).

12.3.3.3 Interconnection partner VAL system p. 141

Where communications with a partner VAL system using interconnection are required, user authorization takes place in the serving VAL system of the VAL service user, using the VAL user service authorization procedure specified in subclauses 5.2.5 and 5.2.6 of TS 33.434.

12.3.4 VAL server provisioning for identity management service |R18| p. 142

12.3.4.1 General p. 142

The high level procedure for VAL server to provision required information to SEAL identity management server in order to support VAL user authentication is described in the following subclause.

12.3.4.2 Procedure p. 142

The procedure for VAL server to provision required information to SEAL identity management server in order to support VAL user authentication is illustrated in Figure 12.3.4.2-1.

Reproduction of 3GPP TS 23.434, Fig. 12.3.4.2-1: VAL Server provisioning to SEAL Identity Management Server

Figure 12.3.4.2-1: VAL Server provisioning to SEAL Identity Management Server

Step 1.

The VAL server sends a request message to identity management server to provision required information. The request message includes identity of the VAL server, security credentials of the VAL server, and service provider specific information like identity list per VAL service.

Step 2.

Upon receiving the request, the identity management server authorizes the request based on the security credentials provided in the request and considering the service level agreement between VAL service provider and SEAL service provider. If VAL server is authorized to use the SEAL service, then the identity management server stores the details about the VAL server including the list of VAL user IDs per VAL service. The identity management server sends the response message to the VAL server.

12.4 SEAL APIs for identity management p. 142

12.4.1 General p. 142

Table 12.4.1-1 illustrates the SEAL APIs for identity management.

Table 12.4.1-1: List of SEAL APIs for identity management

API Name	API Operations	Known Consumer(s)	Communication Type
SS_IdmParameterProvisioning	Provide_Configuration	VAL server	Request /Response

12.4.3.1 General p. 143

API description:

This API enables the VAL server to provision configuration for the VAL service to the SEAL IM-S.

12.4.3.2 Provide_Configuration operation p. 143

API operation name:

Provide_Configuration

Description:

Provisioning of VAL service configuration to IM-S.

Known Consumers:

VAL server.

Inputs:

See subclause 12.3.2.1

Outputs:

See subclause 12.3.2.2

See subclause 12.3.4.2 for the details of usage of this API operation.