
Content for  TS 23.280  Word version:  19.4.0


10.6  General user authentication and authorization for MC services

10.6.1  Primary MC system |R15|

The user authentication process shown in Figure 10.6.1-1 may take place in some scenarios as a separate step independently from a SIP registration phase, for example if the SIP core is outside the domain of the MC service server.
A procedure for user authentication is illustrated in Figure 10.6.1-1. Other alternatives may be possible, such as authenticating the user within the SIP registration phase.
Reproduction of 3GPP TS 23.280, Fig. 10.6.1-1: MC service user authentication and registration with Primary MC system, single domain
Step 1.
In this step the identity management client begins the user authorization procedure. The MC service user supplies the user credentials (e.g. biometrics, secureID, username/password) for verification with the identity management server. This step may occur before or after step 3. In a MC system with multiple MC services, a single user authentication as in step 1 can be used for multiple MC service authorizations for the user.
Step 2.
The signalling user agent establishes a secure connection to the SIP core for the purpose of SIP level authentication and registration.
Step 3.
The signalling user agent completes the SIP level registration with the SIP core (and an optional third-party registration with the MC service server(s)).

10.6.2  Interconnection partner MC system |R15|

Where communications with a partner MC system using interconnection are required, user authorization takes place in the serving MC system of the MC service user, using the MCX user service authorization procedure specified in TS 33.180.

10.6.3  Migration to partner MC system |R15|

10.6.3.1  General

The following subclauses describe the procedure used for user authentication and service authorization when migrating to a partner MC system.
To enable migration, the inter-domain MCX user service authorization procedures specified in TS 33.180 are used.

10.6.3.2  Information flows

10.6.3.2.1  Migration service authorization request
Table 10.6.3.2.1-1 describes the information flow migration service authorization request sent from the MC service client of the migrating MC service user to the partner MC service server, and from the partner MC service server to the primary MC service server of the migrating MC service user.

| Information element | Status | Description |
|---|---|---|
| MC service ID (see NOTE 1) | M | The MC service ID of the migrating MC service user provided by the partner MC system. |
| MC service ID | M | The MC service ID of the migrating MC service user in the primary MC system of the MC service user. |
| MC service user profile index (see NOTE 2) | M | The MC service user profile index of the selected MC service user profile. |

NOTE 1: The MC service ID is provided by the identity management server in the partner MC system during authentication of the migrating MC service user.
NOTE 2: The MC service user profile index refers to the MC service user profile provided by the primary MC system of the MC service user that has been selected by the MC service user in order to request migrated MC service on the partner MC system.

10.6.3.2.2  Migration service authorization response
Table 10.6.3.2.2-1 describes the information flow migration service authorization response sent from the primary MC service server of the migrating MC service user to the partner MC service server of the migrating MC service user, and from the partner MC service server to the MC service client of the migrating MC service user. This information flow is sent individually addressed on unicast or multicast.

| Information element | Status | Description |
|---|---|---|
| MC service ID (see NOTE) | M | The MC service ID of the migrating MC service user provided by the partner MC system. |
| MC service ID (see NOTE) | M | The MC service ID of the migrating MC service user in the primary MC system of the MC service user. |
| Result | M | Success or failure of the migration MC service authorization request. |

NOTE: The MC service IDs are the MC service IDs that were provided in the migration service authorization request.

10.6.3.2.3  Migration service de-authorization notification |R18|
Table 10.6.3.2.3-1 describes the information flow migration service de-authorization notification sent by an MC service server of the primary MC system of the migrated MC service user to the migrated partner MC system from which the MC service user is migrating out.

| Information element | Status | Description |
|---|---|---|
| MC service ID (see NOTE 1) | M | The MC service ID of the migrated MC service user provided by the partner MC system. |
| MC service ID | M | The MC service ID of the migrated MC service user in the primary MC system of the MC service user. |

NOTE 1: The MC service ID is provided by the identity management server in the partner MC system during authentication of the migrated MC service user.

10.6.3.2.4  MC service authorization notification |R18|
Table 10.6.3.2.4-1 describes the information flow about the notification for successful completion of MC service user service authorization after migrating to the partner MC system.

| Information element | Status | Description |
|---|---|---|
| MC service ID | M | The MC service ID of the migrating MC service user provided by the partner MC system. |
| Service authorization Indication | M | Indication to provide the successful completion of MC service user service authorization after migrating to the partner MC system. |

10.6.3.3  Procedures

10.6.3.3.1  Migration service authorization procedure |R18|
The procedure for service authorization for migration to a partner MC system and subsequent service authorization to migration partner MC system is shown in Figure 10.6.3.3.1-1.
Pre-conditions
  • The MC service user wishes to migrate to the partner MC system.
  • The MC service client has been configured with an MC service user profile that contains the necessary parameters needed for connectivity with the partner MC system.
  • A user authentication process has taken place which has supplied the necessary credentials to the MC service client to permit service authorization to take place in the partner MC system.
Reproduction of 3GPP TS 23.280, Fig. 10.6.3.3.1-1: Service authorization for migration to partner MC system and subsequent service authorization
Step 1.
The MC service client requests migration service authorization with the partner MC service server indicating the selected MC service user profile to be used during migrated MC service. The MC service client provides both the MC service ID provided during user authentication in the partner MC system, and the MC service ID of the MC service user in the primary MC system of the MC service user.
Step 2.
The partner MC service server performs an initial authorization check to verify that the MC service user is permitted to migrate to the partner MC system from the primary MC system of the MC service user.
Step 3.
The partner MC service server identifies the primary MC system of the MC service user of the MC service client by use of the MC service ID of the MC service user in the primary MC system of the MC service user, which was presented by the MC service client in step 1, and sends a migration service authorization request to the gateway server in the partner MC system.
Step 4.
The partner MC system gateway server identifies the primary MC system of the MC service user from the MC service ID presented in step 3, and forwards the migration service authorization request to the gateway server of the primary MC system.
Step 5.
The gateway server in the primary MC system of the MC service user identifies the primary MC service server of the MC service user from the MC service ID presented in step 3, and forwards the migration service authorization request to that MC service server.
Step 6.
The primary MC service server of the MC service user performs an authorization check, to verify that migration is permitted to that partner MC system by this MC service user using the indicated MC service user profile.
Step 7.
The primary MC service server marks the MC service user as having migrated, and records the partner MC system as the migrated MC system. The primary MC service server also stores other necessary information related to the migrated MC service user (e.g., MC service ID of the migrated MC service user provided by the primary MC system mapped to the MC service ID of the migrated MC service user provided by partner MC system).
Step 8.
The primary MC service server sends a migration service authorization response to the gateway server in the primary MC system.
Step 9.
The gateway server in the primary MC system sends the migration service authorization response to the gateway server in the partner MC system.
Step 10.
The gateway server in the partner MC system sends the migration service authorization response to the partner MC service server.
Step 11.
The partner MC service server stores the necessary information related to the migrated MC service user (e.g., MC service ID of the migrated MC service user provided by the primary MC system mapped to the MC service ID of the migrated MC service user provided by partner MC system). The migration status of the MC service user allows proper communication redirection back to the primary MC system once the migrated MC service user is no longer migrated on this partner MC system.
Step 12.
The partner MC service server sends the migration service authorization response to the MC service client, confirming that successful migration and service authorization has taken place.
Step 13.
The MC service user successfully completes the MC service authorization with the MC service server within the partner MC system into which the MC service user is migrating.
Step 14.
The partner MC service server of partner MC system notifies the primary MC system of the MC service user of the MC service client by sending the MC service authorization notification.
10.6.3.3.2  Migration service de-authorization procedure initiated by MC service server |R18|
10.6.3.3.2.1  Migrated MC service user returns back to its primary MC system
The procedure for migration service de-authorization from a partner MC system is shown in Figure 10.6.3.3.2.1-1.
Pre-conditions
  • The MC service user has successfully completed the MC service authorisation with the MC service server within the primary MC system to which the MC service user is returning from the migrated MC system.
Reproduction of 3GPP TS 23.280, Fig. 10.6.3.3.2.1-1: Service de-authorization of migration from partner MC system
Step 1.
The primary MC service server sends a migration service de-authorization notification to the primary MC system gateway server.
Step 2.
The primary MC system gateway server sends the migration service de-authorization notification to the partner MC system gateway server.
Step 3.
The partner MC system gateway server sends the migration service de-authorization notification to the partner MC service server.
Step 4.
The partner MC service server updates the stored necessary information related to the was-migrated MC service user accordingly (e.g., MC service user's MC service ID provided by the primary MC system mapped to the MC service ID provided by partner MC system).
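The authorization checks and ID mappings of clause 10.6.3.3.1, together with the de-authorization step above, can be modelled as follows. This is an added example, not part of TS 23.280: the class, field and method names are hypothetical, the gateway servers are omitted, and both the user@domain form of the MC service ID and the peer table used for the step 2 check are assumptions.

```python
from dataclasses import dataclass  # added illustration; all names are hypothetical

@dataclass(frozen=True)
class MigrationAuthRequest:       # Table 10.6.3.2.1-1
    partner_id: str               # MC service ID provided by the partner MC system
    primary_id: str               # MC service ID in the primary MC system
    profile_index: int            # index of the selected MC service user profile

@dataclass(frozen=True)
class MigrationAuthResponse:      # Table 10.6.3.2.2-1
    partner_id: str
    primary_id: str
    success: bool                 # Result

class PrimaryServer:
    def __init__(self, policy):
        self.policy = policy      # primary_id -> {(partner system, profile index)}
        self.migrated = {}        # primary_id -> (partner system, partner_id)

    def authorize(self, req, partner_system):
        # Step 6: this user, this partner system and this profile, together.
        ok = (partner_system, req.profile_index) in self.policy.get(req.primary_id, ())
        if ok:                    # Step 7: mark as migrated, keep the ID mapping
            self.migrated[req.primary_id] = (partner_system, req.partner_id)
        return MigrationAuthResponse(req.partner_id, req.primary_id, ok)

class PartnerServer:
    def __init__(self, name, peers):
        self.name, self.peers = name, peers  # peers: primary domain -> PrimaryServer
        self.mapping = {}                    # partner_id -> primary_id

    def handle(self, req):
        failure = MigrationAuthResponse(req.partner_id, req.primary_id, False)
        # Assumed ID form user@domain; the domain selects the primary MC system.
        primary = self.peers.get(req.primary_id.rpartition("@")[2])
        if primary is None:       # Step 2 (assumed policy): unknown peer, fail closed
            return failure
        resp = primary.authorize(req, self.name)    # Steps 3-10, gateways omitted
        # NOTE of Table 10.6.3.2.2-1: the response carries the request's IDs.
        if (resp.partner_id, resp.primary_id) != (req.partner_id, req.primary_id):
            return failure
        if resp.success:          # Step 11: store the ID mapping
            self.mapping[req.partner_id] = req.primary_id
        return resp               # Step 12

    def deauthorize(self, partner_id, primary_id):
        # 10.6.3.3.2.1 step 4: drop the mapping only when both IDs match it.
        if self.mapping.get(partner_id) != primary_id:
            return False
        return self.mapping.pop(partner_id) == primary_id
```

Both servers keep their own copy of the ID mapping, so a de-authorization notification whose ID pair does not match the stored one leaves the partner's state untouched.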
10.6.3.3.2.2  Migrated MC service user migrate to another partner MC system
The procedure for migration service de-authorization from a partner MC system is shown in Figure 10.6.3.3.2.2-1.
Pre-conditions
  • The MC service user has successfully completed the MC service authorization with the MC service server within the partner MC system C into which the MC service user is migrating.
Reproduction of 3GPP TS 23.280, Fig. 10.6.3.3.2.2-1: Service de-authorization of migration from partner MC system
Step 1.
The partner MC service server of partner MC system C notifies the primary MC system of the MC service user of the MC service client by sending the MC service authorization notification.
Step 2.
Send the migration service de-authorization notification as specified in the steps 1-4 in Figure 10.6.3.3.2.1-1 of clause 10.6.3.3.2.1.
