
TR 33.980 (Word version 18.0.0)


0  Introduction (p. 5)

1  Scope (p. 6)

The present document provides guidelines on the interworking of the Generic Authentication Architecture (GAA) and the Liberty Alliance architecture. The document studies the details of possible interworking methods between the Security Assertion Markup Language v2.0, SAML v2.0 (or alternatively the Liberty Alliance Identity Federation Framework, ID-FF), the Identity Web Services Framework (ID-WSF), the Security Assertion Markup Language (SAML) and a component of GAA called the Generic Bootstrapping Architecture (GBA). This document only applies if Liberty Alliance and GBA, or SAML v2.0 and GBA, are used in combination.

2  References (p. 6)

The following documents contain provisions which, through reference in this text, constitute provisions of the present document.
  • References are either specific (identified by date of publication, edition number, version number, etc.) or non-specific.
  • For a specific reference, subsequent revisions do not apply.
  • For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same Release as the present document.
[1] TS 33.220: "Generic Authentication Architecture (GAA); Generic bootstrapping architecture".
[2] TS 33.222: "Generic Authentication Architecture (GAA); Access to network application functions using Hypertext Transfer Protocol over Transport Layer Security (HTTPS)".
[3] TS 33.221: "Generic Authentication Architecture (GAA); Support for subscriber certificates".
[4] TS 24.109: "Bootstrapping interface (Ub) and network application function interface (Ua); Protocol details".
[5] TS 29.109: "Generic Authentication Architecture (GAA); Zh and Zn Interfaces based on the Diameter protocol; Stage 3".
[6] Liberty Alliance Project, ID-WSF v2.0: "Liberty ID-WSF Security Mechanisms".
[7] Liberty Alliance Project, ID-FF v1.2: "Liberty ID-FF Architecture Overview".
[8] Liberty Alliance Project, ID-WSF v2.0: "Liberty ID-WSF Authentication Service Specification and Single Sign-On Service".
[9] Liberty Alliance Project, ID-WSF v2.0: "Liberty ID-WSF SOAP Binding Specification".
[10] Liberty Alliance Project, ID-WSF v2.0: "Liberty ID-WSF Discovery Service Specification".
[11] Organization for the Advancement of Structured Information Standards (OASIS), SAML v2 Core: "Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0".
[12] Liberty Alliance Project, ID-FF v1.2: "Liberty ID-FF Bindings and Profiles Specification".
[13] Organization for the Advancement of Structured Information Standards (OASIS): "Profiles for the OASIS Security Assertion Markup Language (SAML) v2.0".
[14] Liberty Alliance Project, ID-WSF v1.2: "Security Mechanisms".
[15] Liberty Alliance Project Support Documents: "Authentication Context Specification" v2.0.
[16] Liberty Alliance Project, ID-WSF: "Profiles for Liberty enabled User Agents and Devices" v2.0.
[17] RFC 2222 (1997): "Simple Authentication and Security Layer (SASL)".
[18] RFC 2831 (2000): "Using Digest Authentication as a SASL Mechanism".
[19] RFC 2617 (1999): "HTTP Authentication: Basic and Digest Access Authentication".
[20] Liberty Alliance Project Support Documents: "Liberty Reverse HTTP Binding for SOAP Specification" v1.1.
[21] TR 21.905: "Vocabulary for 3GPP Specifications".
[22] RFC 3546 (2003-06): "Transport Layer Security (TLS) Extensions".
[23] Liberty Alliance Project, ID-SIS: "Liberty Alliance ID-SIS 1.0 Specifications".
[24] RFC 2246 (1999-01): "The TLS Protocol Version 1.0".
[25] RFC 4279 (2005-12): "Pre-Shared Key Ciphersuites for Transport Layer Security (TLS)".
[26] Liberty Alliance Project, ID-FF v1.2: "Liberty ID-FF Protocols and Schema Specification".
[27] Organization for the Advancement of Structured Information Standards (OASIS): "Authentication Contexts for the OASIS Security Assertion Markup Language (SAML) V2.0".
[28] Organization for the Advancement of Structured Information Standards (OASIS), SAML v2 Core: "Conformance Requirements for the OASIS Security Assertion Markup Language (SAML) V2.0".
[29] TS 23.003: "Numbering, addressing and identification".

3  Definitions, symbols and abbreviations (p. 7)

3.1  Definitions (p. 7)

For the purposes of the present document, the terms and definitions given in TR 21.905 and the following apply.

Assertion (SAML assertion): An XML-based data structure defined by SAML v2.0 [28]. Assertions are collections of one or more statements made by a SAML authority (also known as an issuer), such as an authentication statement or an attribute statement. As used in Liberty, assertions typically concern things such as an act of authentication performed by the Principal, attribute information about a Principal, or an authorization permission applying to a Principal with respect to a specified resource.

Attribute: A distinct, named characteristic of a Principal or other system entity.

Bootstrapping Server Function (BSF): A BSF is hosted in a network element under the control of an MNO. The BSF, the HSS and UEs participate in GBA, in which a shared secret is established between the network and a UE by running a bootstrapping procedure. The shared secret can then be used between NAFs and UEs, for example for authentication purposes.

Defederate (federation termination): To eliminate the linkage between a Principal's account at an identity provider and a service provider.

Discovery Service (DS): An ID-WSF service facilitating the registration, and subsequent discovery, of ID-WSF service instances, as indexed by Principal identity [10].

Federation: An act of establishing a relationship between two entities, or an association comprising any number of service providers and identity providers.

GBA Function: A function on the ME that executes the bootstrapping procedure with the BSF (i.e. supports the Ub reference point) and provides Ua applications with a security association for running the bootstrapping usage procedure. The GBA function is called by a Ua application when that application wants to use the bootstrapped security association.

Identity Provider (IdP): A Liberty-enabled system entity that manages identity information on behalf of Principals and provides assertions of Principal authentication to other providers, e.g. service providers.

Liberty-Enabled User Agent or Device (LUAD): A device (or user agent) that has specific support for one or more profiles of the Liberty specifications. A LUAD may perform one or more Liberty system entity roles as defined by the Liberty specifications it implements. For example, a LUAD-LECP is a user agent or device that supports the Liberty LECP profile, a LUAD-ECP is a user agent or device that supports the SAML v2.0 ECP Profile, and a LUAD-DS would be a device or user agent offering a Liberty ID-WSF Discovery Service [10].

Liberty Identity Federation Framework (ID-FF): A system that enables identity federation and management through features such as identity/account linkage, simplified sign-on, and simple session management.

Liberty Identity Web Services Framework (ID-WSF): A system that provides the framework for building interoperable identity services, permission-based attribute sharing, identity service description and discovery, and the associated security profiles.

Network Application Function (NAF): A NAF is hosted in a network element. GBA may be used between NAFs and UEs for authentication purposes, and for securing the communication path between the UE and the NAF.

Principal: A Principal is a system entity whose identity can be authenticated. In Liberty usage the term Principal is often synonymous with "user". The Principal is the legitimate user of the UE.

Service Provider (SP): An SP is a role donned by system entities. The SP interacts with other system entities primarily via plain HTTP. From a Principal's perspective, a Service Provider is typically a web site providing services and/or goods.

Web Service:
  1. A service defined in terms of an XML-based protocol, often transported over SOAP, and/or a service whose instances, and possible data objects managed therein, are concisely addressable via URIs.
  2. A web service utilizing [9], [6] and [10].

Web Service Consumer (WSC): A WSC is a role donned by a system entity when it makes a request to a web service.

Web Service Provider (WSP): A WSP is a role donned by a system entity when it provides a web service.

3.2  Abbreviations (p. 8)

For the purposes of the present document, the following abbreviations apply (origin of term given where it is GAA or LAP/SAML):

AS: Authentication Service (as defined by LAP)
BSF: Bootstrapping Server Function (GAA)
B-TID: Bootstrapping Transaction Identifier (GAA)
DS: Discovery Service (as defined by LAP)
ECP: Enhanced Client or Proxy (as defined by SAML)
FQDN: Fully Qualified Domain Name
GAA: Generic Authentication Architecture
GBA: Generic Bootstrapping Architecture (GAA)
GSID: GAA Service Identifier (GAA)
GUSS: GBA User Security Settings (GAA)
HSS: Home Subscriber Server
ID-FF: Identity Federation Framework (as defined by LAP)
ID-SIS: Identity Service Interface Specification (as defined by LAP)
IdP: Identity Provider (as defined by LAP/SAML)
ID-WSF: Identity Web Services Framework (as defined by LAP)
LAP: Liberty Alliance Project
LECP: Liberty-Enabled Client or Proxy (as defined by LAP)
LUAD: Liberty-Enabled User Agent or Device (as defined by LAP)
NAF: Network Application Function (GAA)
PAOS: Reversed HTTP binding for SOAP (as defined by LAP/SAML)
SAML: Security Assertion Markup Language
SASL: Simple Authentication and Security Layer
SOAP: Simple Object Access Protocol
SP: Service Provider
SSO: Single Sign-On
SSOS: SSO Service
UE: User Equipment
UID: User Identifier
USS: User Security Setting
WSC: Web Service Consumer (as defined by LAP)
WSP: Web Service Provider (as defined by LAP)
