Content for TR 33.995 Word version: 18.0.0
1 Scope
2 References
3 Definitions and abbreviations
3.1 Definitions
3.2 Abbreviations
4 Relation of the present study to other related work in 3GPP
5 Requirements identified in the present study
6 Solutions for Liberty Alliance/SAML - 3GPP interworking
6.1 General
...
...
1 Scope p. 5
The present study investigates the security aspects of the service requirements specified by SA1 in clause 26 of TS 22.101, on the integration of SSO frameworks with 3GPP networks for various operator authentication configurations (e.g. configurations using GBA or not using GBA).
In particular, this study evaluates existing interworking solutions between SSO frameworks and 3GPP authentication mechanisms against the SA1 service requirements. The study is not limited to evaluation of existing interworking solutions and new interworking solutions may be developed as appropriate.
The study covers the security requirements to enable the operator to become the preferred SSO Identity Provider by allowing the usage of credentials on the UE for SSO services, as well as ways for the 3GPP operator to leverage its trust framework and its reliable and robust secure credential handling infra-structure to provide SSO service based on operator-controlled credentials.
2 References p. 5
The following documents contain provisions which, through reference in this text, constitute provisions of the present document.
- References are either specific (identified by date of publication, edition number, version number, etc.) or non-specific.
- For a specific reference, subsequent revisions do not apply.
- For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same Release as the present document.
[1]
TR 21.905: "Vocabulary for 3GPP Specifications".
[2]
TR 22.895: "Study on Service aspects of integration of Single Sign-On (SSO) frameworks with 3GPP operator-controlled resources and mechanisms".
[3]
TR 33.980: "Interworking of Liberty Alliance Identity Federation Framework (ID-FF), Identity Web Service Framework (ID-WSF) and the Generic Authentication Architecture (GAA)".
[4]
TR 33.924: "Identity management and 3GPP security interworking; Identity management and Generic Authentication Architecture (GAA) interworking".
[5]
TR 33.804: "Single Sign On Application Security for Common IMS - based on SIP Digest".
[6]
TS 33.220: "Generic Authentication Architecture (GAA); Generic Bootstrapping Architecture".
[7]
TS 24.109: "Bootstrapping interface (Ub) and network application function interface (Ua); Protocol details".
[8]
TS 29.109: "Generic Authentication Architecture (GAA); Zh and Zn Interfaces based on the Diameter protocol; Stage 3".
[9]
OpenID Foundation "OpenID Authentication 2.0", http://openid.net/ .
[10]
TS 33.222: "Access to network application functions using Hypertext Transfer Protocol over Transport Layer Security (HTTPS)"
[11]
TS 22.101: "Service aspects; Service principles".
[12]
TR 33.905: "Recommendations for trusted open platforms".
[13]
OpenID Foundation "OpenID Provider Authentication Policy Extension 1.0", http://openid.net/ .
3 Definitions and abbreviations p. 6
3.1 Definitions p. 6
For the purposes of the present document, the terms and definitions given in TR 21.905, TS 22.101 and the following apply. A term defined in the present document takes precedence over the definition of the same term, if any, in TR 21.905.
Authorization:
a mechanism or process which determines what a particular user or a group of users can access or do.
Multi-factor authentication:
a method of logon verification where at least two different factors of proof are provided, and jointly verified. There are three generally recognized types of authentication factors:
- Type 1 - Something You Know. Type 1 includes, but is not limited to, passwords, PINs, combinations, code words, or secret handshakes. Anything that a user can remember and then type, say, do, perform, or otherwise recall when needed falls into this category.
- Type 2 - Something You Have. Type 2 includes all items that are physical objects, such as, but not limited to, keys, smart phones, smart cards, USB drives, and token devices. (A token device produces a time-based PIN or can compute a response from a challenge number issued by the server.)
- Type 3 - Something You Are. Type 3 includes any part of the human body that can be offered for verification, such as, but not limited to, fingerprints, palm scanning, facial recognition, retina scans, iris scans, and voice verification.
a method of logon verification where the authentication can take several steps or phases to complete. Multi-step authentication differs from multi-factor authentication in that it does not strictly require that each authentication factor be different, or that multiple factors are evaluated in conjunction.
3.2 Abbreviations p. 6
For the purposes of the present document, the abbreviations given in TR 21.905, TS 22.101 and the following apply. An abbreviation defined in the present document takes precedence over the definition of the same abbreviation, if any, in TR 21.905.
IdP
Identity Provider
RP
Relaying Party
SSO
Single Sign-On
4 Relation of the present study to other related work in 3GPP p. 6
Other SSO related work in 3GPP
Completed SA1 work
This study evaluates the completed and ongoing SA3 SSO work against the service requirements identified by SA1 in clause 26 of TS 22.101.
All input in this study is intended to have a clear relation to the SA1 service requirements. This study is not intended duplicate functionality supporting SA1 service requirements, when such functionality can be offered by existing SSO mechanisms. In particular existing solutions in other SA3 specifications are evaluated and new ones can be proposed only if the existing solutions would not meet the SA1 service requirements.
- SSO requirements, clause 26 of TS 22.101;
- Study on integration of SSO frameworks with 3GPP, TR 22.895.
- Liberty - GBA interworking, TR 33.980;
- OpenID - GBA interworking, TR 33.924.
- SSO with SIP Digest, TR 33.804.
5 Requirements identified in the present study p. 7
The purpose of this clause is to identify potential security requirements in the present study, if any. The requirements may be general or specific to identified SSO frameworks as seen appropriate.
6 Solutions for Liberty Alliance/SAML - 3GPP interworking p. 7
6.1 General p. 7
The purpose of this clause is to investigate the existing (and possible new) solutions for interworking of Liberty Alliance/SAML and 3GPP authentication mechanisms and evaluate the solutions against the SA1 requirements.
