ETSI GS INS 001-2011 Identity and access management for Networks and Services IdM Interoperability between Operators or ISPs with Enterprise《网络和业务的身份和接入管理 运营商和ISP企业间的IdM互用性(版本1 1 1.pdf

《ETSI GS INS 001-2011 Identity and access management for Networks and Services IdM Interoperability between Operators or ISPs with Enterprise《网络和业务的身份和接入管理 运营商和ISP企业间的IdM互用性(版本1 1 1.pdf》由会员分享，可在线阅读，更多相关《ETSI GS INS 001-2011 Identity and access management for Networks and Services IdM Interoperability between Operators or ISPs with Enterprise《网络和业务的身份和接入管理 运营商和ISP企业间的IdM互用性(版本1 1 1.pdf（38页珍藏版）》请在麦多课文档分享上搜索。

1、 ETSI GS INS 001 V1.1.1 (2011-03)Group Specification Identity and access management for Networks and Services;IdM Interoperability between Operators orISPs with EnterpriseDisclaimer This document has been produced and approved by the Identity and Access Management for Networks and Services (ETSI INS

2、) ETSI Industry Specification Group (ISG) and represents the views of those members who participated in this ISG. It does not necessarily represent the views of the entire ETSI membership. ETSI ETSI GS INS 001 V1.1.1 (2011-03) 2Reference DGS/INS-001 Keywords access, ID, interoperability, management,

3、 network, service, use case ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice Individual copies o

4、f the present document can be downloaded from: http:/www.etsi.org The present document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF)

5、. In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of

6、 this and other ETSI documents is available at http:/portal.etsi.org/tb/status/status.asp If you find errors in the present document, please send your comment to one of the following services: http:/portal.etsi.org/chaircor/ETSI_support.asp Copyright Notification No part may be reproduced except as

7、authorized by written permission. The copyright and the foregoing restriction extend to reproduction in all media. European Telecommunications Standards Institute 2011. All rights reserved. DECTTM, PLUGTESTSTM, UMTSTM, TIPHONTM, the TIPHON logo and the ETSI logo are Trade Marks of ETSI registered fo

8、r the benefit of its Members. 3GPPTM is a Trade Mark of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. LTE is a Trade Mark of ETSI currently being registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM and the GSM logo are Trad

9、e Marks registered and owned by the GSM Association. ETSI ETSI GS INS 001 V1.1.1 (2011-03) 3Contents Intellectual Property Rights 5g3Foreword . 5g3Introduction 5g31 Scope 6g32 References 6g32.1 Normative references . 6g32.2 Informative references 6g33 Abbreviations . 7g34 IdM Overview: authenticatio

10、n and attribute exchange. 7g34.1 Operators/ISPs 7g34.1.1 Authentication . 7g34.1.2 Attribute Exchange . 8g34.2 Enterprise (and Home Network) 9g34.2.1 Authentication . 9g34.2.2 Attribute Exchange . 10g35 Operator/ISP-Enterprise Use Cases 10g35.1 SSO for small enterprises and home network users . 10g3

11、5.1.1 Description 10g35.1.2 Actors 10g35.1.2.1 Actors specific Issues 10g35.1.2.2 Actors specific benefits . 11g35.1.3 Pre-Condition 11g35.1.4 Post-Condition 11g35.1.5 Normative Flow 12g35.2 Attribute Sharing between Operator and Web Enterprise 12g35.2.1 Description 12g35.2.2 Actors 12g35.2.2.1 Acto

12、rs specific Issues 13g35.2.2.2 Actors specific benefits . 13g35.2.3 Pre-Condition 13g35.2.4 Post-Condition 13g35.2.5 Normative Flow 14g35.3 Outsource billing to operator 14g35.3.1 Description 14g35.3.2 Actors 14g35.3.2.1 Actors specific Issues 15g35.3.2.2 Actors specific benefits . 15g35.3.3 Pre-Con

13、dition 15g35.3.4 Post-Condition 15g35.3.5 Normative Flow 16g35.4 Integration of XaaS and multi-stage IdM systems . 17g35.4.1 Description 17g35.4.2 Actors 17g35.4.2.1 Actors specific Issues 17g35.4.2.2 Actors specific benefits . 18g35.4.3 Pre-Conditions 18g35.4.4 Post-Condition 18g35.4.5 Example Flow

14、 . 19g35.5 Authentication as a service . 20g35.5.1 Description 20g35.5.2 Actors 20g35.5.2.1 Actors Specific Issues . 20g35.5.2.2 Actor Specific Benefits . 21g3ETSI ETSI GS INS 001 V1.1.1 (2011-03) 45.5.3 Pre-conditions . 21g35.5.4 Post-conditions . 21g35.5.5 Example Flow . 22g35.6 Summary Table of U

15、se Cases. 22g36 Functional requirements . 23g37 Functional Requirements: Impact on current architectures 23g38 Functional architecture definition 24g38.1 General . 24g38.1.1 Authentication relationship . 25g38.1.2 Attribute exchange relationship 26g38.1.3 Functional elements description . 27g38.1.3.

16、1 Identity Provider . 27g38.1.3.2 Attribute Provider . 27g38.1.3.3 Authorization Authority 27g38.1.3.3.1 Authorization Enforcement . 27g38.1.3.3.2 Authorization Validation/Decision 28g38.1.3.4 Authentication Authority 28g38.1.3.4.1 Authentication Enforcement 28g38.1.3.4.2 Authentication Validation/D

17、ecision 28g38.1.3.5 Charging Provider . 28g38.1.3.6 Identity Provisioning . 29g38.1.3.7 Identity Broker 29g38.2 Interfaces 29g38.2.1.1 IdentityResolution . 29g38.2.1.2 IdentityManagement . 30g38.2.1.3 AttributeManagement . 30g38.2.1.4 IdentityAuthentication 31g38.2.2 IdentityCharging interface 32g38

18、.3 Protocols . 32g38.3.1 Interface c . 32g38.3.2 Interface d . 32g38.3.3 Interface e1 . 32g38.3.4 Interface e2 . 32g39 Operator/ISP-Enterprise IdM Interoperability instantiation . 33g39.1 Instantiation SSO for small enterprises and home network users . 33g39.1.1 Instantiation Video On Demand System

19、. 33g39.1.2 Instantiation Local IdM (e.g. Home or Enterprise IdM) . 33g39.1.3 Instantiation Operator IdM . 33g39.1.4 Use of Interfaces . 33g39.2 Instantiation Authentication as a Service . 34g39.2.1 Instantiation Enterprise . 34g39.2.2 Instantiation Mobile Operator . 35g39.2.3 Use of Interfaces . 36

20、g3Annex A (informative): Authors and contributors 37g3History 38g3ETSI ETSI GS INS 001 V1.1.1 (2011-03) 5Intellectual Property Rights IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicl

21、y available for ETSI members and non-members, and can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are available on the ETSI We

22、b server (http:/webapp.etsi.org/IPR/home.asp). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or

23、may be, or may become, essential to the present document. Foreword This Group Specification (GS) has been produced by ETSI Industry Specification (ISG) Identity and access management for Networks and Services (INS). Introduction In the present document we present an architecture and its instantiatio

24、n for use cases where interoperability exists between Operators and Enterprises in terms of authentication and attribute exchange. Historically both domains were seen as separated, without any kind of interactions. The demand for new scenarios, i.e. Software as a Service, implies that some interacti

25、ons need to be in place. This cooperation can be achieved either by exchanging data about the user or reusing the authentication context. The first part of the present document provides a brief overview of the actual authentication and attributes exchange within the Operator and the Enterprise. Next

26、, a set of use cases which demand for cooperation between Enterprise and Operators are presented. These use cases are the ground to collect the requirements and the impact of such requirements in the actual architectures. The second part of the present document presents the architecture in terms of

27、functions and its relationships, which answers the collected requirements. Moreover it describes the interfaces and the protocols such interfaces can use. Finally two examples of its instantiation are presented. ETSI ETSI GS INS 001 V1.1.1 (2011-03) 61 Scope The present document presents a set of us

28、e-cases where the interoperability between Operators and Enterprise allows authentication reuse and attributes exchange. It identifies and describes the requirements imposed by such scenarios, derives an architecture and describes a set of interfaces or operations between architectural elements. 2 R

29、eferences References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the reference document (including any amendments) applies.

30、 Referenced documents which are not found to be publicly available in the expected location might be found at http:/docbox.etsi.org/Reference. NOTE: While any hyperlinks included in this clause were valid at the time of publication ETSI cannot guarantee their long term validity. 2.1 Normative refere

31、nces The following referenced documents are necessary for the application of the present document. Not applicable. 2.2 Informative references The following referenced documents are not necessary for the application of the present document but they assist the user with regard to a particular subject

32、area. i.1 Cantor, S., Kemp, J., Philpott, R., and Maler, E.: “Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0“. March 2005. NOTE: Available at http:/docs.oasis-open.org/security/saml/v2.0/. i.2 OpenID Foundation. NOTE: Available at http:/ i.3 S. Cantor, J. Kemp,

33、 and D. Champagne (editors): “Liberty ID-FF bindings and profiles specification - 1.2-errata-v2.0, 2004. Liberty Alliance Project“. i.4 S. Cantor, J. Kemp, R. Philpott and E. Maler (editors): “Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0“, OASIS - December 20

34、09. i.5 S. Cantor, J. Kemp, R. Philpott, E. Maler and P. Mishra (editors): “Authentication Context for the OASIS Security Assertion Markup Language (SAML) V2.0“, OASIS - March 2005. i.6 S. Cantor, J. Kemp, R. Philpott, E. Maler and F. Hirsch (editors): “Bindings for the OASIS Security Assertion Mark

35、up Language (SAML) V2.0“, OASIS - March 2005. i.7 J. Hughes, S. Cantor, J. Hodges, P. Mishra, R. Philpott, E. Maler and F. Hirsch (editors): “Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0“, OASIS - December 2009. i.8 S. Cantor, J. Moreh, R. Phipott and E. Maler (editors): “Me

36、tadata for the OASIS Security Assertion Markup Language (SAML) V2.0“, OASIS - December 2009. i.9 F. Hirsch, R. Philpott and E. Maler (editors): “Security and Privacy Considerations for the OASIS Security Assertion Markup Language (SAML) V2.0“, OASIS - March 2005. ETSI ETSI GS INS 001 V1.1.1 (2011-03

37、) 7i.10 P. Mishra, R. Philpott and E. Maler (editors): “Conformance Requirements for the OASIS Security Assertion Markup Language (SAML) V2.0“, OASIS - March 2005. i.11 J. Hodges, R. Philpott and E. Maler (editors): “Glossary for the OASIS Security Assertion Markup Language (SAML) V2.0“, OASIS - Mar

38、ch 2005. 3 Abbreviations For the purposes of the present document, the following abbreviations apply: AAA Authentication Authorization and Accounting AAAS Authentication, Authorization and Accounting Server AKA Authentication and Key Agreement CPE Customer Premises Equipment DB DataBase DHP Data Han

39、dling Policy GSM Global System for Mobile Communications HSS Home Subscriber Server HTTP Hypertext Transfer Protocol ID IDentity IdM Identity Management IdP Identity ProviderIMSI International Mobile Subscriber Identity ISP Internet Service Provider LDAP Lightweight Directory Access Protocol ME Mobi

40、le Equipment MO Mobile Operator NAS Network Access Server PKI Public Key Infrastructure PW Password QoS Quality of Service SaaS Software as a Service SAML Security Assertion Markup Language SIM Subscriber Identity Module SP Service Provider SSO Single Sign-On U(SIM) Universal Subscriber Identity Mod

41、ule UE User Equipment USB Universal Serial Bus VoD Video on Demand VPN Virtual Private Network w.r.t. with respect to WS Web ServiceXaaS X as a Service 4 IdM Overview: authentication and attribute exchange 4.1 Operators/ISPs This clause briefly describes the authentication and attributes exchange me

42、chanisms and architecture for an operator. ETSI ETSI GS INS 001 V1.1.1 (2011-03) 84.1.1 Authentication Authentication defines the process where one entity (commonly named server) verifies another entitys claim to holding a specific digital identity (commonly named client). Authentication is accompli

43、shed using two different processes: i) Implicit authentication (device authentication) - relies only on an implicit authentication through physical or logical identity on the layer 2 transport layer. ii) Explicit authentication (user authentication) - relies on an explicit signaling between the clie

44、nt (UE) and the authentication server. The UE sends its corresponding credentials to the server where they must be validated. Different types of credentials could be used. Examples are passwords, digital certificates, or one-time tokens. The network registration involves the authentication and autho

45、rization procedures between a client (UE) and the server which controls the access to the access network based on the credentials the UE sent and the policies. In order to provide interoperability between various network equipments, protocols for various segments of the authentication model have bee

46、n standardized. Figure 1 provides an abstract architecture for the typically network authentication mechanisms. Figure 1: Network authentication abstract architecture The architecture is composed by different entities, presented next: 1) User Equipment (UE) - represents the entity which needs to be

47、authenticated, during the network registration. The result of a successful authentication procedure results in network access. 2) Network Access Server (NAS) - This entity translates the network access requests issued by the UE and forwards it to the AAA (Authentication, Authorization and Accounting

48、) Server. 3) AAA Server - represents the server which performs the user authentication and authorization for network access. This entity retrieves authentication data from a database that could, or not, be collocated with the AAA server. After a successfully authentication the AAA server produces a

49、set of authorization rules that are enforced in the NAS entity. Those rules are typically, operators defined and stored in the Attributes Database (DB). 4) AAA Proxy - the AAA Proxy is a typical AAA server which acts as a proxy for the users requests. Upon the reception of users requests it forwards them to the AAA server in charge of the authentication procedure. The AAA server location is one of the AAA proxy functionalities. Responses received back from the AAA server will be returned to the NAS. 5) Attributes DB - this entity cont