ETSI GS INS 003-2010 Identity and access management for Networks and Services Distributed User Profile Management Using Network Operator as Identity Broker (V1 1 1)《网络和业务的身份和接入管理 分.pdf

1、 ETSI GS INS 003 V1.1.1 (2010-11)Group Specification Identity and access management for Networks and Services;Distributed User Profile Management;Using Network Operator as Identity BrokerETSI ETSI GS INS 003 V1.1.1 (2010-11) 2Reference DGS/INS-003 Keywords access, ID, manegement, network, profile, s

2、ervice ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice Individual copies of the present documen

3、t can be downloaded from: http:/www.etsi.org The present document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF). In case of dispute,

4、 the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI

5、documents is available at http:/portal.etsi.org/tb/status/status.asp If you find errors in the present document, please send your comment to one of the following services: http:/portal.etsi.org/chaircor/ETSI_support.asp Copyright Notification No part may be reproduced except as authorized by written

6、 permission. The copyright and the foregoing restriction extend to reproduction in all media. European Telecommunications Standards Institute 2010. All rights reserved. DECTTM, PLUGTESTSTM, UMTSTM, TIPHONTM, the TIPHON logo and the ETSI logo are Trade Marks of ETSI registered for the benefit of its

7、Members. 3GPPTM is a Trade Mark of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. LTE is a Trade Mark of ETSI currently being registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered an

8、d owned by the GSM Association. ETSI ETSI GS INS 003 V1.1.1 (2010-11) 3Contents Intellectual Property Rights 5g3Foreword . 5g31 Scope 6g32 References 6g32.1 Normative references . 6g32.2 Informative references 6g33 Definitions and abbreviations . 7g33.1 Definitions 7g33.2 Abbreviations . 8g34 User P

9、rofile Management in Cross-Domain Cases 8g34.1 Current Landscape 9g34.1.1 OASIS SAML. 9g34.1.2 Liberty Alliance ID-WSF and DST 10g34.1.3 OpenID Attribute Exchange . 11g34.1.4 3GPP GUP and UDC 11g34.1.4.1 Generic User Profile 11g34.1.4.1.1 General Architecture . 11g34.1.4.1.2 GUP Server 11g34.1.4.1.3

10、 Repository Access Function (RAF) . 12g34.1.4.1.4 Applications. 12g34.1.4.2 3GPP User Data Convergence 13g34.1.4.2.1 Entities . 13g34.1.4.2.2 Message Types 14g34.1.5 OMA GSSM, SUPM, NGSI . 14g34.1.6 ETSI STF 342 . 14g34.2 Problem Statement . 15g34.3 Potential Network Operator Role . 15g35 Use Cases

11、. 15g35.1 My personal profile service 15g35.1.1 Short Description 15g35.1.2 Actors 16g35.1.2.1 Actor Specific Issues . 16g35.1.2.2 Actor Specific Benefits . 16g35.1.3 Pre-conditions . 16g35.1.4 Post-conditions . 17g35.1.5 Normal Flow . 17g35.1.6 Alternative Flow 1: Updates the data with selected ser

12、vices 18g35.1.7 Alternative Flow 2: MyPersonal Portal Service with Identity Provider storing data 19g35.2 Use Case 2: Web Shop usage without subscription 19g35.2.1 Short Description 19g35.2.2 Actors 19g35.2.2.1 Actor Specific Issues . 20g35.2.2.2 Actor Specific Benefits . 20g35.2.3 Pre-conditions .

13、20g35.2.4 Post-conditions . 21g35.2.5 Normal Flow . 21g35.2.6 Alternative Flow 1: Video Purchase with Federation . 22g35.3 Use Case 2-b: Web Shop usage with subscription . 22g35.3.1 Short Description 22g35.3.2 Actors 23g35.3.2.1 Actor Specific Issues . 23g35.3.2.2 Actor Specific Benefits . 23g35.3.3

14、 Pre-conditions . 23g3ETSI ETSI GS INS 003 V1.1.1 (2010-11) 45.3.4 Post-conditions . 24g35.3.5 Normal Flow. 24g35.3.6 Alternative Flow 1: Video Purchase with Users interruption. 25g35.4 Profile updates from individual services 25g35.4.1 Short Description 25g35.4.2 Actors . 26g35.4.2.1 Actor Specific

15、 Issues 26g35.4.2.2 Actor Specific Benefits . 26g35.4.3 Pre-conditions . 26g35.4.4 Post-conditions . 27g35.4.5 Normal Flow 27g35.4.6 Alternative Flow 1: Updates the data according to the pre-define rules . 28g35.4.7 Alternative Flow 2: Updates the data with Users interruption . 29g35.5 User identity

16、 attribute sharing between operator/ISP and web enterprise 29g35.5.1 Description . 29g35.5.2 Actors . 29g35.5.2.1 Actors specific Issues 30g35.5.2.2 Actors specific benefits . 30g35.5.3 Pre-Condition . 30g35.5.4 Post-Condition 30g35.5.5 Normative Flow 30g36 Requirements 31g36.1 User 31g36.2 Service

17、Provider . 31g36.2.1 As provider of user profile 31g36.2.2 As consumer of user profile 31g36.3 Identity Broker . 31g37 Technical Details 32g37.1 Architecture 32g37.2 Components 33g37.3 Interfaces: Interface between User Profile Consumer (and User) and Identity Broker 33g37.4 Interface between Identi

18、ty Broker and User Profile Provider 33g37.5 Accessing Protocol . 34g37.5.1 DST usage . 34g37.5.2 SAML-DST 35g37.6 User Profile Schema . 35g38 Conclusion 35g3Annex A (informative): Authors and contributors 36g3History 37g3ETSI ETSI GS INS 003 V1.1.1 (2010-11) 5Intellectual Property Rights IPRs essent

19、ial or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentiall

20、y Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (http:/webapp.etsi.org/IPR/home.asp). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by

21、 ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document. Foreword This Group Specification (GS) has been produced by ETSI Industry Specification

22、 (ISG) Identity and access management for Networks and Services (INS). ETSI ETSI GS INS 003 V1.1.1 (2010-11) 61 Scope The present document analyses the telecommunication operators role acting as Identity Broker to facilitate the anchor functionalities for the management of distributed user profile i

23、nformation, which is currently handled in an ad-hoc or proprietary way without standardized way. The present document also defines the protocol specifying the procedure to access to the user profile information via Identity Broker, the extensible user profile data model as core and the user profile

24、data model for the telecommunication area, to be standardized. 2 References References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest ver

25、sion of the reference document (including any amendments) applies. Referenced documents which are not found to be publicly available in the expected location might be found at http:/docbox.etsi.org/Reference. NOTE: While any hyperlinks included in this clause were valid at the time of publication ET

26、SI cannot guarantee their long term validity. 2.1 Normative references The following referenced documents are necessary for the application of the present document. 1 Liberty Alliance Data Services Template v2.1. NOTE: Available at http:/www.projectliberty.org/liberty/content/download/879/6213/file/

27、liberty-idwsf-dst-v2.1.pdf. 2 OASIS Security Services (SAML) TC. NOTE: Available at http:/www.oasis-open.org/committees/security/. 2.2 Informative references The following referenced documents are not necessary for the application of the present document but they assist the user with regard to a par

28、ticular subject area. i.1 ETSI TR 122 985: “Universal Mobile Telecommunications System (UMTS); Service requirements for the User Data Convergence (UDC) (3GPP TR 22.985)“. i.2 ETSI TS 123 335: “Universal Mobile Telecommunications System (UMTS); LTE; User Data Convergence (UDC); Technical realization

29、and information flows; Stage 2 (3GPP TS 23.335)“. i.3 ETSI TS 129 240 (V8.0.0): “Universal Mobile Telecommunications System (UMTS); LTE; 3GPP Generic User Profile (GUP); Stage 3; Network (3GPP TS 29.240 version 8.0.0 Release 8)“. i.4 ETSI TS 129 335: “Digital cellular telecommunications system (Phas

30、e 2+); Universal Mobile Telecommunications System (UMTS); LTE; User Data Convergence (UDC); User data repository access protocol over the Ud interface; Stage 3 (3GPP TS 29.335)“. i.5 Liberty ID-WSF Web Services Framework Overview. NOTE: Available at http:/www.projectliberty.org/liberty/content/downl

31、oad/889/6243/file/liberty-idwsf-overview-v2.0.pdf. i.6 OpenID. NOTE: Available at http:/ ETSI ETSI GS INS 003 V1.1.1 (2010-11) 7i.7 Open Mobile Alliance. NOTE: Available at http:/www.openmobilealliance.org/. i.8 Open Mobile Alliance, OMA-ERP-GSSM-V1-0: “OMA General Service Subscription Management“.

32、NOTE: Available at http:/www.openmobilealliance.org/. i.9 Open Mobile Alliance, OMA-RD-SUPM-V1-0: “Service User Profile Management Architecture“. NOTE: Available at http:/www.openmobilealliance.org/. i.10 Open Mobile Alliance, OMA-ERP-NGSI-V1_0: “OMA Next Generation Service Interfaces“. NOTE: Availa

33、ble at http:/www.openmobilealliance.org/. i.11 ETSI EG 202 325 (V1.1.1): “Human Factors (HF); User Profile Management“. i.12 ETSI ES 202 746 (V1.1.1): “Human Factors (HF); Personalization and User Profile Management; User Profile Preferences and Information“. i.13 ETSI TS 102 747 (V1.1.1): “Human Fa

34、ctors (HF); Personalization and User Profile Management; Architectural Framework“. i.14 Schema for Open ID Exchange (AX Schema). NOTE: Available at http:/www.axschema.org/. i.15 Organization for the Advancement of Structured Information Standards. NOTE: Available at http:/www.oasis-open.org/. i.16 E

35、TSI GS INS 002: “ Identity and Access Management for Networks and Services; Distributed Access Control for Telecommunications; Use Cases and Requirements“. i.17 ETSI GS INS 001: “Identity and access management for Networks and Services; IdM Inter-operability between Operators or ISPs with Enterprise

36、“. 3 Definitions and abbreviations 3.1 Definitions For the purposes of the present document, the following terms and definitions apply: circle of trust: federation of service providers and identity providers that have business relationships based on Liberty (or similar) architecture, and operational

37、 agreements, with whom users can transact business in a secure and seamless environment identity broker: Service Provider that receives requests for Identity information from another Service Provider and subsequently requests that information from other Provider(s) NOTE: The Identity Broker aggregat

38、es the data and responds to the originating Service Provider. ETSI ETSI GS INS 003 V1.1.1 (2010-11) 83.2 Abbreviations For the purposes of the present document, the following abbreviations apply: AX Attribute Exchange CRUD Create Read Update and Delete DTS Data Services Template FE Front Ends GSSM G

39、eneral Service Subscription Management GUP Generic User Profile HLR Home Location Register HSS Home Subscriber Server IdP Identity Provider ID-WSF Identity Web Services Framework NGSI Next Generation Service Interface OASIS Organisation for the Advancement of Structured Information Standards OMA Ope

40、n Mobile Alliance OSS Operation Support System RAF Repository Access Function SAML Security Assertion Markup Language SOAP Simple Object Access Protocol SUPM Service User Profile Management UDC User Data Convergence UDR User Data Repository UML Unified Modeling Language VOD Video-On-Demand XML Exten

41、sible Markup Language 4 User Profile Management in Cross-Domain Cases Today, the user profile information is stored / managed / used at different service providers fully distributed. Application service provider needs to retrieve profiles of a user from different attribute providers in order to perf

42、orm personalized services to that user. At the same time, users want to manage their distributed profile in an easy yet privacy protected way. To fulfil these requirements, there are needs for the anchor point for accessing all the user profile information by users and service providers, and this an

43、chor point must have sufficient trust both by users and application service providers. The involvement of trusted Identity Provider as this anchor point is straightforward approach for distributed user profile management. The user profile information is already maintained at Identity Provider as att

44、ribute, where the standards for the attribute exchange mechanism already exists, which and should be extendable to the fully distributed user profile cases. These trusted Identity Providers are considered as telecommunication operators. Many of the telecommunication operators already serve as Identi

45、ty Providers, have trust relationship with their users, and have secure network infrastructure, which provide secure and privacy protected way of accessing data, technically and socially, thus considered as suitable for the anchor point of the distributed user profile management. Thus, this work ite

46、m proposes for the study and standardization of the distributed user profile management by extending the Identity Provider, where the Identity provider is considered as telecommunication operator, taken both the business and technical aspects into consideration. This clause provides the overview of

47、the existing standard works relevant to the distributed user profile management, identifies the problems/missing points to realize the distributed user profile management in cross-domain cases and proposes the approach to address those points. ETSI ETSI GS INS 003 V1.1.1 (2010-11) 94.1 Current Lands

48、cape 4.1.1 OASIS SAML SAML 2 is an XML-based framework for communicating user authentication, authorisation, and attribute information developed by the Organization for the Advancement of Structured Information Standards (OASIS) i.15. SAML allows business entities to make assertions regarding the id

49、entity, attributes, and entitlements of a subject (an entity that is often a human user) to other entities, such as a partner company or another enterprise application. Thus, SAML can be considered as the transport protocol standard for federated identity management. SAML supports federation in multiple ways and focuses on the mapping of attributes into a uniform namespace and the secure, reliable transport of assertions. SAML is defined in terms of assertions, protocols, bindings, and profiles. An assertio