10.6 General user authentication and authorization for MC services
23.2803GPPCommon functional architecture to support mission critical servicesRelease 18Stage 2TS
10.6.1 Primary MC system
NOTE: Figure 10.6.1-1 is a high level user authentication and authorization flow. 3GPP TS 33.180 [25] defines the specific user authentication and authorization architecture required by the MC services in order to realize the MC service user authentication and authorization requirements as defined in 3GPP TS 22.280 [3].
The user authentication process shown in figure 10.6.1-1 may take place in some scenarios as a separate step independently from a SIP registration phase, for example if the SIP core is outside the domain of the MC service server.
A procedure for user authentication is illustrated in figure 10.6.1-1. Other alternatives may be possible, such as authenticating the user within the SIP registration phase.
Figure 10.6.1-1: MC service user authentication and registration with Primary MC system, single domain
1. In this step the identity management client begins the user authorization procedure. The MC service user supplies the user credentials (e.g. biometrics, secureID, username/password) for verification with the identity management server. This step may occur before or after step 3. In a MC system with multiple MC services, a single user authentication as in step 1 can be used for multiple MC service authorizations for the user.
2. The signalling user agent establishes a secure connection to the SIP core for the purpose of SIP level authentication and registration.
3. The signalling user agent completes the SIP level registration with the SIP core (and an optional third-party registration with the MC service server(s)).
NOTE: The MC service client(s) perform the corresponding MC service authorization for the user by utilizing the result of this procedure.
10.6.2 Interconnection partner MC system
Where communications with a partner MC system using interconnection are required, user authorization takes place in the serving MC system of the MC service user, using the MCX user service authorization procedure specified in 3GPP TS 33.180 [25].
10.6.3 Migration to partner MC system
10.6.3.1 General
The following subclauses describe the procedure used for user authentication and service authorization when migrating to a partner MC system.
To enable migration, the inter-domain MCX user service authorization procedures specified in 3GPP TS 33.180 [25] are used.
10.6.3.2 Information flows for migrated service authorization
10.6.3.2.1 Migration service authorization request
Table 10.6.3.2.1-1 describes the information flow migration service authorization request sent from the MC service client of the migrating MC service user to the partner MC service server, and from the partner MC service server to the primary MC service server of the migrating MC service user.
Table 10.6.3.2.1-1: Migration service authorization request
|
Information element |
Status |
Description |
|
MC service ID (see NOTE 1) |
M |
The MC service ID of the migrating MC service user provided by the partner MC system. |
|
MC service ID |
M |
The MC service ID of the migrating MC service user in the primary MC system of the MC service user. |
|
MC service user profile index (see NOTE 2) |
M |
The MC service user profile index of the selected MC service user profile. |
|
NOTE 1: The MC service ID is provided by the identity management server in the partner MC system during authentication of the migrating MC service user. NOTE 2: The MC service user profile index refers to the MC service user profile provided by the primary MC system of the MC service user that has been selected by the MC service user in order to request migrated MC service on the partner MC system. |
||
10.6.3.2.2 Migration service authorization response
Table 10.6.3.2.2-1 describes the information flow migration service authorization response sent from the primary MC service server of the migrating MC service user to the partner MC service server of the migrating MC service user, and from the partner MC service server to the MC service client of the migrating MC service user. This information flow is sent individually addressed on unicast or multicast.
Table 10.6.3.2.2-1: Migration service authorization response
|
Information element |
Status |
Description |
|
MC service ID (see NOTE) |
M |
The MC service ID of the migrating MC service user provided by the partner MC system. |
|
MC service ID (see NOTE) |
M |
The MC service ID of the migrating MC service user in the primary MC system of the MC service user. |
|
Result |
M |
Success or failure of the migration MC service authorization request |
|
NOTE: The MC service IDs are the MC service IDs that were provided in the migration service authorization request. |
||
10.6.3.3 Procedure
The procedure for service authorization for migration to a partner MC system is shown in figure 10.6.3.3-1.
Pre-conditions
– The MC service user wishes to migrate to the partner MC system.
– The MC service client has been configured with an MC service user profile that contains the necessary parameters needed for connectivity with the partner MC system.
– A user authentication process has taken place which has supplied the necessary credentials to the MC service client to permit service authorization to take place in the partner system.
Figure 10.6.3.3-1 Service authorization for migration to partner MC system
1. The MC service client requests migration service authorization with the partner MC service server indicating the selected MC service user profile to be used during migrated MC service. The MC service client provides both the MC service ID provided during user authentication in the partner MC system, and the MC service ID of the MC service user in the primary MC system of the MC service user.
NOTE 1: The migrating MC service client also provides authentication credentials which are specified in 3GPP TS 33.180 [25].
2. The partner MC service server performs an initial authorization check to verify that the MC service user is permitted to migrate to the partner MC system from the primary MC system of the MC service user.
NOTE 2: The criteria for the initial authorization check is outside the scope of the present document, but for example could be based on a pre-configured list of users who are expected to request migrated service authorization.
3. The partner MC service server identifies the primary MC system of the MC service user of the MC service client by use of the MC service ID of the MC service user in the primary MC system of the MC service user, which was presented by the MC service client in step 1, and sends a migration service authorization request to the gateway server in the partner MC system.
4. The partner MC system gateway server identifies the primary MC system of the MC service user from the MC service ID presented in step 3, and forwards the migration service authorization request to the gateway server of the primary MC system.
5. The gateway server in the primary MC system of the MC service user identifies the primary MC service server of the MC service user from the MC service ID presented in step 3, and forwards the migration service authorization request to that MC service server.
6. The primary MC service server of the MC service user performs an authorization check, to verify that migration is permitted to that partner MC system by this MC service user using the indicated MC service user profile.
7. The primary MC service server marks the MC service user as having migrated, and records the partner MC system as the migrated MC system.
8. The primary MC service server sends a migration service authorization response to the gateway server in the primary MC system.
9. The gateway server in the primary MC system sends the migration service authorization response to the gateway server in the partner MC system.
10. The gateway server in the partner MC system sends the migration service authorization response to the partner MC service server.
11. The partner MC service server stores the necessary information related to the migrated MC service user (e.g., MC service ID of the migrated MC service user provided by the primary MC system mapped to the MC service ID of the migrated MC service user provided by partner MC system). The migration status of the MC service user allows proper communication redirection back to the primary MC system once the migrated MC service user is no longer migrated on this partner MC system.
Editor’s note: How the partner MC system gets informed that the MC service client no longer receives MC services from that partner MC system is FFS.
12. The partner MC service server sends the migration service authorization response to the MC service client, confirming that successful migration and service authorization has taken place.
NOTE 3: If topology hiding is not used, the migration service authorization request and migration service authorization response messages are sent between the MC service servers in the primary and partner MC system without the need to be sent via an MC gateway server.